Mir

Merge lp:~kgunn72/mir/snappy-packaging-with-secprofile into lp:~mir-team/mir/snappy-packaging

  1. snappy-packaging-with-secprofile
  2. Merge into snappy-packaging
Proposed by kevin gunn
Status: Work in progress
Proposed branch: lp:~kgunn72/mir/snappy-packaging-with-secprofile
Merge into: lp:~mir-team/mir/snappy-packaging
Diff against target: 999 lines (+932/-2)
8 files modified
Makefile (+1/-1)
overlay/meta/framework-policy/apparmor/policygroups/client (+6/-0)
overlay/meta/framework-policy/seccomp/policygroups/client (+1/-0)
overlay/meta/mir.apparmor (+74/-0)
overlay/meta/mir.seccomp (+403/-0)
overlay/meta/mirdemosvr.apparmor (+45/-0)
overlay/meta/mirdemosvr.seccomp (+393/-0)
overlay/meta/package.yaml (+9/-1)
To merge this branch: bzr merge lp:~kgunn72/mir/snappy-packaging-with-secprofile
Reviewer Review Type Date Requested Status
Jamie Strandboge (community) Needs Fixing
Mir development team Pending
Review via email: mp+266111@code.launchpad.net

Commit message

first draft additions to confine the mir snap and client

Description of the change

first draft additions to confine the mir snap and client
used the Qt clock reference app as the means to exercise the mir operation, which my not be exhaustive and other client applications may need to look for AA denials or bad sys calls during debug.

To post a comment you must log in.
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Things are really coming along! Most of my comments are inline, however I did want to mention that in looking at the mir_demo_server packaging and security policy, I think you can simplify things and have mir_demo_server simply use the default security policy with the @PACKAGE@_client cap. Ie, update the yaml to be:

binaries:
  - name: mir_demo_server
    exec: debs/usr/bin/mir_demo_server
    caps:
      - network-client
      - @PACKAGE@_client

Then do:
$ rm -f overlay/meta/mirdemosvr.apparmor overlay/meta/mirdemosvr.seccomp

Note: framework binaries and services may reference the framework-policy from this snap.

review: Needs Fixing
Reply
Revision history for this message
Chris Halse Rogers (raof) wrote :

Commented about AUTH_ADMIN requirement. I don't think we actually need chown in the regular case, and the option which *does* need it probably shouldn't be allowed system-wide.

Reply
Revision history for this message
Daniel van Vugt (vanvugt) wrote :

I think this proposal has stagnated because ~mir-team isn't familiar with any of this.

I say just land it. If anyone on ~mir-team does have a clue about what they're modifying in these areas, they can probably just commit directly to the snappy-packaging branch. Doing a merge proposal seems counter-productive at this early stage of Snappy.

Reply
Revision history for this message
kevin gunn (kgunn72) wrote :

true on the stagnation, as I did the snappy confinement work but I need help with some of the comments as my technical depth isn't deep enough.

But please don't land it, the point of the MP was to capture security team feeback on the snappy confinement.

Reply
Revision history for this message
Kevin DuBois (kdub) wrote :

I suppose lets move to work-in-progress then?

Reply
Revision history for this message
kevin gunn (kgunn72) wrote :

OK, based on the current changes in snappy this is now strictly historical.
All security policy is going to be defined by the system for the "display-server" capability which is based on the confinement work done here, this is happening b/c snappy is deprecating the concept of a framework that provides it's own security policy.

