Package changes:
-amavisd-new 1:2.11.0-6.1ubuntu1 all
+amavisd-new 1:2.11.0-6.1ubuntu1.1 all
-apache2 2.4.59-1+ubuntu20.04.1+deb.sury.org+1 amd64
-apache2-bin 2.4.59-1+ubuntu20.04.1+deb.sury.org+1 amd64
-apache2-data 2.4.59-1+ubuntu20.04.1+deb.sury.org+1 all
-apache2-utils 2.4.59-1+ubuntu20.04.1+deb.sury.org+1 amd64
+apache2 2.4.61-1+ubuntu20.04.1+deb.sury.org+1 amd64
+apache2-bin 2.4.61-1+ubuntu20.04.1+deb.sury.org+1 amd64
+apache2-data 2.4.61-1+ubuntu20.04.1+deb.sury.org+1 all
+apache2-utils 2.4.61-1+ubuntu20.04.1+deb.sury.org+1 amd64
-code-brand 23.05-32 all
-collaboraoffice 23.05.10-1 amd64
-collaboraoffice-ure 23.05.10-1 amd64
-collaboraofficebasis-calc 23.05.10-1 amd64
-collaboraofficebasis-core 23.05.10-1 amd64
-collaboraofficebasis-draw 23.05.10-1 amd64
-collaboraofficebasis-en-us 23.05.10-1 amd64
-collaboraofficebasis-extension-pdf-import 23.05.10-1 amd64
-collaboraofficebasis-graphicfilter 23.05.10-1 amd64
-collaboraofficebasis-images 23.05.10-1 amd64
-collaboraofficebasis-impress 23.05.10-1 amd64
-collaboraofficebasis-math 23.05.10-1 amd64
-collaboraofficebasis-ooofonts 23.05.10-1 amd64
-collaboraofficebasis-ooolinguistic 23.05.10-1 amd64
-collaboraofficebasis-writer 23.05.10-1 amd64
+code-brand 24.04-10 all
+collaboraoffice 24.04.5-1 amd64
+collaboraoffice-ure 24.04.5-1 amd64
+collaboraofficebasis-calc 24.04.5-1 amd64
+collaboraofficebasis-core 24.04.5-1 amd64
+collaboraofficebasis-draw 24.04.5-1 amd64
+collaboraofficebasis-en-us 24.04.5-1 amd64
+collaboraofficebasis-extension-pdf-import 24.04.5-1 amd64
+collaboraofficebasis-graphicfilter 24.04.5-1 amd64
+collaboraofficebasis-images 24.04.5-1 amd64
+collaboraofficebasis-impress 24.04.5-1 amd64
+collaboraofficebasis-math 24.04.5-1 amd64
+collaboraofficebasis-ooofonts 24.04.5-1 amd64
+collaboraofficebasis-ooolinguistic 24.04.5-1 amd64
+collaboraofficebasis-writer 24.04.5-1 amd64
-coolwsd 23.05.10.1-1 amd64
+coolwsd 24.04.5.1-1 amd64
-cpio 2.13+dfsg-2ubuntu0.3 amd64
+cpio 2.13+dfsg-2ubuntu0.4 amd64
-distro-info-data 0.43ubuntu1.15 all
+distro-info-data 0.43ubuntu1.16 all
-ghostscript 9.50~dfsg-5ubuntu4.11 amd64
+ghostscript 9.50~dfsg-5ubuntu4.13 amd64
-git 1:2.25.1-1ubuntu3.11 amd64
-git-man 1:2.25.1-1ubuntu3.11 all
+git 1:2.25.1-1ubuntu3.13 amd64
+git-man 1:2.25.1-1ubuntu3.13 all
-icinga-php-library 0.13.1-1+ubuntu20.04 all
+icinga-php-library 0.14.0-1+ubuntu20.04 all
-intel-microcode 3.20231114.0ubuntu0.20.04.1 amd64
+intel-microcode 3.20240514.0ubuntu0.20.04.1 amd64
-klibc-utils 2.0.7-1ubuntu5.1 amd64
+klibc-utils 2.0.7-1ubuntu5.2 amd64
-less 551-1ubuntu0.2 amd64
+less 551-1ubuntu0.3 amd64
-libapache2-mod-php7.4 7.4.3-4ubuntu2.20 amd64
+libapache2-mod-php7.4 7.4.3-4ubuntu2.23 amd64
-libc-bin 2.31-0ubuntu9.14 amd64
-libc-dev-bin 2.31-0ubuntu9.14 amd64
-libc6 2.31-0ubuntu9.14 amd64
-libc6-dev 2.31-0ubuntu9.14 amd64
+libc-bin 2.31-0ubuntu9.16 amd64
+libc-dev-bin 2.31-0ubuntu9.16 amd64
+libc6 2.31-0ubuntu9.16 amd64
+libc6-dev 2.31-0ubuntu9.16 amd64
-libcups2 2.3.1-9ubuntu1.6 amd64
+libcups2 2.3.1-9ubuntu1.8 amd64
-libgdk-pixbuf2.0-0 2.40.0+dfsg-3ubuntu0.4 amd64
-libgdk-pixbuf2.0-bin 2.40.0+dfsg-3ubuntu0.4 amd64
-libgdk-pixbuf2.0-common 2.40.0+dfsg-3ubuntu0.4 all
+libgdk-pixbuf2.0-0 2.40.0+dfsg-3ubuntu0.5 amd64
+libgdk-pixbuf2.0-bin 2.40.0+dfsg-3ubuntu0.5 amd64
+libgdk-pixbuf2.0-common 2.40.0+dfsg-3ubuntu0.5 all
-libglib2.0-0 2.64.6-1~ubuntu20.04.6 amd64
-libglib2.0-data 2.64.6-1~ubuntu20.04.6 all
+libglib2.0-0 2.64.6-1~ubuntu20.04.7 amd64
+libglib2.0-data 2.64.6-1~ubuntu20.04.7 all
-libgnutls30 3.6.13-2ubuntu1.10 amd64
+libgnutls30 3.6.13-2ubuntu1.11 amd64
-libgs9 9.50~dfsg-5ubuntu4.11 amd64
-libgs9-common 9.50~dfsg-5ubuntu4.11 all
+libgs9 9.50~dfsg-5ubuntu4.13 amd64
+libgs9-common 9.50~dfsg-5ubuntu4.13 all
-libklibc 2.0.7-1ubuntu5.1 amd64
+libklibc 2.0.7-1ubuntu5.2 amd64
-libmysqlclient21 8.0.36-0ubuntu0.20.04.1 amd64
+libmysqlclient21 8.0.37-0ubuntu0.20.04.3 amd64
-libnetplan0 0.104-0ubuntu2~20.04.4 amd64
+libnetplan0 0.104-0ubuntu2~20.04.6 amd64
-libnghttp2-14 1.40.0-1ubuntu0.2 amd64
+libnghttp2-14 1.40.0-1ubuntu0.3 amd64
-libnode64 10.19.0~dfsg-3ubuntu1.5 amd64
+libnode64 10.19.0~dfsg-3ubuntu1.6 amd64
-libpq5 12.18-0ubuntu0.20.04.1 amd64
+libpq5 12.19-0ubuntu0.20.04.1 amd64
-libpython3.8 3.8.10-0ubuntu1~20.04.9 amd64
-libpython3.8-dev 3.8.10-0ubuntu1~20.04.9 amd64
-libpython3.8-minimal 3.8.10-0ubuntu1~20.04.9 amd64
-libpython3.8-stdlib 3.8.10-0ubuntu1~20.04.9 amd64
+libpython3.8 3.8.10-0ubuntu1~20.04.10 amd64
+libpython3.8-dev 3.8.10-0ubuntu1~20.04.10 amd64
+libpython3.8-minimal 3.8.10-0ubuntu1~20.04.10 amd64
+libpython3.8-stdlib 3.8.10-0ubuntu1~20.04.10 amd64
-libruby2.7 2.7.0-5ubuntu1.12 amd64
+libruby2.7 2.7.0-5ubuntu1.14 amd64
-libtiff5 4.1.0+git191117-2ubuntu0.20.04.12 amd64
+libtiff5 4.1.0+git191117-2ubuntu0.20.04.13 amd64
-libunbound8 1.9.4-2ubuntu1.5 amd64
+libunbound8 1.9.4-2ubuntu1.6 amd64
-linux-libc-dev 5.4.0-176.196 amd64
+linux-libc-dev 5.4.0-189.209 amd64
-locales 2.31-0ubuntu9.14 all
+locales 2.31-0ubuntu9.16 all
-mysql-client-8.0 8.0.36-0ubuntu0.20.04.1 amd64
-mysql-client-core-8.0 8.0.36-0ubuntu0.20.04.1 amd64
+mysql-client-8.0 8.0.37-0ubuntu0.20.04.3 amd64
+mysql-client-core-8.0 8.0.37-0ubuntu0.20.04.3 amd64
-mysql-server 8.0.36-0ubuntu0.20.04.1 all
-mysql-server-8.0 8.0.36-0ubuntu0.20.04.1 amd64
-mysql-server-core-8.0 8.0.36-0ubuntu0.20.04.1 amd64
+mysql-server 8.0.37-0ubuntu0.20.04.3 all
+mysql-server-8.0 8.0.37-0ubuntu0.20.04.3 amd64
+mysql-server-core-8.0 8.0.37-0ubuntu0.20.04.3 amd64
-netplan.io 0.104-0ubuntu2~20.04.4 amd64
+netplan.io 0.104-0ubuntu2~20.04.6 amd64
-nodejs 10.19.0~dfsg-3ubuntu1.5 amd64
-nodejs-doc 10.19.0~dfsg-3ubuntu1.5 all
+nodejs 10.19.0~dfsg-3ubuntu1.6 amd64
+nodejs-doc 10.19.0~dfsg-3ubuntu1.6 all
-php7.4 7.4.3-4ubuntu2.20 all
-php7.4-bcmath 7.4.3-4ubuntu2.20 amd64
-php7.4-bz2 7.4.3-4ubuntu2.20 amd64
-php7.4-cli 7.4.3-4ubuntu2.20 amd64
-php7.4-common 7.4.3-4ubuntu2.20 amd64
-php7.4-curl 7.4.3-4ubuntu2.20 amd64
-php7.4-gd 7.4.3-4ubuntu2.20 amd64
-php7.4-gmp 7.4.3-4ubuntu2.20 amd64
-php7.4-intl 7.4.3-4ubuntu2.20 amd64
-php7.4-json 7.4.3-4ubuntu2.20 amd64
-php7.4-ldap 7.4.3-4ubuntu2.20 amd64
-php7.4-mbstring 7.4.3-4ubuntu2.20 amd64
-php7.4-mysql 7.4.3-4ubuntu2.20 amd64
-php7.4-opcache 7.4.3-4ubuntu2.20 amd64
-php7.4-pgsql 7.4.3-4ubuntu2.20 amd64
-php7.4-phpdbg 7.4.3-4ubuntu2.20 amd64
-php7.4-readline 7.4.3-4ubuntu2.20 amd64
-php7.4-soap 7.4.3-4ubuntu2.20 amd64
-php7.4-xml 7.4.3-4ubuntu2.20 amd64
-php7.4-zip 7.4.3-4ubuntu2.20 amd64
+php7.4 7.4.3-4ubuntu2.23 all
+php7.4-bcmath 7.4.3-4ubuntu2.23 amd64
+php7.4-bz2 7.4.3-4ubuntu2.23 amd64
+php7.4-cli 7.4.3-4ubuntu2.23 amd64
+php7.4-common 7.4.3-4ubuntu2.23 amd64
+php7.4-curl 7.4.3-4ubuntu2.23 amd64
+php7.4-gd 7.4.3-4ubuntu2.23 amd64
+php7.4-gmp 7.4.3-4ubuntu2.23 amd64
+php7.4-intl 7.4.3-4ubuntu2.23 amd64
+php7.4-json 7.4.3-4ubuntu2.23 amd64
+php7.4-ldap 7.4.3-4ubuntu2.23 amd64
+php7.4-mbstring 7.4.3-4ubuntu2.23 amd64
+php7.4-mysql 7.4.3-4ubuntu2.23 amd64
+php7.4-opcache 7.4.3-4ubuntu2.23 amd64
+php7.4-pgsql 7.4.3-4ubuntu2.23 amd64
+php7.4-phpdbg 7.4.3-4ubuntu2.23 amd64
+php7.4-readline 7.4.3-4ubuntu2.23 amd64
+php7.4-soap 7.4.3-4ubuntu2.23 amd64
+php7.4-xml 7.4.3-4ubuntu2.23 amd64
+php7.4-zip 7.4.3-4ubuntu2.23 amd64
-python3-django 2:2.2.12-1ubuntu0.22 all
+python3-django 2:2.2.12-1ubuntu0.23 all
-python3-idna 2.8-1 all
+python3-idna 2.8-1ubuntu0.1 all
-python3-jinja2 2.10.1-2ubuntu0.2 all
+python3-jinja2 2.10.1-2ubuntu0.3 all
-python3-pymysql 0.9.3-2ubuntu3 all
+python3-pymysql 0.9.3-2ubuntu3.1 all
-python3-update-manager 1:20.04.10.20 all
+python3-update-manager 1:20.04.10.21 all
-python3-werkzeug 0.16.1+dfsg1-2ubuntu0.1 all
+python3-werkzeug 0.16.1+dfsg1-2ubuntu0.2 all
-python3.8 3.8.10-0ubuntu1~20.04.9 amd64
-python3.8-dev 3.8.10-0ubuntu1~20.04.9 amd64
-python3.8-minimal 3.8.10-0ubuntu1~20.04.9 amd64
+python3.8 3.8.10-0ubuntu1~20.04.10 amd64
+python3.8-dev 3.8.10-0ubuntu1~20.04.10 amd64
+python3.8-minimal 3.8.10-0ubuntu1~20.04.10 amd64
-ruby2.7 2.7.0-5ubuntu1.12 amd64
+ruby2.7 2.7.0-5ubuntu1.14 amd64
-tzdata 2024a-0ubuntu0.20.04 all
-ubuntu-advantage-tools 31.2~20.04 all
+tzdata 2024a-0ubuntu0.20.04.1 all
+ubuntu-advantage-tools 32.3.1~20.04 all
-ubuntu-pro-client 31.2~20.04 amd64
-ubuntu-pro-client-l10n 31.2~20.04 amd64
+ubuntu-pro-client 32.3.1~20.04 amd64
+ubuntu-pro-client-l10n 32.3.1~20.04 amd64
-update-manager-core 1:20.04.10.20 all
+update-manager-core 1:20.04.10.21 all
-vim 2:8.1.2269-1ubuntu5.22 amd64
+vim 2:8.1.2269-1ubuntu5.23 amd64
-vim-common 2:8.1.2269-1ubuntu5.22 all
+vim-common 2:8.1.2269-1ubuntu5.23 all
-vim-runtime 2:8.1.2269-1ubuntu5.22 all
-vim-tiny 2:8.1.2269-1ubuntu5.22 amd64
+vim-runtime 2:8.1.2269-1ubuntu5.23 all
+vim-tiny 2:8.1.2269-1ubuntu5.23 amd64
-wget 1.20.3-1ubuntu2 amd64
+wget 1.20.3-1ubuntu2.1 amd64
-xxd 2:8.1.2269-1ubuntu5.22 amd64
+xxd 2:8.1.2269-1ubuntu5.23 amd64
mkdir -p './ssh/sshd_config.d'
mkdir -p './systemd/network'
mkdir -p './udev/hwdb.d'
+mkdir -p './ufw/applications.d/apache2'
mkdir -p './vulkan/explicit_layer.d'
mkdir -p './vulkan/icd.d'
mkdir -p './vulkan/implicit_layer.d'
maybe chmod 0644 'apparmor.d/local/nvidia_modprobe'
maybe chmod 0644 'apparmor.d/local/sbin.dhclient'
maybe chmod 0644 'apparmor.d/local/ubuntu_pro_apt_news'
+maybe chmod 0644 'apparmor.d/local/ubuntu_pro_esm_cache'
maybe chmod 0644 'apparmor.d/local/usr.bin.freshclam'
maybe chmod 0644 'apparmor.d/local/usr.bin.man'
maybe chmod 0644 'apparmor.d/local/usr.lib.ipsec.charon'
maybe chmod 0755 'apparmor.d/tunables/xdg-user-dirs.d'
maybe chmod 0644 'apparmor.d/tunables/xdg-user-dirs.d/site.local'
maybe chmod 0644 'apparmor.d/ubuntu_pro_apt_news'
+maybe chmod 0644 'apparmor.d/ubuntu_pro_esm_cache'
maybe chmod 0644 'apparmor.d/usr.bin.freshclam'
maybe chmod 0644 'apparmor.d/usr.bin.man'
maybe chmod 0644 'apparmor.d/usr.lib.ipsec.charon'
maybe chmod 0640 'ufw/after.rules'
maybe chmod 0640 'ufw/after6.rules'
maybe chmod 0755 'ufw/applications.d'
+maybe chmod 0755 'ufw/applications.d/apache2'
maybe chmod 0644 'ufw/applications.d/apache2-utils.ufw.profile'
maybe chmod 0644 'ufw/applications.d/bind9'
maybe chmod 0644 'ufw/applications.d/dovecot-imapd'
include <tunables/global>
+# attach_disconnected is needed here because this service runs with systemd's
+# PrivateTmp=true
+
profile ubuntu_pro_apt_news flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/nameservice>
capability setgid,
capability setuid,
capability dac_read_search,
+ # GH: 3079
+ capability dac_override,
/etc/apt/** r,
/etc/default/apport r,
/etc/ubuntu-advantage/* r,
- /usr/bin/python3.{1,}[0-9] mrix,
+ # GH: #3109
+ # Allow reading the os-release file (possibly a symlink to /usr/lib).
+ /{etc/,usr/lib/,lib/}os-release r,
+ /{,usr/}bin/python3.{1,}[0-9] mrix,
# "import uuid" in focal triggers an uname call
- /usr/bin/uname mrix,
+ # And also see LP: #2067319
+ /{,usr/}bin/uname mrix,
- /usr/lib/apt/methods/http mrix,
- /usr/lib/apt/methods/https mrix,
- /usr/lib/ubuntu-advantage/apt_news.py r,
+ /{,usr/}lib/apt/methods/http mrix,
+ /{,usr/}lib/apt/methods/https mrix,
+ /{,usr/}lib/ubuntu-advantage/apt_news.py r,
/usr/share/dpkg/* r,
/var/log/ubuntu-advantage.log rw,
/var/lib/ubuntu-advantage/** r,
/tmp/** r,
owner @{PROC}/@{pid}/fd/ r,
+ @{PROC}/@{pid}/status r,
@{PROC}/@{pid}/cgroup r,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/ubuntu_pro_apt_news>
}
\ No newline at end of file
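Review bot: The new `capability dac_override,` in ubuntu_pro_apt_news is justified only by the bare reference `# GH: 3079`, which does not say which access was being denied. The profile already holds `dac_read_search`, so this addition mainly removes DAC checks on writes; the only write rule visible in this file is `/var/log/ubuntu-advantage.log rw,`, though the included abstractions may grant more. I would expand the comment to something like `# GH: #3079 - dac_override needed for <denied path/operation>; dac_read_search alone was insufficient`, so a later reader can tell when the capability can be dropped. The issue reference should also use the `GH: #NNNN` form that the other comments in this file use.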
--- /dev/null
+
+include <tunables/global>
+
+# attach_disconnected is needed in all profiles defined here because this
+# service runs with systemd's PrivateTmp=true
+
+profile ubuntu_pro_esm_cache flags=(attach_disconnected) {
+ include <abstractions/base>
+ include <abstractions/nameservice>
+ include <abstractions/openssl>
+ include <abstractions/python>
+ include <abstractions/user-tmp>
+
+ capability chown,
+ capability dac_override,
+ capability dac_read_search,
+ capability fowner,
+ capability kill,
+ capability setgid,
+ capability setuid,
+
+ signal send set=int peer=ubuntu_pro_esm_cache//apt_methods,
+ signal send set=int peer=ubuntu_pro_esm_cache//apt_methods_gpgv,
+
+ /etc/apt/** r,
+ /etc/machine-id r,
+ /etc/ubuntu-advantage/uaclient.conf r,
+ # GH: #3109
+ # Allow reading the os-release file (possibly a symlink to /usr/lib).
+ /{etc/,usr/lib/,lib/}os-release r,
+
+ /run/ubuntu-advantage/ rw,
+ /run/ubuntu-advantage/** rw,
+
+ /run/systemd/container/ r,
+ /run/systemd/container/** r,
+
+ /{,usr/}bin/apt mrix,
+ /{,usr/}bin/apt-cache mrix,
+ /{,usr/}bin/ischroot mrix,
+ /{,usr/}bin/python3.{1,}[0-9] mrix,
+ # LP: #2067319
+ /{,usr/}bin/uname mrix,
+
+ /{,usr/}bin/cloud-id Cx -> cloud_id,
+ # LP: #2067319
+ /{,usr/}bin/ps Cx -> ps,
+ /{,usr/}bin/systemd-detect-virt Px -> ubuntu_pro_esm_cache_systemd_detect_virt,
+ /{,usr/}bin/dpkg Cx -> dpkg,
+ /{,usr/}bin/ubuntu-distro-info Cx -> ubuntu_distro_info,
+ /{,usr/}lib/apt/methods/gpgv Cx -> apt_methods_gpgv,
+ /{,usr/}lib/apt/methods/http Cx -> apt_methods,
+ /{,usr/}lib/apt/methods/https Cx -> apt_methods,
+ /{,usr/}lib/apt/methods/store Cx -> apt_methods,
+ # when there is no status.json cached, esm-cache.service will invoke "snap status"
+ /{,usr/}bin/snap PUx,
+
+ /usr/share/dpkg/** r,
+ /usr/share/keyrings/* r,
+
+ /var/cache/apt/** rw,
+
+ /var/lib/apt/** r,
+ /var/lib/dpkg/** r,
+ /var/lib/ubuntu-advantage/** rwk,
+
+ /var/log/ubuntu-advantage.log rw,
+
+ @{PROC}/@{pid}/fd/ r,
+ @{PROC}/1/cgroup r,
+ @{PROC}/version_signature r,
+ @{PROC}/@{pid}/mountinfo r,
+ @{PROC}/@{pid}/status r,
+ @{PROC}/@{pid}/stat r,
+ @{PROC}/sys/kernel/osrelease r,
+
+
+
+ profile ps flags=(attach_disconnected) {
+ include <abstractions/base>
+ include <abstractions/nameservice>
+
+ capability sys_ptrace,
+
+ # GH: #3079
+ capability dac_read_search,
+ capability dac_override,
+
+ # GH: #3119
+ ptrace (read,trace),
+
+ # LP: #2067319
+ /{,usr/}bin/ps mrix,
+
+ /dev/tty r,
+
+ @{PROC}/ r,
+ @{PROC}/@{pid}/** r,
+ @{PROC}/uptime r,
+ @{PROC}/sys/kernel/** r,
+ # GH: #3079
+ @{PROC}/tty/drivers r,
+ /sys/devices/system/node/ r,
+ /sys/devices/system/node/** r,
+ }
+
+ profile cloud_id flags=(attach_disconnected) {
+ include <abstractions/base>
+ include <abstractions/nameservice>
+ include <abstractions/python>
+
+ ptrace read peer=unconfined,
+
+ /etc/cloud/** r,
+ /etc/apt/** r,
+ /etc/apport/** r,
+ /etc/ssl/openssl.cnf r,
+
+ @{PROC}/@{pid}/fd/ r,
+ @{PROC}/cmdline r,
+ @{PROC}/1/environ r,
+ @{PROC}/1/cmdline r,
+ @{PROC}/@{pid}/status r,
+
+ /run/cloud-init/** r,
+
+ /{,usr/}bin/ r,
+ /{,usr/}bin/cloud-id r,
+ /{,usr/}bin/python3.{1,}[0-9] mrix,
+ # LP: #2067319
+ /{,usr/}bin/uname mrix,
+
+ /usr/share/dpkg/** r,
+
+ # workarounds for
+ # https://gitlab.com/apparmor/apparmor/-/issues/346
+ # LP: #2067319
+ /{,usr/}bin/systemctl Px -> ubuntu_pro_esm_cache_systemctl,
+ /{,usr/}bin/systemd-detect-virt Px -> ubuntu_pro_esm_cache_systemd_detect_virt,
+
+ /var/lib/cloud/** r,
+
+
+
+ }
+
+ profile dpkg flags=(attach_disconnected) {
+ include <abstractions/base>
+
+ capability setgid,
+
+ /etc/dpkg/** r,
+
+ /{,usr/}bin/dpkg mr,
+
+ # LP: #2067810
+ /var/lib/dpkg/** r,
+
+ }
+
+ profile ubuntu_distro_info flags=(attach_disconnected) {
+ include <abstractions/base>
+
+ /{,usr/}bin/ubuntu-distro-info mr,
+
+ /usr/share/distro-info/** r,
+
+ }
+
+ profile apt_methods flags=(attach_disconnected) {
+ include <abstractions/base>
+ include <abstractions/nameservice>
+ include <abstractions/ssl_certs>
+ include <abstractions/user-tmp>
+
+ capability setgid,
+ capability setuid,
+
+ network inet stream,
+ network inet6 stream,
+
+ signal receive set=int peer=ubuntu_pro_esm_cache,
+
+ / r,
+ /etc/dpkg/** r,
+
+ /{,usr/}lib/apt/methods/gpgv mr,
+ /{,usr/}lib/apt/methods/http mr,
+ /{,usr/}lib/apt/methods/https mr,
+ /{,usr/}lib/apt/methods/store mr,
+
+ /usr/share/dpkg/** r,
+
+ # LP: #2067810
+ /var/lib/dpkg/** r,
+
+ /var/lib/ubuntu-advantage/apt-esm/** rwk,
+
+ @{PROC}/@{pid}/cgroup r,
+ @{PROC}/@{pid}/fd/ r,
+
+ }
+
+ profile apt_methods_gpgv flags=(attach_disconnected) {
+ include <abstractions/base>
+ include <abstractions/nameservice>
+ include <abstractions/ssl_certs>
+ include <abstractions/user-tmp>
+
+ capability setgid,
+ capability setuid,
+
+ signal receive set=int peer=ubuntu_pro_esm_cache,
+
+ / r,
+ /etc/dpkg/** r,
+
+ # there are just too many shell script tools that are called, like head,
+ # tail, cut, sed, etc
+ /{,usr/}bin/* mrix,
+
+ /{,usr/}lib/apt/methods/gpgv mr,
+
+ /usr/share/dpkg/** r,
+ /usr/share/keyrings/* r,
+
+ /var/lib/ubuntu-advantage/apt-esm/** r,
+
+ @{PROC}/@{pid}/fd/ r,
+
+ # apt-config command needs these
+ # Note: observed only in xenial tests, but makes sense for all releases
+ /etc/apt/** r,
+ /var/lib/apt/** r,
+
+ # LP: #2067810
+ /var/lib/dpkg/** r,
+
+ }
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/ubuntu_pro_esm_cache>
+}
+
+ # these profiles were initially subprofiles of cloud-id, but:
+ # a) that crashes the kernel
+ # https://gitlab.com/apparmor/apparmor/-/issues/346
+ # b) <= bionic doesn't like the // or - chars in profile names
+ # https://gitlab.com/apparmor/apparmor/-/commit/99755daafb8cfde4df542b66f656597a482129ac
+
+ profile ubuntu_pro_esm_cache_systemctl flags=(attach_disconnected) {
+ include <abstractions/base>
+
+ capability net_admin,
+ capability sys_ptrace,
+
+ ptrace read peer=unconfined,
+
+
+
+ # LP: #2067319
+ /{,usr/}bin/systemctl mr,
+
+ /run/systemd/private rw,
+ /run/systemd/** r,
+
+ @{PROC}/cmdline r,
+ # GH: #3119
+ @{PROC}/1/* r,
+ @{PROC}/@{pid}/stat r,
+ @{PROC}/sys/kernel/osrelease r,
+ # GH: 3119
+ /sys/firmware/efi/efivars/** r,
+ }
+
+ profile ubuntu_pro_esm_cache_systemd_detect_virt flags=(attach_disconnected) {
+ include <abstractions/base>
+
+ capability sys_ptrace,
+
+ ptrace read peer=unconfined,
+
+ /{,usr/}bin/systemd-detect-virt mr,
+
+ /run/systemd/** r,
+
+ /sys/devices/virtual/** r,
+ # GH: #3119
+ /sys/firmware/efi/efivars/** r,
+ @{PROC}/@{pid}/status r,
+ @{PROC}/@{pid}/stat r,
+ @{PROC}/1/environ r,
+ @{PROC}/1/sched r,
+ @{PROC}/cmdline r,
+ @{PROC}/1/cmdline r,
+ @{PROC}/sys/kernel/osrelease r,
+
+ }
\ No newline at end of file
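Review bot: The rule `/{,usr/}bin/snap PUx,` in the main ubuntu_pro_esm_cache profile falls back to unconfined execution whenever no profile for snap is loaded, so that exec path leaves this policy entirely. The comment above it explains why snap is invoked but not why the unconfined fallback is acceptable; if confining snap is impractical, the comment should say so explicitly, for example `# PUx: snap cannot be confined here because <reason>; fallback to unconfined is deliberate`. In apt_methods_gpgv, `/{,usr/}bin/* mrix,` together with `capability setuid,` and `capability setgid,` is far wider than the few tools its comment names (head, tail, cut, sed), and listing those binaries explicitly would be narrower. In the ps child profile, `ptrace (read,trace),` has no peer restriction; if the denial behind GH #3119 was a read only, which I cannot confirm from this diff, `ptrace (read),` would be sufficient.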
</node>
<node oor:name="FontColor">
<prop oor:name="Color" oor:op="fuse">
- <value>0</value>
+ <value>0xFFFFFF</value>
</prop>
</node>
<node oor:name="Links">
--- /dev/null
+../../usr/share/doc/mysql-common/frozen-mode/downgrade
\ No newline at end of file