github.com/chipaca/snappy@v0.0.0-20210104084008-1f06296fe8ad/interfaces/apparmor/template.go (about) 1 // -*- Mode: Go; indent-tabs-mode: t -*- 2 3 /* 4 * Copyright (C) 2016-2020 Canonical Ltd 5 * 6 * This program is free software: you can redistribute it and/or modify 7 * it under the terms of the GNU General Public License version 3 as 8 * published by the Free Software Foundation. 9 * 10 * This program is distributed in the hope that it will be useful, 11 * but WITHOUT ANY WARRANTY; without even the implied warranty of 12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 * GNU General Public License for more details. 14 * 15 * You should have received a copy of the GNU General Public License 16 * along with this program. If not, see <http://www.gnu.org/licenses/>. 17 * 18 */ 19 20 package apparmor 21 22 // Rules for app snaps are comprised of: 23 // 24 // - preamble and rules common regardless of base runtime 25 // - base-specific runtime rules 26 // - snippet rules from interfaces, etc, regardless of base runtime 27 // 28 // As part of the mount namespace setup, some directories from the host will be 29 // bind mounted onto the base snap (these are defined by snap-confine). 
The 30 // locations of the target mounts that the snap sees at runtime are (for 31 // clarity, not all subdirectories are listed (eg, /var/lib/snapd/hostfs is not 32 // listed since /var/lib/snapd is)): 33 // 34 // - /dev 35 // - /etc 36 // - /home 37 // - /lib/modules and /usr/lib/modules 38 // - /lib/firmware and /usr/lib/firmware 39 // - /mnt, /media and /run/media 40 // - /proc 41 // - /root 42 // - /run 43 // - /snap and /var/snap 44 // - /sys 45 // - /usr/lib/snapd 46 // - /usr/src 47 // - /var/lib/dhcp 48 // - /var/lib/extrausers 49 // - /var/lib/jenkins 50 // - /var/lib/snapd 51 // - /var/log 52 // - /var/tmp 53 // 54 // For files coming from the host in this manner, accesses should be common to 55 // all bases, either via the template or interface rules (eg, given the same 56 // connected interfaces, access to devices in /dev should generally be the 57 // same, regardless of whether the snap specifies 'base: core18' or 58 // 'base: other'). 59 // 60 // The preamble and default accesses common to all bases go in templateCommon. 61 // These rules include the aformentioned host file rules as well as non-file 62 // rules (eg signal, dbus, unix, etc). 63 // 64 var templateCommon = ` 65 # vim:syntax=apparmor 66 67 #include <tunables/global> 68 69 # snapd supports the concept of 'parallel installs' where snaps with the same 70 # name are differentiated by '_<instance>' such that foo, foo_bar and foo_baz 71 # may all be installed on the system. To support this, SNAP_NAME is set to the 72 # name (eg, 'foo') while SNAP_INSTANCE_NAME is set to the instance name (eg 73 # 'foo_bar'). The profile name and most rules therefore reference 74 # SNAP_INSTANCE_NAME. 
In some cases, snapd will adjust the snap's runtime 75 # environment so the snap doesn't have to be aware of the distinction (eg, 76 # SNAP, SNAP_DATA and SNAP_COMMON are all bind mounted onto a directory with 77 # SNAP_NAME so the security policy will allow writing to both locations (since 78 # they are equivalent). 79 80 ###VAR### 81 82 ###PROFILEATTACH### (attach_disconnected,mediate_deleted) { 83 #include <abstractions/base> 84 #include <abstractions/consoles> 85 #include <abstractions/openssl> 86 87 # While in later versions of the base abstraction, include this explicitly 88 # for series 16 and cross-distro 89 /etc/ld.so.preload r, 90 91 # The base abstraction doesn't yet have this 92 /etc/sysconfig/clock r, 93 owner @{PROC}/@{pid}/maps k, 94 # While the base abstraction has rules for encryptfs encrypted home and 95 # private directories, it is missing rules for directory read on the toplevel 96 # directory of the mount (LP: #1848919) 97 owner @{HOME}/.Private/ r, 98 owner @{HOMEDIRS}/.ecryptfs/*/.Private/ r, 99 100 # for python apps/services 101 #include <abstractions/python> 102 /etc/python3.[0-9]/** r, 103 104 # explicitly deny noisy denials to read-only filesystems (see LP: #1496895 105 # for details) 106 deny /usr/lib/python3*/{,**/}__pycache__/ w, 107 deny /usr/lib/python3*/{,**/}__pycache__/**.pyc.[0-9]* w, 108 # bind mount used here (see 'parallel installs', above) 109 deny @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/**/__pycache__/ w, 110 deny @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/**/__pycache__/*.pyc.[0-9]* w, 111 112 # for perl apps/services 113 #include <abstractions/perl> 114 # Missing from perl abstraction 115 /usr/lib/@{multiarch}/perl{,5,-base}/auto/**.so* mr, 116 117 # Note: the following dangerous accesses should not be allowed in most 118 # policy, but we cannot explicitly deny since other trusted interfaces might 119 # add them. 
