[Desktop-packages] [Bug 1296415] Re: [security] please use apparmor to restrict access to ofono to approved services
Adjusted the bug statuses based on the updated description. This is "Won't Fix" for Utopic ("Triaged" when "V" opens). ** Changed in: urfkill (Ubuntu Utopic) Status: In Progress => Won't Fix ** Changed in: ubuntu-system-settings (Ubuntu Utopic) Status: In Progress => Won't Fix ** Changed in: indicator-network (Ubuntu) Status: In Progress => Triaged ** Changed in: indicator-network (Ubuntu) Importance: Undecided => Wishlist ** Changed in: indicator-network (Ubuntu Utopic) Importance: Undecided => Wishlist ** Changed in: network-manager (Ubuntu) Status: In Progress => Triaged ** Changed in: network-manager (Ubuntu) Importance: Undecided => Wishlist ** Changed in: network-manager (Ubuntu Utopic) Importance: Undecided => Wishlist ** Changed in: nuntium (Ubuntu) Status: In Progress => Triaged ** Changed in: nuntium (Ubuntu) Importance: Undecided => Wishlist ** Changed in: nuntium (Ubuntu Utopic) Importance: Undecided => Wishlist ** Changed in: ofono (Ubuntu) Status: In Progress => Triaged ** Changed in: powerd (Ubuntu) Status: In Progress => Triaged ** Changed in: powerd (Ubuntu) Importance: Undecided => Wishlist ** Changed in: powerd (Ubuntu Utopic) Importance: Undecided => Wishlist ** Changed in: ubuntu-download-manager (Ubuntu) Status: In Progress => Triaged ** Changed in: ubuntu-download-manager (Ubuntu) Importance: Undecided => Wishlist ** Changed in: ubuntu-download-manager (Ubuntu Utopic) Importance: Undecided => Wishlist ** Changed in: urfkill (Ubuntu) Status: In Progress => Triaged ** Changed in: urfkill (Ubuntu) Importance: Undecided => Wishlist ** Changed in: urfkill (Ubuntu Utopic) Status: Won't Fix => Triaged ** Changed in: urfkill (Ubuntu Utopic) Importance: Undecided => Wishlist ** Changed in: ubuntu-system-settings (Ubuntu) Status: In Progress => Triaged ** Changed in: ubuntu-system-settings (Ubuntu) Importance: Undecided => Wishlist ** Changed in: ubuntu-system-settings (Ubuntu Utopic) Status: Won't Fix => Triaged ** Changed in: ubuntu-system-settings (Ubuntu Utopic) Importance: Undecided => Wishlist ** Changed in: urfkill (Ubuntu Utopic) Status: Triaged => Won't Fix ** Changed in: ubuntu-system-settings (Ubuntu Utopic) Status: Triaged => Won't Fix ** Changed in: indicator-network (Ubuntu) Assignee: Jamie Strandboge (jdstrand) => (unassigned) ** Changed in: indicator-network (Ubuntu Utopic) Assignee: Jamie Strandboge (jdstrand) => (unassigned) ** Changed in: network-manager (Ubuntu) Assignee: Jamie Strandboge (jdstrand) => (unassigned) ** Changed in: network-manager (Ubuntu Utopic) Assignee: Jamie Strandboge (jdstrand) => (unassigned) ** Changed in: nuntium (Ubuntu) Assignee: Jamie Strandboge (jdstrand) => (unassigned) ** Changed in: nuntium (Ubuntu Utopic) Assignee: Jamie Strandboge (jdstrand) => (unassigned) ** Changed in: ofono (Ubuntu) Assignee: Jamie Strandboge (jdstrand) => (unassigned) ** Changed in: ofono (Ubuntu Utopic) Assignee: Jamie Strandboge (jdstrand) => (unassigned) ** Changed in: powerd (Ubuntu) Assignee: Jamie Strandboge (jdstrand) => (unassigned) ** Changed in: powerd (Ubuntu Utopic) Assignee: Jamie Strandboge (jdstrand) => (unassigned) ** Changed in: ubuntu-download-manager (Ubuntu) Assignee: Jamie Strandboge (jdstrand) => (unassigned) ** Changed in: ubuntu-download-manager (Ubuntu Utopic) Assignee: Jamie Strandboge (jdstrand) => (unassigned) ** Changed in: ubuntu-system-settings (Ubuntu) Assignee: Jamie Strandboge (jdstrand) => (unassigned) ** Changed in: ubuntu-system-settings (Ubuntu Utopic) Assignee: Jamie Strandboge (jdstrand) => (unassigned) ** Changed in: urfkill (Ubuntu) Assignee: Jamie Strandboge (jdstrand) => (unassigned) ** Changed in: urfkill (Ubuntu Utopic) Assignee: Jamie Strandboge (jdstrand) => (unassigned) -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to network-manager in Ubuntu. https://bugs.launchpad.net/bugs/1296415 Title: [security] please use apparmor to restrict access to ofono to approved services Status in “indicator-network” package in Ubuntu: Triaged Status in “isc-dhcp” package in Ubuntu: Fix Released Status in “network-manager” package in Ubuntu: Triaged Status in “nuntium” package in Ubuntu: Triaged Status in “ofono” package in Ubuntu: Triaged Status in “powerd” package in Ubuntu: Triaged Status in “ubuntu-download-manager” package in Ubuntu: Triaged Status in “ubuntu-system-settings” package in Ubuntu: Triaged Status in “urfkill” package in Ubuntu: Triaged Status in “indicator-network” source package in Utopic: Won't Fix Status in “isc-dhcp” source package in Utopic: Fix Released Status in “network-manager” source package in Utopic: Won't Fix Status in “nuntium” source package in Utopic: Won't
[Desktop-packages] [Bug 1296415] Re: [security] please use apparmor to restrict access to ofono to approved services
** Changed in: indicator-network (Ubuntu Utopic) Status: In Progress => Won't Fix ** Changed in: network-manager (Ubuntu Utopic) Status: In Progress => Won't Fix ** Changed in: nuntium (Ubuntu Utopic) Status: In Progress => Won't Fix ** Changed in: ofono (Ubuntu Utopic) Status: In Progress => Won't Fix ** Changed in: powerd (Ubuntu Utopic) Status: In Progress => Won't Fix ** Changed in: ubuntu-download-manager (Ubuntu Utopic) Status: In Progress => Won't Fix -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to network-manager in Ubuntu. https://bugs.launchpad.net/bugs/1296415 Title: [security] please use apparmor to restrict access to ofono to approved services Status in “indicator-network” package in Ubuntu: Triaged Status in “isc-dhcp” package in Ubuntu: Fix Released Status in “network-manager” package in Ubuntu: Triaged Status in “nuntium” package in Ubuntu: Triaged Status in “ofono” package in Ubuntu: Triaged Status in “powerd” package in Ubuntu: Triaged Status in “ubuntu-download-manager” package in Ubuntu: Triaged Status in “ubuntu-system-settings” package in Ubuntu: Triaged Status in “urfkill” package in Ubuntu: Triaged Status in “indicator-network” source package in Utopic: Triaged Status in “isc-dhcp” source package in Utopic: Fix Released Status in “network-manager” source package in Utopic: Triaged Status in “nuntium” source package in Utopic: Triaged Status in “ofono” source package in Utopic: Triaged Status in “powerd” source package in Utopic: Triaged Status in “ubuntu-download-manager” source package in Utopic: Triaged Status in “ubuntu-system-settings” source package in Utopic: Won't Fix Status in “urfkill” source package in Utopic: Triaged Bug description: NOTE: After further review from the security team, unfortunately what is presented as a solution in this bug is not sufficient to block unconfined processes from connecting to ofono for essentially two reasons: a) anything that is unconfined can change into another profile, so an unconfined process can simply change into the profile of one of the allowed services, and b) this doesn't protect against scenarios where the user is able to alter the behavior of the allowed services running in the user session (eg, indicator-network and ubuntu-system-settings) 'a' is solvable by making sure that the user's session starts under a new AppArmor "user-session" profile that prevents changing profile in to one of the allowed services (of course, the user session services continue to run under their own profiles). We'd have to investigate the best method for profile attachment in this case as well. An alternative might be to store the profile attachment in the inode of the binary when AppArmor adds this. 'b' is perhaps solvable by more strictly confining these allowed user session services (eg, 'audit deny ptrace tracedby peer=user-session, audit deny owner /** m, preventing QML loading, future AppArmor environment filtering, etc') along with, importantly, hardening these services to the point that they can't be controlled via environment, configuration, library loading, etc, etc. An alternative solution would be to run these services as another user in such a way that the user cannot alter their behavior beyond what is exposed in the UI. Preventing unconfined from doing things is a difficult prospect and while I think with the recent improvements with AppArmor over the last two cycles finally makes the notion plausible, significant work remains to solve 'a' and 'b'. This is cannot be achieved for RTM (note, this only affected limiting unconfined and has no effect on application isolation, which is in full effect and does not suffer from this at all). Description: It would be useful to limit the services that can connect to ofonod over DBus. We can implement this be creating an otherwise permissive AppArmor profile for ofonod that will limit any DBus calls to ofonod to a list of peer profiles (specifically excluding 'unconfined'). The list of peer profiles is: - indicator-network - network-manager (and dispatcher.d/03mmsproxy) - nuntium - telepathy-ofono - ofono-scripts - powerd - ubuntu-download-manager - system-settings - urfkill Each of the above needs to have a profile created for it, adjusting the boot scripts as necessary to ensure that the profile is loaded before the service starts. The peer profile implementation will be wide open as the purpose of the profile is (currently) to simply ensure the process of the service has the correct AppArmor labeling (though this opens the possibility to confine these services down the road if desired). Merge requests have been requested for everything except urfkill, which has a debdiff attached to this bug. As mentioned, the AppArmor profile
[Desktop-packages] [Bug 1296415] Re: [security] please use apparmor to restrict access to ofono to approved services
Bumped Importance to WishList as it's clear this will not be fixed for RTM. ** Changed in: ofono (Ubuntu Utopic) Importance: High => Wishlist -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to network-manager in Ubuntu. https://bugs.launchpad.net/bugs/1296415 Title: [security] please use apparmor to restrict access to ofono to approved services Status in “indicator-network” package in Ubuntu: In Progress Status in “isc-dhcp” package in Ubuntu: Fix Released Status in “network-manager” package in Ubuntu: In Progress Status in “nuntium” package in Ubuntu: In Progress Status in “ofono” package in Ubuntu: In Progress Status in “powerd” package in Ubuntu: In Progress Status in “ubuntu-download-manager” package in Ubuntu: In Progress Status in “ubuntu-system-settings” package in Ubuntu: In Progress Status in “urfkill” package in Ubuntu: In Progress Status in “indicator-network” source package in Utopic: In Progress Status in “isc-dhcp” source package in Utopic: Fix Released Status in “network-manager” source package in Utopic: In Progress Status in “nuntium” source package in Utopic: In Progress Status in “ofono” source package in Utopic: In Progress Status in “powerd” source package in Utopic: In Progress Status in “ubuntu-download-manager” source package in Utopic: In Progress Status in “ubuntu-system-settings” source package in Utopic: In Progress Status in “urfkill” source package in Utopic: In Progress Bug description: NOTE: After further review from the security team, unfortunately what is presented as a solution in this bug is not sufficient to block unconfined processes from connecting to ofono for essentially two reasons: a) anything that is unconfined can change into another profile, so an unconfined process can simply change into the profile of one of the allowed services, and b) this doesn't protect against scenarios where the user is able to alter the behavior of the allowed services running in the user session (eg, indicator-network and ubuntu-system-settings) 'a' is solvable by making sure that the user's session starts under a new AppArmor "user-session" profile that prevents changing profile in to one of the allowed services (of course, the user session services continue to run under their own profiles). We'd have to investigate the best method for profile attachment in this case as well. An alternative might be to store the profile attachment in the inode of the binary when AppArmor adds this. 