[Desktop-packages] [Bug 1296415] Re: [security] please use apparmor to restrict access to ofono to approved services

2014-07-17 Thread Jamie Strandboge
** Changed in: indicator-network (Ubuntu Utopic) Status: In Progress => Won't Fix ** Changed in: network-manager (Ubuntu Utopic) Status: In Progress => Won't Fix ** Changed in: nuntium (Ubuntu Utopic) Status: In Progress => Won't Fix ** Changed in: ofono (Ubuntu Utopic)

[Desktop-packages] [Bug 1296415] Re: [security] please use apparmor to restrict access to ofono to approved services

2014-07-17 Thread Jamie Strandboge
Adjusted the bug statuses based on the updated description. This is Won't Fix for Utopic (Triaged when V opens). ** Changed in: urfkill (Ubuntu Utopic) Status: In Progress => Won't Fix ** Changed in: ubuntu-system-settings (Ubuntu Utopic) Status: In Progress => Won't Fix ** Changed

[Desktop-packages] [Bug 1296415] Re: [security] please use apparmor to restrict access to ofono to approved services

2014-07-16 Thread Tony Espy
Bumped Importance to WishList as it's clear this will not be fixed for RTM. ** Changed in: ofono (Ubuntu Utopic) Importance: High => Wishlist -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to network-manager in Ubuntu.

[Desktop-packages] [Bug 1296415] Re: [security] please use apparmor to restrict access to ofono to approved services

2014-07-10 Thread Tony Espy
Removed the rtm14 tag based on Jamie's NOTE in the bug description. ** Tags removed: rtm14

[Desktop-packages] [Bug 1296415] Re: [security] please use apparmor to restrict access to ofono to approved services

2014-06-27 Thread Jamie Strandboge
** Description changed: NOTE: After further review from the security team, unfortunately what is presented as a solution in this bug is not sufficient to block unconfined processes from connecting to ofono for essentially two reasons:  a) anything that is unconfined can change into

[Desktop-packages] [Bug 1296415] Re: [security] please use apparmor to restrict access to ofono to approved services

2014-06-26 Thread Antti Kaijanmäki
indicator-network-autopilot needs to talk to ofono directly. inside lp:indicator-network tree see tests/autopilot/indicator_network/helpers/phonesim_manager.py

[Desktop-packages] [Bug 1296415] Re: [security] please use apparmor to restrict access to ofono to approved services

2014-06-26 Thread Launchpad Bug Tracker
This bug was fixed in the package isc-dhcp - 4.2.4-7ubuntu13 --- isc-dhcp (4.2.4-7ubuntu13) utopic; urgency=medium * apparmor-profile.dhclient: allow signal receive and ptrace readby by peer=/usr/sbin/NetworkManager to dhclient and nm-dhcp-client.action (LP: #1296415) --

[Desktop-packages] [Bug 1296415] Re: [security] please use apparmor to restrict access to ofono to approved services

2014-06-26 Thread Jamie Strandboge
** Description changed: + NOTE: After further review from the security team, unfortunately what is + presented as a solution in this bug is not sufficient to block + unconfined processes from connecting to ofono for essentially two + reasons: + + a) anything that is unconfined can change into

[Desktop-packages] [Bug 1296415] Re: [security] please use apparmor to restrict access to ofono to approved services

2014-06-25 Thread Jamie Strandboge
** Also affects: network-manager (Ubuntu Utopic) Importance: Undecided Assignee: Jamie Strandboge (jdstrand) Status: In Progress ** Also affects: indicator-network (Ubuntu Utopic) Importance: Undecided Assignee: Jamie Strandboge (jdstrand) Status: In Progress **

[Desktop-packages] [Bug 1296415] Re: [security] please use apparmor to restrict access to ofono to approved services

2014-06-25 Thread Jamie Strandboge
Adding an isc-dhcp task. It doesn't need to talk to ofono, but dhclient is confined and the dhclient profile needs to allow receiving signals and ptrace reads by /usr/sbin/NetworkManager.

[Desktop-packages] [Bug 1296415] Re: [security] please use apparmor to restrict access to ofono to approved services

2014-06-25 Thread Jamie Strandboge
** Changed in: isc-dhcp (Ubuntu Utopic) Status: In Progress => Fix Committed

[Desktop-packages] [Bug 1296415] Re: [security] please use apparmor to restrict access to ofono to approved services

2014-06-24 Thread Jamie Strandboge
** Patch added: ofono_1.12.bzr6868+14.10.20140513.1-0ubuntu3.debdiff https://bugs.launchpad.net/ubuntu/+source/ofono/+bug/1296415/+attachment/4138452/+files/ofono_1.12.bzr6868%2B14.10.20140513.1-0ubuntu3.debdiff ** Changed in: ubuntu-download-manager (Ubuntu) Status: Triaged => In

