Created by Ubuntu Package Importer on 2014-04-30 and last modified on 2014-10-22
Get this branch:
bzr branch lp:ubuntu/utopic-proposed/apparmor-easyprof-ubuntu
Members of Ubuntu branches can upload to this branch. Log in for directions.

Branch merges

Related bugs

Related blueprints

Branch information

Ubuntu branches
Review team:
Ubuntu Development Team

Recent revisions

95. By Jamie Strandboge on 2014-10-22

ubuntu/networking: add rules for app-specific ubuntu-download-manager
file downloads (LP: #1384349)

94. By Jamie Strandboge on 2014-10-14

ubuntu/audio: also allow access to GetArtistArt when accessing the
thumbnailer (LP: #1381102)

93. By Jamie Strandboge on 2014-10-08

* ubuntu/accounts: allow all on org.freedesktop.DBus.Properties for
  /com/google/code/AccountsSSO/SingleSignOn/** (LP: #1378809)
* ubuntu/ubuntu-*, pending/ubuntu-scope-local-content, ubuntu/webview: also
  allow read on /android/system/build.prop (LP: #1378838)

92. By Jamie Strandboge on 2014-10-06

* ubuntu/1.2/push-notification-client: don't deny access to the clipboard
  since sdk apps are supposed to be able to specify this policy group
* ubuntu/1.2: add ubuntu-push-helper for push-helpers to use which (among
  other things) explicitly disables access to the clipboard (LP: #1371170)
* adjust autopackagetest for ubuntu-push-helper
* ubuntu/accounts: allow all on org.freedesktop.DBus.Properties for
* ubuntu/1.2/ubuntu-scope-network, pending/ubuntu-scope-local-content: also
  add remaining libhybris paths (/{,var/}run/shm/hybris_shm_data and
* ubuntu/ubuntu-sdk: explicitly disallow gsettings (dconf) access
  (LP: #1378115)

91. By Jamie Strandboge on 2014-10-06

ubuntu/1.[12]/ubuntu-{sdk,webapp}: re-add still needed rule for
/{,run/}shm/shm/WK2SharedMemory.[0-9]*. This needs to stay until qtwebkit
is removed from the image (LP: #1377648)

90. By Jamie Strandboge on 2014-10-03

* ubuntu/accounts: allow access to GetAll on org.freedesktop.DBus.Properties
  for /com/google/code/AccountsSSO/SingleSignOn (LP: #1377205)
* ubuntu/webview: also deny access to /custom/etc/dconf_profile. This is
  fallout from Oxide trying to use gsettings, but we've been silently
  denying that access since the webview policy group was added, so just
  silence this denial too (LP: #1260101)
* ubuntu/ubuntu-{sdk,webapp}: also allow talking to clipboard on freedesktop
  interface (LP: #1377221)
* tests/test-data.py: update hardware dir handling and also adjust policy
  groups to use tmpdir
* debian/control: Build-Depends on apparmor so we can check syntax during

89. By Jamie Strandboge on 2014-10-01

* ubuntu/1.2/ubuntu-scope-network, pending/ubuntu-scope-local-content:
  allow access to android libraries (LP: #1376430)
* ubuntu/ubuntu-{sdk,webapp}: allow read access for thumbnailer icons
  (LP: #1376436)

88. By Jamie Strandboge on 2014-09-30

* ubuntu/ubuntu-*: add owner /{run,dev}/shm/shmfd-* rwk (LP: #1370218)
* ubuntu/microphone: remove shmfd access since it is in the templates now

87. By Jamie Strandboge on 2014-09-29

ubuntu/webview: explicitly deny write access to @{PROC}/[0-9]*/oom_adj
and @{PROC}/[0-9]*/oom_score_adj. This is confirmed as a way to escape
application lifecycle (LP: #1260115)

86. By Jamie Strandboge on 2014-09-26

* ubuntu/calendar: add missing rule for org.freedesktop.DBus.Introspectable
  on path /com/canonical/indicator/datetime/AlarmProperties (LP: #1374623)
* ubuntu/1.[12]/ubuntu-{sdk,webapp}: remove no longer needed rule for
  /{,run/}shm/shm/WK2SharedMemory.[0-9]* (LP: #1197060)
* ubuntu/microphone:
  - add temporary write access to /{run,dev}/shm/shmfd-* for QAudioRecorder
    (LP: #1370218)
  - explicitly deny read on /dev/
* ubuntu/1.1/webview: allow dbus send to RequestName on org.freedesktop.DBus
  webapp-container needs corresponding 'bind' call on
  org.freedesktop.Application, which we block elsewhere. webapp-container
  shouldn't be doing this under confinement, but we allow this rule in
  content_exchange, so just allow it to avoid confusion. (LP: #1357371)

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
This branch contains Public information 
Everyone can see this information.