# Author: Jamie Strandboge <jamie@canonical.com>
#
# AppArmor profile for snap-confine, the setuid-root launcher that builds a
# snap's private mount namespace (tmpfs rootfs under /tmp/snap.rootfs_*,
# bind mounts, pivot_root) and then transitions into the snap's own profile
# via change_profile. Because the binary runs as root, DAC does not restrict
# it; this profile is the main mediation of what it may touch, so every rule
# below should stay as narrow as the code path that needs it.
#
# NOTE(review): AppArmor evaluates explicit "deny" rules with priority over
# allow rules, so the deny entries in this file are not undone by the broad
# allows (e.g. /tmp/snap.rootfs_** rw, /var/lib/** rw) — confirm against the
# apparmor_parser version shipped on the target distribution.
#include <tunables/global>

# attach_disconnected: paths that become disconnected from the namespace root
# (expected here, since this profile performs pivot_root) are matched as if
# attached at "/" rather than being denied outright.
/usr/lib/snapd/snap-confine (attach_disconnected) {
# Include any additional files that snapd chose to generate.
# - for $HOME on NFS
# - for $HOME on encrypted media
#
# Those are discussed on https://forum.snapcraft.io/t/snapd-vs-upstream-kernel-vs-apparmor
# and https://forum.snapcraft.io/t/snaps-and-nfs-home/
#include "/var/lib/snapd/apparmor/snap-confine"

# We run privileged, so be fanatical about what we include and don't use
# any abstractions
/etc/ld.so.cache r,
# ld.so.preload is a system-wide loader file; whatever it names must still
# match one of the "mr" rules below, which is what bounds it (see the
# change_profile comment further down).
/etc/ld.so.preload r,

# Do not assume that the interpreter is always named like
# ld-linux-x86_64.so, as on some architectures there can be a version after
# the .so suffix, eg. ld-linux-aarch64.so.1
# "mrix": map + read, and if the loader is executed directly it inherits
# this (privileged) profile rather than transitioning elsewhere.
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}ld{-*,64}.so* mrix,
# libc, you are funny
# All shared libraries are "mr" (map + read) only: no execute permission is
# granted on them.
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libc{,-[0-9]*}.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libpthread{,-[0-9]*}.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libreadline{,-[0-9]*}.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}librt{,-[0-9]*}.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libgcc_s.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libncursesw{,-[0-9]*}.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libresolv{,-[0-9]*}.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libselinux.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libpcre{,2}{,-[0-9]*}.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libmount.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libblkid.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libuuid.so* mr,
# normal libs in order
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libapparmor.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcgmanager.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libdl{,-[0-9]*}.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnih.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnih-dbus.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libdbus-1.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libudev.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libseccomp.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcap.so* mr,

# The binary itself (map + read), e.g. for re-executing.
/usr/lib/snapd/snap-confine mr,

# This rule is needed when executing from a "base: core" devmode snap on
# UC18 and newer where the /usr/lib/snapd/snap-confine inside the
# "base: core" mount namespace always comes from the snapd snap, and thus
# we will execute snap-confine via this path, and thus need to be able to
# read this path when executing. It's also necessary on classic where both
# the snapd and the core snap are installed at the same time.
# TODO: remove this rule when we stop supporting executing other snaps from
# inside devmode snaps, ideally even in the short term we would only include
# this rule on core only, and specifically uc18 and newer where we need it
# (The @VERBATIM_LIBEXECDIR_SNAP_CONFINE@ token is substituted at build
# time; in this pasted copy the rule is commented out.)
#@VERBATIM_LIBEXECDIR_SNAP_CONFINE@ mr,

/dev/null rw,
/dev/full rw,
/dev/zero rw,
/dev/random r,
/dev/urandom r,
/dev/pts/[0-9]* rw,
/dev/tty rw,

# cgroup: devices
# NOTE(review): capability rules are profile-wide; they are listed under the
# section that first needs them but apply to every code path in this profile
# (sys_admin in particular also covers all the mount/pivot_root work below).
capability sys_admin,
capability dac_read_search,
capability dac_override,
/sys/fs/cgroup/ r,
/sys/fs/cgroup/devices/ r,
/sys/fs/cgroup/devices/snap.*/ rw,
/sys/fs/cgroup/devices/snap.*/cgroup.procs w,
/sys/fs/cgroup/devices/snap.*/devices.{allow,deny} w,

