16:36 <jdstrand> #startmeeting
16:36 <meetingology> Meeting started Mon Apr 7 16:36:06 2014 UTC. The chair is jdstrand. Information about MeetBot at http://wiki.ubuntu.com/meetingology.
16:36 <meetingology>
16:36 <meetingology> Available commands: action commands idea info link nick
16:36 <jdstrand> The meeting agenda can be found at:
16:36 <jdstrand> [LINK] https://wiki.ubuntu.com/SecurityTeam/Meeting
16:36 <jdstrand> [TOPIC] Announcements
16:36 <jdstrand> apparmor ptrace and signal mediation has landed on desktop and server. Touch images have the userspace and should have kernel updates next week. For anyone seeing apparmor denials in distro/click policy, please file bugs
16:36 <jdstrand> oxide is now in main and in use on the touch images
16:37 <jdstrand> [TOPIC] Weekly stand-up report
16:37 <jdstrand> I'll go first
16:37 <jdstrand> I'm in the happy place this week
16:37 <jdstrand> I will be publishing the openjdk-6 update today
16:38 <jdstrand> I'm also working with phonedations on the media-hub landing (apparmor policy updates)
16:38 <jdstrand> and will be working on scopes apparmor policy this week
16:38 <jdstrand> I have other updates assigned to me that I plan on picking up again
16:38 <jdstrand> mdeslaur: you're up
16:38 <mdeslaur> I'm on triage this week
16:39 <mdeslaur> just published a couple of updates, and have some more in the PPA to test and release
16:39 <mdeslaur> the cve list is growing, so I'll be poking at that too
16:39 <mdeslaur> and I'm off on friday
16:39 <mdeslaur> that's it for me, sbeattie, you're up
16:39 <sbeattie> I'm on apparmor again this week
16:40 <sbeattie> I'm finishing up reviewing the userspace patches for ptrace/signals, to get them landed upstream.
16:40 <sbeattie> As well as writing additional test cases for them.
16:41 <sbeattie> I know jj made a couple of commits over the weekend, which caused the jenkins builds to fail, so I need to see what's up with that (I suspect a couple of files got missed being added in a commit)
16:41 <sbeattie> and I also need to finish making travel arrangements for the upcoming sprint.
16:42 <sbeattie> that's it for me
16:42 <sbeattie> tyhicks: you're up
16:42 <tyhicks> I'm currently working on fixing up some lightdm guest session denials
16:42 <tyhicks> one is a new denial from the signals/ptrace ffe and the rest are pre-existing denials
16:43 <tyhicks> I also need to do a small followup patch, at cboltz's request, around the aa.py test cases that I added
16:43 <tyhicks> then I'm going to get caught up on what's been happening around kdbus LSM integration
16:43 <tyhicks> I also need to book sprint travel
16:43 <tyhicks> that's it for me
16:44 <tyhicks> jj is out today
16:44 <tyhicks> sarnold: that means you're up
16:44 <sarnold> I'm on community this week
16:45 <sarnold> I believe there is only one outstanding MIR left, glusterfs, to finish up this week
16:45 <sarnold> I want to upgrade to trusty before release, it'd be nice to participate in a pre-release circus :)
16:45 <sarnold> there's plenty of apparmor patches outstanding, I'd like to review some of those and get them checked in
16:46 <tyhicks> +1
16:46 <sarnold> and I haven't yet booked sprint travel, so that'll be this week :)
16:46 <sarnold> I think that's me this week, chrisccoulson? :)
16:46 <jdstrand> tyhicks: re pre-existing-- I'm not sure you have to fix everything up. I think there are several things that may have been left out on purpose
16:47 <chrisccoulson> hi :)
16:47 <tyhicks> jdstrand: I'll be sure to pass everything by you
16:47 <mdeslaur> sarnold: geez, might as well wait an extra couple of weeks and directly upgrade to U :P
16:47 <chrisccoulson> right now, i'm fixing bug 1301341
16:47 <ubottu> bug 1301341 in webbrowser-app "grooveshark playback has stopped functioning" [Undecided,Confirmed] https://launchpad.net/bugs/1301341
16:47 <chrisccoulson> i'm going to do another upload of oxide later with some other stuff in (file picker support)
16:48 <sarnold> mdeslaur :)
16:48 <chrisccoulson> but other than that, i shall be mostly working on https://bugs.launchpad.net/oxide/ ;)
16:49 <jdstrand> chrisccoulson: fyi, oxide got promoted this morning
16:49 <chrisccoulson> i've got another update to do this week as well
16:49 <chrisccoulson> jdstrand, thanks
16:49 <chrisccoulson> i think that's me done
16:49 <jdstrand> [TOPIC] Highlighted packages
16:49 <jdstrand> The Ubuntu Security team will highlight some community-supported packages that might be good candidates for updating and/or triaging. If you would like to help Ubuntu and are not sure where to start, this is a great way to do so.