Reply

Unmerged revisions

26. By kevin gunn

final seccomp change

25. By kevin gunn

seccomp updates for demo of clock app

24. By kevin gunn

seccomp profile changes, mir launches

23. By kevin gunn

final aa profile changes, clock example launches

22. By kevin gunn

apparmor profile updates, mir launching

21. By kevin gunn

update more aa profile

20. By kevin gunn

update from trunk

19. By kevin gunn

update apparmor and seccomp files for mir & better server script

18. By kevin gunn

mir-comp sec prof updates and add mir-demo-server files

17. By kevin gunn

first adds of security profile

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
=== modified file 'Makefile'
--- Makefile 2015-06-19 06:20:48 +0000
+++ Makefile 2015-07-28 14:59:40 +0000
@@ -15,7 +15,7 @@
15# You should have received a copy of the GNU General Public License15# You should have received a copy of the GNU General Public License
16# along with this program. If not, see <http://www.gnu.org/licenses/>.16# along with this program. If not, see <http://www.gnu.org/licenses/>.
1717
18SNAPVER:=118SNAPVER:=1.1
19VERSION="$(shell apt-cache policy mir-demos | grep '^ \*\*\* ' | cut -c1-7,10-17 --complement | cut -d' ' -f3)snap${SNAPVER}"19VERSION="$(shell apt-cache policy mir-demos | grep '^ \*\*\* ' | cut -c1-7,10-17 --complement | cut -d' ' -f3)snap${SNAPVER}"
2020
21all: snap21all: snap
2222
=== modified file 'overlay/meta/framework-policy/apparmor/policygroups/client'
--- overlay/meta/framework-policy/apparmor/policygroups/client 2015-07-09 21:58:15 +0000
+++ overlay/meta/framework-policy/apparmor/policygroups/client 2015-07-28 14:59:40 +0000
@@ -8,9 +8,13 @@
8@{CLICK_DIR}/@PACKAGE@/*/debs/usr/lib/*/mir/client-platform/ r,8@{CLICK_DIR}/@PACKAGE@/*/debs/usr/lib/*/mir/client-platform/ r,
9@{CLICK_DIR}/@PACKAGE@/*/debs/usr/lib/*/mir/client-platform/* r,9@{CLICK_DIR}/@PACKAGE@/*/debs/usr/lib/*/mir/client-platform/* r,
1010
11capability chown,
12capability fowner,
13
11# Socket to talk on14# Socket to talk on
12/run/mir_socket rw,15/run/mir_socket rw,
13unix (connect, send, receive) peer=(label=@PACKAGE@_system-compositor_@VERSION@),16unix (connect, send, receive) peer=(label=@PACKAGE@_system-compositor_@VERSION@),
17#unix (receive, send) type=seqpacket addr=none,
1418
15# For non-opengl apps19# For non-opengl apps
16# https://www.kernel.org/doc/gorman/html/understand/understand015.html20# https://www.kernel.org/doc/gorman/html/understand/understand015.html
@@ -29,3 +33,5 @@
2933
30# FIXME: this is too lenient, please adjust for specific accesses34# FIXME: this is too lenient, please adjust for specific accesses
31/sys/devices/*/*/*/uevent r,35/sys/devices/*/*/*/uevent r,
36
37/usr/share/applications/ r,
3238
=== modified file 'overlay/meta/framework-policy/seccomp/policygroups/client'
--- overlay/meta/framework-policy/seccomp/policygroups/client 2015-07-09 21:58:15 +0000
+++ overlay/meta/framework-policy/seccomp/policygroups/client 2015-07-28 14:59:40 +0000
@@ -3,3 +3,4 @@
33
4# needed to connect to mir4# needed to connect to mir
5socketpair5socketpair
6lchown
6\ No newline at end of file7\ No newline at end of file
78
