
Paste from zyga at Wed, 7 Sep 2016 15:19:16 +0000

diff -Nru snap-confine-1.0.38/debian/changelog snap-confine-1.0.38/debian/changelog
--- snap-confine-1.0.38/debian/changelog	2016-08-25 12:21:21.000000000 +0200
+++ snap-confine-1.0.38/debian/changelog	2016-09-07 17:17:40.000000000 +0200
@@ -1,3 +1,10 @@
+snap-confine (1.0.38-0ubuntu0.16.04.10~ppa2) xenial; urgency=medium
+
+  * debian/usr.lib.snapd.snap-confine:
+    - update apparmor profile to allow execution of snap-exec (LP: #1621127)
+
+ -- Zygmunt Krynicki <zygmunt.krynicki@canonical.com>  Wed, 07 Sep 2016 17:16:58 +0200
+
 snap-confine (1.0.38-0ubuntu0.16.04.10~ppa1) xenial; urgency=medium
 
   * ppa upload
diff -Nru snap-confine-1.0.38/debian/usr.lib.snapd.snap-confine snap-confine-1.0.38/debian/usr.lib.snapd.snap-confine
--- snap-confine-1.0.38/debian/usr.lib.snapd.snap-confine	2016-08-24 21:37:24.000000000 +0200
+++ snap-confine-1.0.38/debian/usr.lib.snapd.snap-confine	2016-09-07 17:10:41.000000000 +0200
@@ -21,6 +21,8 @@
     /usr/lib/@{multiarch}/libseccomp.so* mr,
     /lib/@{multiarch}/libseccomp.so* mr,
 
+    @{PROC}/@{pid}/auxv r,
+
     /usr/lib/snapd/snap-confine r,
 
     /dev/null rw,
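Review bot: The new `@{PROC}/@{pid}/auxv r,` rule has no comment, and the changelog entry only mentions snap-exec, so the reason for this extra read permission is not recorded anywhere. `@{pid}` matches any numeric pid rather than only snap-confine's own, so the rule reads broader than "own auxv", with the kernel's own checks on /proc presumably still applying. I would add a line above it such as `# <component> reads the auxiliary vector at startup; @{pid} cannot be limited to self`, with the component named once it is confirmed. The profile's opening and closing lie outside this hunk.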
@@ -55,23 +57,23 @@
 
     # don't allow changing profile to unconfined or profiles that start with
     # '/'
-    change_profile -> [^u/]**,
-    change_profile -> u[^n]**,
-    change_profile -> un[^c]**,
-    change_profile -> unc[^o]**,
-    change_profile -> unco[^n]**,
-    change_profile -> uncon[^f]**,
-    change_profile -> unconf[^i]**,
-    change_profile -> unconfi[^n]**,
-    change_profile -> unconfin[^e]**,
-    change_profile -> unconfine[^d]**,
-    change_profile -> unconfined?**,
+    change_profile unsafe /** -> [^u/]**,
+    change_profile unsafe /** -> u[^n]**,
+    change_profile unsafe /** -> un[^c]**,
+    change_profile unsafe /** -> unc[^o]**,
+    change_profile unsafe /** -> unco[^n]**,
+    change_profile unsafe /** -> uncon[^f]**,
+    change_profile unsafe /** -> unconf[^i]**,
+    change_profile unsafe /** -> unconfi[^n]**,
+    change_profile unsafe /** -> unconfin[^e]**,
+    change_profile unsafe /** -> unconfine[^d]**,
+    change_profile unsafe /** -> unconfined?**,
     # allow changing to a few not caught above
-    change_profile -> {u,un,unc,unco,uncon,unconf,unconfi,unconfin,unconfine},
+    change_profile unsafe /** -> {u,un,unc,unco,uncon,unconf,unconfi,unconfin,unconfine},
 
     # LP: #1446794 - when this bug is fixed, change the above to:
-    # deny change_profile -> {unconfined,/**},
-    # change_profile -> **,
+    # deny change_profile unsafe /** -> {unconfined,/**},
+    # change_profile unsafe /** -> **,
 
     # reading seccomp filters
     /{tmp/snap.rootfs_*/,}var/lib/snapd/seccomp/profiles/* r,
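Review bot: The `unsafe` exec mode added to every `change_profile` rule is not explained in the profile, and its exec condition `/**` is wider than the changelog's stated goal of allowing snap-exec to run. With `unsafe`, AppArmor does not request secure-execution (AT_SECURE) on the transition, so loader-affecting environment variables reach the target profile exactly as snap-confine passes them; sanitising the environment becomes snap-confine's own job. I would add a comment above the block such as `# unsafe: no environment scrubbing on exec transition; snap-confine must sanitise the environment itself`. If snap-exec is the only binary executed at this point, `/**` could be replaced by that binary's path. The commented-out future form (`deny change_profile unsafe /** -> ...`) should also be checked against the parser, since an exec mode on a deny rule may not be accepted.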