# Author: Jamie Strandboge <jamie@canonical.com>
#
# AppArmor profile for snap-confine, the privileged launcher that builds a
# per-snap mount namespace under /tmp/snap.rootfs_*, pivot_root()s into it
# and then changes AppArmor profile before handing over to the snap (see the
# change_profile rules below). The profile is a strict allow list: no
# abstractions are included, every path, capability, mount, ptrace and
# signal the launcher needs is spelled out. The @LIBEXECDIR@ and
# @SNAP_MOUNT_DIR@ tokens are substituted at build time.
#include <tunables/global>

@LIBEXECDIR@/snap-confine (attach_disconnected) {
  # Include any additional files that snapd chose to generate.
  # - for $HOME on NFS
  # - for $HOME on encrypted media
  #
  # These are discussed at https://forum.snapcraft.io/t/snapd-vs-upstream-kernel-vs-apparmor
  # and https://forum.snapcraft.io/t/snaps-and-nfs-home/
  #
  # NOTE(review): whatever snapd writes into this file becomes part of this
  # privileged profile, so the code generating it is part of the trust
  # boundary of snap-confine and deserves the same scrutiny as this file.
  #include "/var/lib/snapd/apparmor/snap-confine"

  # We run privileged, so be fanatical about what we include and don't use
  # any abstractions
  /etc/ld.so.cache r,
  /etc/ld.so.preload r,
  /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}ld-*.so mrix,
  # libc, you are funny
  /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libc{,-[0-9]*}.so* mr,
  /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libpthread{,-[0-9]*}.so* mr,
  /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libreadline{,-[0-9]*}.so* mr,
  /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}librt{,-[0-9]*}.so* mr,
  /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libgcc_s.so* mr,
  /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libncursesw{,-[0-9]*}.so* mr,
  /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libresolv{,-[0-9]*}.so* mr,
  /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libselinux.so* mr,
  /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libpcre.so* mr,
  /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libmount.so* mr,
  /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libblkid.so* mr,
  /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libuuid.so* mr,
  # normal libs in order
  /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libapparmor.so* mr,
  /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcgmanager.so* mr,
  /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libdl{,-[0-9]*}.so* mr,
  /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnih.so* mr,
  /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnih-dbus.so* mr,
  /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libdbus-1.so* mr,
  /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libudev.so* mr,
  /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libseccomp.so* mr,
  /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcap.so* mr,
  # Needed to run /usr/bin/sh for snap-device-helper.
  /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libtinfo.so* mr,

  @LIBEXECDIR@/snap-confine mr,

  /dev/null rw,
  /dev/full rw,
  /dev/zero rw,
  /dev/random r,
  /dev/urandom r,
  /dev/pts/[0-9]* rw,
  /dev/tty rw,

  # cgroup: devices
  capability sys_admin,
  capability dac_read_search,
  capability dac_override,
  /sys/fs/cgroup/devices/snap{,py}.*/ w,
  /sys/fs/cgroup/devices/snap{,py}.*/tasks w,
  /sys/fs/cgroup/devices/snap{,py}.*/devices.{allow,deny} w,

  # cgroup: freezer
  # Allow creating per-snap cgroup freezers and adding snap command (task)
  # invocations to the freezer. This allows for reliably enumerating all
  # running tasks for the snap. In addition, allow enumerating processes in
  # the cgroup to determine if it is occupied.
  /sys/fs/cgroup/freezer/ r,
  /sys/fs/cgroup/freezer/snap.*/ w,
  /sys/fs/cgroup/freezer/snap.*/tasks w,
  /sys/fs/cgroup/freezer/snap.*/cgroup.procs r,

  # cgroup: pids
  # allow creating per snap-security-tag hierarchy and adding snap command (task)
  # invocations to the controller.
  /sys/fs/cgroup/pids/ r,
  /sys/fs/cgroup/pids/snap.*/ w,
  /sys/fs/cgroup/pids/snap.*/tasks w,

  # querying udev
  /etc/udev/udev.conf r,
  /sys/**/uevent r,
  /usr/lib/snapd/snap-device-helper ixr, # drop
  /{,usr/}lib/udev/snappy-app-dev ixr, # drop
  /run/udev/** rw,
  /{,usr/}bin/tr ixr,
  /usr/lib/locale/** r,
  /usr/lib/@{multiarch}/gconv/gconv-modules r,
  /usr/lib/@{multiarch}/gconv/gconv-modules.cache r,