=== added file 'overlay/meta/mir.apparmor'
--- overlay/meta/mir.apparmor 1970-01-01 00:00:00 +0000
+++ overlay/meta/mir.apparmor 2015-07-28 14:59:40 +0000
@@ -0,0 +1,74 @@
1# Description: mir-compositor apparmor security profile
2# Usage: Mir
3
4#include <tunables/global>
5
6# Specified profile variables
7###VAR###
8
9###PROFILEATTACH### (attach_disconnected) {
10 #include <abstractions/base>
11 #include <abstractions/nameservice>
12
13capability dac_override,
14capability sys_tty_config,
15capability sys_admin,
16
17 # Read-only for the install directory
18 @{CLICK_DIR}/@{APP_PKGNAME}/ r,
19 @{CLICK_DIR}/@{APP_PKGNAME}/@{APP_VERSION}/ r,
20 @{CLICK_DIR}/@{APP_PKGNAME}/@{APP_VERSION}/** mrklix,
21
22 # Writable home area
23 owner @{HOMEDIRS}/apps/@{APP_PKGNAME}/ rw,
24 owner @{HOMEDIRS}/apps/@{APP_PKGNAME}/** mrwklix,
25
26 # Read-only system area for other versions
27 /var/lib/apps/@{APP_PKGNAME}/ r,
28 /var/lib/apps/@{APP_PKGNAME}/** mrkix,
29
30 # Writable system area only for this version.
31 /var/lib/apps/@{APP_PKGNAME}/@{APP_VERSION}/ w,
32 /var/lib/apps/@{APP_PKGNAME}/@{APP_VERSION}/** wl,
33
34# ... specialized confinement ...
35# Socket to talk on
36/run/mir_socket rw,
37unix (receive, send) type=seqpacket addr=none,
38
39# Hardware acceleration
40/dev/dri/card0 rw,
41
42# For non-opengl apps
43/dev/shm/\#* rw,
44
45# udev
46/sys/devices/**/uevent r,
47/sys/devices/**/ r,
48/dev/input/* rw,
49/dev/tty* wr,
50/run/udev/data/* r,
51
52ptrace peer=**,
53/bin/dash mrix,
54/bin/sleep mrix,
55/bin/pidof mrix,
56/bin/sed mrix,
57/bin/cp mrix,
58/sbin/killall5 ixr,
59/usr/bin/expr ixr,
60/usr/bin/chmod ixr,
61/bin/chmod ixr,
62/proc/ r,
63/proc/*/stat r,
64/proc/*/cmdline r,
65/sys/bus/ r,
66/sys/class/ r,
67/sys/class/input/ r,
68/sys/class/drm/ r,
69/etc/udev/udev.conf r,
70capability sys_ptrace,
71capability chown,
72capability fowner,
73capability sys_ptrace,
74}
075
=== added file 'overlay/meta/mir.seccomp'
--- overlay/meta/mir.seccomp 1970-01-01 00:00:00 +0000
+++ overlay/meta/mir.seccomp 2015-07-28 14:59:40 +0000
@@ -0,0 +1,403 @@
1sudo vi# Description: mir-compositor apparmor security profile
2# Usage: Mir
3access
4accept
5faccessat
6
7alarm
8brk
9bind
10# ARM private syscalls
11breakpoint
12cacheflush
13set_tls
14usr26
15usr32
16
17capget
18
19chdir
20fchdir
21
22# We can't effectively block file perms due to open() with O_CREAT, so allow
23# chmod until we have syscall arg filtering (LP: #1446748)
24chmod
25fchmod
26fchmodat
27
28# snappy doesn't currently support per-app UID/GIDs so don't allow chown. To
29# properly support chown, we need to have syscall arg filtering (LP: #1446748)
30# and per-app UID/GIDs.
31#chown
32#chown32
33#fchown
34#fchown32
35#fchownat
36
37# needed for chmod'ing the mir socket so apps can use
38lchown
39#lchown32
40
41clock_getres
42clock_gettime
43clock_nanosleep
44clone
45close
46connect
47creat
48dup
49dup2
50dup3
51epoll_create
52epoll_create1
53epoll_ctl
54epoll_ctl_old
55epoll_pwait
56epoll_wait
57epoll_wait_old
58eventfd
59eventfd2
60execve
61execveat
62_exit
63exit
64exit_group
65fallocate
66
67# requires CAP_SYS_ADMIN
68#fanotify_init
69#fanotify_mark
70
71fcntl
72fcntl64
73flock