'b' is perhaps solvable by more strictly confining these allowed user session services (eg, 'audit deny ptrace tracedby peer=user-session, audit deny owner /** m, preventing QML loading, future AppArmor environment filtering, etc') along with, importantly, hardening these services to the point that they can't be controlled via environment, configuration, library loading, etc, etc. An alternative solution would be to run these services as another user in such a way that the user cannot alter their behavior beyond what is exposed in the UI. Preventing unconfined from doing things is a difficult prospect and while I think with the recent improvements with AppArmor over the last two cycles finally makes the notion plausible, significant work remains to solve 'a' and 'b'. This is cannot be achieved for RTM (note, this only affected limiting unconfined and has no effect on application isolation, which is in full effect and does not suffer from this at all). Description: It would be useful to limit the services that can connect to ofonod over DBus. We can implement this be creating an otherwise permissive AppArmor profile for ofonod that will limit any DBus calls to ofonod to a list of peer profiles (specifically excluding 'unconfined'). The list of peer profiles is: - indicator-network - network-manager (and dispatcher.d/03mmsproxy) - nuntium - telepathy-ofono - ofono-scripts - powerd - ubuntu-download-manager - system-settings - urfkill Each of the above needs to have a profile created for it, adjusting the boot scripts as necessary to ensure that the profile is loaded before the service starts. The peer profile implementation will be wide open as the purpose of the profile is (currently) to simply ensure the process of the service has the correct AppArmor labeling (though this opens the possibility to confine these services down the road if desired). Merge requests have been requested for everything except urfkill, which has a debdiff attached to this bug. As mentioned, the AppArmor profiles for everything except ofonod is wide open so the risk of regression is very low for these. In fact, if it is helpful, everything except ofono could be uploaded to the archive independently and at any time. For ofono, as mentioned, the AppArmor profile is also lenient except for the policy
[Desktop-packages] [Bug 1296415] Re: [security] please use apparmor to restrict access to ofono to approved services
Removed the "rtm14" tag based on Jamie's NOTE in the bug description. ** Tags removed: rtm14 -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to network-manager in Ubuntu. https://bugs.launchpad.net/bugs/1296415 Title: [security] please use apparmor to restrict access to ofono to approved services Status in “indicator-network” package in Ubuntu: In Progress Status in “isc-dhcp” package in Ubuntu: Fix Released Status in “network-manager” package in Ubuntu: In Progress Status in “nuntium” package in Ubuntu: In Progress Status in “ofono” package in Ubuntu: In Progress Status in “powerd” package in Ubuntu: In Progress Status in “ubuntu-download-manager” package in Ubuntu: In Progress Status in “ubuntu-system-settings” package in Ubuntu: In Progress Status in “urfkill” package in Ubuntu: In Progress Status in “indicator-network” source package in Utopic: In Progress Status in “isc-dhcp” source package in Utopic: Fix Released Status in “network-manager” source package in Utopic: In Progress Status in “nuntium” source package in Utopic: In Progress Status in “ofono” source package in Utopic: In Progress Status in “powerd” source package in Utopic: In Progress Status in “ubuntu-download-manager” source package in Utopic: In Progress Status in “ubuntu-system-settings” source package in Utopic: In Progress Status in “urfkill” source package in Utopic: In Progress Bug description: NOTE: After further review from the security team, unfortunately what is presented as a solution in this bug is not sufficient to block unconfined processes from connecting to ofono for essentially two reasons: a) anything that is unconfined can change into another profile, so an unconfined process can simply change into the profile of one of the allowed services, and b) this doesn't protect against scenarios where the user is able to alter the behavior of the allowed services running in the user session (eg, indicator-network and ubuntu-system-settings) 'a' is solvable by making sure that the user's session starts under a new AppArmor "user-session" profile that prevents changing profile in to one of the allowed services (of course, the user session services continue to run under their own profiles). We'd have to investigate the best method for profile attachment in this case as well. An alternative might be to store the profile attachment in the inode of the binary when AppArmor adds this. 'b' is perhaps solvable by more strictly confining these allowed user session services (eg, 'audit deny ptrace tracedby peer=user-session, audit deny owner /** m, preventing QML loading, future AppArmor environment filtering, etc') along with, importantly, hardening these services to the point that they can't be controlled via environment, configuration, library loading, etc, etc. An alternative solution would be to run these services as another user in such a way that the user cannot alter their behavior beyond what is exposed in the UI. Preventing unconfined from doing things is a difficult prospect and while I think with the recent improvements with AppArmor over the last two cycles finally makes the notion plausible, significant work remains to solve 'a' and 'b'. This is cannot be achieved for RTM (note, this only affected limiting unconfined and has no effect on application isolation, which is in full effect and does not suffer from this at all). Description: It would be useful to limit the services that can connect to ofonod over DBus. We can implement this be creating an otherwise permissive AppArmor profile for ofonod that will limit any DBus calls to ofonod to a list of peer profiles (specifically excluding 'unconfined'). The list of peer profiles is: - indicator-network - network-manager (and dispatcher.d/03mmsproxy) - nuntium - telepathy-ofono - ofono-scripts - powerd - ubuntu-download-manager - system-settings - urfkill Each of the above needs to have a profile created for it, adjusting the boot scripts as necessary to ensure that the profile is loaded before the service starts. The peer profile implementation will be wide open as the purpose of the profile is (currently) to simply ensure the process of the service has the correct AppArmor labeling (though this opens the possibility to confine these services down the road if desired). Merge requests have been requested for everything except urfkill, which has a debdiff attached to this bug. As mentioned, the AppArmor profiles for everything except ofonod is wide open so the risk of regression is very low for these. In fact, if it is helpful, everything except ofono could be uploaded to the archive independently and at any time. For ofono, as mentioned, the AppArmor profile is also lenient except for the policy for its DBus interface. It is critical that ofono i
[Desktop-packages] [Bug 1296415] Re: [security] please use apparmor to restrict access to ofono to approved services
** Description changed: NOTE: After further review from the security team, unfortunately what is presented as a solution in this bug is not sufficient to block unconfined processes from connecting to ofono for essentially two reasons: a) anything that is unconfined can change into another profile, so an unconfined process can simply change into the profile of one of the allowed services, and b) this doesn't protect against scenarios where the user is able to alter the behavior of the allowed services running in the user session (eg, indicator-network and ubuntu-system-settings) 'a' is solvable by making sure that the user's session starts under a new AppArmor "user-session" profile that prevents changing profile in to one of the allowed services (of course, the user session services continue to run under their own profiles). We'd have to investigate the - best method for profile attachment in this case as well. + best method for profile attachment in this case as well. An alternative + might be to store the profile attachment in the inode of the binary when + AppArmor adds this. 'b' is perhaps solvable by more strictly confining these allowed user session services (eg, 'audit deny ptrace tracedby peer=user-session, audit deny owner /** m, preventing QML loading, future AppArmor environment filtering, etc') along with, importantly, hardening these services to the point that they can't be controlled via environment, configuration, library loading, etc, etc. An alternative solution would be to run these services as another user in such a way that the user cannot alter their behavior beyond what is exposed in the UI. Preventing unconfined from doing things is a difficult prospect and while I think with the recent improvements with AppArmor over the last two cycles finally makes the notion plausible, significant work remains to solve 'a' and 'b'. This is cannot be achieved for RTM (note, this only affected limiting unconfined and has no effect on application isolation, which is in full effect and does not suffer from this at all). Description: It would be useful to limit the services that can connect to ofonod over DBus. We can implement this be creating an otherwise permissive AppArmor profile for ofonod that will limit any DBus calls to ofonod to a list of peer profiles (specifically excluding 'unconfined'). The list of peer profiles is: - indicator-network - network-manager (and dispatcher.d/03mmsproxy) - nuntium - telepathy-ofono - ofono-scripts - powerd - ubuntu-download-manager - system-settings - urfkill Each of the above needs to have a profile created for it, adjusting the boot scripts as necessary to ensure that the profile is loaded before the service starts. The peer profile implementation will be wide open as the purpose of the profile is (currently) to simply ensure the process of the service has the correct AppArmor labeling (though this opens the possibility to confine these services down the road if desired). Merge requests have been requested for everything except urfkill, which has a debdiff attached to this bug. As mentioned, the AppArmor profiles for everything except ofonod is wide open so the risk of regression is very low for these. In fact, if it is helpful, everything except ofono could be uploaded to the archive independently and at any time. For ofono, as mentioned, the AppArmor profile is also lenient except for the policy for its DBus interface. It is critical that ofono is updated at the same time or after all the other packages in this bug, otherwise any packages that aren't updated will fail to connect to ofono. I've been running this configuration on my phone for weeks with no denials (excepting 03mmsproxy which I adjusted for yesterday). I've tested the packaging on x86 emulator to make sure that the profiles are installed and loaded properly on boot. Test Plan (additional to any existing appropriate test plans) 1. Install all services on a device 2. reboot (important to restart the session and any services that aren't restarted automatically, like nuntium. reboot is easiest). Note the time of the reboot on the device 3. in addition to any applicable test plans, after full boot: adb shell grep DEN /var/log/syslog # there should be no denials for # ofono after the system boots (there # likely will be denials during # upgrade) adb shell tail -f /var/log/syslog | grep DEN # run this during all tests 4. make a call 5. send a text 6. send an mms (if possible) 7. connect to wifi 8. connect to 3G 9. download an app 10. toggle wifi in system-settings 11. verify ofono-scripts (eg, /usr/share/ofono/scripts/list-modems and /usr/share/ofono/script
[Desktop-packages] [Bug 1296415] Re: [security] please use apparmor to restrict access to ofono to approved services