# cgroup: freezer
# Allow creating per-snap cgroup freezers and adding snap command (task)
# invocations to the freezer. This allows for reliably enumerating all
# running processes for the snap. In addition, allow enumerating processes
# in the cgroup to determine if it is occupied.
/sys/fs/cgroup/freezer/ r,
/sys/fs/cgroup/freezer/snap.*/ w,
/sys/fs/cgroup/freezer/snap.*/cgroup.procs rw,
# Read access to the whole cgroup tree (subsumes the narrower "r" rules
# above; kept for clarity).
/sys/fs/cgroup/ r,
/sys/fs/cgroup/** r,

# cgroup: reading own cgroup
@{PROC}/@{pid}/cgroup r,

# cgroup: manage bpf map for device cgroup
/sys/fs/bpf/ r,
/sys/fs/bpf/snap/ rw,
/sys/fs/bpf/snap/* rw,
# s-c may need to raise the memlock limit
capability sys_resource,

# querying udev
/etc/udev/udev.conf r,
/sys/**/uevent r,
/run/udev/** rw,
# NOTE(review): "ix" means the system tr(1) binary runs under this full
# profile, including its capability set; presumably it is invoked by the udev
# device-helper path — confirm it is still needed and keep the "ix" list tight.
/{,usr/}bin/tr ixr,
/usr/lib/locale/** r,
/usr/lib/@{multiarch}/gconv/gconv-modules r,
/usr/lib/@{multiarch}/gconv/gconv-modules.cache r,

# priv dropping
capability setuid,
capability setgid,

# changing profile
# NOTE(review): [0-9]* matches any pid's attr files, not only our own; the
# cgroup rule above already uses @{pid} — consider the same here if the
# tunables in use provide it.
@{PROC}/[0-9]*/attr/{,apparmor/}exec w,
# Reading current profile
@{PROC}/[0-9]*/attr/{,apparmor/}current r,
# Reading available filesystems
@{PROC}/filesystems r,

# To find where apparmor is mounted
@{PROC}/[0-9]*/mounts r,
# To find if apparmor is enabled
/sys/module/apparmor/parameters/enabled r,

# Don't allow changing profile to unconfined or profiles that start with
# '/'. Use 'unsafe' to support snap-exec on armhf and its reliance on
# the environment for determining the capabilities of the architecture.
# 'unsafe' is ok here because the kernel will have already cleared the
# environment as part of launching snap-confine with CAP_SYS_ADMIN. This
# does leave directories as configured by ld.so.preload as well as
# LD_PRELOAD to be set to a library which is in a directory configured by
# ld.so.conf, but access to those locations is mediated by this profile
# (which requires rules for specific locations).
#
# Net effect of the enumeration below: the target may be any profile name
# that is not exactly "unconfined" and does not begin with "/" (the
# per-character exclusions are needed because the parser has no negation
# for the whole word; see LP: #1446794).
change_profile unsafe /** -> [^u/]**,
change_profile unsafe /** -> u[^n]**,
change_profile unsafe /** -> un[^c]**,
change_profile unsafe /** -> unc[^o]**,
change_profile unsafe /** -> unco[^n]**,
change_profile unsafe /** -> uncon[^f]**,
change_profile unsafe /** -> unconf[^i]**,
change_profile unsafe /** -> unconfi[^n]**,
change_profile unsafe /** -> unconfin[^e]**,
change_profile unsafe /** -> unconfine[^d]**,
change_profile unsafe /** -> unconfined?**,

# allow changing to a few not caught above
change_profile unsafe /** -> {u,un,unc,unco,uncon,unconf,unconfi,unconfin,unconfine},

# LP: #1446794 - when this bug is fixed, change the above to:
# deny change_profile unsafe /** -> {unconfined,/**},
# change_profile unsafe /** -> **,

# reading seccomp filters
/{tmp/snap.rootfs_*/,}var/lib/snapd/seccomp/bpf/*.bin r,

# adding a missing bpf mount
mount fstype=bpf options=(rw) bpf -> /sys/fs/bpf/,

# For mounting base dir by dir (write dirs and mount on them)
# Broad write inside the scratch rootfs so mount points can be created; the
# hostfs subtree is carved out again by the "audit deny" in the pivot_root
# section below.
/tmp/snap.rootfs_** rw,
mount options=(remount ro) -> /tmp/snap.rootfs_*/,
mount options=(rw rbind) /var/lib/snapd/snap/*/*/**/ -> /tmp/snap.rootfs_**/,
# For mounting individual files
mount options=(rw bind) /var/lib/snapd/snap/*/*/** -> /tmp/snap.rootfs_*/**,
mount options=(rw rslave) -> /tmp/snap.rootfs_**/,
# Allow mounting dirs from /
# NOTE(review): "/*/" matches any top-level directory of the host, so this
# rule appears to subsume most of the per-directory rbind rules further
# below (those still matter for their rslave companions). Keep in mind when
# reviewing what may be bound into the snap's rootfs.
mount options=(rw rbind) /*/ -> /tmp/snap.rootfs_**/,

