- # Description: Allows access to app-specific directories and basic runtime
- # Usage: common
- # vim:syntax=apparmor
- #include <tunables/global>
- # snapd supports the concept of 'parallel installs' where snaps with the same
- # name are differentiated by '_<instance>' such that foo, foo_bar and foo_baz
- # may all be installed on the system. To support this, SNAP_NAME is set to the
- # name (eg, 'foo') while SNAP_INSTANCE_NAME is set to the instance name (eg
- # 'foo_bar'). The profile name and most rules therefore reference
- # SNAP_INSTANCE_NAME. In some cases, snapd will adjust the snap's runtime
- # environment so the snap doesn't have to be aware of the distinction (eg,
- # SNAP, SNAP_DATA and SNAP_COMMON are all bind mounted onto a directory with
- # SNAP_NAME so the security policy will allow writing to both locations (since
- # they are equivalent).
- # This is a snap name without the instance key
- @{SNAP_NAME}="snap-store"
- # This is a snap name with instance key. It is identical to SNAP_NAME here,
- # so this policy was generated for a plain (non-parallel) install; the
- # {@{SNAP_NAME},@{SNAP_INSTANCE_NAME}} alternations in the rules below then
- # expand to a single path.
- @{SNAP_INSTANCE_NAME}="snap-store"
- # The app (command) within the snap; the profile name on the 'profile' line
- # is built as snap.<instance name>.<command name>.
- @{SNAP_COMMAND_NAME}="ubuntu-software"
- # Revision this policy was generated for. Only the per-revision and 'common'
- # areas under @{INSTALL_DIR}, /var/snap and ~/snap are writable for it; other
- # revisions are read-only.
- @{SNAP_REVISION}="357"
- # Profile name with '.' and '-' escaped as _2e and _2d (the DBus-safe form of
- # the label); presumably consumed by DBus rules — not referenced in the rules
- # visible here.
- @{PROFILE_DBUS}="snap_2esnap_2dstore_2eubuntu_2dsoftware"
- # Alternation covering both mount roots: /snap and /var/lib/snapd/snap.
- @{INSTALL_DIR}="/{,var/lib/snapd/}snap"
- profile "snap.snap-store.ubuntu-software" (attach_disconnected,mediate_deleted) {
- #include <abstractions/base>
- #include <abstractions/consoles>
- #include <abstractions/openssl>
- # While this is in later versions of the base abstraction, include it
- # explicitly for series 16 and cross-distro
- /etc/ld.so.preload r,
- # The base abstraction doesn't yet have this
- /etc/sysconfig/clock r,
- /lib/terminfo/** rk,
- /usr/share/terminfo/** k,
- /usr/share/zoneinfo/** k,
- owner @{PROC}/@{pid}/maps k,
- # While the base abstraction has rules for encryptfs encrypted home and
- # private directories, it is missing rules for directory read on the toplevel
- # directory of the mount (LP: #1848919)
- owner @{HOME}/.Private/ r,
- owner @{HOMEDIRS}/.ecryptfs/*/.Private/ r,
- # for python apps/services
- #include <abstractions/python>
- /usr/bin/python{,2,2.[0-9]*,3,3.[0-9]*} ixr,
- # additional accesses needed for newer pythons in later bases
- /usr/lib{,32,64}/python3.[0-9]/**.{pyc,so} mr,
- /usr/lib{,32,64}/python3.[0-9]/**.{egg,py,pth} r,
- /usr/lib{,32,64}/python3.[0-9]/{site,dist}-packages/ r,
- /usr/lib{,32,64}/python3.[0-9]/lib-dynload/*.so mr,
- /etc/python3.[0-9]/** r,
- /usr/include/python3.[0-9]*/pyconfig.h r,
- # explicitly deny noisy denials to read-only filesystems (see LP: #1496895
- # for details)
- deny /usr/lib/python3*/{,**/}__pycache__/ w,
- deny /usr/lib/python3*/{,**/}__pycache__/**.pyc.[0-9]* w,
- # bind mount used here (see 'parallel installs', above)
- deny @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/**/__pycache__/ w,
- deny @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/**/__pycache__/*.pyc.[0-9]* w,
- # for perl apps/services
- #include <abstractions/perl>
- /usr/bin/perl{,5*} ixr,
- # AppArmor <2.12 doesn't have rules for perl-base, so add them here
- /usr/lib/@{multiarch}/perl{,5,-base}/** r,
- /usr/lib/@{multiarch}/perl{,5,-base}/[0-9]*/**.so* mr,
- # Note: the following dangerous accesses should not be allowed in most
- # policy, but we cannot explicitly deny since other trusted interfaces might
- # add them.
