← Back to team overview

kernel-packages team mailing list archive

[Bug 1362199] Re: [FFe] apparmor abstract, anonymous and netlink socket mediation

 

This bug was fixed in the package apparmor - 2.8.96~2652-0ubuntu3

---------------
apparmor (2.8.96~2652-0ubuntu3) utopic; urgency=medium

  * 08-phpsysinfo-policy-updates.patch: update for new phpsysinfo on Ubuntu
    14.10
  * 09-apache2-policy-instructions.patch: update for recent Debian/Ubuntu
    packaging
  * debian/control: update Breaks for apparmor-easyprof-ubuntu, libvirt-bin,
    and lightdm. Add Breaks on rsyslog.

apparmor (2.8.96~2652-0ubuntu2) utopic; urgency=medium

  * 07-parser-fix_local_perms.patch: do not output local permissions for rules
    that have peer_conditionals. Patch from John Johansen

apparmor (2.8.96~2652-0ubuntu1) utopic; urgency=medium

  * Updated to r2652 snapshot of 2.8.96 (LP: #1362199, LP: #1341152)

  [ Steve Beattie ]
  * removed upstreamed patches:
    - dnsmasq-libvirtd-signal-ptrace.patch
    - update-base-abstraction-for-signals-and-ptrace.patch
    - update-nameservice-abstraction-for-extrausers.patch
  - debian/apparmor-profiles.install: dropped program-chunks/postfix-common,
    moved to abstractions/ and covered by apparmor.install
  - refreshed libapparmor-layout-deb.patch patch
  * Add in Tyler Hicks' regression test improvements:
    - 01-tests-unix_socket_lists.patch,
    - 02-tests-accept_unix_rules_in_mkprofile.patch,
    - 03-tests-unix_sockets_v7_pathnames.patch,
    - 04-tests-migrate_from_poll_to_sockio_timeout.patch,
    - 05-tests-add_abstract_socket_tests.patch,
  * 07-parser-fix_local_perms.patch: do not output local permissions
    for rules that have peer_conditionals

  [ Jamie Strandboge ]
  * add-chromium-browser.patch: update for unix socket mediation
  * drop-peer_addr-with-local-addr-in-base.patch: don't use peer=(addr=none)
    with getattr, getopt, setopt and shutdown

  [ Tyler Hicks ]
  * debian/lib/apparmor/functions, debian/apparmor.init,
    debian/apparmor.upstart: Ensure system policy cache cannot become stale
    after image based upgrades that update the system profiles (LP: #1350673)
  * parser-include-usr-share-apparmor.patch, debian/apparmor.install: Adjust
    the default parser.conf file, to add /usr/share/apparmor as an additional
    search path when resolving include directives in profiles, and install the
    file in /etc/apparmor. Ubuntu places hardware specific access rules in
    /usr/share/apparmor/hardware. This change allows these files to be
    included without using an absolute path (e.g.,
    '#include <hardware/graphics.d>').
 -- Jamie Strandboge <jamie@xxxxxxxxxx>   Mon, 08 Sep 2014 16:13:10 -0500

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1362199

Title:
  [FFe] apparmor abstract, anonymous and netlink socket mediation

Status in “apparmor” package in Ubuntu:
  Fix Released
Status in “apparmor-easyprof-ubuntu” package in Ubuntu:
  Fix Released
Status in “isc-dhcp” package in Ubuntu:
  Fix Released
Status in “libvirt” package in Ubuntu:
  Fix Released
Status in “lightdm” package in Ubuntu:
  Fix Released
Status in “linux” package in Ubuntu:
  In Progress
Status in “rsyslog” package in Ubuntu:
  Fix Released
Status in “tlsdate” package in Ubuntu:
  In Progress

Bug description:
  Background: kernel and apparmor userspace updates to support abstract,
  anonymous and fine-grained netlink socket mediation. These packages
  are listed in one bug because they are related, but the FFes may be
  granted and the uploads may happen at different times.

  = apparmor userspace =
  Summary:
  This feature freeze exception is requested for abstract, anonymous and fine-grained netlink socket for apparmor userspace. When used with a compatible kernel, 'unix' and 'network netlink' rules are supported. When used without a compatible apparmor userspace (eg, on a trusty system with an utopic backport kernel), abstract, anonymous and fine-grained netlink socket mediation is not enforced (ie, you can use this userspace with an old kernel without any issues).

  Testing:
  * 14.10 system with current kernels lacking abstract, anonymous and fine-grained netlink socket mediation (non-Touch):
   * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: DONE (exploratory manual testing, lxc, libvirt, etc)
  * 14.10 system kernel capable of supporting abstract, anonymous and fine-grained netlink socket mediation (non-Touch):
   * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: INPROGRESS (includes test-apparmor.py, exploratory manual testing, lxc, libvirt, etc)
   * Verify everything in https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorProfiles: DONE (except juju since it doesn't have policy itself)

  Justification:
  This feature is required to support comprehensive application confinement on Ubuntu Touch. This feature adds a security benefit to libvirt's qemu guest isolation which is fundamental to Ubuntu on Server/Cloud. This feature also adds a welcome improvement to administrators wishing to further protect their systems.

  Extra information:
  While the apparmor userspace and kernel changes to support abstract, anonymous and fine-grained netlink socket can happen at different times, the apparmor userspace upload must correspond with uploads for packages that ship AppArmor policy that require updates (eg, libvirt, lightdm, etc). The packages outlined in https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorProfiles have been tested to either work without modification to the policy or updated and tested to work with updated policy. Common rules will be added to the apparmor base abstraction such that most packages shipping apparmor policy will not require updating. These updates will be prepared, tested and published en masse via a silo ppa.

  = linux =
  Summary:
  This feature freeze exception is requested for abstract, anonymous and fine-grained netlink socket via apparmor in the kernel. When used with a compatible apparmor userspace, 'unix' and 'network netlink' rules are supported. When used without a compatible apparmor userspace (eg, on a trusty system with an utopic backport kernel), abstract, anonymous and fine-grained netlink socket mediation is not enforced (ie, you can use this kernel with an old userspace without any issues).

  Testing:
  * 14.04 system with backported kernel: TODO
   * test-apparmor.py: TODO (runs extensive tests (upstream and distro))
   * exploratory manual testing: TODO (networking, aa-enforce with firefox, firefox works, apparmor blocks access, etc)
   * aa-status: TODO
   * lxc: TODO (containers can be created, started, shutdown)
   * libvirt: TODO (VMs started via openstack, and test-libvirt.py from QRT passes all tests)
  * 14.10 system (non-Touch) with updated kernel:
   * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: INPROGRESS (includes click-apparmor, apparmor-easyprof-ubuntu, exploratory manual testing, etc)
  * 14.10 system (Touch) with updated kernel:
   * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: INPROGRESS (includes click-apparmor, apparmor-easyprof-ubuntu, exploratory manual testing, etc)

  Justification:
  This feature is required to support comprehensive application confinement on Ubuntu Touch. This feature adds a security benefit to libvirt's qemu guest isolation which is fundamental to Ubuntu on Server/Cloud. This feature also adds a welcome improvement to administrators wishing to further protect their systems.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1362199/+subscriptions


References