# Author: Jamie Strandboge <jamie@canonical.com>
#
# AppArmor profile template for snap-confine, the privileged launcher that
# builds a snap's mount namespace and then switches to the snap's own
# profile. The @LIBEXECDIR@ and @SNAP_MOUNT_DIR@ placeholders are presumably
# substituted at build time (judging by the .in suffix) — confirm against
# the build system.
#include <tunables/global>

# attach_disconnected: paths that become detached from the namespace root
# (as happens around the pivot_root below) are still mediated by this
# profile rather than being denied outright.
@LIBEXECDIR@/snap-confine (attach_disconnected) {
  # Include any additional files that snapd chose to generate.
  # - for $HOME on NFS
  # - for $HOME on encrypted media
  #
  # Those are discussed on https://forum.snapcraft.io/t/snapd-vs-upstream-kernel-vs-apparmor
  # and https://forum.snapcraft.io/t/snaps-and-nfs-home/
  #include "/var/lib/snapd/apparmor/snap-confine"

  # We run privileged, so be fanatical about what we include and don't use
  # any abstractions
  /etc/ld.so.cache r,
  /etc/ld.so.preload r,
  /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}ld-*.so mrix,
  # libc, you are funny
  /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libc{,-[0-9]*}.so* mr,
  /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libpthread{,-[0-9]*}.so* mr,
  /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libreadline{,-[0-9]*}.so* mr,
  /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}librt{,-[0-9]*}.so* mr,
  /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libgcc_s.so* mr,
  /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libncursesw{,-[0-9]*}.so* mr,
  /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libresolv{,-[0-9]*}.so* mr,
  /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libselinux.so* mr,
  /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libpcre{,2}{,-[0-9]*}.so* mr,
  /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libmount.so* mr,
  /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libblkid.so* mr,
  /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libuuid.so* mr,
  # normal libs in order
  /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libapparmor.so* mr,
  /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcgmanager.so* mr,
  /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libdl{,-[0-9]*}.so* mr,
  /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnih.so* mr,
  /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnih-dbus.so* mr,
  /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libdbus-1.so* mr,
  /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libudev.so* mr,
  /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libseccomp.so* mr,
  /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcap.so* mr,

  @LIBEXECDIR@/snap-confine mr,

  /dev/null rw,
  /dev/full rw,
  /dev/zero rw,
  /dev/random r,
  /dev/urandom r,
  /dev/pts/[0-9]* rw,
  /dev/tty rw,

  # cgroup: devices
  capability sys_admin,
  capability dac_read_search,
  capability dac_override,
  /sys/fs/cgroup/ r,
  /sys/fs/cgroup/devices/ r,
  /sys/fs/cgroup/devices/snap.*/ rw,
  /sys/fs/cgroup/devices/snap.*/cgroup.procs w,
  /sys/fs/cgroup/devices/snap.*/devices.{allow,deny} w,

  # cgroup: freezer
  # Allow creating per-snap cgroup freezers and adding snap command (task)
  # invocations to the freezer. This allows for reliably enumerating all
  # running processes for the snap. In addition, allow enumerating processes
  # in the cgroup to determine if it is occupied.
  /sys/fs/cgroup/freezer/ r,
  /sys/fs/cgroup/freezer/snap.*/ w,
  /sys/fs/cgroup/freezer/snap.*/cgroup.procs rw,

  # querying udev
  /etc/udev/udev.conf r,
  /sys/**/uevent r,
  /run/udev/** rw,
  /{,usr/}bin/tr ixr,
  /usr/lib/locale/** r,
  /usr/lib/@{multiarch}/gconv/gconv-modules r,
  /usr/lib/@{multiarch}/gconv/gconv-modules.cache r,

  # priv dropping
  capability setuid,
  capability setgid,

  # changing profile
  @{PROC}/[0-9]*/attr/{,apparmor/}exec w,
  # Reading current profile
  @{PROC}/[0-9]*/attr/{,apparmor/}current r,
  # Reading available filesystems
  @{PROC}/filesystems r,