- # Explicitly deny ptrace for now since it can be abused to break out of the
- # seccomp sandbox. https://lkml.org/lkml/2015/3/18/823
- #audit deny ptrace (trace),
- # Explicitly deny capability mknod so apps can't create devices
- #audit deny capability mknod,
- # Explicitly deny mount, remount and umount so apps can't modify things in
- # their namespace
- #audit deny mount,
- #audit deny remount,
- #audit deny umount,
- # End dangerous accesses
- # Note: this potentially allows snaps to DoS other snaps via resource
- # exhaustion but we can't sensibly mediate this today. In the future we may
- # employ cgroup limits, AppArmor rlimit mlock rules or something else.
- capability ipc_lock,
- # for bash 'binaries' (do *not* use abstractions/bash)
- # user-specific bash files
- /{,usr/}bin/bash ixr,
- /{,usr/}bin/dash ixr,
- /etc/bash.bashrc r,
- # user/group/seat lookups
- /etc/{passwd,group,nsswitch.conf} r, # very common
- /var/lib/extrausers/{passwd,group} r,
- /run/systemd/users/[0-9]* r,
- /etc/default/nss r,
- # libnss-systemd (subset from nameservice abstraction)
- #
- # https://systemd.io/USER_GROUP_API/
- # https://systemd.io/USER_RECORD/
- # https://www.freedesktop.org/software/systemd/man/nss-systemd.html
- #
- # Allow User/Group lookups via common VarLink socket APIs. Applications need
- # to either consult all of them or the io.systemd.Multiplexer frontend.
- /run/systemd/userdb/ r,
- /run/systemd/userdb/io.systemd.Multiplexer rw,
- /run/systemd/userdb/io.systemd.DynamicUser rw, # systemd-exec users
- /run/systemd/userdb/io.systemd.Home rw, # systemd-home dirs
- /run/systemd/userdb/io.systemd.NameServiceSwitch rw, # UNIX/glibc NSS
- /etc/libnl-3/{classid,pktloc} r, # apps that use libnl
- /etc/profile r,
- /etc/environment r,
- /usr/share/terminfo/** r,
- /etc/inputrc r,
- # Common utilities for shell scripts
- /{,usr/}bin/arch ixr,
- /{,usr/}bin/{,g,m}awk ixr,
- /{,usr/}bin/base32 ixr,
- /{,usr/}bin/base64 ixr,
- /{,usr/}bin/basename ixr,
- /{,usr/}bin/bunzip2 ixr,
- /{,usr/}bin/bzcat ixr,
- /{,usr/}bin/bzdiff ixr,
- /{,usr/}bin/bzgrep ixr,
- /{,usr/}bin/bzip2 ixr,
- /{,usr/}bin/cat ixr,
- /{,usr/}bin/chgrp ixr,
- /{,usr/}bin/chmod ixr,
- /{,usr/}bin/chown ixr,
- /{,usr/}bin/clear ixr,
- /{,usr/}bin/cmp ixr,
- /{,usr/}bin/cp ixr,
- /{,usr/}bin/cpio ixr,
- /{,usr/}bin/cut ixr,
- /{,usr/}bin/date ixr,
- /{,usr/}bin/dbus-daemon ixr,
- /{,usr/}bin/dbus-run-session ixr,
- /{,usr/}bin/dbus-send ixr,
- /{,usr/}bin/dd ixr,
- /{,usr/}bin/diff{,3} ixr,
- /{,usr/}bin/dir ixr,
- /{,usr/}bin/dirname ixr,
- /{,usr/}bin/du ixr,
- /{,usr/}bin/echo ixr,
- /{,usr/}bin/{,e,f,r}grep ixr,
- /{,usr/}bin/env ixr,
