Adjusted the bug statuses based on the updated description. This is
"Won't Fix" for Utopic ("Triaged" when "V" opens).
** Changed in: urfkill (Ubuntu Utopic)
Status: In Progress => Won't Fix
** Changed in: ubuntu-system-settings (Ubuntu Utopic)
Status: In Progress => Won't Fix
** C
** Changed in: indicator-network (Ubuntu Utopic)
Status: In Progress => Won't Fix
** Changed in: network-manager (Ubuntu Utopic)
Status: In Progress => Won't Fix
** Changed in: nuntium (Ubuntu Utopic)
Status: In Progress => Won't Fix
** Changed in: ofono (Ubuntu Utopic)
Bumped Importance to WishList as it's clear this will not be fixed for
RTM.
** Changed in: ofono (Ubuntu Utopic)
Importance: High => Wishlist
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1296415
Removed the "rtm14" tag based on Jamie's NOTE in the bug description.
** Tags removed: rtm14
** Description changed:
NOTE: After further review from the security team, unfortunately what is
presented as a solution in this bug is not sufficient to block
unconfined processes from connecting to ofono for essentially two
reasons:
a) anything that is unconfined can change into an
** Description changed:
+ NOTE: After further review from the security team, unfortunately what is
+ presented as a solution in this bug is not sufficient to block
+ unconfined processes from connecting to ofono for essentially two
+ reasons:
+
+ a) anything that is unconfined can change into an
This bug was fixed in the package isc-dhcp - 4.2.4-7ubuntu13
---
isc-dhcp (4.2.4-7ubuntu13) utopic; urgency=medium
* apparmor-profile.dhclient: allow signal receive and ptrace readby by
peer=/usr/sbin/NetworkManager to dhclient and nm-dhcp-client.action
(LP: #1296415)
-- Ja
indicator-network-autopilot needs to talk to ofono directly.
inside lp:indicator-network tree see
tests/autopilot/indicator_network/helpers/phonesim_manager.py
** Changed in: isc-dhcp (Ubuntu Utopic)
Status: In Progress => Fix Committed
Adding an isc-dhcp task. It doesn't need to talk to ofono, but dhclient
is confined and the dhclient profile needs to allow receiving signals
and ptrace reads by /usr/sbin/NetworkManager.
** Also affects: network-manager (Ubuntu Utopic)
Importance: Undecided
Assignee: Jamie Strandboge (jdstrand)
Status: In Progress
** Also affects: indicator-network (Ubuntu Utopic)
Importance: Undecided
Assignee: Jamie Strandboge (jdstrand)
Status: In Progress
** Also
Ok, I made a small change to the policy in the MRs so I deleted the
debdiffs since they aren't that useful now that I linked the MRs to this
bug. Attached is an updated debdiff for urfkill.
** Patch removed: "ofono_1.12.bzr6868+14.10.20140513.1-0ubuntu3.debdiff"
https://bugs.launchpad.net/ubun
** Description changed:
It would be useful to limit the services that can connect to ofonod over
DBus. We can implement this by creating an otherwise permissive AppArmor
profile for ofonod that will limit any DBus calls to ofonod to a list of peer
profiles (specifically excluding 'unconfined'
Ok, at this point I am handing off to Phonedations to perform the
landing. I've updated the description for testing, risk, implementation,
etc and I believe everything is in place and am of course available for
questions.
