
     1  # Author: Jamie Strandboge <jamie@canonical.com>
     2  #include <tunables/global>
     3  
# Profile for the snap-confine launcher.
#
# snap-confine runs privileged and constructs the per-snap mount namespace
# (bind mounts, pivot_root, private /tmp, ...) before switching to the snap's
# own profile via change_profile. Because of that, this profile is deliberately
# narrow: no abstractions are included and every path is listed explicitly.
# The @LIBEXECDIR@ and @SNAP_MOUNT_DIR@ tokens are template placeholders,
# presumably substituted when this .in file is rendered at build time.
#
# attach_disconnected: presumably needed so that rules still match files whose
# path is disconnected from the namespace root while the rootfs is rebuilt
# below — confirm.
@LIBEXECDIR@/snap-confine (attach_disconnected) {
    # Include any additional files that snapd chose to generate.
    # - for $HOME on NFS
    # - for $HOME on encrypted media
    #
    # Those are discussed on https://forum.snapcraft.io/t/snapd-vs-upstream-kernel-vs-apparmor
    # and https://forum.snapcraft.io/t/snaps-and-nfs-home/
    #include "/var/lib/snapd/apparmor/snap-confine"

    # We run privileged, so be fanatical about what we include and don't use
    # any abstractions
    /etc/ld.so.cache r,
    /etc/ld.so.preload r,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}ld-*.so mrix,
    # libc, you are funny
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libc{,-[0-9]*}.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libpthread{,-[0-9]*}.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libreadline{,-[0-9]*}.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}librt{,-[0-9]*}.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libgcc_s.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libncursesw{,-[0-9]*}.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libresolv{,-[0-9]*}.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libselinux.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libpcre{,2}{,-[0-9]*}.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libmount.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libblkid.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libuuid.so* mr,
    # normal libs in order
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libapparmor.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcgmanager.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libdl{,-[0-9]*}.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnih.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnih-dbus.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libdbus-1.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libudev.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libseccomp.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcap.so* mr,

    # snap-confine's own executable
    @LIBEXECDIR@/snap-confine mr,

    # basic device nodes and the controlling terminal
    /dev/null rw,
    /dev/full rw,
    /dev/zero rw,
    /dev/random r,
    /dev/urandom r,
    /dev/pts/[0-9]* rw,
    /dev/tty rw,

    # cgroup: devices
    # NOTE(review): sys_admin is granted a second time in the "mount namespace
    # sharing" section below; the duplicate is harmless but one copy could go.
    capability sys_admin,
    capability dac_read_search,
    capability dac_override,
    /sys/fs/cgroup/ r,
    /sys/fs/cgroup/devices/ r,
    /sys/fs/cgroup/devices/snap.*/ rw,
    /sys/fs/cgroup/devices/snap.*/cgroup.procs w,
    /sys/fs/cgroup/devices/snap.*/devices.{allow,deny} w,

    # cgroup: freezer
    # Allow creating per-snap cgroup freezers and adding snap command (task)
    # invocations to the freezer. This allows for reliably enumerating all
    # running processes for the snap. In addition, allow enumerating processes
    # in the cgroup to determine if it is occupied.
    /sys/fs/cgroup/freezer/ r,
    /sys/fs/cgroup/freezer/snap.*/ w,
    /sys/fs/cgroup/freezer/snap.*/cgroup.procs rw,
    # NOTE(review): "/sys/fs/cgroup/ r" repeats the rule in the devices
    # section above and the "**" rule appears to cover the read side of the
    # freezer rules; redundant but harmless.
    /sys/fs/cgroup/ r,
    /sys/fs/cgroup/** r,

    # cgroup: reading own cgroup
    @{PROC}/@{pid}/cgroup r,

    # querying udev
    /etc/udev/udev.conf r,
    /sys/**/uevent r,
    /run/udev/** rw,
    # tr is executed under this profile (ix), so its own library and locale
    # needs are covered by the rules in this profile
    /{,usr/}bin/tr ixr,
    /usr/lib/locale/** r,
    /usr/lib/@{multiarch}/gconv/gconv-modules r,
    /usr/lib/@{multiarch}/gconv/gconv-modules.cache r,