74fork
75ftime
76futex
77get_mempolicy
78get_robust_list
79get_thread_area
80getcpu
81getcwd
82getdents
83getdents64
84getegid
85getegid32
86geteuid
87geteuid32
88getgid
89getgid32
90getgroups
91getgroups32
92getitimer
93getpgid
94getpgrp
95getpid
96getppid
97getpriority
98getrandom
99getresgid
100getresgid32
101getresuid
102getresuid32
103
104getrlimit
105ugetrlimit
106
107getrusage
108getsid
109getsockname
110getsockopt
111gettid
112gettimeofday
113getuid
114getuid32
115
116getxattr
117fgetxattr
118lgetxattr
119
120inotify_add_watch
121inotify_init
122inotify_init1
123inotify_rm_watch
124
125# Needed by shell
126ioctl
127
128io_cancel
129io_destroy
130io_getevents
131io_setup
132io_submit
133ioprio_get
134# affects other processes, requires CAP_SYS_ADMIN. Potentially allow with
135# syscall filtering of (at least) IOPRIO_WHO_USER (LP: #1446748)
136#ioprio_set
137
138ipc
139kill
140link
141linkat
142listen
143listxattr
144llistxattr
145flistxattr
146
147lseek
148llseek
149_llseek
150lstat
151lstat64
152
153madvise
154fadvise64
155fadvise64_64
156arm_fadvise64_64
157
158mbind
159mincore
160mkdir
161mkdirat
162mlock
163mlockall
164mmap
165mmap2
166mprotect
167
168# LP: #1448184 - these aren't currently mediated by AppArmor. Deny for now
169#mq_getsetattr
170#mq_notify
171#mq_open
172#mq_timedreceive
173#mq_timedsend
174#mq_unlink
175
176mremap
177msgctl
178msgget
179msgrcv
180msgsnd
181msync
182munlock
183munlockall
184munmap
185
186nanosleep
187
188# LP: #1446748 - deny until we have syscall arg filtering. Alternatively, set
189# RLIMIT_NICE hard limit for apps, launch them under an appropriate nice value
190# and allow this call
191#nice
192
193# LP: #1446748 - support syscall arg filtering for mode_t with O_CREAT
194open
195
196openat
197pause
198pipe
199pipe2
200poll
201ppoll
202
203# LP: #1446748 - support syscall arg filtering
204prctl
205arch_prctl
206
207read
208pread
209pread64
210preadv
211readv
212
213readahead
214readdir
215readlink
216readlinkat
217recvmsg
218remap_file_pages
219
220removexattr
221fremovexattr
222lremovexattr
223
224rename
225renameat
226renameat2
227
228# The man page says this shouldn't be needed, but we've seen denials for it
229# in the wild
230restart_syscall
231
232rmdir
233rt_sigaction
234rt_sigpending
235rt_sigprocmask
236rt_sigqueueinfo
237rt_sigreturn
238rt_sigsuspend
239rt_sigtimedwait
240rt_tgsigqueueinfo
241sched_getaffinity
242sched_getattr
243sched_getparam
244sched_get_priority_max
245sched_get_priority_min
246sched_getscheduler
247sched_rr_get_interval
248# LP: #1446748 - when support syscall arg filtering, enforce pid_t is 0 so the
249# app may only change its own scheduler
250sched_setscheduler
251
252sched_yield
253
254select
255_newselect
256pselect
257pselect6
258
259semctl
260semget
261semop
262semtimedop
263sendfile
264sendfile64
265sendmsg
266sendto
267
268# snappy doesn't currently support per-app UID/GIDs so don't allow this family
269# of syscalls. To properly support these, we need to have syscall arg filtering
270# (LP: #1446748) and per-app UID/GIDs.
271#setgid
272#setgid32
273#setgroups
274#setgroups32
275#setregid
276#setregid32
277#setresgid
278#setresgid32
