** Changed in: linux (Ubuntu)
Status: Incomplete => Confirmed
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1298611
Title:
[FFe] apparmor signal and ptrace mediation
Status in “apparmor” package in Ubuntu:
New
Status in “linux” package in Ubuntu:
Confirmed
Bug description:
Background: kernel and apparmor userspace updates to support signal
and ptrace mediation. These packages are listed in one bug because
they are related, but the FFes may be granted and the uploads may
happen at different times.
= linux =
Summary:
This feature freeze exception is requested for signal and ptrace mediation
via apparmor in the kernel. When used with a compatible apparmor userspace,
signals and ptrace rules are supported. When used without a compatible apparmor
userspace (eg, on a precise system with a trusty backport kernel), signal and
ptrace mediation is not enforced (ie, you can use this kernel with an old
userspace without any issues).
Testing:
* 12.04 system with backported kernel: INPROGRESS
* 14.04 system (non-Touch) with current apparmor userspace: INPROGRESS
* 14.04 system (non-Touch) with updated apparmor userspace capable of
supporting signal and ptrace mediation: INPROGRESS
* 14.04 system (non-Touch) using lxc containers: INPROGRESS
Justification:
This feature is required to support comprehensive application confinement on
Ubuntu Touch (a separate pull will be requested at a later date). This feature
adds a significant security benefit to libvirt's qemu guest isolation which is
fundamental to Ubuntu on Server/Cloud. This feature adds a welcome improvement
to administrators wishing to further protect their systems.
= apparmor userspace =
Summary:
This feature freeze exception is requested for signal and ptrace mediation
for apparmor userspace. When used with a compatible kernel, signals and ptrace
rules are supported. When used without a compatible kernel (eg, immediately on
Ubuntu Touch or with upstream kernels), signal and ptrace rules are skipped
(ie, you can use this userspace with other kernels without issue).
Testing:
* 14.04 system with current kernel (Touch, Desktop, Server): TODO
* 14.04 system with updated kernel capable of supporting signal and ptrace
mediation (Touch, Desktop, Server): INPROGRESS
* 14.04 system using lxc containers (Touch, Desktop, Server): TODO
Justification:
This feature is required to support comprehensive application confinement on
Ubuntu Touch. This feature adds a significant security benefit to libvirt's
qemu guest isolation which is fundamental to Ubuntu on Server/Cloud. This
feature adds a welcome improvement to administrators wishing to further protect
their systems.
Extra information:
While the apparmor userspace and kernel changes to support signal and ptrace
mediation can happen at different times, the apparmor userspace upload must
correspond with uploads for packages that ship AppArmor policy that require
updates (eg, libvirt, lxc, etc). The packages outlined in
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorProfiles have been
tested to either work without modification to the policy or updated and tested
to work with updated policy. Common rules will be added to the apparmor base
abstraction such that most packages shipping apparmor policy will not require
updating. These updates will be prepared, tested and published en masse via a
silo ppa.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1298611/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
