Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- # Author: Jamie Strandboge <jamie@canonical.com>
- #include <tunables/global>
- /usr/lib/snapd/snap-confine (attach_disconnected) {
- # Include any additional files that snapd chose to generate.
- # - for $HOME on NFS
- # - for $HOME on encrypted media
- #
- # Those are discussed on https://forum.snapcraft.io/t/snapd-vs-upstream-kernel-vs-apparmor
- # and https://forum.snapcraft.io/t/snaps-and-nfs-home/
- #include "/var/lib/snapd/apparmor/snap-confine"
- # We run privileged, so be fanatical about what we include and don't use
- # any abstractions
- /etc/ld.so.cache r,
- /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}ld-*.so mrix,
- # libc, you are funny
- /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libc{,-[0-9]*}.so* mr,
- /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libpthread{,-[0-9]*}.so* mr,
- /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libreadline{,-[0-9]*}.so* mr,
- /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}librt{,-[0-9]*}.so* mr,
- /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libgcc_s.so* mr,
- /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libncursesw{,-[0-9]*}.so* mr,
- /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libresolv{,-[0-9]*}.so* mr,
- /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libselinux.so* mr,
- /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libpcre.so* mr,
- # normal libs in order
- /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libapparmor.so* mr,
- /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcgmanager.so* mr,
- /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libdl{,-[0-9]*}.so* mr,
- /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnih.so* mr,
- /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnih-dbus.so* mr,
- /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libdbus-1.so* mr,
- /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libudev.so* mr,
- /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libseccomp.so* mr,
- /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcap.so* mr,
- /usr/lib/snapd/snap-confine mr,
- /dev/null rw,
- /dev/full rw,
- /dev/zero rw,
- /dev/random r,
- /dev/urandom r,
- /dev/pts/[0-9]* rw,
- /dev/tty rw,
- # cgroup: devices
- capability sys_admin,
- capability dac_override,
- /sys/fs/cgroup/devices/snap{,py}.*/ w,
- /sys/fs/cgroup/devices/snap{,py}.*/tasks w,
- /sys/fs/cgroup/devices/snap{,py}.*/devices.{allow,deny} w,
- # cgroup: freezer
- # Allow creating per-snap cgroup freezers and adding snap command (task)
- # invocations to the freezer. This allows for reliably enumerating all
- # running tasks for the snap. In addition, allow enumerating processes in
- # the cgroup to determine if it is occupied.
- /sys/fs/cgroup/freezer/ r,
- /sys/fs/cgroup/freezer/snap.*/ w,
- /sys/fs/cgroup/freezer/snap.*/tasks w,
- /sys/fs/cgroup/freezer/snap.*/cgroup.procs r,
- # querying udev
- /etc/udev/udev.conf r,
- /sys/**/uevent r,
- /usr/lib/snapd/snap-device-helper ixr, # drop
- /lib/udev/snappy-app-dev ixr, # drop
- /run/udev/** rw,
- /{,usr/}bin/tr ixr,
- /usr/lib/locale/** r,
- /usr/lib/@{multiarch}/gconv/gconv-modules r,
- /usr/lib/@{multiarch}/gconv/gconv-modules.cache r,
- # priv dropping
- capability setuid,
- capability setgid,
- # changing profile
- @{PROC}/[0-9]*/attr/exec w,
- # Reading current profile
- @{PROC}/[0-9]*/attr/current r,
- # Reading available filesystems
- @{PROC}/filesystems r,
- # To find where apparmor is mounted
- @{PROC}/[0-9]*/mounts r,
- # To find if apparmor is enabled
- /sys/module/apparmor/parameters/enabled r,
- # Don't allow changing profile to unconfined or profiles that start with
- # '/'. Use 'unsafe' to support snap-exec on armhf and its reliance on
- # the environment for determining the capabilities of the architecture.
- # 'unsafe' is ok here because the kernel will have already cleared the
- # environment as part of launching snap-confine with
- # CAP_SYS_ADMIN.
