16:37 #startmeeting
16:37 Meeting started Mon Mar 2 16:37:20 2015 UTC. The chair is tyhicks. Information about MeetBot at http://wiki.ubuntu.com/meetingology.
16:37 Available commands: action commands idea info link nick
16:37 The meeting agenda can be found at:
16:37 [LINK] https://wiki.ubuntu.com/SecurityTeam/Meeting
16:37 [TOPIC] Weekly stand-up report
16:37 jdstrand: you're up
16:38 I'm working on the store review tools wrt snappy
16:38 I'm also helping with the oxide FFe and helping coordinate some oxide work
16:39 I also have performance reviews to do
16:40 I hope to work on snappy hw access some more. phase 1 landed, but need to be thinking longer term now
16:40 I'd like to sync up with tyhicks and/or jjohansen on overlayfs/apparmor at some point this week too
16:40 that's it from me
16:41 I'm on community this week
16:41 and tomorrow, I have patch piloting
16:41 I'm still banging my head on the icu updates
16:42 that's probably going to take up a couple of days still
16:42 after that, I'll continue down the CVE list
16:42 that's it for me
16:42 sbeattie: you're up
16:42 I'm on security bug triage this week
16:43 I also need to correct the mir abstraction library paths for bug 1422521
16:43 bug 1422521 in apparmor (Ubuntu) "mmap of ...mir/client-platform/mesa.so DENIED" [High,In progress] https://launchpad.net/bugs/1422521
16:43 I'm continuing to test gcc-5 with pie enabled by default.
16:44 I have some apparmor patches to review and am hoping to release 2.9.2 soon.
16:44 That's pretty much it for me.
16:44 tyhicks: tag.
16:44 sbeattie: will 2.9.2 contain the mir abstraction?
16:44 or we still want it to mature?
16:45 Maybe. I'd kind of like it to mature a bit, perhaps move the unpriv mir client socket there as well.
16:46 But I can also see the desire to get it in place upstream and fleshed out there instead.
16:47 sbeattie: have you wrapped up the work to look at how well the apparmor init script is working with systemd?
16:48 tyhicks: mostly, I want to poke at it a little more, but things are looking okay so far.
16:48 sbeattie: good to hear - thanks for looking at that :)
16:48 I'm on CVE triage this week
16:48 it is the first time in a long time so it'll take me a while to get back in the swing of things
16:49 I still need to land fixes upstream, retest and publish ecryptfs-utils security updates
16:49 I'm going to add the ability to check subfeatures and then send out v2 of the libapparmor API changes
16:49 by subfeatures, I mean the permissions typically found in the "mask" files of apparmorfs (such as apparmorfs/dbus/mask)
16:50 then I'll restart my work on AppArmor kernel keyring mediation for user data encryption
16:50 that's it for me
16:50 jjohansen: you're up
16:50 I need to finish testing the fix for the fd_inheritance Bug 1423810 (it is backport kernels only),
16:50 I still need to finish looking into Bug 1425398, a first glance led me to believe it's actually a bug fix against the trusty version of apparmor that is causing the issue.
16:50 push the current stack of bug fixes up to the kt
16:50 Finish my review of the latest revision of the LSM stacking patches
16:50 sync up discuss the libapparmor policy load api
16:50 sync up with jdstrand on overlayfs
16:50 and of course get back to upstreaming cleanup
16:50 bug 1423810 in apparmor (Ubuntu) "[krillin] apparmor fd_inheritance regression test causes kernel to crash" [Undecided,New] https://launchpad.net/bugs/1423810
16:50 bug 1425398 in linux-lts-utopic (Ubuntu) "Apparmor uses rsyslogd profile for different processes - utopic HWE" [Undecided,New] https://launchpad.net/bugs/1425398
16:51 sbeattie: re systemd> I just noticed on a snappy system:
16:51 1 processes are unconfined but have a profile defined.
16:51 /sbin/dhclient (723)
16:52 sbeattie: that may be known-- dhclient is a system profile and not a snap profile, but seems we need to do something special there *if* we weren't going to land cache loading
16:52 that isn't surprising
16:52 no, it isn'
16:52 t
16:52 jdstrand: hunh, okay. I didn't see that in a vm, but I'll try and play around with snappy this week
16:52 also, I'm not sure how tradition server software is doing
16:53 traditional*
16:53 sbeattie: thanks
16:53 sbeattie: it might be a race. ping me if you need help with snappy kvm
16:54 that is it for me sarnold you're up
16:55 I'm in happy place this week; I'm working on several MIR requests and back-burnered the horizon updates; those are blocked on the server team's work on preparing their serverstack testing environment to handle precise with distro-supplied openstack
16:55 when they have something far enough along to test, I'll head over to that
16:56 and I'll try to review some of the apparmor patches coming this week or already outstanding, but it's also not going to be a top priority
16:56 that's it for me, chrisccoulson?
16:56 sarnold: let's continue to wait on the precise-essex serverstack enablement this week
16:57 sarnold: if it doesn't happen this week, we need to go back to the wiki page for precise testing next week
16:57 tyhicks: makes sense
16:57 thanks
16:57 This week, I'll be getting thunderbird out. I also expect a chromium update, which means there'll be a corresponding oxide update
16:58 Other than that, I'll be working on oxide bugs
16:58 That's me done
16:59 [TOPIC] Highlighted packages
16:59 The Ubuntu Security team will highlight some community-supported packages that might be good candidates for updating and or triaging. If you would like to help Ubuntu and not sure where to start, this is a great way to do so.
16:59 See https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures for details and if you have any questions, feel free to ask in #ubuntu-security.
To find out other ways of helping out, please see https://wiki.ubuntu.com/SecurityTeam/GettingInvolved.
16:59 http://people.canonical.com/~ubuntu-security/cve/pkg/insighttoolkit4.html
16:59 http://people.canonical.com/~ubuntu-security/cve/pkg/libphp-adodb.html
16:59 [TOPIC] Miscellaneous and Questions
16:59 http://people.canonical.com/~ubuntu-security/cve/pkg/maildrop.html
16:59 http://people.canonical.com/~ubuntu-security/cve/pkg/xlockmore.html
16:59 http://people.canonical.com/~ubuntu-security/cve/pkg/python-soappy.html
16:59 Does anyone have any other questions or items to discuss?
17:01 jdstrand, mdeslaur, sbeattie, jjohansen, sarnold, ChrisCoulson: Thanks!
17:01 #endmeeting