  1. # Author: Jamie Strandboge <jamie@canonical.com>
  2. #include <tunables/global>
  3.  
  4. /usr/lib/snapd/snap-confine (attach_disconnected) {
  5. # Include any additional files that snapd chose to generate.
  6. # - for $HOME on NFS
  7. # - for $HOME on encrypted media
  8. #
  9. # Those are discussed on https://forum.snapcraft.io/t/snapd-vs-upstream-kernel-vs-apparmor
  10. # and https://forum.snapcraft.io/t/snaps-and-nfs-home/
  11. #include "/var/lib/snapd/apparmor/snap-confine"
  12.  
  13. # We run privileged, so be fanatical about what we include and don't use
  14. # any abstractions
  15. /etc/ld.so.cache r,
  16. /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}ld-*.so mrix,
  17. # libc, you are funny
  18. /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libc{,-[0-9]*}.so* mr,
  19. /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libpthread{,-[0-9]*}.so* mr,
  20. /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libreadline{,-[0-9]*}.so* mr,
  21. /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}librt{,-[0-9]*}.so* mr,
  22. /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libgcc_s.so* mr,
  23. /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libncursesw{,-[0-9]*}.so* mr,
  24. /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libresolv{,-[0-9]*}.so* mr,
  25. /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libselinux.so* mr,
  26. /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libpcre.so* mr,
  27. # normal libs in order
  28. /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libapparmor.so* mr,
  29. /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcgmanager.so* mr,
  30. /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libdl{,-[0-9]*}.so* mr,
  31. /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnih.so* mr,
  32. /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnih-dbus.so* mr,
  33. /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libdbus-1.so* mr,
  34. /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libudev.so* mr,
  35. /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libseccomp.so* mr,
  36. /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcap.so* mr,
  37.  
  38. /usr/lib/snapd/snap-confine mr,
  39.  
  40. /dev/null rw,
  41. /dev/full rw,
  42. /dev/zero rw,
  43. /dev/random r,
  44. /dev/urandom r,
  45. /dev/pts/[0-9]* rw,
  46. /dev/tty rw,
  47.  
  48. # cgroup: devices
  49. capability sys_admin,
  50. capability dac_override,
  51. /sys/fs/cgroup/devices/snap{,py}.*/ w,
  52. /sys/fs/cgroup/devices/snap{,py}.*/tasks w,
  53. /sys/fs/cgroup/devices/snap{,py}.*/devices.{allow,deny} w,
  54.  
  55. # cgroup: freezer
  56. # Allow creating per-snap cgroup freezers and adding snap command (task)
  57. # invocations to the freezer. This allows for reliably enumerating all
  58. # running tasks for the snap. In addition, allow enumerating processes in
  59. # the cgroup to determine if it is occupied.
  60. /sys/fs/cgroup/freezer/ r,
  61. /sys/fs/cgroup/freezer/snap.*/ w,
  62. /sys/fs/cgroup/freezer/snap.*/tasks w,
  63. /sys/fs/cgroup/freezer/snap.*/cgroup.procs r,
  64.  
  65. # querying udev
  66. /etc/udev/udev.conf r,
  67. /sys/**/uevent r,
  68. /usr/lib/snapd/snap-device-helper ixr, # TODO: drop this rule
  69. /lib/udev/snappy-app-dev ixr, # TODO: drop this rule
  70. /run/udev/** rw,
  71. /{,usr/}bin/tr ixr,
  72. /usr/lib/locale/** r,
  73. /usr/lib/@{multiarch}/gconv/gconv-modules r,
  74. /usr/lib/@{multiarch}/gconv/gconv-modules.cache r,
  75.  
  76. # priv dropping
  77. capability setuid,
  78. capability setgid,
  79.  
  80. # changing profile
  81. @{PROC}/[0-9]*/attr/exec w,
  82. # Reading current profile
  83. @{PROC}/[0-9]*/attr/current r,
  84. # Reading available filesystems
  85. @{PROC}/filesystems r,
  86.  
  87. # To find where apparmor is mounted
  88. @{PROC}/[0-9]*/mounts r,
  89. # To find if apparmor is enabled
  90. /sys/module/apparmor/parameters/enabled r,
  91.  
  92. # Don't allow changing profile to unconfined or to profiles whose name starts
  93. # with '/'. The rules below enumerate every target name that does not spell
  94. # 'unconfined'; see LP: #1446794 below for the intended simpler form.
  95. # Use 'unsafe' to support snap-exec on armhf and its reliance on the
  96. # environment for determining the capabilities of the architecture.
