
     1  # Author: Jamie Strandboge <jamie@canonical.com>
     2  #include <tunables/global>
     3  
     4  @LIBEXECDIR@/snap-confine (attach_disconnected) {
     5      # Include any additional files that snapd chose to generate.
     6      # - for $HOME on NFS
     7      # - for $HOME on encrypted media
     8      #
     9      # Those are discussed on https://forum.snapcraft.io/t/snapd-vs-upstream-kernel-vs-apparmor
    10      # and https://forum.snapcraft.io/t/snaps-and-nfs-home/
    11      #include "/var/lib/snapd/apparmor/snap-confine"
    12  
    13      # We run privileged, so be fanatical about what we include and don't use
    14      # any abstractions
    15      /etc/ld.so.cache r,
    16      /etc/ld.so.preload r,
    17      /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}ld-*.so mrix,
    18      # libc, you are funny
    19      /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libc{,-[0-9]*}.so* mr,
    20      /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libpthread{,-[0-9]*}.so* mr,
    21      /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libreadline{,-[0-9]*}.so* mr,
    22      /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}librt{,-[0-9]*}.so* mr,
    23      /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libgcc_s.so* mr,
    24      /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libncursesw{,-[0-9]*}.so* mr,
    25      /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libresolv{,-[0-9]*}.so* mr,
    26      /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libselinux.so* mr,
    27      /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libpcre{,2}{,-[0-9]*}.so* mr,
    28      /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libmount.so* mr,
    29      /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libblkid.so* mr,
    30      /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libuuid.so* mr,
    31      # normal libs in order
    32      /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libapparmor.so* mr,
    33      /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcgmanager.so* mr,
    34      /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libdl{,-[0-9]*}.so* mr,
    35      /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnih.so* mr,
    36      /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnih-dbus.so* mr,
    37      /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libdbus-1.so* mr,
    38      /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libudev.so* mr,
    39      /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libseccomp.so* mr,
    40      /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcap.so* mr,
    41      # Needed to run /usr/bin/sh for snap-device-helper.
    42      /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libtinfo.so* mr,
    43  
    44      @LIBEXECDIR@/snap-confine mr,
    45  
    46      /dev/null rw,
    47      /dev/full rw,
    48      /dev/zero rw,
    49      /dev/random r,
    50      /dev/urandom r,
    51      /dev/pts/[0-9]* rw,
    52      /dev/tty rw,
    53  
    54      # cgroup: devices
    55      capability sys_admin,
    56      capability dac_read_search,
    57      capability dac_override,
    58      /sys/fs/cgroup/devices/snap{,py}.*/ w,
    59      /sys/fs/cgroup/devices/snap{,py}.*/cgroup.procs w,
    60      /sys/fs/cgroup/devices/snap{,py}.*/devices.{allow,deny} w,
    61  
    62      # cgroup: freezer
    63      # Allow creating per-snap cgroup freezers and adding snap command (task)
    64      # invocations to the freezer. This allows for reliably enumerating all
    65      # running processes for the snap. In addition, allow enumerating processes
    66      # in the cgroup to determine if it is occupied.
    67      /sys/fs/cgroup/freezer/ r,
    68      /sys/fs/cgroup/freezer/snap.*/ w,
    69      /sys/fs/cgroup/freezer/snap.*/cgroup.procs rw,
    70  
    71      # querying udev
    72      /etc/udev/udev.conf r,
    73      /sys/**/uevent r,
    74      /usr/lib/snapd/snap-device-helper ixr, # drop
    75      /{,usr/}lib/udev/snappy-app-dev ixr, # drop
    76      /run/udev/** rw,
    77      /{,usr/}bin/tr ixr,
    78      /usr/lib/locale/** r,
    79      /usr/lib/@{multiarch}/gconv/gconv-modules r,
    80      /usr/lib/@{multiarch}/gconv/gconv-modules.cache r,
    81  
    82      # privilege dropping
    83      capability setuid,
    84      capability setgid,
    85  
    86      # changing profile
    87      @{PROC}/[0-9]*/attr/{,apparmor/}exec w,
    88      # Reading current profile
    89      @{PROC}/[0-9]*/attr/{,apparmor/}current r,
    90      # Reading available filesystems
    91      @{PROC}/filesystems r,
    92  
    93      # To find where apparmor is mounted
    94      @{PROC}/[0-9]*/mounts r,
    95      # To find if apparmor is enabled
    96      /sys/module/apparmor/parameters/enabled r,
    97  
    98      # Don't allow changing profile to unconfined or profiles that start with
    99      # '/'. Use 'unsafe' to support snap-exec on armhf and its reliance on
   100      # the environment for determining the capabilities of the architecture.