- change_profile unsafe /** -> [^u/]**,
- change_profile unsafe /** -> u[^n]**,
- change_profile unsafe /** -> un[^c]**,
- change_profile unsafe /** -> unc[^o]**,
- change_profile unsafe /** -> unco[^n]**,
- change_profile unsafe /** -> uncon[^f]**,
- change_profile unsafe /** -> unconf[^i]**,
- change_profile unsafe /** -> unconfi[^n]**,
- change_profile unsafe /** -> unconfin[^e]**,
- change_profile unsafe /** -> unconfine[^d]**,
- change_profile unsafe /** -> unconfined?**,
- # allow changing to a few not caught above
- change_profile unsafe /** -> {u,un,unc,unco,uncon,unconf,unconfi,unconfin,unconfine},
- # LP: #1446794 - when this bug is fixed, change the above to:
- # deny change_profile unsafe /** -> {unconfined,/**},
- # change_profile unsafe /** -> **,
- # reading seccomp filters
- /{tmp/snap.rootfs_*/,}var/lib/snapd/seccomp/bpf/*.bin r,
- # ensuring correct permissions in sc_quirk_create_writable_mimic
- /{tmp/snap.rootfs_*/,}var/lib/ rw,
- # LP: #1668659
- mount options=(rw rbind) /snap/ -> /snap/,
- mount options=(rw rshared) -> /snap/,
- # boostrapping the mount namespace
- mount options=(rw rshared) -> /,
- mount options=(rw bind) /tmp/snap.rootfs_*/ -> /tmp/snap.rootfs_*/,
- mount options=(rw unbindable) -> /tmp/snap.rootfs_*/,
- # the next line is for classic system
- mount options=(rw rbind) /snap/*/*/ -> /tmp/snap.rootfs_*/,
- # the next line is for core system
- mount options=(rw rbind) / -> /tmp/snap.rootfs_*/,
- # all of the constructed rootfs is a rslave
- mount options=(rw rslave) -> /tmp/snap.rootfs_*/,
- # bidirectional mounts (for both classic and core)
- # NOTE: this doesn't capture the MERGED_USR configuration option so that
- # when a distro with merged /usr and / that uses apparmor shows up it
- # should be handled here.
- /{,run/}media/ w,
- mount options=(rw rbind) /media/ -> /tmp/snap.rootfs_*/media/,
- /run/netns/ w,
- mount options=(rw rbind) /run/netns/ -> /tmp/snap.rootfs_*/run/netns/,
- # unidirectional mounts (only for classic system)
- mount options=(rw rbind) /dev/ -> /tmp/snap.rootfs_*/dev/,
- mount options=(rw rslave) -> /tmp/snap.rootfs_*/dev/,
- mount options=(rw rbind) /etc/ -> /tmp/snap.rootfs_*/etc/,
- mount options=(rw rslave) -> /tmp/snap.rootfs_*/etc/,
- mount options=(rw rbind) /home/ -> /tmp/snap.rootfs_*/home/,
- mount options=(rw rslave) -> /tmp/snap.rootfs_*/home/,
- mount options=(rw rbind) /root/ -> /tmp/snap.rootfs_*/root/,
- mount options=(rw rslave) -> /tmp/snap.rootfs_*/root/,
- mount options=(rw rbind) /proc/ -> /tmp/snap.rootfs_*/proc/,
- mount options=(rw rslave) -> /tmp/snap.rootfs_*/proc/,
- mount options=(rw rbind) /sys/ -> /tmp/snap.rootfs_*/sys/,
- mount options=(rw rslave) -> /tmp/snap.rootfs_*/sys/,
- mount options=(rw rbind) /tmp/ -> /tmp/snap.rootfs_*/tmp/,
- mount options=(rw rslave) -> /tmp/snap.rootfs_*/tmp/,