120 # Explicitly deny ptrace for now since it can be abused to break out of the 121 # seccomp sandbox. https://lkml.org/lkml/2015/3/18/823 122 #audit deny ptrace (trace), 123 124 # Explicitly deny capability mknod so apps can't create devices 125 #audit deny capability mknod, 126 127 # Explicitly deny mount, remount and umount so apps can't modify things in 128 # their namespace 129 #audit deny mount, 130 #audit deny remount, 131 #audit deny umount, 132 133 # End dangerous accesses 134 135 # Note: this potentially allows snaps to DoS other snaps via resource 136 # exhaustion but we can't sensibly mediate this today. In the future we may 137 # employ cgroup limits, AppArmor rlimit mlock rules or something else. 138 capability ipc_lock, 139 140 # for bash 'binaries' (do *not* use abstractions/bash) 141 # user-specific bash files 142 /etc/bash.bashrc r, 143 /etc/inputrc r, 144 /etc/environment r, 145 /etc/profile r, 146 147 # user/group/seat lookups 148 /etc/{passwd,group,nsswitch.conf} r, # very common 149 /var/lib/extrausers/{passwd,group} r, 150 /run/systemd/users/[0-9]* r, 151 /etc/default/nss r, 152 153 # libnss-systemd (subset from nameservice abstraction) 154 # 155 # https://systemd.io/USER_GROUP_API/ 156 # https://systemd.io/USER_RECORD/ 157 # https://www.freedesktop.org/software/systemd/man/nss-systemd.html 158 # 159 # Allow User/Group lookups via common VarLink socket APIs. Applications need 160 # to either consult all of them or the io.systemd.Multiplexer frontend. 
161 /run/systemd/userdb/ r, 162 /run/systemd/userdb/io.systemd.Multiplexer rw, 163 /run/systemd/userdb/io.systemd.DynamicUser rw, # systemd-exec users 164 /run/systemd/userdb/io.systemd.Home rw, # systemd-home dirs 165 /run/systemd/userdb/io.systemd.NameServiceSwitch rw, # UNIX/glibc NSS 166 167 /etc/libnl-3/{classid,pktloc} r, # apps that use libnl 168 169 # For snappy reexec on 4.8+ kernels 170 /usr/lib/snapd/snap-exec m, 171 172 # For gdb support 173 /usr/lib/snapd/snap-gdb-shim ixr, 174 /usr/lib/snapd/snap-gdbserver-shim ixr, 175 176 # For in-snap tab completion 177 /etc/bash_completion.d/{,*} r, 178 /usr/lib/snapd/etelpmoc.sh ixr, # marshaller (see complete.sh for out-of-snap unmarshal) 179 /usr/share/bash-completion/bash_completion r, # user-provided completions (run in-snap) may use functions from here 180 181 # uptime 182 @{PROC}/uptime r, 183 @{PROC}/loadavg r, 184 185 # Allow reading /etc/os-release. On Ubuntu 16.04+ it is a symlink to /usr/lib 186 # which is allowed by the base abstraction, but on 14.04 it is an actual file 187 # so need to add it here. Also allow read locks on the file. 188 /etc/os-release rk, 189 /usr/lib/os-release k, 190 191 # systemd native journal API (see sd_journal_print(4)). This should be in 192 # AppArmor's base abstraction, but until it is, include here. 193 /run/systemd/journal/socket w, 194 /run/systemd/journal/stdout rw, # 'r' shouldn't be needed, but journald 195 # doesn't leak anything so allow 196 197 # snapctl and its requirements 198 /usr/bin/snapctl ixr, 199 /usr/lib/snapd/snapctl ixr, 200 @{PROC}/sys/net/core/somaxconn r, 201 /run/snapd-snap.socket rw, 202 203 # Note: for now, don't explicitly deny this noisy denial so --devmode isn't 204 # broken but eventually we may conditionally deny this since it is an 205 # information leak. 
206 #deny /{,var/}run/utmp r, 207 208 # java 209 @{PROC}/@{pid}/ r, 210 @{PROC}/@{pid}/fd/ r, 211 owner @{PROC}/@{pid}/auxv r, 212 @{PROC}/sys/vm/zone_reclaim_mode r, 213 /etc/lsb-release r, 214 /sys/devices/**/read_ahead_kb r, 215 /sys/devices/system/cpu/** r, 216 /sys/devices/system/node/node[0-9]*/* r, 217 /sys/kernel/mm/transparent_hugepage/enabled r, 218 /sys/kernel/mm/transparent_hugepage/defrag r, 219 # NOTE: this leaks running process but java seems to want it (even though it 220 # seems to operate ok without it) and SDL apps crash without it. Allow owner 221 # match until AppArmor kernel var is available to solve this properly (see 222 # LP: #1546825 for details). comm is a subset of cmdline, so allow it too. 223 owner @{PROC}/@{pid}/cmdline r, 224 owner @{PROC}/@{pid}/comm r, 225 226 # Per man(5) proc, the kernel enforces that a thread may only modify its comm 227 # value or those in its thread group. 228 owner @{PROC}/@{pid}/task/@{tid}/comm rw, 229 230 # Allow reading and writing to our file descriptors in /proc which, for 231 # example, allow access to /dev/std{in,out,err} which are all symlinks to 232 # /proc/self/fd/{0,1,2} respectively. To support the open(..., O_TMPFILE) 233 # linkat() temporary file technique, allow all fds. Importantly, access to 234 # another task's fd via this proc interface is mediated via 'ptrace (read)' 235 # (readonly) and 'ptrace (trace)' (read/write) which is denied by default, so 236 # this rule by itself doesn't allow opening another snap's fds via proc. 
