| 2016-11-11 23:00:35 |
Tyler Hicks |
bug |
|
|
added bug |
| 2016-11-11 23:20:45 |
Tyler Hicks |
description |
[Rationale]
For backporting snapd to 14.04 LTS, we need to provide proper AppArmor confinement for snaps when running under the 16.04 hardware enablement kernel. The apparmor userspace package in 14.04 is missing support key mediation features such as UNIX domain socket rules, AppArmor policy namespaces, and AppArmor profile stacking. UNIX domain socket mediation is needed by nearly all snaps. AppArmor policy namespaces and profile stacking are needed by the lxd snap. |
[Rationale]
For backporting snapd to 14.04 LTS, we need to provide proper AppArmor confinement for snaps when running under the 16.04 hardware enablement kernel. The apparmor userspace package in 14.04 is missing support key mediation features such as UNIX domain socket rules, AppArmor policy namespaces, and AppArmor profile stacking. UNIX domain socket mediation is needed by nearly all snaps. AppArmor policy namespaces and profile stacking are needed by the lxd snap.
Unfortunately, it was not feasible to backport the individual features to the 14.04 apparmor package as they're quite complex and have a large number of dependency patches. Additionally, the AppArmor policy abstractions from Ubuntu 16.04 are needed to provide proper snap confinement. Because of these two reasons, the decision to bring 16.04's apparmor package to 14.04 was (very carefully) made.
[Test Case]
https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor
This update will go through the Test Plan as well as manual testing to verify that snap confinement on 14.04 does work. Manual tests include installing snapd in 14.04 and running simple snaps such as pwgen-tyhicks and hello-world, as well as a much more complex snap such as lxd.
[Regression Potential]
High. We must be extremely careful to not regress existing, confined applications in Ubuntu 14.04. We are lucky that the upstream AppArmor project has extensive regression tests and that the Ubuntu Security team adds even more testing via the AppArmor Test Plan.
Care was taken to minimally change how the AppArmor policies are loaded during the boot process. I also verified that the abstractions shipped in apparmor and the profiles shipped in apparmor-profiles are the same across this SRU update. Additionally, I've ran the following regression tests from lp:qa-regression-testing (these packages ship an AppArmor profile):
test-apache2-mpm-event.py
test-apache2-mpm-itk.py
test-apache2-mpm-perchild.py
test-apache2-mpm-prefork.py
test-apache2-mpm-worker.py
test-bind9.py
test-clamav.py
test-cups.py
test-dhcp.py
test-mysql.py
test-ntp.py
test-openldap.py
test-rsyslog.py
test-squid.py
test-tcpdump.py |
|
| 2016-11-11 23:21:16 |
Tyler Hicks |
nominated for series |
|
Ubuntu Trusty |
|
| 2016-11-11 23:21:16 |
Tyler Hicks |
bug task added |
|
apparmor (Ubuntu Trusty) |
|
| 2016-11-11 23:21:30 |
Tyler Hicks |
apparmor (Ubuntu): status |
In Progress |
Invalid |
|
| 2016-11-11 23:21:39 |
Tyler Hicks |
apparmor (Ubuntu Trusty): status |
New |
In Progress |
|
| 2016-11-11 23:21:41 |
Tyler Hicks |
apparmor (Ubuntu Trusty): importance |
Undecided |
High |
|
| 2016-11-11 23:21:43 |
Tyler Hicks |
apparmor (Ubuntu): importance |
High |
Undecided |
|
| 2016-11-11 23:21:45 |
Tyler Hicks |
apparmor (Ubuntu): assignee |
Tyler Hicks (tyhicks) |
|
|
| 2016-11-11 23:21:47 |
Tyler Hicks |
apparmor (Ubuntu Trusty): assignee |
|
Tyler Hicks (tyhicks) |
|
| 2016-11-12 00:08:17 |
Tyler Hicks |
bug task added |
|
dbus (Ubuntu) |
|
| 2016-11-12 00:08:26 |
Tyler Hicks |
dbus (Ubuntu): status |
New |
Invalid |
|
| 2016-11-12 00:08:33 |
Tyler Hicks |
dbus (Ubuntu Trusty): status |
New |
Confirmed |
|
| 2016-11-12 00:08:37 |
Tyler Hicks |
dbus (Ubuntu Trusty): importance |
Undecided |
High |
|
| 2016-11-12 00:08:41 |
Tyler Hicks |
dbus (Ubuntu Trusty): importance |
High |
Medium |
|
| 2016-11-12 00:08:43 |
Tyler Hicks |
dbus (Ubuntu Trusty): assignee |
|
Tyler Hicks (tyhicks) |
|
| 2016-11-12 18:24:00 |
Steve Langasek |
apparmor (Ubuntu Trusty): status |
In Progress |
Incomplete |
|
| 2016-11-29 23:36:37 |
Tyler Hicks |
description |
[Rationale]
For backporting snapd to 14.04 LTS, we need to provide proper AppArmor confinement for snaps when running under the 16.04 hardware enablement kernel. The apparmor userspace package in 14.04 is missing support key mediation features such as UNIX domain socket rules, AppArmor policy namespaces, and AppArmor profile stacking. UNIX domain socket mediation is needed by nearly all snaps. AppArmor policy namespaces and profile stacking are needed by the lxd snap.
Unfortunately, it was not feasible to backport the individual features to the 14.04 apparmor package as they're quite complex and have a large number of dependency patches. Additionally, the AppArmor policy abstractions from Ubuntu 16.04 are needed to provide proper snap confinement. Because of these two reasons, the decision to bring 16.04's apparmor package to 14.04 was (very carefully) made.
[Test Case]
https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor
This update will go through the Test Plan as well as manual testing to verify that snap confinement on 14.04 does work. Manual tests include installing snapd in 14.04 and running simple snaps such as pwgen-tyhicks and hello-world, as well as a much more complex snap such as lxd.
[Regression Potential]
High. We must be extremely careful to not regress existing, confined applications in Ubuntu 14.04. We are lucky that the upstream AppArmor project has extensive regression tests and that the Ubuntu Security team adds even more testing via the AppArmor Test Plan.
Care was taken to minimally change how the AppArmor policies are loaded during the boot process. I also verified that the abstractions shipped in apparmor and the profiles shipped in apparmor-profiles are the same across this SRU update. Additionally, I've ran the following regression tests from lp:qa-regression-testing (these packages ship an AppArmor profile):
test-apache2-mpm-event.py
test-apache2-mpm-itk.py
test-apache2-mpm-perchild.py
test-apache2-mpm-prefork.py
test-apache2-mpm-worker.py
test-bind9.py
test-clamav.py
test-cups.py
test-dhcp.py
test-mysql.py
test-ntp.py
test-openldap.py
test-rsyslog.py
test-squid.py
test-tcpdump.py |
[Rationale]
For backporting snapd to 14.04 LTS, we need to provide proper AppArmor confinement for snaps when running under the 16.04 hardware enablement kernel. The apparmor userspace package in 14.04 is missing support key mediation features such as UNIX domain socket rules, AppArmor policy namespaces, and AppArmor profile stacking. UNIX domain socket mediation is needed by nearly all snaps. AppArmor policy namespaces and profile stacking are needed by the lxd snap.
