• jdstrand
  • mdeslaur
  • sbeattie
  • tyhicks
  • sarnold
  • chrisccoulson

Not present

  • jjohansen


  • Announcements
    • apparmor ptrace and signal mediation has landed on desktop and server. Touch images have the userspace and should have kernel updates next week. For anyone seeing apparmor denials in distro/click policy, please file bugs
    • oxide is now in main and in use on the touch images
  • Weekly stand-up report (each member discusses any pending and planned future work for the week)
    • jdstrand
      • weekly role: happy place
      • openjdk-6 regression
      • media-hub landing
      • scopes confinement
      • install testing
      • updates
    • mdeslaur
      • short week: off friday
      • weekly role: triage
      • updates
    • sbeattie
      • AppArmor

        • reviews for signal and ptrace
        • coordinate upstream landings
        • additional test cases for them
        • review jenkins FTBFS over the weekend
        • travel arrangements
    • tyhicks
      • AppArmor

        • lightdm guest session denials
        • follow-up on aa.py patchset
        • travel arrangements
    • sarnold
      • weekly role: community
      • MIR: glusterfs
      • apparmor reviews
    • chrisccoulson
      • Oxide
        • reviews
        • grooveshark 1301341

        • file picker upload
        • go down oxide bug list
  • Highlighted packages

    The Ubuntu Security team will highlight some community-supported packages that might be good candidates for updating and or triaging. If you would like to help Ubuntu and not sure where to start, this is a great way to do so. See https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures for details and if you have any questions, feel free to ask in #ubuntu-security. To find out other ways of helping out, please see https://wiki.ubuntu.com/SecurityTeam/GettingInvolved. The highlighted packages for this week are:

    The Ubuntu Security team suggests that contributors look into merging Debian security updates in community-supported packages. If you would like to help Ubuntu but are not sure where to start, this is a great way to do so. See the available merges and SecurityTeam/UpdateProcedures for details on preparing Ubuntu security updates. If you have any questions, feel free to ask in #ubuntu-hardened. To find out other ways of helping out, please see SecurityTeam/GettingInvolved.

  • Miscellaneous and Questions
    • jdstrand asked about file_inherit:

      11:51 < jdstrand> someone reported this denial to me in #ubuntu-devel: 
                        [13395.573516] type=1400 audit(1396873920.517:120): 
                        apparmor="DENIED" operation="file_inherit" 
                        pid=1168 comm="nm-dhcp-client." requested_mask="r" denied_mask="r" 
                        fsuid=0 ouid=0
      11:51 < jdstrand> this requred /usr/lib/NetworkManager/nm-dhcp-client.action {} 
                        to need a new rule:
      11:51 < jdstrand> /var/lib/NetworkManager/*lease r,
      11:52 < jdstrand> someone in the #apparmor channel over the weekend saw something similar
      11:52 < jdstrand> and then I saw it this morning with my chromium-browser profile
      11:53 < jdstrand> it is my understanding that this was intentional, related to file delegation and that maybe at some point we want to make this configurable
      11:54 < jdstrand> I have some concerns that this is turned on atm. I didn't see it in any of the rather significant testing we did over the past weeks
      11:54 < jdstrand> is this from a new patch to the kernel?
      11:55 < tyhicks> a quick git blame points at "apparmor: revalidate open files at exec time"
      11:55 < tyhicks> it is one of the last few patches in jj's patch set
      11:55 < jdstrand> so that is in the kernels we tested
      12:04 < tyhicks> yeah, I wasn't looking for delegation denials during my testing
      12:05 < jdstrand> me either-- I wasn't aware the patchset changed things
      12:05 < jdstrand> wrt delegation
      12:06 < jdstrand> well, anyway, I guess we can just keep an eye on it
      12:07  * sbeattie takes a note to make sure delegation is exercised in the regression tests
      12:08 < jdstrand> sbeattie: thanks


Logs available at http://ubottu.com/meetingology/logs/ubuntu-meeting/2014/ubuntu-meeting.2014-04-07-16.36.html

MeetingLogs/Security/20140407 (last edited 2014-04-07 17:11:19 by jdstrand)