** Description changed: + NOTE: After further review from the security team, unfortunately what is + presented as a solution in this bug is not sufficient to block + unconfined processes from connecting to ofono for essentially two + reasons: + + a) anything that is unconfined can change into another profile, so an unconfined process can simply change into the profile of one of the allowed services, and + b) this doesn't protect against scenarios where the user is able to alter the behavior of the allowed services running in the user session (eg, indicator-network and ubuntu-system-settings) + + 'a' is solvable by making sure that the user's session starts under a + new AppArmor "user-session" profile that prevents changing profile in to + one of the allowed services (of course, the user session services + continue to run under their own profiles). We'd have to investigate the + best method for profile attachment in this case as well. + + 'b' is perhaps solvable by more strictly confining these allowed user + session services (eg, 'audit deny ptrace tracedby peer=user-session, + audit deny owner /** m, preventing QML loading, future AppArmor + environment filtering, etc') along with, importantly, hardening these + services to the point that they can't be controlled via environment, + configuration, library loading, etc, etc. An alternative solution would + be to run these services as another user in such a way that the user + cannot alter their behavior beyond what is exposed in the UI. + + Preventing unconfined from doing things is a difficult prospect and + while I think with the recent improvements with AppArmor over the last + two cycles finally makes the notion plausible, significant work remains + to solve 'a' and 'b'. + + Description: It would be useful to limit the services that can connect to ofonod over DBus. We can implement this be creating an otherwise permissive AppArmor profile for ofonod that will limit any DBus calls to ofonod to a list of peer profiles (specifically excluding 'unconfined'). The list of peer profiles is: - indicator-network - network-manager (and dispatcher.d/03mmsproxy) - nuntium - telepathy-ofono - ofono-scripts - powerd - ubuntu-download-manager - system-settings - urfkill Each of the above needs to have a profile created for it, adjusting the boot scripts as necessary to ensure that the profile is loaded before the service starts. The peer profile implementation will be wide open as the purpose of the profile is (currently) to simply ensure the process of the service has the correct AppArmor labeling (though this opens the possibility to confine these services down the road if desired). Merge requests have been requested for everything except urfkill, which has a debdiff attached to this bug. As mentioned, the AppArmor profiles for everything except ofonod is wide open so the risk of regression is very low for these. In fact, if it is helpful, everything except ofono could be uploaded to the archive independently and at any time. For ofono, as mentioned, the AppArmor profile is also lenient except for the policy for its DBus interface. It is critical that ofono is updated at the same time or after all the other packages in this bug, otherwise any packages that aren't updated will fail to connect to ofono. I've been running this configuration on my phone for weeks with no denials (excepting 03mmsproxy which I adjusted for yesterday). I've tested the packaging on x86 emulator to make sure that the profiles are installed and loaded properly on boot. Test Plan (additional to any existing appropriate test plans) 1. Install all services on a device 2. reboot (important to restart the session and any services that aren't restarted automatically, like nuntium. reboot is easiest). Note the time of the reboot on the device 3. in addition to any applicable test plans, after full boot: adb shell grep DEN /var/log/syslog # there should be no denials for # ofono after the system boots (there # likely will be denials during # upgrade) adb shell tail -f /var/log/syslog | grep DEN # run this during all tests 4. make a call 5. send a text 6. send an mms (if possible) 7. connect to wifi 8. connect to 3G 9. download an app 10. toggle wifi in system-settings - 11. verify ofono-scripts (eg, /usr/share/ofono/scripts/list-modems and - /usr/share/ofono/scripts/online-modem + 11. verify ofono-scripts (eg, /usr/share/ofono/scripts/list-modems and + /usr/share/ofono/scripts/online-modem 12. double check `adb shell grep DEN /var/log/syslog` for no ofono denials during the testing = Original text = We should try to find ways to restrict certain properties and interfaces to well known callers, for
[Desktop-packages] [Bug 1296415] Re: [security] please use apparmor to restrict access to ofono to approved services
This bug was fixed in the package isc-dhcp - 4.2.4-7ubuntu13 --- isc-dhcp (4.2.4-7ubuntu13) utopic; urgency=medium * apparmor-profile.dhclient: allow signal receive and ptrace readby by peer=/usr/sbin/NetworkManager to dhclient and nm-dhcp-client.action (LP: #1296415) -- Jamie StrandbogeWed, 25 Jun 2014 07:05:47 -0500 ** Changed in: isc-dhcp (Ubuntu Utopic) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to network-manager in Ubuntu. https://bugs.launchpad.net/bugs/1296415 Title: [security] please use apparmor to restrict access to ofono to approved services Status in “indicator-network” package in Ubuntu: In Progress Status in “isc-dhcp” package in Ubuntu: Fix Released Status in “network-manager” package in Ubuntu: In Progress Status in “nuntium” package in Ubuntu: In Progress Status in “ofono” package in Ubuntu: In Progress Status in “powerd” package in Ubuntu: In Progress Status in “ubuntu-download-manager” package in Ubuntu: In Progress Status in “ubuntu-system-settings” package in Ubuntu: In Progress Status in “urfkill” package in Ubuntu: In Progress Status in “indicator-network” source package in Utopic: In Progress Status in “isc-dhcp” source package in Utopic: Fix Released Status in “network-manager” source package in Utopic: In Progress Status in “nuntium” source package in Utopic: In Progress Status in “ofono” source package in Utopic: In Progress Status in “powerd” source package in Utopic: In Progress Status in “ubuntu-download-manager” source package in Utopic: In Progress Status in “ubuntu-system-settings” source package in Utopic: In Progress Status in “urfkill” source package in Utopic: In Progress Bug description: It would be useful to limit the services that can connect to ofonod over DBus. We can implement this be creating an otherwise permissive AppArmor profile for ofonod that will limit any DBus calls to ofonod to a list of peer profiles (specifically excluding 'unconfined'). The list of peer profiles is: - indicator-network - network-manager (and dispatcher.d/03mmsproxy) - nuntium - telepathy-ofono - ofono-scripts - powerd - ubuntu-download-manager - system-settings - urfkill Each of the above needs to have a profile created for it, adjusting the boot scripts as necessary to ensure that the profile is loaded before the service starts. The peer profile implementation will be wide open as the purpose of the profile is (currently) to simply ensure the process of the service has the correct AppArmor labeling (though this opens the possibility to confine these services down the road if desired). Merge requests have been requested for everything except urfkill, which has a debdiff attached to this bug. As mentioned, the AppArmor profiles for everything except ofonod is wide open so the risk of regression is very low for these. In fact, if it is helpful, everything except ofono could be uploaded to the archive independently and at any time. For ofono, as mentioned, the AppArmor profile is also lenient except for the policy for its DBus interface. It is critical that ofono is updated at the same time or after all the other packages in this bug, otherwise any packages that aren't updated will fail to connect to ofono. I've been running this configuration on my phone for weeks with no denials (excepting 03mmsproxy which I adjusted for yesterday). I've tested the packaging on x86 emulator to make sure that the profiles are installed and loaded properly on boot. Test Plan (additional to any existing appropriate test plans) 1. Install all services on a device 2. reboot (important to restart the session and any services that aren't restarted automatically, like nuntium. reboot is easiest). Note the time of the reboot on the device 3. in addition to any applicable test plans, after full boot: adb shell grep DEN /var/log/syslog # there should be no denials for # ofono after the system boots (there # likely will be denials during # upgrade) adb shell tail -f /var/log/syslog | grep DEN # run this during all tests 4. make a call 5. send a text 6. send an mms (if possible) 7. connect to wifi 8. connect to 3G 9. download an app 10. toggle wifi in system-settings 11. verify ofono-scripts (eg, /usr/share/ofono/scripts/list-modems and /usr/share/ofono/scripts/online-modem 12. double check `adb shell grep DEN /var/log/syslog` for no ofono denials during the testing = Original text = We should try to find ways to restrict certain properties and interfaces to well known callers, for example Modem 'Online' should be settable by urfkill only. We don't want
[Desktop-packages] [Bug 1296415] Re: [security] please use apparmor to restrict access to ofono to approved services
indicator-network-autopilot needs to talk to ofono directly. inside lp:indicator-network tree see tests/autopilot/indicator_network/helpers/phonesim_manager.py -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to network-manager in Ubuntu. https://bugs.launchpad.net/bugs/1296415 Title: [security] please use apparmor to restrict access to ofono to approved services Status in “indicator-network” package in Ubuntu: In Progress Status in “isc-dhcp” package in Ubuntu: Fix Committed Status in “network-manager” package in Ubuntu: In Progress Status in “nuntium” package in Ubuntu: In Progress Status in “ofono” package in Ubuntu: In Progress Status in “powerd” package in Ubuntu: In Progress Status in “ubuntu-download-manager” package in Ubuntu: In Progress Status in “ubuntu-system-settings” package in Ubuntu: In Progress Status in “urfkill” package in Ubuntu: In Progress Status in “indicator-network” source package in Utopic: In Progress Status in “isc-dhcp” source package in Utopic: Fix Committed Status in “network-manager” source package in Utopic: In Progress Status in “nuntium” source package in Utopic: In Progress Status in “ofono” source package in Utopic: In Progress Status in “powerd” source package in Utopic: In Progress Status in “ubuntu-download-manager” source package in Utopic: In Progress Status in “ubuntu-system-settings” source package in Utopic: In Progress Status in “urfkill” source package in Utopic: In Progress Bug description: It would be useful to limit the services that can connect to ofonod over DBus. We can implement this be creating an otherwise permissive AppArmor profile for ofonod that will limit any DBus calls to ofonod to a list of peer profiles (specifically excluding 'unconfined'). The list of peer profiles is: - indicator-network - network-manager (and dispatcher.d/03mmsproxy) - nuntium - telepathy-ofono - ofono-scripts - powerd - ubuntu-download-manager - system-settings - urfkill Each of the above needs to have a profile created for it, adjusting the boot scripts as necessary to ensure that the profile is loaded before the service starts. The peer profile implementation will be wide open as the purpose of the profile is (currently) to simply ensure the process of the service has the correct AppArmor labeling (though this opens the possibility to confine these services down the road if desired). Merge requests have been requested for everything except urfkill, which has a debdiff attached to this bug. As mentioned, the AppArmor profiles for everything except ofonod is wide open so the risk of regression is very low for these. In fact, if it is helpful, everything except ofono could be uploaded to the archive independently and at any time. For ofono, as mentioned, the AppArmor profile is also lenient except for the policy for its DBus interface. It is critical that ofono is updated at the same time or after all the other packages in this bug, otherwise any packages that aren't updated will fail to connect to ofono. I've been running this configuration on my phone for weeks with no denials (excepting 03mmsproxy which I adjusted for yesterday). I've tested the packaging on x86 emulator to make sure that the profiles are installed and loaded properly on boot. Test Plan (additional to any existing appropriate test plans) 1. Install all services on a device 2. reboot (important to restart the session and any services that aren't restarted automatically, like nuntium. reboot is easiest). Note the time of the reboot on the device 3. in addition to any applicable test plans, after full boot: adb shell grep DEN /var/log/syslog # there should be no denials for # ofono after the system boots (there # likely will be denials during # upgrade) adb shell tail -f /var/log/syslog | grep DEN # run this during all tests 4. make a call 5. send a text 6. send an mms (if possible) 7. connect to wifi 8. connect to 3G 9. download an app 10. toggle wifi in system-settings 11. verify ofono-scripts (eg, /usr/share/ofono/scripts/list-modems and /usr/share/ofono/scripts/online-modem 12. double check `adb shell grep DEN /var/log/syslog` for no ofono denials during the testing = Original text = We should try to find ways to restrict certain properties and interfaces to well known callers, for example Modem 'Online' should be settable by urfkill only. We don't want to allow other processes to set these properties. This would also help to identify if some unintended process is trying to set such properties by accident. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/indicator-network/+bug/12