    # priv dropping
    capability setuid,
    capability setgid,

    # changing profile
    @{PROC}/[0-9]*/attr/{,apparmor/}exec w,
    # Reading current profile
    @{PROC}/[0-9]*/attr/{,apparmor/}current r,
    # Reading available filesystems
    @{PROC}/filesystems r,

    # To find where apparmor is mounted
    @{PROC}/[0-9]*/mounts r,
    # To find if apparmor is enabled
    /sys/module/apparmor/parameters/enabled r,

    # Don't allow changing profile to unconfined or profiles that start with
    # '/'. Use 'unsafe' to support snap-exec on armhf and its reliance on
    # the environment for determining the capabilities of the architecture.
    # 'unsafe' is ok here because the kernel will have already cleared the
    # environment as part of launching snap-confine with CAP_SYS_ADMIN. This
    # does leave directories as configured by ld.so.preload as well as
    # LD_PRELOAD to be set to a library which is in a directory configured by
    # ld.so.conf, but access to those locations is mediated by this profile
    # (which requires rules for specific locations).
    #
    # The target is spelled out character by character: each rule admits
    # names that diverge from "unconfined" at one more position, so no rule
    # matches the literal name "unconfined" itself. The final rule admits
    # names that have "unconfined" as a strict prefix.
    change_profile unsafe /** -> [^u/]**,
    change_profile unsafe /** -> u[^n]**,
    change_profile unsafe /** -> un[^c]**,
    change_profile unsafe /** -> unc[^o]**,
    change_profile unsafe /** -> unco[^n]**,
    change_profile unsafe /** -> uncon[^f]**,
    change_profile unsafe /** -> unconf[^i]**,
    change_profile unsafe /** -> unconfi[^n]**,
    change_profile unsafe /** -> unconfin[^e]**,
    change_profile unsafe /** -> unconfine[^d]**,
    change_profile unsafe /** -> unconfined?**,

    # allow changing to a few not caught above
    change_profile unsafe /** -> {u,un,unc,unco,uncon,unconf,unconfi,unconfin,unconfine},

    # LP: #1446794 - when this bug is fixed, change the above to:
    # deny change_profile unsafe /** -> {unconfined,/**},
    # change_profile unsafe /** -> **,

    # reading seccomp filters
    /{tmp/snap.rootfs_*/,}var/lib/snapd/seccomp/bpf/*.bin r,

    # LP: #1668659 and parallel instances of classic snaps
    mount options=(rw rbind) /snap/ -> /snap/,
    mount options=(rw rshared) -> /snap/,
    mount options=(rw rbind) /var/lib/snapd/snap/ -> /var/lib/snapd/snap/,
    mount options=(rw rshared) -> /var/lib/snapd/snap/,

    # bootstrapping the mount namespace
    mount options=(rw rshared) -> /,
    mount options=(rw bind) /tmp/snap.rootfs_*/ -> /tmp/snap.rootfs_*/,
    mount options=(rw unbindable) -> /tmp/snap.rootfs_*/,
    # the next line is for classic system
    mount options=(rw rbind) @SNAP_MOUNT_DIR@/*/*/ -> /tmp/snap.rootfs_*/,
    # the next line is for core system
    mount options=(rw rbind) / -> /tmp/snap.rootfs_*/,
    # all of the constructed rootfs is a rslave
    mount options=(rw rslave) -> /tmp/snap.rootfs_*/,
    # bidirectional mounts (for both classic and core)
    # NOTE: this doesn't capture the MERGED_USR configuration option so that
    # when a distro with merged /usr and / that uses apparmor shows up it
    # should be handled here.
    /{,run/}media/ w,
    mount options=(rw rbind) /{,run/}media/ -> /tmp/snap.rootfs_*/{,run/}media/,
    /run/netns/ w,
    mount options=(rw rbind) /run/netns/ -> /tmp/snap.rootfs_*/run/netns/,
    # unidirectional mounts (only for classic system)
    # Each host directory is rbind-mounted into the new rootfs and then made
    # rslave so that mount events propagate from the host into the snap's
    # namespace but not back.
    mount options=(rw rbind) /dev/ -> /tmp/snap.rootfs_*/dev/,
    mount options=(rw rslave) -> /tmp/snap.rootfs_*/dev/,

    mount options=(rw rbind) /etc/ -> /tmp/snap.rootfs_*/etc/,
    mount options=(rw rslave) -> /tmp/snap.rootfs_*/etc/,

    mount options=(rw rbind) /home/ -> /tmp/snap.rootfs_*/home/,
    mount options=(rw rslave) -> /tmp/snap.rootfs_*/home/,

    mount options=(rw rbind) /root/ -> /tmp/snap.rootfs_*/root/,
    mount options=(rw rslave) -> /tmp/snap.rootfs_*/root/,

    mount options=(rw rbind) /proc/ -> /tmp/snap.rootfs_*/proc/,
    mount options=(rw rslave) -> /tmp/snap.rootfs_*/proc/,

    mount options=(rw rbind) /sys/ -> /tmp/snap.rootfs_*/sys/,
    mount options=(rw rslave) -> /tmp/snap.rootfs_*/sys/,

    mount options=(rw rbind) /tmp/ -> /tmp/snap.rootfs_*/tmp/,
    mount options=(rw rslave) -> /tmp/snap.rootfs_*/tmp/,

    mount options=(rw rbind) /var/lib/dhcp/ -> /tmp/snap.rootfs_*/var/lib/dhcp/,
    mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/lib/dhcp/,

    mount options=(rw rbind) /var/lib/snapd/ -> /tmp/snap.rootfs_*/var/lib/snapd/,
    mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/lib/snapd/,

    mount options=(rw rbind) /var/snap/ -> /tmp/snap.rootfs_*/var/snap/,
    mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/snap/,

    mount options=(rw rbind) /var/tmp/ -> /tmp/snap.rootfs_*/var/tmp/,
    # /var/volatile is the default volatile location on Yocto/Poky, typically used with read-only rootfs setups
    mount options=(rw rbind) /var/volatile/tmp/ -> /tmp/snap.rootfs_*/var/tmp/,
    mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/tmp/,

    mount options=(rw rbind) /run/ -> /tmp/snap.rootfs_*/run/,
    mount options=(rw rslave) -> /tmp/snap.rootfs_*/run/,

    mount options=(rw rbind) /var/lib/extrausers/ -> /tmp/snap.rootfs_*/var/lib/extrausers/,
    mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/lib/extrausers/,

    mount options=(rw rbind) {,/usr}/lib{,32,64,x32}/modules/ -> /tmp/snap.rootfs_*{,/usr}/lib/modules/,
    mount options=(rw rslave) -> /tmp/snap.rootfs_*{,/usr}/lib/modules/,

    mount options=(rw rbind) {,/usr}/lib{,32,64,x32}/firmware/ -> /tmp/snap.rootfs_*{,/usr}/lib/firmware/,
    mount options=(rw rslave) -> /tmp/snap.rootfs_*{,/usr}/lib/firmware/,

    mount options=(rw rbind) /var/log/ -> /tmp/snap.rootfs_*/var/log/,
    # /var/volatile is the default volatile location on Yocto/Poky, typically used with read-only rootfs setups
    mount options=(rw rbind) /var/volatile/log/ -> /tmp/snap.rootfs_*/var/log/,
    mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/log/,

    mount options=(rw rbind) /usr/src/ -> /tmp/snap.rootfs_*/usr/src/,
    mount options=(rw rslave) -> /tmp/snap.rootfs_*/usr/src/,

    mount options=(rw rbind) /mnt/ -> /tmp/snap.rootfs_*/mnt/,
    mount options=(rw rslave) -> /tmp/snap.rootfs_*/mnt/,

    # allow making host snap-exec available inside base snaps
    mount options=(rw bind) @LIBEXECDIR@/ -> /tmp/snap.rootfs_*/usr/lib/snapd/,
    mount options=(rw slave) -> /tmp/snap.rootfs_*/usr/lib/snapd/,

    # allow making re-execed host snap-exec available inside base snaps
    mount options=(ro bind) @SNAP_MOUNT_DIR@/core/*/usr/lib/snapd/ -> /tmp/snap.rootfs_*/usr/lib/snapd/,
    # allow making snapd snap tools available inside base snaps
    mount options=(ro bind) @SNAP_MOUNT_DIR@/snapd/*/usr/lib/snapd/ -> /tmp/snap.rootfs_*/usr/lib/snapd/,

    mount options=(rw bind) /usr/bin/snapctl -> /tmp/snap.rootfs_*/usr/bin/snapctl,
    mount options=(rw slave) -> /tmp/snap.rootfs_*/usr/bin/snapctl,

