16:36 #startmeeting
16:36 Meeting started Mon Apr 7 16:36:06 2014 UTC. The chair is jdstrand. Information about MeetBot at http://wiki.ubuntu.com/meetingology.
16:36 Available commands: action commands idea info link nick
16:36 The meeting agenda can be found at:
16:36 [LINK] https://wiki.ubuntu.com/SecurityTeam/Meeting
16:36 [TOPIC] Announcements
16:36 apparmor ptrace and signal mediation has landed on desktop and server. Touch images have the userspace and should have kernel updates next week. For anyone seeing apparmor denials in distro/click policy, please file bugs
16:36 oxide is now in main and in use on the touch images
16:37 [TOPIC] Weekly stand-up report
16:37 I'll go first
16:37 I'm in the happy place this week
16:37 I will be publishing the openjdk-6 update today
16:38 I'm also working with phonedations on the media-hub landing (apparmor policy updates)
16:38 and will be working on scopes apparmor policy this week
16:38 I have other updates assigned to me that I plan on picking up again
16:38 mdeslaur: you're up
16:38 I'm on triage this week
16:39 just published a couple of updates, and have some more in the PPA to test and release
16:39 the cve list is growing, so I'll be poking at that too
16:39 and I'm off on friday
16:39 that's it for me, sbeattie, you're up
16:39 I'm on apparmor again this week
16:40 I'm finishing up reviewing the userspace patches for ptrace signals, to get them landed upstream.
16:40 As well as writing additional test cases for them.
16:41 I know jj made a couple of commits over the weekend, which caused the jenkins builds to fail, so I need to see what's up with that (I suspect a couple of files got missed being added in a commit)
16:41 and I also need to finish making travel arrangements for the upcoming sprint.
16:42 that's it for me
16:42 tyhicks: you're up
16:42 I'm currently working on fixing up some lightdm guest session denials
16:42 one is a new denial from the signals/ptrace ffe and the rest are pre-existing denials
16:43 I also need to do a small followup patch, at cboltz's request, around the aa.py test cases that I added
16:43 then I'm going to get caught up on what's been happening around kdbus LSM integration
16:43 I also need to book sprint travel
16:43 that's it for me
16:44 jj is out today
16:44 sarnold: that means you're up
16:44 I'm on community this week
16:45 I believe there is only one outstanding MIR left, glusterfs, to finish up this week
16:45 I want to upgrade to trusty before release, it'd be nice to participate in a pre-release circus :)
16:45 there's plenty of apparmor patches outstanding, I'd like to review some of those and get them checked in
16:46 +1
16:46 and I haven't yet booked sprint travel, so that'll be this week :)
16:46 I think that's me this week, chrisccoulson? :)
16:46 tyhicks: re pre-existing-- I'm not sure you have to fix everything up. I think there are several things that may have been left out on purpose
16:47 hi :)
16:47 jdstrand: I'll be sure to pass everything by you
16:47 sarnold: geez, might as well wait an extra couple of weeks and directly upgrade to U :P
16:47 right now, i'm fixing bug 1301341
16:47 bug 1301341 in webbrowser-app "grooveshark playback has stopped functioning" [Undecided,Confirmed] https://launchpad.net/bugs/1301341
16:47 i'm going to do another upload of oxide later with some other stuff in (file picker support)
16:48 mdeslaur :)
16:48 but other than that, i shall be mostly working on https://bugs.launchpad.net/oxide/ ;)
16:49 chrisccoulson: fyi, oxide got promoted this morning
16:49 i've got another update to do this week as well
16:49 jdstrand, thanks
16:49 i think that's me done
16:49 [TOPIC] Highlighted packages
16:49 The Ubuntu Security team will highlight some community-supported packages that might be good candidates for updating and/or triaging. If you would like to help Ubuntu and are not sure where to start, this is a great way to do so.
16:49 See https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures for details and if you have any questions, feel free to ask in #ubuntu-security. To find out other ways of helping out, please see https://wiki.ubuntu.com/SecurityTeam/GettingInvolved.