# LP: #1668659 and parallel instances of classic snaps
mount options=(rw rbind) /snap/ -> /snap/,
mount options=(rw rshared) -> /snap/,
mount options=(rw rbind) /var/lib/snapd/snap/ -> /var/lib/snapd/snap/,
mount options=(rw rshared) -> /var/lib/snapd/snap/,

# bootstrapping the mount namespace
/tmp/snap.rootfs_*/ rw,
mount fstype=tmpfs none -> /tmp/snap.rootfs_*/,
mount options=(rw rshared) -> /,
mount options=(rw bind) /tmp/snap.rootfs_*/ -> /tmp/snap.rootfs_*/,
mount options=(rw unbindable) -> /tmp/snap.rootfs_*/,
# the next line is for classic system
mount options=(rw rbind) /var/lib/snapd/snap/*/*/ -> /tmp/snap.rootfs_*/,
# the next line is for core system
mount options=(rw rbind) / -> /tmp/snap.rootfs_*/,
# all of the constructed rootfs is a rslave
mount options=(rw rslave) -> /tmp/snap.rootfs_*/,
# bidirectional mounts (for both classic and core)
# NOTE: this doesn't capture the MERGED_USR configuration option so that
# when a distro with merged /usr and / that uses apparmor shows up it
# should be handled here.
/{,run/}media/ w,
mount options=(rw rbind) /{,run/}media/ -> /tmp/snap.rootfs_*/{,run/}media/,
/run/netns/ w,
mount options=(rw rbind) /run/netns/ -> /tmp/snap.rootfs_*/run/netns/,
# unidirectional mounts (only for classic system)
# Each host directory is rbind-mounted into the rootfs and then made rslave
# so mount events propagate host -> snap but not back.
mount options=(rw rbind) /dev/ -> /tmp/snap.rootfs_*/dev/,
mount options=(rw rslave) -> /tmp/snap.rootfs_*/dev/,

mount options=(rw rbind) /etc/ -> /tmp/snap.rootfs_*/etc/,
mount options=(rw rslave) -> /tmp/snap.rootfs_*/etc/,

mount options=(rw rbind) /home/ -> /tmp/snap.rootfs_*/home/,
mount options=(rw rslave) -> /tmp/snap.rootfs_*/home/,

mount options=(rw rbind) /root/ -> /tmp/snap.rootfs_*/root/,
mount options=(rw rslave) -> /tmp/snap.rootfs_*/root/,

mount options=(rw rbind) /proc/ -> /tmp/snap.rootfs_*/proc/,
mount options=(rw rslave) -> /tmp/snap.rootfs_*/proc/,

mount options=(rw rbind) /sys/ -> /tmp/snap.rootfs_*/sys/,
mount options=(rw rslave) -> /tmp/snap.rootfs_*/sys/,

mount options=(rw rbind) /tmp/ -> /tmp/snap.rootfs_*/tmp/,
mount options=(rw rslave) -> /tmp/snap.rootfs_*/tmp/,

mount options=(rw rbind) /var/lib/dhcp/ -> /tmp/snap.rootfs_*/var/lib/dhcp/,
mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/lib/dhcp/,

mount options=(rw rbind) /var/lib/snapd/ -> /tmp/snap.rootfs_*/var/lib/snapd/,
mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/lib/snapd/,

mount options=(rw rbind) /var/snap/ -> /tmp/snap.rootfs_*/var/snap/,
mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/snap/,

mount options=(rw rbind) /var/tmp/ -> /tmp/snap.rootfs_*/var/tmp/,
# /var/volatile is the default volatile location on Yocto/Poky, typically used with read-only rootfs setups
mount options=(rw rbind) /var/volatile/tmp/ -> /tmp/snap.rootfs_*/var/tmp/,
mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/tmp/,

mount options=(rw rbind) /run/ -> /tmp/snap.rootfs_*/run/,
mount options=(rw rslave) -> /tmp/snap.rootfs_*/run/,