- mount options=(rw rbind) /var/lib/snapd/ -> /tmp/snap.rootfs_*/var/lib/snapd/,
- mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/lib/snapd/,
- mount options=(rw rbind) /var/snap/ -> /tmp/snap.rootfs_*/var/snap/,
- mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/snap/,
- mount options=(rw rbind) /var/tmp/ -> /tmp/snap.rootfs_*/var/tmp/,
- mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/tmp/,
- mount options=(rw rbind) /run/ -> /tmp/snap.rootfs_*/run/,
- mount options=(rw rslave) -> /tmp/snap.rootfs_*/run/,
- mount options=(rw rbind) {,/usr}/lib{,32,64,x32}/modules/ -> /tmp/snap.rootfs_*{,/usr}/lib/modules/,
- mount options=(rw rslave) -> /tmp/snap.rootfs_*{,/usr}/lib/modules/,
- mount options=(rw rbind) /var/log/ -> /tmp/snap.rootfs_*/var/log/,
- mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/log/,
- mount options=(rw rbind) /usr/src/ -> /tmp/snap.rootfs_*/usr/src/,
- mount options=(rw rslave) -> /tmp/snap.rootfs_*/usr/src/,
- # allow making host snap-exec available inside base snaps
- mount options=(rw bind) /usr/lib/snapd/ -> /tmp/snap.rootfs_*/usr/lib/snapd/,
- mount options=(rw slave) -> /tmp/snap.rootfs_*/usr/lib/snapd/,
- # allow making re-execed host snap-exec available inside base snaps
- mount options=(ro bind) /snap/core/*/usr/lib/snapd/ -> /tmp/snap.rootfs_*/usr/lib/snapd/,
- mount options=(rw bind) /usr/bin/snapctl -> /tmp/snap.rootfs_*/usr/bin/snapctl,
- mount options=(rw slave) -> /tmp/snap.rootfs_*/usr/bin/snapctl,
- # /etc/alternatives (classic)
- mount options=(rw bind) /snap/{,ubuntu-}core/*/etc/alternatives/ -> /tmp/snap.rootfs_*/etc/alternatives/,
- mount options=(rw bind) /snap/*/*/etc/ssl/ -> /tmp/snap.rootfs_*/etc/ssl/,
- mount options=(rw bind) /snap/*/*/etc/nsswitch.conf -> /tmp/snap.rootfs_*/etc/nsswitch.conf,
- # /etc/alternatives (core)
- mount options=(rw bind) /etc/alternatives/ -> /tmp/snap.rootfs_*/etc/alternatives/,
- mount options=(rw slave) -> /tmp/snap.rootfs_*/etc/alternatives/,
- mount options=(rw slave) -> /tmp/snap.rootfs_*/etc/ssl/,
- mount options=(rw slave) -> /tmp/snap.rootfs_*/etc/nsswitch.conf,
- # the /snap directory
- mount options=(rw rbind) /snap/ -> /tmp/snap.rootfs_*/snap/,
- mount options=(rw rslave) -> /tmp/snap.rootfs_*/snap/,
- # pivot_root preparation and execution
- mount options=(rw bind) /tmp/snap.rootfs_*/var/lib/snapd/hostfs/ -> /tmp/snap.rootfs_*/var/lib/snapd/hostfs/,
- mount options=(rw private) -> /tmp/snap.rootfs_*/var/lib/snapd/hostfs/,
- pivot_root,
- # cleanup
- umount /var/lib/snapd/hostfs/tmp/snap.rootfs_*/,
- umount /var/lib/snapd/hostfs/sys/,
- umount /var/lib/snapd/hostfs/dev/,
- umount /var/lib/snapd/hostfs/proc/,
- mount options=(rw rslave) -> /var/lib/snapd/hostfs/,
- # Allow reading the os-release file (possibly a symlink to /usr/lib).