  # priv dropping
  capability setuid,
  capability setgid,

  # changing profile
  @{PROC}/[0-9]*/attr/exec w,
  # Reading current profile
  @{PROC}/[0-9]*/attr/current r,
  # Reading available filesystems
  @{PROC}/filesystems r,

  # To find where apparmor is mounted
  @{PROC}/[0-9]*/mounts r,
  # To find if apparmor is enabled
  /sys/module/apparmor/parameters/enabled r,

  # Don't allow changing profile to unconfined or profiles that start with
  # '/'. Use 'unsafe' to support snap-exec on armhf and its reliance on
  # the environment for determining the capabilities of the architecture.
  # 'unsafe' is ok here because the kernel will have already cleared the
  # environment as part of launching snap-confine with
  # CAP_SYS_ADMIN.
  #
  # The rule language has no negation, so "anything but unconfined" is
  # spelled out positively: the first rule admits any target whose first
  # character is neither 'u' nor '/', and each following rule admits targets
  # that match one more character of "unconfined" and then diverge from it.
  # The final rule admits names that extend "unconfined" by at least one
  # character. Together they reject exactly "unconfined" and any target
  # starting with '/'.
  change_profile unsafe /** -> [^u/]**,
  change_profile unsafe /** -> u[^n]**,
  change_profile unsafe /** -> un[^c]**,
  change_profile unsafe /** -> unc[^o]**,
  change_profile unsafe /** -> unco[^n]**,
  change_profile unsafe /** -> uncon[^f]**,
  change_profile unsafe /** -> unconf[^i]**,
  change_profile unsafe /** -> unconfi[^n]**,
  change_profile unsafe /** -> unconfin[^e]**,
  change_profile unsafe /** -> unconfine[^d]**,
  change_profile unsafe /** -> unconfined?**,

  # allow changing to a few not caught above (exact prefixes of "unconfined"
  # that the divergence rules above cannot express)
  change_profile unsafe /** -> {u,un,unc,unco,uncon,unconf,unconfi,unconfin,unconfine},

  # LP: #1446794 - when this bug is fixed, change the above to:
  # deny change_profile unsafe /** -> {unconfined,/**},
  # change_profile unsafe /** -> **,

  # reading seccomp filters
  /{tmp/snap.rootfs_*/,}var/lib/snapd/seccomp/bpf/*.bin r,

  # LP: #1668659
  mount options=(rw rbind) /snap/ -> /snap/,
  mount options=(rw rshared) -> /snap/,

  # bootstrapping the mount namespace
  mount options=(rw rshared) -> /,
  mount options=(rw bind) /tmp/snap.rootfs_*/ -> /tmp/snap.rootfs_*/,
  mount options=(rw unbindable) -> /tmp/snap.rootfs_*/,
  # the next line is for classic system
  mount options=(rw rbind) @SNAP_MOUNT_DIR@/*/*/ -> /tmp/snap.rootfs_*/,
  # the next line is for core system
  mount options=(rw rbind) / -> /tmp/snap.rootfs_*/,
  # all of the constructed rootfs is a rslave
  mount options=(rw rslave) -> /tmp/snap.rootfs_*/,
  # bidirectional mounts (for both classic and core)
  # NOTE: this doesn't capture the MERGED_USR configuration option so that
  # when a distro with merged /usr and / that uses apparmor shows up it
  # should be handled here.
  /{,run/}media/ w,
  mount options=(rw rbind) /{,run/}media/ -> /tmp/snap.rootfs_*/{,run/}media/,
  /run/netns/ w,
  mount options=(rw rbind) /run/netns/ -> /tmp/snap.rootfs_*/run/netns/,
  # unidirectional mounts (only for classic system)
  mount options=(rw rbind) /dev/ -> /tmp/snap.rootfs_*/dev/,
  mount options=(rw rslave) -> /tmp/snap.rootfs_*/dev/,

  mount options=(rw rbind) /etc/ -> /tmp/snap.rootfs_*/etc/,
  mount options=(rw rslave) -> /tmp/snap.rootfs_*/etc/,

