| 2014-08-27 14:33:17 |
Jamie Strandboge |
bug |
|
|
added bug |
| 2014-08-27 14:33:34 |
Jamie Strandboge |
apparmor (Ubuntu): importance |
Undecided |
Critical |
|
| 2014-08-27 14:34:24 |
Jamie Strandboge |
bug task added |
|
apparmor-easyprof-ubuntu (Ubuntu) |
|
| 2014-08-27 14:34:41 |
Jamie Strandboge |
bug task added |
|
libvirt (Ubuntu) |
|
| 2014-08-27 14:34:53 |
Jamie Strandboge |
bug task added |
|
lxc (Ubuntu) |
|
| 2014-08-27 14:35:08 |
Jamie Strandboge |
bug task added |
|
lightdm (Ubuntu) |
|
| 2014-08-27 14:35:28 |
Jamie Strandboge |
bug task added |
|
linux (Ubuntu) |
|
| 2014-08-27 14:35:51 |
Jamie Strandboge |
tags |
|
kernel-bot-stop-nagging |
|
| 2014-08-27 14:36:14 |
Jamie Strandboge |
bug task added |
|
rsyslog (Ubuntu) |
|
| 2014-08-27 14:37:39 |
Jamie Strandboge |
bug task added |
|
isc-dhcp (Ubuntu) |
|
| 2014-08-27 14:41:30 |
Jamie Strandboge |
rsyslog (Ubuntu): status |
New |
In Progress |
|
| 2014-08-27 14:41:33 |
Jamie Strandboge |
rsyslog (Ubuntu): assignee |
|
Jamie Strandboge (jdstrand) |
|
| 2014-08-27 14:41:37 |
Jamie Strandboge |
lightdm (Ubuntu): assignee |
|
Jamie Strandboge (jdstrand) |
|
| 2014-08-27 14:41:42 |
Jamie Strandboge |
libvirt (Ubuntu): assignee |
|
Jamie Strandboge (jdstrand) |
|
| 2014-08-27 14:41:47 |
Jamie Strandboge |
isc-dhcp (Ubuntu): assignee |
|
Jamie Strandboge (jdstrand) |
|
| 2014-08-27 14:41:50 |
Jamie Strandboge |
apparmor-easyprof-ubuntu (Ubuntu): assignee |
|
Jamie Strandboge (jdstrand) |
|
| 2014-08-27 14:42:04 |
Jamie Strandboge |
lxc (Ubuntu): assignee |
|
Jamie Strandboge (jdstrand) |
|
| 2014-08-27 14:42:13 |
Jamie Strandboge |
lightdm (Ubuntu): status |
New |
In Progress |
|
| 2014-08-27 14:42:16 |
Jamie Strandboge |
libvirt (Ubuntu): status |
New |
In Progress |
|
| 2014-08-27 14:42:20 |
Jamie Strandboge |
isc-dhcp (Ubuntu): status |
New |
In Progress |
|
| 2014-08-27 14:42:24 |
Jamie Strandboge |
apparmor-easyprof-ubuntu (Ubuntu): status |
New |
In Progress |
|
| 2014-08-27 14:42:26 |
Jamie Strandboge |
apparmor (Ubuntu): status |
New |
In Progress |
|
| 2014-08-27 14:42:41 |
Jamie Strandboge |
lxc (Ubuntu): status |
New |
Triaged |
|
| 2014-08-27 15:00:09 |
Brad Figg |
linux (Ubuntu): status |
New |
Incomplete |
|
| 2014-08-27 15:11:02 |
Jamie Strandboge |
bug task added |
|
cups (Ubuntu) |
|
| 2014-08-27 15:11:18 |
Jamie Strandboge |
bug task added |
|
cups-filters (Ubuntu) |
|
| 2014-08-27 15:11:34 |
Jamie Strandboge |
cups (Ubuntu): status |
New |
In Progress |
|
| 2014-08-27 15:11:49 |
Jamie Strandboge |
cups-filters (Ubuntu): status |
New |
In Progress |
|
| 2014-08-27 15:12:51 |
Jamie Strandboge |
linux (Ubuntu): status |
Incomplete |
In Progress |
|
| 2014-08-27 15:13:11 |
Jamie Strandboge |
cups (Ubuntu): assignee |
|
Jamie Strandboge (jdstrand) |
|
| 2014-08-27 15:13:22 |
Jamie Strandboge |
cups-filters (Ubuntu): assignee |
|
Jamie Strandboge (jdstrand) |
|
| 2014-08-27 18:56:48 |
Joseph Salisbury |
tags |
kernel-bot-stop-nagging |
kernel-bot-stop-nagging kernel-da-key |
|
| 2014-09-02 19:55:02 |
Jamie Strandboge |
bug task deleted |
cups (Ubuntu) |
|
|
| 2014-09-02 19:55:16 |
Jamie Strandboge |
bug task deleted |
cups-filters (Ubuntu) |
|
|
| 2014-09-02 19:55:55 |
Jamie Strandboge |
linux (Ubuntu): assignee |
|
John Johansen (jjohansen) |
|
| 2014-09-03 01:12:56 |
Jamie Strandboge |
bug task added |
|
tlsdate (Ubuntu) |
|
| 2014-09-03 01:13:13 |
Jamie Strandboge |
tlsdate (Ubuntu): status |
New |
In Progress |
|
| 2014-09-03 01:13:13 |
Jamie Strandboge |
tlsdate (Ubuntu): assignee |
|
Jamie Strandboge (jdstrand) |
|
| 2014-09-04 20:20:03 |
Jamie Strandboge |
description |
Background: kernel and apparmor userspace updates to support abstract, anonymous and fine-grained netlink socket mediation. These packages are listed in one bug because they are related, but the FFes may be granted and the uploads may happen at different times.
