Created by Ubuntu Package Importer on 2013-10-19 and last modified on 2014-04-09
Get this branch:
bzr branch lp:ubuntu/trusty/apparmor-easyprof-ubuntu
Members of Ubuntu branches can upload to this branch. Log in for directions.

Branch merges

Related bugs

Related blueprints

Branch information

Ubuntu branches

Recent revisions

61. By Jamie Strandboge on 2014-04-09

1.1/webview: update to allow exec of chrome-sandbox now that oxide is
doing a proper fork/exec

60. By Jamie Strandboge on 2014-04-08

* 1.*/unconfined: update for ptrace and signal
* 1.1/music_files*: add rules for talking to the media-hub-server and read
  access to mediascanner files
* 1.1/video_files*: add rules for talking to the media-hub-server and read
  access to mediascanner files

59. By Jamie Strandboge on 2014-04-03

* 1.1/webview: update for ptrace and signal mediation (LP: #1298611)
* debian/control: Depends on apparmor >= 2.8.95~2430-0ubuntu4

58. By Jamie Strandboge on 2014-04-02

* 1.1/webview (LP: #1301351)
  - add 'mr' for chrome-sandbox and oxide-renderer
  - allow 'r' for @{PROC}/sys/kernel/yama/ptrace_scope

57. By Jamie Strandboge on 2014-03-31

1.1/webview: suppress denial for write to /usr/bin/locales/ like we do for
/usr/lib/@{multiarch}/oxide-qt/locales/ already since it is confusing for
people who are diagnosing oxide issues (LP: #1260044)

56. By Jamie Strandboge on 2014-03-28

* 1.0/ubuntu-*: explicitly deny access to oxide files so webbrowser-app's
  fallback mechanism to QtWebKit works correctly. This is needed so 13.10
  framework webapps don't regress
* 1.1/webview: prevent certificate db poisoning and disallow write access to
  @{HOME}/.pki/nssdb/*. Note, while this prevents cert attacks, it doesn't
  prevent information disclosure so once LP: 1260048 is fixed in oxide, we
  can remove the read access.

55. By Jamie Strandboge on 2014-03-24

* 1.*/ubuntu-*:
  - add read access to /usr/share/unity/icons/**. Why this isn't under
    /usr/share/icons/unity instead, I don't know, but the access is
    harmless, so allow it. This is currently needed by the gallery
  - explicitly deny access to com.canonical.snapdecisions interface
    (LP: #1291234)
* 1.*/friends: allow freedesktop.org notifications which is needed by the
  gallery app to show that a picture has been uploaded (LP: #1279969)
* debian/control: Build-Depends on apparmor-easyprof since it is needed by
  the testsuite. This is needed because dh-apparmor now only Suggests

54. By Jamie Strandboge on 2014-03-17

* adjustments for Qt5.2
  - 1.*/networking: like with other NetworkManager access, explicitly deny
    connecting to peer=(name=org.freedesktop.NetworkManager)
* 1.1/content_exchange: deny 'w' on ~/.cache/@{APP_PKGNAME}/HubIncoming/**.
  The content-hub will create hard links in this directory for volatile
  data, but using hard links means the content source file could be modified
  by the app. This prevents that. (LP: #1293771)

53. By Jamie Strandboge on 2014-03-05

* 1.*/ubuntu-sdk: allow accesses to workaround intel driver crash on X
  - allow read of /sys/devices/pci[0-9]*/**/uevent
  - allow read of /etc/udev/udev.conf
  - explicityly deny /run/udev/data/**, like we do elsewhere
  - LP: #1286162

52. By Jamie Strandboge on 2014-03-03

1.*/ubuntu-sdk: /usr/share/ubuntu-html5-theme moved to
/usr/share/ubuntu-html5-ui-toolkit (LP: #1287297)

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
This branch contains Public information 
Everyone can see this information.