246 | diff -Nru ubuntu-core-security-15.04.11/data/apparmor/templates/ubuntu-core/15.04/default ubuntu-core-security-15.04.12/data/apparmor/templates/ubuntu-core/15.04/default
--- ubuntu-core-security-15.04.11/data/apparmor/templates/ubuntu-core/15.04/default 2015-04-22 11:43:52.000000000 -0500
+++ ubuntu-core-security-15.04.12/data/apparmor/templates/ubuntu-core/15.04/default 2015-04-27 11:48:03.000000000 -0500
@@ -77,6 +77,7 @@
/{,usr/}bin/ln ixr,
/{,usr/}bin/line ixr,
/{,usr/}bin/link ixr,
+ /{,usr/}bin/logger ixr,
/{,usr/}bin/ls ixr,
/{,usr/}bin/md5sum ixr,
/{,usr/}bin/mkdir ixr,
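Review bot: The new `/{,usr/}bin/logger ixr,` rule carries no rationale, and logger(1) is not only a /dev/log client: with `-n`/`--server`, `--udp` or `--tcp` it opens network sockets, so under an inherited (`ix`) profile its reach is whatever the app's AppArmor rules and seccomp network policy groups already permit. That is probably the intent (the changelog only mentions /dev/log), but it is worth stating so nobody later assumes logger is bounded to the local socket, e.g. `# logger(1): syslog via /dev/log (allowed elsewhere in this template); its --server/--udp/--tcp modes are bounded by the app's network policy`. The surrounding exec rule list continues outside the hunk.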
diff -Nru ubuntu-core-security-15.04.11/data/seccomp/policygroups/ubuntu-core/15.04/network-client ubuntu-core-security-15.04.12/data/seccomp/policygroups/ubuntu-core/15.04/network-client
--- ubuntu-core-security-15.04.11/data/seccomp/policygroups/ubuntu-core/15.04/network-client 2015-04-21 11:39:56.000000000 -0500
+++ ubuntu-core-security-15.04.12/data/seccomp/policygroups/ubuntu-core/15.04/network-client 2015-04-24 11:15:31.000000000 -0500
@@ -21,3 +21,9 @@
# LP: #1446748 - limit this to AF_UNIX/AF_LOCAL and perhaps AF_NETLINK
socket
+
+# This is an older interface and single entry point that can be used instead
+# of socket(), bind(), connect(), etc individually. While we could allow it,
+# we wouldn't be able to properly arg filter socketcall for AF_INET/AF_INET6
+# when LP: #1446748 is implemented.
+#socketcall
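Review bot: Leaving `socketcall` disallowed while allowing `socket` is only equivalent on architectures that have the direct socket syscalls; on i386 kernels of this era (and ARM OABI, which the README notes is obsolete) glibc implements socket()/connect()/bind() solely through socketcall(2), so this policy group would most likely fail with EPERM there. If i386 is a supported target for this template, either socketcall needs to be allowed (its first argument, the SYS_* call number, is a scalar that can be filtered once LP: #1446748 lands) or the comment should record that i386 is deliberately unsupported. Suggested addition to the new comment: `# NOTE: on i386 glibc uses socketcall() for all socket ops, so this group is non-functional there until socketcall is allowed`.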
diff -Nru ubuntu-core-security-15.04.11/data/seccomp/policygroups/ubuntu-core/15.04/network-service ubuntu-core-security-15.04.12/data/seccomp/policygroups/ubuntu-core/15.04/network-service
--- ubuntu-core-security-15.04.11/data/seccomp/policygroups/ubuntu-core/15.04/network-service 2015-04-21 11:40:36.000000000 -0500
+++ ubuntu-core-security-15.04.12/data/seccomp/policygroups/ubuntu-core/15.04/network-service 2015-04-24 11:14:37.000000000 -0500
@@ -24,3 +24,9 @@
# LP: #1446748 - limit this to AF_INET/AF_INET6 and possibly others not
# included in network-client
socket
+
+# This is an older interface and single entry point that can be used instead
+# of socket(), bind(), connect(), etc individually. While we could allow it,
+# we wouldn't be able to properly arg filter socketcall for AF_INET/AF_INET6
+# when LP: #1446748 is implemented.
+#socketcall
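Review bot: The new comment's claim that socketcall cannot be properly arg-filtered is right but would be clearer about why, since the call number is filterable and only the socket family is not. socketcall(2) takes the SYS_* call number as an integer argument, which seccomp can match, but socket()'s family/type/protocol arrive through a user-space `args` array that a BPF filter cannot dereference. Suggested wording: `# socketcall's first arg (the SYS_* call number) could be filtered, but the AF_* family lives in a user-space args array that seccomp cannot inspect`.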
diff -Nru ubuntu-core-security-15.04.11/data/seccomp/policygroups/ubuntu-core/15.04/networking ubuntu-core-security-15.04.12/data/seccomp/policygroups/ubuntu-core/15.04/networking
--- ubuntu-core-security-15.04.11/data/seccomp/policygroups/ubuntu-core/15.04/networking 2015-04-21 11:39:56.000000000 -0500
+++ ubuntu-core-security-15.04.12/data/seccomp/policygroups/ubuntu-core/15.04/networking 2015-04-24 11:15:31.000000000 -0500
@@ -21,3 +21,9 @@
# LP: #1446748 - limit this to AF_UNIX/AF_LOCAL and perhaps AF_NETLINK
socket
+
+# This is an older interface and single entry point that can be used instead
+# of socket(), bind(), connect(), etc individually. While we could allow it,
+# we wouldn't be able to properly arg filter socketcall for AF_INET/AF_INET6
+# when LP: #1446748 is implemented.
+#socketcall
diff -Nru ubuntu-core-security-15.04.11/data/seccomp/templates/ubuntu-core/15.04/default ubuntu-core-security-15.04.12/data/seccomp/templates/ubuntu-core/15.04/default
--- ubuntu-core-security-15.04.11/data/seccomp/templates/ubuntu-core/15.04/default 2015-04-22 16:57:43.000000000 -0500
+++ ubuntu-core-security-15.04.12/data/seccomp/templates/ubuntu-core/15.04/default 2015-04-27 15:02:20.000000000 -0500
@@ -13,7 +13,9 @@
deny finit_module
deny delete_module
-# these have a history of vulnerabilities and are not widely used
+# these have a history of vulnerabilities, are not widely used, and
+# open_by_handle_at has been used to break out of docker containers by brute
+# forcing the handle value: http://stealth.openwall.net/xSports/shocker.c
deny name_to_handle_at
deny open_by_handle_at
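Review bot: The new rationale for `deny open_by_handle_at` cites the docker breakout but omits that the call also requires CAP_DAC_READ_SEARCH, which is what made shocker.c work in containers that were granted it; apps under this template presumably lack that capability, so the deny is defense in depth rather than the only barrier. Saying so keeps a future reader from concluding the deny is the sole control, or conversely that it is redundant. Suggested addition to the comment: `# open_by_handle_at also needs CAP_DAC_READ_SEARCH (which apps shouldn't have); the deny is defense in depth`.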
@@ -96,13 +98,20 @@
exit
exit_group
fallocate
+
+# requires CAP_SYS_ADMIN
+#fanotify_init
+#fanotify_mark
+
fcntl
fcntl64
flock
fork
ftime
futex
+get_mempolicy
get_robust_list
+get_thread_area
getcpu
getcwd
getdents
@@ -141,6 +150,11 @@
fgetxattr
lgetxattr
+inotify_add_watch
+inotify_init
+inotify_init1
+inotify_rm_watch
+
# Needed by shell
ioctl
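Review bot: The newly allowed `inotify_add_watch` takes a path but never open()s it, so AppArmor's path-based file rules most likely do not gate which files an app can watch; only DAC read permission on the target inode applies, which could let a confined app observe activity on any world-readable path outside its profile. That is the same class of concern this patch records for mq_* under LP: #1448184, so it deserves either a matching bug reference or an explicit statement that the exposure is accepted. Suggested comment above the four inotify lines: `# NOTE: inotify_add_watch does not open() the path, so AppArmor file rules may not mediate it; only DAC read permission gates what can be watched (verify, cf. LP: #1448184)`.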
@@ -150,6 +164,9 @@
io_setup
io_submit
ioprio_get
+# affects other processes, requires CAP_SYS_ADMIN. Potentially allow with
+# syscall filtering of (at least) IOPRIO_WHO_USER (LP: #1446748)
+#ioprio_set
ipc
kill
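Review bot: The new `# affects other processes, requires CAP_SYS_ADMIN` comment on `ioprio_set` overstates the privilege: in the kernel only IOPRIO_CLASS_RT requires CAP_SYS_ADMIN, while lowering one's own process to BE/IDLE needs no capability, and targeting other users' processes is gated by uid match or CAP_SYS_NICE. Keeping it denied is reasonable, but the recorded reason should be the cross-process reach (IOPRIO_WHO_PGRP/IOPRIO_WHO_USER), otherwise someone may later "fix" the comment by allowing it outright. Suggested wording: `# can target other same-uid processes (IOPRIO_WHO_PGRP/USER); only IOPRIO_CLASS_RT needs CAP_SYS_ADMIN. Allow with arg filtering on IOPRIO_WHO_PROCESS/pid 0 (LP: #1446748)`.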
@@ -161,6 +178,7 @@
flistxattr
lseek
+llseek
_llseek
lstat
lstat64
@@ -170,6 +188,7 @@
fadvise64_64
arm_fadvise64_64
+mbind
mincore
mkdir
mkdirat
@@ -178,6 +197,15 @@
mmap
mmap2
mprotect
+
+# LP: #1448184 - these aren't currently mediated by AppArmor. Deny for now
+#mq_getsetattr
+#mq_notify
+#mq_open
+#mq_timedreceive
+#mq_timedsend
+#mq_unlink
+
mremap
msgctl
msgget
@@ -190,6 +218,11 @@
nanosleep
+# LP: #1446748 - deny until we have syscall arg filtering. Alternatively, set
+# RLIMIT_NICE hard limit for apps, launch them under an appropriate nice value
+# and allow this call
+#nice
+
# LP: #1446748 - support syscall arg filtering for mode_t with O_CREAT
open
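Review bot: Denying `nice` only helps if `setpriority` is treated the same way, which this hunk does not show: glibc's nice(3) is implemented on top of setpriority(2) on every Linux architecture (x86_64 has no `nice` syscall at all), so an app can reach the identical effect through setpriority if that call is allowed elsewhere in the template. The RLIMIT_NICE alternative mentioned in the new comment covers both calls and is the more robust route. Suggested addition: `# nice(3) in glibc is setpriority(2) underneath; whatever is decided here must match the setpriority entry`.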
@@ -244,7 +277,10 @@
sched_get_priority_min
sched_getscheduler
sched_rr_get_interval
+# LP: #1446748 - when support syscall arg filtering, enforce pid_t is 0 so the
+# app may only change its own scheduler
sched_setscheduler
+
sched_yield
select
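Review bot: The new comment on `sched_setscheduler` proposes enforcing pid 0, but the same cross-process concern applies to sched_setparam and (since Linux 3.14) sched_setattr, which are not visible in this hunk and should carry the same note or be denied until arg filtering exists. It is also worth recording that moving to SCHED_FIFO/SCHED_RR already needs CAP_SYS_NICE or RLIMIT_RTPRIO headroom, so the pid check addresses a different process being reniced, not privilege escalation. Suggested addition: `# same applies to sched_setparam and sched_setattr; RT classes additionally require CAP_SYS_NICE or RLIMIT_RTPRIO`.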
@@ -281,7 +317,13 @@
set_thread_area
setitimer
+
+# apps don't have CAP_SYS_RESOURCE so these can't be abused to raise the hard
+# limits
setrlimit
+prlimit64
+
+set_mempolicy
set_robust_list
setsid
set_tid_address
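Review bot: The new `prlimit64` entry and its comment address raising hard limits but not the pid argument: prlimit64 can act on another process, and the kernel permits that without CAP_SYS_RESOURCE whenever the target shares the caller's uid/gid, so a confined app could lower the limits of any same-uid process that AppArmor's rlimit mediation does not otherwise block. Whether that matters depends on how apps are uid-separated here, which this hunk does not show, so it should at least be tracked alongside the other pid-0 candidates. Suggested addition to the comment: `# prlimit64 takes a pid; restrict to 0 (self) when LP: #1446748 lands, as same-uid targets need no capability`.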
@@ -324,6 +366,7 @@
fstatfs64
statvfs
fstatvfs
+ustat
symlink
symlinkat
@@ -334,7 +377,7 @@
arm_sync_file_range
fdatasync
fsync
-
+syncfs
sysinfo
syslog
tee
@@ -372,12 +415,13 @@
vfork
vmsplice
-wait
wait4
+oldwait4
waitpid
waitid
write
+writev
pwrite
pwrite64
pwritev
diff -Nru ubuntu-core-security-15.04.11/debian/README.seccomp ubuntu-core-security-15.04.12/debian/README.seccomp
--- ubuntu-core-security-15.04.11/debian/README.seccomp 2015-04-22 16:34:36.000000000 -0500
+++ ubuntu-core-security-15.04.12/debian/README.seccomp 2015-04-27 15:01:50.000000000 -0500
@@ -9,6 +9,10 @@
for i in `find . -name "unistd*.h"|grep gnu` ; do egrep '^#define .*_NR_([a-z0-9_\-]*)' $i | awk '{print $2}' | sed 's/.*_NR_//' ; done|sort -u
+NOTE: syscall() isn't actually a syscall, it is a glibc wrapping to reference
+a syscall by number (therefore, it should be omitted from filter policy). ARM
+OABI did define this, but it has been obsoleted in EABI.
+
IMPORTANT:
__ARM_NR_... defines the following 5 private ARM syscalls that were not
included in seccomp and have to be manually patched in (until upstream):
diff -Nru ubuntu-core-security-15.04.11/debian/changelog ubuntu-core-security-15.04.12/debian/changelog
--- ubuntu-core-security-15.04.11/debian/changelog 2015-04-22 17:07:59.000000000 -0500
+++ ubuntu-core-security-15.04.12/debian/changelog 2015-04-27 15:17:34.000000000 -0500
@@ -1,3 +1,20 @@
+ubuntu-core-security (15.04.12) vivid-proposed; urgency=medium
+
+ * seccomp/network-*: add comment on socketcall (but continue to disallow it)
+ * seccomp/default:
+ - continue to disallow but add comments for: fanotify_init, fanotify_mark,
+ ioprio_set, mq_*, and nice
+ - remove nonexistent 'wait' syscall (there is only 'wait4', which we
+ already have)
+ - allow the following: get_mempolicy, get_thread_area, inotify_*, llseek,
+ mbind, prlimit64, set_mempolicy, ustat, syncfs, oldwait4, writev
+ - continue to allow sched_setscheduler but add comment that we should do
+ syscall arg filtering when LP: 1446748 is implemented
+ * apparmor/default: allow exec of logger (we already allow writing to
+ /dev/log)
+
+ -- Jamie Strandboge <jamie@ubuntu.com> Mon, 27 Apr 2015 15:17:27 -0500
+
ubuntu-core-security (15.04.11) vivid; urgency=medium
* seccomp/default: