github.com/kubiko/snapd@v0.0.0-20201013125620-d4f3094d9ddf/interfaces/apparmor/template.go (about) 1 // -*- Mode: Go; indent-tabs-mode: t -*- 2 3 /* 4 * Copyright (C) 2016-2020 Canonical Ltd 5 * 6 * This program is free software: you can redistribute it and/or modify 7 * it under the terms of the GNU General Public License version 3 as 8 * published by the Free Software Foundation. 9 * 10 * This program is distributed in the hope that it will be useful, 11 * but WITHOUT ANY WARRANTY; without even the implied warranty of 12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 * GNU General Public License for more details. 14 * 15 * You should have received a copy of the GNU General Public License 16 * along with this program. If not, see <http://www.gnu.org/licenses/>. 17 * 18 */ 19 20 package apparmor 21 22 // Rules for app snaps are comprised of: 23 // 24 // - preamble and rules common regardless of base runtime 25 // - base-specific runtime rules 26 // - snippet rules from interfaces, etc, regardless of base runtime 27 // 28 // As part of the mount namespace setup, some directories from the host will be 29 // bind mounted onto the base snap (these are defined by snap-confine). 
// The locations of the target mounts that the snap sees at runtime are (for
// clarity, not all subdirectories are listed (eg, /var/lib/snapd/hostfs is not
// listed since /var/lib/snapd is)):
//
// - /dev
// - /etc
// - /home
// - /lib/modules and /usr/lib/modules
// - /lib/firmware and /usr/lib/firmware
// - /mnt, /media and /run/media
// - /proc
// - /root
// - /run
// - /snap and /var/snap
// - /sys
// - /usr/lib/snapd
// - /usr/src
// - /var/lib/dhcp
// - /var/lib/extrausers
// - /var/lib/jenkins
// - /var/lib/snapd
// - /var/log
// - /var/tmp
//
// For files coming from the host in this manner, accesses should be common to
// all bases, either via the template or interface rules (eg, given the same
// connected interfaces, access to devices in /dev should generally be the
// same, regardless of whether the snap specifies 'base: core18' or
// 'base: other').
//
// The preamble and default accesses common to all bases go in templateCommon.
// These rules include the aforementioned host file rules as well as non-file
// rules (eg signal, dbus, unix, etc).
//
// Review notes (security):
//
//   - ###VAR### and ###PROFILEATTACH### (and ###SNIPPETS### in templateFooter)
//     are placeholders; the code that substitutes them is not in this file.
//     Everything between the backticks is AppArmor policy text, so any edit
//     to it, including to a single glob character, is a policy change and
//     must be reviewed as one.
//   - Rules on /proc/<pid>/* that reveal per-process data are qualified with
//     'owner' (maps, auxv, cmdline, comm, fd/*, cgroup, limits, loginuid,
//     oom_*adj); the unqualified ones (stat, status, statm, smaps, io,
//     net/dev) are each justified in-line. Default to 'owner' for any new
//     /proc/<pid> rule.
//   - The "dangerous accesses" block deliberately leaves its 'audit deny'
//     lines commented out: an explicit deny here would also override an
//     allow that a trusted interface snippet adds. ptraceTraceDenySnippet
//     (later in this file) is the conditional form of the ptrace deny.
//   - Write access is limited to snap-scoped locations (the revision and
//     common dirs under /var/snap and $HOME/snap/<instance>, the private /tmp,
//     /dev/shm/snap.<instance>.*, /run/snap.<instance>,
//     /run/lock/snap.<instance>, /run/user/<uid>/snap.<instance>) plus a few
//     named sockets/devices (journald, uuidd, snapd's socket, systemd userdb,
//     /dev/ptmx, /dev/{,u}random). Host paths are otherwise read-only here.
//   - NOTE(review): the two install-directory rules that carry
//     @{SNAP_REVISION} spell the alternation as
//     {@{SNAP_NAME},@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}}/ while the
//     directory rule just above them and every /var/snap rule use
//     {@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/.... As written, the '** mrklix'
//     form grants @{INSTALL_DIR}/@{SNAP_NAME}/** for every revision, which
//     also makes the narrower 'other revisions' mrkix rule redundant for that
//     path. If the intent is {name,instance}/@{SNAP_REVISION}/, the closing
//     brace is misplaced; confirm against upstream before changing the text.
//   - Minor: '@{PROC}/sys/kernel/pid_max r,' and '/etc/udev/udev.conf r,'
//     each appear twice; harmless, but worth collapsing on the next edit.
var templateCommon = `
# vim:syntax=apparmor

#include <tunables/global>

# snapd supports the concept of 'parallel installs' where snaps with the same
# name are differentiated by '_<instance>' such that foo, foo_bar and foo_baz
# may all be installed on the system. To support this, SNAP_NAME is set to the
# name (eg, 'foo') while SNAP_INSTANCE_NAME is set to the instance name (eg
# 'foo_bar'). The profile name and most rules therefore reference
# SNAP_INSTANCE_NAME. In some cases, snapd will adjust the snap's runtime
# environment so the snap doesn't have to be aware of the distinction (eg,
# SNAP, SNAP_DATA and SNAP_COMMON are all bind mounted onto a directory with
# SNAP_NAME so the security policy will allow writing to both locations (since
# they are equivalent).

###VAR###

###PROFILEATTACH### (attach_disconnected,mediate_deleted) {
  #include <abstractions/base>
  #include <abstractions/consoles>
  #include <abstractions/openssl>

  # While in later versions of the base abstraction, include this explicitly
  # for series 16 and cross-distro
  /etc/ld.so.preload r,

  # The base abstraction doesn't yet have this
  /etc/sysconfig/clock r,
  owner @{PROC}/@{pid}/maps k,
  # While the base abstraction has rules for encryptfs encrypted home and
  # private directories, it is missing rules for directory read on the toplevel
  # directory of the mount (LP: #1848919)
  owner @{HOME}/.Private/ r,
  owner @{HOMEDIRS}/.ecryptfs/*/.Private/ r,

  # for python apps/services
  #include <abstractions/python>
  /etc/python3.[0-9]/** r,

  # explicitly deny noisy denials to read-only filesystems (see LP: #1496895
  # for details)
  deny /usr/lib/python3*/{,**/}__pycache__/ w,
  deny /usr/lib/python3*/{,**/}__pycache__/**.pyc.[0-9]* w,
  # bind mount used here (see 'parallel installs', above)
  deny @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/**/__pycache__/ w,
  deny @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/**/__pycache__/*.pyc.[0-9]* w,