237 owner @{PROC}/@{pid}/{,task/@{tid}}fd/[0-9]* rw, 238 239 # Miscellaneous accesses 240 /dev/{,u}random w, 241 /etc/machine-id r, 242 /etc/mime.types r, 243 @{PROC}/ r, 244 @{PROC}/version r, 245 @{PROC}/version_signature r, 246 /etc/{,writable/}hostname r, 247 /etc/{,writable/}localtime r, 248 /etc/{,writable/}mailname r, 249 /etc/{,writable/}timezone r, 250 owner @{PROC}/@{pid}/cgroup rk, 251 @{PROC}/@{pid}/io r, 252 owner @{PROC}/@{pid}/limits r, 253 owner @{PROC}/@{pid}/loginuid r, 254 @{PROC}/@{pid}/smaps r, 255 @{PROC}/@{pid}/stat r, 256 @{PROC}/@{pid}/statm r, 257 @{PROC}/@{pid}/status r, 258 @{PROC}/@{pid}/task/ r, 259 @{PROC}/@{pid}/task/[0-9]*/smaps r, 260 @{PROC}/@{pid}/task/[0-9]*/stat r, 261 @{PROC}/@{pid}/task/[0-9]*/statm r, 262 @{PROC}/@{pid}/task/[0-9]*/status r, 263 @{PROC}/sys/fs/pipe-max-size r, 264 @{PROC}/sys/kernel/hostname r, 265 @{PROC}/sys/kernel/osrelease r, 266 @{PROC}/sys/kernel/ostype r, 267 @{PROC}/sys/kernel/pid_max r, 268 @{PROC}/sys/kernel/yama/ptrace_scope r, 269 @{PROC}/sys/kernel/shmmax r, 270 @{PROC}/sys/fs/file-max r, 271 @{PROC}/sys/fs/file-nr r, 272 @{PROC}/sys/fs/inotify/max_* r, 273 @{PROC}/sys/kernel/pid_max r, 274 @{PROC}/sys/kernel/random/boot_id r, 275 @{PROC}/sys/kernel/random/uuid r, 276 # Allow access to the uuidd daemon (this daemon is a thin wrapper around 277 # time and getrandom()/{,u}random and, when available, runs under an 278 # unprivilged, dedicated user). 
279 /run/uuidd/request rw, 280 /sys/devices/virtual/tty/{console,tty*}/active r, 281 /sys/fs/cgroup/memory/{,user.slice/}memory.limit_in_bytes r, 282 /sys/fs/cgroup/memory/{,**/}snap.@{SNAP_INSTANCE_NAME}{,.*}/memory.limit_in_bytes r, 283 /sys/fs/cgroup/cpu,cpuacct/{,user.slice/}cpu.cfs_{period,quota}_us r, 284 /sys/fs/cgroup/cpu,cpuacct/{,**/}snap.@{SNAP_INSTANCE_NAME}{,.*}/cpu.cfs_{period,quota}_us r, 285 /sys/fs/cgroup/cpu,cpuacct/{,user.slice/}cpu.shares r, 286 /sys/fs/cgroup/cpu,cpuacct/{,**/}snap.@{SNAP_INSTANCE_NAME}{,.*}/cpu.shares r, 287 /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r, 288 /sys/module/apparmor/parameters/enabled r, 289 /{,usr/}lib/ r, 290 291 # Reads of oom_adj and oom_score_adj are safe 292 owner @{PROC}/@{pid}/oom_{,score_}adj r, 293 294 # Note: for now, don't explicitly deny write access so --devmode isn't broken 295 # but eventually we may conditionally deny this since it allows the process 296 # to increase the oom heuristic of other processes (make them more likely to 297 # be killed). Once AppArmor kernel var is available to solve this properly, 298 # this can safely be allowed since non-root processes won't be able to 299 # decrease the value and root processes will only be able to with 300 # 'capability sys_resource,' which we deny be default. 
301 # deny owner @{PROC}/@{pid}/oom_{,score_}adj w, 302 303 # Eases hardware assignment (doesn't give anything away) 304 /etc/udev/udev.conf r, 305 /sys/ r, 306 /sys/bus/ r, 307 /sys/class/ r, 308 309 # this leaks interface names and stats, but not in a way that is traceable 310 # to the user/device 311 @{PROC}/net/dev r, 312 @{PROC}/@{pid}/net/dev r, 313 314 # Read-only of this snap 315 /var/lib/snapd/snaps/@{SNAP_NAME}_*.snap r, 316 317 # Read-only of snapd restart state for snapctl specifically 318 /var/lib/snapd/maintenance.json r, 319 320 # Read-only for the install directory 321 # bind mount used here (see 'parallel installs', above) 322 @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/ r, 323 @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}}/ r, 324 @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}}/** mrklix, 325 326 # Read-only install directory for other revisions to help with bugs like 327 # LP: #1616650 and LP: #1655992 328 @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/** mrkix, 329 330 # Read-only home area for other versions 331 # bind mount *not* used here (see 'parallel installs', above) 332 owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/ r, 333 owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/** mrkix, 334 335 # Writable home area for this version. 
336 # bind mount *not* used here (see 'parallel installs', above) 337 owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}/** wl, 338 owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/common/** wl, 339 340 # Read-only system area for other versions 341 # bind mount used here (see 'parallel installs', above) 342 /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/ r, 343 /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/** mrkix, 344 345 # Writable system area only for this version 346 # bind mount used here (see 'parallel installs', above) 347 /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/@{SNAP_REVISION}/** wl, 348 /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/common/** wl, 349 350 # The ubuntu-core-launcher creates an app-specific private restricted /tmp 351 # and will fail to launch the app if something goes wrong. As such, we can 352 # simply allow full access to /tmp. 353 /tmp/ r, 354 /tmp/** mrwlkix, 355 356 # App-specific access to files and directories in /dev/shm. We allow file 357 # access in /dev/shm for shm_open() and files in subdirectories for open() 358 # bind mount *not* used here (see 'parallel installs', above) 359 /{dev,run}/shm/snap.