mkdir -p './apm/event.d'
mkdir -p './apparmor.d/force-complain'
mkdir -p './apt/auth.conf.d'
-mkdir -p './apt/preferences.d'
mkdir -p './binfmt.d'
mkdir -p './ca-certificates/update.d'
mkdir -p './clamav/onerrorexecute.d'
maybe chmod 0644 'apache2/mods-available/proxy_ajp.load'
maybe chmod 0644 'apache2/mods-available/proxy_balancer.conf'
maybe chmod 0644 'apache2/mods-available/proxy_balancer.load'
+maybe chmod 0644 'apache2/mods-available/proxy_connect.conf'
maybe chmod 0644 'apache2/mods-available/proxy_connect.load'
maybe chmod 0644 'apache2/mods-available/proxy_express.load'
maybe chmod 0644 'apache2/mods-available/proxy_fcgi.load'
maybe chmod 0644 'apparmor.d/local/lsb_release'
maybe chmod 0644 'apparmor.d/local/nvidia_modprobe'
maybe chmod 0644 'apparmor.d/local/sbin.dhclient'
+maybe chmod 0644 'apparmor.d/local/ubuntu_pro_apt_news'
maybe chmod 0644 'apparmor.d/local/usr.bin.freshclam'
maybe chmod 0644 'apparmor.d/local/usr.bin.man'
maybe chmod 0644 'apparmor.d/local/usr.lib.ipsec.charon'
maybe chmod 0644 'apparmor.d/tunables/xdg-user-dirs'
maybe chmod 0755 'apparmor.d/tunables/xdg-user-dirs.d'
maybe chmod 0644 'apparmor.d/tunables/xdg-user-dirs.d/site.local'
+maybe chmod 0644 'apparmor.d/ubuntu_pro_apt_news'
maybe chmod 0644 'apparmor.d/usr.bin.freshclam'
maybe chmod 0644 'apparmor.d/usr.bin.man'
maybe chmod 0644 'apparmor.d/usr.lib.ipsec.charon'
maybe chmod 0644 'apt/apt.conf.d/70debconf'
maybe chmod 0755 'apt/auth.conf.d'
maybe chmod 0755 'apt/preferences.d'
+maybe chmod 0644 'apt/preferences.d/ubuntu-pro-esm-apps'
+maybe chmod 0644 'apt/preferences.d/ubuntu-pro-esm-infra'
maybe chmod 0644 'apt/sources.list'
maybe chmod 0755 'apt/sources.list.d'
maybe chmod 0644 'apt/sources.list.d/apache2.list'
maybe chmod 0644 'apt/sources.list.distUpgrade'
maybe chmod 0644 'apt/trusted.gpg'
maybe chmod 0755 'apt/trusted.gpg.d'
+maybe chmod 0644 'apt/trusted.gpg.d/debsuryorg-archive.gpg'
maybe chmod 0644 'apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg'
maybe chmod 0644 'apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg'
maybe chmod 0644 'apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg'
maybe chmod 0644 'ldap/schema/amavis.schema'
maybe chmod 0644 'legal'
maybe chmod 0755 'letsencrypt'
+maybe chmod 0600 'letsencrypt/.certbot.lock'
maybe chmod 0644 'letsencrypt/.updated-options-ssl-apache-conf-digest.txt'
maybe chmod 0700 'letsencrypt/accounts'
maybe chmod 0700 'letsencrypt/accounts/acme-staging-v02.api.letsencrypt.org'
maybe chmod 0644 'logrotate.d/redis-server'
maybe chmod 0644 'logrotate.d/rsnapshot'
maybe chmod 0644 'logrotate.d/rsyslog'
-maybe chmod 0644 'logrotate.d/ubuntu-advantage-tools'
+maybe chmod 0644 'logrotate.d/ubuntu-pro-client'
maybe chmod 0644 'logrotate.d/ufw'
maybe chmod 0644 'logrotate.d/wtmp'
maybe chmod 0755 'loolwsd'
maybe chmod 0644 'tmpfiles.d/screen-cleanup.conf'
maybe chmod 0644 'turnserver.conf'
maybe chmod 0755 'ubuntu-advantage'
-maybe chmod 0644 'ubuntu-advantage/help_data.yaml'
maybe chmod 0644 'ubuntu-advantage/uaclient.conf'
maybe chmod 0644 'ucf.conf'
maybe chmod 0755 'udev'
--- /dev/null
+# Avoid having open-proxy when one vhost uses proxy_connect
+# See https://bugs.debian.org/1054564 for more
+AllowCONNECT 0
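Review bot: `AllowCONNECT 0` addresses only CONNECT tunnelling; it does nothing for a vhost that sets `ProxyRequests On`, which still forwards plain GET/POST requests to arbitrary hosts, and a vhost that declares its own `AllowCONNECT` list overrides this server-level default because the directive is settable per virtual host. The comment should say what is and is not covered so the file is not read as a complete open-proxy fix, e.g. `# Disables CONNECT tunnelling module-wide; it does not replace ProxyRequests Off (the default) in each vhost.` Note also that this file is only read when proxy_connect is enabled (the paired proxy_connect.load is listed above), so a vhost enabling the module later inherits this default unless it overrides it.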
--- /dev/null
+
+include <tunables/global>
+
+profile ubuntu_pro_apt_news flags=(attach_disconnected) {
+ include <abstractions/base>
+ include <abstractions/nameservice>
+ include <abstractions/openssl>
+ include <abstractions/python>
+
+ # Needed because apt-news calls apt_pkg.init() which tries to
+ # switch to the _apt system user/group.
+ capability setgid,
+ capability setuid,
+ capability dac_read_search,
+
+ /etc/apt/** r,
+ /etc/default/apport r,
+ /etc/ubuntu-advantage/* r,
+ /usr/bin/python3.{1,}[0-9] mrix,
+
+ # "import uuid" in focal triggers an uname call
+ /usr/bin/uname mrix,
+
+ /usr/lib/apt/methods/http mrix,
+ /usr/lib/apt/methods/https mrix,
+ /usr/lib/ubuntu-advantage/apt_news.py r,
+ /usr/share/dpkg/* r,
+ /var/log/ubuntu-advantage.log rw,
+ /var/lib/ubuntu-advantage/** r,
+ /var/lib/ubuntu-advantage/messages/ rw,
+ /var/lib/ubuntu-advantage/messages/* rw,
+ /run/ubuntu-advantage/ rw,
+ /run/ubuntu-advantage/* rw,
+
+ /tmp/** r,
+
+ owner @{PROC}/@{pid}/fd/ r,
+ @{PROC}/@{pid}/cgroup r,
+
+
+}
\ No newline at end of file
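Review bot: `/tmp/** r` together with `capability dac_read_search` lets the confined interpreter read every file under /tmp regardless of owner or mode, which is broader than a news fetcher needs; if the access is for scratch files of its own, `owner /tmp/** r,` or the specific directory is the safer grant. The comment above the capabilities explains setuid/setgid but not dac_read_search, and `/etc/apt/** r` also covers `apt/auth.conf.d/` (present in this tree), so repository credentials are readable by the profile — if apt_pkg does not need them here, a `deny /etc/apt/auth.conf.d/** r,` would tighten it; please confirm against what apt_news.py actually opens. Minor: the file ends without a trailing newline and has a doubled blank line before the closing `}`.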
--- /dev/null
+# This file is used by Ubuntu Pro and supplied by the ubuntu-pro-client
+# package. It has no effect if Ubuntu Pro services are not in use since no
+# other apt repositories are expected to match o=UbuntuESMApps.
+#
+# Pin esm-apps packages to a slightly higher value than the default,
+# so those are preferred over a non-ESM package from the archive when the
+# service is enabled.
+
+Package: *
+Pin: release o=UbuntuESMApps
+Pin-Priority: 510
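Review bot: The comment's assurance that no other repository matches `o=UbuntuESMApps` rests on a self-declared field: `Origin:` is whatever a repository's own Release file says, so any source signed by a key apt trusts can claim it and receive priority 510. That matters here because keys placed in `apt/trusted.gpg.d/` (the listing above adds a third-party `debsuryorg-archive.gpg`) are trusted for every configured source, not only their own; scoping such keys with `Signed-By` in the source entry keeps them from vouching for a repository that advertises this origin. Worth one more line in the comment: 510 is above the archive's 500, so a matching package is chosen even when the archive carries a higher version, while staying below 1000 so apt will not downgrade an already-installed package.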
--- /dev/null
+# This file is used by Ubuntu Pro and supplied by the ubuntu-pro-client
+# package. It has no effect if Ubuntu Pro services are not in use since no
+# other apt repositories are expected to match o=UbuntuESM.
+#
+# Pin esm-infra packages to a slightly higher value than the default,
+# so those are preferred over a non-ESM package from the archive when the
+# service is enabled.
+Package: *
+Pin: release o=UbuntuESM
+Pin-Priority: 510
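Review bot: As with the esm-apps pin, `o=UbuntuESM` is the repository's self-declared Origin, so the 510 priority goes to any source signed by a globally trusted key that advertises it; third-party keys should be scoped with `Signed-By` rather than dropped into `trusted.gpg.d`. Style: this file omits the blank line between the comment block and `Package: *` that the esm-apps sibling keeps; since the two files are maintained as a pair, lay them out identically.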
+++ /dev/null
-# use the root group by default, since this is the owning group
-# of /var/log/ubuntu-advantage*.log files.
-/var/log/ubuntu-advantage*.log {
- su root root
- create 0644 root root
- rotate 6
- monthly
- compress
- delaycompress
- missingok
- notifempty
-}
--- /dev/null
+# use the root group by default, since this is the owning group
+# of /var/log/ubuntu-advantage*.log files.
+/var/log/ubuntu-advantage*.log {
+ su root root
+ create 0644 root root
+ rotate 6
+ monthly
+ compress
+ delaycompress
+ missingok
+ notifempty
+}
+++ /dev/null
-anbox-cloud:
- help: |
- Anbox Cloud lets you stream mobile apps securely, at any scale, to any
- device, letting you focus on your apps. Run Android in system
- containers on public or private clouds with ultra low streaming
- latency. When the anbox-cloud service is enabled, by default, the
- Appliance variant is enabled. Enabling this service allows
- orchestration to provision a PPA with the Anbox Cloud resources. This
- step also configures the Anbox Management Service (AMS) with the
- necessary image server credentials. To learn more about Anbox Cloud,
- see https://anbox-cloud.io
-
-cc-eal:
- help: |
- Common Criteria is an Information Technology Security Evaluation standard
- (ISO/IEC IS 15408) for computer security certification. Ubuntu 16.04 has
- been evaluated to assurance level EAL2 through CSEC. The evaluation was
- performed on Intel x86_64, IBM Power8 and IBM Z hardware platforms.
-
-cis:
- help: |
- Ubuntu Security Guide is a tool for hardening and auditing and allows for
- environment-specific customizations. It enables compliance with profiles
- such as DISA-STIG and the CIS benchmarks. Find out more at
- https://ubuntu.com/security/certifications/docs/usg
-
-
-esm-apps:
- help: |
- Expanded Security Maintenance for Applications is enabled by default
- on entitled workloads. It provides access to a private PPA which includes
- available high and critical CVE fixes for Ubuntu LTS packages in the Ubuntu
- Main and Ubuntu Universe repositories from the Ubuntu LTS release date until
- its end of life. You can find out more about the esm service at
- https://ubuntu.com/security/esm
-
-esm-infra:
- help: |
- Expanded Security Maintenance for Infrastructure provides access
- to a private ppa which includes available high and critical CVE fixes
- for Ubuntu LTS packages in the Ubuntu Main repository between the end
- of the standard Ubuntu LTS security maintenance and its end of life.
- It is enabled by default with Ubuntu Pro. You can find out more about
- the service at https://ubuntu.com/security/esm
-
-fips:
- help: |
- FIPS 140-2 is a set of publicly announced cryptographic standards
- developed by the National Institute of Standards and Technology
- applicable for FedRAMP, HIPAA, PCI and ISO compliance use cases.
- Note that "fips" does not provide security patching. For fips certified
- modules with security patches please refer to fips-updates. The modules
- are certified on Intel x86_64 and IBM Z hardware platforms for Ubuntu
- 18.04 and Intel x86_64, IBM Power8 and IBM Z hardware platforms for
- Ubuntu 16.04. Below is the list of fips certified components per an
- Ubuntu Version. You can find out more at
- https://ubuntu.com/security/certifications#fips
-
-fips-updates:
- help: |
- fips-updates installs fips modules including all security patches
- for those modules that have been provided since their certification date.
- You can find out more at https://ubuntu.com/security/certifications#fips.
-
-landscape:
- help: |
- Landscape Client can be installed on this machine and enrolled in
- Canonical's Landscape SaaS: https://landscape.canonical.com
- or a self-hosted Landscape: https://ubuntu.com/landscape/install
- Landscape allows you to manage many machines as easily as one,
- with an intuitive dashboard and API interface for automation,
- hardening, auditing, and more. Find out more about Landscape at
- https://ubuntu.com/landscape
-
-livepatch:
- help: |
- Livepatch provides selected high and critical kernel CVE fixes and other
- non-security bug fixes as kernel livepatches. Livepatches are applied
- without rebooting a machine which drastically limits the need for
- unscheduled system reboots. Due to the nature of fips compliance,
- livepatches cannot be enabled on fips-enabled systems. You can find out
- more about Ubuntu Kernel Livepatch service at
- https://ubuntu.com/security/livepatch
-
-realtime-kernel:
- help: |
- The Real-time kernel is an Ubuntu kernel with PREEMPT_RT patches integrated.
- It services latency-dependent use cases by providing deterministic response times.
- The Real-time kernel meets stringent preemption specifications and is suitable for
- telco applications and dedicated devices in industrial automation and robotics.
- The Real-time kernel is currently incompatible with FIPS and Livepatch.
-
-ros:
- help: |
- ros provides access to a private PPA which includes security-related
- updates for available high and critical CVE fixes for Robot Operating
- System (ROS) packages. For access to ROS ESM and security updates, both
- esm-infra and esm-apps services will also be enabled. To get additional
- non-security updates, enable ros-updates. You can find out more about the
- ROS ESM service at https://ubuntu.com/robotics/ros-esm
-
-ros-updates:
- help: |
- ros-updates provides access to a private PPA which includes
- non-security-related updates for Robot Operating System (ROS) packages.
- For full access to ROS ESM, security and non-security updates,
- the esm-infra, esm-apps, and ros services will also be enabled. You can
- find out more about the ROS ESM service at
- https://ubuntu.com/robotics/ros-esm
[Sources]
Pockets=security,updates,proposed,backports,infra-security,infra-updates,apps-security,apps-updates
[Distro]
-PostInstallScripts=./xorg_fix_proprietary.py, /usr/lib/ubuntu-advantage/upgrade_lts_contract.py
+PostInstallScripts=./xorg_fix_proprietary.py, /usr/lib/ubuntu-advantage/convert_list_to_deb822.py, /usr/lib/ubuntu-advantage/upgrade_lts_contract.py