Unfortunately, it was not feasible to backport the individual features to the 14.04 apparmor package as they're quite complex and have a large number of dependency patches. Additionally, the AppArmor policy abstractions from Ubuntu 16.04 are needed to provide proper snap confinement. Because of these two reasons, the decision to bring 16.04's apparmor package to 14.04 was (very carefully) made.
[Test Case]
https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor
This update will go through the Test Plan as well as manual testing to verify that snap confinement on 14.04 does work. Manual tests include installing snapd in 14.04 and running simple snaps such as pwgen-tyhicks and hello-world, as well as a much more complex snap such as lxd.
The following regression tests from lp:qa-regression-testing (these packages ship an AppArmor profile) can be used to verify that their respective packages do not regress:
test-apache2-mpm-event.py
test-apache2-mpm-itk.py
test-apache2-mpm-perchild.py
test-apache2-mpm-prefork.py
test-apache2-mpm-worker.py
test-bind9.py
test-clamav.py
test-cups.py
test-dhcp.py
test-mysql.py
test-ntp.py
test-openldap.py
test-rsyslog.py
test-squid.py
test-tcpdump.py
Additionally, manually testing evince, which is confined by an AppArmor profile, should be done.
[Regression Potential]
High. We must be extremely careful to not regress existing, confined applications in Ubuntu 14.04. We are lucky that the upstream AppArmor project has extensive regression tests and that the Ubuntu Security team adds even more testing via the AppArmor Test Plan.
Care was taken to minimally change how the AppArmor policies are loaded during the boot process. I also verified that the abstractions shipped in apparmor and the profiles shipped in apparmor-profiles are the same across this SRU update. |
|
| 2016-11-29 23:59:36 |
Tyler Hicks |
description |
[Rationale]
For backporting snapd to 14.04 LTS, we need to provide proper AppArmor confinement for snaps when running under the 16.04 hardware enablement kernel. The apparmor userspace package in 14.04 is missing support key mediation features such as UNIX domain socket rules, AppArmor policy namespaces, and AppArmor profile stacking. UNIX domain socket mediation is needed by nearly all snaps. AppArmor policy namespaces and profile stacking are needed by the lxd snap.
Unfortunately, it was not feasible to backport the individual features to the 14.04 apparmor package as they're quite complex and have a large number of dependency patches. Additionally, the AppArmor policy abstractions from Ubuntu 16.04 are needed to provide proper snap confinement. Because of these two reasons, the decision to bring 16.04's apparmor package to 14.04 was (very carefully) made.
[Test Case]
https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor
This update will go through the Test Plan as well as manual testing to verify that snap confinement on 14.04 does work. Manual tests include installing snapd in 14.04 and running simple snaps such as pwgen-tyhicks and hello-world, as well as a much more complex snap such as lxd.
The following regression tests from lp:qa-regression-testing (these packages ship an AppArmor profile) can be used to verify that their respective packages do not regress:
test-apache2-mpm-event.py
test-apache2-mpm-itk.py
test-apache2-mpm-perchild.py
test-apache2-mpm-prefork.py
test-apache2-mpm-worker.py
test-bind9.py
test-clamav.py
test-cups.py
test-dhcp.py
test-mysql.py
test-ntp.py
test-openldap.py
test-rsyslog.py
test-squid.py
test-tcpdump.py
Additionally, manually testing evince, which is confined by an AppArmor profile, should be done.
[Regression Potential]
High. We must be extremely careful to not regress existing, confined applications in Ubuntu 14.04. We are lucky that the upstream AppArmor project has extensive regression tests and that the Ubuntu Security team adds even more testing via the AppArmor Test Plan.
Care was taken to minimally change how the AppArmor policies are loaded during the boot process. I also verified that the abstractions shipped in apparmor and the profiles shipped in apparmor-profiles are the same across this SRU update. |
[Rationale]
For backporting snapd to 14.04 LTS, we need to provide proper AppArmor confinement for snaps when running under the 16.04 hardware enablement kernel. The apparmor userspace package in 14.04 is missing support key mediation features such as UNIX domain socket rules, AppArmor policy namespaces, and AppArmor profile stacking. UNIX domain socket mediation is needed by nearly all snaps. AppArmor policy namespaces and profile stacking are needed by the lxd snap.
Unfortunately, it was not feasible to backport the individual features to the 14.04 apparmor package as they're quite complex and have a large number of dependency patches. Additionally, the AppArmor policy abstractions from Ubuntu 16.04 are needed to provide proper snap confinement. Because of these two reasons, the decision to bring 16.04's apparmor package to 14.04 was (very carefully) made.
[Test Case]
https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor
This update will go through the Test Plan as well as manual testing to verify that snap confinement on 14.04 does work. Manual tests include installing snapd in 14.04 and running simple snaps such as pwgen-tyhicks and hello-world, as well as a much more complex snap such as lxd.
The following regression tests from lp:qa-regression-testing (these packages ship an AppArmor profile) can be used to verify that their respective packages do not regress:
test-apache2-mpm-event.py
test-apache2-mpm-itk.py
test-apache2-mpm-perchild.py
test-apache2-mpm-prefork.py
test-apache2-mpm-worker.py
test-bind9.py
test-clamav.py
test-cups.py
test-dhcp.py
test-mysql.py
test-ntp.py
test-openldap.py
test-rsyslog.py
test-squid.py
test-strongswan.py
test-tcpdump.py
Additionally, manually testing evince, which is confined by an AppArmor profile, should be done.
[Regression Potential]
High. We must be extremely careful to not regress existing, confined applications in Ubuntu 14.04. We are lucky that the upstream AppArmor project has extensive regression tests and that the Ubuntu Security team adds even more testing via the AppArmor Test Plan.
Care was taken to minimally change how the AppArmor policies are loaded during the boot process. I also verified that the abstractions shipped in apparmor and the profiles shipped in apparmor-profiles are the same across this SRU update. |
|
| 2016-11-30 00:23:57 |
Tyler Hicks |
description |
[Rationale]
For backporting snapd to 14.04 LTS, we need to provide proper AppArmor confinement for snaps when running under the 16.04 hardware enablement kernel. The apparmor userspace package in 14.04 is missing support key mediation features such as UNIX domain socket rules, AppArmor policy namespaces, and AppArmor profile stacking. UNIX domain socket mediation is needed by nearly all snaps. AppArmor policy namespaces and profile stacking are needed by the lxd snap.
Unfortunately, it was not feasible to backport the individual features to the 14.04 apparmor package as they're quite complex and have a large number of dependency patches. Additionally, the AppArmor policy abstractions from Ubuntu 16.04 are needed to provide proper snap confinement. Because of these two reasons, the decision to bring 16.04's apparmor package to 14.04 was (very carefully) made.
[Test Case]
https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor
This update will go through the Test Plan as well as manual testing to verify that snap confinement on 14.04 does work. Manual tests include installing snapd in 14.04 and running simple snaps such as pwgen-tyhicks and hello-world, as well as a much more complex snap such as lxd.