@{SNAP_INSTANCE_NAME}.** mrwlkix, 360 # Also allow app-specific access for sem_open() 361 /{dev,run}/shm/sem.snap.@{SNAP_INSTANCE_NAME}.* mrwlk, 362 363 # Snap-specific XDG_RUNTIME_DIR that is based on the UID of the user 364 # bind mount *not* used here (see 'parallel installs', above) 365 owner /run/user/[0-9]*/snap.@{SNAP_INSTANCE_NAME}/ rw, 366 owner /run/user/[0-9]*/snap.@{SNAP_INSTANCE_NAME}/** mrwklix, 367 368 # Allow apps from the same package to communicate with each other via an 369 # abstract or anonymous socket 370 unix (bind, listen) addr="@snap.@{SNAP_INSTANCE_NAME}.**", 371 unix peer=(label=snap.@{SNAP_INSTANCE_NAME}.*), 372 373 # Allow apps from the same package to communicate with each other via DBus. 
374 # Note: this does not grant access to the DBus sockets of well known buses 375 # (will still need to use an appropriate interface for that). 376 dbus (receive, send) peer=(label=snap.@{SNAP_INSTANCE_NAME}.*), 377 # In addition to the above, dbus-run-session attempts reading these files 378 # from the snap base runtime. 379 /usr/share/dbus-1/services/{,*} r, 380 /usr/share/dbus-1/system-services/{,*} r, 381 # Allow apps to perform DBus introspection on org.freedesktop.DBus for both 382 # the system and session buses. 383 # Note: this does not grant access to the DBus sockets of these buses, but 384 # we grant it here since it is missing from the dbus abstractions 385 # (LP: #1866168) 386 dbus (send) 387 bus={session,system} 388 path=/org/freedesktop/DBus 389 interface=org.freedesktop.DBus.Introspectable 390 member=Introspect 391 peer=(label=unconfined), 392 393 # Allow apps from the same package to signal each other via signals 394 signal peer=snap.@{SNAP_INSTANCE_NAME}.*, 395 396 # Allow receiving signals from all snaps (and focus on mediating sending of 397 # signals) 398 signal (receive) peer=snap.*, 399 400 # Allow receiving signals from unconfined (eg, systemd) 401 signal (receive) peer=unconfined, 402 403 # for 'udevadm trigger --verbose --dry-run --tag-match=snappy-assign' 404 /{,s}bin/udevadm ixr, 405 /etc/udev/udev.conf r, 406 /{,var/}run/udev/tags/snappy-assign/ r, 407 @{PROC}/cmdline r, 408 /sys/devices/**/uevent r, 409 410 # LP: #1447237: adding '--property-match=SNAPPY_APP=<pkgname>' to the above 411 # requires: 412 # /run/udev/data/* r, 413 # but that reveals too much about the system and cannot be granted to apps 414 # by default at this time. 415 416 # For convenience, allow apps to see what is in /dev even though cgroups 417 # will block most access 418 /dev/ r, 419 /dev/**/ r, 420 421 # Allow setting up pseudoterminal via /dev/pts system. This is safe because 422 # the launcher uses a per-app devpts newinstance. 
423 /dev/ptmx rw, 424 425 # Do the same with /sys/devices and /sys/class to help people using hw-assign 426 /sys/devices/ r, 427 /sys/devices/**/ r, 428 /sys/class/ r, 429 /sys/class/**/ r, 430 431 # Allow all snaps to chroot 432 capability sys_chroot, 433 434 # Lttng tracing is very noisy and should not be allowed by confined apps. Can 435 # safely deny for the normal case (LP: #1260491). If/when an lttng-trace 436 # interface is needed, we can rework this. 437 deny /{dev,run,var/run}/shm/lttng-ust-* rw, 438 439 # Allow read-access on /home/ for navigating to other parts of the 440 # filesystem. While this allows enumerating users, this is already allowed 441 # via /etc/passwd and getent. 442 @{HOMEDIRS}/ r, 443 444 # Allow read-access to / for navigating to other parts of the filesystem. 445 / r, 446 447 # Snap-specific run directory. Bind mount *not* used here 448 # (see 'parallel installs', above) 449 /run/snap.@{SNAP_INSTANCE_NAME}/ rw, 450 /run/snap.@{SNAP_INSTANCE_NAME}/** mrwklix, 451 452 # Snap-specific lock directory and prerequisite navigation permissions. 453 /run/lock/ r, 454 /run/lock/snap.@{SNAP_INSTANCE_NAME}/ rw, 455 /run/lock/snap.@{SNAP_INSTANCE_NAME}/** mrwklix, 456 ` 457 458 var templateFooter = ` 459 ###SNIPPETS### 460 } 461 ` 462 463 // defaultCoreRuntimeTemplateRules contains core* runtime-specific rules. In general, 464 // binaries exposed here declare what the core runtime has historically been 465 // expected to support. 
// NOTE(review): the python rules below use 'python3.[0-9]', which only
// matches single-digit minor versions (python3.0 .. python3.9); directories
// for Python 3.10 and later will not match. The interpreter rule
// ('python{,2,2.[0-9]*,3,3.[0-9]*}') does match them.
var defaultCoreRuntimeTemplateRules = `
# Default rules for core base runtimes