- /{,usr/}bin/expr ixr,
- /{,usr/}bin/false ixr,
- /{,usr/}bin/find ixr,
- /{,usr/}bin/flock ixr,
- /{,usr/}bin/fmt ixr,
- /{,usr/}bin/fold ixr,
- /{,usr/}bin/getconf ixr,
- /{,usr/}bin/getent ixr,
- /{,usr/}bin/getopt ixr,
- /{,usr/}bin/groups ixr,
- /{,usr/}bin/gzip ixr,
- /{,usr/}bin/head ixr,
- /{,usr/}bin/hostname ixr,
- /{,usr/}bin/id ixr,
- /{,usr/}bin/igawk ixr,
- /{,usr/}bin/infocmp ixr,
- /{,usr/}bin/kill ixr,
- /{,usr/}bin/ldd ixr,
- /{usr/,}lib{,32,64}/ld{,32,64}-*.so ix,
- /{usr/,}lib/@{multiarch}/ld{,32,64}-*.so ix,
- /{,usr/}bin/less{,file,pipe} ixr,
- /{,usr/}bin/ln ixr,
- /{,usr/}bin/line ixr,
- /{,usr/}bin/link ixr,
- /{,usr/}bin/locale ixr,
- /{,usr/}bin/logger ixr,
- /{,usr/}bin/ls ixr,
- /{,usr/}bin/md5sum ixr,
- /{,usr/}bin/mkdir ixr,
- /{,usr/}bin/mkfifo ixr,
- /{,usr/}bin/mknod ixr,
- /{,usr/}bin/mktemp ixr,
- /{,usr/}bin/more ixr,
- /{,usr/}bin/mv ixr,
- /{,usr/}bin/nice ixr,
- /{,usr/}bin/nohup ixr,
- /{,usr/}bin/od ixr,
- /{,usr/}bin/openssl ixr, # may cause harmless capability block_suspend denial
- /{,usr/}bin/paste ixr,
- /{,usr/}bin/pgrep ixr,
- /{,usr/}bin/printenv ixr,
- /{,usr/}bin/printf ixr,
- /{,usr/}bin/ps ixr,
- /{,usr/}bin/pwd ixr,
- /{,usr/}bin/readlink ixr,
- /{,usr/}bin/realpath ixr,
- /{,usr/}bin/rev ixr,
- /{,usr/}bin/rm ixr,
- /{,usr/}bin/rmdir ixr,
- /{,usr/}bin/run-parts ixr,
- /{,usr/}bin/sed ixr,
- /{,usr/}bin/seq ixr,
- /{,usr/}bin/sha{1,224,256,384,512}sum ixr,
- /{,usr/}bin/shuf ixr,
- /{,usr/}bin/sleep ixr,
- /{,usr/}bin/sort ixr,
- /{,usr/}bin/stat ixr,
- /{,usr/}bin/stdbuf ixr,
- /{,usr/}bin/stty ixr,
- /{,usr/}bin/sync ixr,
- /{,usr/}bin/systemd-cat ixr,
- /{,usr/}bin/tac ixr,
- /{,usr/}bin/tail ixr,
- /{,usr/}bin/tar ixr,
- /{,usr/}bin/tee ixr,
- /{,usr/}bin/test ixr,
- /{,usr/}bin/tempfile ixr,
- /{,usr/}bin/tset ixr,
- /{,usr/}bin/touch ixr,
- /{,usr/}bin/tput ixr,
- /{,usr/}bin/tr ixr,
- /{,usr/}bin/true ixr,
- /{,usr/}bin/tty ixr,
- /{,usr/}bin/uname ixr,
- /{,usr/}bin/uniq ixr,
- /{,usr/}bin/unlink ixr,
- /{,usr/}bin/unxz ixr,
- /{,usr/}bin/unzip ixr,
- /{,usr/}bin/vdir ixr,
- /{,usr/}bin/wc ixr,
- /{,usr/}bin/which ixr,
- /{,usr/}bin/xargs ixr,
- /{,usr/}bin/xz ixr,
- /{,usr/}bin/yes ixr,
- /{,usr/}bin/zcat ixr,
- /{,usr/}bin/z{,e,f}grep ixr,
- /{,usr/}bin/zip ixr,
- /{,usr/}bin/zipgrep ixr,
- # For snappy reexec on 4.8+ kernels
- /usr/lib/snapd/snap-exec m,
- # For gdb support
- /usr/lib/snapd/snap-gdb-shim ixr,
- # For in-snap tab completion
- /etc/bash_completion.d/{,*} r,
- /usr/lib/snapd/etelpmoc.sh ixr, # marshaller (see complete.sh for out-of-snap unmarshal)
- /usr/share/bash-completion/bash_completion r, # user-provided completions (run in-snap) may use functions from here
