== Meeting ==
 * '''Who''': SecurityTeam
 * '''When''': [[http://www.timeanddate.com/worldclock/fixedtime.html?month=04&day=7&year=2014&hour=&min=30&sec=0&p1=0|Mon Apr 7th 2014 16:30 UTC]]
 * '''End''': 17:00 UTC
 * '''Where''': #ubuntu-meeting on irc.freenode.net
 * '''Chaired By''': JamieStrandboge (jdstrand)

== Attendance ==
 * jdstrand
 * mdeslaur
 * sbeattie
 * tyhicks
 * sarnold
 * chrisccoulson

== Not present ==
 * jjohansen

== Agenda ==
 * Announcements
  * apparmor ptrace and signal mediation has landed on desktop and server. Touch images have the userspace and should have kernel updates next week. For anyone seeing apparmor denials in distro/click policy, please file bugs
  * oxide is now in main and in use on the touch images
 * Weekly stand-up report (each member discusses any pending and planned future work for the week)
  * jdstrand
   * weekly role: happy place
   * openjdk-6 regression
   * media-hub landing
   * scopes confinement
   * install testing
   * updates
  * mdeslaur
   * short week: off friday
   * weekly role: triage
   * updates
  * sbeattie
   * !AppArmor
   * reviews for signal and ptrace
   * coordinate upstream landings
   * additional test cases for them
   * review jenkins FTBFS over the weekend
   * travel arrangements
  * tyhicks
   * !AppArmor
   * lightdm guest session denials
   * follow-up on aa.py patchset
   * travel arrangements
  * sarnold
   * weekly role: community
   * MIR: glusterfs
   * apparmor reviews
  * chrisccoulson
   * Oxide
   * reviews
   * grooveshark Bug:1301341
   * file picker upload
   * go down oxide bug list
 * Highlighted packages
  The Ubuntu Security team will highlight some community-supported packages that might be good candidates for updating and/or triaging. If you would like to help Ubuntu and are not sure where to start, this is a great way to do so. See https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures for details, and if you have any questions, feel free to ask in #ubuntu-security. To find out other ways of helping out, please see https://wiki.ubuntu.com/SecurityTeam/GettingInvolved.

  The highlighted packages for this week are:
 * Miscellaneous and Questions
  * jdstrand asked about file_inherit:{{{
11:51 < jdstrand> someone reported this denial to me in #ubuntu-devel: [13395.573516] type=1400 audit(1396873920.517:120): apparmor="DENIED" operation="file_inherit" profile="/usr/lib/NetworkManager/nm-dhcp-client.action" name="/var/lib/NetworkManager/dhclient-9a71cfcd-ec48-4ea2-9a72-928b504f7429-usb0.lease" pid=1168 comm="nm-dhcp-client." requested_mask="r" denied_mask="r" fsuid=0 ouid=0
11:51 < jdstrand> this required /usr/lib/NetworkManager/nm-dhcp-client.action {} to need a new rule:
11:51 < jdstrand> /var/lib/NetworkManager/*lease r,
11:52 < jdstrand> someone in the #apparmor channel over the weekend saw something similar
11:52 < jdstrand> and then I saw it this morning with my chromium-browser profile
11:53 < jdstrand> it is my understanding that this was intentional, related to file delegation and that maybe at some point we want to make this configurable
11:54 < jdstrand> I have some concerns that this is turned on atm. I didn't see it in any of the rather significant testing we did over the past weeks
11:54 < jdstrand> is this from a new patch to the kernel?
...
11:55 < tyhicks> a quick git blame points at "apparmor: revalidate open files at exec time"
11:55 < tyhicks> it is one of the last few patches in jj's patch set
11:55 < jdstrand> so that is in the kernels we tested
...
12:04 < tyhicks> yeah, I wasn't looking for delegation denials during my testing
12:05 < jdstrand> me either-- I wasn't aware the patchset changed things
12:05 < jdstrand> wrt delegation
12:06 < jdstrand> well, anyway, I guess we can just keep an eye on it
12:07 * sbeattie takes a note to make sure delegation is exercised in the regression tests
12:08 < jdstrand> sbeattie: thanks
}}}

== Log ==
Logs available at http://ubottu.com/meetingology/logs/ubuntu-meeting/2014/ubuntu-meeting.2014-04-07-16.36.html
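
The `file_inherit` denial quoted under Miscellaneous and Questions can be picked out of a kernel log mechanically, separately from ordinary open denials, and turned into a draft rule for review. The Python below is an added example, not code from the Ubuntu Security team or AppArmor; the function names, the two extra log lines and the UUID-to-`*` generalisation are assumptions made for illustration.

```python
import re
from collections import defaultdict

# First line is the denial quoted in the minutes; the other two are constructed samples.
SAMPLE_LOG = [
    '[13395.573516] type=1400 audit(1396873920.517:120): apparmor="DENIED" '
    'operation="file_inherit" profile="/usr/lib/NetworkManager/nm-dhcp-client.action" '
    'name="/var/lib/NetworkManager/dhclient-9a71cfcd-ec48-4ea2-9a72-928b504f7429-usb0.lease" '
    'pid=1168 comm="nm-dhcp-client." requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    '[13401.000001] type=1400 audit(1396873926.000:121): apparmor="DENIED" '
    'operation="open" profile="/usr/bin/example" name="/etc/example.conf" '
    'pid=1200 comm="example" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    '[13402.000001] type=1400 audit(1396873927.000:122): apparmor="ALLOWED" '
    'operation="file_inherit" profile="/usr/bin/example" name="/tmp/example.log" '
    'pid=1201 comm="example" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000',
]

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
UUID = re.compile(r'[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}')

def parse_audit(line):
    """Split one AppArmor audit line into a dict of its key=value fields."""
    return {key: value.strip('"') for key, value in FIELD.findall(line)}

def candidate_rule(name, mask):
    """Draft a file rule for human review; replacing a UUID with '*' is a heuristic."""
    return f"{UUID.sub('*', name)} {mask},"

def inherit_denials(lines):
    """Map profile -> sorted draft rules, for DENIED file_inherit events only."""
    rules = defaultdict(set)
    for line in lines:
        f = parse_audit(line)
        if (f.get("apparmor") == "DENIED" and f.get("operation") == "file_inherit"
                and "profile" in f and "name" in f):
            rules[f["profile"]].add(candidate_rule(f["name"], f.get("denied_mask", "")))
    return {profile: sorted(drafts) for profile, drafts in rules.items()}

if __name__ == "__main__":
    for profile, drafts in inherit_denials(SAMPLE_LOG).items():
        print(profile)
        for rule in drafts:
            print("  " + rule)
```

The draft it prints for the quoted denial is narrower than the `/var/lib/NetworkManager/*lease r,` rule mentioned in the discussion; how far to widen a glob remains a policy decision for the profile's maintainer.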