  mount options=(rw rbind) /home/ -> /tmp/snap.rootfs_*/home/,
  mount options=(rw rslave) -> /tmp/snap.rootfs_*/home/,

  mount options=(rw rbind) /root/ -> /tmp/snap.rootfs_*/root/,
  mount options=(rw rslave) -> /tmp/snap.rootfs_*/root/,

  mount options=(rw rbind) /proc/ -> /tmp/snap.rootfs_*/proc/,
  mount options=(rw rslave) -> /tmp/snap.rootfs_*/proc/,

  mount options=(rw rbind) /sys/ -> /tmp/snap.rootfs_*/sys/,
  mount options=(rw rslave) -> /tmp/snap.rootfs_*/sys/,

  mount options=(rw rbind) /tmp/ -> /tmp/snap.rootfs_*/tmp/,
  mount options=(rw rslave) -> /tmp/snap.rootfs_*/tmp/,

  mount options=(rw rbind) /var/lib/snapd/ -> /tmp/snap.rootfs_*/var/lib/snapd/,
  mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/lib/snapd/,

  mount options=(rw rbind) /var/snap/ -> /tmp/snap.rootfs_*/var/snap/,
  mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/snap/,

  mount options=(rw rbind) /var/tmp/ -> /tmp/snap.rootfs_*/var/tmp/,
  mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/tmp/,

  mount options=(rw rbind) /run/ -> /tmp/snap.rootfs_*/run/,
  mount options=(rw rslave) -> /tmp/snap.rootfs_*/run/,

  mount options=(rw rbind) /var/lib/extrausers/ -> /tmp/snap.rootfs_*/var/lib/extrausers/,
  mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/lib/extrausers/,

  mount options=(rw rbind) {,/usr}/lib{,32,64,x32}/modules/ -> /tmp/snap.rootfs_*{,/usr}/lib/modules/,
  mount options=(rw rslave) -> /tmp/snap.rootfs_*{,/usr}/lib/modules/,

  mount options=(rw rbind) {,/usr}/lib{,32,64,x32}/firmware/ -> /tmp/snap.rootfs_*{,/usr}/lib/firmware/,
  mount options=(rw rslave) -> /tmp/snap.rootfs_*{,/usr}/lib/firmware/,

  mount options=(rw rbind) /var/log/ -> /tmp/snap.rootfs_*/var/log/,
  mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/log/,

  mount options=(rw rbind) /usr/src/ -> /tmp/snap.rootfs_*/usr/src/,
  mount options=(rw rslave) -> /tmp/snap.rootfs_*/usr/src/,

  mount options=(rw rbind) /mnt/ -> /tmp/snap.rootfs_*/mnt/,
  mount options=(rw rslave) -> /tmp/snap.rootfs_*/mnt/,

  # allow making host snap-exec available inside base snaps
  mount options=(rw bind) @LIBEXECDIR@/ -> /tmp/snap.rootfs_*/usr/lib/snapd/,
  mount options=(rw slave) -> /tmp/snap.rootfs_*/usr/lib/snapd/,

  # allow making re-execed host snap-exec available inside base snaps
  mount options=(ro bind) @SNAP_MOUNT_DIR@/core/*/usr/lib/snapd/ -> /tmp/snap.rootfs_*/usr/lib/snapd/,
  # allow making snapd snap tools available inside base snaps
  mount options=(ro bind) @SNAP_MOUNT_DIR@/snapd/*/usr/lib/snapd/ -> /tmp/snap.rootfs_*/usr/lib/snapd/,

  mount options=(rw bind) /usr/bin/snapctl -> /tmp/snap.rootfs_*/usr/bin/snapctl,
  mount options=(rw slave) -> /tmp/snap.rootfs_*/usr/bin/snapctl,