- # For printing the cache (we don't allow updating the cache)
- /{,usr/}sbin/ldconfig{,.real} ixr,
- # uptime
- /{,usr/}bin/uptime ixr,
- @{PROC}/uptime r,
- @{PROC}/loadavg r,
- # lsb-release
- /usr/bin/lsb_release ixr,
- /usr/bin/ r,
- /usr/share/distro-info/*.csv r,
- # Allow reading /etc/os-release. On Ubuntu 16.04+ it is a symlink to /usr/lib
- # which is allowed by the base abstraction, but on 14.04 it is an actual file
- # so it needs to be added here. Also allow read locks on the file.
- /etc/os-release rk,
- /usr/lib/os-release k,
- # systemd native journal API (see sd_journal_print(4)). This should be in
- # AppArmor's base abstraction, but until it is, include here.
- /run/systemd/journal/socket w,
- /run/systemd/journal/stdout rw, # 'r' shouldn't be needed, but journald
- # doesn't leak anything so allow
- # snapctl and its requirements
- /usr/bin/snapctl ixr,
- /usr/lib/snapd/snapctl ixr,
- @{PROC}/sys/net/core/somaxconn r,
- /run/snapd-snap.socket rw,
- # Note: for now, don't explicitly deny this noisy denial so --devmode isn't
- # broken but eventually we may conditionally deny this since it is an
- # information leak.
- #deny /{,var/}run/utmp r,
- # java
- @{PROC}/@{pid}/ r,
- @{PROC}/@{pid}/fd/ r,
- owner @{PROC}/@{pid}/auxv r,
- @{PROC}/sys/vm/zone_reclaim_mode r,
- /etc/lsb-release r,
- /sys/devices/**/read_ahead_kb r,
- /sys/devices/system/cpu/** r,
- /sys/devices/system/node/node[0-9]*/* r,
- /sys/kernel/mm/transparent_hugepage/enabled r,
- /sys/kernel/mm/transparent_hugepage/defrag r,
- # NOTE: this leaks the names of running processes, but java seems to want it
- # (even though it seems to operate ok without it) and SDL apps crash without
- # it. Allow owner match until AppArmor kernel var is available to solve this
- # properly (see LP: #1546825 for details). comm is a subset of cmdline, so
- # allow it too.
- owner @{PROC}/@{pid}/cmdline r,
- owner @{PROC}/@{pid}/comm r,
- # Per man(5) proc, the kernel enforces that a thread may only modify its comm
- # value or those in its thread group.
- owner @{PROC}/@{pid}/task/@{tid}/comm rw,
- # Allow reading and writing to our file descriptors in /proc which, for
- # example, allow access to /dev/std{in,out,err} which are all symlinks to
- # /proc/self/fd/{0,1,2} respectively. To support the open(..., O_TMPFILE)
- # linkat() temporary file technique, allow all fds. Importantly, access to
- # another's task's fd via this proc interface is mediated via 'ptrace (read)'
- # (readonly) and 'ptrace (trace)' (read/write) which is denied by default, so
- # this rule by itself doesn't allow opening another snap's fds via proc.