- /{etc/,usr/lib/}os-release r,
- # set up snap-specific private /tmp dir
- capability chown,
- /tmp/ w,
- /tmp/snap.*/ w,
- /tmp/snap.*/tmp/ w,
- mount options=(rw private) -> /tmp/,
- mount options=(rw bind) /tmp/snap.*/tmp/ -> /tmp/,
- mount fstype=devpts options=(rw) devpts -> /dev/pts/,
- mount options=(rw bind) /dev/pts/ptmx -> /dev/ptmx, # for bind mounting
- mount options=(rw bind) /dev/pts/ptmx -> /dev/pts/ptmx, # for bind mounting under LXD
- # Workaround for LP: #1584456 on older kernels that mistakenly think
- # /dev/pts/ptmx needs a trailing '/'
- mount options=(rw bind) /dev/pts/ptmx/ -> /dev/ptmx/,
- mount options=(rw bind) /dev/pts/ptmx/ -> /dev/pts/ptmx/,
- # for running snaps on classic
- /snap/ r,
- /snap/** r,
- /snap/ r,
- /snap/** r,
- # NOTE: at this stage the /snap directory is stable as we have called
- # pivot_root already.
- # nvidia handling, glob needs /usr/** and the launcher must be
- # able to bind mount the nvidia dir
- /sys/module/nvidia/version r,
- /sys/**/drivers/nvidia{,_*}/* r,
- /sys/**/nvidia*/uevent r,
- /sys/module/nvidia{,_*}/* r,
- /dev/nvidia[0-9]* r,
- /dev/nvidiactl r,
- /dev/nvidia-uvm r,
- /usr/** r,
- mount options=(rw bind) /usr/lib{,32}/nvidia-*/ -> /{tmp/snap.rootfs_*/,}var/lib/snapd/lib/gl{,32}/,
- mount options=(rw bind) /usr/lib{,32}/nvidia-*/ -> /{tmp/snap.rootfs_*/,}var/lib/snapd/lib/gl{,32}/,
- /tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/{,*} w,
- mount fstype=tmpfs options=(rw nodev noexec) none -> /tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/,
- mount options=(remount ro) -> /tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/,
- # Vulkan support
- /tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/{,*} w,
- mount fstype=tmpfs options=(rw nodev noexec) none -> /tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/,
- mount options=(remount ro) -> /tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/,
- # create gl dirs as needed
- /tmp/snap.rootfs_*/ r,
- /tmp/snap.rootfs_*/var/ r,
- /tmp/snap.rootfs_*/var/lib/ r,
- /tmp/snap.rootfs_*/var/lib/snapd/ r,
- /tmp/snap.rootfs_*/var/lib/snapd/lib/ r,
- /tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/ r,
- /tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/** rw,
- /tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/ r,
- /tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/** rw,
- # for chroot on steroids, we use pivot_root as a better chroot that makes
- # apparmor rules behave the same on classic and outside of classic.
- # for creating the user data directories: ~/snap, ~/snap/<name> and
- # ~/snap/<name>/<version>
- / r,
- @{HOMEDIRS}/ r,
- # These should both have 'owner' match but due to LP: #1466234, we can't
- # yet
- @{HOME}/ r,
- @{HOME}/snap/{,*/,*/*/} rw,
- # for creating the user shared memory directories
- /{dev,run}/{,shm/} r,
- # This should both have 'owner' match but due to LP: #1466234, we can't yet
- /{dev,run}/shm/{,*/,*/*/} rw,
- # for creating the user XDG_RUNTIME_DIR: /run/user, /run/user/UID and
- # /run/user/UID/<name>
- /run/user/{,[0-9]*/,[0-9]*/*/} rw,
- # Workaround https://launchpad.net/bugs/359338 until upstream handles
- # stacked filesystems generally.
- # encrypted ~/.Private and old-style encrypted $HOME
- @{HOME}/.Private/ r,
- @{HOME}/.Private/** mrixwlk,
- # new-style encrypted $HOME
- @{HOMEDIRS}/.ecryptfs/*/.Private/ r,
- @{HOMEDIRS}/.ecryptfs/*/.Private/** mrixwlk,
- # Allow snap-confine to move to the void
- /var/lib/snapd/void/ r,
- # Allow snap-confine to read snap contexts
- /var/lib/snapd/context/snap.* r,
- # Allow snap-confine to unmount stale mount namespaces.
