// -*- Mode: Go; indent-tabs-mode: t -*-

/*
 * Copyright (C) 2016 Canonical Ltd
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 3 as
 * published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 *
 */

package apparmor

// defaultTemplate contains the default AppArmor template for strictly
// confined snaps.
//
// The ###VAR###, ###PROFILEATTACH### and ###SNIPPETS### markers are
// placeholders that are substituted by the caller (the substitution is not
// visible in this file).
//
// Points worth knowing when reviewing this policy:
//   - ptrace, mknod and mount/remount/umount are deliberately *not* denied
//     here (the 'audit deny' rules are commented out): an explicit AppArmor
//     deny overrides allow rules, and other trusted interfaces may need to
//     grant these. The ptrace denial is carried separately by
//     ptraceTraceDenySnippet.
//   - every snap gets 'capability ipc_lock' and 'capability sys_chroot'; the
//     in-template comments give the rationale and the accepted DoS trade-off.
//   - NOTE(review): the install-dir rules use the alternation
//     {@{SNAP_NAME},@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}}, which nests the
//     revision component inside only the second alternative. The 'mrklix'
//     rule therefore also matches @{INSTALL_DIR}/@{SNAP_NAME}/** (all
//     revisions), whereas the "other revisions" rule right below it
//     intentionally omits 'l'. Confirm this is intended.
//
// It can be overridden for testing using MockTemplate().
//
// http://bazaar.launchpad.net/~ubuntu-security/ubuntu-core-security/trunk/view/head:/data/apparmor/templates/ubuntu-core/16.04/default
var defaultTemplate = `
# Description: Allows access to app-specific directories and basic runtime
# Usage: common

# vim:syntax=apparmor

#include <tunables/global>

# snapd supports the concept of 'parallel installs' where snaps with the same
# name are differentiated by '_<instance>' such that foo, foo_bar and foo_baz
# may all be installed on the system. To support this, SNAP_NAME is set to the
# name (eg, 'foo') while SNAP_INSTANCE_NAME is set to the instance name (eg
# 'foo_bar'). The profile name and most rules therefore reference
# SNAP_INSTANCE_NAME. In some cases, snapd will adjust the snap's runtime
# environment so the snap doesn't have to be aware of the distinction (eg,
# SNAP, SNAP_DATA and SNAP_COMMON are all bind mounted onto a directory with
# SNAP_NAME so the security policy will allow writing to both locations (since
# they are equivalent).

###VAR###

###PROFILEATTACH### (attach_disconnected,mediate_deleted) {
  #include <abstractions/base>
  #include <abstractions/consoles>
  #include <abstractions/openssl>

  # While in later versions of the base abstraction, include this explicitly
  # for series 16 and cross-distro
  /etc/ld.so.preload r,

  # The base abstraction doesn't yet have this
  /etc/sysconfig/clock r,
  /lib/terminfo/** rk,
  /usr/share/terminfo/** k,
  /usr/share/zoneinfo/** k,
  owner @{PROC}/@{pid}/maps k,
  # While the base abstraction has rules for encryptfs encrypted home and
  # private directories, it is missing rules for directory read on the toplevel
  # directory of the mount (LP: #1848919)
  owner @{HOME}/.Private/ r,
  owner @{HOMEDIRS}/.ecryptfs/*/.Private/ r,

  # for python apps/services
  #include <abstractions/python>
  /usr/bin/python{,2,2.[0-9]*,3,3.[0-9]*} ixr,
  # additional accesses needed for newer pythons in later bases
  /usr/lib{,32,64}/python3.[0-9]/**.{pyc,so} mr,
  /usr/lib{,32,64}/python3.[0-9]/**.{egg,py,pth} r,
  /usr/lib{,32,64}/python3.[0-9]/{site,dist}-packages/ r,
  /usr/lib{,32,64}/python3.[0-9]/lib-dynload/*.so mr,
  /etc/python3.[0-9]/** r,
  /usr/include/python3.[0-9]*/pyconfig.h r,

  # explicitly deny noisy denials to read-only filesystems (see LP: #1496895
  # for details)
  deny /usr/lib/python3*/{,**/}__pycache__/ w,
  deny /usr/lib/python3*/{,**/}__pycache__/**.pyc.[0-9]* w,
  # bind mount used here (see 'parallel installs', above)
  deny @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/**/__pycache__/ w,
  deny @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/**/__pycache__/*.pyc.[0-9]* w,

  # for perl apps/services
  #include <abstractions/perl>
  /usr/bin/perl{,5*} ixr,
  # AppArmor <2.12 doesn't have rules for perl-base, so add them here
  /usr/lib/@{multiarch}/perl{,5,-base}/** r,
  /usr/lib/@{multiarch}/perl{,5,-base}/[0-9]*/**.so* mr,

