Ubuntu

Security Catch-all

Registered by Kees Cook on 2010-04-27

Implement various additional security things for Natty that don't need a full blueprint of their own.

Blueprint information

Status:: Started

Approver:: Kees Cook

Priority:: Medium

Drafter:: Kees Cook

Direction:: Approved

Assignee:: Kees Cook

Definition:: Approved

Series goal:: Accepted for natty

Implementation:: Started

Milestone target:: ubuntu-11.04

Started by: Kees Cook on 2010-05-18

Related branches

Related bugs

Sprints

uds-m

Whiteboard

Work items:
[kees] deroot auditd, get into main: POSTPONED
[kees] re-submit gcc testsuite updates (part 2) to upstream: TODO
[kees] document in the wiki how to use hardening-includes: DONE
[kees] update packages that currently use hardening-wrapper to use hardening-includes: POSTPONED
[kees] write a lintian info script that checks for hardening when hardening-includes/wrapper is in the build-deps: POSTPONED

From gobby notes from the morning meetings of Maverick UDS:
Day 1
-----
Introductions

Open round table topics

Cautious launcher feels broken with wine (https://wiki.ubuntu.com/SecurityTeam/Policies#Execute-Permission%20Bit%20Required)
* needs to be translatable
* possibly use extended attributes and modify frefox and mail clients to say
   when downloaded and from where so that cautious launcher can use that to
   provide more information so people can make a better decision. Does this help
   the process significantly?
* use clam automatically on the file
* feels broken (eg, CDROM are mounted ro with no execute, so can't launch it
   in wine)
* generalized icon theme for the executable
   - if .exe show embedded or something else
   - if executable bit set
   - file command
* Lots of experimentation this cycle about what kinds of dialogs help the user
   - feel good that Ubuntu didn't run it to begin with
   - make an informed decision
   - not run things automatically
* Would be nice to make it easy to restrict Wine to a whitelist of apps
   - example use case: corporate install that has a few apps from 90s that run in Wine for business but doesn't want users downloading random windows games.

Possibly use a container or sandbox to confine .sh files for games, etc (not
useful for things that need access to your data)

Maybe have specific type of container (akin to the guest session) specifically
for games

look into clamfs -- wine could be installed in it

maybe look into ways to confine wine apps generally (eg a business has to run
app X, so how can we confine app X generally (or at least easily (container,
apparmor, etc)
- could have wine confined by an apparmor profile and call out to a helper
program (wine-aa-helper) to change_profile() into it

wine apps offered through software center (could then have an apparmor profile)

utilize wine prefixes more rather than the traditional .wine folder

Maybe a generic apparmor profile that allows very limited access to files for
these types of files
- could have cautious launcher running under AppArmor and have it change_profile
to the .sh executable (could work, but problematic to not be too general)
- may not work with the .sh file is an installer
- cautious-launcher will need root privs to change_profile() -- (or a helper
like with libvirt)

Self-contained "live cd" container for .debs that could work with users without root
- example: world of goo provides .debs
- might help to have gui for what you provide the container (eg network access)
- be capabilities aware

Use-cases:
- downloaded ELF binaries with data (frequently games)
- downloaded Windows installers
- malware
- closed source apps (like World of Goo tar.gz) who want to target Ubuntu but
don't want to use PPA

Workitems:
- update cautious launcher to make it clear it's ubuntu not the app raising the dialog
- make cautious launcher translatable
- scan with clamscan if it is available (wine Recommends clam?)

Day 2
-----
* ted said mainly be concerned about unity and its interaction
* popcon talk captured in https://blueprints.launchpad.net/ubuntu/+spec/security-m-popcon
* mutter (clutter metacity) window manager is new, so check things like
   screensaver operation.
* mozilla
   - all the rdepends on xul go to -proposed by building on the mozilla ppa
   - these will be copied to -proposed for wider testing then to both
     -security and -updates
   - anything depending on xul in older releases and is exposed to webcontent
     needs a USN
   - push lucid (-1) when ready and hardy and jaunty (-2) will be a week or two later
     look at 354-1 and group all the rdepends on xul that is exposed to web
     content in one USN (-3)
   - tbird3 and seamonkey go to hardy and jaunty too. requires new NSS, but wait
     on these

Day 3
-----
* see notes in the gpg-migration spec

Day 4
-----
* kees ran away

Day 5
-----
* https://blueprints.launchpad.net/ubuntu/+spec/security-m-tls-renegotiation-updates

(?)

Work Items

This blueprint contains Public information

Everyone can see this information.

Subscribers

Chuck Short

Duncan McGreggor

Jamie Strandboge

Kees Cook

Marc Deslauriers

Roderick B. Greening