  97. # 'unsafe' is ok here because the kernel will have already cleared the
  98. # environment as part of launching snap-confine with CAP_SYS_ADMIN.
  98. change_profile unsafe /** -> [^u/]**,
  99. change_profile unsafe /** -> u[^n]**,
  100. change_profile unsafe /** -> un[^c]**,
  101. change_profile unsafe /** -> unc[^o]**,
  102. change_profile unsafe /** -> unco[^n]**,
  103. change_profile unsafe /** -> uncon[^f]**,
  104. change_profile unsafe /** -> unconf[^i]**,
  105. change_profile unsafe /** -> unconfi[^n]**,
  106. change_profile unsafe /** -> unconfin[^e]**,
  107. change_profile unsafe /** -> unconfine[^d]**,
  108. change_profile unsafe /** -> unconfined?**,
  109.  
  110. # allow changing to a few profile names not caught above
  111. change_profile unsafe /** -> {u,un,unc,unco,uncon,unconf,unconfi,unconfin,unconfine},
  112.  
  113. # LP: #1446794 - when this bug is fixed, change the above to:
  114. # deny change_profile unsafe /** -> {unconfined,/**},
  115. # change_profile unsafe /** -> **,
  116.  
  117. # reading seccomp filters
  118. /{tmp/snap.rootfs_*/,}var/lib/snapd/seccomp/bpf/*.bin r,
  119.  
  120. # ensuring correct permissions in sc_quirk_create_writable_mimic
  121. /{tmp/snap.rootfs_*/,}var/lib/ rw,
  122.  
  123. # LP: #1668659
  124. mount options=(rw rbind) /snap/ -> /snap/,
  125. mount options=(rw rshared) -> /snap/,
  126.  
  127. # bootstrapping the mount namespace
  128. mount options=(rw rshared) -> /,
  129. mount options=(rw bind) /tmp/snap.rootfs_*/ -> /tmp/snap.rootfs_*/,
  130. mount options=(rw unbindable) -> /tmp/snap.rootfs_*/,
  131. # the next line is for classic systems
  132. mount options=(rw rbind) /snap/*/*/ -> /tmp/snap.rootfs_*/,
  133. # the next line is for core systems
  134. mount options=(rw rbind) / -> /tmp/snap.rootfs_*/,
  135. # all of the constructed rootfs is a rslave
  136. mount options=(rw rslave) -> /tmp/snap.rootfs_*/,
  137. # bidirectional mounts (for both classic and core)
  138. # NOTE: this does not cover the MERGED_USR configuration option; when a
  139. # distro with merged /usr and / that uses apparmor shows up, it should be
  140. # handled here.
  141. /{,run/}media/ w,
  142. mount options=(rw rbind) /media/ -> /tmp/snap.rootfs_*/media/,
  143. /run/netns/ w,
  144. mount options=(rw rbind) /run/netns/ -> /tmp/snap.rootfs_*/run/netns/,
  145. # unidirectional mounts (only for classic system)
  146. mount options=(rw rbind) /dev/ -> /tmp/snap.rootfs_*/dev/,
  147. mount options=(rw rslave) -> /tmp/snap.rootfs_*/dev/,
  148.  
  149. mount options=(rw rbind) /etc/ -> /tmp/snap.rootfs_*/etc/,
  150. mount options=(rw rslave) -> /tmp/snap.rootfs_*/etc/,
  151.  
  152. mount options=(rw rbind) /home/ -> /tmp/snap.rootfs_*/home/,
  153. mount options=(rw rslave) -> /tmp/snap.rootfs_*/home/,
  154.  
  155. mount options=(rw rbind) /root/ -> /tmp/snap.rootfs_*/root/,
  156. mount options=(rw rslave) -> /tmp/snap.rootfs_*/root/,
  157.  
  158. mount options=(rw rbind) /proc/ -> /tmp/snap.rootfs_*/proc/,
  159. mount options=(rw rslave) -> /tmp/snap.rootfs_*/proc/,
  160.  
  161. mount options=(rw rbind) /sys/ -> /tmp/snap.rootfs_*/sys/,
  162. mount options=(rw rslave) -> /tmp/snap.rootfs_*/sys/,
  163.  
  164. mount options=(rw rbind) /tmp/ -> /tmp/snap.rootfs_*/tmp/,
  165. mount options=(rw rslave) -> /tmp/snap.rootfs_*/tmp/,
  166.  