The following regression tests from lp:qa-regression-testing (these packages ship an AppArmor profile) can be used to verify that their respective packages do not regress:
test-apache2-mpm-event.py
test-apache2-mpm-itk.py
test-apache2-mpm-perchild.py
test-apache2-mpm-prefork.py
test-apache2-mpm-worker.py
test-bind9.py
test-clamav.py
test-cups.py
test-dhcp.py
test-mysql.py
test-ntp.py
test-openldap.py
test-rsyslog.py
test-squid.py
test-strongswan.py
test-tcpdump.py
Additionally, manually testing evince, which is confined by an AppArmor profile, should be done.
[Regression Potential]
High. We must be extremely careful to not regress existing, confined applications in Ubuntu 14.04. We are lucky that the upstream AppArmor project has extensive regression tests and that the Ubuntu Security team adds even more testing via the AppArmor Test Plan.
Care was taken to minimally change how the AppArmor policies are loaded during the boot process. I also verified that the abstractions shipped in apparmor and the profiles shipped in apparmor-profiles are the same across this SRU update. |
[Rationale]
For backporting snapd to 14.04 LTS, we need to provide proper AppArmor confinement for snaps when running under the 16.04 hardware enablement kernel. The apparmor userspace package in 14.04 is missing support key mediation features such as UNIX domain socket rules, AppArmor policy namespaces, and AppArmor profile stacking. UNIX domain socket mediation is needed by nearly all snaps. AppArmor policy namespaces and profile stacking are needed by the lxd snap.
Unfortunately, it was not feasible to backport the individual features to the 14.04 apparmor package as they're quite complex and have a large number of dependency patches. Additionally, the AppArmor policy abstractions from Ubuntu 16.04 are needed to provide proper snap confinement. Because of these two reasons, the decision to bring 16.04's apparmor package to 14.04 was (very carefully) made.
[Test Case]
https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor
This update will go through the Test Plan as well as manual testing to verify that snap confinement on 14.04 does work. Manual tests include installing snapd in 14.04 and running simple snaps such as pwgen-tyhicks and hello-world, as well as a much more complex snap such as lxd.
The following regression tests from lp:qa-regression-testing (these packages ship an AppArmor profile) can be used to verify that their respective packages do not regress:
test-apache2-mpm-event.py
test-apache2-mpm-itk.py
test-apache2-mpm-perchild.py
test-apache2-mpm-prefork.py
test-apache2-mpm-worker.py
test-bind9.py
test-clamav.py
test-cups.py
test-dhcp.py
test-mysql.py
test-ntp.py
test-openldap.py
test-rsyslog.py
test-squid.py
test-strongswan.py
test-tcpdump.py
Additionally, manually testing evince, which is confined by an AppArmor profile, should be done. The manual test should check basic functionality as well as for proper confinement (`ps auxZ` output).
[Regression Potential]
High. We must be extremely careful to not regress existing, confined applications in Ubuntu 14.04. We are lucky that the upstream AppArmor project has extensive regression tests and that the Ubuntu Security team adds even more testing via the AppArmor Test Plan.
Care was taken to minimally change how the AppArmor policies are loaded during the boot process. I also verified that the abstractions shipped in apparmor and the profiles shipped in apparmor-profiles are the same across this SRU update. |
|
| 2016-11-30 00:59:17 |
Tyler Hicks |
description |
[Rationale]
For backporting snapd to 14.04 LTS, we need to provide proper AppArmor confinement for snaps when running under the 16.04 hardware enablement kernel. The apparmor userspace package in 14.04 is missing support key mediation features such as UNIX domain socket rules, AppArmor policy namespaces, and AppArmor profile stacking. UNIX domain socket mediation is needed by nearly all snaps. AppArmor policy namespaces and profile stacking are needed by the lxd snap.
Unfortunately, it was not feasible to backport the individual features to the 14.04 apparmor package as they're quite complex and have a large number of dependency patches. Additionally, the AppArmor policy abstractions from Ubuntu 16.04 are needed to provide proper snap confinement. Because of these two reasons, the decision to bring 16.04's apparmor package to 14.04 was (very carefully) made.
[Test Case]
https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor
This update will go through the Test Plan as well as manual testing to verify that snap confinement on 14.04 does work. Manual tests include installing snapd in 14.04 and running simple snaps such as pwgen-tyhicks and hello-world, as well as a much more complex snap such as lxd.
The following regression tests from lp:qa-regression-testing (these packages ship an AppArmor profile) can be used to verify that their respective packages do not regress:
test-apache2-mpm-event.py
test-apache2-mpm-itk.py
test-apache2-mpm-perchild.py
test-apache2-mpm-prefork.py
test-apache2-mpm-worker.py
test-bind9.py
test-clamav.py
test-cups.py
test-dhcp.py
test-mysql.py
test-ntp.py
test-openldap.py
test-rsyslog.py
test-squid.py
test-strongswan.py
test-tcpdump.py
Additionally, manually testing evince, which is confined by an AppArmor profile, should be done. The manual test should check basic functionality as well as for proper confinement (`ps auxZ` output).
[Regression Potential]
High. We must be extremely careful to not regress existing, confined applications in Ubuntu 14.04. We are lucky that the upstream AppArmor project has extensive regression tests and that the Ubuntu Security team adds even more testing via the AppArmor Test Plan.
Care was taken to minimally change how the AppArmor policies are loaded during the boot process. I also verified that the abstractions shipped in apparmor and the profiles shipped in apparmor-profiles are the same across this SRU update. |
[Rationale]
For backporting snapd to 14.04 LTS, we need to provide proper AppArmor confinement for snaps when running under the 16.04 hardware enablement kernel. The apparmor userspace package in 14.04 is missing support key mediation features such as UNIX domain socket rules, AppArmor policy namespaces, and AppArmor profile stacking. UNIX domain socket mediation is needed by nearly all snaps. AppArmor policy namespaces and profile stacking are needed by the lxd snap.
Unfortunately, it was not feasible to backport the individual features to the 14.04 apparmor package as they're quite complex and have a large number of dependency patches. Additionally, the AppArmor policy abstractions from Ubuntu 16.04 are needed to provide proper snap confinement. Because of these two reasons, the decision to bring 16.04's apparmor package to 14.04 was (very carefully) made.
[Test Case]
https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor
This update will go through the Test Plan as well as manual testing to verify that snap confinement on 14.04 does work. Manual tests include installing snapd in 14.04 and running simple snaps such as pwgen-tyhicks and hello-world, as well as a much more complex snap such as lxd.
The following regression tests from lp:qa-regression-testing (these packages ship an AppArmor profile) can be used to verify that their respective packages do not regress:
test-apache2-mpm-event.py
test-apache2-mpm-itk.py
test-apache2-mpm-perchild.py
test-apache2-mpm-prefork.py
test-apache2-mpm-worker.py
test-bind9.py
test-clamav.py
test-cups.py
test-dhcp.py
test-mysql.py
test-ntp.py
test-openldap.py
test-rsyslog.py
test-squid.py
test-strongswan.py
test-tcpdump.py
I have a branch of lp:qa-regression-testing (unmerged, currently at https://code.launchpad.net/~tyhicks/+git/qa-regression-testing/+ref/apparmor-trusty-sru) that pulls in the parser and regression tests from the apparmor 2.8.95~2430-0ubuntu5.3 package currently shipping in Trusty, in addition to the tests in the 2.10.95 based package.