[Desktop-packages] [Bug 1296415] Re: [security] please use apparmor to restrict access to ofono to approved services
** Changed in: isc-dhcp (Ubuntu Utopic) Status: In Progress => Fix Committed -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to network-manager in Ubuntu. https://bugs.launchpad.net/bugs/1296415 Title: [security] please use apparmor to restrict access to ofono to approved services Status in “indicator-network” package in Ubuntu: In Progress Status in “isc-dhcp” package in Ubuntu: Fix Committed Status in “network-manager” package in Ubuntu: In Progress Status in “nuntium” package in Ubuntu: In Progress Status in “ofono” package in Ubuntu: In Progress Status in “powerd” package in Ubuntu: In Progress Status in “ubuntu-download-manager” package in Ubuntu: In Progress Status in “ubuntu-system-settings” package in Ubuntu: In Progress Status in “urfkill” package in Ubuntu: In Progress Status in “indicator-network” source package in Utopic: In Progress Status in “isc-dhcp” source package in Utopic: Fix Committed Status in “network-manager” source package in Utopic: In Progress Status in “nuntium” source package in Utopic: In Progress Status in “ofono” source package in Utopic: In Progress Status in “powerd” source package in Utopic: In Progress Status in “ubuntu-download-manager” source package in Utopic: In Progress Status in “ubuntu-system-settings” source package in Utopic: In Progress Status in “urfkill” source package in Utopic: In Progress Bug description: It would be useful to limit the services that can connect to ofonod over DBus. We can implement this be creating an otherwise permissive AppArmor profile for ofonod that will limit any DBus calls to ofonod to a list of peer profiles (specifically excluding 'unconfined'). The list of peer profiles is: - indicator-network - network-manager (and dispatcher.d/03mmsproxy) - nuntium - telepathy-ofono - ofono-scripts - powerd - ubuntu-download-manager - system-settings - urfkill Each of the above needs to have a profile created for it, adjusting the boot scripts as necessary to ensure that the profile is loaded before the service starts. The peer profile implementation will be wide open as the purpose of the profile is (currently) to simply ensure the process of the service has the correct AppArmor labeling (though this opens the possibility to confine these services down the road if desired). Merge requests have been requested for everything except urfkill, which has a debdiff attached to this bug. As mentioned, the AppArmor profiles for everything except ofonod is wide open so the risk of regression is very low for these. In fact, if it is helpful, everything except ofono could be uploaded to the archive independently and at any time. For ofono, as mentioned, the AppArmor profile is also lenient except for the policy for its DBus interface. It is critical that ofono is updated at the same time or after all the other packages in this bug, otherwise any packages that aren't updated will fail to connect to ofono. I've been running this configuration on my phone for weeks with no denials (excepting 03mmsproxy which I adjusted for yesterday). I've tested the packaging on x86 emulator to make sure that the profiles are installed and loaded properly on boot. Test Plan (additional to any existing appropriate test plans) 1. Install all services on a device 2. reboot (important to restart the session and any services that aren't restarted automatically, like nuntium. reboot is easiest). Note the time of the reboot on the device 3. in addition to any applicable test plans, after full boot: adb shell grep DEN /var/log/syslog # there should be no denials for # ofono after the system boots (there # likely will be denials during # upgrade) adb shell tail -f /var/log/syslog | grep DEN # run this during all tests 4. make a call 5. send a text 6. send an mms (if possible) 7. connect to wifi 8. connect to 3G 9. download an app 10. toggle wifi in system-settings 11. verify ofono-scripts (eg, /usr/share/ofono/scripts/list-modems and /usr/share/ofono/scripts/online-modem 12. double check `adb shell grep DEN /var/log/syslog` for no ofono denials during the testing = Original text = We should try to find ways to restrict certain properties and interfaces to well known callers, for example Modem 'Online' should be settable by urfkill only. We don't want to allow other processes to set these properties. This would also help to identify if some unintended process is trying to set such properties by accident. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/indicator-network/+bug/1296415/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packag
[Desktop-packages] [Bug 1296415] Re: [security] please use apparmor to restrict access to ofono to approved services
Adding an isc-dhcp task. It doesn't need to talk to ofono, but dhclient is confined and the dhclient profile needs to allow receiving signals and ptrace reads by /usr/sbin/NetworkManager. -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to network-manager in Ubuntu. https://bugs.launchpad.net/bugs/1296415 Title: [security] please use apparmor to restrict access to ofono to approved services Status in “indicator-network” package in Ubuntu: In Progress Status in “isc-dhcp” package in Ubuntu: In Progress Status in “network-manager” package in Ubuntu: In Progress Status in “nuntium” package in Ubuntu: In Progress Status in “ofono” package in Ubuntu: In Progress Status in “powerd” package in Ubuntu: In Progress Status in “ubuntu-download-manager” package in Ubuntu: In Progress Status in “ubuntu-system-settings” package in Ubuntu: In Progress Status in “urfkill” package in Ubuntu: In Progress Status in “indicator-network” source package in Utopic: In Progress Status in “isc-dhcp” source package in Utopic: In Progress Status in “network-manager” source package in Utopic: In Progress Status in “nuntium” source package in Utopic: In Progress Status in “ofono” source package in Utopic: In Progress Status in “powerd” source package in Utopic: In Progress Status in “ubuntu-download-manager” source package in Utopic: In Progress Status in “ubuntu-system-settings” source package in Utopic: In Progress Status in “urfkill” source package in Utopic: In Progress Bug description: It would be useful to limit the services that can connect to ofonod over DBus. We can implement this be creating an otherwise permissive AppArmor profile for ofonod that will limit any DBus calls to ofonod to a list of peer profiles (specifically excluding 'unconfined'). The list of peer profiles is: - indicator-network - network-manager (and dispatcher.d/03mmsproxy) - nuntium - telepathy-ofono - ofono-scripts - powerd - ubuntu-download-manager - system-settings - urfkill Each of the above needs to have a profile created for it, adjusting the boot scripts as necessary to ensure that the profile is loaded before the service starts. The peer profile implementation will be wide open as the purpose of the profile is (currently) to simply ensure the process of the service has the correct AppArmor labeling (though this opens the possibility to confine these services down the road if desired). Merge requests have been requested for everything except urfkill, which has a debdiff attached to this bug. As mentioned, the AppArmor profiles for everything except ofonod is wide open so the risk of regression is very low for these. In fact, if it is helpful, everything except ofono could be uploaded to the archive independently and at any time. For ofono, as mentioned, the AppArmor profile is also lenient except for the policy for its DBus interface. It is critical that ofono is updated at the same time or after all the other packages in this bug, otherwise any packages that aren't updated will fail to connect to ofono. I've been running this configuration on my phone for weeks with no denials (excepting 03mmsproxy which I adjusted for yesterday). I've tested the packaging on x86 emulator to make sure that the profiles are installed and loaded properly on boot. Test Plan (additional to any existing appropriate test plans) 1. Install all services on a device 2. reboot (important to restart the session and any services that aren't restarted automatically, like nuntium. reboot is easiest). Note the time of the reboot on the device 3. in addition to any applicable test plans, after full boot: adb shell grep DEN /var/log/syslog # there should be no denials for # ofono after the system boots (there # likely will be denials during # upgrade) adb shell tail -f /var/log/syslog | grep DEN # run this during all tests 4. make a call 5. send a text 6. send an mms (if possible) 7. connect to wifi 8. connect to 3G 9. download an app 10. toggle wifi in system-settings 11. verify ofono-scripts (eg, /usr/share/ofono/scripts/list-modems and /usr/share/ofono/scripts/online-modem 12. double check `adb shell grep DEN /var/log/syslog` for no ofono denials during the testing = Original text = We should try to find ways to restrict certain properties and interfaces to well known callers, for example Modem 'Online' should be settable by urfkill only. We don't want to allow other processes to set these properties. This would also help to identify if some unintended process is trying to set such properties by accident. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/in
[Desktop-packages] [Bug 1296415] Re: [security] please use apparmor to restrict access to ofono to approved services
** Also affects: network-manager (Ubuntu Utopic) Importance: Undecided Assignee: Jamie Strandboge (jdstrand) Status: In Progress ** Also affects: indicator-network (Ubuntu Utopic) Importance: Undecided Assignee: Jamie Strandboge (jdstrand) Status: In Progress ** Also affects: ofono (Ubuntu Utopic) Importance: High Assignee: Jamie Strandboge (jdstrand) Status: In Progress ** Also affects: urfkill (Ubuntu Utopic) Importance: Undecided Assignee: Jamie Strandboge (jdstrand) Status: In Progress ** Also affects: powerd (Ubuntu Utopic) Importance: Undecided Assignee: Jamie Strandboge (jdstrand) Status: In Progress ** Also affects: ubuntu-system-settings (Ubuntu Utopic) Importance: Undecided Assignee: Jamie Strandboge (jdstrand) Status: In Progress ** Also affects: ubuntu-download-manager (Ubuntu Utopic) Importance: Undecided Assignee: Jamie Strandboge (jdstrand) Status: In Progress ** Also affects: nuntium (Ubuntu Utopic) Importance: Undecided Assignee: Jamie Strandboge (jdstrand) Status: In Progress ** Also affects: isc-dhcp (Ubuntu) Importance: Undecided Status: New ** Changed in: isc-dhcp (Ubuntu Utopic) Status: New => In Progress ** Changed in: isc-dhcp (Ubuntu Utopic) Assignee: (unassigned) => Jamie Strandboge (jdstrand) -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to network-manager in Ubuntu. https://bugs.launchpad.net/bugs/1296415 Title: [security] please use apparmor to restrict access to ofono to approved services Status in “indicator-network” package in Ubuntu: In Progress Status in “isc-dhcp” package in Ubuntu: In Progress Status in “network-manager” package in Ubuntu: In Progress Status in “nuntium” package in Ubuntu: In Progress Status in “ofono” package in Ubuntu: In Progress Status in “powerd” package in Ubuntu: In Progress Status in “ubuntu-download-manager” package in Ubuntu: In Progress Status in “ubuntu-system-settings” package in Ubuntu: In Progress Status in “urfkill” package in Ubuntu: In Progress Status in “indicator-network” source package in Utopic: In Progress Status in “isc-dhcp” source package in Utopic: In Progress Status in “network-manager” source package in Utopic: In Progress Status in “nuntium” source package in Utopic: In Progress Status in “ofono” source package in Utopic: In Progress Status in “powerd” source package in Utopic: In Progress Status in “ubuntu-download-manager” source package in Utopic: In Progress Status in “ubuntu-system-settings” source package in Utopic: In Progress Status in “urfkill” source package in Utopic: In Progress Bug description: It would be useful to limit the services that