[ubuntu/saucy-proposed] apparmor-easyprof-ubuntu 1.0.32 (Accepted)

Jamie Strandboge jamie at ubuntu.com
Fri Sep 20 02:29:11 UTC 2013


apparmor-easyprof-ubuntu (1.0.32) saucy; urgency=low

  * accounts:
    - needs lock ('k') access to .config/libaccounts-glib/accounts.db and read
      access to .config/libaccounts-glib/accounts.db*.
    - read access to /usr/share/accounts/**
    - deny write to .config/libaccounts-glib/accounts.db* (LP: #1220552)
  * refine audio policy group:
    - remove /tmp/ accesses now that TMPDIR is set by the sandbox
    - allow access to only the native socket (ie, disallow dbus-socket (only
      needed by pacmd), access to pid and the cli debugging socket)
      (LP: #1211380)
    - remove 'w' access to /{,var/}run/user/*/pulse/ - this should already
      exist when click apps run
    - remove /dev/binder, no longer needed now that we use audio HAL and
      pulseaudio
    - silence the denial for creating ~/.gstreamer-0.10/ if it doesn't exist
  * camera:
    - add rw for /dev/ashmem. This will go away when camera moves to HAL
    - rw /run/shm/hybris_shm_data
    - add read on /android/system/media/audio/ui/camera_click.ogg
  * connectivity:
    - add policy as used by QML's QtSystemInfo and also Qt's QHostAddress,
      QNetworkInterface
    - add commented out rules for ofono (LP: 1226844)
  * finalize content_exchange policy for the content-hub. We now have two
    different policy groups: content_exchange for requesting/importing data
    and content_exchange_source for providing/exporting data
  * microphone:
    - remove /dev/binder, no longer needed now that we use audio HAL and
      pulseaudio
    - add gstreamer and pulseaudio accesses and silence ALSA denials (we
      force pulseaudio). Eventually we should consolidate these and the ones
      in audio into a separate abstraction.
  * networking
    - explicitly deny access to NetworkManager. This technically should be
      needed at all, but depending on how apps connect, the low-level
      libraries get NM involved. Do the same for ofono
    - add access to the download manager (LP: #1227860)
  * video: add gstreamer accesses. Eventually we should consolidate these
    and the ones in audio into a gstreamer abstraction
  * add the following new reserved policy groups (reserved because they need
    integration with trust-store to be used by untrusted apps):
    - calendar - to access /org/gnome/evolution/dataserver/SourceManager,
      /org/gnome/evolution/dataserver/CalendarFactory and
      /org/gnome/evolution/dataserver/Calendar/**
    - contacts - to access com.canonical.pim and org.freedesktop.Telepathy.
      Note, org.freedesktop.Telepathy will go away when LP: 1227818 is fixed
    - history - to access com.canonical.HistoryService
  * remove unused policy groups. This would normally constitute a new minor
    version, but no one is using these yet. When there is an API to use for
    this sort of thing, we can reintroduce them
    - read_connectivity_details
    - bluetooth (no supported Qt5 API for these per the SDK team)
    - nfc (no supported Qt5 API for these per the SDK team)
  * ubuntu* templates:
    - remove workaround HUD rule for DBus access to hud/applications/* now
      that the HUD is fixed.
    - allow connecting to dbus-daemon system daemon (org.freedesktop.DBus)
      for Hello, GetNameOwner, NameHasOwner, AddMatch and RemoveMatch which
      are all currently used when connecting to the network depending on the
      application API used. Allow the accesses to silence the denials: they
      are harmless and allows us to add more allow rules for other policy
      groups for system bus APIs down the line (as opposed to if we
      explicitly denied the accesses to org.freedesktop.DBus).
    - add more Nexus 7 accesses
  * ubuntu-sdk template:
    - remove workaround access for /tmp/*.sci now that TMPDIR is set
      (LP: #1197047)
    - remove workaround access for /var/tmp/etilqs_* now that TMPDIR is set
      (LP: #1197049)
    - add support for HTC vision thanks to Florian Will (LP: #1214975)
  * ubuntu-webapp template: use only application specific directories rather
    than the global webbrowser-app one (LP: #1226085)
  * debian/rules: enable tests during build
  * debian/control: Build-Depends on python3-minimal (for tests)
  * apparmor-easyprof-ubuntu.postinst: run aa-clickhook -f if it is available

Date: Wed, 18 Sep 2013 15:06:15 -0500
Changed-By: Jamie Strandboge <jamie at ubuntu.com>
https://launchpad.net/ubuntu/saucy/+source/apparmor-easyprof-ubuntu/1.0.32
-------------- next part --------------

Format: 1.8
Date: Wed, 18 Sep 2013 15:06:15 -0500
Source: apparmor-easyprof-ubuntu
Binary: apparmor-easyprof-ubuntu
Architecture: source
Version: 1.0.32
Distribution: saucy
Urgency: low
Maintainer: Jamie Strandboge <jamie at ubuntu.com>
Changed-By: Jamie Strandboge <jamie at ubuntu.com>
Description: 
 apparmor-easyprof-ubuntu - AppArmor easyprof templates for Ubuntu
Launchpad-Bugs-Fixed: 1197047 1197049 1211380 1214975 1220552 1226085 1227860
Checksums-Sha1: 
 c6b11344c90a74c0cab73d8fb8e360014164c085 1510 apparmor-easyprof-ubuntu_1.0.32.dsc
 b3320950254eff2f9a48ae98e4ba450823871cad 16114 apparmor-easyprof-ubuntu_1.0.32.tar.gz
Checksums-Sha256: 
 cc30776ec5b24d6dad03502289e4888a0d79fd646cdcf4ba9cb7b90edd0ce04b 1510 apparmor-easyprof-ubuntu_1.0.32.dsc
 002a6e0bb89f03b8d411d561143014938f43b00d470647f9ce7e534a1ae3e09a 16114 apparmor-easyprof-ubuntu_1.0.32.tar.gz
Files: 
 5c2be0ca213c2a0810ee08a0992727e2 1510 admin optional apparmor-easyprof-ubuntu_1.0.32.dsc
 a7b1acd20eaeff432df6a9a400b70a5d 16114 admin optional apparmor-easyprof-ubuntu_1.0.32.tar.gz



More information about the Saucy-changes mailing list