# The base abstraction doesn't yet have this
/lib/terminfo/** rk,
/usr/share/terminfo/** k,
/usr/share/zoneinfo/** k,

# for python apps/services
/usr/bin/python{,2,2.[0-9]*,3,3.[0-9]*} ixr,
# additional accesses needed for newer pythons in later bases
/usr/lib{,32,64}/python3.[0-9]/**.{pyc,so} mr,
/usr/lib{,32,64}/python3.[0-9]/**.{egg,py,pth} r,
/usr/lib{,32,64}/python3.[0-9]/{site,dist}-packages/ r,
/usr/lib{,32,64}/python3.[0-9]/lib-dynload/*.so mr,
/usr/include/python3.[0-9]*/pyconfig.h r,

# for perl apps/services
/usr/bin/perl{,5*} ixr,
# AppArmor <2.12 doesn't have rules for perl-base, so add them here
/usr/lib/@{multiarch}/perl{,5,-base}/** r,
/usr/lib/@{multiarch}/perl{,5,-base}/[0-9]*/**.so* mr,

# for bash 'binaries' (do *not* use abstractions/bash)
# user-specific bash files
/{,usr/}bin/bash ixr,
/{,usr/}bin/dash ixr,
/usr/share/terminfo/** r,

# Common utilities for shell scripts
/{,usr/}bin/arch ixr,
/{,usr/}bin/{,g,m}awk ixr,
/{,usr/}bin/base32 ixr,
/{,usr/}bin/base64 ixr,
/{,usr/}bin/basename ixr,
/{,usr/}bin/bunzip2 ixr,
/{,usr/}bin/bzcat ixr,
/{,usr/}bin/bzdiff ixr,
/{,usr/}bin/bzgrep ixr,
/{,usr/}bin/bzip2 ixr,
/{,usr/}bin/cat ixr,
/{,usr/}bin/chgrp ixr,
/{,usr/}bin/chmod ixr,
/{,usr/}bin/chown ixr,
/{,usr/}bin/clear ixr,
/{,usr/}bin/cmp ixr,
/{,usr/}bin/cp ixr,
/{,usr/}bin/cpio ixr,
/{,usr/}bin/cut ixr,
/{,usr/}bin/date ixr,
/{,usr/}bin/dbus-daemon ixr,
/{,usr/}bin/dbus-run-session ixr,
/{,usr/}bin/dbus-send ixr,
/{,usr/}bin/dd ixr,
/{,usr/}bin/diff{,3} ixr,
/{,usr/}bin/dir ixr,
/{,usr/}bin/dirname ixr,
/{,usr/}bin/du ixr,
/{,usr/}bin/echo ixr,
/{,usr/}bin/{,e,f,r}grep ixr,
/{,usr/}bin/env ixr,
/{,usr/}bin/expr ixr,
/{,usr/}bin/false ixr,
/{,usr/}bin/find ixr,
/{,usr/}bin/flock ixr,
/{,usr/}bin/fmt ixr,
/{,usr/}bin/fold ixr,
/{,usr/}bin/getconf ixr,
/{,usr/}bin/getent ixr,
/{,usr/}bin/getopt ixr,
/{,usr/}bin/groups ixr,
/{,usr/}bin/gzip ixr,
/{,usr/}bin/head ixr,
/{,usr/}bin/hostname ixr,
/{,usr/}bin/id ixr,
/{,usr/}bin/igawk ixr,
/{,usr/}bin/infocmp ixr,
/{,usr/}bin/kill ixr,
/{,usr/}bin/ldd ixr,
/{usr/,}lib{,32,64}/ld{,32,64}-*.so ix,
/{usr/,}lib/@{multiarch}/ld{,32,64}-*.so ix,
/{,usr/}bin/less{,file,pipe} ixr,
/{,usr/}bin/ln ixr,
/{,usr/}bin/line ixr,
/{,usr/}bin/link ixr,
/{,usr/}bin/locale ixr,
/{,usr/}bin/logger ixr,
/{,usr/}bin/ls ixr,
/{,usr/}bin/md5sum ixr,
/{,usr/}bin/mkdir ixr,
/{,usr/}bin/mkfifo ixr,
/{,usr/}bin/mknod ixr,
/{,usr/}bin/mktemp ixr,
/{,usr/}bin/more ixr,
/{,usr/}bin/mv ixr,
/{,usr/}bin/nice ixr,
/{,usr/}bin/nohup ixr,
/{,usr/}bin/od ixr,
/{,usr/}bin/openssl ixr, # may cause harmless capability block_suspend denial
/{,usr/}bin/paste ixr,
/{,usr/}bin/pgrep ixr,
/{,usr/}bin/printenv ixr,
/{,usr/}bin/printf ixr,
/{,usr/}bin/ps ixr,
/{,usr/}bin/pwd ixr,
/{,usr/}bin/readlink ixr,
/{,usr/}bin/realpath ixr,
/{,usr/}bin/rev ixr,
/{,usr/}bin/rm ixr,
/{,usr/}bin/rmdir ixr,
/{,usr/}bin/run-parts ixr,
/{,usr/}bin/sed ixr,
/{,usr/}bin/seq ixr,
/{,usr/}bin/sha{1,224,256,384,512}sum ixr,
/{,usr/}bin/shuf ixr,
/{,usr/}bin/sleep ixr,
/{,usr/}bin/sort ixr,
/{,usr/}bin/stat ixr,
/{,usr/}bin/stdbuf ixr,
/{,usr/}bin/stty ixr,
/{,usr/}bin/sync ixr,
/{,usr/}bin/systemd-cat ixr,
/{,usr/}bin/tac ixr,
/{,usr/}bin/tail ixr,
/{,usr/}bin/tar ixr,
/{,usr/}bin/tee ixr,
/{,usr/}bin/test ixr,
/{,usr/}bin/tempfile ixr,
/{,usr/}bin/tset ixr,
/{,usr/}bin/touch ixr,
/{,usr/}bin/tput ixr,
/{,usr/}bin/tr ixr,
/{,usr/}bin/true ixr,
/{,usr/}bin/tty ixr,
/{,usr/}bin/uname ixr,
/{,usr/}bin/uniq ixr,
/{,usr/}bin/unlink ixr,
/{,usr/}bin/unxz ixr,
/{,usr/}bin/unzip ixr,
/{,usr/}bin/uptime ixr,
/{,usr/}bin/vdir ixr,
/{,usr/}bin/wc ixr,
/{,usr/}bin/which ixr,
/{,usr/}bin/xargs ixr,
/{,usr/}bin/xz ixr,
/{,usr/}bin/yes ixr,
/{,usr/}bin/zcat ixr,
/{,usr/}bin/z{,e,f}grep ixr,
/{,usr/}bin/zip ixr,
/{,usr/}bin/zipgrep ixr,

# lsb-release
/usr/bin/lsb_release ixr,
/usr/bin/ r,
/usr/share/distro-info/*.csv r,

# For printing the cache (we don't allow updating the cache)
/{,usr/}sbin/ldconfig{,.real} ixr,

# Allow all snaps to chroot
/{,usr/}sbin/chroot ixr,
`

// defaultCoreRuntimeTemplate contains the default apparmor template for core*
// bases: the common preamble, the core runtime rules and the closing footer,
// concatenated in that order. It can be overridden for testing using
// MockTemplate().
var defaultCoreRuntimeTemplate = templateCommon + defaultCoreRuntimeTemplateRules + templateFooter