  167. mount options=(rw rbind) /var/lib/snapd/ -> /tmp/snap.rootfs_*/var/lib/snapd/,
  168. mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/lib/snapd/,
  169.  
  170. mount options=(rw rbind) /var/snap/ -> /tmp/snap.rootfs_*/var/snap/,
  171. mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/snap/,
  172.  
  173. mount options=(rw rbind) /var/tmp/ -> /tmp/snap.rootfs_*/var/tmp/,
  174. mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/tmp/,
  175.  
  176. mount options=(rw rbind) /run/ -> /tmp/snap.rootfs_*/run/,
  177. mount options=(rw rslave) -> /tmp/snap.rootfs_*/run/,
  178.  
  179. mount options=(rw rbind) {,/usr}/lib{,32,64,x32}/modules/ -> /tmp/snap.rootfs_*{,/usr}/lib/modules/,
  180. mount options=(rw rslave) -> /tmp/snap.rootfs_*{,/usr}/lib/modules/,
  181.  
  182. mount options=(rw rbind) /var/log/ -> /tmp/snap.rootfs_*/var/log/,
  183. mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/log/,
  184.  
  185. mount options=(rw rbind) /usr/src/ -> /tmp/snap.rootfs_*/usr/src/,
  186. mount options=(rw rslave) -> /tmp/snap.rootfs_*/usr/src/,
  187.  
  188. # allow making host snap-exec available inside base snaps
  189. mount options=(rw bind) /usr/lib/snapd/ -> /tmp/snap.rootfs_*/usr/lib/snapd/,
  190. mount options=(rw slave) -> /tmp/snap.rootfs_*/usr/lib/snapd/,
  191.  
  192. # allow making re-execed host snap-exec available inside base snaps
  193. mount options=(ro bind) /snap/core/*/usr/lib/snapd/ -> /tmp/snap.rootfs_*/usr/lib/snapd/,
  194.  
  195. mount options=(rw bind) /usr/bin/snapctl -> /tmp/snap.rootfs_*/usr/bin/snapctl,
  196. mount options=(rw slave) -> /tmp/snap.rootfs_*/usr/bin/snapctl,
  197.  
  198. # /etc/alternatives (classic)
  199. mount options=(rw bind) /snap/{,ubuntu-}core/*/etc/alternatives/ -> /tmp/snap.rootfs_*/etc/alternatives/,
  200. mount options=(rw bind) /snap/*/*/etc/ssl/ -> /tmp/snap.rootfs_*/etc/ssl/,
  201. mount options=(rw bind) /snap/*/*/etc/nsswitch.conf -> /tmp/snap.rootfs_*/etc/nsswitch.conf,
  202. # /etc/alternatives (core)
  203. mount options=(rw bind) /etc/alternatives/ -> /tmp/snap.rootfs_*/etc/alternatives/,
  204. mount options=(rw slave) -> /tmp/snap.rootfs_*/etc/alternatives/,
  205. mount options=(rw slave) -> /tmp/snap.rootfs_*/etc/ssl/,
  206. mount options=(rw slave) -> /tmp/snap.rootfs_*/etc/nsswitch.conf,
  207. # the /snap directory
  208. mount options=(rw rbind) /snap/ -> /tmp/snap.rootfs_*/snap/,
  209. mount options=(rw rslave) -> /tmp/snap.rootfs_*/snap/,
  210. # pivot_root preparation and execution
  211. mount options=(rw bind) /tmp/snap.rootfs_*/var/lib/snapd/hostfs/ -> /tmp/snap.rootfs_*/var/lib/snapd/hostfs/,
  212. mount options=(rw private) -> /tmp/snap.rootfs_*/var/lib/snapd/hostfs/,
  213. pivot_root,
  214. # cleanup
  215. umount /var/lib/snapd/hostfs/tmp/snap.rootfs_*/,
  216. umount /var/lib/snapd/hostfs/sys/,
  217. umount /var/lib/snapd/hostfs/dev/,
  218. umount /var/lib/snapd/hostfs/proc/,
  219. mount options=(rw rslave) -> /var/lib/snapd/hostfs/,
  220.  
  221. # Allow reading the os-release file (possibly a symlink to /usr/lib).
  222. /{etc/,usr/lib/}os-release r,
  223.  