    # /etc/alternatives (classic and normal mode)
    mount options=(rw bind) @SNAP_MOUNT_DIR@/*/*/etc/alternatives/ -> /tmp/snap.rootfs_*/etc/alternatives/,
    mount options=(rw bind) @SNAP_MOUNT_DIR@/*/*/etc/ssl/ -> /tmp/snap.rootfs_*/etc/ssl/,
    mount options=(rw bind) @SNAP_MOUNT_DIR@/*/*/etc/nsswitch.conf -> /tmp/snap.rootfs_*/etc/nsswitch.conf,
    mount options=(rw bind) @SNAP_MOUNT_DIR@/*/*/etc/apparmor/ -> /tmp/snap.rootfs_*/etc/apparmor/,
    mount options=(rw bind) @SNAP_MOUNT_DIR@/*/*/etc/apparmor.d/ -> /tmp/snap.rootfs_*/etc/apparmor.d/,

    # /etc/alternatives (core/legacy mode)
    mount options=(rw bind) /etc/alternatives/ -> /tmp/snap.rootfs_*/etc/alternatives/,

    # making all those directories slave shared.
    mount options=(rw slave) -> /tmp/snap.rootfs_*/etc/alternatives/,
    mount options=(rw slave) -> /tmp/snap.rootfs_*/etc/ssl/,
    mount options=(rw slave) -> /tmp/snap.rootfs_*/etc/nsswitch.conf,
    mount options=(rw slave) -> /tmp/snap.rootfs_*/etc/apparmor/,
    mount options=(rw slave) -> /tmp/snap.rootfs_*/etc/apparmor.d/,

    # the /snap directory
    mount options=(rw rbind) @SNAP_MOUNT_DIR@/ -> /tmp/snap.rootfs_*/snap/,
    mount options=(rw rslave) -> /tmp/snap.rootfs_*/snap/,
    # pivot_root preparation and execution
    mount options=(rw bind) /tmp/snap.rootfs_*/var/lib/snapd/hostfs/ -> /tmp/snap.rootfs_*/var/lib/snapd/hostfs/,
    mount options=(rw private) -> /tmp/snap.rootfs_*/var/lib/snapd/hostfs/,

    # pivot_root mediation in AppArmor is not complete. See LP: #1791711.
    # However, we can mediate the new_root and put_old to be what we expect,
    # and then deny directory creation within old_root to prevent trivial
    # pivoting into a whitelisted path.
    pivot_root oldroot=/tmp/snap.rootfs_*/var/lib/snapd/hostfs/ /tmp/snap.rootfs_*/,
    # Explicitly deny creating the old_root directory in case it is
    # inadvertently added somewhere else. While this doesn't resolve
    # LP: #1791711, it provides some hardening.
    # (deny rules take precedence over the allow rules in this profile, so
    # this also overrides the broad "/var/lib/** rw" grant further down for
    # these specific paths — but only inside the new rootfs.)
    audit deny /tmp/snap.rootfs_*/{var/,var/lib/,var/lib/snapd/,var/lib/snapd/hostfs/} w,

    # cleanup: unmount the hostfs views of the nested rootfs and of the
    # sys/dev/proc pseudo-filesystems, then stop propagation into hostfs
    umount /var/lib/snapd/hostfs/tmp/snap.rootfs_*/,
    umount /var/lib/snapd/hostfs/sys/,
    umount /var/lib/snapd/hostfs/dev/,
    umount /var/lib/snapd/hostfs/proc/,
    mount options=(rw rslave) -> /var/lib/snapd/hostfs/,

    # Hide /writable from view of snaps.
    mount options=(rprivate) -> /{,var/lib/snapd/hostfs/}writable/,
    umount /{,var/lib/snapd/hostfs/}writable/,

