AppArmor mediation for signals, IPC and ptrace
Deliverable: finish mediation for signals, IPC and ptrace. When completed, users will be able to define AppArmor policy for these, so that confined applications can send/receive signals, use IPC and ptrace other processes only according to policy.
Acceptance criteria for March 2014:
Goal: Users are able to write basic policy for signals
Goal: Users are able to write basic policy for ptrace
Acceptance criteria for August 2014:
Goal: Users are able to write basic policy for unix domain sockets, anonymous IPC and netlink sockets
Blueprint information
- Status: Complete
- Approver: Jamie Strandboge
- Priority: High
- Drafter: John Johansen
- Direction: Approved
- Assignee: John Johansen
- Definition: Approved
- Series goal: Accepted for trusty
- Implementation: Implemented
- Milestone target: ubuntu-14.01
- Started by: Jamie Strandboge
- Completed by: Jamie Strandboge
Whiteboard
jdstrand: Other items to be integrated with the others and captured here so they are not lost:
[jjohansen] ipc rules add to parser (medium): TODO
[jjohansen] ipc rules add to parser tests (low): TODO
[jjohansen] ipc rules add to kernel (medium): TODO
[jjohansen] ipc rules regression tests (low): TODO
[jjohansen] ipc - update documentation/man pages (low): TODO
[jjohansen] update how labeling of unix domain sockets is done (high): TODO
[jjohansen] update parser/language for abstract unix domain socket naming: TODO
[jjohansen] update how labeling of netlink sockets is done: TODO
[jjohansen] update parser/language to support netlink beyond af_mask: TODO
jdstrand: ext. mediation, signal work carried over from https:/
Work Items
Work items for ubuntu-14.01:
[jjohansen] verify yama sufficiently handles ptrace for near-term priorities: DONE
[jjohansen] ext. mediation, signal, extend checks to kill hook - kernel: DONE
[jjohansen] ext. mediation, signal, extend policy language - parser: DONE
Work items for ubuntu-14.03:
[jjohansen] ext. mediation, signal - parser tests: DONE
[sbeattie] ext. mediation, signal - regression tests: INPROGRESS
[tyhicks] apparmor IPC mediation in ppa: DONE
[tyhicks] apparmor IPC mediation packaging for Ubuntu: DONE
[tyhicks] verify/adjust distro policy for IPC based on Features: DONE
[jjohansen] ext. mediation, signal - userspace tools (???) (2): DONE
[sbeattie] ext. mediation, signal - userspace tools unit tests (???) (1): DONE
[jjohansen] ext. mediation, signal - documentation/man page (0.5): DONE
[jjohansen] ext. mediation, ptrace - kernel (???) (0.5): DONE
[jjohansen] ext. mediation, ptrace - parser (???) (0.5): DONE
[sbeattie] ext. mediation, ptrace - parser tests (???) (0.5): DONE
[jjohansen] ext. mediation, ptrace - regression tests (???) (1): DONE
[jjohansen] ext. mediation, ptrace - userspace tools (???) (1): DONE
[sbeattie] ext. mediation, ptrace - userspace tools unit tests (???) (1): DONE
[jjohansen] ext. mediation, ptrace - documentation/man pages (???) (0.5): DONE
[jjohansen] ext. mediation, ipc, RFC/discussion (???) (1): DONE
[jjohansen] ext. mediation, ipc - upstream (???) (1): DONE
[jjohansen] ext. mediation, ipc mediate - kernel (???) (5): DONE
[jjohansen] ext. mediation, ipc rules - parser (???) (2): DONE
[sbeattie] ext. mediation, ipc rules - parser tests (???) (1): DONE
[sbeattie] ext. mediation, ipc rules - regression tests (???) (2): DONE
[jjohansen] ext. mediation, ipc rules - userspace tools (???) (2): DONE
[jjohansen] ext. mediation, ipc rules - userspace tools unit tests (???) (1): DONE