= linux =
Summary:
This feature freeze exception is requested for abstract, anonymous and fine-grained netlink socket via apparmor in the kernel. When used with a compatible apparmor userspace, 'unix' and 'network netlink' rules are supported. When used without a compatible apparmor userspace (eg, on a trusty system with an utopic backport kernel), abstract, anonymous and fine-grained netlink socket mediation is not enforced (ie, you can use this kernel with an old userspace without any issues).
Testing:
* 14.04 system with backported kernel: TODO
* test-apparmor.py: TODO (runs extensive tests (upstream and distro))
* exploratory manual testing: TODO (networking, aa-enforce with firefox, firefox works, apparmor blocks access, etc)
* aa-status: TODO
* lxc: TODO (containers can be created, started, shutdown)
* libvirt: TODO (VMs started via openstack, and test-libvirt.py from QRT passes all tests)
* 14.10 system (non-Touch) with current apparmor userspace: TODO (relevant parts of https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor)
* test-apparmor.py: TODO (runs extensive tests (upstream and distro))
* exploratory manual testing: TODO (networking, aa-enforce with firefox, firefox works, apparmor blocks access, etc)
* aa-status: TODO
* lxc: TODO (containers can be created, started, shutdown)
* libvirt: TODO (QRT/script/test-libvirt.py (though there are 3 failures unrelated to apparmor))
* click-apparmor QRT touch image tests: TODO
* apparmor-easyprof-ubuntu QRT touch image tests: TODO
* 14.10 system (non-Touch) with updated apparmor userspace capable of supporting abstract, anonymous and fine-grained netlink socket: TODO (relevant parts of https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor)
* test-apparmor.py: TODO (runs extensive tests (upstream and distro))
* exploratory manual testing: TODO (networking, aa-enforce with firefox, firefox works, apparmor blocks access, etc)
* aa-status: TODO
* lxc: TODO (containers can be created, started, shutdown)
* libvirt: TODO (QRT/script/test-libvirt.py (though there are 3 failures unrelated to apparmor))
* click-apparmor QRT touch image tests: TODO
* apparmor-easyprof-ubuntu QRT touch image tests: TODO
Justification:
This feature is required to support comprehensive application confinement on Ubuntu Touch. This feature adds a security benefit to libvirt's qemu guest isolation which is fundamental to Ubuntu on Server/Cloud. This feature also adds a welcome improvement to administrators wishing to further protect their systems.
= apparmor userspace =
Summary:
This feature freeze exception is requested for abstract, anonymous and fine-grained netlink socket for apparmor userspace. When used with a compatible kernel, 'unix' and 'network netlink' rules are supported. When used without a compatible apparmor userspace (eg, on a trusty system with an utopic backport kernel), abstract, anonymous and fine-grained netlink socket mediation is not enforced (ie, you can use this userspace with an old kernel without any issues).
Testing:
* 14.10 system with current kernel:
* https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: TODO (includes click-apparmor, apparmor-easyprof-ubuntu, exploratory manual testing, etc)
* 14.10 system with previous kernel lacking abstract, anonymous and fine-grained netlink socket mediation (non-Touch):
* https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: TODO (exploratory manual testing, lxc, libvirt, etc)
* test-apparmor.py: TODO
* lightdm guest session: TODO (login, start browser, logout)
* 14.10 system kernel capable of supporting abstract, anonymous and fine-grained netlink socket mediation (non-Touch):
* https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: TODO (includes test-apparmor.py, exploratory manual testing, lxc, libvirt, etc)
* Verify everything in https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorProfiles: TODO (except juju since it doesn't have policy itself)
* lightdm guest session: TODO (login, start browser, logout)
Justification:
This feature is required to support comprehensive application confinement on Ubuntu Touch. This feature adds a security benefit to libvirt's qemu guest isolation which is fundamental to Ubuntu on Server/Cloud. This feature also adds a welcome improvement to administrators wishing to further protect their systems.
Extra information:
While the apparmor userspace and kernel changes to support abstract, anonymous and fine-grained netlink socket can happen at different times, the apparmor userspace upload must correspond with uploads for packages that ship AppArmor policy that require updates (eg, libvirt, lxc, etc). The packages outlined in https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorProfiles have been tested to either work without modification to the policy or updated and tested to work with updated policy. Common rules will be added to the apparmor base abstraction such that most packages shipping apparmor policy will not require updating. These updates will be prepared, tested and published en masse via a silo ppa. |
Background: kernel and apparmor userspace updates to support abstract, anonymous and fine-grained netlink socket mediation. These packages are listed in one bug because they are related, but the FFes may be granted and the uploads may happen at different times.
= linux =
Summary:
This feature freeze exception is requested for abstract, anonymous and fine-grained netlink socket via apparmor in the kernel. When used with a compatible apparmor userspace, 'unix' and 'network netlink' rules are supported. When used without a compatible apparmor userspace (eg, on a trusty system with an utopic backport kernel), abstract, anonymous and fine-grained netlink socket mediation is not enforced (ie, you can use this kernel with an old userspace without any issues).