can connect to ofonod over DBus. We can implement this be creating an otherwise permissive AppArmor profile for ofonod that will limit any DBus calls to ofonod to a list of peer profiles (specifically excluding 'unconfined'). The list of peer profiles is: - indicator-network - network-manager (and dispatcher.d/03mmsproxy) - nuntium - telepathy-ofono - ofono-scripts - powerd - ubuntu-download-manager - system-settings - urfkill Each of the above needs to have a profile created for it, adjusting the boot scripts as necessary to ensure that the profile is loaded before the service starts. The peer profile implementation will be wide open as the purpose of the profile is (currently) to simply ensure the process of the service has the correct AppArmor labeling (though this opens the possibility to confine these services down the road if desired). Merge requests have been requested for everything except urfkill, which has a debdiff attached to this bug. As mentioned, the AppArmor profiles for everything except ofonod is wide open so the risk of regression is very low for these. In fact, if it is helpful, everything except ofono could be uploaded to the archive independently and at any time. For ofono, as mentioned, the AppArmor profile is also lenient except for the policy for its DBus interface. It is critical that ofono is updated at the same time or after all the other packages in this bug, otherwise any packages that aren't updated will fail to connect to ofono. I've been running this configuration on my phone for weeks with no denials (excepting 03mmsproxy which I adjusted for yesterday). I've tested the packaging on x86 emulator to make sure that the profiles are installed and loaded properly on boot. Test Plan (additional to any existing appropriate test plans) 1. Install all services on a device 2. reboot (important to restart the session and any services that aren't restarted automatically, like nuntium. reboot is easiest). Note the time of the reboot on the device 3. in addition to any applicable test plans, after full b
[Desktop-packages] [Bug 1296415] Re: [security] please use apparmor to restrict access to ofono to approved services
Ok, I made a small change to the policy in the MRs so I deleted the debdiffs since they aren't that useful now that I linked the MRs to this bug. Attached is an updated debdiff for urfkill. ** Patch removed: "ofono_1.12.bzr6868+14.10.20140513.1-0ubuntu3.debdiff" https://bugs.launchpad.net/ubuntu/+source/ofono/+bug/1296415/+attachment/4138452/+files/ofono_1.12.bzr6868%2B14.10.20140513.1-0ubuntu3.debdiff ** Patch removed: "network-manager_0.9.8.8-0ubuntu19.debdiff" https://bugs.launchpad.net/ubuntu/+source/ofono/+bug/1296415/+attachment/4138454/+files/network-manager_0.9.8.8-0ubuntu19.debdiff ** Patch removed: "nuntium_0.1+14.10.20140529-0ubuntu2.debdiff" https://bugs.launchpad.net/ubuntu/+source/ofono/+bug/1296415/+attachment/4138455/+files/nuntium_0.1%2B14.10.20140529-0ubuntu2.debdiff ** Patch removed: "powerd_0.15+14.10.20140612-0ubuntu2.debdiff" https://bugs.launchpad.net/ubuntu/+source/ofono/+bug/1296415/+attachment/4138456/+files/powerd_0.15%2B14.10.20140612-0ubuntu2.debdiff ** Patch removed: "ubuntu-system-settings_0.3+14.10.20140623-0ubuntu2.debdiff" https://bugs.launchpad.net/ubuntu/+source/ofono/+bug/1296415/+attachment/4138457/+files/ubuntu-system-settings_0.3%2B14.10.20140623-0ubuntu2.debdiff ** Patch removed: "urfkill_0.6.0~20140527.173146.03f4503-0ubuntu1~mtrudel1ubuntu1.debdiff" https://bugs.launchpad.net/ubuntu/+source/ofono/+bug/1296415/+attachment/4138458/+files/urfkill_0.6.0%7E20140527.173146.03f4503-0ubuntu1%7Emtrudel1ubuntu1.debdiff ** Patch removed: "ubuntu-download-manager_0.3+14.10.20140523-0ubuntu2.debdiff" https://bugs.launchpad.net/ubuntu/+source/ofono/+bug/1296415/+attachment/4138485/+files/ubuntu-download-manager_0.3%2B14.10.20140523-0ubuntu2.debdiff ** Patch removed: "indicator-network_0.5.1+14.10.20140602-0ubuntu2.debdiff" https://bugs.launchpad.net/ubuntu/+source/ofono/+bug/1296415/+attachment/4138507/+files/indicator-network_0.5.1%2B14.10.20140602-0ubuntu2.debdiff ** Patch added: "urfkill_0.6.0~20140527.173146.03f4503-0ubuntu1~mtrudel1ubuntu1.debdiff" https://bugs.launchpad.net/ubuntu/+source/ofono/+bug/1296415/+attachment/4138577/+files/urfkill_0.6.0%7E20140527.173146.03f4503-0ubuntu1%7Emtrudel1ubuntu1.debdiff -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to network-manager in Ubuntu. https://bugs.launchpad.net/bugs/1296415 Title: [security] please use apparmor to restrict access to ofono to approved services Status in “indicator-network” package in Ubuntu: In Progress Status in “network-manager” package in Ubuntu: In Progress Status in “nuntium” package in Ubuntu: In Progress Status in “ofono” package in Ubuntu: In Progress Status in “powerd” package in Ubuntu: In Progress Status in “ubuntu-download-manager” package in Ubuntu: In Progress Status in “ubuntu-system-settings” package in Ubuntu: In Progress Status in “urfkill” package in Ubuntu: In Progress Bug description: It would be useful to limit the services that can connect to ofonod over DBus. We can implement this be creating an otherwise permissive AppArmor profile for ofonod that will limit any DBus calls to ofonod to a list of peer profiles (specifically excluding 'unconfined'). The list of peer profiles is: - indicator-network - network-manager (and dispatcher.d/03mmsproxy) - nuntium - telepathy-ofono - ofono-scripts - powerd - ubuntu-download-manager - system-settings - urfkill Each of the above needs to have a profile created for it, adjusting the boot scripts as necessary to ensure that the profile is loaded before the service starts. The peer profile implementation will be wide open as the purpose of the profile is (currently) to simply ensure the process of the service has the correct AppArmor labeling (though this opens the possibility to confine these services down the road if desired). Merge requests have been requested for everything except urfkill, which has a debdiff attached to this bug. As mentioned, the AppArmor profiles for everything except ofonod is wide open so the risk of regression is very low for these. In fact, if it is helpful, everything except ofono could be uploaded to the archive independently and at any time. For ofono, as mentioned, the AppArmor profile is also lenient except for the policy for its DBus interface. It is critical that ofono is updated at the same time or after all the other packages in this bug, otherwise any packages that aren't updated will fail to connect to ofono. I've been running this configuration on my phone for weeks with no denials (excepting 03mmsproxy which I adjusted for yesterday). I've tested the packaging on x86 emulator to make sure that the profiles are installed and loaded properly on boot. Test Plan (additional to any existing appropriate test plans) 1. Install all services on a device 2. reboot (important to restart the session and any
[Desktop-packages] [Bug 1296415] Re: [security] please use apparmor to restrict access to ofono to approved services
** Description changed: It would be useful to limit the services that can connect to ofonod over DBus. We can implement this be creating an otherwise permissive AppArmor profile for ofonod that will limit any DBus calls to ofonod to a list of peer profiles (specifically excluding 'unconfined'). The list of peer profiles is: - - indicator-network - - network-manager (and dispatcher.d/03mmsproxy) - - nuntium - - telepathy-ofono - - ofono-scripts - - powerd - - ubuntu-download-manager - - system-settings - - urfkill + - indicator-network + - network-manager (and dispatcher.d/03mmsproxy) + - nuntium + - telepathy-ofono + - ofono-scripts + - powerd + - ubuntu-download-manager + - system-settings + - urfkill Each of the above needs to have a profile created for it, adjusting the boot scripts as necessary to ensure that the profile is loaded before the service starts. The peer profile implementation will be wide open as the purpose of the profile is (currently) to simply ensure the process of the service has the correct AppArmor labeling (though this opens the possibility to confine these services down the road if desired). Merge requests have been requested for everything except urfkill, which has a debdiff attached to this bug. As mentioned, the AppArmor profiles for everything except ofonod is wide open so the risk of regression is very low for these. In fact, if it is helpful, everything except ofono could be uploaded to the archive independently and at any time. For ofono, as mentioned, the AppArmor profile is also lenient except for the policy for its DBus interface. It is critical that ofono is updated at the same time or after all the other packages in this bug, otherwise any packages that aren't updated will fail to connect to ofono. I've been running this configuration on my phone for weeks with no denials (excepting 03mmsproxy which I adjusted for yesterday). I've tested the packaging on x86 emulator to make sure that the profiles are installed and loaded properly on boot. Test Plan (additional to any existing appropriate test plans) - 1. Install all services on a device - 2. reboot (important to restart the session and any services that aren't - restarted automatically, like nuntium. reboot is easiest). Note the time - of the reboot on the device - 3. in addition to any applicable test plans, after full boot: - adb shell grep DEN /var/log/syslog # there should be no denials for -# ofono after the system boots (there -# likely will be denials during -# upgrade) - adb shell tail -f /var/log/syslog | grep DEN # run this during all tests - 4. make a call - 5. send a text - 6. send an mms (if possible) - 7. connect to wifi - 8. connect to 3G - 9. download an app - 10. toggle wifi in system-settings - 11. double check `adb shell grep DEN /var/log/syslog` for no ofono denials - during the testing - + 1. Install all services on a device + 2. reboot (important to restart the session and any services that aren't + restarted automatically, like nuntium. reboot is easiest). Note the time + of the reboot on the device + 3. in addition to any applicable test plans, after full boot: + adb shell grep DEN /var/log/syslog # there should be no denials for + # ofono after the system boots (there + # likely will be denials during + # upgrade) + adb shell tail -f /var/log/syslog | grep DEN # run this during all tests + 4. make a call + 5. send a text + 6. send an mms (if possible) + 7. connect to wifi + 8. connect to 3G + 9. download an app + 10. toggle wifi in system-settings + 11. verify ofono-scripts (eg, /usr/share/ofono/scripts/list-modems and + /usr/share/ofono/scripts/online-modem + 12. double check `adb shell grep DEN /var/log/syslog` for no ofono denials + during the testing = Original text = We should try to find ways to restrict certain properties and interfaces to well known callers, for example Modem 'Online' should be settable by urfkill only. We don't want to allow other processes to set these properties. This would also help to identify if some unintended process is trying to set such properties by accident. -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to network-manager in Ubuntu. https://bugs.launchpad.net/bugs/1296415 Title: [security] please use apparmor to restrict access to ofono to approved services Status in “indicator-network” package in Ubuntu: In Progress Status in “network-manager” package in Ubuntu: In Progress Status in “nuntium” package in Ubuntu: In Progress Status in “ofono” package in Ubuntu: In Progress Status in “powe
[Desktop-packages] [Bug 1296415] Re: [security] please use apparmor to restrict access to ofono to approved services