Additionally, manually testing evince, which is confined by an AppArmor profile, should be done. The manual test should check basic functionality as well as for proper confinement (`ps auxZ` output).
[Regression Potential]
High. We must be extremely careful to not regress existing, confined applications in Ubuntu 14.04. We are lucky that the upstream AppArmor project has extensive regression tests and that the Ubuntu Security team adds even more testing via the AppArmor Test Plan.
Care was taken to minimally change how the AppArmor policies are loaded during the boot process. I also verified that the abstractions shipped in apparmor and the profiles shipped in apparmor-profiles are the same across this SRU update. |
|
| 2016-11-30 01:07:29 |
Tyler Hicks |
apparmor (Ubuntu Trusty): status |
Incomplete |
New |
|
| 2016-11-30 01:07:40 |
Tyler Hicks |
apparmor (Ubuntu Trusty): status |
New |
In Progress |
|
| 2016-11-30 01:07:42 |
Tyler Hicks |
dbus (Ubuntu Trusty): status |
Confirmed |
In Progress |
|
| 2016-12-01 02:50:36 |
Tyler Hicks |
description |
[Rationale]
For backporting snapd to 14.04 LTS, we need to provide proper AppArmor confinement for snaps when running under the 16.04 hardware enablement kernel. The apparmor userspace package in 14.04 is missing support key mediation features such as UNIX domain socket rules, AppArmor policy namespaces, and AppArmor profile stacking. UNIX domain socket mediation is needed by nearly all snaps. AppArmor policy namespaces and profile stacking are needed by the lxd snap.
Unfortunately, it was not feasible to backport the individual features to the 14.04 apparmor package as they're quite complex and have a large number of dependency patches. Additionally, the AppArmor policy abstractions from Ubuntu 16.04 are needed to provide proper snap confinement. Because of these two reasons, the decision to bring 16.04's apparmor package to 14.04 was (very carefully) made.
[Test Case]
https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor
This update will go through the Test Plan as well as manual testing to verify that snap confinement on 14.04 does work. Manual tests include installing snapd in 14.04 and running simple snaps such as pwgen-tyhicks and hello-world, as well as a much more complex snap such as lxd.
The following regression tests from lp:qa-regression-testing (these packages ship an AppArmor profile) can be used to verify that their respective packages do not regress:
test-apache2-mpm-event.py
test-apache2-mpm-itk.py
test-apache2-mpm-perchild.py
test-apache2-mpm-prefork.py
test-apache2-mpm-worker.py
test-bind9.py
test-clamav.py
test-cups.py
test-dhcp.py
test-mysql.py
test-ntp.py
test-openldap.py
test-rsyslog.py
test-squid.py
test-strongswan.py
test-tcpdump.py
I have a branch of lp:qa-regression-testing (unmerged, currently at https://code.launchpad.net/~tyhicks/+git/qa-regression-testing/+ref/apparmor-trusty-sru) that pulls in the parser and regression tests from the apparmor 2.8.95~2430-0ubuntu5.3 package currently shipping in Trusty, in addition to the tests in the 2.10.95 based package.
Additionally, manually testing evince, which is confined by an AppArmor profile, should be done. The manual test should check basic functionality as well as for proper confinement (`ps auxZ` output).
[Regression Potential]
High. We must be extremely careful to not regress existing, confined applications in Ubuntu 14.04. We are lucky that the upstream AppArmor project has extensive regression tests and that the Ubuntu Security team adds even more testing via the AppArmor Test Plan.
Care was taken to minimally change how the AppArmor policies are loaded during the boot process. I also verified that the abstractions shipped in apparmor and the profiles shipped in apparmor-profiles are the same across this SRU update. |
= apparmor SRU =
[Rationale]
For backporting snapd to 14.04 LTS, we need to provide proper AppArmor confinement for snaps when running under the 16.04 hardware enablement kernel. The apparmor userspace package in 14.04 is missing support key mediation features such as UNIX domain socket rules, AppArmor policy namespaces, and AppArmor profile stacking. UNIX domain socket mediation is needed by nearly all snaps. AppArmor policy namespaces and profile stacking are needed by the lxd snap.
Unfortunately, it was not feasible to backport the individual features to the 14.04 apparmor package as they're quite complex and have a large number of dependency patches. Additionally, the AppArmor policy abstractions from Ubuntu 16.04 are needed to provide proper snap confinement. Because of these two reasons, the decision to bring 16.04's apparmor package to 14.04 was (very carefully) made.
[Test Case]
https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor
This update will go through the Test Plan as well as manual testing to verify that snap confinement on 14.04 does work. Manual tests include installing snapd in 14.04 and running simple snaps such as pwgen-tyhicks and hello-world, as well as a much more complex snap such as lxd.
The following regression tests from lp:qa-regression-testing (these packages ship an AppArmor profile) can be used to verify that their respective packages do not regress:
test-apache2-mpm-event.py
test-apache2-mpm-itk.py
test-apache2-mpm-perchild.py
test-apache2-mpm-prefork.py
test-apache2-mpm-worker.py
test-bind9.py
test-clamav.py
test-cups.py
test-dhcp.py
test-mysql.py
test-ntp.py
test-openldap.py
test-rsyslog.py
test-squid.py
test-strongswan.py
test-tcpdump.py
I have a branch of lp:qa-regression-testing (unmerged, currently at https://code.launchpad.net/~tyhicks/+git/qa-regression-testing/+ref/apparmor-trusty-sru) that pulls in the parser and regression tests from the apparmor 2.8.95~2430-0ubuntu5.3 package currently shipping in Trusty, in addition to the tests in the 2.10.95 based package.
Additionally, manually testing evince, which is confined by an AppArmor profile, should be done. The manual test should check basic functionality as well as for proper confinement (`ps auxZ` output).
[Regression Potential]
High. We must be extremely careful to not regress existing, confined applications in Ubuntu 14.04. We are lucky that the upstream AppArmor project has extensive regression tests and that the Ubuntu Security team adds even more testing via the AppArmor Test Plan.
Care was taken to minimally change how the AppArmor policies are loaded during the boot process. I also verified that the abstractions shipped in apparmor and the profiles shipped in apparmor-profiles are the same across this SRU update.
= dbus SRU =
[Rationale]
For backporting snapd to 14.04 LTS, we need to provide proper D-Bus mediation for snaps when running under the 16.04 hardware enablement kernel. The dbus package in 14.04 is missing support for blocking unrequested reply messages. This functionality was added to the D-Bus AppArmor mediation patches after 14.04 was released but before the patches were merged upstream in dbus. The idea is to prevent a malicious snap from attacking another snap, over D-Bus, with unrequested reply messages and also to prevent two connections from subverting the snap confinement by communicating via unrequested reply messages.
[Test Case]
The upstream AppArmor userspace project has thorough tests for D-Bus mediation, including unrequested replies. Its tests/regression/apparmor/dbus_*.sh tests should be ran before and after updating to the dbus SRU. Before updating, the dbus_unrequested_reply.sh should fail and should pass after updating.
In addition, the test-dbus.py tests from lp:qa-regression-testing should be ran to verify basic D-Bus functionality.
This update will go through the Test Plan as well as manual testing to verify that snap confinement on 14.04 does work. Manual tests include installing snapd in 14.04 and running simple snaps such as pwgen-tyhicks and hello-world, as well as a much more complex snap such as lxd.
[Regression Potential]
Low. There's no use for unrequested D-Bus reply messages and silently dropping them for AppArmor confined applications should have no unintended side effects. The unrequested reply protections have been present in releases after 14.04 and have not caused any issues. |
|
| 2016-12-01 02:54:00 |
Tyler Hicks |
apparmor (Ubuntu Trusty): status |
In Progress |
Incomplete |
|
| 2016-12-01 03:21:36 |
Tyler Hicks |
description |
= apparmor SRU =
[Rationale]
For backporting snapd to 14.04 LTS, we need to provide proper AppArmor confinement for snaps when running under the 16.04 hardware enablement kernel. The apparmor userspace package in 14.04 is missing support key mediation features such as UNIX domain socket rules, AppArmor policy namespaces, and AppArmor profile stacking. UNIX domain socket mediation is needed by nearly all snaps. AppArmor policy namespaces and profile stacking are needed by the lxd snap.
Unfortunately, it was not feasible to backport the individual features to the 14.04 apparmor package as they're quite complex and have a large number of dependency patches. Additionally, the AppArmor policy abstractions from Ubuntu 16.04 are needed to provide proper snap confinement. Because of these two reasons, the decision to bring 16.04's apparmor package to 14.04 was (very carefully) made.
[Test Case]
https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor
This update will go through the Test Plan as well as manual testing to verify that snap confinement on 14.04 does work. Manual tests include installing snapd in 14.04 and running simple snaps such as pwgen-tyhicks and hello-world, as well as a much more complex snap such as lxd.
The following regression tests from lp:qa-regression-testing (these packages ship an AppArmor profile) can be used to verify that their respective packages do not regress:
test-apache2-mpm-event.py
test-apache2-mpm-itk.py
test-apache2-mpm-perchild.py
test-apache2-mpm-prefork.py
test-apache2-mpm-worker.py
test-bind9.py
test-clamav.py
test-cups.py
test-dhcp.py
test-mysql.py
test-ntp.py
test-openldap.py
test-rsyslog.py
test-squid.py
test-strongswan.py
test-tcpdump.py
I have a branch of lp:qa-regression-testing (unmerged, currently at https://code.launchpad.net/~tyhicks/+git/qa-regression-testing/+ref/apparmor-trusty-sru) that pulls in the parser and regression tests from the apparmor 2.8.95~2430-0ubuntu5.3 package currently shipping in Trusty, in addition to the tests in the 2.10.95 based package.
Additionally, manually testing evince, which is confined by an AppArmor profile, should be done. The manual test should check basic functionality as well as for proper confinement (`ps auxZ` output).
[Regression Potential]
High. We must be extremely careful to not regress existing, confined applications in Ubuntu 14.04. We are lucky that the upstream AppArmor project has extensive regression tests and that the Ubuntu Security team adds even more testing via the AppArmor Test Plan.
Care was taken to minimally change how the AppArmor policies are loaded during the boot process. I also verified that the abstractions shipped in apparmor and the profiles shipped in apparmor-profiles are the same across this SRU update.
= dbus SRU =
[Rationale]
For backporting snapd to 14.04 LTS, we need to provide proper D-Bus mediation for snaps when running under the 16.04 hardware enablement kernel. The dbus package in 14.04 is missing support for blocking unrequested reply messages. This functionality was added to the D-Bus AppArmor mediation patches after 14.04 was released but before the patches were merged upstream in dbus. The idea is to prevent a malicious snap from attacking another snap, over D-Bus, with unrequested reply messages and also to prevent two connections from subverting the snap confinement by communicating via unrequested reply messages.
[Test Case]
The upstream AppArmor userspace project has thorough tests for D-Bus mediation, including unrequested replies. Its tests/regression/apparmor/dbus_*.sh tests should be ran before and after updating to the dbus SRU. Before updating, the dbus_unrequested_reply.sh should fail and should pass after updating.
In addition, the test-dbus.py tests from lp:qa-regression-testing should be ran to verify basic D-Bus functionality.
This update will go through the Test Plan as well as manual testing to verify that snap confinement on 14.04 does work. Manual tests include installing snapd in 14.04 and running simple snaps such as pwgen-tyhicks and hello-world, as well as a much more complex snap such as lxd.
[Regression Potential]
Low. There's no use for unrequested D-Bus reply messages and silently dropping them for AppArmor confined applications should have no unintended side effects. The unrequested reply protections have been present in releases after 14.04 and have not caused any issues. |
= apparmor SRU =
[Rationale]
For backporting snapd to 14.04 LTS, we need to provide proper AppArmor confinement for snaps when running under the 16.04 hardware enablement kernel. The apparmor userspace package in 14.04 is missing support key mediation features such as UNIX domain socket rules, AppArmor policy namespaces, and AppArmor profile stacking. UNIX domain socket mediation is needed by nearly all snaps. AppArmor policy namespaces and profile stacking are needed by the lxd snap.
Unfortunately, it was not feasible to backport the individual features to the 14.04 apparmor package as they're quite complex and have a large number of dependency patches. Additionally, the AppArmor policy abstractions from Ubuntu 16.04 are needed to provide proper snap confinement. Because of these two reasons, the decision to bring 16.04's apparmor package to 14.04 was (very carefully) made.
[Test Case]
https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor
This update will go through the Test Plan as well as manual testing to verify that snap confinement on 14.04 does work. Manual tests include installing snapd in 14.04 and running simple snaps such as pwgen-tyhicks and hello-world, as well as a much more complex snap such as lxd.
The following regression tests from lp:qa-regression-testing (these packages ship an AppArmor profile) can be used to verify that their respective packages do not regress:
test-apache2-mpm-event.py
test-apache2-mpm-itk.py
test-apache2-mpm-perchild.py
test-apache2-mpm-prefork.py
test-apache2-mpm-worker.py
test-bind9.py
test-clamav.py
test-cups.py
test-dhcp.py
test-mysql.py
test-ntp.py
test-openldap.py
test-rsyslog.py
test-squid.py
test-strongswan.py
test-tcpdump.py
I have a branch of lp:qa-regression-testing (unmerged, currently at https://code.launchpad.net/~tyhicks/+git/qa-regression-testing/+ref/apparmor-trusty-sru) that pulls in the parser and regression tests from the apparmor 2.8.95~2430-0ubuntu5.3 package currently shipping in Trusty, in addition to the tests in the 2.10.95 based package.
Additionally, manually testing evince, which is confined by an AppArmor profile, should be done. The manual test should check basic functionality as well as for proper confinement (`ps auxZ` output).
[Regression Potential]
High. We must be extremely careful to not regress existing, confined applications in Ubuntu 14.04. We are lucky that the upstream AppArmor project has extensive regression tests and that the Ubuntu Security team adds even more testing via the AppArmor Test Plan.
