snap-confine

lp://qastaging/~snappy-dev/snap-confine/ubuntu-core-launcher.xenial

Created by Jamie Strandboge on 2016-04-29 and last modified on 2016-04-29

Get this branch:: bzr branch lp://qastaging/~snappy-dev/snap-confine/ubuntu-core-launcher.xenial

Members of Snappy Developers can upload to this branch. Log in for directions.

Branch merges

No branches dependent on this one.

Related bugs

Link a bug report

Related blueprints

Branch information

Owner:: Snappy Developers

Project:: snap-confine

Status:: Development

Recent revisions

134. By Jamie Strandboge on 2016-04-29

Merge from trunk:

* SECURITY UPDATE: delayed attack snap data theft and privilege escalation
  when using Snappy on traditional Ubuntu (classic) systems (LP: #1576699)
  - src/main.c: remove glob code and hardcode /snap/ubuntu-core/current
    instead. The glob code both used an improper glob and performed an
    incorrect check due to a typo which allowed a snap named ubuntu-core-...
    to be bind mounted into application runtimes instead of the ubuntu-core
    OS snap. Ubuntu Core removed .<origin> and .sideload from the SNAP path
    so the glob can simply be dropped.
  - CVE-2016-1580
* debian/usr.bin.ubuntu-core-launcher:
  - only allow mounting /snap/ubuntu-core/*/... to safeguard against this in
    the future
  - add lib32 and libx32 to match setup_snappy_os_mounts()

133. By Jamie Strandboge on 2016-04-15

release 1.0.27

132. By Jamie Strandboge on 2016-04-15

- make whitelist_re strictly follow the 16.04 specification and adjust
testsuite accordingly

131. By Jamie Strandboge on 2016-04-15

src/main.c: don't prepend snap. or snap_ since snapd is doing that for us
now (LP: #1571048)

130. By Jamie Strandboge on 2016-04-15

release 1.0.26

129. By Jamie Strandboge on 2016-04-15

src/main.c: allow caps in appname (LP: #1570914)

128. By Michael Vogt on 2016-04-15

releasing package ubuntu-core-launcher version 1.0.25.1

127. By Michael Vogt on 2016-04-15

check for both src and dst mount points when doing the
ubuntu-core overlay mounts (LP: #1570712)

126. By Jamie Strandboge on 2016-04-14

release 1.0.25

125. By Jamie Strandboge on 2016-04-14

* update cgroup handling for 16.04 (LP: #1564401):
  - debian/usr.bin.ubuntu-core-launcher:
    + allow creating cgroups with snap.*
    + allow ixr of 'tr'
    + remove access to /var/lib/apparmor/clicks/
  - update README to more fully explain the cgroups implementation
  - src/80-snappy-assign.rules: append an app-specific tag instead of
    adding a generic tag and snap-specific property
  - src/snappy-app-dev: convert the new tag to the directory name
  - src/main.c:
    + refactor and simplify control flow to query udev for device assignment
      instead of searching apparmor policy for a specific string
    + adjust udev query for app-specific tag
    + raise real_uid after fork() before calling /lib/udev/snappy-app-dev
      so non-root app launches work with the device cgroup

Branch metadata

Branch format:: Branch format 7

Repository format:: Bazaar repository format 2a (needs bzr 1.16 or later)

Stacked on:: lp://qastaging/~snappy-dev/snap-confine/trunk

This branch contains Public information

Everyone can see this information.

Subscribers

Snappy Developers