ubuntu-core-security (16.04.15.1) xenial; urgency=medium

  * ubuntu/default: adjust seccomp to allow setuid family of syscalls since
    the launcher is now dropping privs after seccomp_load()

 -- Jamie Strandboge <jamie@ubuntu.com>  Mon, 21 Mar 2016 09:19:12 -0500

ubuntu-core-security (16.04.15) xenial; urgency=medium

  * ubuntu/default:
    - add read access to @{PROC}/@{pid}/statm
    - use @{pid} instead of [0-9]* for @{PROC}/@{pid}/stat

 -- Jamie Strandboge <jamie@ubuntu.com>  Wed, 10 Feb 2016 09:31:55 -0600

ubuntu-core-security (16.04.14) xenial; urgency=medium

  * ubuntu-core/system-monitor: clarify ptrace (trace) comments
  * temporarily add a few more rules to display-server:
    - capabilities: dac_override, dac_read_search, and sys_tty_config
    - 'network netlink raw' to display-server
  * fix missing comma in unix rule for ubuntu-core/mir-client
  * add tests/aa.features and use it when /etc/apparmor.d/cache/.features is
    not present, such as on a buildd. This prevents the parser from falling
    back to only old rules.

 -- Jamie Strandboge <jamie@ubuntu.com>  Tue, 19 Jan 2016 14:32:55 -0600

ubuntu-core-security (16.04.13) xenial; urgency=medium

  * add ubuntu-core/system-monitor reserved policy group
  * ubuntu/network-service: allow read on hosts.deny and hosts.allow

 -- Jamie Strandboge <jamie@ubuntu.com>  Thu, 14 Jan 2016 17:43:03 -0600

ubuntu-core-security (16.04.12) xenial; urgency=medium

  [ Jamie Strandboge ]
  * ubuntu-core/display-server: add sys_admin since it is needed to work with
    graphics drivers
  * ubuntu/default:
    - add read access to /etc/libnl-3/{classid,pktloc} for apps that use libnl
    - add read access to @{PROC}/@{pid}/status

  [ Michael Vogt ]
  * ubuntu/default: add /var/lib/snaps and $HOME/snaps. A future upload will
    remove /var/lib/apps and $HOME/apps once the migration is complete

 -- Jamie Strandboge <jamie@ubuntu.com>  Mon, 11 Jan 2016 14:02:54 -0600

ubuntu-core-security (16.04.11) xenial; urgency=medium

  * update autopkgtests for mir-client

 -- Jamie Strandboge <jamie@ubuntu.com>  Wed, 06 Jan 2016 08:43:06 -0600

ubuntu-core-security (16.04.10) xenial; urgency=medium

  * ubuntu-core/display-server:
    - sync with kgunn's work
    - remove seccomp calls that overlap with unix-listener
  * add ubuntu-core/16.04/mir-client
  * ubuntu-core/default: adjust to use INSTALL_DIR instead of CLICK_DIR

 -- Jamie Strandboge <jamie@ubuntu.com>  Tue, 05 Jan 2016 15:04:01 -0600

ubuntu-core-security (16.04.9) xenial; urgency=medium

  * update autopkgtests for removed policy and don't depend on
    apparmor-easyprof
  * debian/control:
    - remove no longer needed conflicts/provides/replaces
    - rephrase description to not reference easyprof since snappy doesn't use
      it any more
    - removed unneeded dependency on python3-yaml

 -- Jamie Strandboge <jamie@ubuntu.com>  Thu, 17 Dec 2015 08:19:27 -0600

ubuntu-core-security (16.04.8) xenial; urgency=medium

  * ubuntu/default:
    - add timerfd and new mbarrier syscall
    - allow ixr on tset
    - remove explicit apparmor denials for ptrace, mount and mknod since
      other caps may add them (eg, container-management)
    - add a few rules that aren't information leak to ease hardware assignment
      policy
  * debian/README.seccomp: update for 4.3 syscalls
  * remove 15.04 and 15.10 policy
  * ubuntu/network-client:
    - don't explicitly deny network-manager in ubuntu-core policy. This made
      sense on Touch where everything was noisy, but network-manager only
      exists as a snap on core.
    - remove accept, accept4, listen and bind (must use either unix-listener
      or network-listener instead)
  * add the identified new caps for 16.04
  * rename network-admin to network-management
  * rename network-firewall to firewall-management
  * rename network-status to network-monitor
  * rename network-service to network-listener
  * rename snapd to snap-management
  * add compatibility symlinks for renamed caps (this will be removed for
    16.04 release)
  * ubuntu/network-listener: update comment for socket()