mount options=(rw rbind) /var/lib/extrausers/ -> /tmp/snap.rootfs_*/var/lib/extrausers/,
mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/lib/extrausers/,

mount options=(rw rbind) {,/usr}/lib{,32,64,x32}/modules/ -> /tmp/snap.rootfs_*{,/usr}/lib/modules/,
mount options=(rw rslave) -> /tmp/snap.rootfs_*{,/usr}/lib/modules/,

mount options=(rw rbind) {,/usr}/lib{,32,64,x32}/firmware/ -> /tmp/snap.rootfs_*{,/usr}/lib/firmware/,
mount options=(rw rslave) -> /tmp/snap.rootfs_*{,/usr}/lib/firmware/,

mount options=(rw rbind) /var/log/ -> /tmp/snap.rootfs_*/var/log/,
# /var/volatile is the default volatile location on Yocto/Poky, typically used with read-only rootfs setups
mount options=(rw rbind) /var/volatile/log/ -> /tmp/snap.rootfs_*/var/log/,
mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/log/,

mount options=(rw rbind) /usr/src/ -> /tmp/snap.rootfs_*/usr/src/,
mount options=(rw rslave) -> /tmp/snap.rootfs_*/usr/src/,

mount options=(rw rbind) /mnt/ -> /tmp/snap.rootfs_*/mnt/,
mount options=(rw rslave) -> /tmp/snap.rootfs_*/mnt/,

# allow making host snap-exec available inside base snaps
mount options=(rw bind) /usr/lib/snapd/ -> /tmp/snap.rootfs_*/usr/lib/snapd/,
mount options=(rw slave) -> /tmp/snap.rootfs_*/usr/lib/snapd/,

# allow making re-execed host snap-exec available inside base snaps
# (read-only bind: the tools from the core/snapd snap must not be writable
# from inside the constructed rootfs)
mount options=(ro bind) /var/lib/snapd/snap/core/*/usr/lib/snapd/ -> /tmp/snap.rootfs_*/usr/lib/snapd/,
# allow making snapd snap tools available inside base snaps
mount options=(ro bind) /var/lib/snapd/snap/snapd/*/usr/lib/snapd/ -> /tmp/snap.rootfs_*/usr/lib/snapd/,

mount options=(rw bind) /usr/bin/snapctl -> /tmp/snap.rootfs_*/usr/bin/snapctl,
mount options=(rw slave) -> /tmp/snap.rootfs_*/usr/bin/snapctl,

# /etc/alternatives (classic and normal mode)
mount options=(rw bind) /var/lib/snapd/snap/*/*/etc/alternatives/ -> /tmp/snap.rootfs_*/etc/alternatives/,
mount options=(rw bind) /var/lib/snapd/snap/*/*/etc/ssl/ -> /tmp/snap.rootfs_*/etc/ssl/,
mount options=(rw bind) /var/lib/snapd/snap/*/*/etc/nsswitch.conf -> /tmp/snap.rootfs_*/etc/nsswitch.conf,
mount options=(rw bind) /var/lib/snapd/snap/*/*/etc/apparmor/ -> /tmp/snap.rootfs_*/etc/apparmor/,
mount options=(rw bind) /var/lib/snapd/snap/*/*/etc/apparmor.d/ -> /tmp/snap.rootfs_*/etc/apparmor.d/,

# /etc/alternatives (core/legacy mode)
mount options=(rw bind) /etc/alternatives/ -> /tmp/snap.rootfs_*/etc/alternatives/,

# making all those directories slave shared.
mount options=(rw slave) -> /tmp/snap.rootfs_*/etc/alternatives/,
mount options=(rw slave) -> /tmp/snap.rootfs_*/etc/ssl/,
mount options=(rw slave) -> /tmp/snap.rootfs_*/etc/nsswitch.conf,
mount options=(rw slave) -> /tmp/snap.rootfs_*/etc/apparmor/,
mount options=(rw slave) -> /tmp/snap.rootfs_*/etc/apparmor.d/,

# the /snap directory
mount options=(rw rbind) /var/lib/snapd/snap/ -> /tmp/snap.rootfs_*/snap/,
mount options=(rw rslave) -> /tmp/snap.rootfs_*/snap/,
# pivot_root preparation and execution
mount options=(rw bind) /tmp/snap.rootfs_*/var/lib/snapd/hostfs/ -> /tmp/snap.rootfs_*/var/lib/snapd/hostfs/,
mount options=(rw private) -> /tmp/snap.rootfs_*/var/lib/snapd/hostfs/,