  # To find where apparmor is mounted
  @{PROC}/[0-9]*/mounts r,
  # To find if apparmor is enabled
  /sys/module/apparmor/parameters/enabled r,

  # Don't allow changing profile to unconfined or profiles that start with
  # '/'. Use 'unsafe' to support snap-exec on armhf and its reliance on
  # the environment for determining the capabilities of the architecture.
  # 'unsafe' is ok here because the kernel will have already cleared the
  # environment as part of launching snap-confine with CAP_SYS_ADMIN. This
  # does leave directories as configured by ld.so.preload as well as
  # LD_PRELOAD to be set to a library which is in a directory configured by
  # ld.so.conf, but access to those locations is mediated by this profile
  # (which requires rules for specific locations).
  #
  # The eleven rules below spell out "any target whose name is not
  # 'unconfined'" one character at a time; see the LP: #1446794 note further
  # down for the deny-based form this should take once that bug is fixed.
  change_profile unsafe /** -> [^u/]**,
  change_profile unsafe /** -> u[^n]**,
  change_profile unsafe /** -> un[^c]**,
  change_profile unsafe /** -> unc[^o]**,
  change_profile unsafe /** -> unco[^n]**,
  change_profile unsafe /** -> uncon[^f]**,
  change_profile unsafe /** -> unconf[^i]**,
  change_profile unsafe /** -> unconfi[^n]**,
  change_profile unsafe /** -> unconfin[^e]**,
  change_profile unsafe /** -> unconfine[^d]**,
  change_profile unsafe /** -> unconfined?**,

  # allow changing to a few not caught above
  change_profile unsafe /** -> {u,un,unc,unco,uncon,unconf,unconfi,unconfin,unconfine},

  # LP: #1446794 - when this bug is fixed, change the above to:
  # deny change_profile unsafe /** -> {unconfined,/**},
  # change_profile unsafe /** -> **,

  # reading seccomp filters
  /{tmp/snap.rootfs_*/,}var/lib/snapd/seccomp/bpf/*.bin r,

  # LP: #1668659 and parallel instances of classic snaps
  mount options=(rw rbind) /snap/ -> /snap/,
  mount options=(rw rshared) -> /snap/,
  mount options=(rw rbind) /var/lib/snapd/snap/ -> /var/lib/snapd/snap/,
  mount options=(rw rshared) -> /var/lib/snapd/snap/,

  # bootstrapping the mount namespace
  mount options=(rw rshared) -> /,
  mount options=(rw bind) /tmp/snap.rootfs_*/ -> /tmp/snap.rootfs_*/,
  mount options=(rw unbindable) -> /tmp/snap.rootfs_*/,
  # the next line is for classic system
  mount options=(rw rbind) @SNAP_MOUNT_DIR@/*/*/ -> /tmp/snap.rootfs_*/,
  # the next line is for core system
  mount options=(rw rbind) / -> /tmp/snap.rootfs_*/,
  # all of the constructed rootfs is a rslave
  mount options=(rw rslave) -> /tmp/snap.rootfs_*/,
  # bidirectional mounts (for both classic and core)
  # NOTE: this doesn't capture the MERGED_USR configuration option so that
  # when a distro with merged /usr and / that uses apparmor shows up it
  # should be handled here.
  /{,run/}media/ w,
  mount options=(rw rbind) /{,run/}media/ -> /tmp/snap.rootfs_*/{,run/}media/,
  /run/netns/ w,
  mount options=(rw rbind) /run/netns/ -> /tmp/snap.rootfs_*/run/netns/,
  # unidirectional mounts (only for classic system)
  mount options=(rw rbind) /dev/ -> /tmp/snap.rootfs_*/dev/,
  mount options=(rw rslave) -> /tmp/snap.rootfs_*/dev/,

  mount options=(rw rbind) /etc/ -> /tmp/snap.rootfs_*/etc/,
  mount options=(rw rslave) -> /tmp/snap.rootfs_*/etc/,