Ok, at this point I am handing off to Phonedations to perform the landing. I've updated the description for testing, risk, implementation, etc and I believe everything is in place and am of course available for questions. ** Description changed: - We should try to find ways to restrict certain properties and interfaces - to well known callers, for example Modem 'Online' should be settable by - urfkill only. We don't want to allow other processes to set these - properties. This would also help to identify if some unintended process - is trying to set such properties by accident. + It would be useful to limit the services that can connect to ofonod over DBus. We can implement this be creating an otherwise permissive AppArmor profile for ofonod that will limit any DBus calls to ofonod to a list of peer profiles (specifically excluding 'unconfined'). The list of peer profiles is: + - indicator-network + - network-manager (and dispatcher.d/03mmsproxy) + - nuntium + - telepathy-ofono + - ofono-scripts + - powerd + - ubuntu-download-manager + - system-settings + - urfkill + + Each of the above needs to have a profile created for it, adjusting the + boot scripts as necessary to ensure that the profile is loaded before + the service starts. The peer profile implementation will be wide open as + the purpose of the profile is (currently) to simply ensure the process + of the service has the correct AppArmor labeling (though this opens the + possibility to confine these services down the road if desired). + + Merge requests have been requested for everything except urfkill, which + has a debdiff attached to this bug. As mentioned, the AppArmor profiles + for everything except ofonod is wide open so the risk of regression is + very low for these. In fact, if it is helpful, everything except ofono + could be uploaded to the archive independently and at any time. + + For ofono, as mentioned, the AppArmor profile is also lenient except for + the policy for its DBus interface. It is critical that ofono is updated + at the same time or after all the other packages in this bug, otherwise + any packages that aren't updated will fail to connect to ofono. + + I've been running this configuration on my phone for weeks with no + denials (excepting 03mmsproxy which I adjusted for yesterday). I've + tested the packaging on x86 emulator to make sure that the profiles are + installed and loaded properly on boot. + + Test Plan (additional to any existing appropriate test plans) + 1. Install all services on a device + 2. reboot (important to restart the session and any services that aren't + restarted automatically, like nuntium. reboot is easiest). Note the time + of the reboot on the device + 3. in addition to any applicable test plans, after full boot: + adb shell grep DEN /var/log/syslog # there should be no denials for +# ofono after the system boots (there +# likely will be denials during +# upgrade) + adb shell tail -f /var/log/syslog | grep DEN # run this during all tests + 4. make a call + 5. send a text + 6. send an mms (if possible) + 7. connect to wifi + 8. connect to 3G + 9. download an app + 10. toggle wifi in system-settings + 11. double check `adb shell grep DEN /var/log/syslog` for no ofono denials + during the testing + + + = Original text = + We should try to find ways to restrict certain properties and interfaces to well known callers, for example Modem 'Online' should be settable by urfkill only. We don't want to allow other processes to set these properties. This would also help to identify if some unintended process is trying to set such properties by accident. -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to network-manager in Ubuntu. https://bugs.launchpad.net/bugs/1296415 Title: [security] please use apparmor to restrict access to ofono to approved services Status in “indicator-network” package in Ubuntu: In Progress Status in “network-manager” package in Ubuntu: In Progress Status in “nuntium” package in Ubuntu: In Progress Status in “ofono” package in Ubuntu: In Progress Status in “powerd” package in Ubuntu: In Progress Status in “ubuntu-download-manager” package in Ubuntu: In Progress Status in “ubuntu-system-settings” package in Ubuntu: In Progress Status in “urfkill” package in Ubuntu: In Progress Bug description: It would be useful to limit the services that can connect to ofonod over DBus. We can implement this be creating an otherwise permissive AppArmor profile for ofonod that will limit any DBus calls to ofonod to a list of peer profiles (specifically excluding 'unconfined'). The list of peer profiles is: - indicator-network - network-manager (and dispatcher.d/03mmsproxy) - nuntium - telepathy-ofono - ofono-scripts -
[Desktop-packages] [Bug 1296415] Re: [security] please use apparmor to restrict access to ofono to approved services
** Branch linked: lp:~jdstrand/ofono/ofono-lp1296415 ** Branch linked: lp:~jdstrand/network-manager/network-manager-lp1296415 ** Branch linked: lp:~jdstrand/indicator-network/indicator-network- lp1296415 ** Branch linked: lp:~jdstrand/nuntium/nuntium-lp1296415 ** Branch linked: lp:~jdstrand/powerd/powerd-lp1296415 ** Branch linked: lp:~jdstrand/ubuntu-download-manager/ubuntu-download- manager-lp1296415 ** Branch linked: lp:~jdstrand/ubuntu-system-settings/ubuntu-system- settings-lp1296415 -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to network-manager in Ubuntu. https://bugs.launchpad.net/bugs/1296415 Title: [security] please use apparmor to restrict access to ofono to approved services Status in “indicator-network” package in Ubuntu: In Progress Status in “network-manager” package in Ubuntu: In Progress Status in “nuntium” package in Ubuntu: In Progress Status in “ofono” package in Ubuntu: In Progress Status in “powerd” package in Ubuntu: In Progress Status in “ubuntu-download-manager” package in Ubuntu: In Progress Status in “ubuntu-system-settings” package in Ubuntu: In Progress Status in “urfkill” package in Ubuntu: In Progress Bug description: We should try to find ways to restrict certain properties and interfaces to well known callers, for example Modem 'Online' should be settable by urfkill only. We don't want to allow other processes to set these properties. This would also help to identify if some unintended process is trying to set such properties by accident. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/indicator-network/+bug/1296415/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1296415] Re: [security] please use apparmor to restrict access to ofono to approved services
** Patch added: "indicator-network_0.5.1+14.10.20140602-0ubuntu2.debdiff" https://bugs.launchpad.net/ubuntu/+source/ubuntu-download-manager/+bug/1296415/+attachment/4138507/+files/indicator-network_0.5.1%2B14.10.20140602-0ubuntu2.debdiff -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to network-manager in Ubuntu. https://bugs.launchpad.net/bugs/1296415 Title: [security] please use apparmor to restrict access to ofono to approved services Status in “indicator-network” package in Ubuntu: In Progress Status in “network-manager” package in Ubuntu: In Progress Status in “nuntium” package in Ubuntu: In Progress Status in “ofono” package in Ubuntu: In Progress Status in “powerd” package in Ubuntu: In Progress Status in “ubuntu-download-manager” package in Ubuntu: In Progress Status in “ubuntu-system-settings” package in Ubuntu: In Progress Status in “urfkill” package in Ubuntu: In Progress Bug description: We should try to find ways to restrict certain properties and interfaces to well known callers, for example Modem 'Online' should be settable by urfkill only. We don't want to allow other processes to set these properties. This would also help to identify if some unintended process is trying to set such properties by accident. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/indicator-network/+bug/1296415/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1296415] Re: [security] please use apparmor to restrict access to ofono to approved services
** Tags added: patch -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to network-manager in Ubuntu. https://bugs.launchpad.net/bugs/1296415 Title: [security] please use apparmor to restrict access to ofono to approved services Status in “indicator-network” package in Ubuntu: In Progress Status in “network-manager” package in Ubuntu: In Progress Status in “nuntium” package in Ubuntu: In Progress Status in “ofono” package in Ubuntu: In Progress Status in “powerd” package in Ubuntu: In Progress Status in “ubuntu-download-manager” package in Ubuntu: In Progress Status in “ubuntu-system-settings” package in Ubuntu: In Progress Status in “urfkill” package in Ubuntu: In Progress Bug description: We should try to find ways to restrict certain properties and interfaces to well known callers, for example Modem 'Online' should be settable by urfkill only. We don't want to allow other processes to set these properties. This would also help to identify if some unintended process is trying to set such properties by accident. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/indicator-network/+bug/1296415/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1296415] Re: [security] please use apparmor to restrict access to ofono to approved services
** Patch added: "ubuntu-download-manager_0.3+14.10.20140523-0ubuntu2.debdiff" https://bugs.launchpad.net/ubuntu/+source/ubuntu-download-manager/+bug/1296415/+attachment/4138485/+files/ubuntu-download-manager_0.3%2B14.10.20140523-0ubuntu2.debdiff -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to network-manager in Ubuntu. https://bugs.launchpad.net/bugs/1296415 Title: [security] please use apparmor to restrict access to ofono to approved services Status in “indicator-network” package in Ubuntu: In Progress Status in “network-manager” package in Ubuntu: In Progress Status in “nuntium” package in Ubuntu: In Progress Status in “ofono” package in Ubuntu: In Progress Status in “powerd” package in Ubuntu: In Progress Status in “ubuntu-download-manager” package in Ubuntu: In Progress Status in “ubuntu-system-settings” package in Ubuntu: In Progress Status in “urfkill” package in Ubuntu: In Progress Bug description: We should try to find ways to restrict certain properties and interfaces to well known callers, for example Modem 'Online' should be settable by urfkill only. We don't want to allow other processes to set these properties. This would also help to identify if some unintended process is trying to set such properties by accident. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/indicator-network/+bug/1296415/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1296415] Re: [security] please use apparmor to restrict access to ofono to approved services
I'll be attaching debdiffs for review and also proposing merge requests. -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to network-manager in Ubuntu. https://bugs.launchpad.net/bugs/1296415 Title: [security] please use apparmor to restrict access to ofono to approved services Status in “indicator-network” package in Ubuntu: In Progress Status in “network-manager” package in Ubuntu: In Progress Status in “nuntium” package in Ubuntu: In Progress Status in “ofono” package in Ubuntu: In Progress Status in “powerd” package in Ubuntu: In Progress Status in “ubuntu-download-manager” package in Ubuntu: In Progress Status in “ubuntu-system-settings” package in Ubuntu: In Progress Status in “urfkill” package in Ubuntu: In Progress Bug description: We should try to find ways to restrict certain properties and interfaces to well known callers, for example Modem 'Online' should be settable by urfkill only. We don't want to allow other processes to set these properties. This would also help to identify if some unintended process is trying to set such properties by accident. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/indicator-network/+bug/1296415/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1296415] Re: [security] please use apparmor to restrict access to ofono to approved services