  # Note: the following dangerous accesses should not be allowed in most
  # policy, but we cannot explicitly deny since other trusted interfaces might
  # add them.
  # Explicitly deny ptrace for now since it can be abused to break out of the
  # seccomp sandbox. https://lkml.org/lkml/2015/3/18/823
  #audit deny ptrace (trace),

  # Explicitly deny capability mknod so apps can't create devices
  #audit deny capability mknod,

  # Explicitly deny mount, remount and umount so apps can't modify things in
  # their namespace
  #audit deny mount,
  #audit deny remount,
  #audit deny umount,

  # End dangerous accesses

  # Note: this potentially allows snaps to DoS other snaps via resource
  # exhaustion but we can't sensibly mediate this today. In the future we may
  # employ cgroup limits, AppArmor rlimit mlock rules or something else.
  capability ipc_lock,

  # for bash 'binaries' (do *not* use abstractions/bash)
  # user-specific bash files
  /{,usr/}bin/bash ixr,
  /{,usr/}bin/dash ixr,
  /etc/bash.bashrc r,

  # user/group/seat lookups
  /etc/{passwd,group,nsswitch.conf} r, # very common
  /var/lib/extrausers/{passwd,group} r,
  /run/systemd/users/[0-9]* r,
  /etc/default/nss r,

  /etc/libnl-3/{classid,pktloc} r, # apps that use libnl
  /etc/profile r,
  /etc/environment r,
  /usr/share/terminfo/** r,
  /etc/inputrc r,
  # Common utilities for shell scripts
  /{,usr/}bin/arch ixr,
  /{,usr/}bin/{,g,m}awk ixr,
  /{,usr/}bin/base32 ixr,
  /{,usr/}bin/base64 ixr,
  /{,usr/}bin/basename ixr,
  /{,usr/}bin/bunzip2 ixr,
  /{,usr/}bin/bzcat ixr,
  /{,usr/}bin/bzdiff ixr,
  /{,usr/}bin/bzgrep ixr,
  /{,usr/}bin/bzip2 ixr,
  /{,usr/}bin/cat ixr,
  /{,usr/}bin/chgrp ixr,
  /{,usr/}bin/chmod ixr,
  /{,usr/}bin/chown ixr,
  /{,usr/}bin/clear ixr,
  /{,usr/}bin/cmp ixr,
  /{,usr/}bin/cp ixr,
  /{,usr/}bin/cpio ixr,
  /{,usr/}bin/cut ixr,
  /{,usr/}bin/date ixr,
  /{,usr/}bin/dbus-daemon ixr,
  /{,usr/}bin/dbus-run-session ixr,
  /{,usr/}bin/dbus-send ixr,
  /{,usr/}bin/dd ixr,
  /{,usr/}bin/diff{,3} ixr,
  /{,usr/}bin/dir ixr,
  /{,usr/}bin/dirname ixr,
  /{,usr/}bin/du ixr,
  /{,usr/}bin/echo ixr,
  /{,usr/}bin/{,e,f,r}grep ixr,
  /{,usr/}bin/env ixr,
  /{,usr/}bin/expr ixr,
  /{,usr/}bin/false ixr,
  /{,usr/}bin/find ixr,
  /{,usr/}bin/flock ixr,
  /{,usr/}bin/fmt ixr,
  /{,usr/}bin/fold ixr,
  /{,usr/}bin/getconf ixr,
  /{,usr/}bin/getent ixr,
  /{,usr/}bin/getopt ixr,
  /{,usr/}bin/groups ixr,
  /{,usr/}bin/gzip ixr,
  /{,usr/}bin/head ixr,
  /{,usr/}bin/hostname ixr,
  /{,usr/}bin/id ixr,
  /{,usr/}bin/igawk ixr,
  /{,usr/}bin/infocmp ixr,
  /{,usr/}bin/kill ixr,
  /{,usr/}bin/ldd ixr,
  /{usr/,}lib{,32,64}/ld{,32,64}-*.so ix,
  /{usr/,}lib/@{multiarch}/ld{,32,64}-*.so ix,
  /{,usr/}bin/less{,file,pipe} ixr,
  /{,usr/}bin/ln ixr,
  /{,usr/}bin/line ixr,
  /{,usr/}bin/link ixr,
  /{,usr/}bin/locale ixr,
  /{,usr/}bin/logger ixr,
  /{,usr/}bin/ls ixr,
  /{,usr/}bin/md5sum ixr,
  /{,usr/}bin/mkdir ixr,
  /{,usr/}bin/mkfifo ixr,
  /{,usr/}bin/mknod ixr,
  /{,usr/}bin/mktemp ixr,
  /{,usr/}bin/more ixr,
  /{,usr/}bin/mv ixr,
  /{,usr/}bin/nice ixr,
  /{,usr/}bin/nohup ixr,
  /{,usr/}bin/od ixr,
  /{,usr/}bin/openssl ixr, # may cause harmless capability block_suspend denial
  /{,usr/}bin/paste ixr,
  /{,usr/}bin/pgrep ixr,
  /{,usr/}bin/printenv ixr,
  /{,usr/}bin/printf ixr,
  /{,usr/}bin/ps ixr,
  /{,usr/}bin/pwd ixr,
  /{,usr/}bin/readlink ixr,
  /{,usr/}bin/realpath ixr,
  /{,usr/}bin/rev ixr,
  /{,usr/}bin/rm ixr,
  /{,usr/}bin/rmdir ixr,
  /{,usr/}bin/run-parts ixr,
  /{,usr/}bin/sed ixr,
  /{,usr/}bin/seq ixr,
  /{,usr/}bin/sha{1,224,256,384,512}sum ixr,
  /{,usr/}bin/shuf ixr,
  /{,usr/}bin/sleep ixr,
  /{,usr/}bin/sort ixr,
  /{,usr/}bin/stat ixr,
  /{,usr/}bin/stdbuf ixr,
  /{,usr/}bin/stty ixr,
  /{,usr/}bin/sync ixr,
  /{,usr/}bin/systemd-cat ixr,
  /{,usr/}bin/tac ixr,
  /{,usr/}bin/tail ixr,
  /{,usr/}bin/tar ixr,
  /{,usr/}bin/tee ixr,
  /{,usr/}bin/test ixr,
  /{,usr/}bin/tempfile ixr,
  /{,usr/}bin/tset ixr,
  /{,usr/}bin/touch ixr,
  /{,usr/}bin/tput ixr,
  /{,usr/}bin/tr ixr,
  /{,usr/}bin/true ixr,
  /{,usr/}bin/tty ixr,
  /{,usr/}bin/uname ixr,
  /{,usr/}bin/uniq ixr,
  /{,usr/}bin/unlink ixr,
  /{,usr/}bin/unxz ixr,
  /{,usr/}bin/unzip ixr,
  /{,usr/}bin/vdir ixr,
  /{,usr/}bin/wc ixr,
  /{,usr/}bin/which ixr,
  /{,usr/}bin/xargs ixr,
  /{,usr/}bin/xz ixr,
  /{,usr/}bin/yes ixr,
  /{,usr/}bin/zcat ixr,
  /{,usr/}bin/z{,e,f}grep ixr,
  /{,usr/}bin/zip ixr,
  /{,usr/}bin/zipgrep ixr,