  mount options=(rw rbind) /home/ -> /tmp/snap.rootfs_*/home/,
  mount options=(rw rslave) -> /tmp/snap.rootfs_*/home/,

  mount options=(rw rbind) /root/ -> /tmp/snap.rootfs_*/root/,
  mount options=(rw rslave) -> /tmp/snap.rootfs_*/root/,

  mount options=(rw rbind) /proc/ -> /tmp/snap.rootfs_*/proc/,
  mount options=(rw rslave) -> /tmp/snap.rootfs_*/proc/,

  mount options=(rw rbind) /sys/ -> /tmp/snap.rootfs_*/sys/,
  mount options=(rw rslave) -> /tmp/snap.rootfs_*/sys/,

  mount options=(rw rbind) /tmp/ -> /tmp/snap.rootfs_*/tmp/,
  mount options=(rw rslave) -> /tmp/snap.rootfs_*/tmp/,

  mount options=(rw rbind) /var/lib/dhcp/ -> /tmp/snap.rootfs_*/var/lib/dhcp/,
  mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/lib/dhcp/,

  mount options=(rw rbind) /var/lib/snapd/ -> /tmp/snap.rootfs_*/var/lib/snapd/,
  mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/lib/snapd/,

  mount options=(rw rbind) /var/snap/ -> /tmp/snap.rootfs_*/var/snap/,
  mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/snap/,

  mount options=(rw rbind) /var/tmp/ -> /tmp/snap.rootfs_*/var/tmp/,
  # /var/volatile is the default volatile location on Yocto/Poky, typically used with read-only rootfs setups
  mount options=(rw rbind) /var/volatile/tmp/ -> /tmp/snap.rootfs_*/var/tmp/,
  mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/tmp/,

  mount options=(rw rbind) /run/ -> /tmp/snap.rootfs_*/run/,
  mount options=(rw rslave) -> /tmp/snap.rootfs_*/run/,

  mount options=(rw rbind) /var/lib/extrausers/ -> /tmp/snap.rootfs_*/var/lib/extrausers/,
  mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/lib/extrausers/,

  mount options=(rw rbind) {,/usr}/lib{,32,64,x32}/modules/ -> /tmp/snap.rootfs_*{,/usr}/lib/modules/,
  mount options=(rw rslave) -> /tmp/snap.rootfs_*{,/usr}/lib/modules/,

  mount options=(rw rbind) {,/usr}/lib{,32,64,x32}/firmware/ -> /tmp/snap.rootfs_*{,/usr}/lib/firmware/,
  mount options=(rw rslave) -> /tmp/snap.rootfs_*{,/usr}/lib/firmware/,

  mount options=(rw rbind) /var/log/ -> /tmp/snap.rootfs_*/var/log/,
  # /var/volatile is the default volatile location on Yocto/Poky, typically used with read-only rootfs setups
  mount options=(rw rbind) /var/volatile/log/ -> /tmp/snap.rootfs_*/var/log/,
  mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/log/,

  mount options=(rw rbind) /usr/src/ -> /tmp/snap.rootfs_*/usr/src/,
  mount options=(rw rslave) -> /tmp/snap.rootfs_*/usr/src/,

  mount options=(rw rbind) /mnt/ -> /tmp/snap.rootfs_*/mnt/,
  mount options=(rw rslave) -> /tmp/snap.rootfs_*/mnt/,

  # allow making host snap-exec available inside base snaps
  mount options=(rw bind) @LIBEXECDIR@/ -> /tmp/snap.rootfs_*/usr/lib/snapd/,
  mount options=(rw slave) -> /tmp/snap.rootfs_*/usr/lib/snapd/,