- owner @{PROC}/@{pid}/{,task/@{tid}}fd/[0-9]* rw,
- # Miscellaneous accesses
- /dev/{,u}random w,
- /etc/machine-id r,
- /etc/mime.types r,
- @{PROC}/ r,
- @{PROC}/version r,
- @{PROC}/version_signature r,
- /etc/{,writable/}hostname r,
- /etc/{,writable/}localtime r,
- /etc/{,writable/}mailname r,
- /etc/{,writable/}timezone r,
- owner @{PROC}/@{pid}/cgroup rk,
- @{PROC}/@{pid}/io r,
- owner @{PROC}/@{pid}/limits r,
- owner @{PROC}/@{pid}/loginuid r,
- @{PROC}/@{pid}/smaps r,
- @{PROC}/@{pid}/stat r,
- @{PROC}/@{pid}/statm r,
- @{PROC}/@{pid}/status r,
- @{PROC}/@{pid}/task/ r,
- @{PROC}/@{pid}/task/[0-9]*/smaps r,
- @{PROC}/@{pid}/task/[0-9]*/stat r,
- @{PROC}/@{pid}/task/[0-9]*/statm r,
- @{PROC}/@{pid}/task/[0-9]*/status r,
- @{PROC}/sys/fs/pipe-max-size r,
- @{PROC}/sys/kernel/hostname r,
- @{PROC}/sys/kernel/osrelease r,
- @{PROC}/sys/kernel/ostype r,
- @{PROC}/sys/kernel/pid_max r,
- @{PROC}/sys/kernel/yama/ptrace_scope r,
- @{PROC}/sys/kernel/shmmax r,
- @{PROC}/sys/fs/file-max r,
- @{PROC}/sys/fs/inotify/max_* r,
- @{PROC}/sys/kernel/pid_max r,
- @{PROC}/sys/kernel/random/boot_id r,
- @{PROC}/sys/kernel/random/uuid r,
- # Allow access to the uuidd daemon (this daemon is a thin wrapper around
- # time and getrandom()/{,u}random and, when available, runs under an
- # unprivileged, dedicated user).
- /run/uuidd/request r,
- /sys/devices/virtual/tty/{console,tty*}/active r,
- /sys/fs/cgroup/memory/memory.limit_in_bytes r,
- /sys/fs/cgroup/memory/snap.@{SNAP_INSTANCE_NAME}{,.*}/memory.limit_in_bytes r,
- /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
- /sys/module/apparmor/parameters/enabled r,
- /{,usr/}lib/ r,
- # Reads of oom_adj and oom_score_adj are safe
- owner @{PROC}/@{pid}/oom_{,score_}adj r,
- # Note: for now, don't explicitly deny write access so --devmode isn't broken
- # but eventually we may conditionally deny this since it allows the process
- # to increase the oom heuristic of other processes (make them more likely to
- # be killed). Once AppArmor kernel var is available to solve this properly,
- # this can safely be allowed since non-root processes won't be able to
- # decrease the value and root processes will only be able to with
- # 'capability sys_resource,' which we deny by default.
- # deny owner @{PROC}/@{pid}/oom_{,score_}adj w,
- # Eases hardware assignment (doesn't give anything away)
- /etc/udev/udev.conf r,
- /sys/ r,
- /sys/bus/ r,
- /sys/class/ r,
- # this leaks interface names and stats, but not in a way that is traceable
- # to the user/device
- @{PROC}/net/dev r,
- @{PROC}/@{pid}/net/dev r,
- # Read-only of this snap
- /var/lib/snapd/snaps/@{SNAP_NAME}_*.snap r,
- # Read-only for the install directory
- # bind mount used here (see 'parallel installs', above)
- @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/ r,
- @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}}/ r,
- @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}}/** mrklix,
- # Read-only install directory for other revisions to help with bugs like
- # LP: #1616650 and LP: #1655992
- @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/** mrkix,
- # Read-only home area for other versions
- # bind mount *not* used here (see 'parallel installs', above)
- owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/ r,
- owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/** mrkix,
- # Writable home area for this version.