  # for perl apps/services
  #include <abstractions/perl>
  # Missing from perl abstraction
  /usr/lib/@{multiarch}/perl{,5,-base}/auto/**.so* mr,

  # Note: the following dangerous accesses should not be allowed in most
  # policy, but we cannot explicitly deny since other trusted interfaces might
  # add them.
  # Explicitly deny ptrace for now since it can be abused to break out of the
  # seccomp sandbox. https://lkml.org/lkml/2015/3/18/823
  #audit deny ptrace (trace),

  # Explicitly deny capability mknod so apps can't create devices
  #audit deny capability mknod,

  # Explicitly deny mount, remount and umount so apps can't modify things in
  # their namespace
  #audit deny mount,
  #audit deny remount,
  #audit deny umount,

  # End dangerous accesses

  # Note: this potentially allows snaps to DoS other snaps via resource
  # exhaustion but we can't sensibly mediate this today. In the future we may
  # employ cgroup limits, AppArmor rlimit mlock rules or something else.
  capability ipc_lock,

  # for bash 'binaries' (do *not* use abstractions/bash)
  # user-specific bash files
  /etc/bash.bashrc r,
  /etc/inputrc r,
  /etc/environment r,
  /etc/profile r,

  # user/group/seat lookups
  /etc/{passwd,group,nsswitch.conf} r, # very common
  /var/lib/extrausers/{passwd,group} r,
  /run/systemd/users/[0-9]* r,
  /etc/default/nss r,

  # libnss-systemd (subset from nameservice abstraction)
  #
  # https://systemd.io/USER_GROUP_API/
  # https://systemd.io/USER_RECORD/
  # https://www.freedesktop.org/software/systemd/man/nss-systemd.html
  #
  # Allow User/Group lookups via common VarLink socket APIs. Applications need
  # to either consult all of them or the io.systemd.Multiplexer frontend.
  /run/systemd/userdb/ r,
  /run/systemd/userdb/io.systemd.Multiplexer rw,
  /run/systemd/userdb/io.systemd.DynamicUser rw, # systemd-exec users
  /run/systemd/userdb/io.systemd.Home rw, # systemd-home dirs
  /run/systemd/userdb/io.systemd.NameServiceSwitch rw, # UNIX/glibc NSS

  /etc/libnl-3/{classid,pktloc} r, # apps that use libnl

  # For snappy reexec on 4.8+ kernels
  /usr/lib/snapd/snap-exec m,

  # For gdb support
  /usr/lib/snapd/snap-gdb-shim ixr,
  /usr/lib/snapd/snap-gdbserver-shim ixr,

  # For in-snap tab completion
  /etc/bash_completion.d/{,*} r,
  /usr/lib/snapd/etelpmoc.sh ixr, # marshaller (see complete.sh for out-of-snap unmarshal)
  /usr/share/bash-completion/bash_completion r, # user-provided completions (run in-snap) may use functions from here

  # uptime
  @{PROC}/uptime r,
  @{PROC}/loadavg r,

  # Allow reading /etc/os-release. On Ubuntu 16.04+ it is a symlink to /usr/lib
  # which is allowed by the base abstraction, but on 14.04 it is an actual file
  # so need to add it here. Also allow read locks on the file.
  /etc/os-release rk,
  /usr/lib/os-release k,

  # systemd native journal API (see sd_journal_print(4)). This should be in
  # AppArmor's base abstraction, but until it is, include here.
  /run/systemd/journal/socket w,
  /run/systemd/journal/stdout rw, # 'r' shouldn't be needed, but journald
                                  # doesn't leak anything so allow

  # snapctl and its requirements
  /usr/bin/snapctl ixr,
  /usr/lib/snapd/snapctl ixr,
  @{PROC}/sys/net/core/somaxconn r,
  /run/snapd-snap.socket rw,

  # Note: for now, don't explicitly deny this noisy denial so --devmode isn't
  # broken but eventually we may conditionally deny this since it is an
  # information leak.
  #deny /{,var/}run/utmp r,

  # java
  @{PROC}/@{pid}/ r,
  @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/auxv r,
  @{PROC}/sys/vm/zone_reclaim_mode r,
  /etc/lsb-release r,
  /sys/devices/**/read_ahead_kb r,
  /sys/devices/system/cpu/** r,
  /sys/devices/system/node/node[0-9]*/* r,
  /sys/kernel/mm/transparent_hugepage/enabled r,
  /sys/kernel/mm/transparent_hugepage/defrag r,
  # NOTE: this leaks running process but java seems to want it (even though it
  # seems to operate ok without it) and SDL apps crash without it. Allow owner
  # match until AppArmor kernel var is available to solve this properly (see
  # LP: #1546825 for details). comm is a subset of cmdline, so allow it too.
  owner @{PROC}/@{pid}/cmdline r,
  owner @{PROC}/@{pid}/comm r,

  # Per man(5) proc, the kernel enforces that a thread may only modify its comm
  # value or those in its thread group.
  owner @{PROC}/@{pid}/task/@{tid}/comm rw,

  # Allow reading and writing to our file descriptors in /proc which, for
  # example, allow access to /dev/std{in,out,err} which are all symlinks to
  # /proc/self/fd/{0,1,2} respectively. To support the open(..., O_TMPFILE)
  # linkat() temporary file technique, allow all fds. Importantly, access to
  # another task's fd via this proc interface is mediated via 'ptrace (read)'
  # (readonly) and 'ptrace (trace)' (read/write) which is denied by default, so
  # this rule by itself doesn't allow opening another snap's fds via proc.
  owner @{PROC}/@{pid}/{,task/@{tid}}fd/[0-9]* rw,

  # Miscellaneous accesses
  /dev/{,u}random w,
  /etc/machine-id r,
  /etc/mime.types r,
  @{PROC}/ r,
  @{PROC}/version r,
  @{PROC}/version_signature r,
  /etc/{,writable/}hostname r,
  /etc/{,writable/}localtime r,
  /etc/{,writable/}mailname r,
  /etc/{,writable/}timezone r,
  owner @{PROC}/@{pid}/cgroup rk,
  @{PROC}/@{pid}/io r,
  owner @{PROC}/@{pid}/limits r,
  owner @{PROC}/@{pid}/loginuid r,
  @{PROC}/@{pid}/smaps r,
  @{PROC}/@{pid}/stat r,
  @{PROC}/@{pid}/statm r,
  @{PROC}/@{pid}/status r,
  @{PROC}/@{pid}/task/ r,
  @{PROC}/@{pid}/task/[0-9]*/smaps r,
  @{PROC}/@{pid}/task/[0-9]*/stat r,
  @{PROC}/@{pid}/task/[0-9]*/statm r,
  @{PROC}/@{pid}/task/[0-9]*/status r,
  @{PROC}/sys/fs/pipe-max-size r,
  @{PROC}/sys/kernel/hostname r,
  @{PROC}/sys/kernel/osrelease r,
  @{PROC}/sys/kernel/ostype r,
  @{PROC}/sys/kernel/pid_max r,
  @{PROC}/sys/kernel/yama/ptrace_scope r,
  @{PROC}/sys/kernel/shmmax r,
  @{PROC}/sys/fs/file-max r,
  @{PROC}/sys/fs/file-nr r,
  @{PROC}/sys/fs/inotify/max_* r,
  @{PROC}/sys/kernel/pid_max r,
  @{PROC}/sys/kernel/random/boot_id r,
  @{PROC}/sys/kernel/random/uuid r,
  # Allow access to the uuidd daemon (this daemon is a thin wrapper around
  # time and getrandom()/{,u}random and, when available, runs under an
  # unprivilged, dedicated user).
  /run/uuidd/request rw,
  /sys/devices/virtual/tty/{console,tty*}/active r,
  /sys/fs/cgroup/memory/{,user.slice/}memory.limit_in_bytes r,
  /sys/fs/cgroup/memory/{,**/}snap.@{SNAP_INSTANCE_NAME}{,.*}/memory.limit_in_bytes r,
  /sys/fs/cgroup/cpu,cpuacct/{,user.slice/}cpu.cfs_{period,quota}_us r,
  /sys/fs/cgroup/cpu,cpuacct/{,**/}snap.@{SNAP_INSTANCE_NAME}{,.*}/cpu.cfs_{period,quota}_us r,
  /sys/fs/cgroup/cpu,cpuacct/{,user.slice/}cpu.shares r,
  /sys/fs/cgroup/cpu,cpuacct/{,**/}snap.@{SNAP_INSTANCE_NAME}{,.*}/cpu.shares r,
  /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
  /sys/module/apparmor/parameters/enabled r,
  /{,usr/}lib/ r,

  # Reads of oom_adj and oom_score_adj are safe
  owner @{PROC}/@{pid}/oom_{,score_}adj r,

  # Note: for now, don't explicitly deny write access so --devmode isn't broken
  # but eventually we may conditionally deny this since it allows the process
  # to increase the oom heuristic of other processes (make them more likely to
  # be killed). Once AppArmor kernel var is available to solve this properly,
  # this can safely be allowed since non-root processes won't be able to
  # decrease the value and root processes will only be able to with
  # 'capability sys_resource,' which we deny be default.
  # deny owner @{PROC}/@{pid}/oom_{,score_}adj w,

  # Eases hardware assignment (doesn't give anything away)
  /etc/udev/udev.conf r,
  /sys/ r,
  /sys/bus/ r,
  /sys/class/ r,

  # this leaks interface names and stats, but not in a way that is traceable
  # to the user/device
  @{PROC}/net/dev r,
  @{PROC}/@{pid}/net/dev r,

  # Read-only of this snap
  /var/lib/snapd/snaps/@{SNAP_NAME}_*.snap r,

  # Read-only for the install directory
  # bind mount used here (see 'parallel installs', above)
  @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/ r,
  @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}}/ r,
  @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}}/** mrklix,

  # Read-only install directory for other revisions to help with bugs like
  # LP: #1616650 and LP: #1655992
  @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/** mrkix,

  # Read-only home area for other versions
  # bind mount *not* used here (see 'parallel installs', above)
  owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/ r,
  owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/** mrkix,

  # Writable home area for this version.
  # bind mount *not* used here (see 'parallel installs', above)
  owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}/** wl,
  owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/common/** wl,

  # Read-only system area for other versions
  # bind mount used here (see 'parallel installs', above)
  /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/ r,
  /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/** mrkix,

  # Writable system area only for this version
  # bind mount used here (see 'parallel installs', above)
  /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/@{SNAP_REVISION}/** wl,
  /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/common/** wl,

  # The ubuntu-core-launcher creates an app-specific private restricted /tmp
  # and will fail to launch the app if something goes wrong. As such, we can
  # simply allow full access to /tmp.
  /tmp/ r,
  /tmp/** mrwlkix,

  # App-specific access to files and directories in /dev/shm. We allow file
  # access in /dev/shm for shm_open() and files in subdirectories for open()
  # bind mount *not* used here (see 'parallel installs', above)
  /{dev,run}/shm/snap.@{SNAP_INSTANCE_NAME}.** mrwlkix,
  # Also allow app-specific access for sem_open()
  /{dev,run}/shm/sem.snap.@{SNAP_INSTANCE_NAME}.* mrwlk,

  # Snap-specific XDG_RUNTIME_DIR that is based on the UID of the user
  # bind mount *not* used here (see 'parallel installs', above)
  owner /run/user/[0-9]*/snap.@{SNAP_INSTANCE_NAME}/ rw,
  owner /run/user/[0-9]*/snap.@{SNAP_INSTANCE_NAME}/** mrwklix,

  # Allow apps from the same package to communicate with each other via an
  # abstract or anonymous socket
  unix (bind, listen) addr="@snap.@{SNAP_INSTANCE_NAME}.**",
  unix peer=(label=snap.@{SNAP_INSTANCE_NAME}.*),

  # Allow apps from the same package to communicate with each other via DBus.
  # Note: this does not grant access to the DBus sockets of well known buses
  # (will still need to use an appropriate interface for that).
  dbus (receive, send) peer=(label=snap.@{SNAP_INSTANCE_NAME}.*),
  # In addition to the above, dbus-run-session attempts reading these files
  # from the snap base runtime.
  /usr/share/dbus-1/services/{,*} r,
  /usr/share/dbus-1/system-services/{,*} r,
  # Allow apps to perform DBus introspection on org.freedesktop.DBus for both
  # the system and session buses.
  # Note: this does not grant access to the DBus sockets of these buses, but
  # we grant it here since it is missing from the dbus abstractions
  # (LP: #1866168)
  dbus (send)
      bus={session,system}
      path=/org/freedesktop/DBus
      interface=org.freedesktop.DBus.Introspectable
      member=Introspect
      peer=(label=unconfined),

  # Allow apps from the same package to signal each other via signals
  signal peer=snap.@{SNAP_INSTANCE_NAME}.*,

  # Allow receiving signals from all snaps (and focus on mediating sending of
  # signals)
  signal (receive) peer=snap.*,

  # Allow receiving signals from unconfined (eg, systemd)
  signal (receive) peer=unconfined,

  # for 'udevadm trigger --verbose --dry-run --tag-match=snappy-assign'
  /{,s}bin/udevadm ixr,
  /etc/udev/udev.conf r,
  /{,var/}run/udev/tags/snappy-assign/ r,
  @{PROC}/cmdline r,
  /sys/devices/**/uevent r,

  # LP: #1447237: adding '--property-match=SNAPPY_APP=<pkgname>' to the above
  # requires:
  #   /run/udev/data/* r,
  # but that reveals too much about the system and cannot be granted to apps
  # by default at this time.

