Change log for apparmor-easyprof-ubuntu package in Ubuntu RTM

apparmor-easyprof-ubuntu (1.2.41) 14.09; urgency=medium

  [ Alberto Mardegan ]
  * ubuntu/accounts: explictly deny access to the p2p socket. This will now be
    available only to unconfined apps to support a trusted socket for
    privileged processes (LP: #1415492)
 -- Jamie Strandboge <email address hidden>   Thu, 05 Feb 2015 12:33:59 -0600

Available diffs

• diff from 1.2.40 (in ~ci-train-ppa-service/ubuntu-rtm/landing-010-deletedppa) to 1.2.41 (740 bytes)

apparmor-easyprof-ubuntu (1.2.40) 14.09; urgency=medium

  * ubuntu/{music,pictures,video}_files*: temporarily allow read access to
    global SD card user directory (LP: #1392368). This can be removed once
    there is a proper API for apps to find the SD card label.
 -- Jamie Strandboge <email address hidden>   Thu, 08 Jan 2015 14:41:20 -0600

Available diffs

• diff from 1.2.39 (in ~ci-train-ppa-service/ubuntu-rtm/landing-002-deletedppa) to 1.2.40 (1015 bytes)

apparmor-easyprof-ubuntu (1.2.39) utopic; urgency=medium

  * ubuntu/{music,pictures,video}_files*: allow access to global SD card
    directories (LP: #1391930)
  * ubuntu/ubuntu-scope-network, pending/ubuntu-scope-local-content: allow
    scopes to read data from the apps data dir (LP: #1384286)
 -- Jamie Strandboge <email address hidden>   Thu, 13 Nov 2014 09:54:18 -0600

Available diffs

• diff from 1.2.38 (in ~ci-train-ppa-service/ubuntu-rtm/landing-003-deletedppa) to 1.2.39 (1.6 KiB)
• diff from 1.2.22 (in ~ubuntu-security-proposed/ubuntu/ppa) to 1.2.39 (10.2 KiB)

apparmor-easyprof-ubuntu (1.2.38) utopic; urgency=medium

  * ubuntu/networking: add rules for app-specific ubuntu-download-manager
    file downloads (LP: #1384349)
 -- Jamie Strandboge <email address hidden>   Wed, 22 Oct 2014 14:13:44 -0400

Available diffs

• diff from 1.2.37 (in Ubuntu) to 1.2.38 (674 bytes)

apparmor-easyprof-ubuntu (1.2.37) utopic; urgency=medium

  * ubuntu/audio: also allow access to GetArtistArt when accessing the
    thumbnailer (LP: #1381102)
 -- Jamie Strandboge <email address hidden>   Tue, 14 Oct 2014 09:37:24 -0500

Available diffs

• diff from 1.2.35 to 1.2.37 (1.5 KiB)
• diff from 1.2.36 to 1.2.37 (601 bytes)

apparmor-easyprof-ubuntu (1.2.35) utopic; urgency=medium

  * ubuntu/1.2/push-notification-client: don't deny access to the clipboard
    since sdk apps are supposed to be able to specify this policy group
  * ubuntu/1.2: add ubuntu-push-helper for push-helpers to use which (among
    other things) explicitly disables access to the clipboard (LP: #1371170)
  * adjust autopackagetest for ubuntu-push-helper
  * ubuntu/accounts: allow all on org.freedesktop.DBus.Properties for
    /com/google/code/AccountsSSO/SingleSignOn
  * ubuntu/1.2/ubuntu-scope-network, pending/ubuntu-scope-local-content: also
    add remaining libhybris paths (/{,var/}run/shm/hybris_shm_data and
    /system/build.prop)
  * ubuntu/ubuntu-sdk: explicitly disallow gsettings (dconf) access
    (LP: #1378115)
 -- Jamie Strandboge <email address hidden>   Mon, 06 Oct 2014 10:41:18 -0500

Available diffs

• diff from 1.2.34 to 1.2.35 (3.0 KiB)

apparmor-easyprof-ubuntu (1.2.34) utopic; urgency=medium

  * ubuntu/1.[12]/ubuntu-{sdk,webapp}: re-add still needed rule for
    /{,run/}shm/shm/WK2SharedMemory.[0-9]*. This needs to stay until qtwebkit
    is removed from the image (LP: #1377648)
 -- Jamie Strandboge <email address hidden>   Mon, 06 Oct 2014 07:10:09 -0500