- # bind mount *not* used here (see 'parallel installs', above)
- owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}/** wl,
- owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/common/** wl,
- # Read-only system area for other versions
- # bind mount used here (see 'parallel installs', above)
- /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/ r,
- /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/** mrkix,
- # Writable system area only for this version
- # bind mount used here (see 'parallel installs', above)
- /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/@{SNAP_REVISION}/** wl,
- /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/common/** wl,
- # The ubuntu-core-launcher creates an app-specific private restricted /tmp
- # and will fail to launch the app if something goes wrong. As such, we can
- # simply allow full access to /tmp.
- /tmp/ r,
- /tmp/** mrwlkix,
- # App-specific access to files and directories in /dev/shm. We allow file
- # access in /dev/shm for shm_open() and files in subdirectories for open()
- # bind mount *not* used here (see 'parallel installs', above)
- /{dev,run}/shm/snap.@{SNAP_INSTANCE_NAME}.** mrwlkix,
- # Also allow app-specific access for sem_open()
- /{dev,run}/shm/sem.snap.@{SNAP_INSTANCE_NAME}.* mrwlk,
- # Snap-specific XDG_RUNTIME_DIR that is based on the UID of the user
- # bind mount *not* used here (see 'parallel installs', above)
- owner /run/user/[0-9]*/snap.@{SNAP_INSTANCE_NAME}/ rw,
- owner /run/user/[0-9]*/snap.@{SNAP_INSTANCE_NAME}/** mrwklix,
- # Allow apps from the same package to communicate with each other via an
- # abstract or anonymous socket
- unix (bind, listen) addr="@snap.@{SNAP_INSTANCE_NAME}.**",
- unix peer=(label=snap.@{SNAP_INSTANCE_NAME}.*),
- # Allow apps from the same package to communicate with each other via DBus.
- # Note: this does not grant access to the DBus sockets of well known buses
- # (will still need to use an appropriate interface for that).
- dbus (receive, send) peer=(label=snap.@{SNAP_INSTANCE_NAME}.*),
- # In addition to the above, dbus-run-session attempts reading these files
- # from the snap base runtime.
- /usr/share/dbus-1/services/{,*} r,
- /usr/share/dbus-1/system-services/{,*} r,
- # Allow apps to perform DBus introspection on org.freedesktop.DBus for both
- # the system and session buses.
- # Note: this does not grant access to the DBus sockets of these buses, but
- # we grant it here since it is missing from the dbus abstractions
- # (LP: #1866168)
- dbus (send)
- bus={session,system}
- path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus.Introspectable
- member=Introspect
- peer=(label=unconfined),
- # Allow apps from the same package to signal each other via signals
- signal peer=snap.@{SNAP_INSTANCE_NAME}.*,
- # Allow receiving signals from all snaps (and focus on mediating sending of
- # signals)
- signal (receive) peer=snap.*,
- # Allow receiving signals from unconfined (eg, systemd)
- signal (receive) peer=unconfined,
- # for 'udevadm trigger --verbose --dry-run --tag-match=snappy-assign'
- /{,s}bin/udevadm ixr,
- /etc/udev/udev.conf r,
- /{,var/}run/udev/tags/snappy-assign/ r,
- @{PROC}/cmdline r,
- /sys/devices/**/uevent r,
- # LP: #1447237: adding '--property-match=SNAPPY_APP=<pkgname>' to the above
- # requires:
- # /run/udev/data/* r,
- # but that reveals too much about the system and cannot be granted to apps
- # by default at this time.
- # For convenience, allow apps to see what is in /dev even though cgroups
- # will block most access
- /dev/ r,
- /dev/**/ r,
- # Allow setting up pseudoterminal via /dev/pts system. This is safe because
- # the launcher uses a per-app devpts newinstance.
