Package changes:
-adduser 3.116 all
+adduser 3.117 all
-apticron 1.1.62 all
+apticron 1.2.0 all
-aspell-de
20161207-3 all
-aspell-de-1901 1:2-32 all
+aspell-de
20161207-4 all
+aspell-de-1901 1:2-33 all
-bash 4.4-5 amd64
-bash-completion 1:2.1-4.3 all
+bash 4.4.18-1.1 amd64
+bash-completion 1:2.7-1 all
-binutils 2.29.1-13 amd64
-binutils-common 2.29.1-13 amd64
-binutils-x86-64-linux-gnu 2.29.1-13 amd64
+binutils 2.30-5 amd64
+binutils-common 2.30-5 amd64
+binutils-x86-64-linux-gnu 2.30-5 amd64
-bsdutils 1:2.30.2-0.3 amd64
+bsdutils 1:2.31.1-0.4 amd64
-chrony 3.2-1+b1 amd64
+chrony 3.2-4 amd64
-console-setup 1.175 all
-console-setup-linux 1.175 all
+console-setup 1.178 all
+console-setup-linux 1.178 all
-cpp-7 7.2.0-19 amd64
+cpp-7 7.3.0-5 amd64
-dash 0.5.8-2.5 amd64
-dbus 1.12.2-1 amd64
+dash 0.5.8-2.10 amd64
+dbus 1.12.4-1 amd64
-dirmngr 2.2.4-1 amd64
+dirmngr 2.2.4-3 amd64
-dns-root-data
2017072601 all
-dnsmasq-base 2.78-1 amd64
+dns-root-data
2018013001 all
+dnsmasq-base 2.78-3 amd64
-e2fslibs 1.43.8-2 amd64
-e2fsprogs 1.43.8-2 amd64
+e2fslibs 1.43.9-1 all
+e2fsprogs 1.43.9-1 amd64
-fdisk 2.30.2-0.3 amd64
+fdisk 2.31.1-0.4 amd64
-file 1:5.32-1 amd64
+file 1:5.32-2 amd64
-fortunes-de 0.33-1 all
+fortunes-de 0.34-1 all
-g++-7 7.2.0-19 amd64
+g++-7 7.3.0-5 amd64
-gcc-6-base 6.4.0-11 amd64
-gcc-7 7.2.0-19 amd64
-gcc-7-base 7.2.0-19 amd64
-geoip-database
20171107-1 all
+gcc-6-base 6.4.0-12 amd64
+gcc-7 7.3.0-5 amd64
+gcc-7-base 7.3.0-5 amd64
+gcc-8-base 8-
20180218-1 amd64
+geoip-database
20180215-1 all
-git 1:2.15.1-3 amd64
-git-email 1:2.15.1-3 all
-git-man 1:2.15.1-3 all
-gnupg 2.2.4-1 amd64
+git 1:2.16.1-1 amd64
+git-email 1:2.16.1-1 all
+git-man 1:2.16.1-1 all
+gnupg 2.2.4-3 amd64
-gnupg-l10n 2.2.4-1 all
-gnupg-utils 2.2.4-1 amd64
-gpg 2.2.4-1 amd64
-gpg-agent 2.2.4-1 amd64
-gpg-wks-client 2.2.4-1 amd64
-gpg-wks-server 2.2.4-1 amd64
-gpgconf 2.2.4-1 amd64
-gpgsm 2.2.4-1 amd64
-gpgv 2.2.4-1 amd64
+gnupg-l10n 2.2.4-3 all
+gnupg-utils 2.2.4-3 amd64
+gpg 2.2.4-3 amd64
+gpg-agent 2.2.4-3 amd64
+gpg-wks-client 2.2.4-3 amd64
+gpg-wks-server 2.2.4-3 amd64
+gpgconf 2.2.4-3 amd64
+gpgsm 2.2.4-3 amd64
+gpgv 2.2.4-3 amd64
-groff-base 1.22.3-9 amd64
-grub-common 2.02-2 amd64
-grub-pc 2.02-2 amd64
-grub-pc-bin 2.02-2 amd64
-grub2-common 2.02-2 amd64
+groff-base 1.22.3-10 amd64
+grub-common 2.02+dfsg1-1 amd64
+grub-pc 2.02+dfsg1-1 amd64
+grub-pc-bin 2.02+dfsg1-1 amd64
+grub2-common 2.02+dfsg1-1 amd64
-hostname 3.18+b1 amd64
-htop 2.0.2-1 amd64
+hostname 3.20 amd64
+htop 2.1.0-3 amd64
-ingerman
20161207-3 all
+ingerman
20161207-4 all
-installation-report 2.66 all
-iproute2 4.14.1-1 amd64
-iptables 1.6.1-2+b1 amd64
+installation-report 2.68 all
+iproute2 4.15.0-2 amd64
+iptables 1.6.2-1 amd64
-iso-codes 3.77-1 all
-isoquery 3.2.2-1 amd64
+iso-codes 3.78-1 all
+isoquery 3.2.2-2 amd64
-iswiss
20161207-3 all
-iw 4.9-0.1 amd64
+iswiss
20161207-4 all
+iw 4.14-0.1 amd64
-keyboard-configuration 1.175 all
+keyboard-configuration 1.178 all
-libalgorithm-diff-xs-perl 0.04-4+b4 amd64
+libalgorithm-diff-xs-perl 0.04-5 amd64
-libapparmor1 2.12-1 amd64
+libapparmor1 2.12-2 amd64
-libasan4 7.2.0-19 amd64
+libargon2-0 0~
20161029-1.1 amd64
+libasan4 7.3.0-5 amd64
-libassuan0 2.5.1-1 amd64
-libatomic1 7.2.0-19 amd64
+libassuan0 2.5.1-2 amd64
+libatomic1 8-
20180218-1 amd64
-libbinutils 2.29.1-13 amd64
-libblkid1 2.30.2-0.3 amd64
+libbinutils 2.30-5 amd64
+libblkid1 2.31.1-0.4 amd64
-libc-bin 2.26-4 amd64
-libc-dev-bin 2.26-4 amd64
-libc-l10n 2.26-4 all
-libc6 2.26-4 amd64
-libc6-dev 2.26-4 amd64
+libc-bin 2.26-6 amd64
+libc-dev-bin 2.26-6 amd64
+libc-l10n 2.26-6 all
+libc6 2.26-6 amd64
+libc6-dev 2.26-6 amd64
-libcc1-0 7.2.0-19 amd64
-libcilkrts5 7.2.0-19 amd64
+libcc1-0 8-
20180218-1 amd64
+libcilkrts5 7.3.0-5 amd64
-libcomerr2 1.43.8-2 amd64
+libcom-err2 1.43.9-1 amd64
+libcomerr2 1.43.9-1 all
+libcryptsetup12 2:2.0.1-1 amd64
-libcurl3-gnutls 7.57.0-1 amd64
+libcurl3-gnutls 7.58.0-2 amd64
-libdbus-1-3 1.12.2-1 amd64
-libdebconfclient0 0.238 amd64
+libdbus-1-3 1.12.4-1 amd64
+libdebconfclient0 0.241 amd64
-libelf1 0.170-0.2 amd64
+libelf1 0.170-0.3 amd64
+libext2fs2 1.43.9-1 amd64
-libfdisk1 2.30.2-0.3 amd64
+libfdisk1 2.31.1-0.4 amd64
-libfreetype6 2.8.1-1 amd64
+libfreetype6 2.8.1-2 amd64
-libgcc-7-dev 7.2.0-19 amd64
-libgcc1 1:7.2.0-19 amd64
+libgcc-7-dev 7.3.0-5 amd64
+libgcc1 1:8-
20180218-1 amd64
-libgeoip1 1.6.11-3 amd64
-libglib2.0-0 2.54.3-1 amd64
-libglib2.0-data 2.54.3-1 all
-libgmp10 2:6.1.2+dfsg-1.2 amd64
-libgnutls-openssl27 3.5.16-1 amd64
-libgnutls30 3.5.16-1 amd64
-libgomp1 7.2.0-19 amd64
-libgpg-error0 1.27-5 amd64
-libgpm2 1.20.7-4 amd64
+libgdbm5 1.14.1-4 amd64
+libgeoip1 1.6.12-1 amd64
+libglib2.0-0 2.54.3-2 amd64
+libglib2.0-data 2.54.3-2 all
+libgmp10 2:6.1.2+dfsg-2 amd64
+libgnutls-openssl27 3.5.18-1 amd64
+libgnutls30 3.5.18-1 amd64
+libgomp1 8-
20180218-1 amd64
+libgpg-error0 1.27-6 amd64
+libgpm2 1.20.7-5 amd64
-libgudev-1.0-0 232-1 amd64
+libgudev-1.0-0 232-2 amd64
-libip4tc0 1.6.1-2+b1 amd64
-libip6tc0 1.6.1-2+b1 amd64
-libiptc0 1.6.1-2+b1 amd64
+libip4tc0 1.6.2-1 amd64
+libip6tc0 1.6.2-1 amd64
+libiptc0 1.6.2-1 amd64
-libitm1 7.2.0-19 amd64
-libjansson4 2.10-1 amd64
+libitm1 8-
20180218-1 amd64
+libjansson4 2.11-1 amd64
-libjs-sphinxdoc 1.6.6-1 all
+libjs-sphinxdoc 1.6.7-1 all
-liblsan0 7.2.0-19 amd64
+liblsan0 8-
20180218-1 amd64
-libmagic-mgc 1:5.32-1 amd64
-libmagic1 1:5.32-1 amd64
+libmagic-mgc 1:5.32-2 amd64
+libmagic1 1:5.32-2 amd64
-libmount1 2.30.2-0.3 amd64
-libmpc3 1.0.3-2 amd64
+libmount1 2.31.1-0.4 amd64
+libmpc3 1.1.0-1 amd64
-libmpx2 7.2.0-19 amd64
-libncurses5 6.0+
20171125-1 amd64
-libncursesw5 6.0+
20171125-1 amd64
+libmpfr6 4.0.0-7 amd64
+libmpx2 8-
20180218-1 amd64
+libncurses5 6.1-1 amd64
+libncursesw5 6.1-1 amd64
-libnet1 1.1.6+dfsg-3 amd64
+libnet1 1.1.6+dfsg-3.1 amd64
-libnewt0.52 0.52.20-1+b1 amd64
+libnewt0.52 0.52.20-2 amd64
-libnghttp2-14 1.29.0-1 amd64
+libnghttp2-14 1.30.0-1 amd64
-libnm0 1.10.2-1 amd64
+libnm0 1.10.4-1+b1 amd64
-libpam-modules 1.1.8-3.6 amd64
-libpam-modules-bin 1.1.8-3.6 amd64
-libpam-runtime 1.1.8-3.6 all
-libpam-systemd 236-3 amd64
-libpam0g 1.1.8-3.6 amd64
+libpam-modules 1.1.8-3.7 amd64
+libpam-modules-bin 1.1.8-3.7 amd64
+libpam-runtime 1.1.8-3.7 all
+libpam-systemd 237-3 amd64
+libpam0g 1.1.8-3.7 amd64
-libpcre2-8-0 10.22-5 amd64
-libpcre3 2:8.39-8 amd64
+libpcre2-8-0 10.22-6 amd64
+libpcre3 2:8.39-9 amd64
-libperl5.26 5.26.1-4 amd64
+libperl5.26 5.26.1-4+b1 amd64
-libprocps6 2:3.3.12-3 amd64
+libprocps6 2:3.3.12-4 amd64
-libpython2.7 2.7.14-4 amd64
-libpython2.7-minimal 2.7.14-4 amd64
-libpython2.7-stdlib 2.7.14-4 amd64
+libpython2.7 2.7.14-6 amd64
+libpython2.7-minimal 2.7.14-6 amd64
+libpython2.7-stdlib 2.7.14-6 amd64
-libpython3.6-minimal 3.6.4-3 amd64
-libpython3.6-stdlib 3.6.4-3 amd64
+libpython3.6-minimal 3.6.4-4 amd64
+libpython3.6-stdlib 3.6.4-4 amd64
-libquadmath0 7.2.0-19 amd64
+libquadmath0 8-
20180218-1 amd64
-libselinux1 2.7-2 amd64
+libselinux1 2.7-2+b1 amd64
-libsemanage1 2.7-2 amd64
+libsemanage1 2.7-2+b1 amd64
-libslang2 2.3.1a-1 amd64
-libsmartcols1 2.30.2-0.3 amd64
+libslang2 2.3.1a-3 amd64
+libsmartcols1 2.31.1-0.4 amd64
-libsqlite3-0 3.21.0-1 amd64
-libss2 1.43.8-2 amd64
+libsqlite3-0 3.22.0-1 amd64
+libss2 1.43.9-1 amd64
-libstdc++-7-dev 7.2.0-19 amd64
-libstdc++6 7.2.0-19 amd64
+libstdc++-7-dev 7.3.0-5 amd64
+libstdc++6 8-
20180218-1 amd64
-libsystemd0 236-3 amd64
-libtasn1-6 4.12-3 amd64
+libsystemd0 237-3 amd64
+libtasn1-6 4.13-2 amd64
-libtinfo5 6.0+
20171125-1 amd64
-libtomcrypt1 1.18.0-1 amd64
+libtinfo5 6.1-1 amd64
+libtomcrypt1 1.18.1-1 amd64
-libtsan0 7.2.0-19 amd64
-libubsan0 7.2.0-19 amd64
-libudev1 236-3 amd64
+libtsan0 8-
20180218-1 amd64
+libubsan0 7.3.0-5 amd64
+libudev1 237-3 amd64
+libunwind8 1.2.1-6 amd64
-libuuid1 2.30.2-0.3 amd64
+libuuid1 2.31.1-0.4 amd64
-libxtables12 1.6.1-2+b1 amd64
+libxtables12 1.6.2-1 amd64
-linux-image-4.14.0-3-amd64 4.14.13-1 amd64
+linux-image-4.14.0-3-amd64 4.14.17-1 amd64
-linux-libc-dev 4.14.13-1 amd64
-locales 2.26-4 all
+linux-libc-dev 4.15.4-1 amd64
+locales 2.26-6 all
-man-db 2.7.6.1-4 amd64
-manpages 4.14-1 all
+man-db 2.8.1-1 amd64
+manpages 4.15-1 all
-manpages-dev 4.14-1 all
+manpages-dev 4.15-1 all
-mount 2.30.2-0.3 amd64
-multiarch-support 2.26-4 amd64
+mount 2.31.1-0.4 amd64
+multiarch-support 2.26-6 amd64
-nano 2.9.2-1 amd64
-ncurses-base 6.0+
20171125-1 all
-ncurses-bin 6.0+
20171125-1 amd64
-ncurses-term 6.0+
20171125-1 all
+nano 2.9.3-1 amd64
+ncurses-base 6.1-1 all
+ncurses-bin 6.1-1 amd64
+ncurses-term 6.1-1 all
-network-manager 1.10.2-1 amd64
-openssh-client 1:7.6p1-3 amd64
-openssh-server 1:7.6p1-3 amd64
-openssh-sftp-server 1:7.6p1-3 amd64
+network-manager 1.10.4-1+b1 amd64
+openssh-client 1:7.6p1-4 amd64
+openssh-server 1:7.6p1-4 amd64
+openssh-sftp-server 1:7.6p1-4 amd64
-patch 2.7.5-1+b2 amd64
+patch 2.7.6-1 amd64
-perl 5.26.1-4 amd64
-perl-base 5.26.1-4 amd64
+perl 5.26.1-4+b1 amd64
+perl-base 5.26.1-4+b1 amd64
-pinentry-curses 1.0.0-3 amd64
+pinentry-curses 1.1.0-1 amd64
-ppp 2.4.7-1+4 amd64
-procps 2:3.3.12-3 amd64
+ppp 2.4.7-2+1 amd64
+procps 2:3.3.12-4 amd64
-python-certifi 2017.11.5-1 all
-python-cffi-backend 1.9.1-2+b1 amd64
+python-certifi 2018.1.18-2 all
+python-cffi-backend 1.11.4-1 amd64
-python-pkg-resources 38.2.4-2 all
+python-pkg-resources 38.4.0-1 all
-python-requests 2.18.4-1 all
-python-scandir 1.6-1 amd64
-python-setuptools 38.2.4-2 all
+python-requests 2.18.4-2 all
+python-scandir 1.7-1 amd64
+python-setuptools 38.4.0-1 all
-python-six 1.11.0-1 all
+python-six 1.11.0-2 all
-python-tz 2017.2-2 all
+python-tz 2018.3-2 all
-python2.7 2.7.14-4 amd64
-python2.7-minimal 2.7.14-4 amd64
+python2.7 2.7.14-6 amd64
+python2.7-minimal 2.7.14-6 amd64
-python3-certifi 2017.11.5-1 all
-python3-cffi-backend 1.9.1-2+b1 amd64
+python3-certifi 2018.1.18-2 all
+python3-cffi-backend 1.11.4-1 amd64
-python3-debian 0.1.31 all
-python3-debianbts 2.7.1 all
+python3-debian 0.1.32 all
+python3-debianbts 2.7.2 all
-python3-distutils 3.6.4-2 all
+python3-distutils 3.6.4-4 all
-python3-lib2to3 3.6.4-2 all
+python3-lib2to3 3.6.4-4 all
-python3-pkg-resources 38.2.4-2 all
+python3-pkg-resources 38.4.0-1 all
-python3-pycurl 7.43.0-2+b1 amd64
+python3-pycurl 7.43.0.1-0.2 amd64
-python3-requests 2.18.4-1 all
-python3-setuptools 38.2.4-2 all
+python3-requests 2.18.4-2 all
+python3-setuptools 38.4.0-1 all
-python3-six 1.11.0-1 all
+python3-six 1.11.0-2 all
-python3.6 3.6.4-3 amd64
-python3.6-minimal 3.6.4-3 amd64
+python3.6 3.6.4-4 amd64
+python3.6-minimal 3.6.4-4 amd64
-s-nail 14.9.6-1 amd64
+s-nail 14.9.6-2 amd64
-sed 4.4-1 amd64
+sed 4.4-2 amd64
-strace 4.19-1 amd64
+strace 4.21-1 amd64
-systemd 236-3 amd64
-systemd-sysv 236-3 amd64
+systemd 237-3 amd64
+systemd-sysv 237-3 amd64
-task-german 3.42 all
-task-ssh-server 3.42 all
-tasksel 3.42 all
-tasksel-data 3.42 all
+task-german 3.43 all
+task-ssh-server 3.43 all
+tasksel 3.43 all
+tasksel-data 3.43 all
-tzdata 2018b-1 all
-ucf 3.0036 all
-udev 236-3 amd64
+tzdata 2018c-1 all
+ucf 3.0037 all
+udev 237-3 amd64
-util-linux 2.30.2-0.3 amd64
-vim 2:8.0.1401-2 amd64
-vim-common 2:8.0.1401-2 all
-vim-runtime 2:8.0.1401-2 all
-vim-tiny 2:8.0.1401-2 amd64
+util-linux 2.31.1-0.4 amd64
+vim 2:8.0.1453-1 amd64
+vim-common 2:8.0.1453-1 all
+vim-runtime 2:8.0.1453-1 all
+vim-tiny 2:8.0.1453-1 amd64
-wget 1.19.2-2 amd64
-whiptail 0.52.20-1+b1 amd64
+wget 1.19.4-1 amd64
+whiptail 0.52.20-2 amd64
-wngerman
20161207-3 all
+wngerman
20161207-4 all
-xkb-data 2.19-1.1 all
+xkb-data 2.23.1-1 all
-xxd 2:8.0.1401-2 amd64
+xxd 2:8.0.1453-1 amd64
maybe chmod 0755 'apm/event.d'
maybe chmod 0755 'apm/event.d/20hdparm'
maybe chmod 0755 'apparmor.d'
+maybe chmod 0755 'apparmor.d/force-complain'
maybe chmod 0755 'apparmor.d/local'
maybe chmod 0644 'apparmor.d/local/usr.bin.man'
+maybe chmod 0644 'apparmor.d/local/usr.sbin.chronyd'
maybe chmod 0644 'apparmor.d/local/usr.sbin.haveged'
maybe chmod 0644 'apparmor.d/usr.bin.man'
+maybe chmod 0644 'apparmor.d/usr.sbin.chronyd'
maybe chmod 0644 'apparmor.d/usr.sbin.haveged'
maybe chmod 0755 'apt'
maybe chmod 0644 'apt/SALTSTACK-GPG-KEY.pub'
maybe chmod 0644 'dhcp/debug'
maybe chmod 0755 'dhcp/dhclient-enter-hooks.d'
maybe chmod 0755 'dhcp/dhclient-exit-hooks.d'
+maybe chmod 0644 'dhcp/dhclient-exit-hooks.d/chrony'
maybe chmod 0644 'dhcp/dhclient-exit-hooks.d/rfc3442-classless-routes'
maybe chmod 0644 'dhcp/dhclient-exit-hooks.d/timesyncd'
maybe chmod 0644 'dhcp/dhclient.conf'
maybe chmod 0644 'sysctl.conf'
maybe chmod 0755 'sysctl.d'
maybe chmod 0644 'sysctl.d/README.sysctl'
+maybe chmod 0644 'sysctl.d/protect-links.conf'
maybe chmod 0755 'systemd'
maybe chmod 0644 'systemd/journald.conf'
maybe chmod 0644 'systemd/logind.conf'
--- /dev/null
+/etc/apparmor.d/usr.sbin.chronyd
\ No newline at end of file
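Review bot: This new symlink would put the chronyd profile in complain mode, so the rules added further down are logged rather than enforced. That reading is inferred: the link's own path is not shown on the page, but it appears to live in the `apparmor.d/force-complain` directory that the metadata hunk adds. If confinement of chronyd is expected on this host, confirm the mode with `aa-status` and, once the audit log shows no unexpected denials, remove the link or run `aa-enforce` on the profile. Nothing in the commit records that the profile is advisory only.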
# include the programs that actually parse input data in a non-trivial
# way, not wrappers such as groff and nroff, since the latter would need a
# broader profile.
- /usr/bin/eqn rmCx -> groff,
- /usr/bin/grap rmCx -> groff,
- /usr/bin/pic rmCx -> groff,
- /usr/bin/preconv rmCx -> groff,
- /usr/bin/refer rmCx -> groff,
- /usr/bin/tbl rmCx -> groff,
- /usr/bin/troff rmCx -> groff,
- /usr/bin/vgrind rmCx -> groff,
+ /usr/bin/eqn rmCx -> &man_groff,
+ /usr/bin/grap rmCx -> &man_groff,
+ /usr/bin/pic rmCx -> &man_groff,
+ /usr/bin/preconv rmCx -> &man_groff,
+ /usr/bin/refer rmCx -> &man_groff,
+ /usr/bin/tbl rmCx -> &man_groff,
+ /usr/bin/troff rmCx -> &man_groff,
+ /usr/bin/vgrind rmCx -> &man_groff,
# Similarly, use a special profile when man calls decompressors and other
# simple filters.
- /bin/bzip2 rmCx -> filter,
- /bin/gzip rmCx -> filter,
- /usr/bin/col rmCx -> filter,
- /usr/bin/compress rmCx -> filter,
- /usr/bin/iconv rmCx -> filter,
- /usr/bin/lzip.lzip rmCx -> filter,
- /usr/bin/tr rmCx -> filter,
- /usr/bin/xz rmCx -> filter,
+ /bin/bzip2 rmCx -> &man_filter,
+ /bin/gzip rmCx -> &man_filter,
+ /usr/bin/col rmCx -> &man_filter,
+ /usr/bin/compress rmCx -> &man_filter,
+ /usr/bin/iconv rmCx -> &man_filter,
+ /usr/bin/lzip.lzip rmCx -> &man_filter,
+ /usr/bin/tr rmCx -> &man_filter,
+ /usr/bin/xz rmCx -> &man_filter,
# Allow basically anything in terms of file system access, subject to DAC.
# The purpose of this profile isn't to confine man itself (that might be
capability setuid,
capability setgid,
- profile groff {
- #include <abstractions/base>
- # Recent kernels revalidate open FDs, and there are often some still
- # open on TTYs. This is temporary until man learns to close irrelevant
- # open FDs before execve.
- #include <abstractions/consoles>
- # man always runs its groff pipeline with the input file open on stdin,
- # so we can skip <abstractions/user-manpages>.
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.bin.man>
+}
- /usr/bin/eqn rm,
- /usr/bin/grap rm,
- /usr/bin/pic rm,
- /usr/bin/preconv rm,
- /usr/bin/refer rm,
- /usr/bin/tbl rm,
- /usr/bin/troff rm,
- /usr/bin/vgrind rm,
+profile man_groff {
+ #include <abstractions/base>
+ # Recent kernels revalidate open FDs, and there are often some still
+ # open on TTYs. This is temporary until man learns to close irrelevant
+ # open FDs before execve.
+ #include <abstractions/consoles>
+ # man always runs its groff pipeline with the input file open on stdin,
+ # so we can skip <abstractions/user-manpages>.
- /etc/groff/** r,
- /usr/lib/groff/site-tmac/** r,
- /usr/share/groff/** r,
- }
+ /usr/bin/eqn rm,
+ /usr/bin/grap rm,
+ /usr/bin/pic rm,
+ /usr/bin/preconv rm,
+ /usr/bin/refer rm,
+ /usr/bin/tbl rm,
+ /usr/bin/troff rm,
+ /usr/bin/vgrind rm,
- profile filter {
- #include <abstractions/base>
- # Recent kernels revalidate open FDs, and there are often some still
- # open on TTYs. This is temporary until man learns to close irrelevant
- # open FDs before execve.
- #include <abstractions/consoles>
+ /etc/groff/** r,
+ /usr/lib/groff/site-tmac/** r,
+ /usr/share/groff/** r,
+}
- /bin/bzip2 rm,
- /bin/gzip rm,
- /usr/bin/col rm,
- /usr/bin/compress rm,
- /usr/bin/iconv rm,
- /usr/bin/lzip.lzip rm,
- /usr/bin/tr rm,
- /usr/bin/xz rm,
- }
+profile man_filter {
+ #include <abstractions/base>
+ # Recent kernels revalidate open FDs, and there are often some still
+ # open on TTYs. This is temporary until man learns to close irrelevant
+ # open FDs before execve.
+ #include <abstractions/consoles>
- # Site-specific additions and overrides. See local/README for details.
- #include <local/usr.bin.man>
+ /bin/bzip2 rm,
+ /bin/gzip rm,
+ /usr/bin/col rm,
+ /usr/bin/compress rm,
+ /usr/bin/iconv rm,
+ /usr/bin/lzip.lzip rm,
+ /usr/bin/tr rm,
+ /usr/bin/xz rm,
}
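Review bot: The new top-level `profile man_groff {` and `profile man_filter {` are undocumented: they are no longer nested inside the man profile, carry no attachment path, and are reached only through the `rmCx -> &man_groff` and `rmCx -> &man_filter` rules. A one-line comment above each, such as `# No attachment: entered only via the transitions in the man profile above.`, would stop a later editor from treating them as independent profiles. Anything that matches on the old child-profile names (audit-log filters, site rules under `local/`) would presumably need the new names; that cannot be checked from this page. The file starts before the first hunk shown here.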
--- /dev/null
+# Last Modified: Sat Jan 20 10:45:05 2018
+#include <tunables/global>
+#include <tunables/sys>
+
+/usr/sbin/chronyd (attach_disconnected) {
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+
+ capability sys_time,
+ capability net_bind_service,
+ capability setuid,
+ capability setgid,
+ capability sys_nice,
+ capability sys_resource,
+ # for /run/chrony to be created
+ capability chown,
+
+ /usr/sbin/chronyd mr,
+
+ /etc/chrony/{,**} r,
+ /{,var/}run/chronyd.pid w,
+ /{,var/}run/chrony/{,*} rw,
+ /var/lib/chrony/{,*} r,
+ /var/lib/chrony/* w,
+ /var/log/chrony/{,*} r,
+ /var/log/chrony/* w,
+
+ # Using the “tempcomp” directive gives chronyd the ability to improve
+ # the stability and accuracy of the clock by compensating the temperature
+ # changes measured by a sensor close to the oscillator.
+ @{sys}/class/hwmon/hwmon[0-9]*/temp[0-9]*_input r,
+
+ # rtc
+ /etc/adjtime r,
+ /dev/rtc{,[0-9]*} r,
+
+ # gps devices
+ /dev/pps[0-9]* r,
+ /dev/ptp[0-9]* r,
+
+ # For use with clocks that report via shared memory (e.g. gpsd),
+ # you may need to give ntpd access to all of shared memory, though
+ # this can be considered dangerous. See https://launchpad.net/bugs/722815
+ # for details. To enable, add this to local/usr.sbin.chronyd:
+ # capability ipc_owner,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.sbin.chronyd>
+}
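Review bot: The shared-memory comment near the end of the new profile says `you may need to give ntpd access`, but this profile confines `/usr/sbin/chronyd`. It reads as carried over from an ntpd profile and should name chronyd, e.g. `# you may need to give chronyd access to all of shared memory, though`. The capability list is also uncommented apart from `chown`. A short why-comment on `sys_resource`, `setuid` and `setgid` would help whoever later audits the profile decide whether each is still needed.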
/* Debug information:
# dpkg list:
rc linux-image-4.11.0-1-amd64 4.11.6-1 amd64 Linux 4.11 for 64-bit PCs
-ii linux-image-4.12.0-1-amd64 4.12.6-1 amd64 Linux 4.12 for 64-bit PCs
-ii linux-image-4.13.0-1-amd64 4.13.13-1 amd64 Linux 4.13 for 64-bit PCs
ii linux-image-4.14.0-2-amd64 4.14.7-1 amd64 Linux 4.14 for 64-bit PCs
-iF linux-image-4.14.0-3-amd64 4.14.13-1 amd64 Linux 4.14 for 64-bit PCs
+iF linux-image-4.14.0-3-amd64 4.14.17-1 amd64 Linux 4.14 for 64-bit PCs
rc linux-image-4.9.0-3-amd64 4.9.30-2+deb9u2 amd64 Linux 4.9 for 64-bit PCs
-iU linux-image-amd64 4.14+89 amd64 Linux for 64-bit PCs (meta-package)
+ii linux-image-amd64 4.14+89 amd64 Linux for 64-bit PCs (meta-package)
# list of installed kernel packages:
-4.12.0-1-amd64 4.12.6-1
-4.13.0-1-amd64 4.13.13-1
4.14.0-2-amd64 4.14.7-1
-4.14.0-3-amd64 4.14.13-1
+4.14.0-3-amd64 4.14.17-1
# list of different kernel versions:
-4.14.13-1
+4.14.17-1
4.14.7-1
-4.13.13-1
-4.12.6-1
-# Installing kernel: 4.14.13-1 (4.14.0-3-amd64)
-# Running kernel: 4.14.7-1 (4.14.0-2-amd64)
-# Last kernel: 4.14.13-1
+# Installing kernel: 4.14.17-1 (4.14.0-3-amd64)
+# Running kernel: 4.14.17-1 (4.14.0-3-amd64)
+# Last kernel: 4.14.17-1
# Previous kernel: 4.14.7-1
# Kernel versions list to keep:
-4.14.13-1
+4.14.17-1
4.14.7-1
# Kernel packages (version part) to protect:
4\.14\.0-2-amd64
fi
# set a fancy prompt (non-color, overwrite the one in /etc/profile)
-PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
+# but only if not SUDOing and have SUDO_PS1 set; then assume smart user.
+if ! [ -n "${SUDO_USER}" -a -n "${SUDO_PS1}" ]; then
+ PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
+fi
# Commented out, don't overwrite xterm -T "title" -n "icontitle" by default.
# If this is an xterm set the title to user@host:dir
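Review bot: The added test `[ -n "${SUDO_USER}" -a -n "${SUDO_PS1}" ]` uses `-a` inside `[`, which POSIX marks obsolescent and which can misparse with unusual operands. `if ! { [ -n "${SUDO_USER}" ] && [ -n "${SUDO_PS1}" ]; }; then` expresses the same condition unambiguously. The same form appears in the bash-completion check further down (`-n "${BASH_VERSION-}" -a …` and the `BASH_VERSINFO` comparison). The comment above the test is also hard to parse: the prompt is set unless both `SUDO_USER` and `SUDO_PS1` are present, which could be stated directly. The enclosing block starts outside the hunk.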
kbd_mode '-u' < '/dev/tty4'
kbd_mode '-u' < '/dev/tty5'
kbd_mode '-u' < '/dev/tty6'
-loadkeys '/tmp/tmpkbd.PupXh4' > '/dev/null'
+loadkeys '/etc/console-setup/cached_UTF-8_del.kmap.gz' > '/dev/null'
-# This is a configuration file for /etc/init.d/chrony; it allows you to
-# pass various options to the chrony daemon without editing the init script.
+# This is a configuration file for /etc/init.d/chrony and
+# /lib/systemd/system/chrony.service; it allows you to pass various options to
+# the chrony daemon without editing the init script or service file.
# Options to pass to chrony.
DAEMON_OPTS=""
--- /dev/null
+SERVERFILE=/var/lib/dhcp/chrony.servers.$interface
+
+chrony_config() {
+ rm -f $SERVERFILE
+ for server in $new_ntp_servers; do
+ echo "$server iburst" >> $SERVERFILE
+ done
+ /usr/lib/chrony/chrony-helper update-daemon || :
+}
+
+chrony_restore() {
+ if [ -f $SERVERFILE ]; then
+ rm -f $SERVERFILE
+ /usr/lib/chrony/chrony-helper update-daemon || :
+ fi
+}
+
+case $reason in
+ BOUND|RENEW|REBIND|REBOOT)
+ chrony_config
+ ;;
+ EXPIRE|FAIL|RELEASE|STOP)
+ chrony_restore
+ ;;
+esac
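Review bot: `$SERVERFILE` is expanded unquoted in `rm -f $SERVERFILE`, `[ -f $SERVERFILE ]` and the `>> $SERVERFILE` redirect. In addition, each word of `$new_ntp_servers` is appended to the chrony server file without any check, although that value comes from whichever DHCP server answered the lease. Quote the path everywhere (`rm -f -- "$SERVERFILE"`, `echo "$server iburst" >> "$SERVERFILE"`) and consider skipping entries that are not a plain host name or address before appending them. The unquoted `for server in $new_ntp_servers` relies on word splitting, which also exposes each value to pathname expansion; `set -f` / `set +f` around the loop would avoid that. The `|| :` after `chrony-helper update-daemon` looks deliberate for a hook, but it also hides a helper that never runs.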
NAME="chronyd"
DESC="time daemon"
PIDFILE=/run/chronyd.pid
+CHRONY_HELPER=/usr/lib/chrony/chrony-helper
[ -x "$DAEMON" ] || exit 0
else
log_daemon_msg "Starting $DESC" "$NAME"
start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- $DAEMON_OPTS
+ if [ -x $CHRONY_HELPER ]; then
+ $CHRONY_HELPER update-daemon
+ fi
log_end_msg $?
fi
;;
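Review bot: `log_end_msg $?` now reports the status of the new `if` block rather than of `start-stop-daemon`, so a failed daemon start is logged as success whenever the helper is absent or succeeds. Save the status directly after the `start-stop-daemon` line with `status=$?` and finish with `log_end_msg $status`, deciding separately whether a helper failure should count. `$PIDFILE`, `$DAEMON` and `$CHRONY_HELPER` are also expanded unquoted. The enclosing `case` arm starts and ends outside the hunk.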
## Remember the used search/replace strings for the next session.
set historylog
-## Make the justify command kill whitespace at the end of lines.
-# set justifytrim
-
## Display line numbers to the left of the text.
# set linenumbers
## Save automatically on exit; don't prompt.
# set tempfile
+## Snip whitespace at the end of lines when justifying or hard-wrapping.
+# set trimblanks
+
## Disallow file modification. Why would you want this in an rcfile? ;)
# set view
# Check for interactive bash and that we haven't already been sourced.
-if [ -n "$BASH_VERSION" -a -n "$PS1" -a -z "$BASH_COMPLETION_COMPAT_DIR" ]; then
+if [ -n "${BASH_VERSION-}" -a -n "${PS1-}" -a -z "${BASH_COMPLETION_VERSINFO-}" ]; then
-# Check for recent enough version of bash.
-bash=${BASH_VERSION%.*}; bmajor=${bash%.*}; bminor=${bash#*.}
-if [ $bmajor -gt 4 ] || [ $bmajor -eq 4 -a $bminor -ge 1 ]; then
- [ -r "${XDG_CONFIG_HOME:-$HOME/.config}/bash_completion" ] && \
- . "${XDG_CONFIG_HOME:-$HOME/.config}/bash_completion"
- if shopt -q progcomp && [ -r /usr/share/bash-completion/bash_completion ]; then
- # Source completion code.
- . /usr/share/bash-completion/bash_completion
+ # Check for recent enough version of bash.
+ if [ ${BASH_VERSINFO[0]} -gt 4 ] || \
+ [ ${BASH_VERSINFO[0]} -eq 4 -a ${BASH_VERSINFO[1]} -ge 1 ]; then
+ [ -r "${XDG_CONFIG_HOME:-$HOME/.config}/bash_completion" ] && \
+ . "${XDG_CONFIG_HOME:-$HOME/.config}/bash_completion"
+ if shopt -q progcomp && [ -r /usr/share/bash-completion/bash_completion ]; then
+ # Source completion code.
+ . /usr/share/bash-completion/bash_completion
+ fi
fi
-fi
-unset bash bmajor bminor
fi
if [ -d "$HOME/bin" ] ; then
PATH="$HOME/bin:$PATH"
fi
+
+# set PATH so it includes user's private bin if it exists
+if [ -d "$HOME/.local/bin" ] ; then
+ PATH="$HOME/.local/bin:$PATH"
+fi
###################################################################
# Magic system request Key
-# 0=disable, 1=enable all
-# Debian kernels have this set to 0 (disable the key)
-# See https://www.kernel.org/doc/Documentation/sysrq.txt
+# 0=disable, 1=enable all, >1 bitmask of sysrq functions
+# Debian kernels have this set to 438 which is the OR of:
+# 64 = enable signalling of processes
+# 128 = allow reboot/poweroff
+# 256 = allow nicing of all RT tasks
+#
+# See https://www.kernel.org/doc/html/latest/admin-guide/sysrq.html
# for what other values do
-#kernel.sysrq=1
+#kernel.sysrq=438
-###################################################################
-# Protected links
-#
-# Protects against creating or following links under certain conditions
-# Debian kernels have both set to 1 (restricted)
-# See https://www.kernel.org/doc/Documentation/sysctl/fs.txt
-#fs.protected_hardlinks=0
-#fs.protected_symlinks=0
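Review bot: The new sysrq comment says 438 is the OR of 64, 128 and 256, but those sum to 448, and 438 (0x1b6) does not have the 64 bit set at all. 438 decomposes as 2 + 4 + 16 + 32 + 128 + 256. Going by the kernel's sysrq documentation, that enables console log level, keyboard control, sync, remount read-only, reboot/poweroff and RT nicing, and leaves signalling of processes disabled. The list should be corrected before anyone relies on it to judge what the SysRq key can do on this host, e.g. `#   2 = console logging level, 4 = keyboard control, 16 = sync, 32 = remount read-only, 128 = reboot/poweroff, 256 = nicing of all RT tasks`.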
--- /dev/null
+###################################################################
+# Protected links
+#
+# Protects against creating or following links under certain conditions
+# Debian kernels have both set to 1 (restricted)
+# See https://www.kernel.org/doc/Documentation/sysctl/fs.txt
+fs.protected_hardlinks = 1
+fs.protected_symlinks = 1