20140407

Meeting

Attendance

  • jdstrand
  • mdeslaur
  • sbeattie
  • tyhicks
  • sarnold
  • chrisccoulson

Not present

  • jjohansen

Agenda

  • Announcements
    • apparmor ptrace and signal mediation has landed on desktop and server. Touch images have the userspace and should have kernel updates next week. For anyone seeing apparmor denials in distro/click policy, please file bugs
    • oxide is now in main and in use on the touch images
  • Weekly stand-up report (each member discusses any pending and planned future work for the week)
    • jdstrand
      • weekly role: happy place
      • openjdk-6 regression
      • media-hub landing
      • scopes confinement
      • install testing
      • updates
    • mdeslaur
      • short week: off friday
      • weekly role: triage
      • updates
    • sbeattie
      • AppArmor
        • reviews for signal and ptrace
        • coordinate upstream landings
        • additional test cases for them
        • review jenkins FTBFS over the weekend
        • travel arrangements
    • tyhicks
      • AppArmor
        • lightdm guest session denials
        • follow-up on aa.py patchset
        • travel arrangements
    • sarnold
      • weekly role: community
      • MIR: glusterfs
      • apparmor reviews
    • chrisccoulson
      • Oxide
        • reviews
        • grooveshark 1301341
        • file picker upload
        • go down oxide bug list
  • Highlighted packages

    The Ubuntu Security team will highlight some community-supported packages that might be good candidates for updating and/or triaging. If you would like to help Ubuntu and are not sure where to start, this is a great way to do so. See https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures for details and if you have any questions, feel free to ask in #ubuntu-security. To find out other ways of helping out, please see https://wiki.ubuntu.com/SecurityTeam/GettingInvolved. The highlighted packages for this week are:

    The Ubuntu Security team suggests that contributors look into merging Debian security updates in community-supported packages. If you would like to help Ubuntu but are not sure where to start, this is a great way to do so. See the available merges and SecurityTeam/UpdateProcedures for details on preparing Ubuntu security updates. If you have any questions, feel free to ask in #ubuntu-hardened. To find out other ways of helping out, please see SecurityTeam/GettingInvolved.

  • Miscellaneous and Questions
    • jdstrand asked about file_inherit:

      11:51 < jdstrand> someone reported this denial to me in #ubuntu-devel: 
                        [13395.573516] type=1400 audit(1396873920.517:120): 
                        apparmor="DENIED" operation="file_inherit" 
                        profile="/usr/lib/NetworkManager/nm-dhcp-client.action" 
                        name="/var/lib/NetworkManager/dhclient-9a71cfcd-ec48-4ea2-9a72-928b504f7429-usb0.lease" 
                        pid=1168 comm="nm-dhcp-client." requested_mask="r" denied_mask="r" 
                        fsuid=0 ouid=0
      11:51 < jdstrand> this required /usr/lib/NetworkManager/nm-dhcp-client.action {} 
                        to need a new rule:
      11:51 < jdstrand> /var/lib/NetworkManager/*lease r,
      11:52 < jdstrand> someone in the #apparmor channel over the weekend saw something similar
      11:52 < jdstrand> and then I saw it this morning with my chromium-browser profile
      11:53 < jdstrand> it is my understanding that this was intentional, related to file delegation and that maybe at some point we want to make this configurable
      11:54 < jdstrand> I have some concerns that this is turned on atm. I didn't see it in any of the rather significant testing we did over the past weeks
      11:54 < jdstrand> is this from a new patch to the kernel?
      ...
      11:55 < tyhicks> a quick git blame points at "apparmor: revalidate open files at exec time"
      11:55 < tyhicks> it is one of the last few patches in jj's patch set
      11:55 < jdstrand> so that is in the kernels we tested
      ...
      12:04 < tyhicks> yeah, I wasn't looking for delegation denials during my testing
      12:05 < jdstrand> me either-- I wasn't aware the patchset changed things
      12:05 < jdstrand> wrt delegation
      12:06 < jdstrand> well, anyway, I guess we can just keep an eye on it
      12:07  * sbeattie takes a note to make sure delegation is exercised in the regression tests
      12:08 < jdstrand> sbeattie: thanks
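The denial above is a `file_inherit` record: with the "revalidate open files at exec time" change, a file descriptor that a parent opened and left open across exec is re-checked against the profile of the exec'd task, and the rule that resolved it went into that task's profile (`nm-dhcp-client.action`). The helper below, added here as an example and not code from the meeting or from the AppArmor project, parses a kernel audit record of this shape into its fields and emits the candidate path rule for the reported profile, optionally widening an instance-specific file name (the lease file embeds a per-connection UUID) to a suffix glob the way the `*lease` rule in the log did. The first sample is the denial quoted above re-joined onto one line; the second sample, the set of file operations it accepts, and the mapping of the `c`/`d` log mask letters to `w` are assumptions made for the example.

```python
import re

# Constructed sample input: the denial quoted in the meeting log above, re-joined
# onto the single line the kernel actually emits.
SAMPLE_DENIAL = (
    '[13395.573516] type=1400 audit(1396873920.517:120): apparmor="DENIED" '
    'operation="file_inherit" profile="/usr/lib/NetworkManager/nm-dhcp-client.action" '
    'name="/var/lib/NetworkManager/dhclient-9a71cfcd-ec48-4ea2-9a72-928b504f7429-usb0.lease" '
    'pid=1168 comm="nm-dhcp-client." requested_mask="r" denied_mask="r" fsuid=0 ouid=0'
)

# Second constructed sample (not from the page): a create denial on a path containing
# a space, to exercise mask normalisation and rule quoting.
SAMPLE_CREATE = (
    'type=1400 audit(1396873920.517:121): apparmor="DENIED" operation="open" '
    'profile="/usr/bin/example-app" name="/home/user/.cache/example/state db" '
    'pid=2000 comm="example-app" requested_mask="wc" denied_mask="c" fsuid=1000 ouid=1000'
)

# key=value pairs; a value is either double-quoted or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Operations whose denial is resolved by a file rule on the reported path
# (assumed set for this example; file_inherit is the case from the log).
FILE_OPS = {"open", "file_inherit", "file_perm", "getattr", "exec",
            "file_mmap", "file_lock", "mknod", "truncate", "unlink",
            "link", "rename_src", "rename_dest"}

# Log mask letters with no rule spelling: create and delete are granted by 'w'.
MASK_TO_RULE = {"c": "w", "d": "w"}


def parse_audit_line(line):
    """Return the key=value fields of one AppArmor audit record as a dict."""
    fields = {}
    for key, quoted, bare in KV_RE.findall(line):
        fields[key] = quoted if quoted else bare
    return fields


def rule_mask(denied_mask):
    """Translate a denied_mask string into rule permission letters, deduplicated."""
    letters = []
    for ch in denied_mask:
        ch = MASK_TO_RULE.get(ch, ch)
        if ch not in letters:
            letters.append(ch)
    return "".join(letters)


def quote_path(path):
    """AppArmor requires double quotes around paths that contain whitespace."""
    return f'"{path}"' if re.search(r"\s", path) else path


def generalize_path(path):
    """Widen an instance-specific file name to a glob on its directory and suffix.
    A rule for the exact lease file name would stop matching on the next connection."""
    directory, _, base = path.rpartition("/")
    if "." not in base:
        return path  # no suffix to anchor a glob on; keep the exact path
    return f"{directory}/*{base[base.rfind('.'):]}"


def suggest_rule(line, generalize=False):
    """Return (profile, rule) for a file denial, or None for anything else.
    For file_inherit the profile field is the exec'd task's profile, which is
    where the rule belongs."""
    f = parse_audit_line(line)
    if f.get("apparmor") != "DENIED" or f.get("operation") not in FILE_OPS:
        return None
    if "name" not in f or "profile" not in f:
        return None
    path = generalize_path(f["name"]) if generalize else f["name"]
    mask = rule_mask(f.get("denied_mask") or f.get("requested_mask", ""))
    return f["profile"], f"{quote_path(path)} {mask},"


if __name__ == "__main__":
    for line in (SAMPLE_DENIAL, SAMPLE_CREATE):
        profile, rule = suggest_rule(line, generalize=True)
        print(f"{profile}:\n    {rule}")
```

Run against the first sample with `generalize=True` it proposes `/var/lib/NetworkManager/*.lease r,` for the `nm-dhcp-client.action` profile; without it, the exact lease path. Anything that is not a file operation (a `ptrace` or `signal` denial, for instance) returns `None` rather than a nonsensical path rule, and the suggested rule is a starting point for review, not something to append to a profile unexamined.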

Log

Logs available at http://ubottu.com/meetingology/logs/ubuntu-meeting/2014/ubuntu-meeting.2014-04-07-16.36.html

MeetingLogs/Security/20140407 (last edited 2014-04-07 17:11:19 by jdstrand)