  # allow making re-execed host snap-exec available inside base snaps
  mount options=(ro bind) @SNAP_MOUNT_DIR@/core/*/usr/lib/snapd/ -> /tmp/snap.rootfs_*/usr/lib/snapd/,
  # allow making snapd snap tools available inside base snaps
  mount options=(ro bind) @SNAP_MOUNT_DIR@/snapd/*/usr/lib/snapd/ -> /tmp/snap.rootfs_*/usr/lib/snapd/,

  mount options=(rw bind) /usr/bin/snapctl -> /tmp/snap.rootfs_*/usr/bin/snapctl,
  mount options=(rw slave) -> /tmp/snap.rootfs_*/usr/bin/snapctl,

  # /etc/alternatives (classic and normal mode)
  mount options=(rw bind) @SNAP_MOUNT_DIR@/*/*/etc/alternatives/ -> /tmp/snap.rootfs_*/etc/alternatives/,
  mount options=(rw bind) @SNAP_MOUNT_DIR@/*/*/etc/ssl/ -> /tmp/snap.rootfs_*/etc/ssl/,
  mount options=(rw bind) @SNAP_MOUNT_DIR@/*/*/etc/nsswitch.conf -> /tmp/snap.rootfs_*/etc/nsswitch.conf,
  mount options=(rw bind) @SNAP_MOUNT_DIR@/*/*/etc/apparmor/ -> /tmp/snap.rootfs_*/etc/apparmor/,
  mount options=(rw bind) @SNAP_MOUNT_DIR@/*/*/etc/apparmor.d/ -> /tmp/snap.rootfs_*/etc/apparmor.d/,

  # /etc/alternatives (core/legacy mode)
  mount options=(rw bind) /etc/alternatives/ -> /tmp/snap.rootfs_*/etc/alternatives/,

  # making all those directories slave shared.
  mount options=(rw slave) -> /tmp/snap.rootfs_*/etc/alternatives/,
  mount options=(rw slave) -> /tmp/snap.rootfs_*/etc/ssl/,
  mount options=(rw slave) -> /tmp/snap.rootfs_*/etc/nsswitch.conf,
  mount options=(rw slave) -> /tmp/snap.rootfs_*/etc/apparmor/,
  mount options=(rw slave) -> /tmp/snap.rootfs_*/etc/apparmor.d/,

  # the /snap directory
  mount options=(rw rbind) @SNAP_MOUNT_DIR@/ -> /tmp/snap.rootfs_*/snap/,
  mount options=(rw rslave) -> /tmp/snap.rootfs_*/snap/,
  # pivot_root preparation and execution
  mount options=(rw bind) /tmp/snap.rootfs_*/var/lib/snapd/hostfs/ -> /tmp/snap.rootfs_*/var/lib/snapd/hostfs/,
  mount options=(rw private) -> /tmp/snap.rootfs_*/var/lib/snapd/hostfs/,

  # pivot_root mediation in AppArmor is not complete. See LP: #1791711.
  # However, we can mediate the new_root and put_old to be what we expect,
  # and then deny directory creation within old_root to prevent trivial
  # pivoting into a whitelisted path.
  pivot_root oldroot=/tmp/snap.rootfs_*/var/lib/snapd/hostfs/ /tmp/snap.rootfs_*/,
  # Explicitly deny creating the old_root directory in case it is
  # inadvertently added somewhere else. While this doesn't resolve
  # LP: #1791711, it provides some hardening. The 'audit' keyword makes any
  # attempt show up in the kernel log, which is the signal to watch for.
  audit deny /tmp/snap.rootfs_*/{var/,var/lib/,var/lib/snapd/,var/lib/snapd/hostfs/} w,

  # cleanup
  umount /var/lib/snapd/hostfs/tmp/snap.rootfs_*/,
  umount /var/lib/snapd/hostfs/sys/,
  umount /var/lib/snapd/hostfs/dev/,
  umount /var/lib/snapd/hostfs/proc/,
  mount options=(rw rslave) -> /var/lib/snapd/hostfs/,

  # Hide /writable from view of snaps.
  mount options=(rprivate) -> /{,var/lib/snapd/hostfs/}writable/,
  umount /{,var/lib/snapd/hostfs/}writable/,

