[FFe] apparmor abstract, anonymous and netlink socket mediation
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| apparmor (Ubuntu) | Fix Released | Critical | Jamie Strandboge | |
| apparmor-easyprof-ubuntu (Ubuntu) | Fix Released | Critical | Jamie Strandboge | |
| isc-dhcp (Ubuntu) | Fix Released | Undecided | Jamie Strandboge | |
| libvirt (Ubuntu) | Fix Released | Undecided | Jamie Strandboge | |
| lightdm (Ubuntu) | Fix Released | Undecided | Jamie Strandboge | |
| linux (Ubuntu) | Fix Released | High | John Johansen | |
| linux-flo (Ubuntu) | Fix Released | High | Unassigned | |
| linux-goldfish (Ubuntu) | Fix Released | High | Unassigned | |
| linux-mako (Ubuntu) | Fix Released | High | Unassigned | |
| linux-manta (Ubuntu) | Fix Released | High | Unassigned | |
| rsyslog (Ubuntu) | Fix Released | Undecided | Jamie Strandboge | |
| tlsdate (Ubuntu) | Fix Released | Undecided | Jamie Strandboge | |
Bug Description
Background: kernel and apparmor userspace updates to support abstract, anonymous and fine-grained netlink socket mediation. These packages are listed in one bug because they are related, but the FFes may be granted and the uploads may happen at different times.
= apparmor userspace =
Summary:
This feature freeze exception is requested for abstract, anonymous and fine-grained netlink socket mediation for apparmor userspace. When used with a compatible kernel, 'unix' and 'network netlink' rules are supported. When used without a compatible kernel, abstract, anonymous and fine-grained netlink socket mediation is not enforced (i.e., you can use this userspace with an old kernel without any issues).
Testing:
* 14.10 system with current kernels lacking abstract, anonymous and fine-grained netlink socket mediation (non-Touch):
  * https:/
* 14.10 system kernel capable of supporting abstract, anonymous and fine-grained netlink socket mediation (non-Touch):
  * https:/
* Verify everything in https:/
Justification:
This feature is required to support comprehensive application confinement on Ubuntu Touch. This feature adds a security benefit to libvirt's qemu guest isolation which is fundamental to Ubuntu on Server/Cloud. This feature also adds a welcome improvement to administrators wishing to further protect their systems.
Extra information:
While the apparmor userspace and kernel changes to support abstract, anonymous and fine-grained netlink socket mediation can happen at different times, the apparmor userspace upload must correspond with uploads for packages that ship AppArmor policy that require updates (e.g., libvirt, lightdm, etc). The packages outlined in https:/
= linux =
Summary:
This feature freeze exception is requested for abstract, anonymous and fine-grained netlink socket mediation via apparmor in the kernel. When used with a compatible apparmor userspace, 'unix' and 'network netlink' rules are supported. When used without a compatible apparmor userspace (e.g., on a trusty system with a utopic backport kernel), abstract, anonymous and fine-grained netlink socket mediation is not enforced (i.e., you can use this kernel with an old userspace without any issues).
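Both the userspace and kernel summaries above say that, once the two halves are paired, 'unix' and 'network netlink' rules become enforceable. The profile below is an added illustration of what such rules look like in policy; it is not from this bug, from any of the packages listed, or from the apparmor project. The program path /usr/bin/example-daemon, the client label /usr/bin/example-client and the abstract socket name @example-ctl are invented for the example. It covers the three kinds of mediation the bug is about: an abstract socket the daemon owns, an anonymous socketpair() it uses internally, and a raw netlink socket.

```apparmor
# Added example profile (hypothetical daemon; not code from the bug or apparmor).
# Assumes: /usr/bin/example-daemon listens on the abstract socket @example-ctl,
# talks to itself over a socketpair(), and reads routing state over NETLINK_ROUTE.
# The unix and netlink rules are only enforced when both the apparmor userspace
# and the kernel support this mediation; on an older kernel they load but are not enforced.
#include <tunables/global>

/usr/bin/example-daemon {
  #include <abstractions/base>

  # Abstract unix socket the daemon owns: it may create, bind and accept on it,
  # but nothing here lets it bind any other abstract name.
  unix (create, bind, listen, accept, getattr, setattr) type=stream addr=@example-ctl,

  # Anonymous (unnamed) sockets, e.g. the two ends of a socketpair(),
  # restricted to peers that are also unnamed.
  unix (send, receive) type=stream addr=none peer=(addr=none),

  # Traffic on the control socket is limited to peers confined by the
  # matching client profile; an unconfined or differently-labelled peer is refused.
  unix (send, receive) type=stream addr=@example-ctl peer=(label=/usr/bin/example-client),

  # Fine-grained netlink: allow only raw netlink sockets (route queries).
  # Other netlink socket types, and all other address families, stay denied.
  network netlink raw,
}
```

Loading this with `apparmor_parser -r` on a paired userspace and kernel, then checking `aa-status`, is the same shape of check the Testing sections above call for. Anything the daemon attempts outside these rules (a different abstract name, a datagram netlink socket, a peer under another label) is refused and shows up as an `apparmor="DENIED"` record in the kernel/audit log, which is what to watch when validating the policy rather than the application's own error output.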
Testing:
* 14.04 system with backported kernel: TODO
  * test-apparmor.py: TODO (runs extensive tests (upstream and distro))
  * exploratory manual testing: TODO (networking, aa-enforce with firefox, firefox works, apparmor blocks access, etc)
  * aa-status: TODO
  * lxc: TODO (containers can be created, started, shutdown)
  * libvirt: TODO (VMs started via openstack, and test-libvirt.py from QRT passes all tests)
* 14.10 system (non-Touch) with updated kernel:
  * https:/
* 14.10 system (Touch) with updated kernel:
  * https:/
Justification:
This feature is required to support comprehensive application confinement on Ubuntu Touch. This feature adds a security benefit to libvirt's qemu guest isolation which is fundamental to Ubuntu on Server/Cloud. This feature also adds a welcome improvement to administrators wishing to further protect their systems.
Changed in apparmor (Ubuntu):
  importance: Undecided → Critical
tags: added: kernel-bot-stop-nagging
Changed in rsyslog (Ubuntu):
  status: New → In Progress
  assignee: nobody → Jamie Strandboge (jdstrand)
Changed in lightdm (Ubuntu):
  assignee: nobody → Jamie Strandboge (jdstrand)
Changed in libvirt (Ubuntu):
  assignee: nobody → Jamie Strandboge (jdstrand)
Changed in isc-dhcp (Ubuntu):
  assignee: nobody → Jamie Strandboge (jdstrand)
Changed in apparmor-easyprof-ubuntu (Ubuntu):
  assignee: nobody → Jamie Strandboge (jdstrand)
Changed in lxc (Ubuntu):
  assignee: nobody → Jamie Strandboge (jdstrand)
Changed in lightdm (Ubuntu):
  status: New → In Progress
Changed in libvirt (Ubuntu):
  status: New → In Progress
Changed in isc-dhcp (Ubuntu):
  status: New → In Progress
Changed in apparmor-easyprof-ubuntu (Ubuntu):
  status: New → In Progress
Changed in apparmor (Ubuntu):
  status: New → In Progress
Changed in lxc (Ubuntu):
  status: New → Triaged
Changed in cups (Ubuntu):
  status: New → In Progress
Changed in cups-filters (Ubuntu):
  status: New → In Progress
Changed in linux (Ubuntu):
  status: Incomplete → In Progress
Changed in cups (Ubuntu):
  assignee: nobody → Jamie Strandboge (jdstrand)
Changed in cups-filters (Ubuntu):
  assignee: nobody → Jamie Strandboge (jdstrand)
tags: added: kernel-da-key
no longer affects: cups (Ubuntu)
no longer affects: cups-filters (Ubuntu)
Changed in linux (Ubuntu):
  assignee: nobody → John Johansen (jjohansen)
Changed in tlsdate (Ubuntu):
  assignee: nobody → Jamie Strandboge (jdstrand)
  status: New → In Progress
description: updated
no longer affects: lxc (Ubuntu)
tags: added: rtm14 touch-2014-09-11
Changed in apparmor-easyprof-ubuntu (Ubuntu):
  importance: Undecided → Critical
Changed in apparmor (Ubuntu):
  assignee: nobody → Jamie Strandboge (jdstrand)
description: updated
description: updated
description: updated
Changed in linux (Ubuntu):
  importance: Undecided → Critical
  importance: Critical → High
Changed in linux-mako (Ubuntu):
  importance: Undecided → High
  status: New → In Progress
Changed in linux (Ubuntu):
  importance: High → Critical
  importance: Critical → High
Changed in linux-mako (Ubuntu):
  importance: High → Critical
Changed in linux-goldfish (Ubuntu):
  importance: Undecided → High
  status: New → In Progress
Changed in linux-manta (Ubuntu):
  importance: Undecided → High
  status: New → In Progress
Changed in linux-flo (Ubuntu):
  importance: Undecided → High
  status: New → In Progress
Changed in linux-mako (Ubuntu):
  importance: Critical → High
tags: removed: rtm14
Changed in linux-manta (Ubuntu):
  status: In Progress → Fix Committed
Changed in linux-mako (Ubuntu):
  status: In Progress → Fix Committed
Changed in linux-flo (Ubuntu):
  status: In Progress → Fix Committed
This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:
apport-collect 1362199
and then change the status of the bug to 'Confirmed'.
If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.
This change has been made by an automated script, maintained by the Ubuntu Kernel Team.