Testing:
* 14.04 system with backported kernel: TODO
* test-apparmor.py: TODO (runs extensive tests (upstream and distro))
* exploratory manual testing: TODO (networking, aa-enforce with firefox, firefox works, apparmor blocks access, etc)
* aa-status: TODO
* lxc: TODO (containers can be created, started, shutdown)
* libvirt: TODO (VMs started via openstack, and test-libvirt.py from QRT passes all tests)
* 14.10 system (non-Touch) with current apparmor userspace: TODO (relevant parts of https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor)
* test-apparmor.py: TODO (runs extensive tests (upstream and distro))
* exploratory manual testing: TODO (networking, aa-enforce with firefox, firefox works, apparmor blocks access, etc)
* aa-status: TODO
* lxc: TODO (containers can be created, started, shutdown)
* libvirt: TODO (QRT/script/test-libvirt.py (though there are 3 failures unrelated to apparmor))
* click-apparmor QRT touch image tests: TODO
* apparmor-easyprof-ubuntu QRT touch image tests: TODO
* 14.10 system (non-Touch) with updated apparmor userspace capable of supporting abstract, anonymous and fine-grained netlink socket: TODO (relevant parts of https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor)
* test-apparmor.py: TODO (runs extensive tests (upstream and distro))
* exploratory manual testing: TODO (networking, aa-enforce with firefox, firefox works, apparmor blocks access, etc)
* aa-status: TODO
* lxc: TODO (containers can be created, started, shutdown)
* libvirt: TODO (QRT/script/test-libvirt.py (though there are 3 failures unrelated to apparmor))
* click-apparmor QRT touch image tests: TODO
* apparmor-easyprof-ubuntu QRT touch image tests: TODO
Justification:
This feature is required to support comprehensive application confinement on Ubuntu Touch. This feature adds a security benefit to libvirt's qemu guest isolation which is fundamental to Ubuntu on Server/Cloud. This feature also adds a welcome improvement to administrators wishing to further protect their systems.
= apparmor userspace =
Summary:
This feature freeze exception is requested for abstract, anonymous and fine-grained netlink socket for apparmor userspace. When used with a compatible kernel, 'unix' and 'network netlink' rules are supported. When used without a compatible apparmor userspace (eg, on a trusty system with an utopic backport kernel), abstract, anonymous and fine-grained netlink socket mediation is not enforced (ie, you can use this userspace with an old kernel without any issues).
Testing:
* 14.10 system with current kernel:
* https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: DONE (includes click-apparmor, apparmor-easyprof-ubuntu, exploratory manual testing, etc)
* 14.10 system with previous kernel lacking abstract, anonymous and fine-grained netlink socket mediation (non-Touch):
* https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: DONE (exploratory manual testing, lxc, libvirt, etc)
* test-apparmor.py: DONE
* lightdm guest session: DONE (login, start browser, logout)
* 14.10 system kernel capable of supporting abstract, anonymous and fine-grained netlink socket mediation (non-Touch):
* https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: DONE (includes test-apparmor.py, exploratory manual testing, lxc, libvirt, etc)
* Verify everything in https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorProfiles: DONE (except juju since it doesn't have policy itself)
* lightdm guest session: TODO (login, start browser, logout)
Justification:
This feature is required to support comprehensive application confinement on Ubuntu Touch. This feature adds a security benefit to libvirt's qemu guest isolation which is fundamental to Ubuntu on Server/Cloud. This feature also adds a welcome improvement to administrators wishing to further protect their systems.
Extra information:
While the apparmor userspace and kernel changes to support abstract, anonymous and fine-grained netlink socket can happen at different times, the apparmor userspace upload must correspond with uploads for packages that ship AppArmor policy that require updates (eg, libvirt, lxc, etc). The packages outlined in https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorProfiles have been tested to either work without modification to the policy or updated and tested to work with updated policy. Common rules will be added to the apparmor base abstraction such that most packages shipping apparmor policy will not require updating. These updates will be prepared, tested and published en masse via a silo ppa. |
|
| 2014-09-04 20:21:00 |
Jamie Strandboge |
bug task deleted |
lxc (Ubuntu) |
|
|
| 2014-09-05 02:23:05 |
Jamie Strandboge |
tags |
kernel-bot-stop-nagging kernel-da-key |
kernel-bot-stop-nagging kernel-da-key rtm14 touch-2014-09-11 |
|
| 2014-09-05 14:36:54 |
Jamie Strandboge |
apparmor-easyprof-ubuntu (Ubuntu): importance |
Undecided |
Critical |
|
| 2014-09-05 14:36:59 |
Jamie Strandboge |
apparmor (Ubuntu): assignee |
|
Jamie Strandboge (jdstrand) |
|
| 2014-09-05 20:58:55 |
Jamie Strandboge |
isc-dhcp (Ubuntu): status |
In Progress |
Fix Released |
|
| 2014-09-08 19:57:59 |
Jamie Strandboge |
description |
Background: kernel and apparmor userspace updates to support abstract, anonymous and fine-grained netlink socket mediation. These packages are listed in one bug because they are related, but the FFes may be granted and the uploads may happen at different times.