  224. # set up snap-specific private /tmp dir
  225. capability chown,
  226. /tmp/ w,
  227. /tmp/snap.*/ w,
  228. /tmp/snap.*/tmp/ w,
  229. mount options=(rw private) -> /tmp/,
  230. mount options=(rw bind) /tmp/snap.*/tmp/ -> /tmp/,
  231. mount fstype=devpts options=(rw) devpts -> /dev/pts/,
  232. mount options=(rw bind) /dev/pts/ptmx -> /dev/ptmx, # for bind mounting
  233. mount options=(rw bind) /dev/pts/ptmx -> /dev/pts/ptmx, # for bind mounting under LXD
  234. # Workaround for LP: #1584456 on older kernels that mistakenly think
  235. # /dev/pts/ptmx needs a trailing '/'
  236. mount options=(rw bind) /dev/pts/ptmx/ -> /dev/ptmx/,
  237. mount options=(rw bind) /dev/pts/ptmx/ -> /dev/pts/ptmx/,
  238.  
  239. # for running snaps on classic (the two rule pairs below are identical; one is redundant)
  240. /snap/ r,
  241. /snap/** r,
  242. /snap/ r,
  243. /snap/** r,
  244.  
  245. # NOTE: at this stage the /snap directory is stable as we have called
  246. # pivot_root already.
  247.  
  248. # nvidia handling: the glob requires read access to /usr/** and the launcher
  249. # must be able to bind mount the nvidia dir (the two bind-mount rules below are identical)
  250. /sys/module/nvidia/version r,
  251. /sys/**/drivers/nvidia{,_*}/* r,
  252. /sys/**/nvidia*/uevent r,
  253. /sys/module/nvidia{,_*}/* r,
  254. /dev/nvidia[0-9]* r,
  255. /dev/nvidiactl r,
  256. /dev/nvidia-uvm r,
  257. /usr/** r,
  258. mount options=(rw bind) /usr/lib{,32}/nvidia-*/ -> /{tmp/snap.rootfs_*/,}var/lib/snapd/lib/gl{,32}/,
  259. mount options=(rw bind) /usr/lib{,32}/nvidia-*/ -> /{tmp/snap.rootfs_*/,}var/lib/snapd/lib/gl{,32}/,
  260. /tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/{,*} w,
  261. mount fstype=tmpfs options=(rw nodev noexec) none -> /tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/,
  262. mount options=(remount ro) -> /tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/,
  263.  
  264. # Vulkan support
  265. /tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/{,*} w,
  266. mount fstype=tmpfs options=(rw nodev noexec) none -> /tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/,
  267. mount options=(remount ro) -> /tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/,
  268.  
  269. # create gl dirs as needed
  270. /tmp/snap.rootfs_*/ r,
  271. /tmp/snap.rootfs_*/var/ r,
  272. /tmp/snap.rootfs_*/var/lib/ r,
  273. /tmp/snap.rootfs_*/var/lib/snapd/ r,
  274. /tmp/snap.rootfs_*/var/lib/snapd/lib/ r,
  275. /tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/ r,
  276. /tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/** rw,
  277. /tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/ r,
  278. /tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/** rw,
  279.  
  280. # "chroot on steroids": pivot_root is used as a stronger form of chroot so
  281. # that apparmor rules behave the same on classic and non-classic systems.
  282.  
  283. # for creating the user data directories: ~/snap, ~/snap/<name> and
  284. # ~/snap/<name>/<version>
  285. / r,
  286. @{HOMEDIRS}/ r,
  287. # These should both use 'owner' matching, but due to LP: #1466234 we can't
  288. # yet
  289. @{HOME}/ r,
  290. @{HOME}/snap/{,*/,*/*/} rw,
  291.  
  292. # for creating the user shared memory directories
  293. /{dev,run}/{,shm/} r,
  294. # This should use 'owner' matching, but due to LP: #1466234 we can't yet
  295. /{dev,run}/shm/{,*/,*/*/} rw,
  296.  
  297. # for creating the user XDG_RUNTIME_DIR: /run/user, /run/user/UID and
  298. # /run/user/UID/<name>
  299. /run/user/{,[0-9]*/,[0-9]*/*/} rw,
  300.  
  301. # Workaround https://launchpad.net/bugs/359338 until upstream handles
  302. # stacked filesystems generally.
  303. # encrypted ~/.Private and old-style encrypted $HOME
  304. @{HOME}/.Private/ r,
  305. @{HOME}/.Private/** mrixwlk,
  306. # new-style encrypted $HOME
  307. @{HOMEDIRS}/.ecryptfs/*/.Private/ r,
  308. @{HOMEDIRS}/.ecryptfs/*/.Private/** mrixwlk,
  309.  
  310. # Allow snap-confine to move to the void
  311. /var/lib/snapd/void/ r,
  312.  