// defaultOtherBaseTemplateRules contains the rules for non-core* bases. When a
// snap specifies an alternative base to core*, it is allowed read-only access
// to all files within the base, but all other accesses (eg, host file rules,
// signal, dbus, unix, etc rules) should be the same as the default template.
//
// For clarity and ease of maintenance, we will whitelist top-level directories
// here instead of using glob rules (we can add more if specific bases
// dictate).
// The character-class ladders below ('[^f]', 'f[^i]', 'fi[^r]', ...) enumerate
// every path that does NOT begin with one of the excluded directory names,
// one rule per prefix character of each excluded name, finishing with a
// 'name[^/]**' rule so that siblings sharing the prefix (eg /lib64 next to
// /lib, /usr/libexec next to /usr/lib) are still covered. Adding a new
// excluded directory therefore means extending every step of its ladder.
var defaultOtherBaseTemplateRules = `
# Default rules for non-core base runtimes

# /bin and /sbin (/usr/{,local/}{s,bin} handled in /usr)
/{,s}bin/ r,
/{,s}bin/** mrklix,

# /lib - the mount setup may bind mount to:
#
# - /lib/firmware
# - /lib/modules
#
# Everything but /lib/firmware and /lib/modules
/lib/ r,
/lib/[^fm]** mrklix,
/lib/{f[^i],m[^o]}** mrklix,
/lib/{fi[^r],mo[^d]}** mrklix,
/lib/{fir[^m],mod[^u]}** mrklix,
/lib/{firm[^w],modu[^l]}** mrklix,
/lib/{firmw[^a],modul[^e]}** mrklix,
/lib/{firmwa[^r],module[^s]}** mrklix,
/lib/modules[^/]** mrklix,
/lib/firmwar[^e]** mrklix,
/lib/firmware[^/]** mrklix,

# /lib64, etc
/lib[^/]** mrklix,

# /opt
/opt/ r,
/opt/** mrklix,

# /usr - the mount setup may bind mount to:
#
# - /usr/lib/modules
# - /usr/lib/firmware
# - /usr/lib/snapd
# - /usr/src
#
# Everything but /usr/lib and /usr/src, which are handled elsewhere.
/usr/ r,
/usr/[^ls]** mrklix,
/usr/{l[^i],s[^r]}** mrklix,
/usr/{li[^b],sr[^c]}** mrklix,
/usr/{lib,src}[^/]** mrklix,
# Everything in /usr/lib except /usr/lib/firmware, /usr/lib/modules and
# /usr/lib/snapd, which are handled elsewhere.
/usr/lib/ r,
/usr/lib/[^fms]** mrklix,
/usr/lib/{f[^i],m[^o],s[^n]}** mrklix,
/usr/lib/{fi[^r],mo[^d],sn[^a]}** mrklix,
/usr/lib/{fir[^m],mod[^u],sna[^p]}** mrklix,
/usr/lib/{firm[^w],modu[^l],snap[^d]}** mrklix,
/usr/lib/snapd[^/]** mrklix,
/usr/lib/{firmw[^a],modul[^e]}** mrklix,
/usr/lib/{firmwa[^r],module[^s]}** mrklix,
/usr/lib/modules[^/]** mrklix,
/usr/lib/firmwar[^e]** mrklix,
/usr/lib/firmware[^/]** mrklix,

# /var - the mount setup may bind mount in:
#
# - /var/lib/dhcp
# - /var/lib/extrausers
# - /var/lib/jenkins
# - /var/lib/snapd
# - /var/log
# - /var/snap
# - /var/tmp
#
# Everything but /var/lib, /var/log, /var/snap and /var/tmp, which are
# handled elsewhere.
/var/ r,
/var/[^lst]** mrklix,
/var/{l[^io],s[^n],t[^m]}** mrklix,
/var/{li[^b],lo[^g],sn[^a],tm[^p]}** mrklix,
/var/{lib,log,tmp}[^/]** mrklix,
/var/sna[^p]** mrklix,
/var/snap[^/]** mrklix,
# Everything in /var/lib except /var/lib/dhcp, /var/lib/extrausers,
# /var/lib/jenkins and /var/lib/snapd which are handled elsewhere.
/var/lib/ r,
/var/lib/[^dejs]** mrklix,
/var/lib/{d[^h],e[^x],j[^e],s[^n]}** mrklix,
/var/lib/{dh[^c],ex[^t],je[^n],sn[^a]}** mrklix,
/var/lib/{dhc[^p],ext[^r],jen[^k],sna[^p]}** mrklix,
/var/lib/dhcp[^/]** mrklix,
/var/lib/{extr[^a],jenk[^i],snap[^d]}** mrklix,
/var/lib/snapd[^/]** mrklix,
/var/lib/{extra[^u],jenki[^n]}** mrklix,
/var/lib/{extrau[^s],jenkin[^s]}** mrklix,
/var/lib/jenkins[^/]** mrklix,
/var/lib/extraus[^e]** mrklix,
/var/lib/extrause[^r]** mrklix,
/var/lib/extrauser[^s]** mrklix,
/var/lib/extrausers[^/]** mrklix,
`

// defaultOtherBaseTemplate contains the default apparmor template for non-core
// bases: the common preamble, the non-core base rules and the closing footer,
// concatenated in that order.
var defaultOtherBaseTemplate = templateCommon + defaultOtherBaseTemplateRules + templateFooter