   101      # 'unsafe' is ok here because the kernel will have already cleared the
   102      # environment as part of launching snap-confine with CAP_SYS_ADMIN. This
   103      # does leave ld.so.preload and LD_PRELOAD free to name a library that
   104      # lives in a directory configured by ld.so.conf, but access to those
   105      # locations is mediated by this profile (which requires rules for
   106      # specific locations).
   107      change_profile unsafe /** -> [^u/]**,
   108      change_profile unsafe /** -> u[^n]**,
   109      change_profile unsafe /** -> un[^c]**,
   110      change_profile unsafe /** -> unc[^o]**,
   111      change_profile unsafe /** -> unco[^n]**,
   112      change_profile unsafe /** -> uncon[^f]**,
   113      change_profile unsafe /** -> unconf[^i]**,
   114      change_profile unsafe /** -> unconfi[^n]**,
   115      change_profile unsafe /** -> unconfin[^e]**,
   116      change_profile unsafe /** -> unconfine[^d]**,
   117      change_profile unsafe /** -> unconfined?**,
   118  
   119      # allow changing to a few not caught above
   120      change_profile unsafe /** -> {u,un,unc,unco,uncon,unconf,unconfi,unconfin,unconfine},
   121  
   122      # LP: #1446794 - when this bug is fixed, change the above to:
   123      # deny change_profile unsafe /** -> {unconfined,/**},
   124      # change_profile unsafe /** -> **,
   125  
   126      # reading seccomp filters
   127      /{tmp/snap.rootfs_*/,}var/lib/snapd/seccomp/bpf/*.bin r,
   128  
   129      # LP: #1668659 and parallel instances of classic snaps
   130      mount options=(rw rbind) /snap/ -> /snap/,
   131      mount options=(rw rshared) -> /snap/,
   132      mount options=(rw rbind) /var/lib/snapd/snap/ -> /var/lib/snapd/snap/,
   133      mount options=(rw rshared) -> /var/lib/snapd/snap/,
   134  
   135      # bootstrapping the mount namespace
   136      mount options=(rw rshared) -> /,
   137      mount options=(rw bind) /tmp/snap.rootfs_*/ -> /tmp/snap.rootfs_*/,
   138      mount options=(rw unbindable) -> /tmp/snap.rootfs_*/,
   139      # the next line is for classic system
   140      mount options=(rw rbind) @SNAP_MOUNT_DIR@/*/*/ -> /tmp/snap.rootfs_*/,
   141      # the next line is for core system
   142      mount options=(rw rbind) / -> /tmp/snap.rootfs_*/,
   143      # all of the constructed rootfs is a rslave
   144      mount options=(rw rslave) -> /tmp/snap.rootfs_*/,
   145      # bidirectional mounts (for both classic and core)
   146      # NOTE: this doesn't account for the MERGED_USR configuration option, so
   147      # when a distro with merged /usr and / that uses apparmor shows up it
   148      # should be handled here.
   149      /{,run/}media/ w,
   150      mount options=(rw rbind) /{,run/}media/ -> /tmp/snap.rootfs_*/{,run/}media/,
   151      /run/netns/ w,
   152      mount options=(rw rbind) /run/netns/ -> /tmp/snap.rootfs_*/run/netns/,
   153      # unidirectional mounts (only for classic system)
   154      mount options=(rw rbind) /dev/ -> /tmp/snap.rootfs_*/dev/,
   155      mount options=(rw rslave) -> /tmp/snap.rootfs_*/dev/,
   156  
   157      mount options=(rw rbind) /etc/ -> /tmp/snap.rootfs_*/etc/,
   158      mount options=(rw rslave) -> /tmp/snap.rootfs_*/etc/,
   159  
   160      mount options=(rw rbind) /home/ -> /tmp/snap.rootfs_*/home/,
   161      mount options=(rw rslave) -> /tmp/snap.rootfs_*/home/,
   162  
   163      mount options=(rw rbind) /root/ -> /tmp/snap.rootfs_*/root/,
   164      mount options=(rw rslave) -> /tmp/snap.rootfs_*/root/,
   165  
   166      mount options=(rw rbind) /proc/ -> /tmp/snap.rootfs_*/proc/,
   167      mount options=(rw rslave) -> /tmp/snap.rootfs_*/proc/,
   168  
   169      mount options=(rw rbind) /sys/ -> /tmp/snap.rootfs_*/sys/,
   170      mount options=(rw rslave) -> /tmp/snap.rootfs_*/sys/,
   171  
   172      mount options=(rw rbind) /tmp/ -> /tmp/snap.rootfs_*/tmp/,
   173      mount options=(rw rslave) -> /tmp/snap.rootfs_*/tmp/,
   174  
   175      mount options=(rw rbind) /var/lib/dhcp/ -> /tmp/snap.rootfs_*/var/lib/dhcp/,
   176      mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/lib/dhcp/,
   177  
   178      mount options=(rw rbind) /var/lib/snapd/ -> /tmp/snap.rootfs_*/var/lib/snapd/,
   179      mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/lib/snapd/,
   180  
   181      mount options=(rw rbind) /var/snap/ -> /tmp/snap.rootfs_*/var/snap/,
   182      mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/snap/,
   183  
   184      mount options=(rw rbind) /var/tmp/ -> /tmp/snap.rootfs_*/var/tmp/,
   185      mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/tmp/,
   186  
   187      mount options=(rw rbind) /run/ -> /tmp/snap.rootfs_*/run/,
   188      mount options=(rw rslave) -> /tmp/snap.rootfs_*/run/,
   189  
   190      mount options=(rw rbind) /var/lib/extrausers/ -> /tmp/snap.rootfs_*/var/lib/extrausers/,
   191      mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/lib/extrausers/,
   192  
   193      mount options=(rw rbind) {,/usr}/lib{,32,64,x32}/modules/ -> /tmp/snap.rootfs_*{,/usr}/lib/modules/,
   194      mount options=(rw rslave) -> /tmp/snap.rootfs_*{,/usr}/lib/modules/,
   195  
   196      mount options=(rw rbind) {,/usr}/lib{,32,64,x32}/firmware/ -> /tmp/snap.rootfs_*{,/usr}/lib/firmware/,
   197      mount options=(rw rslave) -> /tmp/snap.rootfs_*{,/usr}/lib/firmware/,
   198  
   199      mount options=(rw rbind) /var/log/ -> /tmp/snap.rootfs_*/var/log/,
   200      mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/log/,
   201  
   202      mount options=(rw rbind) /usr/src/ -> /tmp/snap.rootfs_*/usr/src/,
   203      mount options=(rw rslave) -> /tmp/snap.rootfs_*/usr/src/,
   204  
   205      mount options=(rw rbind) /mnt/ -> /tmp/snap.rootfs_*/mnt/,
   206      mount options=(rw rslave) -> /tmp/snap.rootfs_*/mnt/,
   207  
   208      # allow making host snap-exec available inside base snaps
   209      mount options=(rw bind) @LIBEXECDIR@/ -> /tmp/snap.rootfs_*/usr/lib/snapd/,
   210      mount options=(rw slave) -> /tmp/snap.rootfs_*/usr/lib/snapd/,
   211  
   212      # allow making re-execed host snap-exec available inside base snaps
   213      mount options=(ro bind) @SNAP_MOUNT_DIR@/core/*/usr/lib/snapd/ -> /tmp/snap.rootfs_*/usr/lib/snapd/,
   214      # allow making snapd snap tools available inside base snaps
   215      mount options=(ro bind) @SNAP_MOUNT_DIR@/snapd/*/usr/lib/snapd/ -> /tmp/snap.rootfs_*/usr/lib/snapd/,
   216  
   217      mount options=(rw bind) /usr/bin/snapctl -> /tmp/snap.rootfs_*/usr/bin/snapctl,
   218      mount options=(rw slave) -> /tmp/snap.rootfs_*/usr/bin/snapctl,
   219  
   220      # /etc/alternatives (classic)
   221      mount options=(rw bind) @SNAP_MOUNT_DIR@/*/*/etc/alternatives/ -> /tmp/snap.rootfs_*/etc/alternatives/,
   222      mount options=(rw bind) @SNAP_MOUNT_DIR@/*/*/etc/ssl/ -> /tmp/snap.rootfs_*/etc/ssl/,
   223      mount options=(rw bind) @SNAP_MOUNT_DIR@/*/*/etc/nsswitch.conf -> /tmp/snap.rootfs_*/etc/nsswitch.conf,
   224      # /etc/alternatives (core)
   225      mount options=(rw bind) /etc/alternatives/ -> /tmp/snap.rootfs_*/etc/alternatives/,
   226      mount options=(rw slave) -> /tmp/snap.rootfs_*/etc/alternatives/,
   227      mount options=(rw slave) -> /tmp/snap.rootfs_*/etc/ssl/,
   228      mount options=(rw slave) -> /tmp/snap.rootfs_*/etc/nsswitch.conf,
   229      # the /snap directory
   230      mount options=(rw rbind) @SNAP_MOUNT_DIR@/ -> /tmp/snap.rootfs_*/snap/,
   231      mount options=(rw rslave) -> /tmp/snap.rootfs_*/snap/,
   232      # pivot_root preparation and execution
   233      mount options=(rw bind) /tmp/snap.rootfs_*/var/lib/snapd/hostfs/ -> /tmp/snap.rootfs_*/var/lib/snapd/hostfs/,
   234      mount options=(rw private) -> /tmp/snap.rootfs_*/var/lib/snapd/hostfs/,
   235  
   236      # pivot_root mediation in AppArmor is not complete. See LP: #1791711.
   237      # However, we can mediate the new_root and put_old to be what we expect,
   238      # and then deny directory creation within old_root to prevent trivial
   239      # pivoting into a whitelisted path.
   240      pivot_root oldroot=/tmp/snap.rootfs_*/var/lib/snapd/hostfs/ /tmp/snap.rootfs_*/,
   241      # Explicitly deny creating the old_root directory in case it is
   242      # inadvertently added somewhere else. While this doesn't resolve
   243      # LP: #1791711, it provides some hardening.
   244      audit deny /tmp/snap.rootfs_*/{var/,var/lib/,var/lib/snapd/,var/lib/snapd/hostfs/} w,
   245  
   246      # cleanup
   247      umount /var/lib/snapd/hostfs/tmp/snap.rootfs_*/,
   248      umount /var/lib/snapd/hostfs/sys/,
   249      umount /var/lib/snapd/hostfs/dev/,
   250      umount /var/lib/snapd/hostfs/proc/,
   251      mount options=(rw rslave) -> /var/lib/snapd/hostfs/,
   252  
   253      # Hide /writable from view of snaps.
   254      mount options=(rprivate) -> /{,var/lib/snapd/hostfs/}writable/,
   255      umount /{,var/lib/snapd/hostfs/}writable/,
   256  
   257      # set up user mount namespace
   258      mount options=(rslave) -> /,
   259  
   260      # set up mount namespace for parallel instances of classic snaps
   261      mount options=(rw rbind) @SNAP_MOUNT_DIR@/{,*/} -> @SNAP_MOUNT_DIR@/{,*/},
   262      mount options=(rslave) -> @SNAP_MOUNT_DIR@/,
   263      mount options=(rslave) -> /var/snap/,
   264      mount options=(rw rbind) /var/snap/{,*/} -> /var/snap/{,*/},
   265      mount options=(rw rshared) -> /var/snap/,
   266  
   267      # Allow reading the os-release file (possibly a symlink to /usr/lib).
   268      /{etc/,usr/lib/}os-release r,
   269  
   270      # Allow creating /var/lib/snapd/hostfs, if missing
   271      /var/lib/snapd/hostfs/ rw,
   272  
   273      # set up snap-specific private /tmp dir
   274      capability chown,
   275      /tmp/ rw,
   276      /tmp/snap.*/ rw,
   277      /tmp/snap.*/tmp/ rw,
   278      mount options=(rw private) ->  /tmp/,
   279      mount options=(rw bind) /tmp/snap.*/tmp/ -> /tmp/,
   280      mount fstype=devpts options=(rw) devpts -> /dev/pts/,
   281      mount options=(rw bind) /dev/pts/ptmx -> /dev/ptmx,     # for bind mounting
   282      mount options=(rw bind) /dev/pts/ptmx -> /dev/pts/ptmx, # for bind mounting under LXD
   283      # Workaround for LP: #1584456 on older kernels that mistakenly think
   284      # /dev/pts/ptmx needs a trailing '/'
   285      mount options=(rw bind) /dev/pts/ptmx/ -> /dev/ptmx/,
   286      mount options=(rw bind) /dev/pts/ptmx/ -> /dev/pts/ptmx/,
   287  
   288      # for running snaps on classic
   289      /snap/ r,
   290      /snap/** r,
   291      @SNAP_MOUNT_DIR@/ r,
   292      @SNAP_MOUNT_DIR@/** r,
   293  
   294      # NOTE: at this stage the /snap directory is stable as we have called
   295      # pivot_root already.
   296  
   297      # nvidia handling: the nvidia glob below needs /usr/** read access and
   298      # the launcher must be able to bind mount the nvidia dir
   299      /sys/module/nvidia/version r,
   300      /sys/**/drivers/nvidia{,_*}/* r,
   301      /sys/**/nvidia*/uevent r,
   302      /sys/module/nvidia{,_*}/* r,
   303      /dev/nvidia[0-9]* r,
   304      /dev/nvidiactl r,
   305      /dev/nvidia-uvm r,
   306      /usr/** r,
   307      mount options=(rw bind) /usr/lib{,32}/nvidia-*/ -> /{tmp/snap.rootfs_*/,}var/lib/snapd/lib/gl{,32}/,
   308      mount options=(rw bind) /usr/lib{,32}/nvidia-*/ -> /{tmp/snap.rootfs_*/,}var/lib/snapd/lib/gl{,32}/,
   309      /tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/{,*} w,
   310      mount fstype=tmpfs options=(rw nodev noexec) none -> /tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/,
   311      mount options=(remount ro bind) -> /tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/,
   312  
   313      # Vulkan support
   314      /tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/{,*} w,
   315      mount fstype=tmpfs options=(rw nodev noexec) none -> /tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/,
   316      mount options=(remount ro bind) -> /tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/,
   317  
   318      # GLVND EGL vendor
   319      /tmp/snap.rootfs_*/var/lib/snapd/lib/glvnd/{,*} w,
   320      mount fstype=tmpfs options=(rw nodev noexec) none -> /tmp/snap.rootfs_*/var/lib/snapd/lib/glvnd/,
   321      mount options=(remount ro bind) -> /tmp/snap.rootfs_*/var/lib/snapd/lib/glvnd/,
   322  
   323      # create gl dirs as needed
   324      /tmp/snap.rootfs_*/ r,
   325      /tmp/snap.rootfs_*/var/ r,
   326      /tmp/snap.rootfs_*/var/lib/ r,
   327      /tmp/snap.rootfs_*/var/lib/snapd/ r,
   328      /tmp/snap.rootfs_*/var/lib/snapd/lib/ r,
   329      /tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/ r,
   330      /tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/** rw,
   331      /tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/ r,
   332      /tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/** rw,
   333      /tmp/snap.rootfs_*/var/lib/snapd/lib/glvnd/ r,
   334      /tmp/snap.rootfs_*/var/lib/snapd/lib/glvnd/** rw,
   335  
   336      # for chroot on steroids, we use pivot_root as a better chroot that makes
   337      # apparmor rules behave the same on classic and outside of classic.