16:49 <jdstrand> See https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures for details and if you have any questions, feel free to ask in #ubuntu-security. To find out other ways of helping out, please see https://wiki.ubuntu.com/SecurityTeam/GettingInvolved.
16:50 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/gallery2.html
16:50 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/libjboss-cache3-java.html
16:50 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/jplayer.html
16:50 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/djbdns.html
16:50 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/pen.html
16:50 <jdstrand> [TOPIC] Miscellaneous and Questions
16:50 <jdstrand> I had one question
16:51 <jdstrand> someone reported this denial to me in #ubuntu-devel: [13395.573516] type=1400 audit(1396873920.517:120): apparmor="DENIED" operation="file_inherit" profile="/usr/lib/NetworkManager/nm-dhcp-client.action" name="/var/lib/NetworkManager/dhclient-9a71cfcd-ec48-4ea2-9a72-928b504f7429-usb0.lease" pid=1168 comm="nm-dhcp-client." requested_mask="r" denied_mask="r" fsuid=0 ouid=0
16:51 <jdstrand> this required /usr/lib/NetworkManager/nm-dhcp-client.action {} to need a new rule:
16:51 <jdstrand> /var/lib/NetworkManager/*lease r,
16:52 <jdstrand> someone in the #apparmor channel over the weekend saw something similar
16:52 <jdstrand> and then I saw it this morning with my chromium-browser profile
16:53 <jdstrand> it is my understanding that this was intentional, related to file delegation and that maybe at some point we want to make this configurable
16:54 <jdstrand> I have some concerns that this is turned on atm. I didn't see it in any of the rather significant testing we did over the past weeks
16:54 <jdstrand> is this from a new patch to the kernel?
16:54 <sbeattie> ah, hrm, I hadn't seen that before either.
16:54 <sbeattie> I'm not aware of it being a new patch, but jj is the one to answer that for sure.
16:55 <tyhicks> a quick git blame points at "apparmor: revalidate open files at exec time"
16:55 <tyhicks> it is one of the last few patches in jj's patch set
16:55 <jdstrand> so that is in the kernels we tested
16:56 <jdstrand> hmm
16:56 <jdstrand> I find it really odd that I didn't see the nm one
16:56 <tyhicks> I never saw it, either
16:56 <sarnold> iirc this revalidation should only occur when a confined profile hands a fd across an exec to a different domain
16:56 <tyhicks> it is due to fds not being closed (or intentionally being passed) across exec
16:57 <tyhicks> so there may be some paths in nm that close the fds and some that don't??
16:57 <sarnold> I believe unconfined -> exec -> confined is probably still not validated
16:57 <jdstrand> sarnold: right that was my understanding too. nm ships 3 different profiles
16:58 <jdstrand> sarnold: that is consistent with what I've seen and what was reported in #apparmor
16:59 <sarnold> jdstrand: I -think- the revalidation used to occur at read() time (perhaps 'back in the day') -- this might have moved it forward to exec time to better label fds
16:59 <jdstrand> I guess sanitized helper won't be affected cause of its wide file access (/** rwkl,)
17:00 <jdstrand> but I worry about evince
17:00 <jdstrand> I guess we can just keep an eye on it
17:00 <jdstrand> what do other people think?
17:01 <tyhicks> jdstrand: I did a `dmesg -C && sudo ./test-evince.py -v && dmesg | grep DENIED` and didn't see any denials
17:01 <jdstrand> tyhicks: right, but I think if this occurs it will be less direct than that. eg, firefox opening evince, evince opening firefox, etc
17:02 <tyhicks> jdstrand: firefox opening evince does happen in test-evince.py, but I'm not sure about evince opening firefox
17:02 <jdstrand> tyhicks: right, but in that test, firefox isn't confined, is it
17:02 <jdstrand> ?
17:02 <tyhicks> ah
17:02 <tyhicks> probably not
17:02 <tyhicks> good point
17:03 <jdstrand> well, possibly good point. I don't know if it is a problem or now-- I was just surprised by these denials
17:03 <jdstrand> s/now/not/
17:04 <tyhicks> yeah, I wasn't looking for delegation denials during my testing
17:05 <jdstrand> me either-- I wasn't aware the patchset changed things
17:05 <jdstrand> wrt delegation
17:06 <jdstrand> well, anyway, I guess we can just keep an eye on it
17:06 <jdstrand> Does anyone have any other questions or items to discuss?
17:07 * sbeattie takes a note to make sure delegation is exercised in the regression tests
17:08 <jdstrand> sbeattie: thanks
17:14 <jdstrand> mdeslaur, sbeattie, tyhicks, sarnold, chrisccoulson: thanks!
17:14 <jdstrand> #endmeeting