  # /etc/alternatives (classic)
  mount options=(rw bind) @SNAP_MOUNT_DIR@/*/*/etc/alternatives/ -> /tmp/snap.rootfs_*/etc/alternatives/,
  mount options=(rw bind) @SNAP_MOUNT_DIR@/*/*/etc/ssl/ -> /tmp/snap.rootfs_*/etc/ssl/,
  mount options=(rw bind) @SNAP_MOUNT_DIR@/*/*/etc/nsswitch.conf -> /tmp/snap.rootfs_*/etc/nsswitch.conf,
  # /etc/alternatives (core)
  mount options=(rw bind) /etc/alternatives/ -> /tmp/snap.rootfs_*/etc/alternatives/,
  mount options=(rw slave) -> /tmp/snap.rootfs_*/etc/alternatives/,
  mount options=(rw slave) -> /tmp/snap.rootfs_*/etc/ssl/,
  mount options=(rw slave) -> /tmp/snap.rootfs_*/etc/nsswitch.conf,
  # the /snap directory
  mount options=(rw rbind) @SNAP_MOUNT_DIR@/ -> /tmp/snap.rootfs_*/snap/,
  mount options=(rw rslave) -> /tmp/snap.rootfs_*/snap/,
  # pivot_root preparation and execution
  mount options=(rw bind) /tmp/snap.rootfs_*/var/lib/snapd/hostfs/ -> /tmp/snap.rootfs_*/var/lib/snapd/hostfs/,
  mount options=(rw private) -> /tmp/snap.rootfs_*/var/lib/snapd/hostfs/,
  # pivot_root mediation in AppArmor is not complete. See LP: #1791711
  pivot_root,
  # cleanup
  umount /var/lib/snapd/hostfs/tmp/snap.rootfs_*/,
  umount /var/lib/snapd/hostfs/sys/,
  umount /var/lib/snapd/hostfs/dev/,
  umount /var/lib/snapd/hostfs/proc/,
  mount options=(rw rslave) -> /var/lib/snapd/hostfs/,

  # set up user mount namespace
  mount options=(rslave) -> /,

  # Allow reading the os-release file (possibly a symlink to /usr/lib).
  /{etc/,usr/lib/}os-release r,

  # Allow creating /var/lib/snapd/hostfs, if missing
  /var/lib/snapd/hostfs/ rw,

  # set up snap-specific private /tmp dir
  capability chown,
  /tmp/ rw,
  /tmp/snap.*/ rw,
  /tmp/snap.*/tmp/ rw,
  mount options=(rw private) -> /tmp/,
  mount options=(rw bind) /tmp/snap.*/tmp/ -> /tmp/,
  mount fstype=devpts options=(rw) devpts -> /dev/pts/,
  mount options=(rw bind) /dev/pts/ptmx -> /dev/ptmx, # for bind mounting
  mount options=(rw bind) /dev/pts/ptmx -> /dev/pts/ptmx, # for bind mounting under LXD
  # Workaround for LP: #1584456 on older kernels that mistakenly think
  # /dev/pts/ptmx needs a trailing '/'
  mount options=(rw bind) /dev/pts/ptmx/ -> /dev/ptmx/,
  mount options=(rw bind) /dev/pts/ptmx/ -> /dev/pts/ptmx/,

  # for running snaps on classic
  /snap/ r,
  /snap/** r,
  @SNAP_MOUNT_DIR@/ r,
  @SNAP_MOUNT_DIR@/** r,

  # NOTE: at this stage the /snap directory is stable as we have called
  # pivot_root already.

  # nvidia handling, glob needs /usr/** and the launcher must be
  # able to bind mount the nvidia dir
  /sys/module/nvidia/version r,
  /sys/**/drivers/nvidia{,_*}/* r,
  /sys/**/nvidia*/uevent r,
  /sys/module/nvidia{,_*}/* r,
  /dev/nvidia[0-9]* r,
  /dev/nvidiactl r,
  /dev/nvidia-uvm r,
  /usr/** r,
  # NOTE(review): the next two mount rules are character-for-character
  # identical; the second one appears to be redundant. Kept as-is here —
  # confirm against the upstream profile before removing either.
  mount options=(rw bind) /usr/lib{,32}/nvidia-*/ -> /{tmp/snap.rootfs_*/,}var/lib/snapd/lib/gl{,32}/,
  mount options=(rw bind) /usr/lib{,32}/nvidia-*/ -> /{tmp/snap.rootfs_*/,}var/lib/snapd/lib/gl{,32}/,
  /tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/{,*} w,
  # The gl directory is populated on a nodev,noexec tmpfs and then remounted
  # read-only so the snap cannot alter what was placed there.
  mount fstype=tmpfs options=(rw nodev noexec) none -> /tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/,
  mount options=(remount ro bind) -> /tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/,

