AppArmor mediation for signals, IPC and ptrace

Registered by Jamie Strandboge on 2013-03-27

Deliverable: finish mediation for signals, IPC and ptrace. When completed, users will be able to define AppArmor policy for these such that confined applications will only be able to send/receive signals, use IPC and ptrace other processes according to policy.

Acceptance criteria for March 2014:
Goal: Users are able to write basic policy for signals
Goal: Users are able to write basic policy for ptrace

Acceptance criteria for August 2014:
Goal: Users are able to write basic policy for unix domain sockets, anonymous IPC and netlink sockets

Blueprint information

Status:
Complete
Approver:
Jamie Strandboge
Priority:
High
Drafter:
John Johansen
Direction:
Approved
Assignee:
John Johansen
Definition:
Approved
Series goal:
Accepted for trusty
Implementation:
Implemented
Milestone target:
milestone icon ubuntu-14.01
Started by
Jamie Strandboge on 2013-04-26
Completed by
Jamie Strandboge on 2014-04-04

Related branches

Sprints

Whiteboard

jdstrand: Other items to be integrated with the others and captured here so they are not lost:
[jjohansen] ipc rules add to parser (medium): TODO
[jjohansen] ipc rules add to parser tests (low): TODO
[jjohansen] ipc rules add to kernel (medium): TODO
[jjohansen] ipc rules regression tests (low): TODO
[jjohansen] ipc - update documentation/man pages low: TODO
[jjohansen] update how labeling of unix domain sockets is done (high): TODO
[jjohansen] update parser/language for abstract unix domain socket naming: TODO
[jjohansen] update how labeling of netlink sockets is done: TODO
[jjohansen] update parser/language to support netlink beyond af_mask: TODO

jdstrand: ext. mediation, signal work carried over from https://blueprints.launchpad.net/ubuntu/+spec/security-1304-appisolation-signals-ipc-ptrace

(?)

Work Items

Work items for ubuntu-14.01:
[jjohansen] verify yama sufficiently handles ptrace for near-term priorities: DONE
[jjohansen] ext. mediation, signal, extend checks to kill hook - kernel: DONE
[jjohansen] ext. mediation, signal, extend policy language - parser: DONE

Work items for ubuntu-14.03:
[jjohansen] ext. mediation, signal - parser tests: DONE
[sbeattie] ext. mediation, signal - regression tests: INPROGRESS
[tyhicks] apparmor IPC mediation in ppa: DONE
[tyhicks] apparmor IPC mediation packaging for Ubuntu: DONE
[tyhicks] verify/adjust distro policy for IPC based on Features: DONE
[jjohansen] ext. mediation, signal - userspace tools (???) (2): DONE
[sbeattie] ext. mediation, signal - userspace tools unit tests (???) (1): DONE
[jjohansen] ext. mediation, signal - documentation/man page (0.5): DONE
[jjohansen] ext. mediation, ptrace - kernel (???) (0.5): DONE
[jjohansen] ext. mediation, ptrace - parser (???) (0.5): DONE
[sbeattie] ext. mediation, ptrace - parser tests (???) (0.5): DONE
[jjohansen] ext. mediation, ptrace - regression tests (???) (1): DONE
[jjohansen] ext. mediation, ptrace - userspace tools (???) (1): DONE
[sbeattie] ext. mediation, ptrace - userspace tools unit tests (???) (1): DONE
[jjohansen] ext. mediation, ptrace - documentation/man pages (???) (0.5): DONE
[jjohansen] ext. mediation, ipc, RFC/discussion (???) (1): DONE
[jjohansen] ext. mediation, ipc - upstream (???) (1): DONE
[jjohansen] ext. mediation, ipc mediate - kernel (???) (5): DONE
[jjohansen] ext. mediation, ipc rules - parser (???) (2): DONE
[sbeattie] ext. mediation, ipc rules - parser tests (???) (1): DONE
[sbeattie] ext. mediation, ipc rules - regression tests (???) (2): DONE
[jjohansen] ext. mediation, ipc rules - userspace tools (???) (2): DONE
[jjohansen] ext. mediation, ipc rules - userspace tools unit tests (???) (1): DONE
[jdstrand] ext. mediation, ipc rules - documentation/man pages (???) (1): DONE