  # For snappy reexec on 4.8+ kernels
  /usr/lib/snapd/snap-exec m,

  # For gdb support
  /usr/lib/snapd/snap-gdb-shim ixr,

  # For in-snap tab completion
  /etc/bash_completion.d/{,*} r,
  /usr/lib/snapd/etelpmoc.sh ixr, # marshaller (see complete.sh for out-of-snap unmarshal)
  /usr/share/bash-completion/bash_completion r, # user-provided completions (run in-snap) may use functions from here

  # For printing the cache (we don't allow updating the cache)
  /{,usr/}sbin/ldconfig{,.real} ixr,

  # uptime
  /{,usr/}bin/uptime ixr,
  @{PROC}/uptime r,
  @{PROC}/loadavg r,

  # lsb-release
  /usr/bin/lsb_release ixr,
  /usr/bin/ r,
  /usr/share/distro-info/*.csv r,

  # Allow reading /etc/os-release. On Ubuntu 16.04+ it is a symlink to /usr/lib
  # which is allowed by the base abstraction, but on 14.04 it is an actual file
  # so need to add it here. Also allow read locks on the file.
  /etc/os-release rk,
  /usr/lib/os-release k,

  # systemd native journal API (see sd_journal_print(4)). This should be in
  # AppArmor's base abstraction, but until it is, include here.
  /run/systemd/journal/socket w,
  /run/systemd/journal/stdout rw, # 'r' shouldn't be needed, but journald
                                  # doesn't leak anything so allow

  # snapctl and its requirements
  /usr/bin/snapctl ixr,
  /usr/lib/snapd/snapctl ixr,
  @{PROC}/sys/net/core/somaxconn r,
  /run/snapd-snap.socket rw,

  # Note: for now, don't explicitly deny this noisy denial so --devmode isn't
  # broken but eventually we may conditionally deny this since it is an
  # information leak.
  #deny /{,var/}run/utmp r,

