Created by Ubuntu Package Importer and last modified
Get this branch:
bzr branch lp:ubuntu/trusty-proposed/apparmor-easyprof-ubuntu

Branch information

Ubuntu branches
Review team:
Ubuntu Development Team

Recent revisions

61. By Jamie Strandboge

1.1/webview: update to allow exec of chrome-sandbox now that oxide is
doing a proper fork/exec

60. By Jamie Strandboge

* 1.*/unconfined: update for ptrace and signal
* 1.1/music_files*: add rules for talking to the media-hub-server and read
  access to mediascanner files
* 1.1/video_files*: add rules for talking to the media-hub-server and read
  access to mediascanner files

59. By Jamie Strandboge

* 1.1/webview: update for ptrace and signal mediation (LP: #1298611)
* debian/control: Depends on apparmor >= 2.8.95~2430-0ubuntu4

58. By Jamie Strandboge

* 1.1/webview (LP: #1301351)
  - add 'mr' for chrome-sandbox and oxide-renderer
  - allow 'r' for @{PROC}/sys/kernel/yama/ptrace_scope

57. By Jamie Strandboge

1.1/webview: suppress denial for write to /usr/bin/locales/ like we do for
/usr/lib/@{multiarch}/oxide-qt/locales/ already since it is confusing for
people who are diagnosing oxide issues (LP: #1260044)

56. By Jamie Strandboge

* 1.0/ubuntu-*: explicitly deny access to oxide files so webbrowser-app's
  fallback mechanism to QtWebKit works correctly. This is needed so 13.10
  framework webapps don't regress
* 1.1/webview: prevent certificate db poisoning and disallow write access to
  @{HOME}/.pki/nssdb/*. Note, while this prevents cert attacks, it doesn't
  prevent information disclosure so once LP: 1260048 is fixed in oxide, we
  can remove the read access.

55. By Jamie Strandboge

* 1.*/ubuntu-*:
  - add read access to /usr/share/unity/icons/**. Why this isn't under
    /usr/share/icons/unity instead, I don't know, but the access is
    harmless, so allow it. This is currently needed by the gallery
  - explicitly deny access to com.canonical.snapdecisions interface
    (LP: #1291234)
* 1.*/friends: allow freedesktop.org notifications which is needed by the
  gallery app to show that a picture has been uploaded (LP: #1279969)
* debian/control: Build-Depends on apparmor-easyprof since it is needed by
  the testsuite. This is needed because dh-apparmor now only Suggests

54. By Jamie Strandboge

* adjustments for Qt5.2
  - 1.*/networking: like with other NetworkManager access, explicitly deny
    connecting to peer=(name=org.freedesktop.NetworkManager)
* 1.1/content_exchange: deny 'w' on ~/.cache/@{APP_PKGNAME}/HubIncoming/**.
  The content-hub will create hard links in this directory for volatile
  data, but using hard links means the content source file could be modified
  by the app. This prevents that. (LP: #1293771)

53. By Jamie Strandboge

* 1.*/ubuntu-sdk: allow accesses to work around intel driver crash on X
  - allow read of /sys/devices/pci[0-9]*/**/uevent
  - allow read of /etc/udev/udev.conf
  - explicitly deny /run/udev/data/**, like we do elsewhere
  - LP: #1286162

52. By Jamie Strandboge

1.*/ubuntu-sdk: /usr/share/ubuntu-html5-theme moved to
/usr/share/ubuntu-html5-ui-toolkit (LP: #1287297)

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on: