lp://qastaging/~snappy-dev/snap-confine/ubuntu-core-launcher.xenial
- Get this branch:
- bzr branch lp://qastaging/~snappy-dev/snap-confine/ubuntu-core-launcher.xenial
Branch information
Recent revisions
- 134. By Jamie Strandboge
Merge from trunk:
* SECURITY UPDATE: delayed attack snap data theft and privilege escalation
when using Snappy on traditional Ubuntu (classic) systems (LP: #1576699)
- src/main.c: remove glob code and hardcode /snap/ubuntu-core/current
instead. The glob code both used an improper glob and performed an
incorrect check due to a typo which allowed a snap named ubuntu-core-...
to be bind mounted into application runtimes instead of the ubuntu-core
OS snap. Ubuntu Core removed .<origin> and .sideload from the SNAP path
so the glob can simply be dropped.
- CVE-2016-1580
* debian/usr.bin.ubuntu-core-launcher:
- only allow mounting /snap/ubuntu-core/*/... to safeguard against this in
the future
- add lib32 and libx32 to match setup_snappy_os_mounts()
- 132. By Jamie Strandboge
- make whitelist_re strictly follow the 16.04 specification and adjust
testsuite accordingly
- 131. By Jamie Strandboge
src/main.c: don't prepend snap. or snap_ since snapd is doing that for us
now (LP: #1571048)
- 127. By Michael Vogt
check for both src and dst mount points when doing the
ubuntu-core overlay mounts (LP: #1570712)
- 125. By Jamie Strandboge
* update cgroup handling for 16.04 (LP: #1564401):
- debian/usr.bin.ubuntu-core-launcher:
+ allow creating cgroups with snap.*
+ allow ixr of 'tr'
+ remove access to /var/lib/apparmor/clicks/
- update README to more fully explain the cgroups implementation
- src/80-snappy-assign.rules: append an app-specific tag instead of
adding a generic tag and snap-specific property
- src/snappy-app-dev: convert the new tag to the directory name
- src/main.c:
+ refactor and simplify control flow to query udev for device assignment
instead of searching apparmor policy for a specific string
+ adjust udev query for app-specific tag
+ raise real_uid after fork() before calling /lib/udev/snappy-app-dev
so non-root app launches work with the device cgroup
Branch metadata
- Branch format:
- Branch format 7
- Repository format:
- Bazaar repository format 2a (needs bzr 1.16 or later)
- Stacked on:
- lp://qastaging/~snappy-dev/snap-confine/trunk