- umount /run/snapd/ns/*.mnt,
- # Required to correctly unmount bound mount namespace.
- # See LP: #1735459 for details.
- umount /,
- # Support for the quirk system
- /var/ r,
- /var/lib/ r,
- /var/lib/** rw,
- /tmp/ r,
- /tmp/snapd.quirks_*/ rw,
- mount options=(move) /var/lib/snapd/ -> /tmp/snapd.quirks_*/,
- mount fstype=tmpfs options=(rw nodev nosuid) none -> /var/lib/,
- mount options=(ro rbind) /snap/{,ubuntu-}core/*/var/lib/** -> /var/lib/**,
- umount /var/lib/snapd/,
- mount options=(move) /tmp/snapd.quirks_*/ -> /var/lib/snapd/,
- # On classic systems with a setuid root snap-confine when run by non-root
- # user, the mimic_dir is created with the gid of the calling user (ie,
- # not '0') so when setting the permissions (chmod) of the mimicked
- # directory to that of the reference directory, a CAP_FSETID is triggered.
- # snap-confine sets the directory up correctly, so simply silence the
- # denial since we don't want to grant the capability as a whole to
- # snap-confine.
- deny capability fsetid,
- # support for the LXD quirk
- mount options=(rw rbind nodev nosuid noexec) /var/lib/snapd/hostfs/var/lib/lxd/ -> /var/lib/lxd/,
- /var/lib/lxd/ w,
- /var/lib/snapd/hostfs/var/lib/lxd r,
- # support for locking
- /run/snapd/lock/ rw,
- /run/snapd/lock/*.lock rwk,
- # support for the mount namespace sharing
- capability sys_ptrace,
- # allow snap-confine to read /proc/1/ns/mnt
- ptrace trace peer=unconfined,
- mount options=(rw rbind) /run/snapd/ns/ -> /run/snapd/ns/,
- mount options=(private) -> /run/snapd/ns/,
- / rw,
- /run/ rw,
- /run/snapd/ rw,
- /run/snapd/ns/ rw,
- /run/snapd/ns/*.lock rwk,
- /run/snapd/ns/*.mnt rw,
- ptrace (read, readby, tracedby) peer=/usr/lib/snapd/snap-confine//mount-namespace-capture-helper,
- @{PROC}/*/mountinfo r,
- capability sys_chroot,
- capability sys_admin,
- signal (send, receive) set=(abrt) peer=/usr/lib/snapd/snap-confine,
- signal (send) set=(int) peer=/usr/lib/snapd/snap-confine//mount-namespace-capture-helper,
- signal (send, receive) set=(int, alrm, exists) peer=/usr/lib/snapd/snap-confine,
- signal (receive) set=(exists) peer=/usr/lib/snapd/snap-confine//mount-namespace-capture-helper,
- # workaround for linux 4.13/upstream, see
- # https://forum.snapcraft.io/t/snapd-2-27-6-2-in-debian-sid-blocked-on-apparmor-in-kernel-4-13-0-1/2813/3
- ptrace (trace, tracedby) peer=/usr/lib/snapd/snap-confine,
- # For aa_change_hat() to go into ^mount-namespace-capture-helper
- @{PROC}/[0-9]*/attr/current w,
- ^mount-namespace-capture-helper (attach_disconnected) {
- # We run privileged, so be fanatical about what we include and don't use
- # any abstractions
- /etc/ld.so.cache r,
- /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}ld-*.so mrix,
- # libc, you are funny
- /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libc{,-[0-9]*}.so* mr,
- /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libpthread{,-[0-9]*}.so* mr,
- /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libreadline{,-[0-9]*}.so* mr,
- /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}librt{,-[0-9]*}.so* mr,
- /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libgcc_s.so* mr,
- /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libncursesw{,-[0-9]*}.so* mr,
- /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libresolv{,-[0-9]*}.so* mr,
- /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libselinux.so* mr,
- /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libpcre.so* mr,
- # normal libs in order
- /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libapparmor.so* mr,
- /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcgmanager.so* mr,
- /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libdl{,-[0-9]*}.so* mr,