Work items for ubuntu-14.04:
[jdstrand] release note on IPC: DONE
[jdstrand] update Features for ipc/signals: DONE
[jjohansen] backport signal/ptrace mediation to phablet kernels: POSTPONED

Work items for later:
[jjohansen] ext. mediation, alt ns unix domain socket, labeling - kernel - deps labeling: POSTPONED
[jjohansen] ext. mediation, alt ns unix domain socket, policy language - parser: POSTPONED
[jjohansen] ext. mediation, alt ns unix domain socket - parser tests: POSTPONED
[sbeattie] ext. mediation, alt ns unix domain socket - regressiont tests: POSTPONED
[tyhicks] verify policy for dbus, upstart and other abstract sockets: BLOCKED
[jjohansen] ext. mediation, netlink, address matching - kernel: POSTPONED
[jjohansen] ext. mediation, netlink, profile language - parser: POSTPONED
[jjohansen] ext. mediation, netlink - parser tests: POSTPONED
[jjohansen] ext. mediation, netlink - regression tests: POSTPONED
[sbeattie] ext. mediation, anonymous ipc (pipes, sock pairs, ..) mediate - kernel: POSTPONED
[jjohansen] ext. mediation, anonymous ipc rules (pipes, sock pairs, ..) - parser: POSTPONED
[jjohansen] ext. mediation, anonymous ipc rules (pipes, sock pairs, ..) - parser tests: POSTPONED
[sbeattie] ext. mediation, anonymous ipc rules (pipes, sock pairs, ..) - regression tests: POSTPONED
[jjohansen] stacking, extend exec to have stacking transition - kernel (essential): POSTPONED
[jjohansen] stacking, extend policy language - parser (essential): POSTPONED
[jjohansen] fd passing and inheritance - revalidate files at ipc (essential): POSTPONED
[sbeattie] fd passing and inheritance - regression tests (essential): POSTPONED
[jjohansen] ext. mediation, signal, use sids for interrupts - kernel (???) (2): POSTPONED
[jjohansen] ext. mediation, signal - update aa-logparser (???) (1): POSTPONED
[jjohansen] ext. mediation, alt ns unix domain socket - update aa-logparse, including tests (???) (1): POSTPONED
[jjohansen] ext. mediation, alt ns unix domain socket - userspace tools (???) (2): POSTPONED
[sbeattie] ext. mediation, alt ns unix domain socket - userspace tools unit tests (???) (1): POSTPONED
[jjohansen] ext. mediation, alt ns unix domain socket - documentation/man pages (0.5): POSTPONED
[jjohansen] ext. mediation, netlink - update aa-logparser, including tests (???) (1): POSTPONED
[jjohansen] ext. mediation, netlink - userspace tools (???) (2): POSTPONED
[sbeattie] ext. mediation, netlink - userspace tools unit tests (???) (1): POSTPONED
[jjohansen] ext. mediation, netlink - documentation/man pages (???) (0.5): POSTPONED
[jjohansen] ext. mediation, ipc rules - update aa-logparser, including tests (???) (1): POSTPONED
[jjohansen] ext. mediation, anonymous ipc (pipes, sock pairs, ..) - RFC/discussion (???) (1): POSTPONED
[jjohansen] ext. mediation, anonymous ipc (pipes, sock pairs, ..) - upstream (???) (1): POSTPONED
[jjohansen] ext. mediation, anonymous ipc rules (pipes, sock pairs, ..) - update aa-logparser, including tests (???) (1): POSTPONED
[jjohansen] ext. mediation, anonymous ipc rules (pipes, sock pairs, ..) - userspace tools (???) (2): POSTPONED
[jjohansen] ext. mediation, anonymous ipc rules (pipes, sock pairs, ..) - userspace tools unit tests (???) (1): POSTPONED
[jdstrand] ext. mediation, anonymoys ipc rules (pipes, sock pairs, ..) - documentation/man pages (???) (1): BLOCKED
[jjohansen] ext. mediation, ptrace - aa-logparser, including tests (???) (1): POSTPONED

Dependency tree

* Blueprints in grey have been implemented.

This blueprint contains Public information 
Everyone can see this information.