= linux =
Summary:
This feature freeze exception is requested for abstract, anonymous and fine-grained netlink socket via apparmor in the kernel. When used with a compatible apparmor userspace, 'unix' and 'network netlink' rules are supported. When used without a compatible apparmor userspace (eg, on a trusty system with an utopic backport kernel), abstract, anonymous and fine-grained netlink socket mediation is not enforced (ie, you can use this kernel with an old userspace without any issues).
Testing:
* 14.04 system with backported kernel: TODO
* test-apparmor.py: TODO (runs extensive tests (upstream and distro))
* exploratory manual testing: TODO (networking, aa-enforce with firefox, firefox works, apparmor blocks access, etc)
* aa-status: TODO
* lxc: TODO (containers can be created, started, shutdown)
* libvirt: TODO (VMs started via openstack, and test-libvirt.py from QRT passes all tests)
* 14.10 system (non-Touch) with current apparmor userspace: TODO (relevant parts of https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor)
* test-apparmor.py: TODO (runs extensive tests (upstream and distro))
* exploratory manual testing: TODO (networking, aa-enforce with firefox, firefox works, apparmor blocks access, etc)
* aa-status: TODO
* lxc: TODO (containers can be created, started, shutdown)
* libvirt: TODO (QRT/script/test-libvirt.py (though there are 3 failures unrelated to apparmor))
* click-apparmor QRT touch image tests: TODO
* apparmor-easyprof-ubuntu QRT touch image tests: TODO
* 14.10 system (non-Touch) with updated apparmor userspace capable of supporting abstract, anonymous and fine-grained netlink socket: TODO (relevant parts of https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor)
* test-apparmor.py: TODO (runs extensive tests (upstream and distro))
* exploratory manual testing: TODO (networking, aa-enforce with firefox, firefox works, apparmor blocks access, etc)
* aa-status: TODO
* lxc: TODO (containers can be created, started, shutdown)
* libvirt: TODO (QRT/script/test-libvirt.py (though there are 3 failures unrelated to apparmor))
* click-apparmor QRT touch image tests: TODO
* apparmor-easyprof-ubuntu QRT touch image tests: TODO
Justification:
This feature is required to support comprehensive application confinement on Ubuntu Touch. This feature adds a security benefit to libvirt's qemu guest isolation which is fundamental to Ubuntu on Server/Cloud. This feature also adds a welcome improvement to administrators wishing to further protect their systems.
= apparmor userspace =
Summary:
This feature freeze exception is requested for abstract, anonymous and fine-grained netlink socket for apparmor userspace. When used with a compatible kernel, 'unix' and 'network netlink' rules are supported. When used without a compatible apparmor userspace (eg, on a trusty system with an utopic backport kernel), abstract, anonymous and fine-grained netlink socket mediation is not enforced (ie, you can use this userspace with an old kernel without any issues).
Testing:
* 14.10 system with current kernel:
* https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: DONE (includes click-apparmor, apparmor-easyprof-ubuntu, exploratory manual testing, etc)
* 14.10 system with previous kernel lacking abstract, anonymous and fine-grained netlink socket mediation (non-Touch):
* https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: DONE (exploratory manual testing, lxc, libvirt, etc)
* test-apparmor.py: DONE
* lightdm guest session: DONE (login, start browser, logout)
* 14.10 system kernel capable of supporting abstract, anonymous and fine-grained netlink socket mediation (non-Touch):
* https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: DONE (includes test-apparmor.py, exploratory manual testing, lxc, libvirt, etc)
* Verify everything in https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorProfiles: DONE (except juju since it doesn't have policy itself)
* lightdm guest session: TODO (login, start browser, logout)
Justification:
This feature is required to support comprehensive application confinement on Ubuntu Touch. This feature adds a security benefit to libvirt's qemu guest isolation which is fundamental to Ubuntu on Server/Cloud. This feature also adds a welcome improvement to administrators wishing to further protect their systems.
Extra information:
While the apparmor userspace and kernel changes to support abstract, anonymous and fine-grained netlink socket can happen at different times, the apparmor userspace upload must correspond with uploads for packages that ship AppArmor policy that require updates (eg, libvirt, lxc, etc). The packages outlined in https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorProfiles have been tested to either work without modification to the policy or updated and tested to work with updated policy. Common rules will be added to the apparmor base abstraction such that most packages shipping apparmor policy will not require updating. These updates will be prepared, tested and published en masse via a silo ppa. |
Background: kernel and apparmor userspace updates to support abstract, anonymous and fine-grained netlink socket mediation. These packages are listed in one bug because they are related, but the FFes may be granted and the uploads may happen at different times.
= apparmor userspace =
Summary:
This feature freeze exception is requested for abstract, anonymous and fine-grained netlink socket for apparmor userspace. When used with a compatible kernel, 'unix' and 'network netlink' rules are supported. When used without a compatible apparmor userspace (eg, on a trusty system with an utopic backport kernel), abstract, anonymous and fine-grained netlink socket mediation is not enforced (ie, you can use this userspace with an old kernel without any issues).
Testing:
* 14.10 system with previous kernel lacking abstract, anonymous and fine-grained netlink socket mediation (non-Touch):
* https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: DONE (exploratory manual testing, lxc, libvirt, etc)
* 14.10 system kernel capable of supporting abstract, anonymous and fine-grained netlink socket mediation (non-Touch):
* https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: INPROGRESS (includes test-apparmor.py, exploratory manual testing, lxc, libvirt, etc)
* Verify everything in https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorProfiles: DONE (except juju since it doesn't have policy itself)
Justification:
This feature is required to support comprehensive application confinement on Ubuntu Touch. This feature adds a security benefit to libvirt's qemu guest isolation which is fundamental to Ubuntu on Server/Cloud. This feature also adds a welcome improvement to administrators wishing to further protect their systems.