  313. # Allow snap-confine to read snap contexts
  314. /var/lib/snapd/context/snap.* r,
  315.  
  316. # Allow snap-confine to unmount stale mount namespaces.
  317. umount /run/snapd/ns/*.mnt,
  318. # Required to correctly unmount bound mount namespace.
  319. # See LP: #1735459 for details.
  320. umount /,
  321.  
  322. # Support for the quirk system
  323. /var/ r,
  324. /var/lib/ r,
  325. /var/lib/** rw,
  326. /tmp/ r,
  327. /tmp/snapd.quirks_*/ rw,
  328. mount options=(move) /var/lib/snapd/ -> /tmp/snapd.quirks_*/,
  329. mount fstype=tmpfs options=(rw nodev nosuid) none -> /var/lib/,
  330. mount options=(ro rbind) /snap/{,ubuntu-}core/*/var/lib/** -> /var/lib/**,
  331. umount /var/lib/snapd/,
  332. mount options=(move) /tmp/snapd.quirks_*/ -> /var/lib/snapd/,
  333. # On classic systems with a setuid root snap-confine run by a non-root
  334. # user, the mimic_dir is created with the gid of the calling user (i.e.,
  335. # not 0), so when setting the permissions (chmod) of the mimicked
  336. # directory to those of the reference directory, a CAP_FSETID check is triggered.
  337. # snap-confine sets the directory up correctly, so simply silence the
  338. # denial since we don't want to grant the capability as a whole to
  339. # snap-confine.
  340. deny capability fsetid,
  341.  
  342. # support for the LXD quirk
  343. mount options=(rw rbind nodev nosuid noexec) /var/lib/snapd/hostfs/var/lib/lxd/ -> /var/lib/lxd/,
  344. /var/lib/lxd/ w,
  345. /var/lib/snapd/hostfs/var/lib/lxd r,
  346.  
  347. # support for locking
  348. /run/snapd/lock/ rw,
  349. /run/snapd/lock/*.lock rwk,
  350.  
  351. # support for the mount namespace sharing
  352. capability sys_ptrace,
  353. # allow snap-confine to read /proc/1/ns/mnt
  354. ptrace trace peer=unconfined,
  355.  
  356. mount options=(rw rbind) /run/snapd/ns/ -> /run/snapd/ns/,
  357. mount options=(private) -> /run/snapd/ns/,
  358. / rw,
  359. /run/ rw,
  360. /run/snapd/ rw,
  361. /run/snapd/ns/ rw,
  362. /run/snapd/ns/*.lock rwk,
  363. /run/snapd/ns/*.mnt rw,
  364. ptrace (read, readby, tracedby) peer=/usr/lib/snapd/snap-confine//mount-namespace-capture-helper,
  365. @{PROC}/*/mountinfo r,
  366. capability sys_chroot,
  367. capability sys_admin,
  368. signal (send, receive) set=(abrt) peer=/usr/lib/snapd/snap-confine,
  369. signal (send) set=(int) peer=/usr/lib/snapd/snap-confine//mount-namespace-capture-helper,
  370. signal (send, receive) set=(int, alrm, exists) peer=/usr/lib/snapd/snap-confine,
  371. signal (receive) set=(exists) peer=/usr/lib/snapd/snap-confine//mount-namespace-capture-helper,
  372.  
  373. # workaround for linux 4.13/upstream, see
  374. # https://forum.snapcraft.io/t/snapd-2-27-6-2-in-debian-sid-blocked-on-apparmor-in-kernel-4-13-0-1/2813/3
  375. ptrace (trace, tracedby) peer=/usr/lib/snapd/snap-confine,
  376.  
  377. # For aa_change_hat() to go into ^mount-namespace-capture-helper
  378. @{PROC}/[0-9]*/attr/current w,
  379.  
  380. ^mount-namespace-capture-helper (attach_disconnected) {
  381. # We run privileged, so be fanatical about what we include and don't use
  382. # any abstractions
  383. /etc/ld.so.cache r,
  384. /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}ld-*.so mrix,
  385. # libc, you are funny
  386. /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libc{,-[0-9]*}.so* mr,
  387. /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libpthread{,-[0-9]*}.so* mr,
  388. /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libreadline{,-[0-9]*}.so* mr,
  389. /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}librt{,-[0-9]*}.so* mr,
  390. /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libgcc_s.so* mr,
  391. /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libncursesw{,-[0-9]*}.so* mr,
  392. /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libresolv{,-[0-9]*}.so* mr,
  393. /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libselinux.so* mr,
  394. /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libpcre.so* mr,
  395. # normal libs in order
  396. /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libapparmor.so* mr,
  397. /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcgmanager.so* mr,
  398. /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libdl{,-[0-9]*}.so* mr,
  399. /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnih.so* mr,
  400. /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnih-dbus.so* mr,
  401. /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libdbus-1.so* mr,
  402. /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libudev.so* mr,
  403. /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libseccomp.so* mr,
  404. /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcap.so* mr,
  405.  
