Security Catch-all

Registered by Marc Deslauriers on 2012-04-30

Implement various additional security things that don't need a full blueprint of their own. Some or all of this will be discussed in the morning roundtable discussions.

Blueprint information

Status:
Complete
Approver:
Jamie Strandboge
Priority:
Medium
Drafter:
Marc Deslauriers
Direction:
Approved
Assignee:
Marc Deslauriers
Definition:
Approved
Series goal:
Accepted for quantal
Implementation:
Implemented
Milestone target:
ubuntu-12.10
Started by
Jamie Strandboge on 2012-05-15
Completed by
Jamie Strandboge on 2012-10-03

Whiteboard

usndb
- priority - not a severity, but a priority of work
 - could put the NVD CVSS score in when it is available - better than our priority
    - could we modify this score with mitigation in Ubuntu (hardening etc)
    - shouldn't add nvd score because the score comes out way after the fact
    - we could create our own scoring, but there isn't a demand at this time
- CVE - these should already be in there
- linux kernel USN

CVEs with no fixes
- can we temporarily remove stuff from our alert script
- use deferred with the date we last checked after it, e.g. pkg_precise: deferred (2012-04-05)
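Added example (not part of the blueprint or UCT) of how an alert script can honour such a deferred entry: status lines in the "pkg_release: status (date)" form shown above are parsed, and a deferred entry is re-surfaced only once its last-checked date is on or before a chosen cutoff. The sample status lines and the `needs_alert` / `alerts_as_of` names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not UCT code: re-surface deferred CVE entries once they are stale.
# Status lines follow the "pkg_release: status (date)" form used in the note above;
# the sample lines below are constructed.
cve_status_sample() {
    cat <<'EOF'
pkg_precise: needed
pkg_lucid: deferred (2012-04-05)
pkg_oneiric: deferred (2012-04-28)
pkg_natty: not-affected
EOF
}

# ISO dates compare correctly as plain integers once the dashes are dropped.
date_num() {
    printf '%s' "$1" | sed 's/-//g'
}

# Exit 0 when the line needs an alert as of CUTOFF (YYYY-MM-DD):
#   needed        -> always
#   deferred (D)  -> only if D is on or before CUTOFF, i.e. the deferral has expired
#   anything else -> never
needs_alert() {
    line=$1; cutoff=$2
    status=${line#*: }
    case $status in
        needed*) return 0 ;;
        "deferred ("*")")
            d=${status#*"("}; d=${d%%")"*}
            [ "$(date_num "$d")" -le "$(date_num "$cutoff")" ] ;;
        *) return 1 ;;
    esac
}

# Print every sample line that needs an alert as of CUTOFF ($1).
alerts_as_of() {
    cve_status_sample | while IFS= read -r line; do
        if needs_alert "$line" "$1"; then
            echo "$line"
        fi
    done
}

# As of 2012-04-10 the lucid deferral (2012-04-05) has expired and is listed
# again; the oneiric one (2012-04-28) is still quiet.
alerts_as_of 2012-04-10
```

A cron job would pass today's date as the cutoff (or a date some days back if a grace period is wanted), so a deferred entry never stays hidden for longer than the team intended.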

Flavors notification:
- CVE
 - page with all packages not supported by the security team but with open CVEs. also have packages which are supported and flag them in some way
 - in same place as our html export
 - per release
 - ubuntu-archive-tools uses edit_acl.py which should be able to list package sets
 - stgraber also lists the package sets

Default sysrq mask
- can use it to disable the screensaver and active process
- Debian restricts some of these by default
- should we do it? mainly just the ones to kill processes
- should use sysctl if possible
- is sys-ctrl-del

Security audit iso testing
- can this be run in jenkins
- we push a reviewed dump into jenkins, have it run the script and diff the output against the reviewed copy; then we get a report and update the reviewed copy

vm-tools
- qed?
- snapshotting with virsh snapshot*

Actions:
[action] list the linux kernel meta package in all cases
[action] list our priority in the usn db
[action] verify/add cve field in the usn database
[action] fix database for early USNs with embedded utf-8 characters
[action] documentation on how to consume the json db for landscape
[sbeattie] security fake sync with native package
[tyhicks] confirm performance/size improvement with qed

firefox - profile
- load a firefox profile that doesn't attach
- plugin/extension to enable apparmor which makes firefox do a change_profile
- button that says "secure me"
- have a toggle to disable on and off. if it is disabled, then prompt
- would be nice to allow choosing what to disable (java, productivity)
 - problems:
   - need to reload policy
   - /etc/apparmor.d/abstractions/ubuntu-browsers.d/firefox is system wide
- could maybe do this with kernel variables
- could also just have 3 profiles: low/medium/high, where 'high' allows nothing additional, medium allows flash, low allows java
- then have viewing denials available via the extension
- the wrapper script could do the change via aa-exec or something

UMT
- Make umt compare-log smart enough to handle two releases with the same orig package version. This is for when say natty and oneiric have the same version
 - could just grep for the 'Distribution:' line at the head
- launchpad build logs
 - useful to compare against each other and maybe against local
  - problems are parallel flags
  - is it worth it? local builds seem pretty stable now and comparing local to local gets us most of what we need
- can compare-bin against ppa builds
- add a umt command to copy_sppa_to_repo and then do a compare-bin on those pulled

UCT
[jdstrand] sanity check json exports
[jdstrand] investigate sanity checking pickle file
[jdstrand] clean up old USN in pickle db that have embedded utf-8
[jdstrand] adjust cve_alerts to use heuristics so things with say 14 lows and no mediums still show up in the list

New kernel options
- stack-protector-strong (non-upstream) patch. This is somewhere between stack-protector and stack-protector-all. 'all' is too aggressive and not appropriate (many optimizations are broken). kees will be working on that to get it upstream and will investigate. Probably not for 12.10, maybe for 13.04
- pie by default for amd64?
 - doko doesn't want to see it as a default for an architecture unless it can be demonstrated that it doesn't degrade performance for common workloads. Problem is that there isn't a set of representative tests for various workloads
 - probably a lot of work
 - NCommander rebuilt everything with pie at one time and had some problems

EC2 kernel
- kernel team wants to kill Lucid EC2 topic branch - SRU in pv-ops kernel. Reasoning is sound: ec2 branch uses the old pre-upstream Xen pvops patches. This is some 120,000+ line patch and touches all kinds of parts of the kernel. It makes it very difficult to maintain and apply security patches. We have been using the 'new' patch for pvops since Maverick which is much, much smaller since it utilizes the upstream pvops work and it has worked very well. The ec2 kernel patch was added because at the time lucid kernels would not start on 25% of the zones. This is now completely resolved since Maverick. The old patch is unmaintained by upstream and too difficult to maintain by us (i.e., patches have to be applied twice, which potentially doubles the work for lucid security updates and is also error prone since we are maintaining two parts of the same kernel). For maintenance reasons and security support, we should drop the ec2 branch
- [jjohansen] talk to smoser for any concerns or usage numbers
- [jjohansen] if there are security fixes, push through -security, otherwise -proposed
- [jjohansen] verify kernel via QRT
- [kernel] ensure we have a back out plan in case this was a problem
- [smoser] test the kernel

Micah:
[roadmap] Rid the archive of MD5 in a security context - problem is defining what is being used in a security context. Look at all functions in crypto libraries that use MD5 then scan the archive for these things. Perhaps define how to make this more discoverable: could print errors, but this is risky and too many false positives. Could also spew if the environment variable is set. May take a couple of months.
Default to at least SHA256 for security contexts that we control (I'm thinking this is already happening)
 - pam - done
 - package archive - done
 - others if they are using other checksums, file a bug and then we'll get it fixed
 - [roadmap] use env var technique to spew an error if sha1
Apparmor profiles for thunderbird/chromium in package
- [micahg] move chromium
- [micahg] get tbird one into the apparmor-profiles repository
- [jdstrand] look into method to work better with sanitized_helper
Criteria for turning on apparmor protection for Firefox by default
- possibly via extension, but needs more work at this time
Reducing build times for Firefox/webkitgtk builds through parallelization
Fixing the Firefox test suite to the point that we can fail on it on build or at least do a log compare that's worthwhile
Start using xz tarballs for Firefox/Chromium (Chris will probably end up doing this for Firefox unless he doesn't think this is worthwhile) - this will reduce upload times, BW for the DC and mirrors as well
Get rid of the tarball in tarball design for Firefox/Chromium - This slows down builds
Take an axe to the chromium tarball (probably for kalikiana) (there's no sane reason we need a 400MB tarball) - this might require upstreaming patches to use system versions of certain things

(mostly/fully) automated builds for stable mozilla branches
- daily builds in ppa
- how do we get to the point when the mozilla builds are 'just there' in the ppa ready to test so that 20 million users don't have to wait 2 days for an update
 - use bot for build
  - build tarball
  - file bug
  - adjust changelog and any other packaging
 - goal: testing should take 5 minutes. how can we get there?
  - screenshots that are reviewed
[micahg] talk to chris about bot script
[micahg] security ppa building with script (build tarball, file bug, changelog, etc)

Rolling release
- meta package to pull you forward automatically
- in 14.04, we may only have 1 kernel that is the latest kernel
 - requires deep testing and this has been brought up to QA and they will handle it

whoopsie-daisy
[jdstrand] look at whoopsie-daisy again

aa-sandbox
[jdstrand] send prototype to the mailing list

apparmor backports with enablement stack:
- no new pockets
- renaming packages (X/pulse/...)
- openstack coming straight from upstream, may pull in updated lxc stack (but that's unknown) which means we have to do apparmor
- 12.10,13.04 stack to auto upgrade to 14.04 stack after 14.04 release
- kernel will keep compatibility with 12.04 userspace
- new userspace can move to an old kernel
- new kernel + new parser + old policy (possibly updated by users) may have problems and break
- all of it needs testing

suid-dumpable (what is the default prctl for suid apps?)
- [kees] will send an email about this; but suid_dumpable=2 should not be the default
- make crash handler determine whether process should be dumpable
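Added example (not from the blueprint) covering both the sysrq mask discussion above and the suid_dumpable one: it decodes a kernel.sysrq bitmask into the function groups it enables (bit values per the kernel's Documentation/admin-guide/sysrq.rst), computes the mask with the process-signalling group removed, and audits a `sysctl -a` style dump for a sysrq mask that allows signalling processes and for a non-zero fs.suid_dumpable. The sample values (1, 176, 438, 2) and the function names are constructed for illustration, not a recommended Ubuntu default.

```shell
#!/bin/sh
# Added example, not from the blueprint: decode kernel.sysrq and check fs.suid_dumpable.
# Bit meanings follow Documentation/admin-guide/sysrq.rst; sample values are constructed.

# Print the SysRq function groups a kernel.sysrq mask enables.
sysrq_decode() {
    mask=$1
    [ "$mask" -eq 0 ] && { echo disabled; return 0; }
    [ "$mask" -eq 1 ] && mask=510          # 1 means "all functions"
    out=""
    [ $((mask & 2))   -ne 0 ] && out="$out loglevel"
    [ $((mask & 4))   -ne 0 ] && out="$out keyboard"
    [ $((mask & 8))   -ne 0 ] && out="$out debug-dumps"
    [ $((mask & 16))  -ne 0 ] && out="$out sync"
    [ $((mask & 32))  -ne 0 ] && out="$out remount-ro"
    [ $((mask & 64))  -ne 0 ] && out="$out signal-processes"
    [ $((mask & 128)) -ne 0 ] && out="$out reboot-poweroff"
    [ $((mask & 256)) -ne 0 ] && out="$out nice-rt"
    echo "${out# }"
}

# The same mask with the process-signalling group (term/kill/oom-kill) cleared;
# that is the group the notes single out, since it lets a console user kill processes.
sysrq_without_signal() {
    mask=$1
    [ "$mask" -eq 1 ] && mask=510
    echo $((mask & ~64))
}

# Plain-language meaning of an fs.suid_dumpable value.
suid_dumpable_describe() {
    case $1 in
        0) echo "processes that changed credentials are not dumpable (default)" ;;
        1) echo "every process is dumpable (debug only)" ;;
        2) echo "suidsafe: privileged processes are dumped too, so their memory reaches disk" ;;
        *) echo "unknown value" ;;
    esac
}

# Evaluate "key = value" lines (the format `sysctl -a` prints) and emit one finding
# per setting we care about; other keys are ignored.
audit_sysctl() {
    while IFS= read -r line; do
        key=${line%% =*}; value=${line##*= }
        case $key in
            kernel.sysrq)
                if [ "$value" -eq 1 ] || [ $((value & 64)) -ne 0 ]; then
                    echo "WARN kernel.sysrq=$value enables process signalling; consider $(sysrq_without_signal "$value")"
                else
                    echo "OK   kernel.sysrq=$value ($(sysrq_decode "$value"))"
                fi ;;
            fs.suid_dumpable)
                if [ "$value" -ne 0 ]; then
                    echo "WARN fs.suid_dumpable=$value: $(suid_dumpable_describe "$value")"
                else
                    echo "OK   fs.suid_dumpable=0"
                fi ;;
        esac
    done
}

# Constructed sample; on a live system pipe `sysctl -a 2>/dev/null` in instead.
sample_sysctl() {
    printf '%s\n' 'kernel.sysrq = 1' 'fs.suid_dumpable = 2' 'kernel.randomize_va_space = 2'
}

sample_sysctl | audit_sysctl
```

Because the mask is decoded rather than compared against a single expected number, the same check works whether a distribution restricts sysrq via a sysctl.d fragment or leaves it at 1; what matters is whether bit 64 is set.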

running UCT scripts from reviewed only
- adjust all scripts that run from cron jobs to run from reviewed
- cron job scripts cleaned up to not run scripts-diff.sh individually
- adjust cron jobs to run 'scripts-diff.sh && ...' when we want to block on reviewed/ being old
- adjust cron to run scripts-diff.sh to nag (if needed)
- adjust scripts-diff.sh and the bzr pull script to remove pyc files and maybe run without generating pyc files (http://stackoverflow.com/questions/154443/how-to-avoid-pyc-files)
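Added example (not the team's scripts-diff.sh or cron setup) of the gating pattern these bullets describe: a job runs from the reviewed/ copy only when that copy matches the checkout, stale .pyc files are removed before the comparison so they can neither mask nor cause a difference, and Python is told not to write new ones. The scripts/ and reviewed/ layout, the report.sh script and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the team's scripts-diff.sh: gate a cron job on reviewed/
# matching the checkout, and run it without writing .pyc files. The checkout/reviewed
# layout and the sample report.sh are constructed.

# Delete stale bytecode so it can never mask or create a difference.
clean_pyc() {
    find "$1" -name '*.pyc' -type f -delete
}

# Exit 0 when reviewed/ ($2) is identical to the checkout ($1); the diff goes to stdout.
reviewed_is_current() {
    clean_pyc "$1"; clean_pyc "$2"
    diff -r -x '__pycache__' "$1" "$2"
}

# Run a command inside reviewed/ only when reviewed/ is current, and tell Python
# not to drop .pyc files into it (the point raised in the last bullet above).
run_reviewed() {
    checkout=$1; reviewed=$2; shift 2
    if ! reviewed_is_current "$checkout" "$reviewed" >/dev/null; then
        echo "reviewed/ is stale, refusing to run: $*" >&2
        return 2
    fi
    ( cd "$reviewed" && PYTHONDONTWRITEBYTECODE=1 "$@" )
}

# Demo on a constructed tree; cleans up after itself.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/scripts" "$tmp/reviewed"
    printf '#!/bin/sh\necho report-ok\n' > "$tmp/scripts/report.sh"
    cp "$tmp/scripts/report.sh" "$tmp/reviewed/report.sh"
    run_reviewed "$tmp/scripts" "$tmp/reviewed" sh ./report.sh        # runs: prints report-ok
    echo 'echo unreviewed-change' >> "$tmp/scripts/report.sh"         # checkout moves ahead
    run_reviewed "$tmp/scripts" "$tmp/reviewed" sh ./report.sh || echo "blocked (exit $?)"
    rm -rf "$tmp"
}
demo
```

In a crontab the equivalent of the `scripts-diff.sh && ...` line from the notes becomes a single `run_reviewed /path/to/scripts /path/to/reviewed ./some-report` entry (hypothetical paths), so a job is either run from a vetted copy or not at all, and a nag can be sent from the non-zero exit.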


Work items:
[jdstrand] implement deferred date handling in UCT and adjust cve alerts to use it (medium) (0.5): DONE
[mdeslaur] list the linux kernel meta package in the CVE tracker in all cases (1.5) (high): POSTPONED
[mdeslaur] list our priority in the usn db (0.5) (high): POSTPONED
[mdeslaur] verify/add cve field in the usn database (high) (0.5): POSTPONED
[jdstrand] fix database for early USNs with embedded utf-8 characters (medium) (0.5): POSTPONED
[jdstrand] documentation on how to consume the json db for landscape (medium) (0.5): POSTPONED
[sbeattie] security fake sync with native package (low) (0.5): POSTPONED
[tyhicks] confirm performance/size improvement with qed (low) (0.5): POSTPONED
[jdstrand] sanity check json exports (medium) (1.5): POSTPONED
[jdstrand] investigate sanity checking pickle file (medium) (0.5): POSTPONED
[jdstrand] adjust cve_alerts to use heuristics so things with say 14 lows and no mediums still show up in the list (medium) (0.5): DONE
[jjohansen] (ec2 lucid migration) talk to smoser for any concerns or usage numbers (high) (0.5): POSTPONED
[jjohansen] (ec2 lucid migration) if there are security fixes, push through -security, otherwise -proposed (high) (0.5): POSTPONED
[jjohansen] (ec2 lucid migration) verify kernel via QRT (high) (1): POSTPONED
[jjohansen] (ec2 lucid migration) ensure we have a back out plan in case this was a problem (high) (0.5): POSTPONED
[smoser] (ec2 lucid migration) test the kernel (high) (1): POSTPONED
[micahg] move chromium apparmor profile to package (medium) (1): POSTPONED
[micahg] get tbird apparmor profile into the apparmor-profiles repository (medium) (1.5): POSTPONED
[jdstrand] (thunderbird aa profile) look into method to work better with sanitized_helper (medium) (0.5): POSTPONED
[jdstrand] audit whoopsie-daisy again (medium) (1): POSTPONED
[kees] send an email about suid_dumpable=2 should not be the default (high) (0.5): POSTPONED
[mdeslaur] investigate firewire dma with all drivers (high) (1): POSTPONED
[mdeslaur] add to regression tests that firewire dma is off and the old driver is blacklisted (low) (0.5): POSTPONED
[tyhicks] create AppArmor profile for auditd (high) (1): POSTPONED
[sbeattie] investigate debsums.ubuntu.com and document proper use of debsums with a livecd (low) (1.5): POSTPONED
[sbeattie] fix qrt apache scripts for working with upstream testsuite (medium) (1.5): POSTPONED
[jdstrand] add umt compare-bin --ppa to copy_sppa_to_repo and then do a compare-bin on those pulled (low) (0.5): DONE
[jdstrand] improve documentation for MIR audits (high) (1): DONE
[jdstrand] improve tools for MIR audits (high) (3): DONE
[sbeattie] investigate appropriate uses of seccomp2 support in Ubuntu and send report to security team (high) (3): POSTPONED
[micahg] enable the seccomp2 backend in chromium-browser instead of using the setuid sandbox (high) (1): POSTPONED
[jdstrand] create security dashboard page (low) (0.5): DONE
[jdstrand] adjust UCT reports for archive reorg (medium) (2): POSTPONED
[mdeslaur] adjust UST tools for archive reorg support database (high) (1): POSTPONED
[jdstrand] UCT updates for flavors notification (high) (2): DONE
[jdstrand] automatic auditing of isos (medium) (3): POSTPONED
[mdeslaur] update umt compare-log to handle two releases with the same orig package version (low) (0.5): POSTPONED
[mdeslaur] investigate sysrq and get added to kernel (medium) (0.5): DONE
[mdeslaur] investigate virsh snapshot, and modify tools if successful (high) (1.5): DONE
[mdeslaur] rewrite vm tools in python to ease maintenance (high) (3): DONE
[micahg] participate in plus one team duties (high) (20): POSTPONED
[jdstrand] fix UCT/scripts (et al) to be able to run from reviewed/ on lillypilly (high) (1): DONE