- /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnih.so* mr,
- /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnih-dbus.so* mr,
- /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libdbus-1.so* mr,
- /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libudev.so* mr,
- /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libseccomp.so* mr,
- /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcap.so* mr,
- /usr/lib/snapd/snap-confine mr,
- /dev/null rw,
- /dev/full rw,
- /dev/zero rw,
- /dev/random r,
- /dev/urandom r,
- capability sys_ptrace,
- capability sys_admin,
- # This allows us to read and bind mount the namespace file
- / r,
- @{PROC}/ r,
- @{PROC}/*/ r,
- @{PROC}/*/ns/ r,
- @{PROC}/*/ns/mnt r,
- /run/ r,
- /run/snapd/ r,
- /run/snapd/ns/ r,
- /run/snapd/ns/*.mnt rw,
- # NOTE: the source name is / even though we map /proc/123/ns/mnt
- mount options=(rw bind) / -> /run/snapd/ns/*.mnt,
- # This is the SIGALRM that we send and receive if a timeout expires
- signal (send, receive) set=(alrm) peer=/usr/lib/snapd/snap-confine//mount-namespace-capture-helper,
- # Those two rules are exactly the same but we don't know if the parent process is still alive
- # and hence has the appropriate label or is already dead and hence has no label.
- signal (send) set=(exists) peer=/usr/lib/snapd/snap-confine,
- signal (send) set=(exists) peer=unconfined,
- # This is so that we can abort
- signal (send, receive) set=(abrt) peer=/usr/lib/snapd/snap-confine//mount-namespace-capture-helper,
- # This is the signal we get if snap-confine dies (we subscribe to it with prctl)
- signal (receive) set=(int) peer=/usr/lib/snapd/snap-confine,
- # This allows snap-confine to be killed from the outside.
- signal (receive) peer=unconfined,
- # This allows snap-confine to wait for us
- ptrace (read, trace, tracedby) peer=/usr/lib/snapd/snap-confine,
- }
- # Allow snap-confine to be killed
- signal (receive) peer=unconfined,
- # Allow switching to snap-update-ns with a per-snap profile.
- change_profile -> snap-update-ns.*,
- # Allow executing snap-update-ns when...
- # ...snap-confine is, conceptually, re-executing and uses snap-update-ns
- # from the distribution package. This is also the location used when using
- # the core/base snap on all-snap systems. The variants here represent
- # various locations of libexecdir across distributions.
- /usr/lib{,exec,64}/snapd/snap-update-ns r,
- # ...snap-confine is not, conceptually, re-executing and uses
- # snap-update-ns from the distribution package but we are already inside
- # the constructed mount namespace so we must traverse "hostfs". The
- # variants here represent various locations of libexecdir across
- # distributions.
- /var/lib/snapd/hostfs/usr/lib{,exec,64}/snapd/snap-update-ns r,
- # ..snap-confine is, conceptually, re-executing and uses snap-update-ns
- # from the core snap. Note that the location of the core snap varies from
- # distribution to distribution. The variants here represent different
- # locations of snap mount directory across distributions.
- /{,var/lib/snapd/}snap/core/*/usr/lib/snapd/snap-update-ns r,
- # ...snap-confine is, conceptually, re-executing and uses snap-update-ns
- # from the core snap but we are already inside the constructed mount
- # namespace. Here the apparmor kernel module re-constructs the path to
- # snap-update-ns using the "hostfs" mount entry rather than the more
- # "natural" /snap mount entry but we have no control over that. This is
- # reported as (LP: #1716339). The variants here represent different
- # locations of snap mount directory across distributions.
- /var/lib/snapd/hostfs/{,var/lib/snapd/}snap/core/*/usr/lib/snapd/snap-update-ns r,
- }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement