16:36 <jdstrand> #startmeeting
16:36 <meetingology> Meeting started Mon Apr  7 16:36:06 2014 UTC.  The chair is jdstrand. Information about MeetBot at http://wiki.ubuntu.com/meetingology.
16:36 <meetingology> 
16:36 <meetingology> Available commands: action commands idea info link nick
16:36 <jdstrand> The meeting agenda can be found at:
16:36 <jdstrand> [LINK] https://wiki.ubuntu.com/SecurityTeam/Meeting
16:36 <jdstrand> [TOPIC] Announcements
16:36 <jdstrand> apparmor ptrace and signal mediation has landed on desktop and server. Touch images have the userspace and should have kernel updates next week. For anyone seeing apparmor denials in distro/click policy, please file bugs
16:36 <jdstrand> oxide is now in main and in use on the touch images
16:37 <jdstrand> [TOPIC] Weekly stand-up report
16:37 <jdstrand> I'll go first
16:37 <jdstrand> I'm in the happy place this week
16:37 <jdstrand> I will be publishing the openjdk-6 update today
16:38 <jdstrand> I'm also working with phonedations on the media-hub landing (apparmor policy updates)
16:38 <jdstrand> and will be working on scopes apparmor policy this week
16:38 <jdstrand> I have other updates assigned to me that I plan on picking up again
16:38 <jdstrand> mdeslaur: you're up
16:38 <mdeslaur> I'm on triage this week
16:39 <mdeslaur> just published a couple of updates, and have some more in the PPA to test and release
16:39 <mdeslaur> the cve list is growing, so I'll be poking at that too
16:39 <mdeslaur> and I'm off on friday
16:39 <mdeslaur> that's it for me, sbeattie, you're up
16:39 <sbeattie> I'm on apparmor again this week
16:40 <sbeattie> I'm finishing up reviewing the user space patches for ptrace/signals, to get them landed upstream.
16:40 <sbeattie> As well as writing additional test cases for them.
16:41 <sbeattie> I know jj made a couple of commits over the weekend, which caused the jenkins builds to fail, so I need to see what's up with that (I suspect a couple of files got missed being added in a commit)
16:41 <sbeattie> and I also need to finish making travel arrangements for the upcoming sprint.
16:42 <sbeattie> that's it for me
16:42 <sbeattie> tyhicks: you're up
16:42 <tyhicks> I'm currently working on fixing up some lightdm guest session denials
16:42 <tyhicks> one is a new denial from the signals/ptrace ffe and the rest are pre-existing denials
16:43 <tyhicks> I also need to do a small followup patch, at cboltz's request, around the aa.py test cases that I added
16:43 <tyhicks> then I'm going to get caught up on what's been happening around kdbus LSM integration
16:43 <tyhicks> I also need to book sprint travel
16:43 <tyhicks> that's it for me
16:44 <tyhicks> jj is out today
16:44 <tyhicks> sarnold: that means you're up
16:44 <sarnold> I'm on community this week
16:45 <sarnold> I believe there is only one outstanding MIR left, glusterfs, to finish up this week
16:45 <sarnold> I want to upgrade to trusty before release, it'd be nice to participate in a pre-release circus :)
16:45 <sarnold> there's plenty of apparmor patches outstanding, I'd like to review some of those and get them checked in
16:46 <tyhicks> +1
16:46 <sarnold> and I haven't yet booked sprint travel, so that'll be this week :)
16:46 <sarnold> I think that's me this week, chrisccoulson? :)
16:46 <jdstrand> tyhicks: re pre-existing-- I'm not sure you have to fix everything up. I think there are several things that may have been left out on purpose
16:47 <chrisccoulson> hi :)
16:47 <tyhicks> jdstrand: I'll be sure to pass everything by you
16:47 <mdeslaur> sarnold: geez, might as well wait an extra couple of weeks and directly upgrade to U :P
16:47 <chrisccoulson> right now, i'm fixing bug 1301341
16:47 <ubottu> bug 1301341 in webbrowser-app "grooveshark playback has stopped functioning" [Undecided,Confirmed] https://launchpad.net/bugs/1301341
16:47 <chrisccoulson> i'm going to do another upload of oxide later with some other stuff in (file picker support)
16:48 <sarnold> mdeslaur :)
16:48 <chrisccoulson> but other than that, i shall be mostly working on https://bugs.launchpad.net/oxide/ ;)
16:49 <jdstrand> chrisccoulson: fyi, oxide got promoted this morning
16:49 <chrisccoulson> i've got another update to do this week as well
16:49 <chrisccoulson> jdstrand, thanks
16:49 <chrisccoulson> i think that's me done
16:49 <jdstrand> [TOPIC] Highlighted packages
16:49 <jdstrand> The Ubuntu Security team will highlight some community-supported packages that might be good candidates for updating and or triaging. If you would like to help Ubuntu and not sure where to start, this is a great way to do so.