# pivot_root mediation in AppArmor is not complete. See LP: #1791711.
# However, we can mediate the new_root and put_old to be what we expect,
# and then deny directory creation within old_root to prevent trivial
# pivoting into a whitelisted path.
pivot_root oldroot=/tmp/snap.rootfs_*/var/lib/snapd/hostfs/ /tmp/snap.rootfs_*/,
# Explicitly deny creating the old_root directory in case it is
# inadvertently added somewhere else. While this doesn't resolve
# LP: #1791711, it provides some hardening.
# For dir on dir mounts, we do need write permissions in /var though
# This deny takes priority over the "/tmp/snap.rootfs_** rw" allow above,
# and "audit" makes any attempt show up in the log.
audit deny /tmp/snap.rootfs_*/{var/lib/,var/lib/snapd/,var/lib/snapd/hostfs/} w,

# cleanup
umount /var/lib/snapd/hostfs/tmp/snap.rootfs_*/,
umount /var/lib/snapd/hostfs/sys/,
umount /var/lib/snapd/hostfs/dev/,
umount /var/lib/snapd/hostfs/proc/,
mount options=(rw rslave) -> /var/lib/snapd/hostfs/,

# Hide /writable from view of snaps.
mount options=(rprivate) -> /{,var/lib/snapd/hostfs/}writable/,
umount /{,var/lib/snapd/hostfs/}writable/,

# set up user mount namespace
mount options=(rslave) -> /,

# set up mount namespace for parallel instances of classic snaps
mount options=(rw rbind) /var/lib/snapd/snap/{,*/} -> /var/lib/snapd/snap/{,*/},
mount options=(rslave) -> /var/lib/snapd/snap/,
mount options=(rslave) -> /var/snap/,
mount options=(rw rbind) /var/snap/{,*/} -> /var/snap/{,*/},
mount options=(rw rshared) -> /var/snap/,

# Allow reading the os-release file (possibly a symlink to /usr/lib).
/{etc/,usr/lib/}os-release r,

# Allow creating /var/lib/snapd/hostfs, if missing
/var/lib/snapd/hostfs/ rw,

# set up snap-specific private /tmp dir
capability chown,
/tmp/ rw,
/tmp/snap-private-tmp/ rw,
/tmp/snap-private-tmp/snap.*/ rw,
/tmp/snap-private-tmp/snap.*/tmp/ rw,
mount options=(rw private) -> /tmp/,
mount options=(rw bind) /tmp/snap-private-tmp/snap.*/tmp/ -> /tmp/,
mount fstype=devpts options=(rw) devpts -> /dev/pts/,
mount options=(rw bind) /dev/pts/ptmx -> /dev/ptmx, # for bind mounting
mount options=(rw bind) /dev/pts/ptmx -> /dev/pts/ptmx, # for bind mounting under LXD
# Workaround for LP: #1584456 on older kernels that mistakenly think
# /dev/pts/ptmx needs a trailing '/'
mount options=(rw bind) /dev/pts/ptmx/ -> /dev/ptmx/,
mount options=(rw bind) /dev/pts/ptmx/ -> /dev/pts/ptmx/,

# for running snaps on classic
/snap/ r,
/snap/** r,
/var/lib/snapd/snap/ r,
/var/lib/snapd/snap/** r,

# NOTE: at this stage the /snap directory is stable as we have called
# pivot_root already.

# nvidia handling, glob needs /usr/** and the launcher must be
# able to bind mount the nvidia dir
/sys/module/nvidia/version r,
/sys/**/drivers/nvidia{,_*}/* r,
/sys/**/nvidia*/uevent r,
/sys/module/nvidia{,_*}/* r,
/dev/nvidia[0-9]* r,
/dev/nvidiactl r,
/dev/nvidia-uvm r,
# Broad read of /usr, justified above by the nvidia glob; read-only, no map
# or exec.
/usr/** r,
# (the next two rules are identical; harmless duplication)
mount options=(rw bind) /usr/lib{,32}/nvidia-*/ -> /{tmp/snap.rootfs_*/,}var/lib/snapd/lib/gl{,32}/,
mount options=(rw bind) /usr/lib{,32}/nvidia-*/ -> /{tmp/snap.rootfs_*/,}var/lib/snapd/lib/gl{,32}/,
/tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/{,*} w,
# The staging tmpfs is nodev,noexec and is remounted read-only once populated.
mount fstype=tmpfs options=(rw nodev noexec) none -> /tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/,
mount options=(remount ro bind) -> /tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/,

