[ubuntu/wily-proposed] ubuntu-core-security 15.10.13 (Accepted)

Jamie Strandboge jamie at ubuntu.com
Mon Sep 21 22:32:14 UTC 2015


ubuntu-core-security (15.10.13) wily; urgency=medium

  * update autopkgtests for new policy groups

ubuntu-core-security (15.10.12) wily; urgency=medium

  * add restricted network-admin policy group
  * ubuntu-core/default:
    - allow reading unversioned package dirs in $HOME
    - suppress noisy write denials to .pyc files in the install dir
      (LP: #1496892). This might be able to be removed when LP: 1496895 is
      fixed.
  * ubuntu-core/default: handle miscellaneous java accesses (LP: #1496895)
    - read to @PROC/@{pid}/ and @PROC/@{pid}/fd/
    - owner read to owner @PROC/@{pid}/auxv
    - reads to @PROC/@{pid}/version_signature, @PROC/@{pid}/version,
      /etc/lsb-release
    - read to @PROC/sys/vm/zone_reclaim_mode
    - read to /sys/devices/**/read_ahead_kb and /sys/devices/system/cpu/**
    - read to /sys/kernel/mm/transparent_hugepage/enabled and
      /sys/kernel/mm/transparent_hugepage/defrag
    - explicit deny to @{PROC}/@{pid}/cmdline. This seems to be ok for now,
      but if it breaks things, allow with owner match (an info leak) until we
      have kernel side pid variable in AppArmor
    - allow reads on /etc/{,writable/}localtime and /etc/{,writable/}timezone
  * add restricted snapd policy group
  * add restricted network-firewall policy group
  * add restricted network-status policy group
  * bin/snappy-security: use 'Caps' instead of 'Policy groups' in output
  * ubuntu/network-service: reluctantly allow access to /proc/*/net/if_inet6
    and /proc/*/net/ipv6_route until we can find a better way (LP: #1496906)
  * add test-format.sh to make sure we have properly formatted policy
  * debian/rules: use test-format.sh
  * ubuntu/unconfined: use 'Usage: reserved' not 'restricted' since
    'restricted' is not a valid 'Usage' value

ubuntu-core-security (15.10.11) wily; urgency=medium

  * ubuntu-core/default: allow reads on directories in /sys/devices and
    /sys/class to ease using hw-assign

Date: Mon, 21 Sep 2015 17:23:42 -0500
Changed-By: Jamie Strandboge <jamie at ubuntu.com>
Maintainer: Ubuntu Security <security at ubuntu.com>
https://launchpad.net/ubuntu/+source/ubuntu-core-security/15.10.13
-------------- next part --------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 21 Sep 2015 17:23:42 -0500
Source: ubuntu-core-security
Binary: ubuntu-core-security-apparmor ubuntu-core-security-seccomp ubuntu-core-security-utils
Architecture: source
Version: 15.10.13
Distribution: wily
Urgency: medium
Maintainer: Ubuntu Security <security at ubuntu.com>
Changed-By: Jamie Strandboge <jamie at ubuntu.com>
Description:
 ubuntu-core-security-apparmor - AppArmor easyprof templates for Ubuntu Core
 ubuntu-core-security-seccomp - Seccomp templates for Ubuntu Core
 ubuntu-core-security-utils - Security utilities for Ubuntu Core
Launchpad-Bugs-Fixed: 1496892 1496895 1496906
Checksums-Sha1:
 ebab0d590522a29c50f8f42b54a771dd118b5c14 1938 ubuntu-core-security_15.10.13.dsc
 c68e341b15e54f7ae07e5ee4a4e162d79c2d04b5 23128 ubuntu-core-security_15.10.13.tar.xz
Checksums-Sha256:
 9c5d2ec9b21ac7f76422bc525894537a67365e38bb439d67e8a76b6a08bc9144 1938 ubuntu-core-security_15.10.13.dsc
 a676d13da7ffbaf7407a0957a41daf28da7c07b1e3cd2c3d2b807bf553ee090e 23128 ubuntu-core-security_15.10.13.tar.xz
Files:
 a940a53b074cae790ad091f9535881ec 1938 admin optional ubuntu-core-security_15.10.13.dsc
 29a884998fad1f2ecbfa83f03eae9a6b 23128 admin optional ubuntu-core-security_15.10.13.tar.xz