  # For convenience, allow apps to see what is in /dev even though cgroups
  # will block most access
  /dev/ r,
  /dev/**/ r,

  # Allow setting up pseudoterminal via /dev/pts system. This is safe because
  # the launcher uses a per-app devpts newinstance.
  /dev/ptmx rw,

  # Do the same with /sys/devices and /sys/class to help people using hw-assign
  /sys/devices/ r,
  /sys/devices/**/ r,
  /sys/class/ r,
  /sys/class/**/ r,

  # Allow all snaps to chroot
  capability sys_chroot,

  # Lttng tracing is very noisy and should not be allowed by confined apps. Can
  # safely deny for the normal case (LP: #1260491). If/when an lttng-trace
  # interface is needed, we can rework this.
  deny /{dev,run,var/run}/shm/lttng-ust-* rw,

  # Allow read-access on /home/ for navigating to other parts of the
  # filesystem. While this allows enumerating users, this is already allowed
  # via /etc/passwd and getent.
  @{HOMEDIRS}/ r,

  # Allow read-access to / for navigating to other parts of the filesystem.
  / r,

  # Snap-specific run directory. Bind mount *not* used here
  # (see 'parallel installs', above)
  /run/snap.@{SNAP_INSTANCE_NAME}/ rw,
  /run/snap.@{SNAP_INSTANCE_NAME}/** mrwklix,

  # Snap-specific lock directory and prerequisite navigation permissions.
  /run/lock/ r,
  /run/lock/snap.@{SNAP_INSTANCE_NAME}/ rw,
  /run/lock/snap.@{SNAP_INSTANCE_NAME}/** mrwklix,
`

// templateFooter closes the profile opened by ###PROFILEATTACH### in
// templateCommon. ###SNIPPETS### is the insertion point for interface-provided
// rules, so snippet rules are evaluated inside the profile scope and are added
// to what the template grants (AppArmor allow rules accumulate; only explicit
// deny rules subtract).
var templateFooter = `
###SNIPPETS###
}
`

// defaultCoreRuntimeTemplateRules contains core* runtime-specific rules. In general,
// binaries exposed here declare what the core runtime has historically been
// expected to support.
//
// Review notes (security):
//
//   - Everything here is exec/read access into the read-only core* base. The
//     utilities are granted 'ixr', so a child inherits this profile rather
//     than transitioning to a different one.
//   - NOTE(review): the python library rules use python3.[0-9]/, which
//     matches exactly one minor-version digit (3.0-3.9), while the
//     interpreter rule beside them and the pyconfig.h rule use 3.[0-9]*. A
//     later base shipping python3.10+ would match the interpreter but none of
//     the library rules. Left as-is here; align when a newer base needs it.
//   - The dynamic linker (ld*-*.so) is 'ix' so a snap may invoke it directly;
//     because ix inherits this profile, whatever it then maps and runs is
//     still mediated by these rules.
//   - mknod(1) is executable, but templateCommon grants no 'capability mknod',
//     so device nodes cannot be created unless an interface adds it. ldconfig
//     is exec-only (no write rule for /etc/ld.so.cache appears in this file,
//     which is what keeps it to printing), and chroot(1) pairs with
//     'capability sys_chroot' in templateCommon.
var defaultCoreRuntimeTemplateRules = `
  # Default rules for core base runtimes

  # The base abstraction doesn't yet have this
  /lib/terminfo/** rk,
  /usr/share/terminfo/** k,
  /usr/share/zoneinfo/** k,

  # for python apps/services
  /usr/bin/python{,2,2.[0-9]*,3,3.[0-9]*} ixr,
  # additional accesses needed for newer pythons in later bases
  /usr/lib{,32,64}/python3.[0-9]/**.{pyc,so} mr,
  /usr/lib{,32,64}/python3.[0-9]/**.{egg,py,pth} r,
  /usr/lib{,32,64}/python3.[0-9]/{site,dist}-packages/ r,
  /usr/lib{,32,64}/python3.[0-9]/lib-dynload/*.so mr,
  /usr/include/python3.[0-9]*/pyconfig.h r,

  # for perl apps/services
  /usr/bin/perl{,5*} ixr,
  # AppArmor <2.12 doesn't have rules for perl-base, so add them here
  /usr/lib/@{multiarch}/perl{,5,-base}/** r,
  /usr/lib/@{multiarch}/perl{,5,-base}/[0-9]*/**.so* mr,

  # for bash 'binaries' (do *not* use abstractions/bash)
  # user-specific bash files
  /{,usr/}bin/bash ixr,
  /{,usr/}bin/dash ixr,
  /usr/share/terminfo/** r,