    # set up user mount namespace
    mount options=(rslave) -> /,

    # set up mount namespace for parallel instances of classic snaps
    mount options=(rw rbind) @SNAP_MOUNT_DIR@/{,*/} -> @SNAP_MOUNT_DIR@/{,*/},
    mount options=(rslave) -> @SNAP_MOUNT_DIR@/,
    mount options=(rslave) -> /var/snap/,
    mount options=(rw rbind) /var/snap/{,*/} -> /var/snap/{,*/},
    mount options=(rw rshared) -> /var/snap/,

    # Allow reading the os-release file (possibly a symlink to /usr/lib).
    /{etc/,usr/lib/}os-release r,

    # Allow creating /var/lib/snapd/hostfs, if missing
    /var/lib/snapd/hostfs/ rw,

    # set up snap-specific private /tmp dir
    capability chown,
    /tmp/ rw,
    /tmp/snap.*/ rw,
    /tmp/snap.*/tmp/ rw,
    mount options=(rw private) ->  /tmp/,
    mount options=(rw bind) /tmp/snap.*/tmp/ -> /tmp/,
    mount fstype=devpts options=(rw) devpts -> /dev/pts/,
    mount options=(rw bind) /dev/pts/ptmx -> /dev/ptmx,     # for bind mounting
    mount options=(rw bind) /dev/pts/ptmx -> /dev/pts/ptmx, # for bind mounting under LXD
    # Workaround for LP: #1584456 on older kernels that mistakenly think
    # /dev/pts/ptmx needs a trailing '/'
    mount options=(rw bind) /dev/pts/ptmx/ -> /dev/ptmx/,
    mount options=(rw bind) /dev/pts/ptmx/ -> /dev/pts/ptmx/,

    # for running snaps on classic
    /snap/ r,
    /snap/** r,
    @SNAP_MOUNT_DIR@/ r,
    @SNAP_MOUNT_DIR@/** r,

    # NOTE: at this stage the /snap directory is stable as we have called
    # pivot_root already.

    # nvidia handling, glob needs /usr/** and the launcher must be
    # able to bind mount the nvidia dir
    /sys/module/nvidia/version r,
    /sys/**/drivers/nvidia{,_*}/* r,
    /sys/**/nvidia*/uevent r,
    /sys/module/nvidia{,_*}/* r,
    /dev/nvidia[0-9]* r,
    /dev/nvidiactl r,
    /dev/nvidia-uvm r,
    # NOTE(review): a broad read grant; together with "/var/lib/** rw" below
    # this is the widest file rule in the profile.
    /usr/** r,
    # NOTE(review): the next two rules are byte-identical; one is redundant.
    mount options=(rw bind) /usr/lib{,32}/nvidia-*/ -> /{tmp/snap.rootfs_*/,}var/lib/snapd/lib/gl{,32}/,
    mount options=(rw bind) /usr/lib{,32}/nvidia-*/ -> /{tmp/snap.rootfs_*/,}var/lib/snapd/lib/gl{,32}/,
    /tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/{,*} w,
    # the gl directory is a tmpfs that is populated and then remounted read-only
    mount fstype=tmpfs options=(rw nodev noexec) none -> /tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/,
    mount options=(remount ro bind) -> /tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/,

    # Vulkan support (same tmpfs-then-remount-ro pattern as gl above)
    /tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/{,*} w,
    mount fstype=tmpfs options=(rw nodev noexec) none -> /tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/,
    mount options=(remount ro bind) -> /tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/,

    # GLVND EGL vendor (same tmpfs-then-remount-ro pattern as gl above)
    /tmp/snap.rootfs_*/var/lib/snapd/lib/glvnd/{,*} w,
    mount fstype=tmpfs options=(rw nodev noexec) none -> /tmp/snap.rootfs_*/var/lib/snapd/lib/glvnd/,
    mount options=(remount ro bind) -> /tmp/snap.rootfs_*/var/lib/snapd/lib/glvnd/,

    # create gl dirs as needed
    /tmp/snap.rootfs_*/ r,
    /tmp/snap.rootfs_*/var/ r,
    /tmp/snap.rootfs_*/var/lib/ r,
    /tmp/snap.rootfs_*/var/lib/snapd/ r,
    /tmp/snap.rootfs_*/var/lib/snapd/lib/ r,
    /tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/ r,
    /tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/** rw,
    /tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/ r,
    /tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/** rw,
    /tmp/snap.rootfs_*/var/lib/snapd/lib/glvnd/ r,
    /tmp/snap.rootfs_*/var/lib/snapd/lib/glvnd/** rw,

    # for chroot on steroids, we use pivot_root as a better chroot that makes
    # apparmor rules behave the same on classic and outside of classic.

    # for creating the user data directories: ~/snap, ~/snap/<name> and
    # ~/snap/<name>/<version>
    / r,
    @{HOMEDIRS}/ r,
    # These should both have 'owner' match but due to LP: #1466234, we can't
    # yet
    @{HOME}/ r,
    @{HOME}/snap/{,*/,*/*/} rw,

    # Special case for *classic* snaps that are used by users with existing dirs
    # in /var/lib/. Like jenkins, postgresql, mysql, puppet, ...
    # (see https://forum.snapcraft.io/t/9717)
    # TODO: this can be removed once home directories outside of /home are
    #       better supported
    /var/ r,
    /var/lib/ r,
    # These should both have 'owner' match but due to LP: #1466234, we can't
    # yet
    /var/lib/*/ r,
    /var/lib/*/snap/{,*/,*/*/} rw,

    # for creating the user shared memory directories
    /{dev,run}/{,shm/} r,
    # This should have 'owner' match but due to LP: #1466234, we can't yet
    /{dev,run}/shm/{,*/,*/*/} rw,

    # for creating the user XDG_RUNTIME_DIR: /run/user, /run/user/UID and
    # /run/user/UID/<name>
    /run/user/{,[0-9]*/,[0-9]*/*/} rw,

    # Workaround https://launchpad.net/bugs/359338 until upstream handles
    # stacked filesystems generally.
    # encrypted ~/.Private and old-style encrypted $HOME
    @{HOME}/.Private/ r,
    @{HOME}/.Private/** mrixwlk,
    # new-style encrypted $HOME
    @{HOMEDIRS}/.ecryptfs/*/.Private/ r,
    @{HOMEDIRS}/.ecryptfs/*/.Private/** mrixwlk,

    # Allow snap-confine to move to the void, creating it if necessary.
    /var/lib/snapd/void/ rw,

    # Allow snap-confine to read snap contexts
    /var/lib/snapd/context/snap.* r,

    # Allow snap-confine to unmount stale mount namespaces.
    umount /run/snapd/ns/*.mnt,
    /run/snapd/ns/snap.*.fstab w,
    # Allow snap-confine to read and write mount namespace information files.
    /run/snapd/ns/snap.*.info rw,
    # Required to correctly unmount bound mount namespace.
    # See LP: #1735459 for details.
    umount /,

    # support for locking
    /run/snapd/lock/ rw,
    /run/snapd/lock/*.lock rwk,

    # support for the mount namespace sharing
    capability sys_ptrace,
    # allow snap-confine to read /proc/1/ns/mnt
    ptrace read peer=unconfined,
    # https://forum.snapcraft.io/t/custom-kernel-error-on-readlinkat-in-mount-namespace/6097/21
    # NOTE(review): "trace" on unconfined peers is a considerably broader
    # grant than the "read" above; the linked thread is the rationale for it.
    ptrace trace peer=unconfined,

    mount options=(rw rbind) /run/snapd/ns/ -> /run/snapd/ns/,
    mount options=(private) -> /run/snapd/ns/,
    / rw,
    /run/ rw,
    /run/snapd/ rw,
    /run/snapd/ns/ rw,
    /run/snapd/ns/*.lock rwk,
    /run/snapd/ns/*.mnt rw,
    # the capture helper runs in the ^mount-namespace-capture-helper hat
    # defined below; these rules let the parent and the hat observe and
    # signal each other
    ptrace (read, readby, tracedby) peer=@LIBEXECDIR@/snap-confine//mount-namespace-capture-helper,
    @{PROC}/*/mountinfo r,
    capability sys_chroot,
    capability sys_admin,
    signal (send, receive) set=(abrt) peer=@LIBEXECDIR@/snap-confine,
    signal (send) set=(int) peer=@LIBEXECDIR@/snap-confine//mount-namespace-capture-helper,
    signal (send, receive) set=(int, alrm, exists) peer=@LIBEXECDIR@/snap-confine,
    signal (receive) set=(exists) peer=@LIBEXECDIR@/snap-confine//mount-namespace-capture-helper,

