
touch-packages team mailing list archive

[Bug 1373555] Re: please restrict signal, ptrace and unix mediation to the container


This bug was fixed in the package lxc - 1.1.0~alpha1-0ubuntu5

---------------
lxc (1.1.0~alpha1-0ubuntu5) utopic; urgency=medium

  * d/p/0003-apparmor-also-deny-silent-remount.patch: update to also patch
    container-base.in
  * d/p/0004-apparmor-signal-ptrace-unix-mediation.patch: refine signal and
    ptrace rules and add unix rules for container enforcement (LP: #1373555)
  * debian/rules:
    - don't delete the dbus, ptrace and signal lines, but instead comment them
      out. This is more consistent with the comment in the policy and lets
      people see what the policy would be
    - adjust for unix rules
    - adjust versioned depends
 -- Jamie Strandboge <jamie@xxxxxxxxxx>   Fri, 26 Sep 2014 10:59:21 -0500

** Changed in: lxc (Ubuntu)
       Status: Triaged => Fix Released

** Changed in: apparmor (Ubuntu)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1373555

Title:
  please restrict signal, ptrace and unix mediation to the container

Status in “apparmor” package in Ubuntu:
  Fix Released
Status in “lxc” package in Ubuntu:
  Fix Released

Bug description:
  Right now the container policy uses bare rules for ptrace and signal.
  We should refine these rules to be container specific and add unix
  rules to do the same. Obviously, namespaces are intended to block
  these accesses in and of themselves, but this adds an incremental
  improvement and security in depth in case something goes wrong there.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1373555/+subscriptions
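The refinement the bug asks for, shown as an added illustration in AppArmor policy syntax (this is not text from the bug, the patch, or the lxc package's own profile): a bare rule permits the access against any peer, while a `peer=` restriction scopes it to processes confined by the same profile. The receive-only rules for host-side tooling are an assumption about what a complete container profile still needs, not something the bug states.

```apparmor
# Before: bare rules. Any signal, ptrace or unix socket access is allowed
# toward any peer, so the policy relies entirely on namespaces for isolation.
signal,
ptrace,
unix,

# After: mediation restricted to the container. @{profile_name} expands to
# the profile currently being enforced, so the rules match only peers that
# are confined by the same container profile; a process under another
# profile (or another container) is denied unless a separate rule allows it.
signal peer=@{profile_name},
ptrace peer=@{profile_name},
unix peer=(label=@{profile_name}),

# Assumed for completeness: container processes must still be able to be
# signalled, traced and messaged from outside (e.g. by the host's container
# management tools), so the inbound direction stays open while the container
# cannot initiate these operations against peers outside its own profile.
signal (receive),
ptrace (readby, tracedby),
unix (receive),
```

With namespaces working as intended the refined rules change nothing observable; they matter only when a namespace boundary fails, which is the defense-in-depth the report describes.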