  # Common utilities for shell scripts
  /{,usr/}bin/arch ixr,
  /{,usr/}bin/{,g,m}awk ixr,
  /{,usr/}bin/base32 ixr,
  /{,usr/}bin/base64 ixr,
  /{,usr/}bin/basename ixr,
  /{,usr/}bin/bunzip2 ixr,
  /{,usr/}bin/bzcat ixr,
  /{,usr/}bin/bzdiff ixr,
  /{,usr/}bin/bzgrep ixr,
  /{,usr/}bin/bzip2 ixr,
  /{,usr/}bin/cat ixr,
  /{,usr/}bin/chgrp ixr,
  /{,usr/}bin/chmod ixr,
  /{,usr/}bin/chown ixr,
  /{,usr/}bin/clear ixr,
  /{,usr/}bin/cmp ixr,
  /{,usr/}bin/cp ixr,
  /{,usr/}bin/cpio ixr,
  /{,usr/}bin/cut ixr,
  /{,usr/}bin/date ixr,
  /{,usr/}bin/dbus-daemon ixr,
  /{,usr/}bin/dbus-run-session ixr,
  /{,usr/}bin/dbus-send ixr,
  /{,usr/}bin/dd ixr,
  /{,usr/}bin/diff{,3} ixr,
  /{,usr/}bin/dir ixr,
  /{,usr/}bin/dirname ixr,
  /{,usr/}bin/du ixr,
  /{,usr/}bin/echo ixr,
  /{,usr/}bin/{,e,f,r}grep ixr,
  /{,usr/}bin/env ixr,
  /{,usr/}bin/expr ixr,
  /{,usr/}bin/false ixr,
  /{,usr/}bin/find ixr,
  /{,usr/}bin/flock ixr,
  /{,usr/}bin/fmt ixr,
  /{,usr/}bin/fold ixr,
  /{,usr/}bin/getconf ixr,
  /{,usr/}bin/getent ixr,
  /{,usr/}bin/getopt ixr,
  /{,usr/}bin/groups ixr,
  /{,usr/}bin/gzip ixr,
  /{,usr/}bin/head ixr,
  /{,usr/}bin/hostname ixr,
  /{,usr/}bin/id ixr,
  /{,usr/}bin/igawk ixr,
  /{,usr/}bin/infocmp ixr,
  /{,usr/}bin/kill ixr,
  /{,usr/}bin/ldd ixr,
  /{usr/,}lib{,32,64}/ld{,32,64}-*.so ix,
  /{usr/,}lib/@{multiarch}/ld{,32,64}-*.so ix,
  /{,usr/}bin/less{,file,pipe} ixr,
  /{,usr/}bin/ln ixr,
  /{,usr/}bin/line ixr,
  /{,usr/}bin/link ixr,
  /{,usr/}bin/locale ixr,
  /{,usr/}bin/logger ixr,
  /{,usr/}bin/ls ixr,
  /{,usr/}bin/md5sum ixr,
  /{,usr/}bin/mkdir ixr,
  /{,usr/}bin/mkfifo ixr,
  /{,usr/}bin/mknod ixr,
  /{,usr/}bin/mktemp ixr,
  /{,usr/}bin/more ixr,
  /{,usr/}bin/mv ixr,
  /{,usr/}bin/nice ixr,
  /{,usr/}bin/nohup ixr,
  /{,usr/}bin/od ixr,
  /{,usr/}bin/openssl ixr, # may cause harmless capability block_suspend denial
  /{,usr/}bin/paste ixr,
  /{,usr/}bin/pgrep ixr,
  /{,usr/}bin/printenv ixr,
  /{,usr/}bin/printf ixr,
  /{,usr/}bin/ps ixr,
  /{,usr/}bin/pwd ixr,
  /{,usr/}bin/readlink ixr,
  /{,usr/}bin/realpath ixr,
  /{,usr/}bin/rev ixr,
  /{,usr/}bin/rm ixr,
  /{,usr/}bin/rmdir ixr,
  /{,usr/}bin/run-parts ixr,
  /{,usr/}bin/sed ixr,
  /{,usr/}bin/seq ixr,
  /{,usr/}bin/sha{1,224,256,384,512}sum ixr,
  /{,usr/}bin/shuf ixr,
  /{,usr/}bin/sleep ixr,
  /{,usr/}bin/sort ixr,
  /{,usr/}bin/stat ixr,
  /{,usr/}bin/stdbuf ixr,
  /{,usr/}bin/stty ixr,
  /{,usr/}bin/sync ixr,
  /{,usr/}bin/systemd-cat ixr,
  /{,usr/}bin/tac ixr,
  /{,usr/}bin/tail ixr,
  /{,usr/}bin/tar ixr,
  /{,usr/}bin/tee ixr,
  /{,usr/}bin/test ixr,
  /{,usr/}bin/tempfile ixr,
  /{,usr/}bin/tset ixr,
  /{,usr/}bin/touch ixr,
  /{,usr/}bin/tput ixr,
  /{,usr/}bin/tr ixr,
  /{,usr/}bin/true ixr,
  /{,usr/}bin/tty ixr,
  /{,usr/}bin/uname ixr,
  /{,usr/}bin/uniq ixr,
  /{,usr/}bin/unlink ixr,
  /{,usr/}bin/unxz ixr,
  /{,usr/}bin/unzip ixr,
  /{,usr/}bin/uptime ixr,
  /{,usr/}bin/vdir ixr,
  /{,usr/}bin/wc ixr,
  /{,usr/}bin/which ixr,
  /{,usr/}bin/xargs ixr,
  /{,usr/}bin/xz ixr,
  /{,usr/}bin/yes ixr,
  /{,usr/}bin/zcat ixr,
  /{,usr/}bin/z{,e,f}grep ixr,
  /{,usr/}bin/zip ixr,
  /{,usr/}bin/zipgrep ixr,

  # lsb-release
  /usr/bin/lsb_release ixr,
  /usr/bin/ r,
  /usr/share/distro-info/*.csv r,

  # For printing the cache (we don't allow updating the cache)
  /{,usr/}sbin/ldconfig{,.real} ixr,

  # Allow all snaps to chroot
  /{,usr/}sbin/chroot ixr,
`

// defaultCoreRuntimeTemplate contains the default apparmor template for core* bases. It
// can be overridden for testing using MockTemplate(). The three parts are
// concatenated as plain text: templateCommon opens the profile, the rules
// above are appended inside it, and templateFooter adds ###SNIPPETS### and the
// closing brace.
var defaultCoreRuntimeTemplate = templateCommon + defaultCoreRuntimeTemplateRules + templateFooter

// defaultOtherBaseTemplateRules for non-core* bases. When a snap specifies an
// alternative base to core*, it is allowed read-only access to all files
// within the base, but all other accesses (eg, host file rules, signal, dbus,
// unix, etc rules) should be the same as the default template.
//
// For clarity and ease of maintenance, we will whitelist top-level directories
// here instead of using glob rules (we can add more if specific bases
// dictate).
//
// Review notes (security):
//
// AppArmor's AARE has no negation operator, so "everything under X except the
// subdirectories snap-confine bind mounts from the host" is spelled out below
// by enumerating, character by character, every prefix that is NOT one of the
// excluded names (eg /lib/[^fm]**, /lib/{f[^i],m[^o]}**, ...). Consequences
// for maintainers:
//
//   - These lists must be kept in lockstep with the bind mounts snap-confine
//     performs (see the header comment of this file). Adding a host bind mount
//     under /lib, /usr, /usr/lib, /var or /var/lib without extending the
//     corresponding exclusion here would silently grant non-core-base snaps
//     mrklix over the host-provided directory, which is exactly what the
//     enumeration exists to prevent. Top-level host mounts (/dev, /etc, /home,
//     /proc, /root, /run, /sys, /snap, ...) are kept out simply by not being
//     whitelisted at all.
//   - Each excluded name also gets a <name>[^/]** rule so that siblings that
//     merely share the prefix (eg /lib64, /usr/libexec, /usr/lib/snapd-foo)
//     stay allowed.
//   - Access to the excluded directories themselves comes from templateCommon
//     (and interface snippets), so it is identical to what core* bases get.
var defaultOtherBaseTemplateRules = `
  # Default rules for non-core base runtimes