Available diffs

• diff from 1.2.30 to 1.2.34 (3.3 KiB)
• diff from 1.2.33 to 1.2.34 (761 bytes)

apparmor-easyprof-ubuntu (1.2.30) utopic; urgency=medium

  * ubuntu/ubuntu-*: add owner /{run,dev}/shm/shmfd-* rwk (LP: #1370218)
  * ubuntu/microphone: remove shmfd access since it is in the templates now
 -- Jamie Strandboge <email address hidden>   Tue, 30 Sep 2014 09:33:57 -0500

Available diffs

• diff from 1.2.27 to 1.2.30 (2.2 KiB)
• diff from 1.2.29 to 1.2.30 (1.1 KiB)

apparmor-easyprof-ubuntu (1.2.27) utopic; urgency=medium

  * ubuntu/ubuntu-{sdk,webapp}: all apps can access the Mir clipboard
    (LP: #1372579). Note, LP: 1371170 will be fixed in a future update
  * ubuntu/push-notification-client: explit deny (with auditing) for access
    to the Mir clipboard (background apps should not have access)
  * ubuntu/ubuntu-scope-network: explicit deny (with auditing) for access
    to the Mir clipboard (scopes should not have access)
  * pending/ubuntu-scope-local-content: bring up to date with changes to
    ubuntu-scope-network
 -- Jamie Strandboge <email address hidden>   Tue, 23 Sep 2014 09:07:00 -0500

Available diffs

• diff from 1.2.22 (in ~ubuntu-security-proposed/ubuntu/ppa) to 1.2.27 (3.9 KiB)
• diff from 1.2.26 to 1.2.27 (2.1 KiB)

apparmor-easyprof-ubuntu (1.2.22) utopic; urgency=medium

  * Updates for abstract and anonymous socket mediation (LP: #1362199):
    - ubuntu/*/ubuntu-*:
      + use dbus-strict and dbus-session-strict abstractions and remove
        duplicated policy
      + allow ubuntu-sdk and ubuntu-webapp connect, receive and send on the
        maliit abstract socket
      + allow write access to owner /{,var/}run/user/*/@{APP_PKGNAME}/{,**}
    - ubuntu/*/unconfined: allow unix
    - ubuntu/webview:
      + allow oxide to talk to sandbox via unix sockets
      + allow sandbox to talk to @{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}
        peer
      + allow various unix perms from base abstract for the sandbox to use
        unix sockets
    - debian/control: Depends on apparmor >= 2.8.96~2541-0ubuntu4
  * ubuntu/webview: use @{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION} for
    signal now that we have @{APP_APPNAME} available (LP: #1363112)
  * ubuntu/debug: 'audit deny @{HOME}/.local/share/ r' which is used by the
    SDK to see if confined
  * debian/control: Depends on apparmor >= 2.8.96~2541-0ubuntu4~
 -- Jamie Strandboge <email address hidden>   Fri, 05 Sep 2014 15:17:07 -0500

Available diffs

• diff from 1.2.21 (in Ubuntu) to 1.2.22 (3.4 KiB)
• diff from 1.2.22~abstract8 to 1.2.22 (812 bytes)

apparmor-easyprof-ubuntu (1.2.21) utopic; urgency=medium

  * ubuntu/1.2/accounts: online accounts now has Mir trusted session support
    so move accounts policy group to reserved (LP: #1230091)
 -- Jamie Strandboge <email address hidden>   Wed, 20 Aug 2014 08:05:37 -0500

Available diffs

• diff from 1.2.20 to 1.2.21 (614 bytes)

apparmor-easyprof-ubuntu (1.2.20) utopic; urgency=medium

  * ubuntu/1.2/ubuntu-scope-network, pending/ubuntu-scope-local-content:
    - add DBus session and system accesses to scope templates like we have in
      the app templates. This allows scopes to talk to trusted helpers like
      online accounts and location-service. Actual communication with the
      services is still controlled by the respective policy groups.
    - add scope-specific access to /run/user/[0-9]*/scopes/leaf-{net,fs}/*
 -- Jamie Strandboge <email address hidden>   Fri, 15 Aug 2014 10:56:32 -0500

Available diffs

• diff from 1.2.15 to 1.2.20 (3.7 KiB)
• diff from 1.2.19 to 1.2.20 (1.4 KiB)

apparmor-easyprof-ubuntu (1.2.15) utopic; urgency=medium

  * ubuntu/*: explicitly deny noisy access to @{PROC}/xlog (LP: #1352432)
 -- Jamie Strandboge <email address hidden>   Mon, 04 Aug 2014 12:56:05 -0500

Available diffs

• diff from 1.2.14 to 1.2.15 (757 bytes)