16:49 <jdstrand> See https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures for details and if you have any questions, feel free to ask in #ubuntu-security. To find out other ways of helping out, please see https://wiki.ubuntu.com/SecurityTeam/GettingInvolved.
16:50 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/gallery2.html
16:50 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/libjboss-cache3-java.html
16:50 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/jplayer.html
16:50 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/djbdns.html
16:50 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/pen.html
16:50 <jdstrand> [TOPIC] Miscellaneous and Questions
16:50 <jdstrand> I had one question
16:51 <jdstrand> someone reported this denial to me in #ubuntu-devel: [13395.573516] type=1400 audit(1396873920.517:120): apparmor="DENIED" operation="file_inherit" profile="/usr/lib/NetworkManager/nm-dhcp-client.action" name="/var/lib/NetworkManager/dhclient-9a71cfcd-ec48-4ea2-9a72-928b504f7429-usb0.lease" pid=1168 comm="nm-dhcp-client." requested_mask="r" denied_mask="r" fsuid=0 ouid=0
16:51 <jdstrand> this required /usr/lib/NetworkManager/nm-dhcp-client.action {} to need a new rule:
16:51 <jdstrand> /var/lib/NetworkManager/*lease r,
16:52 <jdstrand> someone in the #apparmor channel over the weekend saw something similar
16:52 <jdstrand> and then I saw it this morning with my chromium-browser profile
16:53 <jdstrand> it is my understanding that this was intentional, related to file delegation and that maybe at some point we want to make this configurable
16:54 <jdstrand> I have some concerns that this is turned on atm. I didn't see it in any of the rather significant testing we did over the past weeks
16:54 <jdstrand> is this from a new patch to the kernel?
16:54 <sbeattie> ah, hrm, I hadn't seen that before either.
16:54 <sbeattie> I'm not aware of it being a new patch, but jj is the one to answer that for sure.
16:55 <tyhicks> a quick git blame points at "apparmor: revalidate open files at exec time"
16:55 <tyhicks> it is one of the last few patches in jj's patch set
16:55 <jdstrand> so that is in the kernels we tested
16:56 <jdstrand> hmm
16:56 <jdstrand> I find it really odd that I didn't see the nm one
16:56 <tyhicks> I never saw it, either
16:56 <sarnold> iirc this revalidation should only occur when a confined profile hands a fd across an exec to a different domain
16:56 <tyhicks> it is due to fd's not being closed (or intentionally being passed) across exec
16:57 <tyhicks> so there may be some paths in nm that close the fds and some that don't??
16:57 <sarnold> I believe unconfined -> exec -> confined is probably still not validated
16:57 <jdstrand> sarnold: right that was my understanding too. nm ships 3 different profiles
16:58 <jdstrand> sarnold: that is consistent with what I've seen and what was reported in #apparmor
16:59 <sarnold> jdstrand: I -think- the revalidation used to occur at read() time (perhaps 'back in the day') -- this might have moved it forward to exec time to better label fds
16:59 <jdstrand> I guess sanitized helper won't be affected 'cause of its wide file access (/** rwkl,)
17:00 <jdstrand> but I worry about evince
17:00 <jdstrand> I guess we can just keep an eye on it
17:00 <jdstrand> what do other people think?
17:01 <tyhicks> jdstrand: I did a `dmesg -C && sudo ./test-evince.py -v && dmesg | grep DENIED` and didn't see any denials
17:01 <jdstrand> tyhicks: right, but I think if this occurs it will be less direct than that. eg, firefox opening evince, evince opening firefox, etc
17:02 <tyhicks> jdstrand: firefox opening evince does happen in test-evince.py, but I'm not sure about evince opening firefox
17:02 <jdstrand> tyhicks: right, but in that test, firefox isn't confined, is it
17:02 <jdstrand> ?
17:02 <tyhicks> ah
17:02 <tyhicks> probably not
17:02 <tyhicks> good point
17:03 <jdstrand> well, possibly good point. I don't know if it is a problem or not-- I was just surprised by these denials
17:04 <tyhicks> yeah, I wasn't looking for delegation denials during my testing
17:05 <jdstrand> me either-- I wasn't aware the patchset changed things
17:05 <jdstrand> wrt delegation
17:06 <jdstrand> well, anyway, I guess we can just keep an eye on it
17:06 <jdstrand> Does anyone have any other questions or items to discuss?
17:07 * sbeattie takes a note to make sure delegation is exercised in the regression tests
17:08 <jdstrand> sbeattie: thanks
17:14 <jdstrand> mdeslaur, sbeattie, tyhicks, sarnold, chrisccoulson: thanks!
17:14 <jdstrand> #endmeeting