  # /bin and /sbin (/usr/{,local/}{s,bin} handled in /usr)
  /{,s}bin/ r,
  /{,s}bin/** mrklix,

  # /lib - the mount setup may bind mount to:
  #
  # - /lib/firmware
  # - /lib/modules
  #
  # Everything but /lib/firmware and /lib/modules
  /lib/ r,
  /lib/[^fm]** mrklix,
  /lib/{f[^i],m[^o]}** mrklix,
  /lib/{fi[^r],mo[^d]}** mrklix,
  /lib/{fir[^m],mod[^u]}** mrklix,
  /lib/{firm[^w],modu[^l]}** mrklix,
  /lib/{firmw[^a],modul[^e]}** mrklix,
  /lib/{firmwa[^r],module[^s]}** mrklix,
  /lib/modules[^/]** mrklix,
  /lib/firmwar[^e]** mrklix,
  /lib/firmware[^/]** mrklix,

  # /lib64, etc
  /lib[^/]** mrklix,

  # /opt
  /opt/ r,
  /opt/** mrklix,

  # /usr - the mount setup may bind mount to:
  #
  # - /usr/lib/modules
  # - /usr/lib/firmware
  # - /usr/lib/snapd
  # - /usr/src
  #
  # Everything but /usr/lib and /usr/src, which are handled elsewhere.
  /usr/ r,
  /usr/[^ls]** mrklix,
  /usr/{l[^i],s[^r]}** mrklix,
  /usr/{li[^b],sr[^c]}** mrklix,
  /usr/{lib,src}[^/]** mrklix,
  # Everything in /usr/lib except /usr/lib/firmware, /usr/lib/modules and
  # /usr/lib/snapd, which are handled elsewhere.
  /usr/lib/ r,
  /usr/lib/[^fms]** mrklix,
  /usr/lib/{f[^i],m[^o],s[^n]}** mrklix,
  /usr/lib/{fi[^r],mo[^d],sn[^a]}** mrklix,
  /usr/lib/{fir[^m],mod[^u],sna[^p]}** mrklix,
  /usr/lib/{firm[^w],modu[^l],snap[^d]}** mrklix,
  /usr/lib/snapd[^/]** mrklix,
  /usr/lib/{firmw[^a],modul[^e]}** mrklix,
  /usr/lib/{firmwa[^r],module[^s]}** mrklix,
  /usr/lib/modules[^/]** mrklix,
  /usr/lib/firmwar[^e]** mrklix,
  /usr/lib/firmware[^/]** mrklix,

  # /var - the mount setup may bind mount in:
  #
  # - /var/lib/dhcp
  # - /var/lib/extrausers
  # - /var/lib/jenkins
  # - /var/lib/snapd
  # - /var/log
  # - /var/snap
  # - /var/tmp
  #
  # Everything but /var/lib, /var/log, /var/snap and /var/tmp, which are
  # handled elsewhere.
  /var/ r,
  /var/[^lst]** mrklix,
  /var/{l[^io],s[^n],t[^m]}** mrklix,
  /var/{li[^b],lo[^g],sn[^a],tm[^p]}** mrklix,
  /var/{lib,log,tmp}[^/]** mrklix,
  /var/sna[^p]** mrklix,
  /var/snap[^/]** mrklix,
  # Everything in /var/lib except /var/lib/dhcp, /var/lib/extrausers,
  # /var/lib/jenkins and /var/lib/snapd which are handled elsewhere.
  /var/lib/ r,
  /var/lib/[^dejs]** mrklix,
  /var/lib/{d[^h],e[^x],j[^e],s[^n]}** mrklix,
  /var/lib/{dh[^c],ex[^t],je[^n],sn[^a]}** mrklix,
  /var/lib/{dhc[^p],ext[^r],jen[^k],sna[^p]}** mrklix,
  /var/lib/dhcp[^/]** mrklix,
  /var/lib/{extr[^a],jenk[^i],snap[^d]}** mrklix,
  /var/lib/snapd[^/]** mrklix,
  /var/lib/{extra[^u],jenki[^n]}** mrklix,
  /var/lib/{extrau[^s],jenkin[^s]}** mrklix,
  /var/lib/jenkins[^/]** mrklix,
  /var/lib/extraus[^e]** mrklix,
  /var/lib/extrause[^r]** mrklix,
  /var/lib/extrauser[^s]** mrklix,
  /var/lib/extrausers[^/]** mrklix,
`

// defaultOtherBaseTemplate contains the default apparmor template for non-core
// bases. Like defaultCoreRuntimeTemplate it is a plain concatenation:
// templateCommon opens the profile, the whitelist above is appended inside it,
// and templateFooter adds ###SNIPPETS### and the closing brace.
var defaultOtherBaseTemplate = templateCommon + defaultOtherBaseTemplateRules + templateFooter