[jdstrand] ext. mediation, ipc rules - documentation/man pages (???) (1): DONE
Work items for ubuntu-14.04:
[jdstrand] release note on IPC: DONE
[jdstrand] update Features for ipc/signals: DONE
[jjohansen] backport signal/ptrace mediation to phablet kernels: POSTPONED
Work items for later:
[jjohansen] ext. mediation, alt ns unix domain socket, labeling - kernel - deps labeling: POSTPONED
[jjohansen] ext. mediation, alt ns unix domain socket, policy language - parser: POSTPONED
[jjohansen] ext. mediation, alt ns unix domain socket - parser tests: POSTPONED
[sbeattie] ext. mediation, alt ns unix domain socket - regression tests: POSTPONED
[tyhicks] verify policy for dbus, upstart and other abstract sockets: BLOCKED
[jjohansen] ext. mediation, netlink, address matching - kernel: POSTPONED
[jjohansen] ext. mediation, netlink, profile language - parser: POSTPONED
[jjohansen] ext. mediation, netlink - parser tests: POSTPONED
[jjohansen] ext. mediation, netlink - regression tests: POSTPONED
[sbeattie] ext. mediation, anonymous ipc (pipes, sock pairs, ..) mediate - kernel: POSTPONED
[jjohansen] ext. mediation, anonymous ipc rules (pipes, sock pairs, ..) - parser: POSTPONED
[jjohansen] ext. mediation, anonymous ipc rules (pipes, sock pairs, ..) - parser tests: POSTPONED
[sbeattie] ext. mediation, anonymous ipc rules (pipes, sock pairs, ..) - regression tests: POSTPONED
[jjohansen] stacking, extend exec to have stacking transition - kernel (essential): POSTPONED
[jjohansen] stacking, extend policy language - parser (essential): POSTPONED
[jjohansen] fd passing and inheritance - revalidate files at ipc (essential): POSTPONED
[sbeattie] fd passing and inheritance - regression tests (essential): POSTPONED
[jjohansen] ext. mediation, signal, use sids for interrupts - kernel (???) (2): POSTPONED
[jjohansen] ext. mediation, signal - update aa-logparser (???) (1): POSTPONED
[jjohansen] ext. mediation, alt ns unix domain socket - update aa-logparse, including tests (???) (1): POSTPONED
[jjohansen] ext. mediation, alt ns unix domain socket - userspace tools (???) (2): POSTPONED
[sbeattie] ext. mediation, alt ns unix domain socket - userspace tools unit tests (???) (1): POSTPONED
[jjohansen] ext. mediation, alt ns unix domain socket - documentation/man pages (0.5): POSTPONED
[jjohansen] ext. mediation, netlink - update aa-logparser, including tests (???) (1): POSTPONED
[jjohansen] ext. mediation, netlink - userspace tools (???) (2): POSTPONED
[sbeattie] ext. mediation, netlink - userspace tools unit tests (???) (1): POSTPONED
[jjohansen] ext. mediation, netlink - documentation/man pages (???) (0.5): POSTPONED
[jjohansen] ext. mediation, ipc rules - update aa-logparser, including tests (???) (1): POSTPONED
[jjohansen] ext. mediation, anonymous ipc (pipes, sock pairs, ..) - RFC/discussion (???) (1): POSTPONED
[jjohansen] ext. mediation, anonymous ipc (pipes, sock pairs, ..) - upstream (???) (1): POSTPONED
[jjohansen] ext. mediation, anonymous ipc rules (pipes, sock pairs, ..) - update aa-logparser, including tests (???) (1): POSTPONED
[jjohansen] ext. mediation, anonymous ipc rules (pipes, sock pairs, ..) - userspace tools (???) (2): POSTPONED
[jjohansen] ext. mediation, anonymous ipc rules (pipes, sock pairs, ..) - userspace tools unit tests (???) (1): POSTPONED
[jdstrand] ext. mediation, anonymous ipc rules (pipes, sock pairs, ..) - documentation/man pages (???) (1): BLOCKED
[jjohansen] ext. mediation, ptrace - aa-logparser, including tests (???) (1): POSTPONED