** Patch added: "urfkill_0.6.0~20140527.173146.03f4503-0ubuntu1~mtrudel1ubuntu1.debdiff" https://bugs.launchpad.net/ubuntu/+source/ubuntu-download-manager/+bug/1296415/+attachment/4138458/+files/urfkill_0.6.0%7E20140527.173146.03f4503-0ubuntu1%7Emtrudel1ubuntu1.debdiff -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to network-manager in Ubuntu. https://bugs.launchpad.net/bugs/1296415 Title: [security] please use apparmor to restrict access to ofono to approved services Status in “indicator-network” package in Ubuntu: In Progress Status in “network-manager” package in Ubuntu: In Progress Status in “nuntium” package in Ubuntu: In Progress Status in “ofono” package in Ubuntu: In Progress Status in “powerd” package in Ubuntu: In Progress Status in “ubuntu-download-manager” package in Ubuntu: In Progress Status in “ubuntu-system-settings” package in Ubuntu: In Progress Status in “urfkill” package in Ubuntu: In Progress Bug description: We should try to find ways to restrict certain properties and interfaces to well known callers, for example Modem 'Online' should be settable by urfkill only. We don't want to allow other processes to set these properties. This would also help to identify if some unintended process is trying to set such properties by accident. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/indicator-network/+bug/1296415/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1296415] Re: [security] please use apparmor to restrict access to ofono to approved services
** Patch added: "ofono_1.12.bzr6868+14.10.20140513.1-0ubuntu3.debdiff" https://bugs.launchpad.net/ubuntu/+source/ofono/+bug/1296415/+attachment/4138452/+files/ofono_1.12.bzr6868%2B14.10.20140513.1-0ubuntu3.debdiff ** Changed in: ubuntu-download-manager (Ubuntu) Status: Triaged => In Progress -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to network-manager in Ubuntu. https://bugs.launchpad.net/bugs/1296415 Title: [security] please use apparmor to restrict access to ofono to approved services Status in “indicator-network” package in Ubuntu: In Progress Status in “network-manager” package in Ubuntu: In Progress Status in “nuntium” package in Ubuntu: In Progress Status in “ofono” package in Ubuntu: In Progress Status in “powerd” package in Ubuntu: In Progress Status in “ubuntu-download-manager” package in Ubuntu: In Progress Status in “ubuntu-system-settings” package in Ubuntu: In Progress Status in “urfkill” package in Ubuntu: In Progress Bug description: We should try to find ways to restrict certain properties and interfaces to well known callers, for example Modem 'Online' should be settable by urfkill only. We don't want to allow other processes to set these properties. This would also help to identify if some unintended process is trying to set such properties by accident. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/indicator-network/+bug/1296415/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1296415] Re: [security] please use apparmor to restrict access to ofono to approved services
** Patch added: "powerd_0.15+14.10.20140612-0ubuntu2.debdiff" https://bugs.launchpad.net/ubuntu/+source/ubuntu-download-manager/+bug/1296415/+attachment/4138456/+files/powerd_0.15%2B14.10.20140612-0ubuntu2.debdiff -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to network-manager in Ubuntu. https://bugs.launchpad.net/bugs/1296415 Title: [security] please use apparmor to restrict access to ofono to approved services Status in “indicator-network” package in Ubuntu: In Progress Status in “network-manager” package in Ubuntu: In Progress Status in “nuntium” package in Ubuntu: In Progress Status in “ofono” package in Ubuntu: In Progress Status in “powerd” package in Ubuntu: In Progress Status in “ubuntu-download-manager” package in Ubuntu: In Progress Status in “ubuntu-system-settings” package in Ubuntu: In Progress Status in “urfkill” package in Ubuntu: In Progress Bug description: We should try to find ways to restrict certain properties and interfaces to well known callers, for example Modem 'Online' should be settable by urfkill only. We don't want to allow other processes to set these properties. This would also help to identify if some unintended process is trying to set such properties by accident. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/indicator-network/+bug/1296415/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1296415] Re: [security] please use apparmor to restrict access to ofono to approved services
** Patch added: "ubuntu-system-settings_0.3+14.10.20140623-0ubuntu2.debdiff" https://bugs.launchpad.net/ubuntu/+source/ubuntu-download-manager/+bug/1296415/+attachment/4138457/+files/ubuntu-system-settings_0.3%2B14.10.20140623-0ubuntu2.debdiff -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to network-manager in Ubuntu. https://bugs.launchpad.net/bugs/1296415 Title: [security] please use apparmor to restrict access to ofono to approved services Status in “indicator-network” package in Ubuntu: In Progress Status in “network-manager” package in Ubuntu: In Progress Status in “nuntium” package in Ubuntu: In Progress Status in “ofono” package in Ubuntu: In Progress Status in “powerd” package in Ubuntu: In Progress Status in “ubuntu-download-manager” package in Ubuntu: In Progress Status in “ubuntu-system-settings” package in Ubuntu: In Progress Status in “urfkill” package in Ubuntu: In Progress Bug description: We should try to find ways to restrict certain properties and interfaces to well known callers, for example Modem 'Online' should be settable by urfkill only. We don't want to allow other processes to set these properties. This would also help to identify if some unintended process is trying to set such properties by accident. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/indicator-network/+bug/1296415/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1296415] Re: [security] please use apparmor to restrict access to ofono to approved services
** Patch added: "nuntium_0.1+14.10.20140529-0ubuntu2.debdiff" https://bugs.launchpad.net/ubuntu/+source/ubuntu-download-manager/+bug/1296415/+attachment/4138455/+files/nuntium_0.1%2B14.10.20140529-0ubuntu2.debdiff -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to network-manager in Ubuntu. https://bugs.launchpad.net/bugs/1296415 Title: [security] please use apparmor to restrict access to ofono to approved services Status in “indicator-network” package in Ubuntu: In Progress Status in “network-manager” package in Ubuntu: In Progress Status in “nuntium” package in Ubuntu: In Progress Status in “ofono” package in Ubuntu: In Progress Status in “powerd” package in Ubuntu: In Progress Status in “ubuntu-download-manager” package in Ubuntu: In Progress Status in “ubuntu-system-settings” package in Ubuntu: In Progress Status in “urfkill” package in Ubuntu: In Progress Bug description: We should try to find ways to restrict certain properties and interfaces to well known callers, for example Modem 'Online' should be settable by urfkill only. We don't want to allow other processes to set these properties. This would also help to identify if some unintended process is trying to set such properties by accident. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/indicator-network/+bug/1296415/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1296415] Re: [security] please use apparmor to restrict access to ofono to approved services
** Patch added: "network-manager_0.9.8.8-0ubuntu19.debdiff" https://bugs.launchpad.net/ubuntu/+source/ubuntu-download-manager/+bug/1296415/+attachment/4138454/+files/network-manager_0.9.8.8-0ubuntu19.debdiff -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to network-manager in Ubuntu. https://bugs.launchpad.net/bugs/1296415 Title: [security] please use apparmor to restrict access to ofono to approved services Status in “indicator-network” package in Ubuntu: In Progress Status in “network-manager” package in Ubuntu: In Progress Status in “nuntium” package in Ubuntu: In Progress Status in “ofono” package in Ubuntu: In Progress Status in “powerd” package in Ubuntu: In Progress Status in “ubuntu-download-manager” package in Ubuntu: In Progress Status in “ubuntu-system-settings” package in Ubuntu: In Progress Status in “urfkill” package in Ubuntu: In Progress Bug description: We should try to find ways to restrict certain properties and interfaces to well known callers, for example Modem 'Online' should be settable by urfkill only. We don't want to allow other processes to set these properties. This would also help to identify if some unintended process is trying to set such properties by accident. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/indicator-network/+bug/1296415/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1296415] Re: [security] please use apparmor to restrict access to ofono to approved services
FYI, /etc/NetworkManager/dispatcher.d/03mmsproxy also needs to talk to ofono. This is actually called by /usr/lib/NetworkManager/nm- dispatcher.action as opposed to /usr/sbin/NetworkManager and /etc/NetworkManager/dispatcher.d/03mmsproxy is shipped by lxc-android- config. This isn't a problem, but I think I'd prefer to keep that policy in with the network manager packaging rather than shipping an apparmor profile in lxc-android-config. -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to network-manager in Ubuntu. https://bugs.launchpad.net/bugs/1296415 Title: [security] please use apparmor to restrict access to ofono to approved services Status in “indicator-network” package in Ubuntu: In Progress Status in “network-manager” package in Ubuntu: In Progress Status in “nuntium” package in Ubuntu: In Progress Status in “ofono” package in Ubuntu: In Progress Status in “powerd” package in Ubuntu: In Progress Status in “ubuntu-download-manager” package in Ubuntu: Triaged Status in “ubuntu-system-settings” package in Ubuntu: In Progress Status in “urfkill” package in Ubuntu: In Progress Bug description: We should try to find ways to restrict certain properties and interfaces to well known callers, for example Modem 'Online' should be settable by urfkill only. We don't want to allow other processes to set these properties. This would also help to identify if some unintended process is trying to set such properties by accident. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/indicator-network/+bug/1296415/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1296415] Re: [security] please use apparmor to restrict access to ofono to approved services
AppArmor packages are in https://launchpad.net/~ubuntu-security- proposed/+archive/ppa/+packages to unblock this bug. I'm testing local modifications for this bug with those packages now and everything works well. We will be requesting a silo for the apparmor packages on monday. As such, I will be preparing MRs for this bug then. -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to network-manager in Ubuntu. https://bugs.launchpad.net/bugs/1296415 Title: [security] please use apparmor to restrict access to ofono to approved services Status in “indicator-network” package in Ubuntu: In Progress Status in “network-manager” package in Ubuntu: In Progress Status in “nuntium” package in Ubuntu: In Progress Status in “ofono” package in Ubuntu: In Progress Status in “powerd” package in Ubuntu: In Progress Status in “ubuntu-download-manager” package in Ubuntu: Triaged Status in “ubuntu-system-settings” package in Ubuntu: In Progress Status in “urfkill” package in Ubuntu: In Progress Bug description: We should try to find ways to restrict certain properties and interfaces to well known callers, for example Modem 'Online' should be settable by urfkill only. We don't want to allow other processes to set these properties. This would also help to identify if some unintended process is trying to set such properties by accident. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/indicator-network/+bug/1296415/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1296415] Re: [security] please use apparmor to restrict access to ofono to approved services
So, I have things working locally, but there is a problem in that a race condition is being hit (LP: #1305108) where telepathy-ofono is launching before their profile is loaded, which breaks the dialer (since the process is running under the 'unconfined' label which isn't allowed to talk to ofono). Basically, I think we need bug #1305108 fixed before we can proceed with this. -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to network-manager in Ubuntu. https://bugs.launchpad.net/bugs/1296415 Title: [security] please use apparmor to restrict access to ofono to approved services Status in “indicator-network” package in Ubuntu: In Progress Status in “network-manager” package in Ubuntu: In Progress Status in “nuntium” package in Ubuntu: In Progress Status in “ofono” package in Ubuntu: In Progress Status in “powerd” package in Ubuntu: In Progress Status in “ubuntu-download-manager” package in Ubuntu: Triaged Status in “ubuntu-system-settings” package in Ubuntu: In Progress Status in “urfkill” package in Ubuntu: In Progress Bug description: We should try to find ways to restrict certain properties and interfaces to well known callers, for example Modem 'Online' should be settable by urfkill only. We don't want to allow other processes to set these properties. This would also help to identify if some unintended process is trying to set such properties by accident. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/indicator-network/+bug/1296415/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1296415] Re: [security] please use apparmor to restrict access to ofono to approved services