// privDropAndChownRules contains the rules for privilege drop and chown
// operations. The specific setuid, setgid and chown operations are controlled
// via seccomp.
//
// To expand on the policy comment below: "this is not a problem in practice":
// access to sockets is mediated by file and unix AppArmor rules. When the
// access is allowed, the snap is expected to be able to use the socket. Some
// service listeners will employ additional checks, such as 'is the connecting
// (snap) process root' or 'is the connecting non-root (snap) process in a
// particular group', etc. Since snapd daemons start as root and because the
// service listeners typically let the root process do anything, the snap
// doesn't gain anything from being able to forge a uid since it has full
// access to the socket API already. A snap could forge a check to bypass the
// theoretical case of the service listener wanting to limit root to something
// less than another user, but in practice service listeners won't do this
// because it is ineffective against unconfined root processes which can
// manipulate the service listener in other ways to subvert a check like this.
//
// For CAP_KILL, AppArmor mediates signals and the default policy allows
// sending signals only to processes with a security label that matches the
// snap, but AppArmor does not currently mediate the uid/gid of the
// sender/receiver to finely mediate what non-root uid/gids a root process may
// send to, so we have always required the process-control interface for snaps
// to send signals to other users (even within the same snap). We want to
// maintain this with our privilege dropping rules, so we omit 'capability
// kill' since snaps can work within the system without 'capability kill':
// - root parent can drop, spawn a child and later (dropped) parent can send a
// signal
// - root parent can spawn a child that drops, then later temporarily drop
// (ie, seteuid/setegid), send the signal, then reraise
var privDropAndChownRules = `
# allow setuid, setgid and chown for privilege dropping (mediation is done
# via seccomp). Note: CAP_SETUID allows (and CAP_SETGID is the same, but
# for gid operations):
# - forging of UIDs when passing passing socket credentials via UNIX domain
# sockets and we don't currently mediate socket credentials, between
# mediating socket access in general and the execve() boundary that drops
# the capability for non-root commands, this is not a problem in practice.
# - accessing the persistent keyring via keyctl, but keyctl is mediated via
# seccomp.
# - writing a user ID mapping in a user namespace, but we mediate access to
# /proc/*/uid_map with AppArmor
#
# CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH are intentionally omitted from the
# policy since we want traditional DAC to be enforced for root. It is
# expected that a program that is dropping privileges, etc will create/modify
# files in a way that doesn't require these capabilities.
capability setuid,
capability setgid,
capability chown,
#capability dac_override,
#capability dac_read_search,

# Similarly, CAP_KILL is intentionally omitted since we want traditional
# DAC to be enforced for root. It is expected that a program that is spawning
# processes that ultimately run as non-root will send signals to those
# processes as the matching non-root user.
#capability kill,
`

// classicTemplate contains the apparmor template used for snaps with classic
// confinement. This template was designed by jdstrand:
// https://github.com/snapcore/snapd/pull/2366#discussion_r90101320
//
// The classic template intentionally provides no confinement and is used
// simply to ensure that processes have the proper command-specific security
// label instead of 'unconfined'.
//
// It can be overridden for testing using MockClassicTemplate().
var classicTemplate = `
#include <tunables/global>

###VAR###

###PROFILEATTACH### (attach_disconnected,mediate_deleted) {
# set file rules so that exec() inherits our profile unless there is
# already a profile for it (eg, snap-confine)
/ rwkl,
/** rwlkm,
/** pix,

capability,
###CHANGEPROFILE_RULE###
dbus,
network,
mount,
remount,
umount,
pivot_root,
ptrace,
signal,
unix,

###SNIPPETS###
}
`

// classicJailmodeSnippet contains extra rules that allow snaps using classic
// confinement, that were put in to jailmode, to execute by at least having
// access to the core snap (e.g. for the dynamic linker and libc).
var classicJailmodeSnippet = `
# Read-only access to the core snap.
@{INSTALL_DIR}/core/** r,
# Read only access to the core snap to load libc from.
# This is related to LP: #1666897
@{INSTALL_DIR}/core/*/{,usr/}lib/@{multiarch}/{,**/}lib*.so* m,

# For snappy reexec on 4.8+ kernels
@{INSTALL_DIR}/core/*/usr/lib/snapd/snap-exec m,
`

// nfsSnippet contains extra permissions necessary for snaps and snap-confine
// to operate when NFS is used. This is an imperfect solution as this grants
// some network access to all the snaps on the system.
// For tracking see https://bugs.launchpad.net/apparmor/+bug/1724903
var nfsSnippet = `
# snapd autogenerated workaround for systems using NFS, for details see:
# https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1662552
network inet,
network inet6,
`

// overlayRootSnippet contains the extra permissions necessary for snap and
// snap-confine to operate on systems where '/' is a writable overlay fs.
// AppArmor requires directory reads for upperdir (but these aren't otherwise
// visible to the snap). While we filter AppArmor regular expression (AARE)
// characters elsewhere, we double quote the path in case UPPERDIR has spaces.
//
// NOTE(review): the double quotes only protect against whitespace; a '"'
// inside the substituted UPPERDIR value would end the quoted path early, so
// the AARE filtering referred to above needs to reject or escape double
// quotes as well. Verify this where ###UPPERDIR### is substituted (not in
// this file).
var overlayRootSnippet = `
# snapd autogenerated workaround for systems using '/' on overlayfs. For
# details see: https://bugs.launchpad.net/apparmor/+bug/1703674
"###UPPERDIR###/{,**/}" r,
`

// ptraceTraceDenySnippet contains explicit deny rules for 'ptrace (trace)'
// and 'capability sys_ptrace'. It exists to silence the noisy denials that
// non-tracing commands trigger and to avoid accidentally granting trace
// access; the policy comment inside explains why the access is dangerous.
var ptraceTraceDenySnippet = `
# While commands like 'ps', 'ip netns identify <pid>', 'ip netns pids foo', etc
# trigger a 'ptrace (trace)' denial, they aren't actually tracing other
# processes. Unfortunately, the kernel overloads trace such that the LSMs are
# unable to distinguish between tracing other processes and other accesses.
# ptrace (trace) can be used to break out of the seccomp sandbox unless the
# kernel has 93e35efb8de45393cf61ed07f7b407629bf698ea (in 4.8+). Until snapd
# has full ptrace support conditional on kernel support, explicitly deny to
# silence noisy denials/avoid confusion and accidentally giving away this
# dangerous access frivolously.
deny ptrace (trace),
deny capability sys_ptrace,
`