  # java
  @{PROC}/@{pid}/ r,
  @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/auxv r,
  @{PROC}/sys/vm/zone_reclaim_mode r,
  /etc/lsb-release r,
  /sys/devices/**/read_ahead_kb r,
  /sys/devices/system/cpu/** r,
  /sys/devices/system/node/node[0-9]*/* r,
  /sys/kernel/mm/transparent_hugepage/enabled r,
  /sys/kernel/mm/transparent_hugepage/defrag r,
  # NOTE: this leaks running process but java seems to want it (even though it
  # seems to operate ok without it) and SDL apps crash without it. Allow owner
  # match until AppArmor kernel var is available to solve this properly (see
  # LP: #1546825 for details). comm is a subset of cmdline, so allow it too.
  owner @{PROC}/@{pid}/cmdline r,
  owner @{PROC}/@{pid}/comm r,

  # Per man(5) proc, the kernel enforces that a thread may only modify its comm
  # value or those in its thread group.
  owner @{PROC}/@{pid}/task/@{tid}/comm rw,

  # Allow reading and writing to our file descriptors in /proc which, for
  # example, allow access to /dev/std{in,out,err} which are all symlinks to
  # /proc/self/fd/{0,1,2} respectively. To support the open(..., O_TMPFILE)
  # linkat() temporary file technique, allow all fds. Importantly, access to
  # another's task's fd via this proc interface is mediated via 'ptrace (read)'
  # (readonly) and 'ptrace (trace)' (read/write) which is denied by default, so
  # this rule by itself doesn't allow opening another snap's fds via proc.
  owner @{PROC}/@{pid}/{,task/@{tid}}fd/[0-9]* rw,

  # Miscellaneous accesses
  /dev/{,u}random w,
  /etc/machine-id r,
  /etc/mime.types r,
  @{PROC}/ r,
  @{PROC}/version r,
  @{PROC}/version_signature r,
  /etc/{,writable/}hostname r,
  /etc/{,writable/}localtime r,
  /etc/{,writable/}mailname r,
  /etc/{,writable/}timezone r,
  owner @{PROC}/@{pid}/cgroup r,
  @{PROC}/@{pid}/io r,
  owner @{PROC}/@{pid}/limits r,
  owner @{PROC}/@{pid}/loginuid r,
  @{PROC}/@{pid}/smaps r,
  @{PROC}/@{pid}/stat r,
  @{PROC}/@{pid}/statm r,
  @{PROC}/@{pid}/status r,
  @{PROC}/@{pid}/task/ r,
  @{PROC}/@{pid}/task/[0-9]*/smaps r,
  @{PROC}/@{pid}/task/[0-9]*/stat r,
  @{PROC}/@{pid}/task/[0-9]*/statm r,
  @{PROC}/@{pid}/task/[0-9]*/status r,
  @{PROC}/sys/fs/pipe-max-size r,
  @{PROC}/sys/kernel/hostname r,
  @{PROC}/sys/kernel/osrelease r,
  @{PROC}/sys/kernel/ostype r,
  @{PROC}/sys/kernel/yama/ptrace_scope r,
  @{PROC}/sys/kernel/shmmax r,
  @{PROC}/sys/fs/file-max r,
  @{PROC}/sys/fs/inotify/max_* r,
  @{PROC}/sys/kernel/pid_max r,
  @{PROC}/sys/kernel/random/uuid r,
  @{PROC}/sys/kernel/random/boot_id r,
  /sys/devices/virtual/tty/{console,tty*}/active r,
  /sys/fs/cgroup/memory/memory.limit_in_bytes r,
  /sys/fs/cgroup/memory/snap.@{SNAP_INSTANCE_NAME}{,.*}/memory.limit_in_bytes r,
  /sys/module/apparmor/parameters/enabled r,
  /{,usr/}lib/ r,

  # Reads of oom_adj and oom_score_adj are safe
  owner @{PROC}/@{pid}/oom_{,score_}adj r,

  # Note: for now, don't explicitly deny write access so --devmode isn't broken
  # but eventually we may conditionally deny this since it allows the process
  # to increase the oom heuristic of other processes (make them more likely to
  # be killed). Once AppArmor kernel var is available to solve this properly,
  # this can safely be allowed since non-root processes won't be able to
  # decrease the value and root processes will only be able to with
  # 'capability sys_resource,' which we deny be default.
  # deny owner @{PROC}/@{pid}/oom_{,score_}adj w,

  # Eases hardware assignment (doesn't give anything away)
  /etc/udev/udev.conf r,
  /sys/ r,
  /sys/bus/ r,
  /sys/class/ r,

  # this leaks interface names and stats, but not in a way that is traceable
  # to the user/device
  @{PROC}/net/dev r,
  @{PROC}/@{pid}/net/dev r,

  # Read-only of this snap
  /var/lib/snapd/snaps/@{SNAP_NAME}_*.snap r,

  # Read-only for the install directory
  # bind mount used here (see 'parallel installs', above)
  @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/ r,
  @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}}/ r,
  @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}}/** mrklix,