  # Vulkan support (same tmpfs-then-remount-ro pattern as gl above)
  /tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/{,*} w,
  mount fstype=tmpfs options=(rw nodev noexec) none -> /tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/,
  mount options=(remount ro bind) -> /tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/,

  # GLVND EGL vendor (same tmpfs-then-remount-ro pattern as gl above)
  /tmp/snap.rootfs_*/var/lib/snapd/lib/glvnd/{,*} w,
  mount fstype=tmpfs options=(rw nodev noexec) none -> /tmp/snap.rootfs_*/var/lib/snapd/lib/glvnd/,
  mount options=(remount ro bind) -> /tmp/snap.rootfs_*/var/lib/snapd/lib/glvnd/,

  # create gl dirs as needed
  /tmp/snap.rootfs_*/ r,
  /tmp/snap.rootfs_*/var/ r,
  /tmp/snap.rootfs_*/var/lib/ r,
  /tmp/snap.rootfs_*/var/lib/snapd/ r,
  /tmp/snap.rootfs_*/var/lib/snapd/lib/ r,
  /tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/ r,
  /tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/** rw,
  /tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/ r,
  /tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/** rw,
  /tmp/snap.rootfs_*/var/lib/snapd/lib/glvnd/ r,
  /tmp/snap.rootfs_*/var/lib/snapd/lib/glvnd/** rw,

  # for chroot on steroids, we use pivot_root as a better chroot that makes
  # apparmor rules behave the same on classic and outside of classic.

  # for creating the user data directories: ~/snap, ~/snap/<name> and
  # ~/snap/<name>/<version>
  / r,
  @{HOMEDIRS}/ r,
  # These should both have 'owner' match but due to LP: #1466234, we can't
  # yet
  @{HOME}/ r,
  @{HOME}/snap/{,*/,*/*/} rw,

  # Special case for *classic* snaps that are used by users with existing dirs
  # in /var/lib/. Like jenkins, postgresql, mysql, puppet, ...
  # (see https://forum.snapcraft.io/t/9717)
  # TODO: this can be removed once we support home-dirs outside of /home
  # better
  /var/ r,
  /var/lib/ r,
  # These should both have 'owner' match but due to LP: #1466234, we can't
  # yet
  /var/lib/*/ r,
  /var/lib/*/snap/{,*/,*/*/} rw,

  # for creating the user shared memory directories
  /{dev,run}/{,shm/} r,
  # This should have an 'owner' match but due to LP: #1466234, we can't yet
  /{dev,run}/shm/{,*/,*/*/} rw,

  # for creating the user XDG_RUNTIME_DIR: /run/user, /run/user/UID and
  # /run/user/UID/<name>
  /run/user/{,[0-9]*/,[0-9]*/*/} rw,

  # Workaround https://launchpad.net/bugs/359338 until upstream handles
  # stacked filesystems generally.
  # encrypted ~/.Private and old-style encrypted $HOME
  @{HOME}/.Private/ r,
  @{HOME}/.Private/** mrixwlk,
  # new-style encrypted $HOME
  @{HOMEDIRS}/.ecryptfs/*/.Private/ r,
  @{HOMEDIRS}/.ecryptfs/*/.Private/** mrixwlk,

  # Allow snap-confine to move to the void, creating it if necessary.
  /var/lib/snapd/void/ rw,

  # Allow snap-confine to read snap contexts
  /var/lib/snapd/context/snap.* r,

  # Allow snap-confine to unmount stale mount namespaces.
  umount /run/snapd/ns/*.mnt,
  /run/snapd/ns/snap.*.fstab w,
  # Allow snap-confine to read and write mount namespace information files.
  /run/snapd/ns/snap.*.info rw,
  # Required to correctly unmount bound mount namespace.
  # See LP: #1735459 for details.
  umount /,