  406. /usr/lib/snapd/snap-confine mr,
  407.  
  408. /dev/null rw,
  409. /dev/full rw,
  410. /dev/zero rw,
  411. /dev/random r,
  412. /dev/urandom r,
  413.  
  414. capability sys_ptrace,
  415. capability sys_admin,
  416. # This allows us to read and bind mount the namespace file
  417. / r,
  418. @{PROC}/ r,
  419. @{PROC}/*/ r,
  420. @{PROC}/*/ns/ r,
  421. @{PROC}/*/ns/mnt r,
  422. /run/ r,
  423. /run/snapd/ r,
  424. /run/snapd/ns/ r,
  425. /run/snapd/ns/*.mnt rw,
  426. # NOTE: the source name is / even though we map /proc/123/ns/mnt
  427. mount options=(rw bind) / -> /run/snapd/ns/*.mnt,
  428. # This is the SIGALRM that we send and receive if a timeout expires
  429. signal (send, receive) set=(alrm) peer=/usr/lib/snapd/snap-confine//mount-namespace-capture-helper,
  430. # These two rules differ only in the peer label: we don't know whether the parent process
  431. # is still alive (and so carries the snap-confine label) or has already exited (and so has no label).
  432. signal (send) set=(exists) peer=/usr/lib/snapd/snap-confine,
  433. signal (send) set=(exists) peer=unconfined,
  434. # This is so that we can abort
  435. signal (send, receive) set=(abrt) peer=/usr/lib/snapd/snap-confine//mount-namespace-capture-helper,
  436. # This is the signal we get if snap-confine dies (we subscribe to it with prctl)
  437. signal (receive) set=(int) peer=/usr/lib/snapd/snap-confine,
  438. # This allows snap-confine to be killed from the outside.
  439. signal (receive) peer=unconfined,
  440. # This allows snap-confine to wait for us
  441. ptrace (read, trace, tracedby) peer=/usr/lib/snapd/snap-confine,
  442. }
  443.  
  444. # Allow snap-confine to be killed
  445. signal (receive) peer=unconfined,
  446.  
  447. # Allow switching to snap-update-ns with a per-snap profile.
  448. change_profile -> snap-update-ns.*,
  449.  
  450. # Allow executing snap-update-ns when...
  451.  
  452. # ...snap-confine is, conceptually, re-executing and uses snap-update-ns
  453. # from the distribution package. This is also the location used when using
  454. # the core/base snap on all-snap systems. The variants here represent
  455. # various locations of libexecdir across distributions.
  456. /usr/lib{,exec,64}/snapd/snap-update-ns r,
  457.  
  458. # ...snap-confine is not, conceptually, re-executing and uses
  459. # snap-update-ns from the distribution package but we are already inside
  460. # the constructed mount namespace so we must traverse "hostfs". The
  461. # variants here represent various locations of libexecdir across
  462. # distributions.
  463. /var/lib/snapd/hostfs/usr/lib{,exec,64}/snapd/snap-update-ns r,
  464.  
  465. # ...snap-confine is, conceptually, re-executing and uses snap-update-ns
  466. # from the core snap. Note that the location of the core snap varies from
  467. # distribution to distribution. The variants here represent different
  468. # locations of snap mount directory across distributions.
  469. /{,var/lib/snapd/}snap/core/*/usr/lib/snapd/snap-update-ns r,
  470.  
  471. # ...snap-confine is, conceptually, re-executing and uses snap-update-ns
  472. # from the core snap but we are already inside the constructed mount
  473. # namespace. Here the apparmor kernel module re-constructs the path to
  474. # snap-update-ns using the "hostfs" mount entry rather than the more
  475. # "natural" /snap mount entry but we have no control over that. This is
  476. # reported as (LP: #1716339). The variants here represent different
  477. # locations of snap mount directory across distributions.
  478. /var/lib/snapd/hostfs/{,var/lib/snapd/}snap/core/*/usr/lib/snapd/snap-update-ns r,
  479. }