github.com/rigado/snapd@v2.42.5-go-mod+incompatible/cmd/snap-confine/snap-confine.rst

==============
 snap-confine
==============

-----------------------------------------------
internal tool for confining snappy applications
-----------------------------------------------

:Author: zygmunt.krynicki@canonical.com
:Date:   2017-09-18
:Copyright: Canonical Ltd.
:Version: 2.28
:Manual section: 8
:Manual group: snappy

SYNOPSIS
========

	snap-confine [--classic] [--base BASE] SECURITY_TAG COMMAND [...ARGUMENTS]

DESCRIPTION
===========

`snap-confine` is a program used internally by `snapd` to construct the
execution environment for snap applications. It is not meant to be invoked
directly. `snapd` derives `SECURITY_TAG` (typically `snap.$SNAP_NAME.$APP_NAME`)
and the options below from the snap's meta-data; the tag selects the apparmor
and seccomp profiles described under FEATURES, and once those and the mount
profile are applied `snap-confine` executes `COMMAND` with the given
`ARGUMENTS`.

OPTIONS
=======

The `snap-confine` program accepts two options:

    `--classic` requests the so-called *classic confinement* in which
    applications are not confined at all (as on classic systems, hence the
    name). This disables the use of a dedicated, per-snap mount namespace. The
    `snapd` service generates permissive apparmor and seccomp profiles that
    allow everything.

    `--base BASE` directs snap-confine to use the given base snap as the root
    filesystem. If omitted it defaults to the `core` snap. This is derived from
    snap meta-data by `snapd` when starting the application process.

FEATURES
========

Apparmor profiles
-----------------

`snap-confine` arranges for the kernel to switch to the apparmor profile
`$SECURITY_TAG` when the application is executed. The profile is **mandatory**
and `snap-confine` will refuse to run without it.

The profile has to be loaded into the kernel prior to using `snap-confine`.
Typically this is arranged for by `snapd`. The profile contains a rich
description of what the application process is allowed to do: file paths and
access modes, linux capabilities, network, mount, signal and ptrace
operations, etc. (individual system calls are mediated by the seccomp profile
described below, not by apparmor). The apparmor profile can also do extensive
dbus mediation. Refer to the apparmor documentation for more details.

Seccomp profiles
----------------

`snap-confine` looks for the `/var/lib/snapd/seccomp/bpf/$SECURITY_TAG.bin`
file. This file is **mandatory** and `snap-confine` will refuse to run without
it. It contains the compiled seccomp bpf program that `snap-confine` loads into
the kernel before executing the application. Once installed, a seccomp filter
cannot be removed and is inherited across `fork(2)` and `execve(2)`, so it
covers every process the application starts.

The file is generated with the `/usr/lib/snapd/snap-seccomp` compiler from the
`$SECURITY_TAG.src` file, which uses a custom syntax describing the set of
allowed system calls and, optionally, constraints on their arguments. The
resulting profile is then used to confine the started application.

As a security precaution, a disallowed system call causes the kernel to kill
the application process rather than fail the call with an error. In the future
this restriction may be lifted to return `EPERM` instead.
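
A quick way to see what a compiled profile will actually do, without loading
it, is to decode the `.bin` file and list the return actions it contains. The
following is an added example written for this page, not code from snapd or
`snap-seccomp`. It assumes the file is a bare array of `struct sock_filter`
records in host byte order (little-endian here) with no header; if your snapd
release prepends a header to the file, strip it before decoding. The filter it
decodes by default is constructed inline for the example.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"log"
	"os"
)

// Values from <linux/filter.h> and <linux/seccomp.h>; a struct sock_filter is
// 8 bytes: u16 code, u8 jt, u8 jf, u32 k.
const (
	insnSize       = 8
	bpfLdWAbs      = 0x20       // BPF_LD|BPF_W|BPF_ABS: A = word at offset k of seccomp_data
	bpfJeqK        = 0x15       // BPF_JMP|BPF_JEQ|BPF_K: if A == k goto pc+1+jt else pc+1+jf
	bpfRetK        = 0x06       // BPF_RET|BPF_K: return constant action k
	bpfRetA        = 0x16       // BPF_RET|BPF_A: return the accumulator as the action
	retActionMask  = 0xffff0000 // SECCOMP_RET_ACTION_FULL
	retDataMask    = 0x0000ffff // SECCOMP_RET_DATA: the errno for SECCOMP_RET_ERRNO
	retKillProcess = 0x80000000 // SECCOMP_RET_KILL_PROCESS
	retErrno       = 0x00050000 // SECCOMP_RET_ERRNO
	retAllow       = 0x7fff0000 // SECCOMP_RET_ALLOW
)

var actionNames = map[uint32]string{
	retKillProcess: "KILL_PROCESS", 0x00000000: "KILL_THREAD", 0x00030000: "TRAP",
	retErrno: "ERRNO", 0x7fc00000: "USER_NOTIF", 0x7ff00000: "TRACE",
	0x7ffc0000: "LOG", retAllow: "ALLOW",
}

// Action is one constant BPF_RET instruction found in a filter.
type Action struct {
	Index int    // instruction index
	Name  string // "ALLOW", "ERRNO", "KILL_PROCESS", ...
	Errno uint32 // meaningful only for ERRNO
}

// ReturnActions decodes a raw filter (host byte order, assumed little-endian)
// and lists every outcome it can return. A program that computes its action
// at run time (BPF_RET|BPF_A) cannot be summarised statically and is rejected.
func ReturnActions(raw []byte) ([]Action, error) {
	if len(raw) == 0 || len(raw)%insnSize != 0 {
		return nil, fmt.Errorf("length %d is not a non-zero multiple of %d", len(raw), insnSize)
	}
	var out []Action
	for i := 0; i < len(raw)/insnSize; i++ {
		b := raw[i*insnSize:]
		code, k := binary.LittleEndian.Uint16(b), binary.LittleEndian.Uint32(b[4:])
		switch code {
		case bpfRetK:
			name, ok := actionNames[k&retActionMask]
			if !ok {
				return nil, fmt.Errorf("insn %d: unknown seccomp action %#08x", i, k)
			}
			out = append(out, Action{i, name, k & retDataMask})
		case bpfRetA:
			return nil, fmt.Errorf("insn %d returns a computed action; inspect it by hand", i)
		}
	}
	return out, nil
}

// insn serialises one struct sock_filter the way the kernel lays it out.
func insn(code uint16, jt, jf uint8, k uint32) []byte {
	b := make([]byte, insnSize)
	binary.LittleEndian.PutUint16(b, code)
	b[2], b[3] = jt, jf
	binary.LittleEndian.PutUint32(b[4:], k)
	return b
}

// sampleFilter is a constructed x86_64 filter (not snap-seccomp output):
// wrong architecture -> kill; read/write/exit_group -> allow; anything else -> EPERM.
func sampleFilter() []byte {
	return bytes.Join([][]byte{
		insn(bpfLdWAbs, 0, 0, 4),            // 0: A = seccomp_data.arch
		insn(bpfJeqK, 0, 6, 0xc000003e),     // 1: A == AUDIT_ARCH_X86_64? else goto 8
		insn(bpfLdWAbs, 0, 0, 0),            // 2: A = seccomp_data.nr
		insn(bpfJeqK, 3, 0, 0),              // 3: read       -> 7
		insn(bpfJeqK, 2, 0, 1),              // 4: write      -> 7
		insn(bpfJeqK, 1, 0, 231),            // 5: exit_group -> 7
		insn(bpfRetK, 0, 0, retErrno|1),     // 6: anything else: EPERM
		insn(bpfRetK, 0, 0, retAllow),       // 7: allow
		insn(bpfRetK, 0, 0, retKillProcess), // 8: kill
	}, nil)
}

func main() {
	raw := sampleFilter()
	if len(os.Args) > 1 { // e.g. /var/lib/snapd/seccomp/bpf/snap.foo.bar.bin
		var err error
		if raw, err = os.ReadFile(os.Args[1]); err != nil {
			log.Fatal(err)
		}
	}
	acts, err := ReturnActions(raw)
	if err != nil {
		log.Fatal(err)
	}
	for _, a := range acts {
		fmt.Printf("insn %d: RET_%s errno=%d\n", a.Index, a.Name, a.Errno)
	}
}
```

Saved as, say, `inspect.go` and run with the path of a real profile
(`go run inspect.go /var/lib/snapd/seccomp/bpf/snap.foo.bar.bin`, a
hypothetical tag) it lets you check the policy above: a profile whose only
non-`ALLOW` outcome is `KILL_PROCESS` or `KILL_THREAD` kills on any disallowed
call, while one that also contains `ERRNO` entries lets some calls fail with an
error instead.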
    75  
    76  Mount profiles
    77  --------------
    78  
    79  `snap-confine` uses a helper process, `snap-update-ns`, to apply the mount
    80  namespace profile to freshly constructed mount namespace. That tool looks for
    81  the `/var/lib/snapd/mount/snap.$SNAP_NAME.fstab` file.  If present it is read,
    82  parsed and treated like a mostly-typical `fstab(5)` file.  The mount directives
    83  listed there are executed in order. All directives must succeed as any failure
    84  will abort execution.
    85  
    86  By default all mount entries start with the following flags: `bind`, `ro`,
    87  `nodev`, `nosuid`.  Some of those flags can be reversed by an appropriate
    88  option (e.g. `rw` can cause the mount point to be writable).
    89  
    90  Certain additional features are enabled and conveyed through the use of mount
    91  options prefixed with `x-snapd-`.
    92  
    93  As a security precaution only `bind` mounts are supported at this time.
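
As an added example (not code from snapd or `snap-update-ns`), the following Go
program shows how such a profile can be parsed fail-closed and applied in the
order described above: every entry starts from the `bind,ro,nodev,nosuid`
defaults, each listed option sets or clears one flag, `x-snapd-` options are
collected for the caller, anything that is not a bind mount or that uses an
unrecognised option is rejected, and the first directive that fails stops all
later ones. The option table, the flag values (taken from `<linux/mount.h>`)
and the sample profile are the example's own assumptions.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"strings"
)

// Mount flags from <linux/mount.h>, as passed to mount(2).
const (
	msRdonly = 0x1
	msNosuid = 0x2
	msNodev  = 0x4
	msBind   = 0x1000
)

// defaultFlags is the starting point the man page describes for every entry:
// a read-only, nodev, nosuid bind mount.
const defaultFlags uintptr = msBind | msRdonly | msNodev | msNosuid

// optionFlags maps an fstab option to the flag it sets or clears. The table is
// this example's own, not the exact set snap-update-ns accepts.
var optionFlags = map[string]struct{ set, clear uintptr }{
	"bind":   {msBind, 0},
	"ro":     {msRdonly, 0},
	"rw":     {0, msRdonly},
	"nodev":  {msNodev, 0},
	"dev":    {0, msNodev},
	"nosuid": {msNosuid, 0},
	"suid":   {0, msNosuid},
}

// Entry is one parsed directive from snap.$SNAP_NAME.fstab.
type Entry struct {
	Source, Target, FsType string
	Flags                  uintptr  // MS_* flags for mount(2)
	XSnapd                 []string // x-snapd-* options, left for the caller
}

// ParseLine parses "source target fstype options [dump pass]". Anything that
// is not a bind mount or carries an unknown option is rejected (fail closed).
func ParseLine(line string) (Entry, error) {
	f := strings.Fields(line)
	if len(f) < 4 {
		return Entry{}, fmt.Errorf("expected at least 4 fields, got %d", len(f))
	}
	e := Entry{Source: f[0], Target: f[1], FsType: f[2], Flags: defaultFlags}
	isBind := false
	for _, opt := range strings.Split(f[3], ",") {
		if strings.HasPrefix(opt, "x-snapd-") {
			e.XSnapd = append(e.XSnapd, opt)
			continue
		}
		fl, ok := optionFlags[opt]
		if !ok {
			return Entry{}, fmt.Errorf("unsupported mount option %q", opt)
		}
		isBind = isBind || opt == "bind"
		e.Flags = (e.Flags | fl.set) &^ fl.clear
	}
	if !isBind {
		return Entry{}, errors.New("only bind mounts are supported")
	}
	return e, nil
}

// ParseProfile parses a whole file, skipping blank lines and # comments, and
// keeps directives in file order since they are applied in that order.
func ParseProfile(text string) ([]Entry, error) {
	var out []Entry
	sc := bufio.NewScanner(strings.NewReader(text))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		e, err := ParseLine(line)
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", n, err)
		}
		out = append(out, e)
	}
	return out, nil
}

// Apply runs the directives in order and stops at the first failure, returning
// how many succeeded. mountFn stands in for mount(2) so this runs unprivileged.
func Apply(entries []Entry, mountFn func(Entry) error) (int, error) {
	for i, e := range entries {
		if err := mountFn(e); err != nil {
			return i, fmt.Errorf("directive %d (%s on %s): %w", i+1, e.Source, e.Target, err)
		}
	}
	return len(entries), nil
}

// sampleProfile is constructed for this example; the paths and the x-snapd-
// option are illustrative, not taken from a real snap.
const sampleProfile = `# hypothetical snap "foo", revision 1
/snap/foo/1/share /usr/share/foo none bind,rw 0 0
/snap/foo/1/lib   /usr/lib/foo   none bind,ro,x-snapd-origin=layout 0 0
`

func main() {
	entries, err := ParseProfile(sampleProfile)
	if err != nil {
		panic(err)
	}
	n, err := Apply(entries, func(e Entry) error { // dry run: print instead of mounting
		fmt.Printf("mount %s -> %s flags=%#x extra=%v\n", e.Source, e.Target, e.Flags, e.XSnapd)
		return nil
	})
	fmt.Printf("%d of %d directives applied, err=%v\n", n, len(entries), err)
}
```

In a privileged caller the dry-run callback would be replaced by one that
issues `syscall.Mount(e.Source, e.Target, e.FsType, e.Flags, "")`. Rejecting
unknown options instead of ignoring them matters because the profile is what
stands between the snap and the host filesystem: a misspelt option must fail
loudly rather than quietly change what gets mounted.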
    94  
    95  Sharing of the mount namespace
    96  ------------------------------
    97  
    98  As of version 1.0.41 all the applications from the same snap will share the
    99  same mount namespace. Applications from different snaps continue to use
   100  separate mount namespaces.
   101  
   102  ENVIRONMENT
   103  ===========
   104  
   105  `snap-confine` responds to the following environment variables
   106  
   107  `SNAP_CONFINE_DEBUG`:
   108  	When defined the program will print additional diagnostic information about
   109  	the actions being performed. All the output goes to stderr.
   110  
   111  The following variables are only used when `snap-confine` is not setuid root.
   112  This is only applicable when testing the program itself.
   113  
   114  `SNAPPY_LAUNCHER_INSIDE_TESTS`:
   115  	Internal variable that should not be relied upon.
   116  
   117  `SNAP_CONFINE_NO_ROOT`:
   118  	Internal variable that should not be relied upon.
   119  
   120  `SNAPPY_LAUNCHER_SECCOMP_PROFILE_DIR`:
   121  	Internal variable that should not be relied upon.
   122  
   123  `SNAP_USER_DATA`:
   124      Full path to the directory like /home/$LOGNAME/snap/$SNAP_NAME/$SNAP_REVISION.
   125  
   126      This directory is created by snap-confine on startup. This is a temporary
   127      feature that will be merged into snapd's snap-run command. The set of directories
   128      that can be created is confined with apparmor.
   129  
   130  FILES
   131  =====
   132  
   133  `snap-confine` and `snap-update-ns` use the following files:
   134  
   135  `/var/lib/snapd/mount/snap.*.fstab`:
   136  
   137  	Description of the mount profile.
   138  
   139  `/var/lib/snapd/seccomp/bpf/*.src`:
   140  
   141  	Input for the /usr/lib/snapd/snap-seccomp profile compiler.
   142  
   143  `/var/lib/snapd/seccomp/bpf/*.bin`:
   144  
   145  	Compiled seccomp bpf profile programs.
   146  
   147  `/run/snapd/ns/`:
   148  
   149      Directory used to keep shared mount namespaces.
   150  
   151      `snap-confine` internally converts this directory to a private bind mount.
   152      Semantically the behavior is identical to the following mount commands:
   153  
   154      mount --bind /run/snapd/ns /run/snapd/ns
   155      mount --make-private /run/snapd/ns
   156  
   157  `/run/snapd/ns/.lock`:
   158  
   159      A `flock(2)`-based lock file acquired to create and convert
   160      `/run/snapd/ns/` to a private bind mount.
   161  
   162  `/run/snapd/ns/$SNAP_NAME.lock`:
   163  
   164      A `flock(2)`-based lock file acquired to create or join the mount namespace
   165      represented as `/run/snaps/ns/$SNAP_NAME.mnt`.
   166  
   167  `/run/snapd/ns/$SNAP_NAME.mnt`:
   168  
   169      This file can be either:
   170  
   171      - An empty file that may be seen before the mount namespace is preserved or
   172        when the mount namespace is unmounted.
   173      - A file belonging to the `nsfs` file system, representing a fully
   174        populated mount namespace of a given snap. The file is bind mounted from
   175        `/proc/self/ns/mnt` from the first process in any snap.
   176  
   177  `/proc/self/mountinfo`:
   178  
   179      This file is read to decide if `/run/snapd/ns/` needs to be created and
   180      converted to a private bind mount, as described above.
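
Deciding whether `/run/snapd/ns/` is already a private bind mount, as described
above, comes down to reading `/proc/self/mountinfo`. The following added
example (not snap-confine's own code, which does this in C) parses the table,
finds the topmost entry mounted exactly at the path and reports whether it
exists and whether it still carries `shared:` propagation, which in turn says
which of the two mount commands remain to be run. The mountinfo excerpts are
constructed for the example rather than captured from a host.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// MountState is what needs to be known about /run/snapd/ns before it is used.
type MountState struct {
	Mounted bool // some mount entry has exactly this mount point
	Shared  bool // the topmost such entry still has shared propagation
}

// unescape decodes the \ooo octal escapes that mountinfo uses for space, tab,
// newline and backslash in path fields.
func unescape(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		if s[i] == '\\' && i+3 < len(s) {
			if v, err := strconv.ParseUint(s[i+1:i+4], 8, 8); err == nil {
				b.WriteByte(byte(v))
				i += 3
				continue
			}
		}
		b.WriteByte(s[i])
	}
	return b.String()
}

// Inspect scans mountinfo text for entries mounted exactly at path. Later
// lines overmount earlier ones, so the last match wins. Field layout:
// id parent maj:min root mountpoint opts [optional ...] - fstype source superopts
func Inspect(mountinfo, path string) (MountState, error) {
	var st MountState
	sc := bufio.NewScanner(strings.NewReader(mountinfo))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) == 0 {
			continue
		}
		sep := -1
		for i := 6; i < len(f); i++ {
			if f[i] == "-" {
				sep = i
				break
			}
		}
		if sep < 0 {
			return st, fmt.Errorf("malformed mountinfo line: %q", sc.Text())
		}
		if unescape(f[4]) != path {
			continue
		}
		st = MountState{Mounted: true}
		for _, opt := range f[6:sep] { // optional fields: shared:N, master:N, ...
			if strings.HasPrefix(opt, "shared:") {
				st.Shared = true
			}
		}
	}
	return st, sc.Err()
}

// NeededCommands lists what still has to happen, in order, for path to become
// a private bind mount; it mirrors the two mount commands in the man page.
func NeededCommands(st MountState, path string) []string {
	switch {
	case !st.Mounted: // a new bind mount inherits the parent's propagation
		return []string{"mount --bind " + path + " " + path, "mount --make-private " + path}
	case st.Shared:
		return []string{"mount --make-private " + path}
	}
	return nil
}

// Constructed mountinfo excerpts (not captured from a real host) for the three
// states: before snap-confine runs, after the bind mount (propagation still
// inherited from /run) and after make-private.
const (
	runLine            = "23 25 0:21 / /run rw,nosuid,nodev shared:5 - tmpfs tmpfs rw,mode=755\n"
	sampleBefore       = runLine
	sampleAfterBind    = runLine + "60 23 0:21 /snapd/ns /run/snapd/ns rw,nosuid,nodev shared:5 - tmpfs tmpfs rw,mode=755\n"
	sampleAfterPrivate = runLine + "60 23 0:21 /snapd/ns /run/snapd/ns rw,nosuid,nodev - tmpfs tmpfs rw,mode=755\n"
)

func main() {
	const path = "/run/snapd/ns"
	text := sampleAfterBind
	if data, err := os.ReadFile("/proc/self/mountinfo"); err == nil {
		text = string(data) // on a Linux host, inspect the live table instead
	}
	st, err := Inspect(text, path)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("%s: mounted=%v shared=%v\n", path, st.Mounted, st.Shared)
	for _, c := range NeededCommands(st, path) {
		fmt.Println("todo:", c)
	}
}
```

On a Linux host the program reads the live table, and once snapd has started
any snap it should report `mounted=true shared=false` with nothing left to do.
Note that mountinfo writes spaces and other special characters in path fields
as octal escapes such as ``\040``, so comparing the raw field against a path
without decoding can miss a mount point.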
   181  
   182  Note that the apparmor profile is external to `snap-confine` and is loaded
   183  directly into the kernel. The actual apparmor profile is managed by `snapd`.
   184  
   185  BUGS
   186  ====
   187  
   188  Please report all bugs with https://bugs.launchpad.net/snap-confine/+filebug