  # set up user mount namespace
  mount options=(rslave) -> /,

  # set up mount namespace for parallel instances of classic snaps
  mount options=(rw rbind) @SNAP_MOUNT_DIR@/{,*/} -> @SNAP_MOUNT_DIR@/{,*/},
  mount options=(rslave) -> @SNAP_MOUNT_DIR@/,
  mount options=(rslave) -> /var/snap/,
  mount options=(rw rbind) /var/snap/{,*/} -> /var/snap/{,*/},
  mount options=(rw rshared) -> /var/snap/,

  # Allow reading the os-release file (possibly a symlink to /usr/lib).
  /{etc/,usr/lib/}os-release r,

  # Allow creating /var/lib/snapd/hostfs, if missing
  /var/lib/snapd/hostfs/ rw,

  # set up snap-specific private /tmp dir
  capability chown,
  /tmp/ rw,
  /tmp/snap.*/ rw,
  /tmp/snap.*/tmp/ rw,
  mount options=(rw private) -> /tmp/,
  mount options=(rw bind) /tmp/snap.*/tmp/ -> /tmp/,
  mount fstype=devpts options=(rw) devpts -> /dev/pts/,
  mount options=(rw bind) /dev/pts/ptmx -> /dev/ptmx, # for bind mounting
  mount options=(rw bind) /dev/pts/ptmx -> /dev/pts/ptmx, # for bind mounting under LXD
  # Workaround for LP: #1584456 on older kernels that mistakenly think
  # /dev/pts/ptmx needs a trailing '/'
  mount options=(rw bind) /dev/pts/ptmx/ -> /dev/ptmx/,
  mount options=(rw bind) /dev/pts/ptmx/ -> /dev/pts/ptmx/,

  # for running snaps on classic
  /snap/ r,
  /snap/** r,
  @SNAP_MOUNT_DIR@/ r,
  @SNAP_MOUNT_DIR@/** r,

  # NOTE: at this stage the /snap directory is stable as we have called
  # pivot_root already.

  # nvidia handling, glob needs /usr/** and the launcher must be
  # able to bind mount the nvidia dir
  /sys/module/nvidia/version r,
  /sys/**/drivers/nvidia{,_*}/* r,
  /sys/**/nvidia*/uevent r,
  /sys/module/nvidia{,_*}/* r,
  /dev/nvidia[0-9]* r,
  /dev/nvidiactl r,
  /dev/nvidia-uvm r,
  /usr/** r,
  mount options=(rw bind) /usr/lib{,32}/nvidia-*/ -> /{tmp/snap.rootfs_*/,}var/lib/snapd/lib/gl{,32}/,
  # NOTE(review): the next rule repeats the one above verbatim; harmless,
  # but one copy could be dropped.
  mount options=(rw bind) /usr/lib{,32}/nvidia-*/ -> /{tmp/snap.rootfs_*/,}var/lib/snapd/lib/gl{,32}/,
  /tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/{,*} w,
  mount fstype=tmpfs options=(rw nodev noexec) none -> /tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/,
  mount options=(remount ro bind) -> /tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/,

  # Vulkan support
  /tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/{,*} w,
  mount fstype=tmpfs options=(rw nodev noexec) none -> /tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/,
  mount options=(remount ro bind) -> /tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/,

  # GLVND EGL vendor
  /tmp/snap.rootfs_*/var/lib/snapd/lib/glvnd/{,*} w,
  mount fstype=tmpfs options=(rw nodev noexec) none -> /tmp/snap.rootfs_*/var/lib/snapd/lib/glvnd/,
  mount options=(remount ro bind) -> /tmp/snap.rootfs_*/var/lib/snapd/lib/glvnd/,

  # create gl dirs as needed
  /tmp/snap.rootfs_*/ r,
  /tmp/snap.rootfs_*/var/ r,
  /tmp/snap.rootfs_*/var/lib/ r,
  /tmp/snap.rootfs_*/var/lib/snapd/ r,
  /tmp/snap.rootfs_*/var/lib/snapd/lib/ r,
  /tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/ r,
  /tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/** rw,
  /tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/ r,
  /tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/** rw,
  /tmp/snap.rootfs_*/var/lib/snapd/lib/glvnd/ r,
  /tmp/snap.rootfs_*/var/lib/snapd/lib/glvnd/** rw,

  # for chroot on steroids, we use pivot_root as a better chroot that makes
  # apparmor rules behave the same on classic and outside of classic.

