This bug was fixed in the package ubuntu-core-security - 15.10.13
---------------
ubuntu-core-security (15.10.13) wily; urgency=medium

  * update autopkgtests for new policy groups

ubuntu-core-security (15.10.12) wily; urgency=medium

  * add restricted network-admin policy group
  * ubuntu-core/default:
    - allow reading unversioned package dirs in $HOME
    - suppress noisy write denials to .pyc files in the install dir
      (LP: #1496892). This might be able to be removed when LP: 1496895 is
      fixed.
  * ubuntu-core/default: handle miscellaneous java accesses (LP: #1496895)
    - read to @PROC/@{pid}/ and @PROC/@{pid}/fd/
    - owner read to owner @PROC/@{pid}/auxv
    - reads to @PROC/@{pid}/version_signature, @PROC/@{pid}/version,
      /etc/lsb-release
    - read to @PROC/sys/vm/zone_reclaim_mode
    - read to /sys/devices/**/read_ahead_kb and /sys/devices/system/cpu/**
    - read to /sys/kernel/mm/transparent_hugepage/enabled and
      /sys/kernel/mm/transparent_hugepage/defrag
    - explicit deny to @{PROC}/@{pid}/cmdline. This seems to be ok for now,
      but if it breaks things, allow with owner match (an info leak) until we
      have kernel side pid variable in AppArmor
    - allow reads on /etc/{,writable/}localtime and /etc/{,writable/}timezone
  * add restricted snapd policy group
  * add restricted network-firewall policy group
  * add restricted network-status policy group
  * bin/snappy-security: use 'Caps' instead of 'Policy groups' in output
  * ubuntu/network-service: reluctantly allow access to /proc/*/net/if_inet6
    and /proc/*/net/ipv6_route until we can find a better way (LP: #1496906)
  * add test-format.sh to make sure we have properly formatted policy
  * debian/rules: use test-format.sh
  * ubuntu/unconfined: use 'Usage: reserved' not 'restricted' since
    'restricted' is not a valid 'Usage' value

ubuntu-core-security (15.10.11) wily; urgency=medium

  * ubuntu-core/default: allow reads on directories in /sys/devices and
    /sys/class to ease using hw-assign

 -- Jamie Strandboge <[email protected]> Mon, 21 Sep 2015 17:23:42 -0500
** Changed in: ubuntu-core-security (Ubuntu)
Status: Fix Committed => Fix Released
https://bugs.launchpad.net/bugs/1496892
Title:
update policy for .pyc denial and common java accesses