   338  
   339      # for creating the user data directories: ~/snap, ~/snap/<name> and
   340      # ~/snap/<name>/<version>
   341      / r,
   342      @{HOMEDIRS}/ r,
   343      # These should both have 'owner' match but due to LP: #1466234, we can't
   344      # yet
   345      @{HOME}/ r,
   346      @{HOME}/snap/{,*/,*/*/} rw,
   347  
   348      # Special case for *classic* snaps that are used by users with existing dirs
   349      # in /var/lib/. Like jenkins, postgresql, mysql, puppet, ...
   350      # (see https://forum.snapcraft.io/t/9717)
   351      # TODO: this can be removed once we support home-dirs outside of /home
   352      #       better
   353      /var/ r,
   354      /var/lib/ r,
   355      # These should both have 'owner' match but due to LP: #1466234, we can't
   356      # yet
   357      /var/lib/*/ r,
   358      /var/lib/*/snap/{,*/,*/*/} rw,
   359  
   360      # for creating the user shared memory directories
   361      /{dev,run}/{,shm/} r,
   362      # This should have an 'owner' match but due to LP: #1466234, we can't yet
   363      /{dev,run}/shm/{,*/,*/*/} rw,
   364  
   365      # for creating the user XDG_RUNTIME_DIR: /run/user, /run/user/UID and
   366      # /run/user/UID/<name>
   367      /run/user/{,[0-9]*/,[0-9]*/*/} rw,
   368  
   369      # Workaround https://launchpad.net/bugs/359338 until upstream handles
   370      # stacked filesystems generally.
   371      # encrypted ~/.Private and old-style encrypted $HOME
   372      @{HOME}/.Private/ r,
   373      @{HOME}/.Private/** mrixwlk,
   374      # new-style encrypted $HOME
   375      @{HOMEDIRS}/.ecryptfs/*/.Private/ r,
   376      @{HOMEDIRS}/.ecryptfs/*/.Private/** mrixwlk,
   377  
   378      # Allow snap-confine to move to the void, creating it if necessary.
   379      /var/lib/snapd/void/ rw,
   380  
   381      # Allow snap-confine to read snap contexts
   382      /var/lib/snapd/context/snap.* r,
   383  
   384      # Allow snap-confine to unmount stale mount namespaces.
   385      umount /run/snapd/ns/*.mnt,
   386      /run/snapd/ns/snap.*.fstab w,
   387      # Allow snap-confine to read and write mount namespace information files.
   388      /run/snapd/ns/snap.*.info rw,
   389      # Required to correctly unmount bound mount namespace.
   390      # See LP: #1735459 for details.
   391      umount /,
   392  
   393      # support for locking
   394      /run/snapd/lock/ rw,
   395      /run/snapd/lock/*.lock rwk,
   396  
   397      # support for the mount namespace sharing
   398      capability sys_ptrace,
   399      # allow snap-confine to read /proc/1/ns/mnt
   400      ptrace read peer=unconfined,
   401      # https://forum.snapcraft.io/t/custom-kernel-error-on-readlinkat-in-mount-namespace/6097/21
   402      ptrace trace peer=unconfined,
   403  
   404      mount options=(rw rbind) /run/snapd/ns/ -> /run/snapd/ns/,
   405      mount options=(private) -> /run/snapd/ns/,
   406      / rw,
   407      /run/ rw,
   408      /run/snapd/ rw,
   409      /run/snapd/ns/ rw,
   410      /run/snapd/ns/*.lock rwk,
   411      /run/snapd/ns/*.mnt rw,
   412      ptrace (read, readby, tracedby) peer=@LIBEXECDIR@/snap-confine//mount-namespace-capture-helper,
   413      @{PROC}/*/mountinfo r,
   414      capability sys_chroot,
   415      capability sys_admin,
   416      signal (send, receive) set=(abrt) peer=@LIBEXECDIR@/snap-confine,
   417      signal (send) set=(int) peer=@LIBEXECDIR@/snap-confine//mount-namespace-capture-helper,
   418      signal (send, receive) set=(int, alrm, exists) peer=@LIBEXECDIR@/snap-confine,
   419      signal (receive) set=(exists) peer=@LIBEXECDIR@/snap-confine//mount-namespace-capture-helper,
   420  
   421      # workaround for linux 4.13/upstream, see
   422      # https://forum.snapcraft.io/t/snapd-2-27-6-2-in-debian-sid-blocked-on-apparmor-in-kernel-4-13-0-1/2813/3
   423      ptrace (trace, tracedby) peer=@LIBEXECDIR@/snap-confine,
   424  
   425      # Allow reading snap cookies.