  # for creating the user data directories: ~/snap, ~/snap/<name> and
  # ~/snap/<name>/<version>
  / r,
  @{HOMEDIRS}/ r,
  # These should both have 'owner' match but due to LP: #1466234, we can't
  # yet
  @{HOME}/ r,
  @{HOME}/snap/{,*/,*/*/} rw,

  # Special case for *classic* snaps that are used by users with existing dirs
  # in /var/lib/. Like jenkins, postgresql, mysql, puppet, ...
  # (see https://forum.snapcraft.io/t/9717)
  # TODO: this can be removed once we support home-dirs outside of /home
  # better
  /var/ r,
  /var/lib/ r,
  # These should both have 'owner' match but due to LP: #1466234, we can't
  # yet
  /var/lib/*/ r,
  /var/lib/*/snap/{,*/,*/*/} rw,

  # for creating the user shared memory directories
  /{dev,run}/{,shm/} r,
  # This should have 'owner' match but due to LP: #1466234, we can't yet
  /{dev,run}/shm/{,*/,*/*/} rw,

  # for creating the user XDG_RUNTIME_DIR: /run/user, /run/user/UID and
  # /run/user/UID/<name>
  /run/user/{,[0-9]*/,[0-9]*/*/} rw,

  # Workaround https://launchpad.net/bugs/359338 until upstream handles
  # stacked filesystems generally.
  # encrypted ~/.Private and old-style encrypted $HOME
  @{HOME}/.Private/ r,
  @{HOME}/.Private/** mrixwlk,
  # new-style encrypted $HOME
  @{HOMEDIRS}/.ecryptfs/*/.Private/ r,
  @{HOMEDIRS}/.ecryptfs/*/.Private/** mrixwlk,

  # Allow snap-confine to move to the void, creating it if necessary.
  /var/lib/snapd/void/ rw,

  # Allow snap-confine to read snap contexts
  /var/lib/snapd/context/snap.* r,

  # Allow snap-confine to unmount stale mount namespaces.
  umount /run/snapd/ns/*.mnt,
  /run/snapd/ns/snap.*.fstab w,
  # Allow snap-confine to read and write mount namespace information files.
  /run/snapd/ns/snap.*.info rw,
  # Required to correctly unmount bound mount namespace.
  # See LP: #1735459 for details.
  umount /,

  # support for locking
  /run/snapd/lock/ rw,
  /run/snapd/lock/*.lock rwk,

  # support for the mount namespace sharing
  capability sys_ptrace,
  # allow snap-confine to read /proc/1/ns/mnt
  ptrace read peer=unconfined,
  # https://forum.snapcraft.io/t/custom-kernel-error-on-readlinkat-in-mount-namespace/6097/21
  ptrace trace peer=unconfined,

  mount options=(rw rbind) /run/snapd/ns/ -> /run/snapd/ns/,
  mount options=(private) -> /run/snapd/ns/,
  / rw,
  /run/ rw,
  /run/snapd/ rw,
  /run/snapd/ns/ rw,
  /run/snapd/ns/*.lock rwk,
  /run/snapd/ns/*.mnt rw,
  ptrace (read, readby, tracedby) peer=@LIBEXECDIR@/snap-confine//mount-namespace-capture-helper,
  @{PROC}/*/mountinfo r,
  capability sys_chroot,
  capability sys_admin,
  signal (send, receive) set=(abrt) peer=@LIBEXECDIR@/snap-confine,
  signal (send) set=(int) peer=@LIBEXECDIR@/snap-confine//mount-namespace-capture-helper,
  signal (send, receive) set=(int, alrm, exists) peer=@LIBEXECDIR@/snap-confine,
  signal (receive) set=(exists) peer=@LIBEXECDIR@/snap-confine//mount-namespace-capture-helper,