Care was taken to minimally change how the AppArmor policies are loaded during the boot process. I also verified that the abstractions shipped in apparmor and the profiles shipped in apparmor-profiles are the same across this SRU update.
= dbus SRU =
[Rationale]
For backporting snapd to 14.04 LTS, we need to provide proper D-Bus mediation for snaps when running under the 16.04 hardware enablement kernel. The dbus package in 14.04 is missing support for blocking unrequested reply messages. This functionality was added to the D-Bus AppArmor mediation patches after 14.04 was released but before the patches were merged upstream in dbus. The idea is to prevent a malicious snap from attacking another snap, over D-Bus, with unrequested reply messages and also to prevent two connections from subverting the snap confinement by communicating via unrequested reply messages.
[Test Case]
The upstream AppArmor userspace project has thorough tests for D-Bus mediation, including unrequested replies. Its tests/regression/apparmor/dbus_*.sh tests should be ran before and after updating to the dbus SRU. Before updating, the dbus_unrequested_reply.sh should fail and should pass after updating.
To run the dbus_*.sh tests:
$ sudo apt-get install -y bzr libdbus-1-dev
$ bzr branch lp:apparmor # apt-get source apparmor to test the current apparmor
$ cd apparmor/tests/regression/apparmor/
$ make USE_SYSTEM=1 \
dbus_{eavesdrop,message,service,unrequested_reply} uservars.inc
$ for t in dbus_{eavesdrop,message,service,unrequested_reply}.sh; \
do sudo VERBOSE=1 bash $t || break; done
The exit code should be 0 and all output lines should start with "ok:".
In addition, the test-dbus.py tests from lp:qa-regression-testing should be ran to verify basic D-Bus functionality.
This update will go through the Test Plan as well as manual testing to verify that snap confinement on 14.04 does work. Manual tests include installing snapd in 14.04 and running simple snaps such as pwgen-tyhicks and hello-world, as well as a much more complex snap such as lxd.
[Regression Potential]
Low. There's no use for unrequested D-Bus reply messages and silently dropping them for AppArmor confined applications should have no unintended side effects. The unrequested reply protections have been present in releases after 14.04 and have not caused any issues. |
|
| 2016-12-01 21:26:17 |
Tyler Hicks |
apparmor (Ubuntu Trusty): status |
Incomplete |
In Progress |
|
| 2016-12-07 10:58:11 |
Brian Murray |
dbus (Ubuntu Trusty): status |
In Progress |
Fix Committed |
|
| 2016-12-07 10:58:13 |
Brian Murray |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
| 2016-12-07 10:58:17 |
Brian Murray |
bug |
|
|
added subscriber SRU Verification |
| 2016-12-07 10:58:24 |
Brian Murray |
tags |
|
verification-needed |
|
| 2016-12-09 11:20:16 |
Timo Aaltonen |
apparmor (Ubuntu Trusty): status |
In Progress |
Fix Committed |
|
| 2016-12-14 15:43:03 |
Tyler Hicks |
description |
= apparmor SRU =
[Rationale]
For backporting snapd to 14.04 LTS, we need to provide proper AppArmor confinement for snaps when running under the 16.04 hardware enablement kernel. The apparmor userspace package in 14.04 is missing support key mediation features such as UNIX domain socket rules, AppArmor policy namespaces, and AppArmor profile stacking. UNIX domain socket mediation is needed by nearly all snaps. AppArmor policy namespaces and profile stacking are needed by the lxd snap.
Unfortunately, it was not feasible to backport the individual features to the 14.04 apparmor package as they're quite complex and have a large number of dependency patches. Additionally, the AppArmor policy abstractions from Ubuntu 16.04 are needed to provide proper snap confinement. Because of these two reasons, the decision to bring 16.04's apparmor package to 14.04 was (very carefully) made.
[Test Case]
https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor
This update will go through the Test Plan as well as manual testing to verify that snap confinement on 14.04 does work. Manual tests include installing snapd in 14.04 and running simple snaps such as pwgen-tyhicks and hello-world, as well as a much more complex snap such as lxd.
The following regression tests from lp:qa-regression-testing (these packages ship an AppArmor profile) can be used to verify that their respective packages do not regress:
test-apache2-mpm-event.py
test-apache2-mpm-itk.py
test-apache2-mpm-perchild.py
test-apache2-mpm-prefork.py
test-apache2-mpm-worker.py
test-bind9.py
test-clamav.py
test-cups.py
test-dhcp.py
test-mysql.py
test-ntp.py
test-openldap.py
test-rsyslog.py
test-squid.py
test-strongswan.py
test-tcpdump.py
I have a branch of lp:qa-regression-testing (unmerged, currently at https://code.launchpad.net/~tyhicks/+git/qa-regression-testing/+ref/apparmor-trusty-sru) that pulls in the parser and regression tests from the apparmor 2.8.95~2430-0ubuntu5.3 package currently shipping in Trusty, in addition to the tests in the 2.10.95 based package.
Additionally, manually testing evince, which is confined by an AppArmor profile, should be done. The manual test should check basic functionality as well as for proper confinement (`ps auxZ` output).
[Regression Potential]
High. We must be extremely careful to not regress existing, confined applications in Ubuntu 14.04. We are lucky that the upstream AppArmor project has extensive regression tests and that the Ubuntu Security team adds even more testing via the AppArmor Test Plan.
Care was taken to minimally change how the AppArmor policies are loaded during the boot process. I also verified that the abstractions shipped in apparmor and the profiles shipped in apparmor-profiles are the same across this SRU update.
= dbus SRU =
[Rationale]
For backporting snapd to 14.04 LTS, we need to provide proper D-Bus mediation for snaps when running under the 16.04 hardware enablement kernel. The dbus package in 14.04 is missing support for blocking unrequested reply messages. This functionality was added to the D-Bus AppArmor mediation patches after 14.04 was released but before the patches were merged upstream in dbus. The idea is to prevent a malicious snap from attacking another snap, over D-Bus, with unrequested reply messages and also to prevent two connections from subverting the snap confinement by communicating via unrequested reply messages.
[Test Case]
The upstream AppArmor userspace project has thorough tests for D-Bus mediation, including unrequested replies. Its tests/regression/apparmor/dbus_*.sh tests should be ran before and after updating to the dbus SRU. Before updating, the dbus_unrequested_reply.sh should fail and should pass after updating.
To run the dbus_*.sh tests:
$ sudo apt-get install -y bzr libdbus-1-dev
$ bzr branch lp:apparmor # apt-get source apparmor to test the current apparmor
$ cd apparmor/tests/regression/apparmor/
$ make USE_SYSTEM=1 \
dbus_{eavesdrop,message,service,unrequested_reply} uservars.inc
$ for t in dbus_{eavesdrop,message,service,unrequested_reply}.sh; \
do sudo VERBOSE=1 bash $t || break; done
The exit code should be 0 and all output lines should start with "ok:".
In addition, the test-dbus.py tests from lp:qa-regression-testing should be ran to verify basic D-Bus functionality.