  # support for locking
  /run/snapd/lock/ rw,
  /run/snapd/lock/*.lock rwk,

  # support for the mount namespace sharing
  capability sys_ptrace,
  # allow snap-confine to read /proc/1/ns/mnt
  ptrace read peer=unconfined,
  # https://forum.snapcraft.io/t/custom-kernel-error-on-readlinkat-in-mount-namespace/6097/21
  ptrace trace peer=unconfined,

  mount options=(rw rbind) /run/snapd/ns/ -> /run/snapd/ns/,
  mount options=(private) -> /run/snapd/ns/,
  / rw,
  /run/ rw,
  /run/snapd/ rw,
  /run/snapd/ns/ rw,
  /run/snapd/ns/*.lock rwk,
  /run/snapd/ns/*.mnt rw,
  # The mount namespace capture helper is the ^mount-namespace-capture-helper
  # hat defined further below; these ptrace/signal rules pair with the ones
  # inside the hat.
  ptrace (read, readby, tracedby) peer=@LIBEXECDIR@/snap-confine//mount-namespace-capture-helper,
  @{PROC}/*/mountinfo r,
  capability sys_chroot,
  capability sys_admin,
  signal (send, receive) set=(abrt) peer=@LIBEXECDIR@/snap-confine,
  signal (send) set=(int) peer=@LIBEXECDIR@/snap-confine//mount-namespace-capture-helper,
  signal (send, receive) set=(int, alrm, exists) peer=@LIBEXECDIR@/snap-confine,
  signal (receive) set=(exists) peer=@LIBEXECDIR@/snap-confine//mount-namespace-capture-helper,

  # workaround for linux 4.13/upstream, see
  # https://forum.snapcraft.io/t/snapd-2-27-6-2-in-debian-sid-blocked-on-apparmor-in-kernel-4-13-0-1/2813/3
  ptrace (trace, tracedby) peer=@LIBEXECDIR@/snap-confine,

  # Allow reading snap cookies.
  /var/lib/snapd/cookie/snap.* r,

  # For aa_change_hat() to go into ^mount-namespace-capture-helper
  @{PROC}/[0-9]*/attr/current w,

  # As a special exception allow snap-confine to write to anything in /var/lib.
  # This code should be changed to allow delegation so that snap-confine can
  # inherit any file descriptor and pass it to the invoked application but
  # this is not possible in apparmor yet.
  # See https://bugs.launchpad.net/snapd/+bug/1815869
  /var/lib/** rw,

  # Hat entered via aa_change_hat() (see the attr/current write rule above)
  # for the short-lived helper that captures a snap's mount namespace by
  # bind-mounting / onto /run/snapd/ns/*.mnt. It carries its own minimal
  # allow list rather than inheriting the parent's.
  ^mount-namespace-capture-helper (attach_disconnected) {
    # We run privileged, so be fanatical about what we include and don't use
    # any abstractions
    /etc/ld.so.cache r,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}ld-*.so mrix,
    # libc, you are funny
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libc{,-[0-9]*}.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libpthread{,-[0-9]*}.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libreadline{,-[0-9]*}.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}librt{,-[0-9]*}.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libgcc_s.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libncursesw{,-[0-9]*}.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libresolv{,-[0-9]*}.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libselinux.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libpcre.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libmount.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libblkid.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libuuid.so* mr,
    # normal libs in order
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libapparmor.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcgmanager.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libdl{,-[0-9]*}.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnih.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnih-dbus.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libdbus-1.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libudev.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libseccomp.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcap.so* mr,

    @LIBEXECDIR@/snap-confine mr,

    /dev/null rw,
    /dev/full rw,
    /dev/zero rw,
    /dev/random r,
    /dev/urandom r,

