Public bug reported:

[ Impact ]

We need to add IPC mediation support in the userspace tools, starting with 
posix message queue.
This would improve security and lower the attack surface for applications
There is already a proposal upstream: 
https://gitlab.com/apparmor/apparmor/-/merge_requests/858

[ Test Plan ]

In the merge request in the description there are several tests added.
There are parser tests that can be run with "make -C parser check" in the 
project source tree.
There are also tests for the python tools that can be run ith "make -C utils 
check" in the project source tree.
There are also regression tests in tests/regression/apparmor. They run with the 
whole test suite when you run with "sudo make tests", but they can also be run 
individually with "sudo ./posix_mq.sh"

[ Where problems could occur ]

There could be problems related to #1728130, where a policy was developed for a 
set of rules supported by a specific kernel, and if new mediation is available 
on newer kernels, then there will be some denied rules. Therefore we need to 
also prevent that from happening. This is already available in apparmor-3.+, 
but for older versions could be done by backporting the abi patches from 
apparmor-3.0.

** Affects: apparmor (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1993353

Title:
  Add posix message queue IPC mediation

Status in apparmor package in Ubuntu:
  New

Bug description:
  [ Impact ]

  We need to add IPC mediation support in the userspace tools, starting with 
posix message queue.
  This would improve security and lower the attack surface for applications
  There is already a proposal upstream: 
  https://gitlab.com/apparmor/apparmor/-/merge_requests/858

  [ Test Plan ]

  In the merge request in the description there are several tests added.
  There are parser tests that can be run with "make -C parser check" in the 
project source tree.
  There are also tests for the python tools that can be run ith "make -C utils 
check" in the project source tree.
  There are also regression tests in tests/regression/apparmor. They run with 
the whole test suite when you run with "sudo make tests", but they can also be 
run individually with "sudo ./posix_mq.sh"

  [ Where problems could occur ]

  There could be problems related to #1728130, where a policy was developed for 
a set of rules supported by a specific kernel, and if new mediation is 
available on newer kernels, then there will be some denied rules. Therefore we 
need to also prevent that from happening. This is already available in 
apparmor-3.+, but for older versions could be done by backporting the abi 
patches from 
  apparmor-3.0.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1993353/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to