# Vulkan support
/tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/{,*} w,
mount fstype=tmpfs options=(rw nodev noexec) none -> /tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/,
mount options=(remount ro bind) -> /tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/,

# GLVND EGL vendor
/tmp/snap.rootfs_*/var/lib/snapd/lib/glvnd/{,*} w,
mount fstype=tmpfs options=(rw nodev noexec) none -> /tmp/snap.rootfs_*/var/lib/snapd/lib/glvnd/,
mount options=(remount ro bind) -> /tmp/snap.rootfs_*/var/lib/snapd/lib/glvnd/,

# create gl dirs as needed
/tmp/snap.rootfs_*/ r,
/tmp/snap.rootfs_*/var/ r,
/tmp/snap.rootfs_*/var/lib/ r,
/tmp/snap.rootfs_*/var/lib/snapd/ r,
/tmp/snap.rootfs_*/var/lib/snapd/lib/ r,
/tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/ r,
/tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/** rw,
/tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/ r,
/tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/** rw,
/tmp/snap.rootfs_*/var/lib/snapd/lib/glvnd/ r,
/tmp/snap.rootfs_*/var/lib/snapd/lib/glvnd/** rw,

# for chroot on steroids, we use pivot_root as a better chroot that makes
# apparmor rules behave the same on classic and outside of classic.

# for creating the user data directories: ~/snap, ~/snap/<name> and
# ~/snap/<name>/<version>
/ r,
@{HOMEDIRS}/ r,
# These should both have 'owner' match but due to LP: #1466234, we can't
# yet
@{HOME}/ r,
@{HOME}/snap/{,*/,*/*/} rw,

# experimental
@{HOME}/.snap/ rw,
@{HOME}/.snap/data/{,*/,*/*/} rw,
@{HOME}/Snap/{,*/,*/*/} rw,

# Special case for *classic* snaps that are used by users with existing dirs
# in /var/lib/. Like jenkins, postgresql, mysql, puppet, ...
# (see https://forum.snapcraft.io/t/9717)
# TODO: this can be removed once we support home-dirs outside of /home
# better
/var/ r,
/var/lib/ r,
# These should both have 'owner' match but due to LP: #1466234, we can't
# yet
/var/lib/*/ r,
/var/lib/*/snap/{,*/,*/*/} rw,

# for creating the user shared memory directories
/{dev,run}/{,shm/} r,
# These should both have 'owner' match but due to LP: #1466234, we can't yet
/{dev,run}/shm/{,*/,*/*/} rw,

# for creating the user XDG_RUNTIME_DIR: /run/user, /run/user/UID and
# /run/user/UID/<name>
/run/user/{,[0-9]*/,[0-9]*/*/} rw,

# Workaround https://launchpad.net/bugs/359338 until upstream handles
# stacked filesystems generally.
# encrypted ~/.Private and old-style encrypted $HOME
@{HOME}/.Private/ r,
@{HOME}/.Private/** mrwlk,
# new-style encrypted $HOME
@{HOMEDIRS}/.ecryptfs/*/.Private/ r,
@{HOMEDIRS}/.ecryptfs/*/.Private/** mrwlk,

# Allow snap-confine to move to the void, creating it if necessary.
/var/lib/snapd/void/ rw,

# Allow snap-confine to read snap contexts
/var/lib/snapd/context/snap.* r,

# Allow snap-confine to unmount stale mount namespaces.
umount /run/snapd/ns/*.mnt,
/run/snapd/ns/snap.*.fstab w,
# Allow snap-confine to read and write mount namespace information files.
/run/snapd/ns/snap.*.info rw,
# Required to correctly unmount bound mount namespace.
# See LP: #1735459 for details.
umount /,

# support for locking
/run/snapd/lock/ rw,
/run/snapd/lock/*.lock rwk,

# support for the mount namespace sharing
capability sys_ptrace,
# allow snap-confine to read /proc/1/ns/mnt
ptrace read peer=unconfined,
# https://forum.snapcraft.io/t/custom-kernel-error-on-readlinkat-in-mount-namespace/6097/21
# NOTE(review): "trace" on unconfined peers is considerably stronger than the
# "read" needed for /proc/1/ns/mnt; it is a workaround for the kernel issue
# in the linked thread — worth re-checking whether it is still required.
ptrace trace peer=unconfined,