** Description changed:
- We should try to find ways to restrict certain pr
** Branch linked: lp:~jdstrand/ofono/ofono-lp1296415
** Branch linked: lp:~jdstrand/network-manager/network-manager-lp1296415
** Branch linked: lp:~jdstrand/indicator-network/indicator-network-lp1296415
** Branch linked: lp:~jdstrand/nuntium/nuntium-lp1296415
** Branch linked: lp:~jdstrand/pow
** Patch added: "indicator-network_0.5.1+14.10.20140602-0ubuntu2.debdiff"
https://bugs.launchpad.net/ubuntu/+source/ubuntu-download-manager/+bug/1296415/+attachment/4138507/+files/indicator-network_0.5.1%2B14.10.20140602-0ubuntu2.debdiff
** Tags added: patch
Title:
[security] please use apparmor to restrict access to ofono to approved
services
** Patch added: "ubuntu-download-manager_0.3+14.10.20140523-0ubuntu2.debdiff"
https://bugs.launchpad.net/ubuntu/+source/ubuntu-download-manager/+bug/1296415/+attachment/4138485/+files/ubuntu-download-manager_0.3%2B14.10.20140523-0ubuntu2.debdiff
** Patch added: "nuntium_0.1+14.10.20140529-0ubuntu2.debdiff"
https://bugs.launchpad.net/ubuntu/+source/ubuntu-download-manager/+bug/1296415/+attachment/4138455/+files/nuntium_0.1%2B14.10.20140529-0ubuntu2.debdiff
** Patch added:
"urfkill_0.6.0~20140527.173146.03f4503-0ubuntu1~mtrudel1ubuntu1.debdiff"
https://bugs.launchpad.net/ubuntu/+source/ubuntu-download-manager/+bug/1296415/+attachment/4138458/+files/urfkill_0.6.0%7E20140527.173146.03f4503-0ubuntu1%7Emtrudel1ubuntu1.debdiff
** Patch added: "ubuntu-system-settings_0.3+14.10.20140623-0ubuntu2.debdiff"
https://bugs.launchpad.net/ubuntu/+source/ubuntu-download-manager/+bug/1296415/+attachment/4138457/+files/ubuntu-system-settings_0.3%2B14.10.20140623-0ubuntu2.debdiff
** Patch added: "network-manager_0.9.8.8-0ubuntu19.debdiff"
https://bugs.launchpad.net/ubuntu/+source/ubuntu-download-manager/+bug/1296415/+attachment/4138454/+files/network-manager_0.9.8.8-0ubuntu19.debdiff
** Patch added: "powerd_0.15+14.10.20140612-0ubuntu2.debdiff"
https://bugs.launchpad.net/ubuntu/+source/ubuntu-download-manager/+bug/1296415/+attachment/4138456/+files/powerd_0.15%2B14.10.20140612-0ubuntu2.debdiff
** Patch added: "ofono_1.12.bzr6868+14.10.20140513.1-0ubuntu3.debdiff"
https://bugs.launchpad.net/ubuntu/+source/ofono/+bug/1296415/+attachment/4138452/+files/ofono_1.12.bzr6868%2B14.10.20140513.1-0ubuntu3.debdiff
** Changed in: ubuntu-download-manager (Ubuntu)
Status: Triaged => In Pro
I'll be attaching debdiffs for review and also proposing merge requests.
FYI, /etc/NetworkManager/dispatcher.d/03mmsproxy also needs to talk to
ofono. This is actually called by
/usr/lib/NetworkManager/nm-dispatcher.action as opposed to
/usr/sbin/NetworkManager and /etc/NetworkManager/dispatcher.d/03mmsproxy
is shipped by lxc-android-config. This isn't a problem, but
AppArmor packages are in
https://launchpad.net/~ubuntu-security-proposed/+archive/ppa/+packages
to unblock this bug. I'm testing local modifications for this bug with
those packages now and everything works well. We will be requesting a
silo for the apparmor packages on Monday. As such, I will be
So, I have things working locally, but there is a problem in that a race
condition is being hit (LP: #1305108) where telepathy-ofono is launching
before their profile is loaded, which breaks the dialer (since the
process is running under the 'unconfined' label which isn't allowed to
talk to ofono).
I just added a task for ubuntu-download-manager. Nice catch. Please
let me know when you're ready for some more hands-on testing.
** Also affects: ubuntu-download-manager (Ubuntu)
Importance: Undecided
Status: New
** Changed in: ubuntu-download-manager (Ubuntu)
Assignee: (unassi
I think I was wrong about rild and was hitting another issue.
I seem to have this all working locally by creating profiles for:
usr.bin.nuntium
usr.bin.powerd
usr.bin.system-settings
usr.lib.indicator-network-service
usr.lib.urfkilld
usr.sbin.NetworkManager
usr.sbin.ofonod
then adju
Looks like rild will also need a profile. Furthermore, we need to create
the symlinks in /etc/apparmor/init/network-interface-security to make
sure these things are coming up confined.
** Changed in: ubuntu-system-settings (Ubuntu)
Assignee: (unassigned) => Jamie Strandboge (jdstrand)
** Cha
** Also affects: ubuntu-system-settings (Ubuntu)
Importance: Undecided
Status: New
The greeter code itself probably doesn't need its own access to ofono,
but if you are basing any checks on which user is running, please
remember that telepathy-ofono and friends run as the 'lightdm' user
inside a greeter session.
We also need some further investigation as the following components
*may* also need access:
- ubuntu-download-manager
- greeter
** Also affects: nuntium (Ubuntu)
Importance: Undecided
Status: New
After discussion with Jamie, I think we merely want to restrict ofono
usage to a particular set of system processes.
AppArmor is not capable of restricting individual properties, and
unfortunately "Online" is a property of the top-level org.ofono.Modem
interface which we really can't restrict to j