This update will go through the Test Plan as well as manual testing to verify that snap confinement on 14.04 does work. Manual tests include installing snapd in 14.04 and running simple snaps such as pwgen-tyhicks and hello-world, as well as a much more complex snap such as lxd.
[Regression Potential]
Low. There's no use for unrequested D-Bus reply messages and silently dropping them for AppArmor confined applications should have no unintended side effects. The unrequested reply protections have been present in releases after 14.04 and have not caused any issues. |
= apparmor SRU =
[Rationale]
For backporting snapd to 14.04 LTS, we need to provide proper AppArmor confinement for snaps when running under the 16.04 hardware enablement kernel. The apparmor userspace package in 14.04 is missing support key mediation features such as UNIX domain socket rules, AppArmor policy namespaces, and AppArmor profile stacking. UNIX domain socket mediation is needed by nearly all snaps. AppArmor policy namespaces and profile stacking are needed by the lxd snap.
Unfortunately, it was not feasible to backport the individual features to the 14.04 apparmor package as they're quite complex and have a large number of dependency patches. Additionally, the AppArmor policy abstractions from Ubuntu 16.04 are needed to provide proper snap confinement. Because of these two reasons, the decision to bring 16.04's apparmor package to 14.04 was (very carefully) made.
[Test Case]
https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor
This update will go through the Test Plan as well as manual testing to verify that snap confinement on 14.04 does work. Manual tests include installing snapd in 14.04 and running simple snaps such as pwgen-tyhicks and hello-world, as well as a much more complex snap such as lxd.
The following regression tests from lp:qa-regression-testing (these packages ship an AppArmor profile) can be used to verify that their respective packages do not regress:
test-apache2-mpm-event.py
test-apache2-mpm-itk.py
test-apache2-mpm-perchild.py
test-apache2-mpm-prefork.py
test-apache2-mpm-worker.py
test-bind9.py
test-clamav.py
test-cups.py
test-dhcp.py
test-mysql.py
test-ntp.py
test-openldap.py
test-rsyslog.py
test-squid.py
test-strongswan.py
test-tcpdump.py
I have pushed changes to lp:qa-regression-testing which pulls in the parser and regression tests from the apparmor 2.8.95~2430-0ubuntu5.3 package currently shipping in Trusty, in addition to the tests in the 2.10.95 based package.
Additionally, manually testing evince, which is confined by an AppArmor profile, should be done. The manual test should check basic functionality as well as for proper confinement (`ps auxZ` output).
[Regression Potential]
High. We must be extremely careful to not regress existing, confined applications in Ubuntu 14.04. We are lucky that the upstream AppArmor project has extensive regression tests and that the Ubuntu Security team adds even more testing via the AppArmor Test Plan.
Care was taken to minimally change how the AppArmor policies are loaded during the boot process. I also verified that the abstractions shipped in apparmor and the profiles shipped in apparmor-profiles are the same across this SRU update.
= dbus SRU =
[Rationale]
For backporting snapd to 14.04 LTS, we need to provide proper D-Bus mediation for snaps when running under the 16.04 hardware enablement kernel. The dbus package in 14.04 is missing support for blocking unrequested reply messages. This functionality was added to the D-Bus AppArmor mediation patches after 14.04 was released but before the patches were merged upstream in dbus. The idea is to prevent a malicious snap from attacking another snap, over D-Bus, with unrequested reply messages and also to prevent two connections from subverting the snap confinement by communicating via unrequested reply messages.
[Test Case]
The upstream AppArmor userspace project has thorough tests for D-Bus mediation, including unrequested replies. Its tests/regression/apparmor/dbus_*.sh tests should be ran before and after updating to the dbus SRU. Before updating, the dbus_unrequested_reply.sh should fail and should pass after updating.
To run the dbus_*.sh tests:
$ sudo apt-get install -y bzr libdbus-1-dev
$ bzr branch lp:apparmor # apt-get source apparmor to test the current apparmor
$ cd apparmor/tests/regression/apparmor/
$ make USE_SYSTEM=1 \
dbus_{eavesdrop,message,service,unrequested_reply} uservars.inc
$ for t in dbus_{eavesdrop,message,service,unrequested_reply}.sh; \
do sudo VERBOSE=1 bash $t || break; done
The exit code should be 0 and all output lines should start with "ok:".
In addition, the test-dbus.py tests from lp:qa-regression-testing should be ran to verify basic D-Bus functionality.
This update will go through the Test Plan as well as manual testing to verify that snap confinement on 14.04 does work. Manual tests include installing snapd in 14.04 and running simple snaps such as pwgen-tyhicks and hello-world, as well as a much more complex snap such as lxd.
[Regression Potential]
Low. There's no use for unrequested D-Bus reply messages and silently dropping them for AppArmor confined applications should have no unintended side effects. The unrequested reply protections have been present in releases after 14.04 and have not caused any issues. |
|
| 2016-12-14 18:30:32 |
Tyler Hicks |
description |
= apparmor SRU =
[Rationale]
For backporting snapd to 14.04 LTS, we need to provide proper AppArmor confinement for snaps when running under the 16.04 hardware enablement kernel. The apparmor userspace package in 14.04 is missing support key mediation features such as UNIX domain socket rules, AppArmor policy namespaces, and AppArmor profile stacking. UNIX domain socket mediation is needed by nearly all snaps. AppArmor policy namespaces and profile stacking are needed by the lxd snap.
Unfortunately, it was not feasible to backport the individual features to the 14.04 apparmor package as they're quite complex and have a large number of dependency patches. Additionally, the AppArmor policy abstractions from Ubuntu 16.04 are needed to provide proper snap confinement. Because of these two reasons, the decision to bring 16.04's apparmor package to 14.04 was (very carefully) made.
[Test Case]
https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor
This update will go through the Test Plan as well as manual testing to verify that snap confinement on 14.04 does work. Manual tests include installing snapd in 14.04 and running simple snaps such as pwgen-tyhicks and hello-world, as well as a much more complex snap such as lxd.
The following regression tests from lp:qa-regression-testing (these packages ship an AppArmor profile) can be used to verify that their respective packages do not regress:
test-apache2-mpm-event.py
test-apache2-mpm-itk.py
test-apache2-mpm-perchild.py
test-apache2-mpm-prefork.py
test-apache2-mpm-worker.py
test-bind9.py
test-clamav.py
test-cups.py
test-dhcp.py
test-mysql.py
test-ntp.py
test-openldap.py
test-rsyslog.py
test-squid.py
test-strongswan.py
test-tcpdump.py
I have pushed changes to lp:qa-regression-testing which pulls in the parser and regression tests from the apparmor 2.8.95~2430-0ubuntu5.3 package currently shipping in Trusty, in addition to the tests in the 2.10.95 based package.
Additionally, manually testing evince, which is confined by an AppArmor profile, should be done. The manual test should check basic functionality as well as for proper confinement (`ps auxZ` output).
[Regression Potential]
High. We must be extremely careful to not regress existing, confined applications in Ubuntu 14.04. We are lucky that the upstream AppArmor project has extensive regression tests and that the Ubuntu Security team adds even more testing via the AppArmor Test Plan.
Care was taken to minimally change how the AppArmor policies are loaded during the boot process. I also verified that the abstractions shipped in apparmor and the profiles shipped in apparmor-profiles are the same across this SRU update.
= dbus SRU =
[Rationale]
For backporting snapd to 14.04 LTS, we need to provide proper D-Bus mediation for snaps when running under the 16.04 hardware enablement kernel. The dbus package in 14.04 is missing support for blocking unrequested reply messages. This functionality was added to the D-Bus AppArmor mediation patches after 14.04 was released but before the patches were merged upstream in dbus. The idea is to prevent a malicious snap from attacking another snap, over D-Bus, with unrequested reply messages and also to prevent two connections from subverting the snap confinement by communicating via unrequested reply messages.
[Test Case]
The upstream AppArmor userspace project has thorough tests for D-Bus mediation, including unrequested replies. Its tests/regression/apparmor/dbus_*.sh tests should be ran before and after updating to the dbus SRU. Before updating, the dbus_unrequested_reply.sh should fail and should pass after updating.
To run the dbus_*.sh tests:
$ sudo apt-get install -y bzr libdbus-1-dev
$ bzr branch lp:apparmor # apt-get source apparmor to test the current apparmor
$ cd apparmor/tests/regression/apparmor/
$ make USE_SYSTEM=1 \
dbus_{eavesdrop,message,service,unrequested_reply} uservars.inc
$ for t in dbus_{eavesdrop,message,service,unrequested_reply}.sh; \
do sudo VERBOSE=1 bash $t || break; done
The exit code should be 0 and all output lines should start with "ok:".
In addition, the test-dbus.py tests from lp:qa-regression-testing should be ran to verify basic D-Bus functionality.
This update will go through the Test Plan as well as manual testing to verify that snap confinement on 14.04 does work. Manual tests include installing snapd in 14.04 and running simple snaps such as pwgen-tyhicks and hello-world, as well as a much more complex snap such as lxd.
[Regression Potential]
Low. There's no use for unrequested D-Bus reply messages and silently dropping them for AppArmor confined applications should have no unintended side effects. The unrequested reply protections have been present in releases after 14.04 and have not caused any issues. |
= apparmor SRU =
[Rationale]
For backporting snapd to 14.04 LTS, we need to provide proper AppArmor confinement for snaps when running under the 16.04 hardware enablement kernel. The apparmor userspace package in 14.04 is missing support key mediation features such as UNIX domain socket rules, AppArmor policy namespaces, and AppArmor profile stacking. UNIX domain socket mediation is needed by nearly all snaps. AppArmor policy namespaces and profile stacking are needed by the lxd snap.
Unfortunately, it was not feasible to backport the individual features to the 14.04 apparmor package as they're quite complex and have a large number of dependency patches. Additionally, the AppArmor policy abstractions from Ubuntu 16.04 are needed to provide proper snap confinement. Because of these two reasons, the decision to bring 16.04's apparmor package to 14.04 was (very carefully) made.
[Test Case]
https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor
This update will go through the Test Plan as well as manual testing to verify that snap confinement on 14.04 does work. Manual tests include installing snapd in 14.04 and running simple snaps such as pwgen-tyhicks and hello-world, as well as a much more complex snap such as lxd.
The following regression tests from lp:qa-regression-testing (these packages ship an AppArmor profile) can be used to verify that their respective packages do not regress:
test-apache2-mpm-event.py
test-apache2-mpm-itk.py
test-apache2-mpm-perchild.py
test-apache2-mpm-prefork.py
test-apache2-mpm-worker.py
test-bind9.py
test-clamav.py
test-cups.py
test-dhcp.py
test-mysql.py
test-ntp.py
test-openldap.py
test-rsyslog.py
test-squid.py
test-strongswan.py
test-tcpdump.py
I have pushed changes to lp:qa-regression-testing which pulls in the parser and regression tests from the apparmor 2.8.95~2430-0ubuntu5.3 package currently shipping in Trusty, in addition to the tests in the 2.10.95 based package.
Additionally, manually testing evince, which is confined by an AppArmor profile, should be done. The manual test should check basic functionality as well as for proper confinement (`ps auxZ` output).
Finally, we need to test that 12.04 -> 14.04 upgrades continue to work. Specifically, the apparmor packages in trusty-proposed and the 12.04 kernel need to be tested together.
[Regression Potential]
High. We must be extremely careful to not regress existing, confined applications in Ubuntu 14.04. We are lucky that the upstream AppArmor project has extensive regression tests and that the Ubuntu Security team adds even more testing via the AppArmor Test Plan.
Care was taken to minimally change how the AppArmor policies are loaded during the boot process. I also verified that the abstractions shipped in apparmor and the profiles shipped in apparmor-profiles are the same across this SRU update.
= dbus SRU =
[Rationale]
For backporting snapd to 14.04 LTS, we need to provide proper D-Bus mediation for snaps when running under the 16.04 hardware enablement kernel. The dbus package in 14.04 is missing support for blocking unrequested reply messages. This functionality was added to the D-Bus AppArmor mediation patches after 14.04 was released but before the patches were merged upstream in dbus. The idea is to prevent a malicious snap from attacking another snap, over D-Bus, with unrequested reply messages and also to prevent two connections from subverting the snap confinement by communicating via unrequested reply messages.
[Test Case]
The upstream AppArmor userspace project has thorough tests for D-Bus mediation, including unrequested replies. Its tests/regression/apparmor/dbus_*.sh tests should be ran before and after updating to the dbus SRU. Before updating, the dbus_unrequested_reply.sh should fail and should pass after updating.
To run the dbus_*.sh tests:
$ sudo apt-get install -y bzr libdbus-1-dev
$ bzr branch lp:apparmor # apt-get source apparmor to test the current apparmor
$ cd apparmor/tests/regression/apparmor/
$ make USE_SYSTEM=1 \
dbus_{eavesdrop,message,service,unrequested_reply} uservars.inc
$ for t in dbus_{eavesdrop,message,service,unrequested_reply}.sh; \
do sudo VERBOSE=1 bash $t || break; done
The exit code should be 0 and all output lines should start with "ok:".
In addition, the test-dbus.py tests from lp:qa-regression-testing should be ran to verify basic D-Bus functionality.
This update will go through the Test Plan as well as manual testing to verify that snap confinement on 14.04 does work. Manual tests include installing snapd in 14.04 and running simple snaps such as pwgen-tyhicks and hello-world, as well as a much more complex snap such as lxd.
[Regression Potential]
Low. There's no use for unrequested D-Bus reply messages and silently dropping them for AppArmor confined applications should have no unintended side effects. The unrequested reply protections have been present in releases after 14.04 and have not caused any issues. |
|
| 2016-12-22 22:45:26 |
Tyler Hicks |
tags |
verification-needed |
verification-done |
|
| 2017-01-18 17:28:31 |
Robie Basak |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
| 2017-01-18 17:28:38 |
Launchpad Janitor |
dbus (Ubuntu Trusty): status |
Fix Committed |
Fix Released |
|
| 2017-01-18 17:28:28 |
Launchpad Janitor |
apparmor (Ubuntu Trusty): status |
Fix Committed |
Fix Released |
|