mount options=(rw rbind) /run/snapd/ns/ -> /run/snapd/ns/,
mount options=(private) -> /run/snapd/ns/,
# NOTE(review): write on the root directory itself; presumably so missing
# top-level mount points (e.g. under /run) can be created — confirm.
/ rw,
/run/ rw,
/run/snapd/ rw,
/run/snapd/ns/ rw,
/run/snapd/ns/*.lock rwk,
/run/snapd/ns/*.mnt rw,
ptrace (read, readby, tracedby) peer=/usr/lib/snapd/snap-confine//mount-namespace-capture-helper,
@{PROC}/*/mountinfo r,
capability sys_chroot,
# (sys_admin is already granted above; repeated here for the namespace code)
capability sys_admin,
signal (send, receive) set=(abrt) peer=/usr/lib/snapd/snap-confine,
signal (send) set=(int) peer=/usr/lib/snapd/snap-confine//mount-namespace-capture-helper,
signal (send, receive) set=(int, alrm, exists) peer=/usr/lib/snapd/snap-confine,
signal (receive) set=(exists) peer=/usr/lib/snapd/snap-confine//mount-namespace-capture-helper,

# workaround for linux 4.13/upstream, see
# https://forum.snapcraft.io/t/snapd-2-27-6-2-in-debian-sid-blocked-on-apparmor-in-kernel-4-13-0-1/2813/3
ptrace (trace, tracedby) peer=/usr/lib/snapd/snap-confine,

# Allow reading snap cookies.
/var/lib/snapd/cookie/snap.* r,

# For aa_change_hat() to go into ^mount-namespace-capture-helper
@{PROC}/[0-9]*/attr/{,apparmor/}current w,

# As a special exception allow snap-confine to write to anything in /var/lib.
# This code should be changed to allow delegation so that snap-confine can
# inherit any file descriptor and pass it to the invoked application but
# this is not possible in apparmor yet.
# See https://bugs.launchpad.net/snapd/+bug/1815869
# NOTE(review): since snap-confine runs as root, this rule (not DAC) is what
# bounds writes under /var/lib, including snapd's own state directory; it is
# the widest file rule in the profile and is the first thing to revisit once
# the linked bug is resolved.
/var/lib/** rw,

# Hat entered via aa_change_hat() for capturing a mount namespace. A hat is a
# separate, minimal policy: nothing from the enclosing profile carries over.
^mount-namespace-capture-helper (attach_disconnected) {
# We run privileged, so be fanatical about what we include and don't use
# any abstractions
# NOTE(review): unlike the parent profile this hat has no /etc/ld.so.preload
# rule and its libpcre rule (below) does not cover libpcre2 or versioned
# names; presumably harmless because the libraries are already mapped when
# the hat is entered — confirm, or mirror the parent's rules for consistency.
/etc/ld.so.cache r,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}ld{-*,64}.so* mrix,
# libc, you are funny
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libc{,-[0-9]*}.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libpthread{,-[0-9]*}.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libreadline{,-[0-9]*}.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}librt{,-[0-9]*}.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libgcc_s.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libncursesw{,-[0-9]*}.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libresolv{,-[0-9]*}.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libselinux.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libpcre.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libmount.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libblkid.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libuuid.so* mr,
# normal libs in order
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libapparmor.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcgmanager.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libdl{,-[0-9]*}.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnih.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnih-dbus.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libdbus-1.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libudev.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libseccomp.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcap.so* mr,

/usr/lib/snapd/snap-confine mr,

/dev/null rw,
/dev/full rw,
/dev/zero rw,
/dev/random r,
/dev/urandom r,

capability sys_ptrace,
capability sys_admin,
# This allows us to read and bind mount the namespace file
/ r,
@{PROC}/ r,
@{PROC}/*/ r,
@{PROC}/*/ns/ r,
@{PROC}/*/ns/mnt r,
/run/ r,
/run/snapd/ r,
/run/snapd/ns/ r,
/run/snapd/ns/*.mnt rw,
# NOTE: the source name is / even though we map /proc/123/ns/mnt
mount options=(rw bind) / -> /run/snapd/ns/*.mnt,
# This is the SIGALRM that we send and receive if a timeout expires
signal (send, receive) set=(alrm) peer=/usr/lib/snapd/snap-confine//mount-namespace-capture-helper,
# Those two rules are exactly the same but we don't know if the parent process is still alive
# and hence has the appropriate label or is already dead and hence has no label.
signal (send) set=(exists) peer=/usr/lib/snapd/snap-confine,
signal (send) set=(exists) peer=unconfined,
# This is so that we can abort
signal (send, receive) set=(abrt) peer=/usr/lib/snapd/snap-confine//mount-namespace-capture-helper,
# This is the signal we get if snap-confine dies (we subscribe to it with prctl)
signal (receive) set=(int) peer=/usr/lib/snapd/snap-confine,
# This allows snap-confine to be killed from the outside.
signal (receive) peer=unconfined,
# This allows snap-confine to wait for us
ptrace (read, trace, tracedby) peer=/usr/lib/snapd/snap-confine,
}

