- Lorenzo Hernández García-Hierro
- Jeff Schroeder
- Andrew Mitchell
- push vSecurity
- IBM Stack Smashing Protector merged in 4.1 (upstream!). Deployment?
- SELinux status and work to get done
- misc, kernel patches
- * ip randomization, etc
- File specs for UBZ by 27 oct.
- Just Works (TM) and doesn't need to be configured
- VSecurity works using simple interfaces, there's no need for buggy and complicated device nodes handling. it works using sysctl and sysfs/procfs
- out of the box you get everything except the fine-grained capabilities granting
One problem left
Jeff: "The end user impact is this: when you rmmod capability, modprobe capability disable=1, modprobe vsecurity, and close that terminal, you get a kernel oops. complete system freeze and a hard reboot is required"
Lorenzo is working on this.
SELinux status and work to get done
remove suid binaries in dapper?
List of Jeff's suid files in Ubuntu http://wiki.tuxedo-es.org/Suid_files
Jeff wrote some documentation: http://wiki.tuxedo-es.org/Lowering_privilege_with_capabilities_tutorial
File Spec(s) for UBZ
Mark noted in his "Road to Dapper" on the announce list. Specs should be filed in on launchpad. This all Before 27 oct! http://lists.ubuntu.com/archives/ubuntu-announce/2005-October/000045.html
Following these guidelines https://wiki.ubuntu.com/FeatureSpecifications
Proactive Security Spec
This spec includes vSecurity. And Andrew already filed it on launchpad for UBZ. https://launchpad.net/distros/ubuntu/+spec/proactive-security
ProactiveSecurityBOF which the spec links is still empty. We need to fill this up before UBZ
Andrew will lead the BOF on UBZ regarding this spec.
From UDU: ProactiveSecurityRoadmap