From: root
Date: Thu, 26 Apr 2018 13:32:59 +0000 (+0200)
Subject: committing changes in /etc after apt run
X-Git-Url: https://git.hoellein.online/?a=commitdiff_plain;h=da45c7c4744b74f09b547bb76d10689601717435;p=zenbook

committing changes in /etc after apt run

Package changes:
-abigen 1.8.2+build12774+xenial amd64
+abigen 1.8.6+build13246+xenial amd64
-avahi-autoipd 0.6.32~rc+dfsg-1ubuntu2.1 amd64
-avahi-daemon 0.6.32~rc+dfsg-1ubuntu2.1 amd64
-avahi-utils 0.6.32~rc+dfsg-1ubuntu2.1 amd64
+avahi-autoipd 0.6.32~rc+dfsg-1ubuntu2.2 amd64
+avahi-daemon 0.6.32~rc+dfsg-1ubuntu2.2 amd64
+avahi-utils 0.6.32~rc+dfsg-1ubuntu2.2 amd64
-bootnode 1.8.2+build12774+xenial amd64
+bootnode 1.8.6+build13246+xenial amd64
-ethereum 1.8.2+build12774+xenial amd64
+ethereum 1.8.6+build13246+xenial amd64
-evm 1.8.2+build12774+xenial amd64
+evm 1.8.6+build13246+xenial amd64
-firefox 60.0~b13+build1-0ubuntu0.16.04.1 amd64
-firefox-locale-de 60.0~b13+build1-0ubuntu0.16.04.1 amd64
-firefox-locale-en 60.0~b13+build1-0ubuntu0.16.04.1 amd64
+firefox 60.0~b15+build1-0ubuntu0.16.04.1 amd64
+firefox-locale-de 60.0~b15+build1-0ubuntu0.16.04.1 amd64
+firefox-locale-en 60.0~b15+build1-0ubuntu0.16.04.1 amd64
-geth 1.8.2+build12774+xenial amd64
+geth 1.8.6+build13246+xenial amd64
-libavahi-client3 0.6.32~rc+dfsg-1ubuntu2.1 amd64
-libavahi-client3 0.6.32~rc+dfsg-1ubuntu2.1 i386
-libavahi-common-data 0.6.32~rc+dfsg-1ubuntu2.1 amd64
-libavahi-common-data 0.6.32~rc+dfsg-1ubuntu2.1 i386
-libavahi-common3 0.6.32~rc+dfsg-1ubuntu2.1 amd64
-libavahi-common3 0.6.32~rc+dfsg-1ubuntu2.1 i386
-libavahi-core7 0.6.32~rc+dfsg-1ubuntu2.1 amd64
-libavahi-glib1 0.6.32~rc+dfsg-1ubuntu2.1 amd64
-libavahi-gobject0 0.6.32~rc+dfsg-1ubuntu2.1 amd64
-libavahi-ui-gtk3-0 0.6.32~rc+dfsg-1ubuntu2.1 amd64
+libavahi-client3 0.6.32~rc+dfsg-1ubuntu2.2 amd64
+libavahi-client3 0.6.32~rc+dfsg-1ubuntu2.2 i386
+libavahi-common-data 0.6.32~rc+dfsg-1ubuntu2.2 amd64
+libavahi-common-data 0.6.32~rc+dfsg-1ubuntu2.2 i386
+libavahi-common3 0.6.32~rc+dfsg-1ubuntu2.2 amd64
+libavahi-common3 0.6.32~rc+dfsg-1ubuntu2.2 i386
+libavahi-core7 0.6.32~rc+dfsg-1ubuntu2.2 amd64
+libavahi-glib1 0.6.32~rc+dfsg-1ubuntu2.2 amd64
+libavahi-gobject0 0.6.32~rc+dfsg-1ubuntu2.2 amd64
+libavahi-ui-gtk3-0 0.6.32~rc+dfsg-1ubuntu2.2 amd64
-libmysqlclient20 5.7.21-0ubuntu0.16.04.1 amd64
+libmysqlclient20 5.7.22-0ubuntu0.16.04.1 amd64
-libpulse-mainloop-glib0 1:8.0-0ubuntu3.8 amd64
-libpulse0 1:8.0-0ubuntu3.8 amd64
-libpulsedsp 1:8.0-0ubuntu3.8 amd64
+libpulse-mainloop-glib0 1:8.0-0ubuntu3.9 amd64
+libpulse0 1:8.0-0ubuntu3.9 amd64
+libpulsedsp 1:8.0-0ubuntu3.9 amd64
-libssl-dev 1.0.2g-1ubuntu4.11 amd64
-libssl-doc 1.0.2g-1ubuntu4.11 all
-libssl1.0.0 1.0.2g-1ubuntu4.11 amd64
+libssl-dev 1.0.2g-1ubuntu4.12 amd64
+libssl-doc 1.0.2g-1ubuntu4.12 all
+libssl1.0.0 1.0.2g-1ubuntu4.12 amd64
-linux-libc-dev 4.4.0-119.143 amd64
-linux-libc-dev 4.4.0-119.143 i386
+linux-libc-dev 4.4.0-121.145 amd64
+linux-libc-dev 4.4.0-121.145 i386
-mysql-common 5.7.21-0ubuntu0.16.04.1 all
+mysql-common 5.7.22-0ubuntu0.16.04.1 all
-openssl 1.0.2g-1ubuntu4.11 amd64
+openssl 1.0.2g-1ubuntu4.12 amd64
-oracle-java8-installer 8u161-1~webupd8~0 all
-oracle-java8-set-default 8u161-1~webupd8~0 all
+oracle-java8-installer 8u171-1~webupd8~0 all
+oracle-java8-set-default 8u171-1~webupd8~0 all
-pulseaudio 1:8.0-0ubuntu3.8 amd64
-pulseaudio-module-bluetooth 1:8.0-0ubuntu3.8 amd64
-pulseaudio-module-x11 1:8.0-0ubuntu3.8 amd64
-pulseaudio-utils 1:8.0-0ubuntu3.8 amd64
-puppeth 1.8.2+build12774+xenial amd64
+pulseaudio 1:8.0-0ubuntu3.9 amd64
+pulseaudio-module-bluetooth 1:8.0-0ubuntu3.9 amd64
+pulseaudio-module-x11 1:8.0-0ubuntu3.9 amd64
+pulseaudio-utils 1:8.0-0ubuntu3.9 amd64
+puppeth 1.8.6+build13246+xenial amd64
-rlpdump 1.8.2+build12774+xenial amd64
+rlpdump 1.8.6+build13246+xenial amd64
-snapd 2.29.4.2 amd64
+snapd 2.32.3.2 amd64
-ubuntu-core-launcher 2.29.4.2 amd64
+ubuntu-core-launcher 2.32.3.2 amd64
-wnode 1.8.2+build12774+xenial amd64
+wnode 1.8.6+build13246+xenial amd64
---
diff --git a/apparmor.d/usr.lib.snapd.snap-confine.real b/apparmor.d/usr.lib.snapd.snap-confine.real
index aea0deb..54a1015 100644
--- a/apparmor.d/usr.lib.snapd.snap-confine.real
+++ b/apparmor.d/usr.lib.snapd.snap-confine.real
@@ -8,7 +8,7 @@
 #
 # Those are discussed on https://forum.snapcraft.io/t/snapd-vs-upstream-kernel-vs-apparmor
 # and https://forum.snapcraft.io/t/snaps-and-nfs-home/
- #include "/var/lib/snapd/apparmor/snap-confine.d"
+ #include "/var/lib/snapd/apparmor/snap-confine"
 
 # We run privileged, so be fanatical about what we include and don't use
 # any abstractions
@@ -17,8 +17,10 @@
 # libc, you are funny
 /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libc{,-[0-9]*}.so* mr,
 /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libpthread{,-[0-9]*}.so* mr,
+ /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libreadline{,-[0-9]*}.so* mr,
 /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}librt{,-[0-9]*}.so* mr,
 /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libgcc_s.so* mr,
+ /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libncursesw{,-[0-9]*}.so* mr,
 /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libresolv{,-[0-9]*}.so* mr,
 /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libselinux.so* mr,
 /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libpcre.so* mr,
@@ -53,14 +55,17 @@
 # cgroup: freezer
 # Allow creating per-snap cgroup freezers and adding snap command (task)
 # invocations to the freezer. This allows for reliably enumerating all
- # running tasks for the snap.
+ # running tasks for the snap. In addition, allow enumerating processes in
+ # the cgroup to determine if it is occupied.
 /sys/fs/cgroup/freezer/ r,
 /sys/fs/cgroup/freezer/snap.*/ w,
 /sys/fs/cgroup/freezer/snap.*/tasks w,
+ /sys/fs/cgroup/freezer/snap.*/cgroup.procs r,
 
 # querying udev
 /etc/udev/udev.conf r,
 /sys/**/uevent r,
+ /usr/lib/snapd/snap-device-helper ixr, # drop
 /lib/udev/snappy-app-dev ixr, # drop
 /run/udev/** rw,
 /{,usr/}bin/tr ixr,
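Review bot: The two new `mr` rules for libreadline and libncursesw carry no comment saying which dependency of snap-confine pulls them in, although the header of this section says to be fanatical about what is included in this privileged profile. A one-line why-comment above them, e.g. `# needed by <dependency> on <distribution>; drop when snap-confine no longer links it`, would let the next reviewer verify the need instead of inheriting it. The same pair appears to be added again in a second "libc, you are funny" block later in this diff, so the comment belongs in both places.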
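Review bot: `/usr/lib/snapd/snap-device-helper ixr, # drop` runs the helper with `ix`, i.e. under snap-confine's own profile, which later hunks of this file show holding `capability sys_admin` and wide `mount`/`umount` rules; a `Cx` or `Px` transition into a dedicated child profile would confine the helper to what it actually needs. The trailing `# drop` copies the older `snappy-app-dev` line but does not say what condition allows dropping it; suggest `# drop once snap-confine no longer invokes snap-device-helper directly` or an equally concrete condition. The added `cgroup.procs r` is a read of a root-owned cgroup file and is consistent with the comment above it.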
@@ -171,8 +176,8 @@
 mount options=(rw rbind) /run/ -> /tmp/snap.rootfs_*/run/,
 mount options=(rw rslave) -> /tmp/snap.rootfs_*/run/,
 
- mount options=(rw rbind) {/usr,}/lib/modules/ -> /tmp/snap.rootfs_*{/usr,}/lib/modules/,
- mount options=(rw rslave) -> /tmp/snap.rootfs_*{/usr,}/lib/modules/,
+ mount options=(rw rbind) {,/usr}/lib{,32,64,x32}/modules/ -> /tmp/snap.rootfs_*{,/usr}/lib/modules/,
+ mount options=(rw rslave) -> /tmp/snap.rootfs_*{,/usr}/lib/modules/,
 
 mount options=(rw rbind) /var/log/ -> /tmp/snap.rootfs_*/var/log/,
 mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/log/,
@@ -250,7 +255,27 @@
 /dev/nvidiactl r,
 /dev/nvidia-uvm r,
 /usr/** r,
- mount options=(rw bind) /usr/lib/nvidia-*/ -> /{tmp/snap.rootfs_*/,}var/lib/snapd/lib/gl/,
+ mount options=(rw bind) /usr/lib{,32}/nvidia-*/ -> /{tmp/snap.rootfs_*/,}var/lib/snapd/lib/gl{,32}/,
+ mount options=(rw bind) /usr/lib{,32}/nvidia-*/ -> /{tmp/snap.rootfs_*/,}var/lib/snapd/lib/gl{,32}/,
+ /tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/{,*} w,
+ mount fstype=tmpfs options=(rw nodev noexec) none -> /tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/,
+ mount options=(remount ro) -> /tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/,
+
+ # Vulkan support
+ /tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/{,*} w,
+ mount fstype=tmpfs options=(rw nodev noexec) none -> /tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/,
+ mount options=(remount ro) -> /tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/,
+
+ # create gl dirs as needed
+ /tmp/snap.rootfs_*/ r,
+ /tmp/snap.rootfs_*/var/ r,
+ /tmp/snap.rootfs_*/var/lib/ r,
+ /tmp/snap.rootfs_*/var/lib/snapd/ r,
+ /tmp/snap.rootfs_*/var/lib/snapd/lib/ r,
+ /tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/ r,
+ /tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/** rw,
+ /tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/ r,
+ /tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/** rw,
 
 # for chroot on steroids, we use pivot_root as a better chroot that makes
 # apparmor rules behave the same on classic and outside of classic.
@@ -288,6 +313,12 @@
 # Allow snap-confine to read snap contexts
 /var/lib/snapd/context/snap.* r,
 
+ # Allow snap-confine to unmount stale mount namespaces.
+ umount /run/snapd/ns/*.mnt,
+ # Required to correctly unmount bound mount namespace.
+ # See LP: #1735459 for details.
+ umount /,
+
 # Support for the quirk system
 /var/ r,
 /var/lib/ r,
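Review bot: The two `mount options=(rw bind) /usr/lib{,32}/nvidia-*/ -> .../gl{,32}/` lines are byte-identical, so the second one is a no-op, and because AppArmor expands the braces on source and destination independently the rule also permits `/usr/lib32/nvidia-*/` onto `gl/` and `/usr/lib/nvidia-*/` onto `gl32/`. If the paired mapping was the intent, two explicit rules are tighter: `mount options=(rw bind) /usr/lib/nvidia-*/ -> /{tmp/snap.rootfs_*/,}var/lib/snapd/lib/gl/,` and `mount options=(rw bind) /usr/lib32/nvidia-*/ -> /{tmp/snap.rootfs_*/,}var/lib/snapd/lib/gl32/,`. The tmpfs plus `remount ro` sequence for gl and vulkan reads correctly; a short comment saying the `w`/`rw` rules on those paths are only used before the remount would explain why write access is granted to directories that end up read-only.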
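Review bot: `umount /,` is the broadest unmount rule AppArmor can express, and the comment only points at LP: #1735459 without saying under which conditions snap-confine reaches it; the policy itself cannot restrict the rule to the bound mount namespace, so the comment has to carry that context. If the unmount only happens inside the captured namespace (presumably the mount-namespace-capture path referenced elsewhere in this file — confirm), say so: `# Required to unmount the root of a bound mount namespace; only reached inside the captured namespace, never on the host rootfs. See LP: #1735459.` The `umount /run/snapd/ns/*.mnt,` rule above it is narrow and needs no further note.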
@@ -336,9 +367,13 @@
 capability sys_admin,
 signal (send, receive) set=(abrt) peer=/usr/lib/snapd/snap-confine,
 signal (send) set=(int) peer=/usr/lib/snapd/snap-confine//mount-namespace-capture-helper,
- signal (send, receive) set=(alrm, exists) peer=/usr/lib/snapd/snap-confine,
+ signal (send, receive) set=(int, alrm, exists) peer=/usr/lib/snapd/snap-confine,
 signal (receive) set=(exists) peer=/usr/lib/snapd/snap-confine//mount-namespace-capture-helper,
 
+ # workaround for linux 4.13/upstream, see
+ # https://forum.snapcraft.io/t/snapd-2-27-6-2-in-debian-sid-blocked-on-apparmor-in-kernel-4-13-0-1/2813/3
+ ptrace (trace, tracedby) peer=/usr/lib/snapd/snap-confine,
+
 # For aa_change_hat() to go into ^mount-namespace-capture-helper
 @{PROC}/[0-9]*/attr/current w,
 
@@ -350,8 +385,10 @@
 # libc, you are funny
 /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libc{,-[0-9]*}.so* mr,
 /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libpthread{,-[0-9]*}.so* mr,
+ /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libreadline{,-[0-9]*}.so* mr,
 /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}librt{,-[0-9]*}.so* mr,
 /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libgcc_s.so* mr,
+ /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libncursesw{,-[0-9]*}.so* mr,
 /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libresolv{,-[0-9]*}.so* mr,
 /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libselinux.so* mr,
 /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libpcre.so* mr,
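Review bot: The new `ptrace (trace, tracedby) peer=/usr/lib/snapd/snap-confine,` is labelled a workaround for Linux 4.13, but AppArmor policy has no kernel-version conditional, so the rule stays in force on every kernel the profile is loaded on; the comment should state the removal condition, e.g. `# workaround for ptrace mediation in linux 4.13+; remove once <condition>`. Allowing `trace` between processes of the same profile is a wider grant than the `signal` rules above it, which are limited to named signals, so a sentence on why both `trace` and `tracedby` are needed (rather than only the direction the kernel actually denies) would help the next reviewer. The enclosing profile block starts outside this hunk.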
@@ -407,26 +444,29 @@
 
 # Allow snap-confine to be killed
 signal (receive) peer=unconfined,
+ # Allow switching to snap-update-ns with a per-snap profile.
+ change_profile -> snap-update-ns.*,
+
 # Allow executing snap-update-ns when...
 # ...snap-confine is, conceptually, re-executing and uses snap-update-ns
 # from the distribution package. This is also the location used when using
 # the core/base snap on all-snap systems. The variants here represent
 # various locations of libexecdir across distributions.
- /usr/lib{,exec,64}/snapd/snap-update-ns Cxr -> snap_update_ns,
+ /usr/lib{,exec,64}/snapd/snap-update-ns r,
 
 # ...snap-confine is not, conceptually, re-executing and uses
 # snap-update-ns from the distribution package but we are already inside
 # the constructed mount namespace so we must traverse "hostfs". The
 # variants here represent various locations of libexecdir across
 # distributions.
- /var/lib/snapd/hostfs/usr/lib{,exec,64}/snapd/snap-update-ns Cxr -> snap_update_ns,
+ /var/lib/snapd/hostfs/usr/lib{,exec,64}/snapd/snap-update-ns r,
 
 # ..snap-confine is, conceptually, re-executing and uses snap-update-ns
 # from the core snap. Note that the location of the core snap varies from
 # distribution to distribution. The variants here represent different
 # locations of snap mount directory across distributions.
- /{,var/lib/snapd/}snap/core/*/usr/lib/snapd/snap-update-ns Cxr -> snap_update_ns,
+ /{,var/lib/snapd/}snap/core/*/usr/lib/snapd/snap-update-ns r,
 
 # ...snap-confine is, conceptually, re-executing and uses snap-update-ns
 # from the core snap but we are already inside the constructed mount
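Review bot: The snap-update-ns rules drop from `Cxr -> snap_update_ns` to plain `r`, so this file no longer states how the binary gets executed; presumably the exec now goes through the new `change_profile -> snap-update-ns.*,` rule (an AppArmor `change_profile` rule also authorises `aa_change_onexec`), but nothing in the hunk says so and the comments above each rule still read "Allow executing snap-update-ns when...". Suggest a comment above the first rule: `# snap-update-ns is executed via change_profile -> snap-update-ns.* (aa_change_onexec); the r rules only cover reading the binary`. The `snap-update-ns.*` glob admits any profile whose name starts with `snap-update-ns.`, which is acceptable only if those names are generated solely by snapd; a comment saying where the per-snap profiles come from would make that auditable from this file.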
@@ -435,91 +475,5 @@
 # "natural" /snap mount entry but we have no control over that. This is
 # reported as (LP: #1716339). The variants here represent different
 # locations of snap mount directory across distributions.
- /var/lib/snapd/hostfs/{,var/lib/snapd/}snap/core/*/usr/lib/snapd/snap-update-ns Cxr -> snap_update_ns,
-
- profile snap_update_ns (attach_disconnected) {
- # The next four rules mirror those above. We want to be able to read
- # and map snap-update-ns into memory but it may come from a variety of places.
- /usr/lib{,exec,64}/snapd/snap-update-ns mr,
- /var/lib/snapd/hostfs/usr/lib{,exec,64}/snapd/snap-update-ns mr,
- /{,var/lib/snapd/}snap/core/*/usr/lib/snapd/snap-update-ns mr,
- /var/lib/snapd/hostfs/{,var/lib/snapd/}snap/core/*/usr/lib/snapd/snap-update-ns mr,
-
- # Allow reading the dynamic linker cache.
- /etc/ld.so.cache r,
- # Allow reading, mapping and executing the dynamic linker.
- /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}ld-*.so mrix,
- # Allow reading and mapping various parts of the standard library and
- # dynamically loaded nss modules and what not.
- /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libc{,-[0-9]*}.so* mr,
- /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libpthread{,-[0-9]*}.so* mr,
-
- # Allow reading the command line (snap-update-ns uses it in pre-Go bootstrap code).
- @{PROC}/@{pid}/cmdline r,
-
- # Allow reading the os-release file (possibly a symlink to /usr/lib).
- /{etc/,usr/lib/}os-release r,
-
- # Allow creating/grabbing various snapd lock files.
- /run/snapd/lock/*.lock rwk,
-
- # Allow reading stored mount namespaces,
- /run/snapd/ns/ r,
- /run/snapd/ns/*.mnt r,
-
- # Allow reading per-snap desired mount profiles. Those are written by
- # snapd and represent the desired layout and content connections.
- /var/lib/snapd/mount/snap.*.fstab r,
-
- # Allow reading and writing actual per-snap mount profiles. Note that
- # the second rule is generic to allow our tmpfile-rename approach to
- # writing them. Those are written by snap-update-ns and represent the
- # actual layout at a given moment.
- /run/snapd/ns/*.fstab rw,
- /run/snapd/ns/*.fstab.* rw,
-
- # NOTE: at this stage the /snap directory is stable as we have called
- # pivot_root already.
-
- # Needed to perform mount/unmounts.
- capability sys_admin,
-
- # Support mount profiles via the content interface. This should correspond
- # to permutations of $SNAP -> $SNAP for reading and $SNAP_{DATA,COMMON} ->
- # $SNAP_{DATA,COMMON} for both reading and writing.
- #
- # Note that:
- # /snap/*/*/**
- # is meant to mean:
- # /snap/$SNAP_NAME/$SNAP_REVISION/and-any-subdirectory
- # but:
- # /var/snap/*/**
- # is meant to mean:
- # /var/snap/$SNAP_NAME/$SNAP_REVISION/
- mount options=(ro bind) /snap/*/** -> /snap/*/*/**,
- mount options=(ro bind) /snap/*/** -> /var/snap/*/**,
- mount options=(rw bind) /var/snap/*/** -> /var/snap/*/**,
- mount options=(ro bind) /var/snap/*/** -> /var/snap/*/**,
-
- # Allow the content interface to bind fonts from the host filesystem
- mount options=(ro bind) /var/lib/snapd/hostfs/usr/share/fonts/ -> /snap/*/*/**,
- # Allow the desktop interface to bind fonts from the host filesystem
- mount options=(ro bind) /var/lib/snapd/hostfs/usr/share/fonts/ -> /usr/share/fonts/,
- mount options=(ro bind) /var/lib/snapd/hostfs/usr/local/share/fonts/ -> /usr/local/share/fonts/,
- mount options=(ro bind) /var/lib/snapd/hostfs/var/cache/fontconfig/ -> /var/cache/fontconfig/,
-
- # Allow unmounts matching possible mounts listed above.
- umount /snap/*/*/**,
- umount /var/snap/*/**,
- umount /usr/share/fonts,
- umount /usr/local/share/fonts,
- umount /var/cache/fontconfig,
-
- # But we don't want anyone to touch /snap/bin
- audit deny mount /snap/bin/** -> /**,
- audit deny mount /** -> /snap/bin/**,
-
- # Allow the content interface to bind fonts from the host filesystem
- mount options=(ro bind) /var/lib/snapd/hostfs/usr/share/fonts/ -> /snap/*/*/**,
- }
+ /var/lib/snapd/hostfs/{,var/lib/snapd/}snap/core/*/usr/lib/snapd/snap-update-ns r,
 }
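Review bot: Removing the embedded `snap_update_ns` child profile also removes the `audit deny mount /snap/bin/** -> /**` and `audit deny mount /** -> /snap/bin/**` guards and the narrow mount/umount whitelist that scoped its `capability sys_admin`; nothing in this diff shows the per-snap `snap-update-ns.*` profiles that take over, so a reader of this file can no longer confirm those guards survive. Presumably they are generated by snapd elsewhere (confirm against the snapd package); a one-line comment next to the remaining `snap-update-ns r,` rule, e.g. `# confinement of snap-update-ns itself lives in the generated per-snap snap-update-ns.<name> profiles`, would close that gap for the next reviewer. The enclosing profile block starts outside this hunk; only its closing brace is visible here.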