  # Read-only install directory for other revisions to help with bugs like
  # LP: #1616650 and LP: #1655992
  @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/** mrkix,

  # Read-only home area for other versions
  # bind mount *not* used here (see 'parallel installs', above)
  owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/ r,
  owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/** mrkix,

  # Writable home area for this version.
  # bind mount *not* used here (see 'parallel installs', above)
  owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}/** wl,
  owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/common/** wl,

  # Read-only system area for other versions
  # bind mount used here (see 'parallel installs', above)
  /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/ r,
  /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/** mrkix,

  # Writable system area only for this version
  # bind mount used here (see 'parallel installs', above)
  /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/@{SNAP_REVISION}/** wl,
  /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/common/** wl,

  # The ubuntu-core-launcher creates an app-specific private restricted /tmp
  # and will fail to launch the app if something goes wrong. As such, we can
  # simply allow full access to /tmp.
  /tmp/ r,
  /tmp/** mrwlkix,

  # App-specific access to files and directories in /dev/shm. We allow file
  # access in /dev/shm for shm_open() and files in subdirectories for open()
  # bind mount *not* used here (see 'parallel installs', above)
  /{dev,run}/shm/snap.@{SNAP_INSTANCE_NAME}.** mrwlkix,
  # Also allow app-specific access for sem_open()
  /{dev,run}/shm/sem.snap.@{SNAP_INSTANCE_NAME}.* mrwlk,

  # Snap-specific XDG_RUNTIME_DIR that is based on the UID of the user
  # bind mount *not* used here (see 'parallel installs', above)
  owner /run/user/[0-9]*/snap.@{SNAP_INSTANCE_NAME}/ rw,
  owner /run/user/[0-9]*/snap.@{SNAP_INSTANCE_NAME}/** mrwklix,

  # Allow apps from the same package to communicate with each other via an
  # abstract or anonymous socket
  unix (bind, listen) addr="@snap.@{SNAP_INSTANCE_NAME}.**",
  unix peer=(label=snap.@{SNAP_INSTANCE_NAME}.*),

  # Allow apps from the same package to communicate with each other via DBus.
  # Note: this does not grant access to the DBus sockets of well known buses
  # (will still need to use an appropriate interface for that).
  dbus (receive, send) peer=(label=snap.@{SNAP_INSTANCE_NAME}.*),
  # In addition to the above, dbus-run-session attempts reading these files
  # from the snap base runtime.
  /usr/share/dbus-1/services/{,*} r,
  /usr/share/dbus-1/system-services/{,*} r,

  # Allow apps from the same package to signal each other via signals
  signal peer=snap.@{SNAP_INSTANCE_NAME}.*,

  # Allow receiving signals from all snaps (and focus on mediating sending of
  # signals)
  signal (receive) peer=snap.*,

  # Allow receiving signals from unconfined (eg, systemd)
  signal (receive) peer=unconfined,

  # for 'udevadm trigger --verbose --dry-run --tag-match=snappy-assign'
  /{,s}bin/udevadm ixr,
  /etc/udev/udev.conf r,
  /{,var/}run/udev/tags/snappy-assign/ r,
  @{PROC}/cmdline r,
  /sys/devices/**/uevent r,

  # LP: #1447237: adding '--property-match=SNAPPY_APP=<pkgname>' to the above
  # requires:
  #   /run/udev/data/* r,
  # but that reveals too much about the system and cannot be granted to apps
  # by default at this time.

  # For convenience, allow apps to see what is in /dev even though cgroups
  # will block most access
  /dev/ r,
  /dev/**/ r,

  # Allow setting up pseudoterminal via /dev/pts system. This is safe because
  # the launcher uses a per-app devpts newinstance.
  /dev/ptmx rw,

  # Do the same with /sys/devices and /sys/class to help people using hw-assign
  /sys/devices/ r,
  /sys/devices/**/ r,
  /sys/class/ r,
  /sys/class/**/ r,

  # Allow all snaps to chroot
  capability sys_chroot,
  /{,usr/}sbin/chroot ixr,

  # Lttng tracing is very noisy and should not be allowed by confined apps. Can
  # safely deny for the normal case (LP: #1260491). If/when an lttng-trace
  # interface is needed, we can rework this.
  deny /{dev,run,var/run}/shm/lttng-ust-* rw,

  # Allow read-access on /home/ for navigating to other parts of the
  # filesystem. While this allows enumerating users, this is already allowed
  # via /etc/passwd and getent.
  @{HOMEDIRS}/ r,

  # Allow read-access to / for navigating to other parts of the filesystem.
  / r,

  # Snap-specific run directory. Bind mount *not* used here
  # (see 'parallel installs', above)
  /run/snap.@{SNAP_INSTANCE_NAME}/ rw,
  /run/snap.@{SNAP_INSTANCE_NAME}/** mrwklix,

###SNIPPETS###
}
`

// privDropAndChownRules is the snippet appended for privilege drop and chown
// operations. The specific setuid, setgid and chown operations are
// controlled via seccomp; AppArmor only grants the capabilities themselves.
//
// To expand on the policy comment below: "this is not a problem in practice":
// access to sockets is mediated by file and unix AppArmor rules. When the
// access is allowed, the snap is expected to be able to use the socket. Some
// service listeners will employ additional checks, such as 'is the connecting
// (snap) process root' or 'is the connecting non-root (snap) process in a
// particular group', etc. Since snapd daemons start as root and because the
// service listeners typically let the root process do anything, the snap
// doesn't gain anything from being able to forge a uid since it has full
// access to the socket API already. A snap could forge a check to bypass the
// theoretical case of the service listener wanting to limit root to something
// less than another user, but in practice service listeners won't do this
// because it is ineffective against unconfined root processes which can
// manipulate the service listener in other ways to subvert a check like this.
//
// For CAP_KILL, AppArmor mediates signals and the default policy allows
// sending signals only to processes with a security label that matches the
// snap, but AppArmor does not currently mediate the uid/gid of the
// sender/receiver to finely mediate what non-root uid/gids a root process may
// send to, so we have always required the process-control interface for snaps
// to send signals to other users (even within the same snap). We want to
// maintain this with our privilege dropping rules, so we omit 'capability
// kill' since snaps can work within the system without 'capability kill':
// - root parent can drop, spawn a child and later (dropped) parent can send a
//   signal
// - root parent can spawn a child that drops, then later temporarily drop
//   (ie, seteuid/setegid), send the signal, then reraise
//
// Note that CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH and CAP_KILL are
// intentionally left commented out below; do not enable them here without
// revisiting the reasoning above.
var privDropAndChownRules = `
  # allow setuid, setgid and chown for privilege dropping (mediation is done
  # via seccomp). Note: CAP_SETUID allows (and CAP_SETGID is the same, but
  # for gid operations):
  # - forging of UIDs when passing passing socket credentials via UNIX domain
  #   sockets and we don't currently mediate socket credentials, between
  #   mediating socket access in general and the execve() boundary that drops
  #   the capability for non-root commands, this is not a problem in practice.
  # - accessing the persistent keyring via keyctl, but keyctl is mediated via
  #   seccomp.
  # - writing a user ID mapping in a user namespace, but we mediate access to
  #   /proc/*/uid_map with AppArmor
  #
  # CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH are intentionally omitted from the
  # policy since we want traditional DAC to be enforced for root. It is
  # expected that a program that is dropping privileges, etc will create/modify
  # files in a way that doesn't require these capabilities.
  capability setuid,
  capability setgid,
  capability chown,
  #capability dac_override,
  #capability dac_read_search,

  # Similarly, CAP_KILL is intentionally omitted since we want traditional
  # DAC to be enforced for root. It is expected that a program that is spawning
  # processes that ultimately run as non-root will send signals to those
  # processes as the matching non-root user.
  #capability kill,
`

// classicTemplate contains the AppArmor template used for snaps with classic
// confinement. This template was designed by jdstrand:
// https://github.com/snapcore/snapd/pull/2366#discussion_r90101320
//
// The classic template intentionally provides no confinement and is used
// simply to ensure that processes have the proper command-specific security
// label instead of 'unconfined'. Every rule in it is an allow ('/** rwlkm',
// 'capability,', 'mount,', 'ptrace,', ...), so it must never be selected for
// a strictly confined snap. The 'pix' exec rule means a child inherits this
// profile unless a dedicated profile for the target binary already exists.
//
// It can be overridden for testing using MockClassicTemplate().
var classicTemplate = `
#include <tunables/global>

###VAR###

###PROFILEATTACH### (attach_disconnected,mediate_deleted) {
  # set file rules so that exec() inherits our profile unless there is
  # already a profile for it (eg, snap-confine)
  / rwkl,
  /** rwlkm,
  /** pix,

  capability,
  ###CHANGEPROFILE_RULE###
  dbus,
  network,
  mount,
  remount,
  umount,
  pivot_root,
  ptrace,
  signal,
  unix,