 -- Jamie Strandboge <jamie@ubuntu.com>  Wed, 16 Dec 2015 16:46:59 -0600

ubuntu-core-security (16.04.7) xenial; urgency=medium

  * ubuntu/default: allow owner match on @{HOME} instead of @{HOMEDIRS}/*/
    to allow root access to SNAP_APP_USER_DATA_PATH when it is set to
    '/root/apps/...' (LP: #1466234)

 -- Jamie Strandboge <jamie@ubuntu.com>  Tue, 01 Dec 2015 13:43:20 -0600

ubuntu-core-security (16.04.6) xenial; urgency=medium

  * ubuntu/default: allow less, lessfile, lesspipe and more

 -- Jamie Strandboge <jamie@ubuntu.com>  Tue, 01 Dec 2015 09:20:43 -0600

ubuntu-core-security (16.04.5) xenial; urgency=medium

  * snappy now generates policy with 'snappy policygen' so update this package
    accordingly:
    - remove sc-filtergen, tests and docs
    - debian/control: only depends on seccomp (to pull in scmp_sys_resolver)
    - remove ubuntu-core-security-apparmor.postinst
    - remove ubuntu-core-security-utils.dirs
    - remove ubuntu-core-security-utils.manpages
    - debian/rules: adjust to not run (now non-existent) seccomp tests
  * adjust sc-logresolve to point to the more user friendly snappy-debug

 -- Jamie Strandboge <jamie@ubuntu.com>  Thu, 19 Nov 2015 09:53:07 -0600

ubuntu-core-security (16.04.4) xenial; urgency=medium

  * ubuntu/network-firewall: allow reading sysctl and writing out some
    firewall related items

 -- Jamie Strandboge <jamie@ubuntu.com>  Wed, 18 Nov 2015 15:31:42 -0600

ubuntu-core-security (16.04.3) xenial; urgency=medium

  * default/template: allow capset (AppArmor mediates capabilities so this is
    ok)

 -- Jamie Strandboge <jamie@ubuntu.com>  Tue, 10 Nov 2015 14:04:47 -0600

ubuntu-core-security (16.04.2) xenial; urgency=medium

  * ubuntu-core/snapd: use /run/snapd.socket instead of abstract socket

 -- Jamie Strandboge <jamie@ubuntu.com>  Thu, 29 Oct 2015 10:15:47 -0500

ubuntu-core-security (16.04.1) xenial; urgency=medium

  * add 16.04 policy
  * remove previously deprecated ubuntu-core/networking
  * remove 'ubuntu-snappy' and '1.3' compatibility symlinks
  * adjust autopkgtests for policy version 16.04
  * ubuntu-core/default: add read access to @{PROC}/sys/kernel/random/uuid

 -- Jamie Strandboge <jamie@ubuntu.com>  Mon, 26 Oct 2015 16:18:14 -0500

ubuntu-core-security (15.10.17) wily; urgency=medium

  * ubuntu-core/default: also allow gzip (we already allow xz and bzip2)

 -- Jamie Strandboge <jamie@ubuntu.com>  Mon, 05 Oct 2015 09:06:48 -0500

ubuntu-core-security (15.10.16) wily; urgency=medium

  * Build ubuntu-core-security-utils everywhere.

 -- Matthias Klose <doko@ubuntu.com>  Sat, 03 Oct 2015 21:53:48 +0200

ubuntu-core-security (15.10.15) wily; urgency=medium

  * ubuntu-core/unconfined: use 'ix' instead of 'pix' with unconfined
    template
  * ubuntu-core/default:
    - allow access to user and group information since non-networking snaps
      may have legitimate use for them
    - add a few accesses for bash
  * add snappy-debug/snappy-security-scanlog
  * move snappy-security to snappy-debug since it will be shipped in a
    separate snap now
  * snappy-debug/snappy-security:
    - update to use snappy-security-scanlog
    - add 'reload' option to reload apparmor policy (in lieu of
      apparmor_parser)
    - add 'regenerate' option to regenerate apparmor policy (in lieu of
      aa-clickhook and aa-profile-hook)
    - add 'disable-rate-limiting' to run 'sysctl -w kernel.printk_ratelimit=0'