Extra information:
While the apparmor userspace and kernel changes to support abstract, anonymous and fine-grained netlink socket can happen at different times, the apparmor userspace upload must correspond with uploads for packages that ship AppArmor policy that require updates (eg, libvirt, lxc, etc). The packages outlined in https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorProfiles have been tested to either work without modification to the policy or updated and tested to work with updated policy. Common rules will be added to the apparmor base abstraction such that most packages shipping apparmor policy will not require updating. These updates will be prepared, tested and published en masse via a silo ppa.
= linux =
Summary:
This feature freeze exception is requested for abstract, anonymous and fine-grained netlink socket via apparmor in the kernel. When used with a compatible apparmor userspace, 'unix' and 'network netlink' rules are supported. When used without a compatible apparmor userspace (eg, on a trusty system with an utopic backport kernel), abstract, anonymous and fine-grained netlink socket mediation is not enforced (ie, you can use this kernel with an old userspace without any issues).
Testing:
* 14.04 system with backported kernel: TODO
* test-apparmor.py: TODO (runs extensive tests (upstream and distro))
* exploratory manual testing: TODO (networking, aa-enforce with firefox, firefox works, apparmor blocks access, etc)
* aa-status: TODO
* lxc: TODO (containers can be created, started, shutdown)
* libvirt: TODO (VMs started via openstack, and test-libvirt.py from QRT passes all tests)
* 14.10 system (non-Touch) with updated kernel:
* https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: INPROGRESS (includes click-apparmor, apparmor-easyprof-ubuntu, exploratory manual testing, etc)
* 14.10 system (Touch) with updated kernel:
* https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: INPROGRESS (includes click-apparmor, apparmor-easyprof-ubuntu, exploratory manual testing, etc)
Justification:
This feature is required to support comprehensive application confinement on Ubuntu Touch. This feature adds a security benefit to libvirt's qemu guest isolation which is fundamental to Ubuntu on Server/Cloud. This feature also adds a welcome improvement to administrators wishing to further protect their systems. |
|
| 2014-09-08 19:58:46 |
Jamie Strandboge |
bug |
|
|
added subscriber Ubuntu Release Team |
| 2014-09-08 20:53:56 |
Jamie Strandboge |
description |
Background: kernel and apparmor userspace updates to support abstract, anonymous and fine-grained netlink socket mediation. These packages are listed in one bug because they are related, but the FFes may be granted and the uploads may happen at different times.
= apparmor userspace =
Summary:
This feature freeze exception is requested for abstract, anonymous and fine-grained netlink socket for apparmor userspace. When used with a compatible kernel, 'unix' and 'network netlink' rules are supported. When used without a compatible apparmor userspace (eg, on a trusty system with an utopic backport kernel), abstract, anonymous and fine-grained netlink socket mediation is not enforced (ie, you can use this userspace with an old kernel without any issues).
Testing:
* 14.10 system with previous kernel lacking abstract, anonymous and fine-grained netlink socket mediation (non-Touch):
* https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: DONE (exploratory manual testing, lxc, libvirt, etc)
* 14.10 system kernel capable of supporting abstract, anonymous and fine-grained netlink socket mediation (non-Touch):
* https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: INPROGRESS (includes test-apparmor.py, exploratory manual testing, lxc, libvirt, etc)
* Verify everything in https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorProfiles: DONE (except juju since it doesn't have policy itself)
Justification:
This feature is required to support comprehensive application confinement on Ubuntu Touch. This feature adds a security benefit to libvirt's qemu guest isolation which is fundamental to Ubuntu on Server/Cloud. This feature also adds a welcome improvement to administrators wishing to further protect their systems.
Extra information:
While the apparmor userspace and kernel changes to support abstract, anonymous and fine-grained netlink socket can happen at different times, the apparmor userspace upload must correspond with uploads for packages that ship AppArmor policy that require updates (eg, libvirt, lxc, etc). The packages outlined in https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorProfiles have been tested to either work without modification to the policy or updated and tested to work with updated policy. Common rules will be added to the apparmor base abstraction such that most packages shipping apparmor policy will not require updating. These updates will be prepared, tested and published en masse via a silo ppa.
= linux =
Summary:
This feature freeze exception is requested for abstract, anonymous and fine-grained netlink socket via apparmor in the kernel. When used with a compatible apparmor userspace, 'unix' and 'network netlink' rules are supported. When used without a compatible apparmor userspace (eg, on a trusty system with an utopic backport kernel), abstract, anonymous and fine-grained netlink socket mediation is not enforced (ie, you can use this kernel with an old userspace without any issues).