###SNIPPETS###
}
`

// classicJailmodeSnippet contains extra rules that allow snaps using classic
// confinement, that were put into jailmode, to execute by at least having
// access to the core snap (e.g. for the dynamic linker and libc).
//
// Only read (r) and map (m) rules on the core snap are granted; the snippet
// does not widen the jailmode confinement beyond that.
var classicJailmodeSnippet = `
  # Read-only access to the core snap.
  @{INSTALL_DIR}/core/** r,
  # Read only access to the core snap to load libc from.
  # This is related to LP: #1666897
  @{INSTALL_DIR}/core/*/{,usr/}lib/@{multiarch}/{,**/}lib*.so* m,

  # For snappy reexec on 4.8+ kernels
  @{INSTALL_DIR}/core/*/usr/lib/snapd/snap-exec m,
`

// nfsSnippet contains extra permissions necessary for snaps and snap-confine
// to operate when NFS is used. This is an imperfect solution as this grants
// some network access to all the snaps on the system: 'network inet' and
// 'network inet6' are unrestricted IPv4/IPv6 socket access at the AppArmor
// layer, so this snippet should only ever be emitted on systems that actually
// need it.
// For tracking see https://bugs.launchpad.net/apparmor/+bug/1724903
var nfsSnippet = `
  # snapd autogenerated workaround for systems using NFS, for details see:
  # https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1662552
  network inet,
  network inet6,
`

// overlayRootSnippet contains the extra permissions necessary for snap and
// snap-confine to operate on systems where '/' is a writable overlay fs.
// AppArmor requires directory reads for upperdir (but these aren't otherwise
// visible to the snap). While we filter AppArmor regular expression (AARE)
// characters elsewhere, we double quote the path in case UPPERDIR has spaces.
//
// Because ###UPPERDIR### is substituted into a quoted AppArmor path, the
// caller is responsible for that AARE filtering; nothing in this file
// sanitises the value.
var overlayRootSnippet = `
  # snapd autogenerated workaround for systems using '/' on overlayfs. For
  # details see: https://bugs.launchpad.net/apparmor/+bug/1703674
  "###UPPERDIR###/{,**/}" r,
`

// ptraceTraceDenySnippet explicitly denies 'ptrace (trace)' and
// 'capability sys_ptrace'. As explicit AppArmor denies, these take precedence
// over any allow rule contributed by other snippets, which is why they live
// in a separate snippet rather than in defaultTemplate (see the commented-out
// 'audit deny ptrace' there). The in-template comment explains the
// kernel-version dependency.
var ptraceTraceDenySnippet = `
  # While commands like 'ps', 'ip netns identify <pid>', 'ip netns pids foo', etc
  # trigger a 'ptrace (trace)' denial, they aren't actually tracing other
  # processes. Unfortunately, the kernel overloads trace such that the LSMs are
  # unable to distinguish between tracing other processes and other accesses.
  # ptrace (trace) can be used to break out of the seccomp sandbox unless the
  # kernel has 93e35efb8de45393cf61ed07f7b407629bf698ea (in 4.8+). Until snapd
  # has full ptrace support conditional on kernel support, explicitly deny to
  # silence noisy denials/avoid confusion and accidentally giving away this
  # dangerous access frivolously.
  deny ptrace (trace),
  deny capability sys_ptrace,
`

// updateNSTemplate defines the apparmor profile for per-snap snap-update-ns.
//
// The per-snap snap-update-ns profiles are composed via a template and
// snippets for the snap. The template allows:
// - accesses to libraries, files and /proc entries required to run
// - using global and per-snap lock files
// - reading per-snap mount namespaces and mount profiles
// - managing per-snap freezer state files
// - per-snap mounting/unmounting fonts from the host
// - denying mounts to restricted places (eg, /snap/bin and /media)
//
// This profile is privileged: it grants 'capability sys_admin' (needed for
// mount/unmount), 'dac_override', 'chown', 'setuid' and 'setgid'. The
// mount/umount rules are scoped to /snap/###SNAP_INSTANCE_NAME###/*/** and
// the 'audit deny mount' rules for /snap/bin and /media are the main guard
// against a compromised snap-update-ns rearranging the host. Because
// ###SNAP_INSTANCE_NAME### is substituted into both the profile name and
// path rules, the caller must only ever pass a validated snap instance name
// (the validation is not visible in this file).
var updateNSTemplate = `
# Description: Allows snap-update-ns to construct the mount namespace specific
# to a particular snap (see the name below). This specifically includes the
# precise locations of the layout elements.