  # workaround for linux 4.13/upstream, see
  # https://forum.snapcraft.io/t/snapd-2-27-6-2-in-debian-sid-blocked-on-apparmor-in-kernel-4-13-0-1/2813/3
  ptrace (trace, tracedby) peer=@LIBEXECDIR@/snap-confine,

  # Allow reading snap cookies.
  /var/lib/snapd/cookie/snap.* r,

  # For aa_change_hat() to go into ^mount-namespace-capture-helper
  @{PROC}/[0-9]*/attr/{,apparmor/}current w,

  # As a special exception allow snap-confine to write to anything in /var/lib.
  # This code should be changed to allow delegation so that snap-confine can
  # inherit any file descriptor and pass it to the invoked application but
  # this is not possible in apparmor yet.
  # See https://bugs.launchpad.net/snapd/+bug/1815869
  # NOTE(review): this is the broadest write rule in the profile; keep the
  # bug reference above alive so it gets narrowed once delegation lands.
  /var/lib/** rw,

  # Hat entered via aa_change_hat() (see the @{PROC}/.../attr/current w rule
  # above) while capturing a mount namespace into /run/snapd/ns/*.mnt.
  ^mount-namespace-capture-helper (attach_disconnected) {
    # We run privileged, so be fanatical about what we include and don't use
    # any abstractions
    /etc/ld.so.cache r,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}ld-*.so mrix,
    # libc, you are funny
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libc{,-[0-9]*}.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libpthread{,-[0-9]*}.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libreadline{,-[0-9]*}.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}librt{,-[0-9]*}.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libgcc_s.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libncursesw{,-[0-9]*}.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libresolv{,-[0-9]*}.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libselinux.so* mr,
    # NOTE(review): the main profile above also matches libpcre2
    # (libpcre{,2}{,-[0-9]*}); this hat only lists libpcre — confirm whether
    # the hat ever needs to map it on pcre2-only distributions.
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libpcre.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libmount.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libblkid.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libuuid.so* mr,
    # normal libs in order
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libapparmor.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcgmanager.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libdl{,-[0-9]*}.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnih.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnih-dbus.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libdbus-1.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libudev.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libseccomp.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcap.so* mr,

    @LIBEXECDIR@/snap-confine mr,

    /dev/null rw,
    /dev/full rw,
    /dev/zero rw,
    /dev/random r,
    /dev/urandom r,

    capability sys_ptrace,
    capability sys_admin,
    # This allows us to read and bind mount the namespace file
    / r,
    @{PROC}/ r,
    @{PROC}/*/ r,
    @{PROC}/*/ns/ r,
    @{PROC}/*/ns/mnt r,
    /run/ r,
    /run/snapd/ r,
    /run/snapd/ns/ r,
    /run/snapd/ns/*.mnt rw,
    # NOTE: the source name is / even though we map /proc/123/ns/mnt
    mount options=(rw bind) / -> /run/snapd/ns/*.mnt,
    # This is the SIGALRM that we send and receive if a timeout expires
    signal (send, receive) set=(alrm) peer=@LIBEXECDIR@/snap-confine//mount-namespace-capture-helper,
    # Those two rules are exactly the same but we don't know if the parent process is still alive
    # and hence has the appropriate label or is already dead and hence has no label.
    signal (send) set=(exists) peer=@LIBEXECDIR@/snap-confine,
    signal (send) set=(exists) peer=unconfined,
    # This is so that we can abort
    signal (send, receive) set=(abrt) peer=@LIBEXECDIR@/snap-confine//mount-namespace-capture-helper,
    # This is the signal we get if snap-confine dies (we subscribe to it with prctl)
    signal (receive) set=(int) peer=@LIBEXECDIR@/snap-confine,
    # This allows snap-confine to be killed from the outside.
    signal (receive) peer=unconfined,
    # This allows snap-confine to wait for us
    ptrace (read, trace, tracedby) peer=@LIBEXECDIR@/snap-confine,
  }

