[ubuntu/wily-proposed] ubuntu-core-security 15.10.12 (Accepted)
Jamie Strandboge
jamie at ubuntu.com
Mon Sep 21 21:41:14 UTC 2015
ubuntu-core-security (15.10.12) wily; urgency=medium

  * add restricted network-admin policy group
  * ubuntu-core/default:
    - allow reading unversioned package dirs in $HOME
    - suppress noisy write denials to .pyc files in the install dir
      (LP: #1496892). This might be able to be removed when LP: 1496895 is
      fixed.
  * ubuntu-core/default: handle miscellaneous java accesses (LP: #1496895)
    - read to @PROC/@{pid}/ and @PROC/@{pid}/fd/
    - owner read to owner @PROC/@{pid}/auxv
    - reads to @PROC/@{pid}/version_signature, @PROC/@{pid}/version,
      /etc/lsb-release
    - read to @PROC/sys/vm/zone_reclaim_mode
    - read to /sys/devices/**/read_ahead_kb and /sys/devices/system/cpu/**
    - read to /sys/kernel/mm/transparent_hugepage/enabled and
      /sys/kernel/mm/transparent_hugepage/defrag
    - explicit deny to @{PROC}/@{pid}/cmdline. This seems to be ok for now,
      but if it breaks things, allow with owner match (an info leak) until we
      have kernel side pid variable in AppArmor
    - allow reads on /etc/{,writable/}localtime and /etc/{,writable/}timezone
  * add restricted snapd policy group
  * add restricted network-firewall policy group
  * add restricted network-status policy group
  * bin/snappy-security: use 'Caps' instead of 'Policy groups' in output
  * ubuntu/network-service: reluctantly allow access to /proc/*/net/if_inet6
    and /proc/*/net/ipv6_route until we can find a better way (LP: #1496906)
  * add test-format.sh to make sure we have properly formatted policy
  * debian/rules: use test-format.sh
  * ubuntu/unconfined: use 'Usage: reserved' not 'restricted' since
    'restricted' is not a valid 'Usage' value

ubuntu-core-security (15.10.11) wily; urgency=medium

  * ubuntu-core/default: allow reads on directories in /sys/devices and
    /sys/class to ease using hw-assign
Date: Mon, 21 Sep 2015 16:30:32 -0500
Changed-By: Jamie Strandboge <jamie at ubuntu.com>
Maintainer: Ubuntu Security <security at ubuntu.com>
https://launchpad.net/ubuntu/+source/ubuntu-core-security/15.10.12
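The ubuntu-core/default items in the 15.10.12 entry above, written out as AppArmor profile rules. This is an added illustration, not the package's own easyprof template: the rules are reconstructed from the changelog wording, @PROC is written in AppArmor's @{PROC} variable form throughout, and the install-directory path in the .pyc rule is a placeholder.

```apparmor
# Added illustration reconstructed from the ubuntu-core-security 15.10.12
# changelog; not the package's own ubuntu-core/default template. Paths are
# as the changelog lists them, with @PROC written as the variable @{PROC}.

# miscellaneous java accesses (LP: #1496895)
@{PROC}/@{pid}/ r,
@{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/auxv r,
@{PROC}/@{pid}/version_signature r,
@{PROC}/@{pid}/version r,
/etc/lsb-release r,
@{PROC}/sys/vm/zone_reclaim_mode r,
/sys/devices/**/read_ahead_kb r,
/sys/devices/system/cpu/** r,
/sys/kernel/mm/transparent_hugepage/enabled r,
/sys/kernel/mm/transparent_hugepage/defrag r,
/etc/{,writable/}localtime r,
/etc/{,writable/}timezone r,

# explicit deny rather than allow: @{pid} is not scoped to the confined
# process, so the changelog treats even an owner-matched allow as an
# info leak until AppArmor gains a kernel-side pid variable
deny @{PROC}/@{pid}/cmdline r,

# explicit deny to silence the .pyc write denials (LP: #1496892); the
# write is still refused, only the log noise goes away.
# PLACEHOLDER: substitute the app's install directory.
deny /PLACEHOLDER/install/dir/**.pyc w,
```

AppArmor `deny` rules are quiet by default, which is why the .pyc rule stops the denials from being logged while leaving the access blocked; prefix a rule with `audit` if those events should still be recorded. Any read not covered above continues to surface in the kernel log as an apparmor="DENIED" entry, which is what to check when confirming a policy change like this one.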
-------------- next part --------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 21 Sep 2015 16:30:32 -0500
Source: ubuntu-core-security
Binary: ubuntu-core-security-apparmor ubuntu-core-security-seccomp ubuntu-core-security-utils
Architecture: source
Version: 15.10.12
Distribution: wily
Urgency: medium
Maintainer: Ubuntu Security <security at ubuntu.com>
Changed-By: Jamie Strandboge <jamie at ubuntu.com>
Description:
ubuntu-core-security-apparmor - AppArmor easyprof templates for Ubuntu Core
ubuntu-core-security-seccomp - Seccomp templates for Ubuntu Core
ubuntu-core-security-utils - Security utilities for Ubuntu Core
Launchpad-Bugs-Fixed: 1496892 1496895 1496906
Changes:
 ubuntu-core-security (15.10.12) wily; urgency=medium
 .
   * add restricted network-admin policy group
   * ubuntu-core/default:
     - allow reading unversioned package dirs in $HOME
     - suppress noisy write denials to .pyc files in the install dir
       (LP: #1496892). This might be able to be removed when LP: 1496895 is
       fixed.
   * ubuntu-core/default: handle miscellaneous java accesses (LP: #1496895)
     - read to @PROC/@{pid}/ and @PROC/@{pid}/fd/
     - owner read to owner @PROC/@{pid}/auxv
     - reads to @PROC/@{pid}/version_signature, @PROC/@{pid}/version,
       /etc/lsb-release
     - read to @PROC/sys/vm/zone_reclaim_mode
     - read to /sys/devices/**/read_ahead_kb and /sys/devices/system/cpu/**
     - read to /sys/kernel/mm/transparent_hugepage/enabled and
       /sys/kernel/mm/transparent_hugepage/defrag
     - explicit deny to @{PROC}/@{pid}/cmdline. This seems to be ok for now,
       but if it breaks things, allow with owner match (an info leak) until we
       have kernel side pid variable in AppArmor
     - allow reads on /etc/{,writable/}localtime and /etc/{,writable/}timezone
   * add restricted snapd policy group
   * add restricted network-firewall policy group
   * add restricted network-status policy group
   * bin/snappy-security: use 'Caps' instead of 'Policy groups' in output
   * ubuntu/network-service: reluctantly allow access to /proc/*/net/if_inet6
     and /proc/*/net/ipv6_route until we can find a better way (LP: #1496906)
   * add test-format.sh to make sure we have properly formatted policy
   * debian/rules: use test-format.sh
   * ubuntu/unconfined: use 'Usage: reserved' not 'restricted' since
     'restricted' is not a valid 'Usage' value
 .
 ubuntu-core-security (15.10.11) wily; urgency=medium
 .
   * ubuntu-core/default: allow reads on directories in /sys/devices and
     /sys/class to ease using hw-assign
Checksums-Sha1:
81eeeedd544f848280362ba634e9cdae9d62762e 1938 ubuntu-core-security_15.10.12.dsc
6bb0809a282e2735df0feb7d79197c99e262e623 23108 ubuntu-core-security_15.10.12.tar.xz
Checksums-Sha256:
8f7af925228b410bdf435e2cd39d43fe3431bd20297949955789764de1261e5b 1938 ubuntu-core-security_15.10.12.dsc
6ca959762bab72a3c31a570b627817e8d9007b4ac55240a3b296ca7a6183b49c 23108 ubuntu-core-security_15.10.12.tar.xz
Files:
6391e3076f1111805772680909ab5c26 1938 admin optional ubuntu-core-security_15.10.12.dsc
a7c78b914c1739dbc694abb6b07b10f7 23108 admin optional ubuntu-core-security_15.10.12.tar.xz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

=V8cH
-----END PGP SIGNATURE-----