 -- Jamie Strandboge <jamie@ubuntu.com>  Fri, 02 Oct 2015 09:57:59 -0500

ubuntu-core-security (15.10.14) wily; urgency=medium

  * update templates to give a better description
  * ubuntu-core/default:
    - actually explicitly deny mknod in apparmor policy like we say we do
      (mknod currently doesn't work for other reasons so this is safe)
    - allow connect and socket so 'ls -l' can work in the default template
  * ubuntu-core/network-service: explicitly deny 'network netlink dgram' to
    silence a java denial. Once fine-grained netlink mediation is available,
    we can revisit this. See LP: 1499897 for details.

 -- Jamie Strandboge <jamie@ubuntu.com>  Fri, 25 Sep 2015 18:15:38 -0500

ubuntu-core-security (15.10.13) wily; urgency=medium

  * update autopkgtests for new policy groups

 -- Jamie Strandboge <jamie@ubuntu.com>  Mon, 21 Sep 2015 17:23:42 -0500

ubuntu-core-security (15.10.12) wily; urgency=medium

  * add restricted network-admin policy group
  * ubuntu-core/default:
    - allow reading unversioned package dirs in $HOME
    - suppress noisy write denials to .pyc files in the install dir
      (LP: #1496892). This might be able to be removed when LP: 1496895 is
      fixed.
  * ubuntu-core/default: handle miscellaneous java accesses (LP: #1496895)
    - read to @PROC/@{pid}/ and @PROC/@{pid}/fd/
    - owner read to owner @PROC/@{pid}/auxv
    - reads to @PROC/@{pid}/version_signature, @PROC/@{pid}/version,
      /etc/lsb-release
    - read to @PROC/sys/vm/zone_reclaim_mode
    - read to /sys/devices/**/read_ahead_kb and /sys/devices/system/cpu/**
    - read to /sys/kernel/mm/transparent_hugepage/enabled and
      /sys/kernel/mm/transparent_hugepage/defrag
    - explicit deny to @{PROC}/@{pid}/cmdline. This seems to be ok for now,
      but if it breaks things, allow with owner match (an info leak) until we
      have kernel side pid variable in AppArmor
    - allow reads on /etc/{,writable/}localtime and /etc/{,writable/}timezone
  * add restricted snapd policy group
  * add restricted network-firewall policy group
  * add restricted network-status policy group
  * bin/snappy-security: use 'Caps' instead of 'Policy groups' in output
  * ubuntu/network-service: reluctantly allow access to /proc/*/net/if_inet6
    and /proc/*/net/ipv6_route until we can find a better way (LP: #1496906)
  * add test-format.sh to make sure we have properly formatted policy
  * debian/rules: use test-format.sh
  * ubuntu/unconfined: use 'Usage: reserved' not 'restricted' since
    'restricted' is not a valid 'Usage' value

 -- Jamie Strandboge <jamie@ubuntu.com>  Mon, 21 Sep 2015 16:30:32 -0500

ubuntu-core-security (15.10.11) wily; urgency=medium

  * ubuntu-core/default: allow reads on directories in /sys/devices and
    /sys/class to ease using hw-assign

 -- Jamie Strandboge <jamie@ubuntu.com>  Tue, 08 Sep 2015 15:27:25 -0500

ubuntu-core-security (15.10.10) wily; urgency=medium

  * ubuntu-core/default: deny noisy writes to system __pycache__ directory

 -- Jamie Strandboge <jamie@ubuntu.com>  Thu, 27 Aug 2015 08:13:15 -0500

ubuntu-core-security (15.10.9) wily; urgency=medium

  * ubuntu-core/default, ubuntu-core/network-service: move socketpair from
    network-service policy group to default template since on Linux socketpair
    only supports AF_UNIX (LP: #1470995)
  * ubuntu-core/default: allow ixr of openssl (LP: #1480366)

 -- Jamie Strandboge <jamie@ubuntu.com>  Fri, 31 Jul 2015 15:35:43 -0500

ubuntu-core-security (15.10.8) wily; urgency=medium

  * debian/control: complete fix for seccomp is now supported on arm64

 -- Jamie Strandboge <jamie@ubuntu.com>  Mon, 13 Jul 2015 09:05:25 -0500

ubuntu-core-security (15.10.7) wily; urgency=medium

  * debian/control: seccomp is now supported on arm64

 -- Jamie Strandboge <jamie@ubuntu.com>  Mon, 13 Jul 2015 08:41:32 -0500

ubuntu-core-security (15.10.6) wily; urgency=medium

  [ John Lenton ]
  * sc-logresolve:
    - show usage if -h or --help is given
    - drop spurious cat
    - use '--' to avoid grep treating logfile as an option

