Catch all for work items

Registered by Jamie Strandboge on 2013-05-03

Catch all for work items that do not fit in another blueprint.

Blueprint information

Status: Not started
Approver: Jamie Strandboge
Priority: Medium
Drafter: Jamie Strandboge
Direction: Approved
Assignee: John Johansen
Definition: Approved
Series goal: Accepted for saucy
Implementation: Deferred
Milestone target: ubuntu-13.10

Whiteboard

jdstrand> asac questioned whether webkit's URI-handling is secure as opposed to just convenient. Since webapps will be launched in a chromeless webview and not as a general purpose browser, external links should always be opened in the full browser and not the webview.

It was decided to delay the phablet kernel backport until the dbus revisions were done, as it will affect the ABI and may have synchronization issues between kernel, dbus, and apparmor userspace.

"backport apparmor patches to phablet kernels" is now in the foundations-1303-phablet-kernel-maintenance bp

Work Items

Work items for ubuntu-13.06:
[jdstrand] determine needed netfilter config for ufw: DONE

Work items for later:
[tyhicks] fix LP: #359338 so the base apparmor abstraction is actually sane for apps when using ecryptfs: TODO
[jdstrand] verify kernel security features in phablet image (besides ufw and apparmor): TODO
fix parser to properly support old names (fix LP: #1058356, et al): TODO
fix 12.04 parser to better handle block_suspend (LP: #1199933): TODO
[mdeslaur] decide how to fix upgrade failures on apparmor policy load: INPROGRESS
[mdeslaur] revert upstart distro patch to fail open on policy load: BLOCKED
Add Differential State Compression to the DFA (exists, needs testing): POSTPONED
[tyhicks] implement aa_log libapparmor call: POSTPONED
[tyhicks] adjust dbus patchset to use aa_log: POSTPONED
dbus service enumeration is filtered by mediation: POSTPONED
[jjohansen] query interface (subject object): POSTPONED
provide LSM hook for access() (LP: #1220713): POSTPONED
[tyhicks] investigate use of org.freedesktop.DBus.NameHasOwner and possible mitigation strategies: POSTPONED
[jdstrand] revamp policy load (system and click): POSTPONED
[jdstrand] discuss apparmor profile for mediascanner with jamesh: POSTPONED
[jdstrand] provide apparmor profile for gettext process for infographic: POSTPONED
[chrisccoulson] verify if URI handling in webkit can be trusted for security gating: POSTPONED
[chrisccoulson] list Canonical-supported apps that use QtWebkit that would need to be moved over: POSTPONED
[jjohansen] drive apparmor policy versioning to completion: POSTPONED
[tyhicks] update apparmor_parser to add v3 open rules to v2 policy: POSTPONED
[jdstrand] support versioned apparmor policy in Ubuntu packaging: POSTPONED
[tyhicks] add libapparmor APIs to operate (at least iterate, maybe more) on label sets: BLOCKED
[tyhicks] Add apparmor_parser support for a dbus eavesdrop permission: DONE
[tyhicks] Update dbus-daemon AddMatch() code to query AA when eavesdropping: DONE