279#setresuid
280#setresuid32
281#setreuid
282#setreuid32
283#setuid
284#setuid32
285
286# These break isolation but are common and can't be mediated at the seccomp
287# level with arg filtering
288setpgid
289setpgrp
290
291set_thread_area
292setitimer
293
294# apps don't have CAP_SYS_RESOURCE so these can't be abused to raise the hard
295# limits
296setrlimit
297prlimit64
298
299set_mempolicy
300set_robust_list
301setsid
302set_tid_address
303setsockopt
304setxattr
305fsetxattr
306lsetxattr
307
308shmat
309shmctl
310shmdt
311shmget
312signal
313sigaction
314signalfd
315signalfd4
316sigaltstack
317sigpending
318sigprocmask
319sigreturn
320sigsuspend
321sigtimedwait
322sigwaitinfo
323socket
324socketpair
325splice
326
327stat
328stat64
329fstat
330fstat64
331fstatat64
332lstat
333newfstatat
334oldfstat
335oldlstat
336oldstat
337
338statfs
339statfs64
340fstatfs
341fstatfs64
342statvfs
343fstatvfs
344ustat
345
346symlink
347symlinkat
348
349sync
350sync_file_range
351sync_file_range2
352arm_sync_file_range
353fdatasync
354fsync
355syncfs
356sysinfo
357syslog
358tee
359tgkill
360time
361timer_create
362timer_delete
363timer_getoverrun
364timer_gettime
365timer_settime
366timerfd_create
367timerfd_gettime
368timerfd_settime
369times
370tkill
371
372truncate
373truncate64
374ftruncate
375ftruncate64
376
377umask
378
379uname
380olduname
381oldolduname
382
383unlink
384unlinkat
385
386utime
387utimensat
388utimes
389futimesat
390
391vfork
392vmsplice
393wait4
394oldwait4
395waitpid
396waitid
397
398write
399writev
400pwrite
401pwrite64
402pwritev
403
0404
=== added file 'overlay/meta/mirdemosvr.apparmor'
--- overlay/meta/mirdemosvr.apparmor 1970-01-01 00:00:00 +0000
+++ overlay/meta/mirdemosvr.apparmor 2015-07-28 14:59:40 +0000
@@ -0,0 +1,45 @@
1# Description: mir-demo-server apparmor security profile
2# Usage: Mir
3
4#include <tunables/global>
5
6# Specified profile variables
7###VAR###
8
9###PROFILEATTACH### (attach_disconnected) {
10 #include <abstractions/base>
11 #include <abstractions/nameservice>
12
13 # Read-only for the install directory
14 @{CLICK_DIR}/@{APP_PKGNAME}/ r,
15 @{CLICK_DIR}/@{APP_PKGNAME}/@{APP_VERSION}/ r,
16 @{CLICK_DIR}/@{APP_PKGNAME}/@{APP_VERSION}/** mrklix,
17
18 # Writable home area
19 owner @{HOMEDIRS}/apps/@{APP_PKGNAME}/ rw,
20 owner @{HOMEDIRS}/apps/@{APP_PKGNAME}/** mrwklix,
21
22 # Read-only system area for other versions
23 /var/lib/apps/@{APP_PKGNAME}/ r,
24 /var/lib/apps/@{APP_PKGNAME}/** mrkix,
25
26 # Writable system area only for this version.
27 /var/lib/apps/@{APP_PKGNAME}/@{APP_VERSION}/ w,
28 /var/lib/apps/@{APP_PKGNAME}/@{APP_VERSION}/** wl,
29
30# ... specialized confinement ...
31# Socket to talk on
32/run/mir_socket rw,
33
34# Hardware acceleration
35/dev/dri/card0 rw,
36
37# For non-opengl apps
38/dev/shm/\#* rw,
39
40# udev
41/sys/devices/*/*/*/uevent rw,
42/sys/devices/*/*/*/drm/card0/uevent rw,
43/sys/bus r,
44/sys/class r,
45}
046
=== added file 'overlay/meta/mirdemosvr.seccomp'
--- overlay/meta/mirdemosvr.seccomp 1970-01-01 00:00:00 +0000
+++ overlay/meta/mirdemosvr.seccomp 2015-07-28 14:59:40 +0000
@@ -0,0 +1,393 @@
1# Description: mir-demo-server apparmor security profile
