lp:ubuntu/vivid/ubuntu-core-security
- Get this branch: bzr branch lp:ubuntu/vivid/ubuntu-core-security
Recent revisions
- 7. By Jamie Strandboge

  * seccomp/default:
    - add ARM private syscalls: breakpoint, cacheflush, set_tls, usr26, usr32
    - add getrandom, ugetrlimit, sched_getattr, sched_rr_get_interval
    - add getxattr, setxattr and listxattr family of calls

- 6. By Jamie Strandboge

  * seccomp/default: allow futimesat, utime, utimensat, and utimes
  * apparmor/default: revert /dev/** change. Snappy will instead maintain
    click-apparmor .additional files for these (and add the access only if
    cgroups restrictions are in effect)
  * allow 'udevadm trigger --verbose --dry-run --tag-match=snappy-assign'.
    Access for using '--property-match=SNAPPY_APP=<pkgname>' will be handled
    elsewhere for now

- 4. By Jamie Strandboge

  * explicitly deny mount and mknod too
  * add some missing syscalls: eventfd, eventfd2, exit, ftime, get_mempolicy,
    get_robust_list, ipc, mremap, msgctl, msgget, msgrcv, msgsnd,
    restart_syscall, rt_sigqueueinfo, rt_tgsigqueueinfo, set_thread_area,
    signal, sigaction, sigaltstack, sigpending, sigprocmask, sigreturn and
    sigsuspend to seccomp default policy

- 3. By Jamie Strandboge

  * explicitly deny ptrace (trace) in the policy since it currently allows
    breaking out of seccomp sandbox
  * correct path to policy groups for --include-policy-dir

- 2. By Jamie Strandboge

  * update autopkgtests to include compatibility templates and policy groups
  * debian/control:
    - don't Build-Depends on seccomp (it is not needed at this time)
    - adjust ubuntu-core-security-seccomp to not Depends on seccomp (it only
      ships data files)
    - adjust ubuntu-core-security-utils to Depends on seccomp for amd64, i386
      and armhf
  * update default apparmor policy to allow running /usr/bin/ldd
  * add app-specific rules for access to /{dev,run}/shm (LP: #1443612)

- 1. By Jamie Strandboge

  * Initial release. It provides:
    - the apparmor policies for Ubuntu Core
    - the seccomp policies for Ubuntu Core
    - various utilities including sc-filtergen for generating template-based
      seccomp filters
    - replaces apparmor-easyprof-ubuntu-snappy and sets up compatibility
      symlinks which can be dropped when packages stop using them

Branch metadata
- Branch format: Branch format 7
- Repository format: Bazaar repository format 2a (needs bzr 1.16 or later)
- Stacked on: lp:ubuntu/wily/ubuntu-core-security