Testing:
* 14.04 system with backported kernel: TODO
* test-apparmor.py: TODO (runs extensive tests (upstream and distro))
* exploratory manual testing: TODO (networking, aa-enforce with firefox, firefox works, apparmor blocks access, etc)
* aa-status: TODO
* lxc: TODO (containers can be created, started, shutdown)
* libvirt: TODO (VMs started via openstack, and test-libvirt.py from QRT passes all tests)
* 14.10 system (non-Touch) with updated kernel:
* https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: INPROGRESS (includes click-apparmor, apparmor-easyprof-ubuntu, exploratory manual testing, etc)
* 14.10 system (Touch) with updated kernel:
* https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: INPROGRESS (includes click-apparmor, apparmor-easyprof-ubuntu, exploratory manual testing, etc)
Justification:
This feature is required to support comprehensive application confinement on Ubuntu Touch. This feature adds a security benefit to libvirt's qemu guest isolation which is fundamental to Ubuntu on Server/Cloud. This feature also adds a welcome improvement to administrators wishing to further protect their systems. |
Background: kernel and apparmor userspace updates to support abstract, anonymous and fine-grained netlink socket mediation. These packages are listed in one bug because they are related, but the FFes may be granted and the uploads may happen at different times.
= apparmor userspace =
Summary:
This feature freeze exception is requested for abstract, anonymous and fine-grained netlink socket for apparmor userspace. When used with a compatible kernel, 'unix' and 'network netlink' rules are supported. When used without a compatible apparmor userspace (eg, on a trusty system with an utopic backport kernel), abstract, anonymous and fine-grained netlink socket mediation is not enforced (ie, you can use this userspace with an old kernel without any issues).
Testing:
* 14.10 system with current kernels lacking abstract, anonymous and fine-grained netlink socket mediation (non-Touch):
* https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: DONE (exploratory manual testing, lxc, libvirt, etc)
* 14.10 system kernel capable of supporting abstract, anonymous and fine-grained netlink socket mediation (non-Touch):
* https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: INPROGRESS (includes test-apparmor.py, exploratory manual testing, lxc, libvirt, etc)
* Verify everything in https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorProfiles: DONE (except juju since it doesn't have policy itself)
Justification:
This feature is required to support comprehensive application confinement on Ubuntu Touch. This feature adds a security benefit to libvirt's qemu guest isolation which is fundamental to Ubuntu on Server/Cloud. This feature also adds a welcome improvement to administrators wishing to further protect their systems.
Extra information:
While the apparmor userspace and kernel changes to support abstract, anonymous and fine-grained netlink socket can happen at different times, the apparmor userspace upload must correspond with uploads for packages that ship AppArmor policy that require updates (eg, libvirt, lxc, etc). The packages outlined in https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorProfiles have been tested to either work without modification to the policy or updated and tested to work with updated policy. Common rules will be added to the apparmor base abstraction such that most packages shipping apparmor policy will not require updating. These updates will be prepared, tested and published en masse via a silo ppa.
= linux =
Summary:
This feature freeze exception is requested for abstract, anonymous and fine-grained netlink socket via apparmor in the kernel. When used with a compatible apparmor userspace, 'unix' and 'network netlink' rules are supported. When used without a compatible apparmor userspace (eg, on a trusty system with an utopic backport kernel), abstract, anonymous and fine-grained netlink socket mediation is not enforced (ie, you can use this kernel with an old userspace without any issues).
Testing:
* 14.04 system with backported kernel: TODO
* test-apparmor.py: TODO (runs extensive tests (upstream and distro))
* exploratory manual testing: TODO (networking, aa-enforce with firefox, firefox works, apparmor blocks access, etc)
* aa-status: TODO
* lxc: TODO (containers can be created, started, shutdown)
* libvirt: TODO (VMs started via openstack, and test-libvirt.py from QRT passes all tests)
* 14.10 system (non-Touch) with updated kernel:
* https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: INPROGRESS (includes click-apparmor, apparmor-easyprof-ubuntu, exploratory manual testing, etc)
* 14.10 system (Touch) with updated kernel:
* https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: INPROGRESS (includes click-apparmor, apparmor-easyprof-ubuntu, exploratory manual testing, etc)
Justification:
This feature is required to support comprehensive application confinement on Ubuntu Touch. This feature adds a security benefit to libvirt's qemu guest isolation which is fundamental to Ubuntu on Server/Cloud. This feature also adds a welcome improvement to administrators wishing to further protect their systems. |
|
| 2014-09-08 20:54:53 |
Jamie Strandboge |
description |
Background: kernel and apparmor userspace updates to support abstract, anonymous and fine-grained netlink socket mediation. These packages are listed in one bug because they are related, but the FFes may be granted and the uploads may happen at different times.
= apparmor userspace =
Summary:
This feature freeze exception is requested for abstract, anonymous and fine-grained netlink socket for apparmor userspace. When used with a compatible kernel, 'unix' and 'network netlink' rules are supported. When used without a compatible apparmor userspace (eg, on a trusty system with an utopic backport kernel), abstract, anonymous and fine-grained netlink socket mediation is not enforced (ie, you can use this userspace with an old kernel without any issues).
Testing:
* 14.10 system with current kernels lacking abstract, anonymous and fine-grained netlink socket mediation (non-Touch):
* https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: DONE (exploratory manual testing, lxc, libvirt, etc)
* 14.10 system kernel capable of supporting abstract, anonymous and fine-grained netlink socket mediation (non-Touch):
* https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: INPROGRESS (includes test-apparmor.py, exploratory manual testing, lxc, libvirt, etc)
* Verify everything in https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorProfiles: DONE (except juju since it doesn't have policy itself)
Justification:
This feature is required to support comprehensive application confinement on Ubuntu Touch. This feature adds a security benefit to libvirt's qemu guest isolation which is fundamental to Ubuntu on Server/Cloud. This feature also adds a welcome improvement to administrators wishing to further protect their systems.
Extra information:
While the apparmor userspace and kernel changes to support abstract, anonymous and fine-grained netlink socket can happen at different times, the apparmor userspace upload must correspond with uploads for packages that ship AppArmor policy that require updates (eg, libvirt, lxc, etc). The packages outlined in https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorProfiles have been tested to either work without modification to the policy or updated and tested to work with updated policy. Common rules will be added to the apparmor base abstraction such that most packages shipping apparmor policy will not require updating. These updates will be prepared, tested and published en masse via a silo ppa.
= linux =
Summary:
This feature freeze exception is requested for abstract, anonymous and fine-grained netlink socket via apparmor in the kernel. When used with a compatible apparmor userspace, 'unix' and 'network netlink' rules are supported. When used without a compatible apparmor userspace (eg, on a trusty system with an utopic backport kernel), abstract, anonymous and fine-grained netlink socket mediation is not enforced (ie, you can use this kernel with an old userspace without any issues).
Testing:
* 14.04 system with backported kernel: TODO
* test-apparmor.py: TODO (runs extensive tests (upstream and distro))
* exploratory manual testing: TODO (networking, aa-enforce with firefox, firefox works, apparmor blocks access, etc)
* aa-status: TODO
* lxc: TODO (containers can be created, started, shutdown)
* libvirt: TODO (VMs started via openstack, and test-libvirt.py from QRT passes all tests)
* 14.10 system (non-Touch) with updated kernel:
* https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: INPROGRESS (includes click-apparmor, apparmor-easyprof-ubuntu, exploratory manual testing, etc)
* 14.10 system (Touch) with updated kernel:
* https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: INPROGRESS (includes click-apparmor, apparmor-easyprof-ubuntu, exploratory manual testing, etc)
Justification:
This feature is required to support comprehensive application confinement on Ubuntu Touch. This feature adds a security benefit to libvirt's qemu guest isolation which is fundamental to Ubuntu on Server/Cloud. This feature also adds a welcome improvement to administrators wishing to further protect their systems. |
Background: kernel and apparmor userspace updates to support abstract, anonymous and fine-grained netlink socket mediation. These packages are listed in one bug because they are related, but the FFes may be granted and the uploads may happen at different times.
= apparmor userspace =
Summary:
This feature freeze exception is requested for abstract, anonymous and fine-grained netlink socket for apparmor userspace. When used with a compatible kernel, 'unix' and 'network netlink' rules are supported. When used without a compatible apparmor userspace (eg, on a trusty system with an utopic backport kernel), abstract, anonymous and fine-grained netlink socket mediation is not enforced (ie, you can use this userspace with an old kernel without any issues).
Testing:
* 14.10 system with current kernels lacking abstract, anonymous and fine-grained netlink socket mediation (non-Touch):
* https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: DONE (exploratory manual testing, lxc, libvirt, etc)
* 14.10 system kernel capable of supporting abstract, anonymous and fine-grained netlink socket mediation (non-Touch):
* https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: INPROGRESS (includes test-apparmor.py, exploratory manual testing, lxc, libvirt, etc)
* Verify everything in https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorProfiles: DONE (except juju since it doesn't have policy itself)
Justification:
This feature is required to support comprehensive application confinement on Ubuntu Touch. This feature adds a security benefit to libvirt's qemu guest isolation which is fundamental to Ubuntu on Server/Cloud. This feature also adds a welcome improvement to administrators wishing to further protect their systems.
Extra information:
While the apparmor userspace and kernel changes to support abstract, anonymous and fine-grained netlink socket can happen at different times, the apparmor userspace upload must correspond with uploads for packages that ship AppArmor policy that require updates (eg, libvirt, lightdm, etc). The packages outlined in https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorProfiles have been tested to either work without modification to the policy or updated and tested to work with updated policy. Common rules will be added to the apparmor base abstraction such that most packages shipping apparmor policy will not require updating. These updates will be prepared, tested and published en masse via a silo ppa.
= linux =
Summary:
This feature freeze exception is requested for abstract, anonymous and fine-grained netlink socket via apparmor in the kernel. When used with a compatible apparmor userspace, 'unix' and 'network netlink' rules are supported. When used without a compatible apparmor userspace (eg, on a trusty system with an utopic backport kernel), abstract, anonymous and fine-grained netlink socket mediation is not enforced (ie, you can use this kernel with an old userspace without any issues).
