ubuntu-core-security 15.10.12 source package in Ubuntu

Changelog

ubuntu-core-security (15.10.12) wily; urgency=medium

  * add restricted network-admin policy group
  * ubuntu-core/default:
    - allow reading unversioned package dirs in $HOME
    - suppress noisy write denials to .pyc files in the install dir
      (LP: #1496892). This might be able to be removed when LP: 1496895 is
      fixed.
  * ubuntu-core/default: handle miscellaneous java accesses (LP: #1496895)
    - read to @PROC/@{pid}/ and @PROC/@{pid}/fd/
    - owner read to owner @PROC/@{pid}/auxv
    - reads to @PROC/@{pid}/version_signature, @PROC/@{pid}/version,
      /etc/lsb-release
    - read to @PROC/sys/vm/zone_reclaim_mode
    - read to /sys/devices/**/read_ahead_kb and /sys/devices/system/cpu/**
    - read to /sys/kernel/mm/transparent_hugepage/enabled and
      /sys/kernel/mm/transparent_hugepage/defrag
    - explicit deny to @{PROC}/@{pid}/cmdline. This seems to be ok for now,
      but if it breaks things, allow with owner match (an info leak) until we
      have kernel side pid variable in AppArmor
    - allow reads on /etc/{,writable/}localtime and /etc/{,writable/}timezone
  * add restricted snapd policy group
  * add restricted network-firewall policy group
  * add restricted network-status policy group
  * bin/snappy-security: use 'Caps' instead of 'Policy groups' in output
  * ubuntu/network-service: reluctantly allow access to /proc/*/net/if_inet6
    and /proc/*/net/ipv6_route until we can find a better way (LP: #1496906)
  * add test-format.sh to make sure we have properly formatted policy
  * debian/rules: use test-format.sh
  * ubuntu/unconfined: use 'Usage: reserved' not 'restricted' since
    'restricted' is not a valid 'Usage' value

ubuntu-core-security (15.10.11) wily; urgency=medium

  * ubuntu-core/default: allow reads on directories in /sys/devices and
    /sys/class to ease using hw-assign

 -- Jamie Strandboge <email address hidden>  Mon, 21 Sep 2015 16:30:32 -0500