   426      /var/lib/snapd/cookie/snap.* r,
   427  
   428      # For aa_change_hat() to go into ^mount-namespace-capture-helper
   429      @{PROC}/[0-9]*/attr/{,apparmor/}current w,
   430  
   431      # As a special exception allow snap-confine to write to anything in /var/lib.
   432      # This code should be changed to allow delegation so that snap-confine can
   433      # inherit any file descriptor and pass it to the invoked application but
   434      # this is not possible in apparmor yet.
   435      # See https://bugs.launchpad.net/snapd/+bug/1815869
   436      /var/lib/** rw,
   437  
   438      ^mount-namespace-capture-helper (attach_disconnected) {
   439          # We run privileged, so be fanatical about what we include and don't use
   440          # any abstractions
   441          /etc/ld.so.cache r,
   442          /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}ld-*.so mrix,
   443          # libc, you are funny
   444          /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libc{,-[0-9]*}.so* mr,
   445          /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libpthread{,-[0-9]*}.so* mr,
   446          /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libreadline{,-[0-9]*}.so* mr,
   447          /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}librt{,-[0-9]*}.so* mr,
   448          /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libgcc_s.so* mr,
   449          /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libncursesw{,-[0-9]*}.so* mr,
   450          /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libresolv{,-[0-9]*}.so* mr,
   451          /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libselinux.so* mr,
   452          /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libpcre.so* mr,
   453          /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libmount.so* mr,
   454          /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libblkid.so* mr,
   455          /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libuuid.so* mr,
   456          # normal libs in order
   457          /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libapparmor.so* mr,
   458          /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcgmanager.so* mr,
   459          /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libdl{,-[0-9]*}.so* mr,
   460          /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnih.so* mr,
   461          /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnih-dbus.so* mr,
   462          /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libdbus-1.so* mr,
   463          /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libudev.so* mr,
   464          /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libseccomp.so* mr,
   465          /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcap.so* mr,
   466  
   467          @LIBEXECDIR@/snap-confine mr,
   468  
   469          /dev/null rw,
   470          /dev/full rw,
   471          /dev/zero rw,
   472          /dev/random r,
   473          /dev/urandom r,
   474  
   475          capability sys_ptrace,
   476          capability sys_admin,
   477          # This allows us to read and bind mount the namespace file
   478          / r,
   479          @{PROC}/ r,
   480          @{PROC}/*/ r,
   481          @{PROC}/*/ns/ r,
   482          @{PROC}/*/ns/mnt r,
   483          /run/ r,
   484          /run/snapd/ r,
   485          /run/snapd/ns/ r,
   486          /run/snapd/ns/*.mnt rw,
   487          # NOTE: the source name is / even though we map /proc/123/ns/mnt
   488          mount options=(rw bind) / -> /run/snapd/ns/*.mnt,
   489          # This is the SIGALRM that we send and receive if a timeout expires
   490          signal (send, receive) set=(alrm) peer=@LIBEXECDIR@/snap-confine//mount-namespace-capture-helper,
   491          # These two rules differ only in the peer: we don't know if the parent process is still alive
   492          # and hence has the snap-confine label, or is already dead and hence has no label (unconfined).
   493          signal (send) set=(exists) peer=@LIBEXECDIR@/snap-confine,
   494          signal (send) set=(exists) peer=unconfined,
   495          # This is so that we can abort
   496          signal (send, receive) set=(abrt) peer=@LIBEXECDIR@/snap-confine//mount-namespace-capture-helper,
   497          #  This is the signal we get if snap-confine dies (we subscribe to it with prctl)
   498          signal (receive) set=(int) peer=@LIBEXECDIR@/snap-confine,
   499          # This allows snap-confine to be killed from the outside.