// privDropAndChownRules is the template for privilege drop and chown
// operations. The specific setuid, setgid and chown operations are controlled
// via seccomp.
//
// To expand on the policy comment below: "this is not a problem in practice":
// access to sockets is mediated by file and unix AppArmor rules. When the
// access is allowed, the snap is expected to be able to use the socket. Some
// service listeners will employ additional checks, such as 'is the connecting
// (snap) process root' or 'is the connecting non-root (snap) process in a
// particular group', etc. Since snapd daemons start as root and because the
// service listeners typically let the root process do anything, the snap
// doesn't gain anything from being able to forge a uid since it has full
// access to the socket API already. A snap could forge a check to bypass the
// theoretical case of the service listener wanting to limit root to something
// less than another user, but in practice service listeners won't do this
// because it is ineffective against unconfined root processes which can
// manipulate the service listener in other ways to subvert a check like this.
//
// For CAP_KILL, AppArmor mediates signals and the default policy allows
// sending signals only to processes with a security label that matches the
// snap, but AppArmor does not currently mediate the uid/gid of the
// sender/receiver to finely mediate what non-root uid/gids a root process may
// send to, so we have always required the process-control interface for snaps
// to send signals to other users (even within the same snap). We want to
// maintain this with our privilege dropping rules, so we omit 'capability
// kill' since snaps can work within the system without 'capability kill':
// - root parent can drop, spawn a child and later (dropped) parent can send a
//   signal
// - root parent can spawn a child that drops, then later temporarily drop
//   (ie, seteuid/setegid), send the signal, then reraise
//
// NOTE(review): the three capabilities below are granted unconditionally
// within the profile; per the comments above, which uids/gids may actually be
// targeted is left to the seccomp filter, which is not in this file. Changes
// here and to the seccomp setuid/setgid/chown rules therefore need to be made
// together, and the commented-out dac_override/dac_read_search/kill lines are
// a deliberate record of what must stay omitted.
var privDropAndChownRules = `
  # allow setuid, setgid and chown for privilege dropping (mediation is done
  # via seccomp). Note: CAP_SETUID allows (and CAP_SETGID is the same, but
  # for gid operations):
  # - forging of UIDs when passing passing socket credentials via UNIX domain
  #   sockets and we don't currently mediate socket credentials, between
  #   mediating socket access in general and the execve() boundary that drops
  #   the capability for non-root commands, this is not a problem in practice.
  # - accessing the persistent keyring via keyctl, but keyctl is mediated via
  #   seccomp.
  # - writing a user ID mapping in a user namespace, but we mediate access to
  #   /proc/*/uid_map with AppArmor
  #
  # CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH are intentionally omitted from the
  # policy since we want traditional DAC to be enforced for root. It is
  # expected that a program that is dropping privileges, etc will create/modify
  # files in a way that doesn't require these capabilities.
  capability setuid,
  capability setgid,
  capability chown,
  #capability dac_override,
  #capability dac_read_search,

  # Similarly, CAP_KILL is intentionally omitted since we want traditional
  # DAC to be enforced for root. It is expected that a program that is spawning
  # processes that ultimately run as non-root will send signals to those
  # processes as the matching non-root user.
  #capability kill,
`

// classicTemplate contains apparmor template used for snaps with classic
// confinement. This template was designed by jdstrand:
// https://github.com/snapcore/snapd/pull/2366#discussion_r90101320
//
// The classic template intentionally provides no confinement and is used
// simply to ensure that processes have the proper command-specific security
// label instead of 'unconfined'.
//
// It can be overridden for testing using MockClassicTemplate().
//
// Review note: '/** pix,' transitions only to a profile that already exists
// for the target (eg snap-confine); everything else inherits this label. The
// bare 'capability,' grants every capability, and the bare dbus, network,
// mount, remount, umount, pivot_root, ptrace, signal and unix rules are
// likewise unrestricted. That is the intended semantics of classic
// confinement; do not use this template as a starting point for strict policy.
var classicTemplate = `
#include <tunables/global>

###VAR###

###PROFILEATTACH### (attach_disconnected,mediate_deleted) {
  # set file rules so that exec() inherits our profile unless there is
  # already a profile for it (eg, snap-confine)
  / rwkl,
  /** rwlkm,
  /** pix,

  capability,
  ###CHANGEPROFILE_RULE###
  dbus,
  network,
  mount,
  remount,
  umount,
  pivot_root,
  ptrace,
  signal,
  unix,

  ###SNIPPETS###
}
`

// classicJailmodeSnippet contains extra rules that allow snaps using classic
// confinement, that were put in to jailmode, to execute by at least having
// access to the core snap (e.g. for the dynamic linker and libc).
//
// NOTE(review): only @{INSTALL_DIR}/core/ is covered here, not core18/core20
// or the snapd snap; presumably jailmode classic snaps are always given the
// core snap for snap-exec and libc. Verify against the caller before relying
// on this snippet for a snap built on another base.
var classicJailmodeSnippet = `
  # Read-only access to the core snap.
  @{INSTALL_DIR}/core/** r,
  # Read only access to the core snap to load libc from.
  # This is related to LP: #1666897
  @{INSTALL_DIR}/core/*/{,usr/}lib/@{multiarch}/{,**/}lib*.so* m,

  # For snappy reexec on 4.8+ kernels
  @{INSTALL_DIR}/core/*/usr/lib/snapd/snap-exec m,
`

// nfsSnippet contains extra permissions necessary for snaps and snap-confine
// to operate when NFS is used. This is an imperfect solution as this grants
// some network access to all the snaps on the system.
// For tracking see https://bugs.launchpad.net/apparmor/+bug/1724903
//
// Review note: the grant is plain 'network inet' / 'network inet6', ie it is
// not scoped to NFS traffic in any way. The code deciding when to emit it is
// not in this file; it must stay conditional on NFS actually being in use.
var nfsSnippet = `
  # snapd autogenerated workaround for systems using NFS, for details see:
  # https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1662552
  network inet,
  network inet6,
`

// overlayRootSnippet contains the extra permissions necessary for snap and
// snap-confine to operate on systems where '/' is a writable overlay fs.
// AppArmor requires directory reads for upperdir (but these aren't otherwise
// visible to the snap). While we filter AppArmor regular expression (AARE)
// characters elsewhere, we double quote the path in case UPPERDIR has spaces.
//
// NOTE(review): the quotes only deal with whitespace; the AARE escaping of
// ###UPPERDIR### is done by the code that substitutes it (not in this file).
// Both are required for a directory name to end up as a literal path rather
// than a glob, so neither may be dropped on its own.
var overlayRootSnippet = `
  # snapd autogenerated workaround for systems using '/' on overlayfs. For
  # details see: https://bugs.launchpad.net/apparmor/+bug/1703674
  "###UPPERDIR###/{,**/}" r,
`

// ptraceTraceDenySnippet explicitly denies 'ptrace (trace)' and
// CAP_SYS_PTRACE. Because an explicit AppArmor deny takes precedence over any
// allow an interface snippet may add, this must only be emitted when no
// connected interface legitimately needs tracing; that is the same reason
// templateCommon keeps its own '#audit deny ptrace (trace),' line commented
// out. The condition under which it is emitted lives outside this file.
var ptraceTraceDenySnippet = `
  # While commands like 'ps', 'ip netns identify <pid>', 'ip netns pids foo', etc
  # trigger a 'ptrace (trace)' denial, they aren't actually tracing other
  # processes. Unfortunately, the kernel overloads trace such that the LSMs are
  # unable to distinguish between tracing other processes and other accesses.
  # ptrace (trace) can be used to break out of the seccomp sandbox unless the
  # kernel has 93e35efb8de45393cf61ed07f7b407629bf698ea (in 4.8+). Until snapd
  # has full ptrace support conditional on kernel support, explicitly deny to
  # silence noisy denials/avoid confusion and accidentally giving away this
  # dangerous access frivolously.
  deny ptrace (trace),
  deny capability sys_ptrace,
`