    # workaround for linux 4.13/upstream, see
    # https://forum.snapcraft.io/t/snapd-2-27-6-2-in-debian-sid-blocked-on-apparmor-in-kernel-4-13-0-1/2813/3
    ptrace (trace, tracedby) peer=@LIBEXECDIR@/snap-confine,

    # Allow reading snap cookies.
    /var/lib/snapd/cookie/snap.* r,

    # For aa_change_hat() to go into ^mount-namespace-capture-helper
    @{PROC}/[0-9]*/attr/{,apparmor/}current w,

    # As a special exception allow snap-confine to write to anything in /var/lib.
    # This code should be changed to allow delegation so that snap-confine can
    # inherit any file descriptor and pass it to the invoked application but
    # this is not possible in apparmor yet.
    # See https://bugs.launchpad.net/snapd/+bug/1815869
    /var/lib/** rw,

    # Hat used while capturing a mount namespace: snap-confine enters it via
    # aa_change_hat() (see the attr/current write rule above). The rules here
    # form a separate, smaller rule set; note that the hat has no change_profile
    # rules and no mount-namespace construction rules of its own.
    ^mount-namespace-capture-helper (attach_disconnected) {
        # We run privileged, so be fanatical about what we include and don't use
        # any abstractions
        # NOTE(review): unlike the parent profile there is no /etc/ld.so.preload
        # rule here; presumably intentional — confirm.
        /etc/ld.so.cache r,
        /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}ld-*.so mrix,
        # libc, you are funny
        /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libc{,-[0-9]*}.so* mr,
        /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libpthread{,-[0-9]*}.so* mr,
        /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libreadline{,-[0-9]*}.so* mr,
        /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}librt{,-[0-9]*}.so* mr,
        /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libgcc_s.so* mr,
        /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libncursesw{,-[0-9]*}.so* mr,
        /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libresolv{,-[0-9]*}.so* mr,
        /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libselinux.so* mr,
        # NOTE(review): the parent profile allows libpcre{,2}{,-[0-9]*} but this
        # hat only lists libpcre; presumably moot because the libraries are
        # already mapped when the hat is entered, but the two lists should be
        # kept in sync — confirm.
        /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libpcre.so* mr,
        /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libmount.so* mr,
        /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libblkid.so* mr,
        /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libuuid.so* mr,
        # normal libs in order
        /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libapparmor.so* mr,
        /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcgmanager.so* mr,
        /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libdl{,-[0-9]*}.so* mr,
        /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnih.so* mr,
        /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnih-dbus.so* mr,
        /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libdbus-1.so* mr,
        /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libudev.so* mr,
        /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libseccomp.so* mr,
        /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcap.so* mr,

        @LIBEXECDIR@/snap-confine mr,

        /dev/null rw,
        /dev/full rw,
        /dev/zero rw,
        /dev/random r,
        /dev/urandom r,

        capability sys_ptrace,
        capability sys_admin,
        # This allows us to read and bind mount the namespace file
        / r,
        @{PROC}/ r,
        @{PROC}/*/ r,
        @{PROC}/*/ns/ r,
        @{PROC}/*/ns/mnt r,
        /run/ r,
        /run/snapd/ r,
        /run/snapd/ns/ r,
        /run/snapd/ns/*.mnt rw,
        # NOTE: the source name is / even though we map /proc/123/ns/mnt
        mount options=(rw bind) / -> /run/snapd/ns/*.mnt,
        # This is the SIGALRM that we send and receive if a timeout expires
        signal (send, receive) set=(alrm) peer=@LIBEXECDIR@/snap-confine//mount-namespace-capture-helper,
        # These two rules grant the same signal to two different peers because
        # we don't know if the parent process is still alive and hence has the
        # snap-confine label, or is already dead and hence has no label.
        signal (send) set=(exists) peer=@LIBEXECDIR@/snap-confine,
        signal (send) set=(exists) peer=unconfined,
        # This is so that we can abort
        signal (send, receive) set=(abrt) peer=@LIBEXECDIR@/snap-confine//mount-namespace-capture-helper,
        # This is the signal we get if snap-confine dies (we subscribe to it with prctl)
        signal (receive) set=(int) peer=@LIBEXECDIR@/snap-confine,
        # This allows snap-confine to be killed from the outside.
        signal (receive) peer=unconfined,
        # This allows snap-confine to wait for us
        ptrace (read, trace, tracedby) peer=@LIBEXECDIR@/snap-confine,
    }