   500          signal (receive) peer=unconfined,
   501          # This allows snap-confine to wait for us
   502          ptrace (read, trace, tracedby) peer=@LIBEXECDIR@/snap-confine,
   503      }
   504  
   505      # Allow snap-confine to be killed
   506      signal (receive) peer=unconfined,
   507  
   508      # Allow switching to snap-update-ns with a per-snap profile.
   509      change_profile -> snap-update-ns.*,
   510  
   511      # Allow executing snap-update-ns when...
   512  
   513      # ...snap-confine is, conceptually, re-executing and uses snap-update-ns
   514      # from the distribution package. This is also the location used when using
   515      # the core/base snap on all-snap systems. The variants here represent
   516      # various locations of libexecdir across distributions.
   517      /usr/lib{,exec,64}/snapd/snap-update-ns r,
   518  
   519      # ...snap-confine is not, conceptually, re-executing and uses
   520      # snap-update-ns from the distribution package but we are already inside
   521      # the constructed mount namespace so we must traverse "hostfs". The
   522      # variants here represent various locations of libexecdir across
   523      # distributions.
   524      /var/lib/snapd/hostfs/usr/lib{,exec,64}/snapd/snap-update-ns r,
   525  
   526      # ...snap-confine is, conceptually, re-executing and uses snap-update-ns
   527      # from the core or snapd snaps. Note that the location of the actual snap
   528      # varies from distribution to distribution. The variants here represent
   529      # different locations of snap mount directory across distributions.
   530      /{,var/lib/snapd/}snap/{core,snapd}/*/usr/lib/snapd/snap-update-ns r,
   531  
   532      # ...snap-confine is, conceptually, re-executing and uses snap-update-ns
   533      # from the core snap or snapd snap, but we are already inside the
   534      # constructed mount namespace. Here the apparmor kernel module
   535      # re-constructs the path to snap-update-ns using the "hostfs" mount entry
   536      # rather than the more "natural" /snap mount entry but we have no control
   537      # over that.  This is reported as (LP: #1716339). The variants here
   538      # represent different locations of snap mount directory across
   539      # distributions.
   540      /var/lib/snapd/hostfs/{,var/lib/snapd/}snap/{core,snapd}/*/usr/lib/snapd/snap-update-ns r,
   541  
   542      # Allow executing snap-discard-ns, just like the set for snap-update-ns
   543      # above but with the key difference that snap-discard-ns does not
   544      # have a dedicated profile so we need to inherit snap-confine's profile.
   545  
   546      /usr/lib{,exec,64}/snapd/snap-discard-ns rix,
   547      /var/lib/snapd/hostfs/usr/lib{,exec,64}/snapd/snap-discard-ns rix,
   548      /{,var/lib/snapd/}snap/{core,snapd}/*/usr/lib/snapd/snap-discard-ns rix,
   549      /var/lib/snapd/hostfs/{,var/lib/snapd/}snap/{core,snapd}/*/usr/lib/snapd/snap-discard-ns rix,
   550  
   551      # Allow mounting /var/lib/jenkins from the host into the snap.
   552      mount options=(rw rbind) /var/lib/jenkins/ -> /tmp/snap.rootfs_*/var/lib/jenkins/,
   553      mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/lib/jenkins/,
   554  
   555      # Suppress noisy file_inherit denials (LP: #1850552) until LP: #1849753 is
   556      # fixed.
   557      deny /dev/shm/.org.chromium.Chromium.* rw,
   558  
   559      # While snap-confine itself doesn't require unix rules and therefore all
   560      # unix rules are implicitly denied, adding an explicit deny for unix to
   561      # silence noisy denials breaks nested lxd. Until the cause is determined,
   562      # do not use an explicit deny for unix. (LP: #1855355)
   563      #deny unix,
   564  
   565      # Explicitly deny these accesses which show up on Arch to silence the
   566      # denials for this unneeded access.
   567      deny /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnss_files-[0-9]*.so* mr,
   568      deny /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnss_mymachines.[0-9]*.so* mr,
   569      deny /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnss_systemd.[0-9]*.so* mr,
   570      deny /etc/nsswitch.conf r,
   571      deny /etc/passwd r,
   572  }