// updateNSTemplate defines the apparmor profile for per-snap snap-update-ns.
//
// The per-snap snap-update-ns profiles are composed via a template and
// snippets for the snap. The template allows:
// - accesses to libraries, files and /proc entries required to run
// - using global and per-snap lock files
// - reading per-snap mount namespaces and mount profiles
// - managing per-snap freezer state files
// - per-snap mounting/unmounting fonts from the host
// - denying mounts to restricted places (eg, /snap/bin and /media)
var updateNSTemplate = `
# Description: Allows snap-update-ns to construct the mount namespace specific
# to a particular snap (see the name below). This specifically includes the
# precise locations of the layout elements.
901 902 # vim:syntax=apparmor 903 904 #include <tunables/global> 905 906 profile snap-update-ns.###SNAP_INSTANCE_NAME### (attach_disconnected) { 907 # The next four rules mirror those above. We want to be able to read 908 # and map snap-update-ns into memory but it may come from a variety of places. 909 /usr/lib{,exec,64}/snapd/snap-update-ns mr, 910 /var/lib/snapd/hostfs/usr/lib{,exec,64}/snapd/snap-update-ns mr, 911 /{,var/lib/snapd/}snap/{core,snapd}/*/usr/lib/snapd/snap-update-ns mr, 912 /var/lib/snapd/hostfs/{,var/lib/snapd/}snap/core/*/usr/lib/snapd/snap-update-ns mr, 913 914 # Allow reading the dynamic linker cache. 915 /etc/ld.so.cache r, 916 # Allow reading, mapping and executing the dynamic linker. 917 /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}ld-*.so mrix, 918 # Allow reading and mapping various parts of the standard library and 919 # dynamically loaded nss modules and what not. 920 /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libc{,-[0-9]*}.so* mr, 921 /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libpthread{,-[0-9]*}.so* mr, 922 923 # Common devices accesses 924 /dev/null rw, 925 /dev/full rw, 926 /dev/zero rw, 927 /dev/random r, 928 /dev/urandom r, 929 930 # golang runtime variables 931 /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r, 932 933 # Allow reading the command line (snap-update-ns uses it in pre-Go bootstrap code). 934 @{PROC}/@{pid}/cmdline r, 935 936 # Allow reading file descriptor paths 937 @{PROC}/@{pid}/fd/* r, 938 # Allow reading /proc/version. For release.go WSL detection. 939 @{PROC}/version r, 940 941 # Allow reading somaxconn, required in newer distro releases 942 @{PROC}/sys/net/core/somaxconn r, 943 # but silence noisy denial of inet/inet6 944 deny network inet, 945 deny network inet6, 946 947 # Allow reading the os-release file (possibly a symlink to /usr/lib). 948 /{etc/,usr/lib/}os-release r, 949 950 # Allow creating/grabbing global and per-snap lock files. 
951 /run/snapd/lock/###SNAP_INSTANCE_NAME###.lock rwk, 952 /run/snapd/lock/.lock rwk, 953 954 # Allow reading stored mount namespaces, 955 /run/snapd/ns/ r, 956 /run/snapd/ns/###SNAP_INSTANCE_NAME###.mnt r, 957 958 # Allow reading per-snap desired mount profiles. Those are written by 959 # snapd and represent the desired layout and content connections. 960 /var/lib/snapd/mount/snap.###SNAP_INSTANCE_NAME###.fstab r, 961 /var/lib/snapd/mount/snap.###SNAP_INSTANCE_NAME###.user-fstab r, 962 963 # Allow reading and writing actual per-snap mount profiles. Note that 964 # the wildcard in the rule to allow an atomic write + rename strategy. 965 # Those files are written by snap-update-ns and represent the actual 966 # mount profile at a given moment. 967 /run/snapd/ns/snap.###SNAP_INSTANCE_NAME###.fstab{,.*} rw, 968 969 # NOTE: at this stage the /snap directory is stable as we have called 970 # pivot_root already. 971 972 # Needed to perform mount/unmounts. 973 capability sys_admin, 974 # Needed for mimic construction. 975 capability chown, 976 # Needed for dropping to calling user when processing per-user mounts 977 capability setuid, 978 capability setgid, 979 # Allow snap-update-ns to override file ownership and permission checks. 980 # This is required because writable mimics now preserve the permissions 981 # of the original and hence we may be asked to create a directory when the 982 # parent is a tmpfs without DAC write access. 
983 capability dac_override, 984 985 # Allow freezing and thawing the per-snap cgroup freezers 986 /sys/fs/cgroup/freezer/snap.###SNAP_INSTANCE_NAME###/freezer.state rw, 987 988 # Allow the content interface to bind fonts from the host filesystem 989 mount options=(ro bind) /var/lib/snapd/hostfs/usr/share/fonts/ -> /snap/###SNAP_INSTANCE_NAME###/*/**, 990 mount options=(rw private) -> /snap/###SNAP_INSTANCE_NAME###/*/**, 991 umount /snap/###SNAP_INSTANCE_NAME###/*/**, 992 993 # set up user mount namespace 994 mount options=(rslave) -> /, 995 996 # Allow traversing from the root directory and several well-known places. 997 # Specific directory permissions are added by snippets below. 998 / r, 999 /etc/ r, 1000 /snap/ r, 1001 /tmp/ r, 1002 /usr/ r, 1003 /var/ r, 1004 /var/snap/ r, 1005 1006 # Allow reading timezone data. 1007 /usr/share/zoneinfo/** r, 1008 1009 # Don't allow anyone to touch /snap/bin 1010 audit deny mount /snap/bin/** -> /**, 1011 audit deny mount /** -> /snap/bin/**, 1012 1013 # Don't allow bind mounts to /media which has special 1014 # sharing and propagates mount events outside of the snap namespace. 1015 audit deny mount -> /media, 1016 1017 # Allow receiving signals from unconfined (eg, systemd) 1018 signal (receive) peer=unconfined, 1019 # Allow sending and receiving signals from ourselves. 1020 signal peer=@{profile_name}, 1021 1022 # Commonly needed permissions for writable mimics. 1023 /tmp/ r, 1024 /tmp/.snap/{,**} rw, 1025 1026 # snapd logger.go checks /proc/cmdline 1027 @{PROC}/cmdline r, 1028 1029 ###SNIPPETS### 1030 } 1031 `