[Desktop-packages] [Bug 1296415] Re: [security] please use apparmor to restrict access to ofono to approved services

2014-06-24 Thread Jamie Strandboge
** Patch added: powerd_0.15+14.10.20140612-0ubuntu2.debdiff https://bugs.launchpad.net/ubuntu/+source/ubuntu-download-manager/+bug/1296415/+attachment/4138456/+files/powerd_0.15%2B14.10.20140612-0ubuntu2.debdiff

[Desktop-packages] [Bug 1296415] Re: [security] please use apparmor to restrict access to ofono to approved services

2014-06-24 Thread Jamie Strandboge
** Patch added: ubuntu-system-settings_0.3+14.10.20140623-0ubuntu2.debdiff https://bugs.launchpad.net/ubuntu/+source/ubuntu-download-manager/+bug/1296415/+attachment/4138457/+files/ubuntu-system-settings_0.3%2B14.10.20140623-0ubuntu2.debdiff

[Desktop-packages] [Bug 1296415] Re: [security] please use apparmor to restrict access to ofono to approved services

2014-06-24 Thread Jamie Strandboge
** Patch added: nuntium_0.1+14.10.20140529-0ubuntu2.debdiff https://bugs.launchpad.net/ubuntu/+source/ubuntu-download-manager/+bug/1296415/+attachment/4138455/+files/nuntium_0.1%2B14.10.20140529-0ubuntu2.debdiff

[Desktop-packages] [Bug 1296415] Re: [security] please use apparmor to restrict access to ofono to approved services

2014-06-24 Thread Jamie Strandboge
** Patch added: network-manager_0.9.8.8-0ubuntu19.debdiff https://bugs.launchpad.net/ubuntu/+source/ubuntu-download-manager/+bug/1296415/+attachment/4138454/+files/network-manager_0.9.8.8-0ubuntu19.debdiff

[Desktop-packages] [Bug 1296415] Re: [security] please use apparmor to restrict access to ofono to approved services

2014-06-24 Thread Jamie Strandboge
I'll be attaching debdiffs for review and also proposing merge requests.

[Desktop-packages] [Bug 1296415] Re: [security] please use apparmor to restrict access to ofono to approved services

2014-06-24 Thread Jamie Strandboge
** Patch added: urfkill_0.6.0~20140527.173146.03f4503-0ubuntu1~mtrudel1ubuntu1.debdiff https://bugs.launchpad.net/ubuntu/+source/ubuntu-download-manager/+bug/1296415/+attachment/4138458/+files/urfkill_0.6.0%7E20140527.173146.03f4503-0ubuntu1%7Emtrudel1ubuntu1.debdiff

[Desktop-packages] [Bug 1296415] Re: [security] please use apparmor to restrict access to ofono to approved services

2014-06-24 Thread Jamie Strandboge
** Patch added: ubuntu-download-manager_0.3+14.10.20140523-0ubuntu2.debdiff https://bugs.launchpad.net/ubuntu/+source/ubuntu-download-manager/+bug/1296415/+attachment/4138485/+files/ubuntu-download-manager_0.3%2B14.10.20140523-0ubuntu2.debdiff

[Desktop-packages] [Bug 1296415] Re: [security] please use apparmor to restrict access to ofono to approved services

2014-06-24 Thread Ubuntu Foundations Team Bug Bot
** Tags added: patch

[Desktop-packages] [Bug 1296415] Re: [security] please use apparmor to restrict access to ofono to approved services

2014-06-24 Thread Jamie Strandboge
** Patch added: indicator-network_0.5.1+14.10.20140602-0ubuntu2.debdiff https://bugs.launchpad.net/ubuntu/+source/ubuntu-download-manager/+bug/1296415/+attachment/4138507/+files/indicator-network_0.5.1%2B14.10.20140602-0ubuntu2.debdiff

[Desktop-packages] [Bug 1296415] Re: [security] please use apparmor to restrict access to ofono to approved services

2014-06-24 Thread Jamie Strandboge
** Branch linked: lp:~jdstrand/ofono/ofono-lp1296415 ** Branch linked: lp:~jdstrand/network-manager/network-manager-lp1296415 ** Branch linked: lp:~jdstrand/indicator-network/indicator-network-lp1296415 ** Branch linked: lp:~jdstrand/nuntium/nuntium-lp1296415 ** Branch linked:

[Desktop-packages] [Bug 1296415] Re: [security] please use apparmor to restrict access to ofono to approved services

2014-06-24 Thread Jamie Strandboge
Ok, at this point I am handing off to Phonedations to perform the landing. I've updated the description for testing, risk, implementation, etc and I believe everything is in place and am of course available for questions. ** Description changed: - We should try to find ways to restrict certain