# Allow snap-confine to be killed
signal (receive) peer=unconfined,

# Allow switching to snap-update-ns with a per-snap profile.
# (No "unsafe" here, so the environment is scrubbed on this transition.)
change_profile -> snap-update-ns.*,

# Allow executing snap-update-ns when...

# ...snap-confine is, conceptually, re-executing and uses snap-update-ns
# from the distribution package. This is also the location used when using
# the core/base snap on all-snap systems. The variants here represent
# various locations of libexecdir across distributions.
/usr/lib{,exec,64}/snapd/snap-update-ns r,

# ...snap-confine is not, conceptually, re-executing and uses
# snap-update-ns from the distribution package but we are already inside
# the constructed mount namespace so we must traverse "hostfs". The
# variants here represent various locations of libexecdir across
# distributions.
/var/lib/snapd/hostfs/usr/lib{,exec,64}/snapd/snap-update-ns r,

# ...snap-confine is, conceptually, re-executing and uses snap-update-ns
# from the core or snapd snaps. Note that the location of the actual snap
# varies from distribution to distribution. The variants here represent
# different locations of snap mount directory across distributions.
/{,var/lib/snapd/}snap/{core,snapd}/*/usr/lib/snapd/snap-update-ns r,

# ...snap-confine is, conceptually, re-executing and uses snap-update-ns
# from the core snap or snapd snap, but we are already inside the
# constructed mount namespace. Here the apparmor kernel module
# re-constructs the path to snap-update-ns using the "hostfs" mount entry
# rather than the more "natural" /snap mount entry but we have no control
# over that. This is reported as (LP: #1716339). The variants here
# represent different locations of snap mount directory across
# distributions.
/var/lib/snapd/hostfs/{,var/lib/snapd/}snap/{core,snapd}/*/usr/lib/snapd/snap-update-ns r,

# Allow executing snap-discard-ns, just like the set for snap-update-ns
# above but with the key difference that snap-discard-ns does not
# have a dedicated profile so we need to inherit snap-confine's profile.
# NOTE(review): "ix" means snap-discard-ns runs with this profile's full
# capability set and file rules; these four paths are the complete list of
# binaries (besides tr above) that may do so.

/usr/lib{,exec,64}/snapd/snap-discard-ns rix,
/var/lib/snapd/hostfs/usr/lib{,exec,64}/snapd/snap-discard-ns rix,
/{,var/lib/snapd/}snap/{core,snapd}/*/usr/lib/snapd/snap-discard-ns rix,
/var/lib/snapd/hostfs/{,var/lib/snapd/}snap/{core,snapd}/*/usr/lib/snapd/snap-discard-ns rix,

# Allow mounting /var/lib/jenkins from the host into the snap.
mount options=(rw rbind) /var/lib/jenkins/ -> /tmp/snap.rootfs_*/var/lib/jenkins/,
mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/lib/jenkins/,

# Suppress noisy file_inherit denials (LP: #1850552) until LP: #1849753 is
# fixed.
deny /dev/shm/.org.chromium.Chromium.* rw,

# While snap-confine itself doesn't require unix rules and therefore all
# unix rules are implicitly denied, adding an explicit deny for unix to
# silence noisy denials breaks nested lxd. Until the cause is determined,
# do not use an explicit deny for unix. (LP: #1855355)
#deny unix,

# Explicitly deny these accesses which show up on Arch to silence the
# denials for this unneeded access.
# NOTE(review): the nsswitch.conf / passwd denies also mean any NSS user
# lookup from snap-confine fails quietly; keep that in mind if the code ever
# needs to resolve a user name (e.g. for $HOME) rather than a numeric uid.
deny /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnss_files-[0-9]*.so* mr,
deny /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnss_mymachines.[0-9]*.so* mr,
deny /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnss_systemd.[0-9]*.so* mr,
deny /etc/nsswitch.conf r,
deny /etc/passwd r,
}