Catch all for work items
Catch all for work items that do not fit in another blueprint.
Blueprint information
- Status: Complete
- Approver: Marc Deslauriers
- Priority: High
- Drafter: Jamie Strandboge
- Direction: Approved
- Assignee: Steve Beattie
- Definition: Approved
- Series goal: Accepted for trusty
- Implementation: Implemented
- Milestone target: ubuntu-14.03
- Started by: Jamie Strandboge
- Completed by: Jamie Strandboge
Whiteboard
[seth-arnold] investigate arm-specific kernel hardening: DONE
Arm appears to have parity with x86, x86_64, for all the features listed at https:/
I did not discover any Arm-specific security hardening features. QRT's test-kernel-
Our saucy kernel configurations appeared to have all the correct settings, so I hope our trusty kernel configurations are carried forward without unsetting them.
"Add Differential State Compression to the DFA (exists, needs testing)" - this was evaluated and it was decided that it didn't provide enough of an improvement to enable at this time.
Work Items
Work items for ubuntu-13.11:
[jdstrand] discuss apparmor profile for mediascanner with jamesh: DONE
[jjohansen] fix goldfish apparmor traceback: DONE
[jdstrand] fix ufw daily builds: DONE
[jdstrand] enable apparmor daily builds for trusty: DONE
[tyhicks] deep dive into current status of kdbus, libdbus, systemd's intended use of kdbus, etc (high) (5): DONE
Work items for ubuntu-13.12:
[tyhicks] Add apparmor_parser support for a dbus eavesdrop permission: DONE
[tyhicks] update upstream dbus abstractions: DONE
[mdeslaur] demote ruby1.8 and its rdepends to universe: DONE
[seth-arnold] investigate arm-specific kernel hardening: DONE
[tyhicks] Update dbus-daemon AddMatch() code to query AA when eavesdropping: DONE
Work items for ubuntu-14.02:
[tyhicks] make sure LP: #1259570 gets into trusty (disable kexec via sysctl): DONE
[tyhicks] enable YAMA in phablet kernels: DONE
[tyhicks] verify kernel security features in phablet image (besides ufw and apparmor): DONE
[tyhicks] ensure apparmor=0 is removed on goldfish (android emulator is dead, apparmor is enabled in ubuntu-emulator): DONE
[tyhicks] bring kdbus, libdbus, systemd's intended use of kdbus concerns to upstream, etc (high) (5): DONE
[tyhicks] submit dbus-daemon patches for AppArmor mediation to upstream: DONE
[tyhicks] triage LP: #1158500 and determine if it is a kernel and audit bug: DONE
Work items for ubuntu-14.03:
[sbeattie] automate running QRT/scripts/
[tyhicks] fix eCryptfs test framework errors on ppc64el: DONE
[tyhicks] fix test-kernel-
[seth-arnold] add autopkgtests to apparmor: POSTPONED
[jdstrand] provide apparmor profile for gettext process for infographic: POSTPONED
[seth-arnold] update apparmor to 2.8.95: DONE
[seth-arnold] run test-apparmor.py on mako with 2.8.0 and 2.8.95 and compare the results: DONE
[tyhicks] send kdbus patches upstream that expose the needed metadata for fine-grained filtering: POSTPONED
[tyhicks] add AppArmor support to dbus-daemon's new GetConnectionCr
Work items for ubuntu-14.04:
[tyhicks] verify selinux tools work enough to develop policy: POSTPONED
[tyhicks] fix 2 DBus/AppArmor bugs found during upstream review: POSTPONED
[seth-arnold] revamp policy load (system and click): POSTPONED
[seth-arnold] investigate/
[tyhicks] verify kernel security features in phablet image (besides ufw and apparmor) for 4.4-based android: POSTPONED
Add Differential State Compression to the DFA (exists, needs testing): DONE
Work items for later:
[sbeattie] add QRT check for CONFIG_KEXEC sysctl availability in 14.04 and higher kernels: POSTPONED
fix parser to properly support old names (fix LP: #1058356, et al): POSTPONED
fix 12.04 parser to better handle block_suspend (LP: #1199933): POSTPONED
[mdeslaur] decide how to fix upgrade failures on apparmor policy load: POSTPONED
[mdeslaur] revert upstart distro patch to fail open on policy load: BLOCKED
[tyhicks] implement aa_log libapparmor call: POSTPONED
[tyhicks] adjust dbus patchset to use aa_log: POSTPONED
dbus service enumeration is filtered by mediation: POSTPONED
[jjohansen] query interface (subject object): POSTPONED
provide LSM hook for access() (LP: #1220713): POSTPONED
[tyhicks] investigate use of org.freedesktop
[jjohansen] drive apparmor policy versioning to completion: POSTPONED
[tyhicks] update apparmor_parser to add v3 open rules to v2 policy: POSTPONED
[jdstrand] support versioned apparmor policy in Ubuntu packaging: BLOCKED
[tyhicks] add libapparmor APIs to operate (at least iterate, maybe more) on label sets: BLOCKED
[tyhicks] DBus v2 patchset in Ubuntu: POSTPONED