[Desktop-packages] [Bug 1296415] Re: [security] please use apparmor to restrict access to ofono to approved services

2014-06-24 Thread Jamie Strandboge
** Description changed: It would be useful to limit the services that can connect to ofonod over DBus. We can implement this by creating an otherwise permissive AppArmor profile for ofonod that will limit any DBus calls to ofonod to a list of peer profiles (specifically excluding

[Desktop-packages] [Bug 1296415] Re: [security] please use apparmor to restrict access to ofono to approved services

2014-06-24 Thread Jamie Strandboge
Ok, I made a small change to the policy in the MRs so I deleted the debdiffs since they aren't that useful now that I linked the MRs to this bug. Attached is an updated debdiff for urfkill. ** Patch removed: ofono_1.12.bzr6868+14.10.20140513.1-0ubuntu3.debdiff

[Desktop-packages] [Bug 1296415] Re: [security] please use apparmor to restrict access to ofono to approved services

2014-06-23 Thread Jamie Strandboge
FYI, /etc/NetworkManager/dispatcher.d/03mmsproxy also needs to talk to ofono. This is actually called by /usr/lib/NetworkManager/nm-dispatcher.action as opposed to /usr/sbin/NetworkManager and /etc/NetworkManager/dispatcher.d/03mmsproxy is shipped by lxc-android-config. This isn't a problem, but

[Desktop-packages] [Bug 1296415] Re: [security] please use apparmor to restrict access to ofono to approved services

2014-06-20 Thread Jamie Strandboge
AppArmor packages are in https://launchpad.net/~ubuntu-security-proposed/+archive/ppa/+packages to unblock this bug. I'm testing local modifications for this bug with those packages now and everything works well. We will be requesting a silo for the apparmor packages on Monday. As such, I will be

[Desktop-packages] [Bug 1296415] Re: [security] please use apparmor to restrict access to ofono to approved services

2014-06-12 Thread Jamie Strandboge
So, I have things working locally, but there is a problem in that a race condition is being hit (LP: #1305108) where telepathy-ofono is launching before their profile is loaded, which breaks the dialer (since the process is running under the 'unconfined' label which isn't allowed to talk to

[Desktop-packages] [Bug 1296415] Re: [security] please use apparmor to restrict access to ofono to approved services

2014-06-10 Thread Tony Espy
I just added a task for ubuntu-download-manager. Nice catch. Please let me know when you're ready for some more hands-on testing. ** Also affects: ubuntu-download-manager (Ubuntu) Importance: Undecided Status: New ** Changed in: ubuntu-download-manager (Ubuntu) Assignee:

[Desktop-packages] [Bug 1296415] Re: [security] please use apparmor to restrict access to ofono to approved services

2014-06-04 Thread Jamie Strandboge
I think I was wrong about rild and was hitting another issue. I seem to have this all working locally by creating profiles for: usr.bin.nuntium usr.bin.powerd usr.bin.system-settings usr.lib.indicator-network-service usr.lib.urfkilld usr.sbin.NetworkManager usr.sbin.ofonod then

[Desktop-packages] [Bug 1296415] Re: [security] please use apparmor to restrict access to ofono to approved services

2014-06-03 Thread Jamie Strandboge
Looks like rild will also need a profile. Furthermore, we need to create the symlinks in /etc/apparmor/init/network-interface-security to make sure these things are coming up confined. ** Changed in: ubuntu-system-settings (Ubuntu) Assignee: (unassigned) => Jamie Strandboge (jdstrand) **

[Desktop-packages] [Bug 1296415] Re: [security] please use apparmor to restrict access to ofono to approved services

2014-05-29 Thread Tony Espy
After discussion with Jamie, I think we merely want to restrict ofono usage to a particular set of system processes. AppArmor is not capable of restricting individual properties, and unfortunately Online is a property of the top-level org.ofono.Modem interface which we really can't restrict to

[Desktop-packages] [Bug 1296415] Re: [security] please use apparmor to restrict access to ofono to approved services

2014-05-29 Thread Tony Espy
We also need some further investigation as the following components *may* also need access: - ubuntu-download-manager - greeter ** Also affects: nuntium (Ubuntu) Importance: Undecided Status: New

[Desktop-packages] [Bug 1296415] Re: [security] please use apparmor to restrict access to ofono to approved services

2014-05-29 Thread Michael Terry
The greeter code itself probably doesn't need its own access to ofono, but if you are basing any checks on which user is running, please remember that telepathy-ofono and friends run as the 'lightdm' user inside a greeter session.

[Desktop-packages] [Bug 1296415] Re: [security] please use apparmor to restrict access to ofono to approved services

2014-05-29 Thread Tony Espy
** Also affects: ubuntu-system-settings (Ubuntu) Importance: Undecided Status: New