2# Usage: Mir
3access
4accept
5faccessat
6
7alarm
8brk
9
10# ARM private syscalls
11breakpoint
12cacheflush
13set_tls
14usr26
15usr32
16
17capget
18
19chdir
20fchdir
21
22# We can't effectively block file perms due to open() with O_CREAT, so allow
23# chmod until we have syscall arg filtering (LP: #1446748)
24chmod
25fchmod
26fchmodat
27
28# snappy doesn't currently support per-app UID/GIDs so don't allow chown. To
29# properly support chown, we need to have syscall arg filtering (LP: #1446748)
30# and per-app UID/GIDs.
31#chown
32#chown32
33#fchown
34#fchown32
35#fchownat
36#lchown
37#lchown32
38
39clock_getres
40clock_gettime
41clock_nanosleep
42clone
43close
44creat
45dup
46dup2
47dup3
48epoll_create
49epoll_create1
50epoll_ctl
51epoll_ctl_old
52epoll_pwait
53epoll_wait
54epoll_wait_old
55eventfd
56eventfd2
57execve
58execveat
59_exit
60exit
61exit_group
62fallocate
63
64# requires CAP_SYS_ADMIN
65#fanotify_init
66#fanotify_mark
67
68fcntl
69fcntl64
70flock
71fork
72ftime
73futex
74get_mempolicy
75get_robust_list
76get_thread_area
77getcpu
78getcwd
79getdents
80getdents64
81getegid
82getegid32
83geteuid
84geteuid32
85getgid
86getgid32
87getgroups
88getgroups32
89getitimer
90getpgid
91getpgrp
92getpid
93getppid
94getpriority
95getrandom
96getresgid
97getresgid32
98getresuid
99getresuid32
100
101getrlimit
102ugetrlimit
103
104getrusage
105getsid
106gettid
107gettimeofday
108getuid
109getuid32
110
111getxattr
112fgetxattr
113lgetxattr
114
115inotify_add_watch
116inotify_init
117inotify_init1
118inotify_rm_watch
119
120# Needed by shell
121ioctl
122
123io_cancel
124io_destroy
125io_getevents
126io_setup
127io_submit
128ioprio_get
129# affects other processes, requires CAP_SYS_ADMIN. Potentially allow with
130# syscall filtering of (at least) IOPRIO_WHO_USER (LP: #1446748)
131#ioprio_set
132
133ipc
134kill
135link
136linkat
137
138listxattr
139llistxattr
140flistxattr
141
142lseek
143llseek
144_llseek
145lstat
146lstat64
147
148madvise
149fadvise64
150fadvise64_64
151arm_fadvise64_64
152
153mbind
154mincore
155mkdir
156mkdirat
157mlock
158mlockall
159mmap
160mmap2
161mprotect
162
163# LP: #1448184 - these aren't currently mediated by AppArmor. Deny for now
164#mq_getsetattr
165#mq_notify
166#mq_open
167#mq_timedreceive
168#mq_timedsend
169#mq_unlink
170
171mremap
172msgctl
173msgget
174msgrcv
175msgsnd
176msync
177munlock
178munlockall
179munmap
180
181nanosleep
182
183# LP: #1446748 - deny until we have syscall arg filtering. Alternatively, set
184# RLIMIT_NICE hard limit for apps, launch them under an appropriate nice value
185# and allow this call
186#nice
187
188# LP: #1446748 - support syscall arg filtering for mode_t with O_CREAT
189open
190
191openat
192pause
193pipe
194pipe2
195poll
196ppoll
197
198# LP: #1446748 - support syscall arg filtering
199prctl
200arch_prctl
201
202read
203pread
204pread64
205preadv
206readv
207
208readahead
209readdir
210readlink
211readlinkat
212remap_file_pages
213
214removexattr
215fremovexattr
216lremovexattr
217
218rename
219renameat
220renameat2
221
222# The man page says this shouldn't be needed, but we've seen denials for it
223# in the wild
224restart_syscall