I just added a task for ubuntu-download-manager. Nice catch. Please let me know when you're ready for some more hands-on testing. ** Also affects: ubuntu-download-manager (Ubuntu) Importance: Undecided Status: New ** Changed in: ubuntu-download-manager (Ubuntu) Assignee: (unassigned) => Jamie Strandboge (jdstrand) ** Changed in: ubuntu-download-manager (Ubuntu) Status: New => Triaged -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to network-manager in Ubuntu. https://bugs.launchpad.net/bugs/1296415 Title: [security] please use apparmor to restrict access to ofono to approved services Status in “indicator-network” package in Ubuntu: In Progress Status in “network-manager” package in Ubuntu: In Progress Status in “nuntium” package in Ubuntu: In Progress Status in “ofono” package in Ubuntu: In Progress Status in “powerd” package in Ubuntu: In Progress Status in “ubuntu-download-manager” package in Ubuntu: Triaged Status in “ubuntu-system-settings” package in Ubuntu: In Progress Status in “urfkill” package in Ubuntu: In Progress Bug description: We should try to find ways to restrict certain properties and interfaces to well known callers, for example Modem 'Online' should be settable by urfkill only. We don't want to allow other processes to set these properties. This would also help to identify if some unintended process is trying to set such properties by accident. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/indicator-network/+bug/1296415/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1296415] Re: [security] please use apparmor to restrict access to ofono to approved services
I think I was wrong about rild and was hitting another issue. I seem to have this all working locally by creating profiles for: usr.bin.nuntium usr.bin.powerd usr.bin.system-settings usr.lib.indicator-network-service usr.lib.urfkilld usr.sbin.NetworkManager usr.sbin.ofonod then adjusting these upstart jobs to load the profile prior to launch (I may end up adjusting all the upstart jobs to be sure): ofono.conf powerd.conf urfkill.conf To demonstrate what this looks like, the ofonod profile has: # Permissive profile limit dbus access /usr/sbin/ofonod (attach_disconnected) { ... # We can do anything on dbus dbus (bind, send), # Some methods are ok by anyone (ie, dbus-daemon itself) dbus (receive) bus=system interface="org.freedesktop.DBus.Properties", # Limit who can connect on DBus to processes with these apparmor labels (LP: #1296415) dbus (receive) peer=(label=/usr/lib/*/indicator-network/indicator-network-service), dbus (receive) peer=(label=/usr/sbin/NetworkManager), dbus (receive) peer=(label=/usr/bin/nuntium), dbus (receive) peer=(label=/usr/bin/powerd), dbus (receive) peer=(label=/usr/bin/system-settings), dbus (receive) peer=(label=/usr/lib/*/urfkill/urfkilld), dbus (receive) peer=(label=/usr/lib/telepathy/telepathy-ofono), dbus (receive) peer=(label=ofono_scripts), ... } profile ofono_scripts /usr/share/ofono/scripts/* (attach_disconnected) { capability, mount, remount, umount, network, dbus, ptrace, signal, / rwkl, /** rwlkmix, } All of the peers have permissive profiles ala the 'ofono_scripts' policy above. Each then gets an apparmor label for it, and the ofonod apparmor policy allows connections from only those labels (not even unconfined can connect). Light testing shows that 'list-modems' and 'online-modem' from /usr/share/ofono/scripts work fine and on reboot the phone comes up and connects to 3G and generally seems to work ok. indicator-network and settings all work correctly when switching back and forth between wifi and 3g). Toggling cellular data works. I did notice that ubuntu-download-manager gets a denial: Jun 4 10:19:42 ubuntu-phablet dbus[756]: apparmor="DENIED" operation="dbus_method_call" bus="system" path="/" interface="org.ofono.Manager" member="GetModems" name=":1.77" mask="receive" pid=1350 profile="/usr/sbin/ofonod" peer_pid=4086 peer_profile="unconfined" Jun 4 10:19:42 ubuntu-phablet dbus[756]: message repeated 16 times: [ apparmor="DENIED" operation="dbus_method_call" bus="system" path="/" interface="org.ofono.Manager" member="GetModems" name=":1.77" mask="receive" pid=1350 profile="/usr/sbin/ofonod" peer_pid=4086 peer_profile="unconfined"] # ps auxww|grep 4086 root 4086 2.0 0.4 65996 7776 ?Sl 10:19 0:00 /usr/bin/ubuntu-download-manager Should ubuntu-download-manager be added to the list? ** Changed in: indicator-network (Ubuntu) Status: New => In Progress ** Changed in: network-manager (Ubuntu) Status: New => In Progress ** Changed in: nuntium (Ubuntu) Status: New => In Progress ** Changed in: ofono (Ubuntu) Status: Confirmed => In Progress ** Changed in: powerd (Ubuntu) Status: New => In Progress ** Changed in: ubuntu-system-settings (Ubuntu) Status: New => In Progress ** Changed in: urfkill (Ubuntu) Status: New => In Progress ** Tags added: apparmor application-confinement rtm14 -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to network-manager in Ubuntu. https://bugs.launchpad.net/bugs/1296415 Title: [security] please use apparmor to restrict access to ofono to approved services Status in “indicator-network” package in Ubuntu: In Progress Status in “network-manager” package in Ubuntu: In Progress Status in “nuntium” package in Ubuntu: In Progress Status in “ofono” package in Ubuntu: In Progress Status in “powerd” package in Ubuntu: In Progress Status in “ubuntu-system-settings” package in Ubuntu: In Progress Status in “urfkill” package in Ubuntu: In Progress Bug description: We should try to find ways to restrict certain properties and interfaces to well known callers, for example Modem 'Online' should be settable by urfkill only. We don't want to allow other processes to set these properties. This would also help to identify if some unintended process is trying to set such properties by accident. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/indicator-network/+bug/1296415/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1296415] Re: [security] please use apparmor to restrict access to ofono to approved services
Looks like rild will also need a profile. Furthermore, we need to create the symlinks in /etc/apparmor/init/network-interface-security to make sure these things are coming up confined. ** Changed in: ubuntu-system-settings (Ubuntu) Assignee: (unassigned) => Jamie Strandboge (jdstrand) ** Changed in: nuntium (Ubuntu) Assignee: (unassigned) => Jamie Strandboge (jdstrand) -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to network-manager in Ubuntu. https://bugs.launchpad.net/bugs/1296415 Title: [security] please use apparmor to restrict access to ofono to approved services Status in “indicator-network” package in Ubuntu: New Status in “network-manager” package in Ubuntu: New Status in “nuntium” package in Ubuntu: New Status in “ofono” package in Ubuntu: Confirmed Status in “powerd” package in Ubuntu: New Status in “ubuntu-system-settings” package in Ubuntu: New Status in “urfkill” package in Ubuntu: New Bug description: We should try to find ways to restrict certain properties and interfaces to well known callers, for example Modem 'Online' should be settable by urfkill only. We don't want to allow other processes to set these properties. This would also help to identify if some unintended process is trying to set such properties by accident. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/indicator-network/+bug/1296415/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1296415] Re: [security] please use apparmor to restrict access to ofono to approved services
** Also affects: ubuntu-system-settings (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to network-manager in Ubuntu. https://bugs.launchpad.net/bugs/1296415 Title: [security] please use apparmor to restrict access to ofono to approved services Status in “indicator-network” package in Ubuntu: New Status in “network-manager” package in Ubuntu: New Status in “nuntium” package in Ubuntu: New Status in “ofono” package in Ubuntu: Confirmed Status in “powerd” package in Ubuntu: New Status in “ubuntu-system-settings” package in Ubuntu: New Status in “urfkill” package in Ubuntu: New Bug description: We should try to find ways to restrict certain properties and interfaces to well known callers, for example Modem 'Online' should be settable by urfkill only. We don't want to allow other processes to set these properties. This would also help to identify if some unintended process is trying to set such properties by accident. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/indicator-network/+bug/1296415/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1296415] Re: [security] please use apparmor to restrict access to ofono to approved services
The greeter code itself probably doesn't need its own access to ofono, but if you are basing any checks on which user is running, please remember that telepathy-ofono and friends run as the 'lightdm' user inside a greeter session. -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to network-manager in Ubuntu. https://bugs.launchpad.net/bugs/1296415 Title: [security] please use apparmor to restrict access to ofono to approved services Status in “indicator-network” package in Ubuntu: New Status in “network-manager” package in Ubuntu: New Status in “nuntium” package in Ubuntu: New Status in “ofono” package in Ubuntu: Confirmed Status in “powerd” package in Ubuntu: New Status in “urfkill” package in Ubuntu: New Bug description: We should try to find ways to restrict certain properties and interfaces to well known callers, for example Modem 'Online' should be settable by urfkill only. We don't want to allow other processes to set these properties. This would also help to identify if some unintended process is trying to set such properties by accident. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/indicator-network/+bug/1296415/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1296415] Re: [security] please use apparmor to restrict access to ofono to approved services
After discussion with Jamie, I think we merely want to restrict ofono usage to a particular set of system processes. AppArmor is not capable of restricting individual properties, and unfortunately "Online" is a property of the top-level org.ofono.Modem interface which we really can't restrict to just urfkill. Our current plan of record is that we will provide basic unrestrictive AppArmor profiles to the following system/session processes: - NetworkManager - telepathy-ofono ( or related telepathy process/component ) - urfkill - indicator-network - nuntium ( MMS daemon ) - powerd -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to network-manager in Ubuntu. https://bugs.launchpad.net/bugs/1296415 Title: [security] please use apparmor to restrict access to ofono to approved services Status in “indicator-network” package in Ubuntu: New Status in “network-manager” package in Ubuntu: New Status in “nuntium” package in Ubuntu: New Status in “ofono” package in Ubuntu: Confirmed Status in “powerd” package in Ubuntu: New Status in “urfkill” package in Ubuntu: New Bug description: We should try to find ways to restrict certain properties and interfaces to well known callers, for example Modem 'Online' should be settable by urfkill only. We don't want to allow other processes to set these properties. This would also help to identify if some unintended process is trying to set such properties by accident. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/indicator-network/+bug/1296415/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1296415] Re: [security] please use apparmor to restrict access to ofono to approved services
We also need some further investigation as the following components *may* also need access: - ubuntu-download-manager - greeter ** Also affects: nuntium (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to network-manager in Ubuntu. https://bugs.launchpad.net/bugs/1296415 Title: [security] please use apparmor to restrict access to ofono to approved services Status in “indicator-network” package in Ubuntu: New Status in “network-manager” package in Ubuntu: New Status in “nuntium” package in Ubuntu: New Status in “ofono” package in Ubuntu: Confirmed Status in “powerd” package in Ubuntu: New Status in “urfkill” package in Ubuntu: New Bug description: We should try to find ways to restrict certain properties and interfaces to well known callers, for example Modem 'Online' should be settable by urfkill only. We don't want to allow other processes to set these properties. This would also help to identify if some unintended process is trying to set such properties by accident. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/indicator-network/+bug/1296415/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp