support @complain directive
Bug #1570578 reported by Jamie Strandboge
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
ubuntu-core-launcher (Ubuntu) | Fix Released | Critical | Jamie Strandboge |
Bug Description
We need to implement @complain as a synonym for @unrestricted for now since snappy will use @complain to toggle developer mode. This allows snaps to work in developer mode while seccomp logging is being developed.
Related branches
lp:~jdstrand/snap-confine/ubuntu-core-launcher.complain-as-unrestricted
- Tyler Hicks (community): Approve
- Snappy Developers: Pending requested
Diff: 115 lines (+66/-0), 4 files modified
- debian/changelog (+8/-0)
- src/seccomp.c (+11/-0)
- tests/test_complain (+17/-0)
- tests/test_complain_missed (+30/-0)
Changed in ubuntu-core-launcher (Ubuntu):
status: In Progress → Fix Committed
This bug was fixed in the package ubuntu-core-launcher - 1.0.25

---------------
ubuntu-core-launcher (1.0.25) xenial; urgency=medium

  * update cgroup handling for 16.04 (LP: #1564401):
    - debian/usr.bin.ubuntu-core-launcher:
      + allow creating cgroups with snap.*
      + allow ixr of 'tr'
      + remove access to /var/lib/apparmor/clicks/
    - update README to more fully explain the cgroups implementation
    - src/80-snappy-assign.rules: append an app-specific tag instead of
      adding a generic tag and snap-specific property
    - src/snappy-app-dev: convert the new tag to the directory name
    - src/main.c:
      + refactor and simplify control flow to query udev for device assignment
        instead of searching apparmor policy for a specific string
      + adjust udev query for app-specific tag
      + raise real_uid after fork() before calling /lib/udev/snappy-app-dev
        so non-root app launches work with the device cgroup

ubuntu-core-launcher (1.0.24) xenial; urgency=medium

  [ Michael Vogt ]
  * ignore non-existing dirs when doing the overlay mount
  * add /lib32, /libx32 to the overlay mounts

  [ Jamie Strandboge ]
  * add back the use of /usr from the ubuntu-core snap instead of the host
    system (LP: #1570581)
  * implement @complain as a synonym for @unrestricted since snappy will use
    @complain to toggle developer mode. This allows snaps to work in developer
    mode while seccomp logging is being developed (LP: #1570578)

-- Jamie Strandboge <email address hidden> Thu, 14 Apr 2016 18:05:57 -0500