# vim:syntax=apparmor

#include <tunables/global>

profile snap-update-ns.###SNAP_INSTANCE_NAME### (attach_disconnected) {
  # The next four rules mirror those above. We want to be able to read
  # and map snap-update-ns into memory but it may come from a variety of places.
  /usr/lib{,exec,64}/snapd/snap-update-ns mr,
  /var/lib/snapd/hostfs/usr/lib{,exec,64}/snapd/snap-update-ns mr,
  /{,var/lib/snapd/}snap/{core,snapd}/*/usr/lib/snapd/snap-update-ns mr,
  /var/lib/snapd/hostfs/{,var/lib/snapd/}snap/core/*/usr/lib/snapd/snap-update-ns mr,

  # Allow reading the dynamic linker cache.
  /etc/ld.so.cache r,
  # Allow reading, mapping and executing the dynamic linker.
  /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}ld-*.so mrix,
  # Allow reading and mapping various parts of the standard library and
  # dynamically loaded nss modules and what not.
  /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libc{,-[0-9]*}.so* mr,
  /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libpthread{,-[0-9]*}.so* mr,

  # Common devices accesses
  /dev/null rw,
  /dev/full rw,
  /dev/zero rw,
  /dev/random r,
  /dev/urandom r,

  # Allow access to the uuidd daemon (this daemon is a thin wrapper around
  # time and getrandom()/{,u}random and, when available, runs under an
  # unprivilged, dedicated user).
  /run/uuidd/request r,

  # Allow reading the command line (snap-update-ns uses it in pre-Go bootstrap code).
  @{PROC}/@{pid}/cmdline r,

  # Allow reading file descriptor paths
  @{PROC}/@{pid}/fd/* r,
  # Allow reading /proc/version. For release.go WSL detection.
  @{PROC}/version r,

  # Allow reading somaxconn, required in newer distro releases
  @{PROC}/sys/net/core/somaxconn r,
  # but silence noisy denial of inet/inet6
  deny network inet,
  deny network inet6,

  # Allow reading the os-release file (possibly a symlink to /usr/lib).
  /{etc/,usr/lib/}os-release r,

  # Allow creating/grabbing global and per-snap lock files.
  /run/snapd/lock/###SNAP_INSTANCE_NAME###.lock rwk,
  /run/snapd/lock/.lock rwk,

  # Allow reading stored mount namespaces,
  /run/snapd/ns/ r,
  /run/snapd/ns/###SNAP_INSTANCE_NAME###.mnt r,

  # Allow reading per-snap desired mount profiles. Those are written by
  # snapd and represent the desired layout and content connections.
  /var/lib/snapd/mount/snap.###SNAP_INSTANCE_NAME###.fstab r,
  /var/lib/snapd/mount/snap.###SNAP_INSTANCE_NAME###.user-fstab r,

  # Allow reading and writing actual per-snap mount profiles. Note that
  # the wildcard in the rule to allow an atomic write + rename strategy.
  # Those files are written by snap-update-ns and represent the actual
  # mount profile at a given moment.
  /run/snapd/ns/snap.###SNAP_INSTANCE_NAME###.fstab{,.*} rw,

  # NOTE: at this stage the /snap directory is stable as we have called
  # pivot_root already.

  # Needed to perform mount/unmounts.
  capability sys_admin,
  # Needed for mimic construction.
  capability chown,
  # Needed for dropping to calling user when processing per-user mounts
  capability setuid,
  capability setgid,
  # Allow snap-update-ns to override file ownership and permission checks.
  # This is required because writable mimics now preserve the permissions
  # of the original and hence we may be asked to create a directory when the
  # parent is a tmpfs without DAC write access.
  capability dac_override,

  # Allow freezing and thawing the per-snap cgroup freezers
  /sys/fs/cgroup/freezer/snap.###SNAP_INSTANCE_NAME###/freezer.state rw,

  # Allow the content interface to bind fonts from the host filesystem
  mount options=(ro bind) /var/lib/snapd/hostfs/usr/share/fonts/ -> /snap/###SNAP_INSTANCE_NAME###/*/**,
  mount options=(rw private) -> /snap/###SNAP_INSTANCE_NAME###/*/**,
  umount /snap/###SNAP_INSTANCE_NAME###/*/**,

  # set up user mount namespace
  mount options=(rslave) -> /,

  # Allow traversing from the root directory and several well-known places.
  # Specific directory permissions are added by snippets below.
  / r,
  /etc/ r,
  /snap/ r,
  /tmp/ r,
  /usr/ r,
  /var/ r,
  /var/snap/ r,

  # Allow reading timezone data.
  /usr/share/zoneinfo/** r,

  # Don't allow anyone to touch /snap/bin
  audit deny mount /snap/bin/** -> /**,
  audit deny mount /** -> /snap/bin/**,

  # Don't allow bind mounts to /media which has special
  # sharing and propagates mount events outside of the snap namespace.
  audit deny mount -> /media,

  # Allow receiving signals from unconfined (eg, systemd)
  signal (receive) peer=unconfined,
  # Allow sending and receiving signals from ourselves.
  signal peer=@{profile_name},

  # Commonly needed permissions for writable mimics.
  /tmp/ r,
  /tmp/.snap/{,**} rw,

###SNIPPETS###
}
`