Testing:
* 14.04 system with backported kernel: TODO
* test-apparmor.py: TODO (runs extensive tests (upstream and distro))
* exploratory manual testing: TODO (networking, aa-enforce with firefox, firefox works, apparmor blocks access, etc)
* aa-status: TODO
* lxc: TODO (containers can be created, started, shutdown)
* libvirt: TODO (VMs started via openstack, and test-libvirt.py from QRT passes all tests)
* 14.10 system (non-Touch) with updated kernel:
* https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: INPROGRESS (includes click-apparmor, apparmor-easyprof-ubuntu, exploratory manual testing, etc)
* 14.10 system (Touch) with updated kernel:
* https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: INPROGRESS (includes click-apparmor, apparmor-easyprof-ubuntu, exploratory manual testing, etc)
Justification:
This feature is required to support comprehensive application confinement on Ubuntu Touch. This feature adds a security benefit to libvirt's qemu guest isolation which is fundamental to Ubuntu on Server/Cloud. This feature also adds a welcome improvement to administrators wishing to further protect their systems. |
|
| 2014-09-09 02:58:51 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/utopic-proposed/lightdm |
|
| 2014-09-09 02:59:14 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/utopic-proposed/rsyslog |
|
| 2014-09-09 03:08:13 |
Launchpad Janitor |
libvirt (Ubuntu): status |
In Progress |
Fix Released |
|
| 2014-09-09 03:14:13 |
Launchpad Janitor |
lightdm (Ubuntu): status |
In Progress |
Fix Released |
|
| 2014-09-09 03:42:01 |
Launchpad Janitor |
rsyslog (Ubuntu): status |
In Progress |
Fix Released |
|
| 2014-09-09 04:10:59 |
Launchpad Janitor |
apparmor-easyprof-ubuntu (Ubuntu): status |
In Progress |
Fix Released |
|
| 2014-09-09 04:10:56 |
Launchpad Janitor |
apparmor (Ubuntu): status |
In Progress |
Fix Released |
|
| 2014-09-09 13:24:20 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/utopic-proposed/tlsdate |
|
| 2014-09-09 13:38:02 |
Launchpad Janitor |
tlsdate (Ubuntu): status |
In Progress |
Fix Released |
|
| 2014-09-17 21:15:10 |
Jamie Strandboge |
linux (Ubuntu): importance |
Undecided |
Critical |
|
| 2014-09-17 21:15:32 |
Jamie Strandboge |
linux (Ubuntu): importance |
Critical |
High |
|
| 2014-09-18 21:29:15 |
Jamie Strandboge |
bug task added |
|
linux-mako (Ubuntu) |
|
| 2014-09-18 21:29:33 |
Jamie Strandboge |
bug task added |
|
linux-goldfish (Ubuntu) |
|
| 2014-09-18 21:29:48 |
Jamie Strandboge |
bug task added |
|
linux-flo (Ubuntu) |
|
| 2014-09-18 21:30:08 |
Jamie Strandboge |
bug task added |
|
linux-manta (Ubuntu) |
|
| 2014-09-18 21:30:26 |
Jamie Strandboge |
linux-mako (Ubuntu): importance |
Undecided |
High |
|
| 2014-09-18 21:30:26 |
Jamie Strandboge |
linux-mako (Ubuntu): status |
New |
In Progress |
|
| 2014-09-18 21:30:39 |
Jamie Strandboge |
linux (Ubuntu): importance |
High |
Critical |
|
| 2014-09-18 21:30:51 |
Jamie Strandboge |
linux (Ubuntu): importance |
Critical |
High |
|
| 2014-09-18 21:31:07 |
Jamie Strandboge |
linux-mako (Ubuntu): importance |
High |
Critical |
|
| 2014-09-18 21:31:25 |
Jamie Strandboge |
linux-goldfish (Ubuntu): importance |
Undecided |
High |
|
| 2014-09-18 21:31:25 |
Jamie Strandboge |
linux-goldfish (Ubuntu): status |
New |
In Progress |
|
| 2014-09-18 21:31:49 |
Jamie Strandboge |
linux-manta (Ubuntu): importance |
Undecided |
High |
|
| 2014-09-18 21:31:49 |
Jamie Strandboge |
linux-manta (Ubuntu): status |
New |
In Progress |
|
| 2014-09-18 21:32:09 |
Jamie Strandboge |
linux-flo (Ubuntu): importance |
Undecided |
High |
|
| 2014-09-18 21:32:09 |
Jamie Strandboge |
linux-flo (Ubuntu): status |
New |
In Progress |
|
| 2014-09-18 21:32:47 |
Jamie Strandboge |
linux-mako (Ubuntu): importance |
Critical |
High |
|
| 2014-09-19 11:32:23 |
Victor Tuson Palau |
tags |
kernel-bot-stop-nagging kernel-da-key rtm14 touch-2014-09-11 |
kernel-bot-stop-nagging kernel-da-key touch-2014-09-11 |
|
| 2014-09-22 18:36:01 |
Andy Whitcroft |
linux-manta (Ubuntu): status |
In Progress |
Fix Committed |
|
| 2014-09-22 18:36:08 |
Andy Whitcroft |
linux-mako (Ubuntu): status |
In Progress |
Fix Committed |
|
| 2014-09-22 18:36:14 |
Andy Whitcroft |
linux-flo (Ubuntu): status |
In Progress |
Fix Committed |
|
| 2014-09-22 21:42:37 |
Launchpad Janitor |
linux (Ubuntu): status |
In Progress |
Fix Released |
|
| 2014-09-23 03:08:04 |
Launchpad Janitor |
linux-goldfish (Ubuntu): status |
In Progress |
Fix Released |
|
| 2014-09-23 03:08:09 |
Launchpad Janitor |
linux-mako (Ubuntu): status |
Fix Committed |
Fix Released |
|
| 2014-09-23 03:08:12 |
Launchpad Janitor |
linux-manta (Ubuntu): status |
Fix Committed |
Fix Released |
|
| 2014-09-23 03:12:15 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/utopic-proposed/linux-flo |
|
| 2014-09-23 03:13:14 |
Launchpad Janitor |
linux-flo (Ubuntu): status |
Fix Committed |
Fix Released |
|
| 2014-10-30 08:41:25 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/apparmor-easyprof-ubuntu |
|