  [ Jamie Strandboge ]
  * add pivot_root to unconfined template
  * debian/ubuntu-core-security-apparmor.post{inst,rm}: use the correct
    package name
  * apparmor/default:
    - allow apps from the same package to communicate with each other via an
      abstract or anonymous socket
    - allow apps from the same package to signal each other via signals

 -- Jamie Strandboge <jamie@ubuntu.com>  Fri, 10 Jul 2015 16:47:49 -0500

ubuntu-core-security (15.10.5) wily; urgency=medium

  * bin/snappy-security:
    - add -i option for more info
    - 'better' detect if running on actual snappy system

 -- Jamie Strandboge <jamie@ubuntu.com>  Wed, 10 Jun 2015 17:32:25 -0500

ubuntu-core-security (15.10.4) wily; urgency=low

  [ Michael Vogt ]
  * allow /tmp access now that the ubuntu-core-launcher creates a private /tmp
    for each snap

 -- Jamie Strandboge <jamie@ubuntu.com>  Mon, 08 Jun 2015 15:06:00 -0500

ubuntu-core-security (15.10.3) wily; urgency=medium

  * apparmor/default: allow xargs (LP: #1461243)

 -- Jamie Strandboge <jamie@ubuntu.com>  Tue, 02 Jun 2015 15:57:31 -0500

ubuntu-core-security (15.10.2) wily; urgency=medium

  * seccomp/default: allow setpgid and setpgrp (they are commonly used and
    can't be mediated via arg filtering)

 -- Jamie Strandboge <jamie@ubuntu.com>  Fri, 29 May 2015 11:59:10 -0500

ubuntu-core-security (15.10.1) wily; urgency=medium

  * seccomp/network-*: add comment on socketcall (but continue to disallow it)
  * seccomp/default:
    - continue to disallow but add comments for: fanotify_init, fanotify_mark,
      ioprio_set, mq_*, and nice
    - remove nonexistent 'wait' syscall (there is only 'wait4', which we
      already have)
    - allow the following: get_mempolicy, get_thread_area, inotify_*, llseek,
      mbind, prlimit64, set_mempolicy, ustat, syncfs, oldwait4, writev
    - continue to allow sched_setscheduler but add comment that we should do
      syscall arg filtering when LP: 1446748 is implemented
  * apparmor/default:
    - allow exec of logger (we already allow writing to /dev/log)
    - add attach_disconnected for default policy in preparation of new /tmp
      handling
  * add 'debian/make-new-version.sh 15.04 15.10' and update autopkgtests
  * sc-filtergen: handle float stripping off trailing 0 when loading/dumping
    yaml floats

 -- Jamie Strandboge <jamie@ubuntu.com>  Thu, 21 May 2015 16:26:42 -0500

ubuntu-core-security (15.04.11) vivid; urgency=medium

  * seccomp/default:
    - add ARM private syscalls: breakpoint, cacheflush, set_tls, usr26, usr32
    - add getrandom, ugetrlimit, sched_getattr, sched_rr_get_interval
    - add getxattr, setxattr and listxattr family of calls

 -- Jamie Strandboge <jamie@ubuntu.com>  Wed, 22 Apr 2015 16:48:28 -0500

ubuntu-core-security (15.04.10) vivid; urgency=medium

  * seccomp/default: allow futimesat, utime, utimensat, and utimes
  * apparmor/default: revert /dev/** change. Snappy will instead maintain
    click-apparmor .additional files for these (and add the access only if
    cgroups restrictions are in effect)
  * allow 'udevadm trigger --verbose --dry-run --tag-match=snappy-assign'.
    Access for using '--property-match=SNAPPY_APP=<pkgname>' will be handled
    elsewhere for now

 -- Jamie Strandboge <jamie@ubuntu.com>  Wed, 22 Apr 2015 10:22:04 -0500

ubuntu-core-security (15.04.9) vivid; urgency=medium

  * apparmor/default: also allow reads on /dev/ now that the device cgroup
    only contains the devices specific to this app

 -- Jamie Strandboge <jamie@ubuntu.com>  Wed, 22 Apr 2015 05:53:11 -0500

ubuntu-core-security (15.04.8) vivid; urgency=medium

  * debian/control: ubuntu-core-security-utils Depends on python3-yaml

 -- Jamie Strandboge <jamie@ubuntu.com>  Tue, 21 Apr 2015 20:46:44 -0500

ubuntu-core-security (15.04.7) vivid; urgency=medium

  * seccomp/default:
    - add clock_getres, clock_gettime and clock_nanosleep
    - add statfs, statfs64, fstatfs and fstatfs64
    - remove rarely used NUMA memory syscalls
    - remove restart_syscall (only to be used by the kernel) and uselib (not
      used on modern systems)
    - explicitly kernel keyring syscalls
  * debian/README.seccomp: add switch_endian to list (added since last time
    for powerpc)

 -- Jamie Strandboge <jamie@ubuntu.com>  Tue, 21 Apr 2015 18:38:49 -0500

ubuntu-core-security (15.04.6) vivid; urgency=medium

  * add capget to default seccomp policy
  * explicitly deny umount in apparmor and seccomp default policy
  * explicitly deny remount in the apparmor default policy

 -- Jamie Strandboge <jamie@ubuntu.com>  Tue, 21 Apr 2015 15:18:28 -0500

ubuntu-core-security (15.04.5) vivid; urgency=medium

  * add statvfs (and fstatvfs) needed by 'sed'
  * adjust default policy to allow /dev/[^s][^h][^m]** since we will be using
    cgroups to enforce hardware restrictions until LP: 1444679 is implemented
    in apparmor
  * network-client and network-service actually should have all the same
    syscalls except: network-service has socketpair. When LP: 1446748 is
    implemented we can use syscall arg filtering to make 'socket' more
    fine-grained
  * debian/control: Conflicts, not Breaks on apparmor-easyprof-ubuntu-snappy

 -- Jamie Strandboge <jamie@ubuntu.com>  Tue, 21 Apr 2015 07:52:22 -0500

ubuntu-core-security (15.04.4) vivid; urgency=medium

  * explicitly deny mount and mknod too
  * add some missing syscalls: eventfd, eventfd2, exit, ftime, get_mempolicy,
    get_robust_list, ipc, mremap, msgctl, msgget, msgrcv, msgsnd,
    restart_syscall, rt_sigqueueinfo, rt_tgsigqueueinfo, set_thread_area,
    signal, sigaction, sigaltstack, sigpending, sigprocmask, sigreturn and
    sigsuspend to seccomp default policy

 -- Jamie Strandboge <jamie@ubuntu.com>  Mon, 20 Apr 2015 14:35:59 -0500

ubuntu-core-security (15.04.3) vivid; urgency=medium

  * explicitly deny ptrace (trace) in the policy since it currently allows
    breaking out of seccomp sandbox
  * correct path to policy groups for --include-policy-dir

 -- Jamie Strandboge <jamie@ubuntu.com>  Tue, 14 Apr 2015 18:04:22 -0500

ubuntu-core-security (15.04.2) vivid; urgency=medium

  * update autopkgtests to include compatibility templates and policy groups
  * debian/control:
    - don't Build-Depends on seccomp (it is not needed at this time)
    - adjust ubuntu-core-security-seccomp to not Depends on seccomp (it only
      ships data files)
    - adjust ubuntu-core-security-utils to Depends on seccomp for amd64, i386
      and armhf
  * update default apparmor policy to allow running /usr/bin/ldd
  * add app-specific rules for access to /{dev,run}/shm (LP: #1443612)

 -- Jamie Strandboge <jamie@ubuntu.com>  Fri, 10 Apr 2015 17:06:11 -0500

ubuntu-core-security (15.04.1) vivid; urgency=medium

  * Initial release. It provides:
    - the apparmor policies for Ubuntu Core
    - the seccomp policies for Ubuntu Core
    - various utilities including sc-filtergen for generating template-based
      seccomp filters
    - replaces apparmor-easyprof-ubuntu-snappy and sets up compatibility
      symlinks which can be dropped when packages stop using them

 -- Jamie Strandboge <jamie@ubuntu.com>  Thu, 09 Apr 2015 22:32:20 -0500