    # Allow snap-confine to be killed
    signal (receive) peer=unconfined,

    # Allow switching to snap-update-ns with a per-snap profile.
    # Unlike the change_profile rules near the top, this transition is not
    # marked 'unsafe'.
    change_profile -> snap-update-ns.*,

    # Allow executing snap-update-ns when...
    # (only 'r' is granted on the binaries; the actual exec transition is
    # covered by the change_profile rule above)

    # ...snap-confine is, conceptually, re-executing and uses snap-update-ns
    # from the distribution package. This is also the location used when using
    # the core/base snap on all-snap systems. The variants here represent
    # various locations of libexecdir across distributions.
    /usr/lib{,exec,64}/snapd/snap-update-ns r,

    # ...snap-confine is not, conceptually, re-executing and uses
    # snap-update-ns from the distribution package but we are already inside
    # the constructed mount namespace so we must traverse "hostfs". The
    # variants here represent various locations of libexecdir across
    # distributions.
    /var/lib/snapd/hostfs/usr/lib{,exec,64}/snapd/snap-update-ns r,

    # ...snap-confine is, conceptually, re-executing and uses snap-update-ns
    # from the core or snapd snaps. Note that the location of the actual snap
    # varies from distribution to distribution. The variants here represent
    # different locations of snap mount directory across distributions.
    /{,var/lib/snapd/}snap/{core,snapd}/*/usr/lib/snapd/snap-update-ns r,

    # ...snap-confine is, conceptually, re-executing and uses snap-update-ns
    # from the core snap or snapd snap, but we are already inside the
    # constructed mount namespace. Here the apparmor kernel module
    # re-constructs the path to snap-update-ns using the "hostfs" mount entry
    # rather than the more "natural" /snap mount entry but we have no control
    # over that.  This is reported as (LP: #1716339). The variants here
    # represent different locations of snap mount directory across
    # distributions.
    /var/lib/snapd/hostfs/{,var/lib/snapd/}snap/{core,snapd}/*/usr/lib/snapd/snap-update-ns r,

    # Allow executing snap-discard-ns, just like the set for snap-update-ns
    # above but with the key difference that snap-discard-ns does not
    # have a dedicated profile so we need to inherit snap-confine's profile.
    # (hence 'ix' rather than 'r' + change_profile)

    /usr/lib{,exec,64}/snapd/snap-discard-ns rix,
    /var/lib/snapd/hostfs/usr/lib{,exec,64}/snapd/snap-discard-ns rix,
    /{,var/lib/snapd/}snap/{core,snapd}/*/usr/lib/snapd/snap-discard-ns rix,
    /var/lib/snapd/hostfs/{,var/lib/snapd/}snap/{core,snapd}/*/usr/lib/snapd/snap-discard-ns rix,

    # Allow mounting /var/lib/jenkins from the host into the snap.
    mount options=(rw rbind) /var/lib/jenkins/ -> /tmp/snap.rootfs_*/var/lib/jenkins/,
    mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/lib/jenkins/,

    # Suppress noisy file_inherit denials (LP: #1850552) until LP: #1849753 is
    # fixed.
    deny /dev/shm/.org.chromium.Chromium.* rw,

    # While snap-confine itself doesn't require unix rules and therefore all
    # unix rules are implicitly denied, adding an explicit deny for unix to
    # silence noisy denials breaks nested lxd. Until the cause is determined,
    # do not use an explicit deny for unix. (LP: #1855355)
    #deny unix,

    # Explicitly deny these accesses which show up on Arch to silence the
    # denials for this unneeded access.
    deny /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnss_files-[0-9]*.so* mr,
    deny /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnss_mymachines.[0-9]*.so* mr,
    deny /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnss_systemd.[0-9]*.so* mr,
    deny /etc/nsswitch.conf r,
    deny /etc/passwd r,
}
   586      deny /etc/passwd r,
   587  }