Catch all for work items

Registered by Jamie Strandboge on 2014-05-02

Catch all for work items that do not fit in another blueprint.

Blueprint information

Status: Complete
Approver: Marc Deslauriers
Priority: High
Drafter: Jamie Strandboge
Direction: Approved
Assignee: None
Definition: Approved
Series goal: Accepted for utopic
Implementation: Implemented
Milestone target: ubuntu-14.10
Started by: Jamie Strandboge on 2014-05-02
Completed by: Jamie Strandboge on 2014-10-23

Whiteboard

jdstrand: display manager work carried over from https://blueprints.launchpad.net/ubuntu/+spec/security-s-appisolation-display-manager
jdstrand: 14.04 catchall work carried over from https://blueprints.launchpad.net/ubuntu/+spec/security-t-catchall

jdstrand: had this, but per scopes team it is no longer relevant: [jdstrand] provide apparmor profile for gettext process for infographic: TODO

jdstrand: investigate hardening sensitive notifications-- same issue as ofono in LP: #1296415 (ie, plausible but lots of work)

Work Items

Work items for ubuntu-14.05:
[tyhicks] investigate sending kdbus patches upstream that expose the needed metadata for fine-grained filtering: DONE
[tyhicks] DBus v3 patchset in Ubuntu: DONE
[tyhicks] fix 2 DBus/AppArmor bugs found during upstream review: DONE
[sbeattie] enable -fstack-protector-strong by default: DONE
[tyhicks] verify kernel security features in phablet image (besides ufw and apparmor): DONE
[jjohansen] Add Differential State Compression to the DFA (exists, needs testing): DONE

Work items for ubuntu-14.06:
[jdstrand] finish touch install audits: DONE
[seth-arnold] review new maliit/mir implementation (ie, try to break keyboard/mouse sniffing barrier): BLOCKED
[mdeslaur] review mir clipboard implementation (ie, try to break clipboard sniffing barrier): DONE
[seth-arnold] review mir_socket protocol (both root and session sockets): DONE
[seth-arnold] Audit click app download validation on touch images (LP: #1330770): DONE
[jdstrand] Audit network ports and connectivity on touch images: DONE
[jdstrand] investigate hardening sensitive notifications: DONE
[sbeattie] verify GCC test suite failures: DONE
[sbeattie] fix GCC broken -Wformat/Wformat-security handling (LP: #1317305): DONE
[sbeattie] fix test-kernel-security test script errors on ppc64el: DONE

Work items for ubuntu-14.08:
[jjohansen] Update kernel to unpack and store the attachment location in the profile/namespace: DONE
[jjohansen] Have the path lookup code prepend the attachment location, in the disconnected cases: DONE

Work items for later:
[jdstrand] Audit RTM click hooks: DONE
[seth-arnold] Perform round 2 Mir security review: POSTPONED
[sbeattie] automate running QRT/scripts/test-apparmor.py: POSTPONED
[tyhicks] add AppArmor mediation tests for open_by_handle_at() syscall: POSTPONED
[tyhicks] verify selinux tools work enough to develop policy (also coordinate with debian): POSTPONED
[sbeattie] add QRT check for CONFIG_KEXEC sysctl availability in 14.04 and higher kernels: DONE
fix parser to properly support old names (fix LP: #1058356, et al): POSTPONED
fix 12.04 parser to better handle block_suspend (LP: #1199933): POSTPONED
[tyhicks] implement aa_log libapparmor call: POSTPONED
[tyhicks] adjust dbus patchset to use aa_log: POSTPONED
[jjohansen] query interface (subject object): POSTPONED
provide LSM hook for access() (LP: #1220713): POSTPONED
[tyhicks] investigate use of org.freedesktop.DBus.NameHasOwner and possible mitigation strategies: POSTPONED
support versioned apparmor policy in Ubuntu packaging: POSTPONED
[tyhicks] add libapparmor APIs to operate (at least iterate, maybe more) on label sets: POSTPONED
[mdeslaur] fix apparmor python rewrite regressions and SRU to 14.04: POSTPONED
[sbeattie] enable PIE on amd64: POSTPONED
[tyhicks] Update apparmor_parser to parse and output a disconnected_path attachment location: POSTPONED
[tyhicks] Perform SRUs for disconnected_path attachment location fix: POSTPONED
[tyhicks] fix dbus reply protection (LP: #1362469): POSTPONED