    capability sys_ptrace,
    capability sys_admin,
    # This allows us to read and bind mount the namespace file
    / r,
    @{PROC}/ r,
    @{PROC}/*/ r,
    @{PROC}/*/ns/ r,
    @{PROC}/*/ns/mnt r,
    /run/ r,
    /run/snapd/ r,
    /run/snapd/ns/ r,
    /run/snapd/ns/*.mnt rw,
    # NOTE: the source name is / even though we map /proc/123/ns/mnt
    mount options=(rw bind) / -> /run/snapd/ns/*.mnt,
    # This is the SIGALRM that we send and receive if a timeout expires
    signal (send, receive) set=(alrm) peer=@LIBEXECDIR@/snap-confine//mount-namespace-capture-helper,
    # Those two rules are exactly the same but we don't know if the parent process is still alive
    # and hence has the appropriate label or is already dead and hence has no label.
    signal (send) set=(exists) peer=@LIBEXECDIR@/snap-confine,
    signal (send) set=(exists) peer=unconfined,
    # This is so that we can abort
    signal (send, receive) set=(abrt) peer=@LIBEXECDIR@/snap-confine//mount-namespace-capture-helper,
    # This is the signal we get if snap-confine dies (we subscribe to it with prctl)
    signal (receive) set=(int) peer=@LIBEXECDIR@/snap-confine,
    # This allows snap-confine to be killed from the outside.
    signal (receive) peer=unconfined,
    # This allows snap-confine to wait for us
    ptrace (read, trace, tracedby) peer=@LIBEXECDIR@/snap-confine,
  }

  # Allow snap-confine to be killed
  signal (receive) peer=unconfined,

  # Allow switching to snap-update-ns with a per-snap profile.
  change_profile -> snap-update-ns.*,

  # Allow executing snap-update-ns when...

  # ...snap-confine is, conceptually, re-executing and uses snap-update-ns
  # from the distribution package. This is also the location used when using
  # the core/base snap on all-snap systems. The variants here represent
  # various locations of libexecdir across distributions.
  /usr/lib{,exec,64}/snapd/snap-update-ns r,

  # ...snap-confine is not, conceptually, re-executing and uses
  # snap-update-ns from the distribution package but we are already inside
  # the constructed mount namespace so we must traverse "hostfs". The
  # variants here represent various locations of libexecdir across
  # distributions.
  /var/lib/snapd/hostfs/usr/lib{,exec,64}/snapd/snap-update-ns r,

  # ...snap-confine is, conceptually, re-executing and uses snap-update-ns
  # from the core or snapd snaps. Note that the location of the actual snap
  # varies from distribution to distribution. The variants here represent
  # different locations of snap mount directory across distributions.
  /{,var/lib/snapd/}snap/{core,snapd}/*/usr/lib/snapd/snap-update-ns r,

  # ...snap-confine is, conceptually, re-executing and uses snap-update-ns
  # from the core snap or snapd snap, but we are already inside the
  # constructed mount namespace. Here the apparmor kernel module
  # re-constructs the path to snap-update-ns using the "hostfs" mount entry
  # rather than the more "natural" /snap mount entry but we have no control
  # over that. This is reported as (LP: #1716339). The variants here
  # represent different locations of snap mount directory across
  # distributions.
  /var/lib/snapd/hostfs/{,var/lib/snapd/}snap/{core,snapd}/*/usr/lib/snapd/snap-update-ns r,

  # Allow executing snap-discard-ns, just like the set for snap-update-ns
  # above but with the key difference that snap-discard-ns does not
  # have a dedicated profile so we need to inherit snap-confine's profile
  # (hence 'ix' here versus the plain 'r' plus change_profile used above).

  /usr/lib{,exec,64}/snapd/snap-discard-ns rix,
  /var/lib/snapd/hostfs/usr/lib{,exec,64}/snapd/snap-discard-ns rix,
  /{,var/lib/snapd/}snap/{core,snapd}/*/usr/lib/snapd/snap-discard-ns rix,
  /var/lib/snapd/hostfs/{,var/lib/snapd/}snap/{core,snapd}/*/usr/lib/snapd/snap-discard-ns rix,

  # Allow mounting /var/lib/jenkins from the host into the snap.
  mount options=(rw rbind) /var/lib/jenkins/ -> /tmp/snap.rootfs_*/var/lib/jenkins/,
  mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/lib/jenkins/,

  # Suppress noisy file_inherit denials (LP: #1850552) until LP: #1849753 is
  # fixed.
  deny /dev/shm/.org.chromium.Chromium.* rw,

  # While snap-confine itself doesn't require unix rules and therefore all
  # unix rules are implicitly denied, adding an explicit deny for unix to
  # silence noisy denials breaks nested lxd. Until the cause is determined,
  # do not use an explicit deny for unix. (LP: #1855355)
  #deny unix,
}