  # Allow snap-confine to be killed
  signal (receive) peer=unconfined,

  # Allow switching to snap-update-ns with a per-snap profile.
  change_profile -> snap-update-ns.*,

  # Allow executing snap-update-ns when...

  # ...snap-confine is, conceptually, re-executing and uses snap-update-ns
  # from the distribution package. This is also the location used when using
  # the core/base snap on all-snap systems. The variants here represent
  # various locations of libexecdir across distributions.
  /usr/lib{,exec,64}/snapd/snap-update-ns r,

  # ...snap-confine is not, conceptually, re-executing and uses
  # snap-update-ns from the distribution package but we are already inside
  # the constructed mount namespace so we must traverse "hostfs". The
  # variants here represent various locations of libexecdir across
  # distributions.
  /var/lib/snapd/hostfs/usr/lib{,exec,64}/snapd/snap-update-ns r,

  # ...snap-confine is, conceptually, re-executing and uses snap-update-ns
  # from the core or snapd snaps. Note that the location of the actual snap
  # varies from distribution to distribution. The variants here represent
  # different locations of snap mount directory across distributions.
  /{,var/lib/snapd/}snap/{core,snapd}/*/usr/lib/snapd/snap-update-ns r,

  # ...snap-confine is, conceptually, re-executing and uses snap-update-ns
  # from the core snap or snapd snap, but we are already inside the
  # constructed mount namespace. Here the apparmor kernel module
  # re-constructs the path to snap-update-ns using the "hostfs" mount entry
  # rather than the more "natural" /snap mount entry but we have no control
  # over that. This is reported as (LP: #1716339). The variants here
  # represent different locations of snap mount directory across
  # distributions.
  /var/lib/snapd/hostfs/{,var/lib/snapd/}snap/{core,snapd}/*/usr/lib/snapd/snap-update-ns r,

  # Allow executing snap-discard-ns, just like the set for snap-update-ns
  # above but with the key difference that snap-discard-ns does not
  # have a dedicated profile so we need to inherit snap-confine's profile
  # (hence 'ix' rather than a plain 'r' plus change_profile).

  /usr/lib{,exec,64}/snapd/snap-discard-ns rix,
  /var/lib/snapd/hostfs/usr/lib{,exec,64}/snapd/snap-discard-ns rix,
  /{,var/lib/snapd/}snap/{core,snapd}/*/usr/lib/snapd/snap-discard-ns rix,
  /var/lib/snapd/hostfs/{,var/lib/snapd/}snap/{core,snapd}/*/usr/lib/snapd/snap-discard-ns rix,

  # Allow mounting /var/lib/jenkins from the host into the snap.
  mount options=(rw rbind) /var/lib/jenkins/ -> /tmp/snap.rootfs_*/var/lib/jenkins/,
  mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/lib/jenkins/,

  # Suppress noisy file_inherit denials (LP: #1850552) until LP: #1849753 is
  # fixed.
  deny /dev/shm/.org.chromium.Chromium.* rw,

  # While snap-confine itself doesn't require unix rules and therefore all
  # unix rules are implicitly denied, adding an explicit deny for unix to
  # silence noisy denials breaks nested lxd. Until the cause is determined,
  # do not use an explicit deny for unix. (LP: #1855355)
  #deny unix,

  # Explicitly deny these accesses which show up on Arch to silence the
  # denials for this unneeded access.
  deny /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnss_files-[0-9]*.so* mr,
  deny /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnss_mymachines.[0-9]*.so* mr,
  deny /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnss_systemd.[0-9]*.so* mr,
  deny /etc/nsswitch.conf r,
  deny /etc/passwd r,
}