-
ubuntu-core-security (15.04.11) vivid; urgency=medium
* seccomp/default:
- add ARM private syscalls: breakpoint, cacheflush, set_tls, usr26, usr32
- add getrandom, ugetrlimit, sched_getattr, sched_rr_get_interval
- add getxattr, setxattr and listxattr family of calls
-- Jamie Strandboge <email address hidden> Wed, 22 Apr 2015 16:48:28 -0500
-
ubuntu-core-security (15.04.10) vivid; urgency=medium
* seccomp/default: allow futimesat, utime, utimensat, and utimes
* apparmor/default: revert /dev/** change. Snappy will instead maintain
click-apparmor .additional files for these (and add the access only if
cgroups restrictions are in effect)
* allow 'udevadm trigger --verbose --dry-run --tag-match=snappy-assign'.
Access for using '--property-match=SNAPPY_APP=<pkgname>' will be handled
elsewhere for now
-- Jamie Strandboge <email address hidden> Wed, 22 Apr 2015 10:22:04 -0500
-
ubuntu-core-security (15.04.8) vivid; urgency=medium
* debian/control: ubuntu-core-security-utils Depends on python3-yaml
-- Jamie Strandboge <email address hidden> Tue, 21 Apr 2015 20:46:44 -0500
-
ubuntu-core-security (15.04.4) vivid; urgency=medium
* explicitly deny mount and mknod too
* add some missing syscalls: eventfd, eventfd2, exit, ftime, get_mempolicy,
get_robust_list, ipc, mremap, msgctl, msgget, msgrcv, msgsnd,
restart_syscall, rt_sigqueueinfo, rt_tgsigqueueinfo, set_thread_area,
signal, sigaction, sigaltstack, sigpending, sigprocmask, sigreturn and
sigsuspend to seccomp default policy
-- Jamie Strandboge <email address hidden> Mon, 20 Apr 2015 14:35:59 -0500
-
ubuntu-core-security (15.04.3) vivid; urgency=medium
* explicitly deny ptrace (trace) in the policy since it currently allows
breaking out of seccomp sandbox
* correct path to policy groups for --include-policy-dir
-- Jamie Strandboge <email address hidden> Tue, 14 Apr 2015 18:04:22 -0500
-
ubuntu-core-security (15.04.2) vivid; urgency=medium
* update autopkgtests to include compatibility templates and policy groups
* debian/control:
- don't Build-Depends on seccomp (it is not needed at this time)
- adjust ubuntu-core-security-seccomp to not Depends on seccomp (it only
ships data files)
- adjust ubuntu-core-security-utils to Depends on seccomp for amd64, i386
and armhf
* update default apparmor policy to allow running /usr/bin/ldd
* add app-specific rules for access to /{dev,run}/shm (LP: #1443612)
-- Jamie Strandboge <email address hidden> Fri, 10 Apr 2015 17:06:11 -0500
-
ubuntu-core-security (15.04.1) vivid; urgency=medium
* Initial release. It provides:
- the apparmor policies for Ubuntu Core
- the seccomp policies for Ubuntu Core
- various utilities including sc-filtergen for generating template-based
seccomp filters
- replaces apparmor-easyprof-ubuntu-snappy and sets up compatibility
symlinks which can be dropped when packages stop using them
-- Jamie Strandboge <email address hidden> Thu, 09 Apr 2015 22:32:20 -0500