225
226rmdir
227rt_sigaction
228rt_sigpending
229rt_sigprocmask
230rt_sigqueueinfo
231rt_sigreturn
232rt_sigsuspend
233rt_sigtimedwait
234rt_tgsigqueueinfo
235sched_getaffinity
236sched_getattr
237sched_getparam
238sched_get_priority_max
239sched_get_priority_min
240sched_getscheduler
241sched_rr_get_interval
242# LP: #1446748 - when support syscall arg filtering, enforce pid_t is 0 so the
243# app may only change its own scheduler
244sched_setscheduler
245
246sched_yield
247
248select
249_newselect
250pselect
251pselect6
252
253semctl
254semget
255semop
256semtimedop
257sendfile
258sendfile64
259
260# snappy doesn't currently support per-app UID/GIDs so don't allow this family
261# of syscalls. To properly support these, we need to have syscall arg filtering
262# (LP: #1446748) and per-app UID/GIDs.
263#setgid
264#setgid32
265#setgroups
266#setgroups32
267#setregid
268#setregid32
269#setresgid
270#setresgid32
271#setresuid
272#setresuid32
273#setreuid
274#setreuid32
275#setuid
276#setuid32
277
278# These break isolation but are common and can't be mediated at the seccomp
279# level with arg filtering
280setpgid
281setpgrp
282
283set_thread_area
284setitimer
285
286# apps don't have CAP_SYS_RESOURCE so these can't be abused to raise the hard
287# limits
288setrlimit
289prlimit64
290
291set_mempolicy
292set_robust_list
293setsid
294set_tid_address
295
296setxattr
297fsetxattr
298lsetxattr
299
300shmat
301shmctl
302shmdt
303shmget
304signal
305sigaction
306signalfd
307signalfd4
308sigaltstack
309sigpending
310sigprocmask
311sigreturn
312sigsuspend
313sigtimedwait
314sigwaitinfo
315splice
316
317stat
318stat64
319fstat
320fstat64
321fstatat64
322lstat
323newfstatat
324oldfstat
325oldlstat
326oldstat
327
328statfs
329statfs64
330fstatfs
331fstatfs64
332statvfs
333fstatvfs
334ustat
335
336symlink
337symlinkat
338
339sync
340sync_file_range
341sync_file_range2
342arm_sync_file_range
343fdatasync
344fsync
345syncfs
346sysinfo
347syslog
348tee
349tgkill
350time
351timer_create
352timer_delete
353timer_getoverrun
354timer_gettime
355timer_settime
356timerfd_create
357timerfd_gettime
358timerfd_settime
359times
360tkill
361
362truncate
363truncate64
364ftruncate
365ftruncate64
366
367umask
368
369uname
370olduname
371oldolduname
372
373unlink
374unlinkat
375
376utime
377utimensat
378utimes
379futimesat
380
381vfork
382vmsplice
383wait4
384oldwait4
385waitpid
386waitid
387
388write
389writev
390pwrite
391pwrite64
392pwritev
393
0394
=== modified file 'overlay/meta/package.yaml'
--- overlay/meta/package.yaml 2015-06-11 21:18:28 +0000
+++ overlay/meta/package.yaml 2015-07-28 14:59:40 +0000
@@ -8,4 +8,12 @@
8 - name: system-compositor8 - name: system-compositor
9 description: "system compositor"9 description: "system compositor"
10 start: bin/server10 start: bin/server
11 security-template: unconfined11 security-policy:
12 apparmor: ./meta/mir.apparmor
13 seccomp: ./meta/mir.seccomp
14binaries:
15 - name: mir_demo_server
16 exec: debs/usr/bin/mir_demo_server
17 security-policy:
18 apparmor: ./meta/mirdemosvr.apparmor
19 seccomp: ./meta/mirdemosvr.seccomp

Subscribers

People subscribed via source and target branches