// updateNSTemplate defines the apparmor profile for per-snap snap-update-ns.
//
// The per-snap snap-update-ns profiles are composed via a template and
// snippets for the snap. The template allows:
// - accesses to libraries, files and /proc entries required to run
// - using global and per-snap lock files
// - reading per-snap mount namespaces and mount profiles
// - managing per-snap freezer state files
// - per-snap mounting/unmounting fonts from the host
// - denying mounts to restricted places (eg, /snap/bin and /media)
var updateNSTemplate = `
# Description: Allows snap-update-ns to construct the mount namespace specific
# to a particular snap (see the name below). This specifically includes the
# precise locations of the layout elements.
904 905 # vim:syntax=apparmor 906 907 #include <tunables/global> 908 909 profile snap-update-ns.###SNAP_INSTANCE_NAME### (attach_disconnected) { 910 # The next four rules mirror those above. We want to be able to read 911 # and map snap-update-ns into memory but it may come from a variety of places. 912 /usr/lib{,exec,64}/snapd/snap-update-ns mr, 913 /var/lib/snapd/hostfs/usr/lib{,exec,64}/snapd/snap-update-ns mr, 914 /{,var/lib/snapd/}snap/{core,snapd}/*/usr/lib/snapd/snap-update-ns mr, 915 /var/lib/snapd/hostfs/{,var/lib/snapd/}snap/core/*/usr/lib/snapd/snap-update-ns mr, 916 917 # Allow reading the dynamic linker cache. 918 /etc/ld.so.cache r, 919 # Allow reading, mapping and executing the dynamic linker. 920 /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}ld-*.so mrix, 921 # Allow reading and mapping various parts of the standard library and 922 # dynamically loaded nss modules and what not. 923 /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libc{,-[0-9]*}.so* mr, 924 /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libpthread{,-[0-9]*}.so* mr, 925 926 # Common devices accesses 927 /dev/null rw, 928 /dev/full rw, 929 /dev/zero rw, 930 /dev/random r, 931 /dev/urandom r, 932 933 # golang runtime variables 934 /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r, 935 936 # Allow reading the command line (snap-update-ns uses it in pre-Go bootstrap code). 937 @{PROC}/@{pid}/cmdline r, 938 939 # Allow reading file descriptor paths 940 @{PROC}/@{pid}/fd/* r, 941 # Allow reading /proc/version. For release.go WSL detection. 942 @{PROC}/version r, 943 944 # Allow reading somaxconn, required in newer distro releases 945 @{PROC}/sys/net/core/somaxconn r, 946 # but silence noisy denial of inet/inet6 947 deny network inet, 948 deny network inet6, 949 950 # Allow reading the os-release file (possibly a symlink to /usr/lib). 951 /{etc/,usr/lib/}os-release r, 952 953 # Allow creating/grabbing global and per-snap lock files. 
954 /run/snapd/lock/###SNAP_INSTANCE_NAME###.lock rwk, 955 /run/snapd/lock/.lock rwk, 956 957 # Allow reading stored mount namespaces, 958 /run/snapd/ns/ r, 959 /run/snapd/ns/###SNAP_INSTANCE_NAME###.mnt r, 960 961 # Allow reading per-snap desired mount profiles. Those are written by 962 # snapd and represent the desired layout and content connections. 963 /var/lib/snapd/mount/snap.###SNAP_INSTANCE_NAME###.fstab r, 964 /var/lib/snapd/mount/snap.###SNAP_INSTANCE_NAME###.user-fstab r, 965 966 # Allow reading and writing actual per-snap mount profiles. Note that 967 # the wildcard in the rule to allow an atomic write + rename strategy. 968 # Those files are written by snap-update-ns and represent the actual 969 # mount profile at a given moment. 970 /run/snapd/ns/snap.###SNAP_INSTANCE_NAME###.fstab{,.*} rw, 971 972 # NOTE: at this stage the /snap directory is stable as we have called 973 # pivot_root already. 974 975 # Needed to perform mount/unmounts. 976 capability sys_admin, 977 # Needed for mimic construction. 978 capability chown, 979 # Needed for dropping to calling user when processing per-user mounts 980 capability setuid, 981 capability setgid, 982 # Allow snap-update-ns to override file ownership and permission checks. 983 # This is required because writable mimics now preserve the permissions 984 # of the original and hence we may be asked to create a directory when the 985 # parent is a tmpfs without DAC write access. 
986 capability dac_override, 987 988 # Allow freezing and thawing the per-snap cgroup freezers 989 /sys/fs/cgroup/freezer/snap.###SNAP_INSTANCE_NAME###/freezer.state rw, 990 991 # Allow the content interface to bind fonts from the host filesystem 992 mount options=(ro bind) /var/lib/snapd/hostfs/usr/share/fonts/ -> /snap/###SNAP_INSTANCE_NAME###/*/**, 993 mount options=(rw private) -> /snap/###SNAP_INSTANCE_NAME###/*/**, 994 umount /snap/###SNAP_INSTANCE_NAME###/*/**, 995 996 # set up user mount namespace 997 mount options=(rslave) -> /, 998 999 # Allow traversing from the root directory and several well-known places. 1000 # Specific directory permissions are added by snippets below. 1001 / r, 1002 /etc/ r, 1003 /snap/ r, 1004 /tmp/ r, 1005 /usr/ r, 1006 /var/ r, 1007 /var/snap/ r, 1008 1009 # Allow reading timezone data. 1010 /usr/share/zoneinfo/** r, 1011 1012 # Don't allow anyone to touch /snap/bin 1013 audit deny mount /snap/bin/** -> /**, 1014 audit deny mount /** -> /snap/bin/**, 1015 1016 # Don't allow bind mounts to /media which has special 1017 # sharing and propagates mount events outside of the snap namespace. 1018 audit deny mount -> /media, 1019 1020 # Allow receiving signals from unconfined (eg, systemd) 1021 signal (receive) peer=unconfined, 1022 # Allow sending and receiving signals from ourselves. 1023 signal peer=@{profile_name}, 1024 1025 # Commonly needed permissions for writable mimics. 1026 /tmp/ r, 1027 /tmp/.snap/{,**} rw, 1028 1029 # snapd logger.go checks /proc/cmdline 1030 @{PROC}/cmdline r, 1031 1032 ###SNIPPETS### 1033 } 1034 `