16:50 http://people.canonical.com/~ubuntu-security/cve/pkg/gallery2.html
16:50 http://people.canonical.com/~ubuntu-security/cve/pkg/libjboss-cache3-java.html
16:50 http://people.canonical.com/~ubuntu-security/cve/pkg/jplayer.html
16:50 http://people.canonical.com/~ubuntu-security/cve/pkg/djbdns.html
16:50 http://people.canonical.com/~ubuntu-security/cve/pkg/pen.html
16:50 [TOPIC] Miscellaneous and Questions
16:50 I had one question
16:51 someone reported this denial to me in #ubuntu-devel: [13395.573516] type=1400 audit(1396873920.517:120): apparmor="DENIED" operation="file_inherit" profile="/usr/lib/NetworkManager/nm-dhcp-client.action" name="/var/lib/NetworkManager/dhclient-9a71cfcd-ec48-4ea2-9a72-928b504f7429-usb0.lease" pid=1168 comm="nm-dhcp-client." requested_mask="r" denied_mask="r" fsuid=0 ouid=0
16:51 this required /usr/lib/NetworkManager/nm-dhcp-client.action {} to need a new rule:
16:51 /var/lib/NetworkManager/*lease r,
16:52 someone in the #apparmor channel over the weekend saw something similar
16:52 and then I saw it this morning with my chromium-browser profile
16:53 it is my understanding that this was intentional, related to file delegation and that maybe at some point we want to make this configurable
16:54 I have some concerns that this is turned on atm. I didn't see it in any of the rather significant testing we did over the past weeks
16:54 is this from a new patch to the kernel?
16:54 ah, hrm, I hadn't seen that before either.
16:54 I'm not aware of it being a new patch, but jj is the one to answer that for sure.
16:55 a quick git blame points at "apparmor: revalidate open files at exec time"
16:55 it is one of the last few patches in jj's patch set
16:55 so that is in the kernels we tested
16:56 hmm
16:56 I find it really odd that I didn't see the nm one
16:56 I never saw it, either
16:56 iirc this revalidation should only occur when a confined profile hands a fd across an exec to a different domain
16:56 it is due to fd's not being closed (or intentionally being passed) across exec
16:57 so there may be some paths in nm that close the fds and some that don't??
16:57 I believe unconfined -> exec -> confined is probably still not validated
16:57 sarnold: right that was my understanding too. nm ships 3 different profiles
16:58 sarnold: that is consistent with what I've seen and what was reported in #apparmor
16:59 jdstrand: I -think- the revalidation used to occur at read() time (perhaps 'back in the day') -- this might have moved it forward to exec time to better label fds
16:59 I guess sanitized helper won't be affected cause of its wide file access (/** rwkl,)
17:00 but I worry about evince
17:00 I guess we can just keep an eye on it
17:00 what do other people think?
17:01 jdstrand: I did a `dmesg -C && sudo ./test-evince.py -v && dmesg | grep DENIED` and didn't see any denials
17:01 tyhicks: right, but I think if this occurs it will be less direct than that. eg, firefox opening evince, evince opening firefox, etc
17:02 jdstrand: firefox opening evince does happen in test-evince.py, but I'm not sure about evince opening firefox
17:02 tyhicks: right, but in that test, firefox isn't confined, is it
17:02 ?
17:02 ah
17:02 probably not
17:02 good point
17:03 well, possibly good point. I don't know if it is a problem or now-- I was just surprised by these denials
17:03 s/now/not/
17:04 yeah, I wasn't looking for delegation denials during my testing
17:05 me either-- I wasn't aware the patchset changed things
17:05 wrt delegation
17:06 well, anyway, I guess we can just keep an eye on it
17:06 Does anyone have any other questions or items to discuss?
17:07 * sbeattie takes a note to make sure delegation is exercised in the regression tests
17:08 sbeattie: thanks
17:14 mdeslaur, sbeattie, tyhicks, sarnold, chrisccoulson: thanks!
17:14 #endmeeting