- /dev/ptmx rw,
- # Do the same with /sys/devices and /sys/class to help people using hw-assign
- /sys/devices/ r,
- /sys/devices/**/ r,
- /sys/class/ r,
- /sys/class/**/ r,
- # Allow all snaps to chroot
- capability sys_chroot,
- /{,usr/}sbin/chroot ixr,
- # Lttng tracing is very noisy and should not be allowed by confined apps. Can
- # safely deny for the normal case (LP: #1260491). If/when an lttng-trace
- # interface is needed, we can rework this.
- deny /{dev,run,var/run}/shm/lttng-ust-* rw,
- # Allow read-access on /home/ for navigating to other parts of the
- # filesystem. While this allows enumerating users, this is already allowed
- # via /etc/passwd and getent.
- @{HOMEDIRS}/ r,
- # Allow read-access to / for navigating to other parts of the filesystem.
- / r,
- # Snap-specific run directory. Bind mount *not* used here
- # (see 'parallel installs', above)
- /run/snap.@{SNAP_INSTANCE_NAME}/ rw,
- /run/snap.@{SNAP_INSTANCE_NAME}/** mrwklix,
- # Allow access to the Wayland compositor server socket
- owner /run/user/[0-9]*/wayland-[0-9]* rw,
- # Needed when using QT_QPA_PLATFORM=wayland-egl (MESA dri config)
- /etc/drirc r,
- # Description: Allow access to AppStream metadata from the host system
- # Allow access to AppStream upstream metadata files
- /usr/share/metainfo/{,**} r,
- /usr/share/appdata/{,**} r,
- # Allow access to AppStream collection metadata
- /usr/share/app-info/** r,
- /var/cache/app-info/** r,
- /var/lib/app-info/** r,
- # Apt symlinks the DEP-11 metadata to files in /var/lib/apt/lists
- /var/lib/apt/lists/*.yml.gz r,
- # Description: Allow access to PackageKit service which gives
- # privileged access to native package management on the system
- #include <abstractions/dbus-strict>
- # Allow communication with the main PackageKit end point.
- dbus (receive, send)
- bus=system
- path=/org/freedesktop/PackageKit
- interface=org.freedesktop.PackageKit
- peer=(label=unconfined),
- dbus (receive, send)
- bus=system
- path=/org/freedesktop/PackageKit
- interface=org.freedesktop.PackageKit.Offline
- peer=(label=unconfined),
- dbus (send)
- bus=system
- path=/org/freedesktop/PackageKit
- interface=org.freedesktop.DBus.Properties
- member=Get{,All}
- peer=(label=unconfined),
- dbus (receive)
- bus=system
- path=/org/freedesktop/PackageKit
- interface=org.freedesktop.DBus.Properties
- member=PropertiesChanged
- peer=(label=unconfined),
- dbus (send)
- bus=system
- path=/org/freedesktop/PackageKit
- interface=org.freedesktop.DBus.Introspectable
- member=Introspect
- peer=(label=unconfined),
- # Allow communication with PackageKit transactions. Transactions are
- # exported with random object paths that currently take the form
- # "/{number}_{hexstring}". If PackageKit (or a reimplementation of
- # packagekitd) changes this, then these rules will need to change too.
- dbus (receive, send)
- bus=system
- path=/[0-9]*_[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]
- interface=org.freedesktop.PackageKit.Transaction
- peer=(label=unconfined),
- dbus (send)
- bus=system
- path=/[0-9]*_[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]
- interface=org.freedesktop.DBus.Properties
- member=Get{,All}
- peer=(label=unconfined),
- dbus (receive)
- bus=system
- path=/[0-9]*_[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]
- interface=org.freedesktop.DBus.Properties
- member=PropertiesChanged
- peer=(label=unconfined),
- dbus (send)
- bus=system
- path=/[0-9]*_[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]
- interface=org.freedesktop.DBus.Introspectable
- member=Introspect
- peer=(label=unconfined),
- # Description: Allow access to password manager services provided by popular
- # Desktop Environments. This interface gives access to sensitive information
- # available in the user's session.
- #include <abstractions/dbus-session-strict>
- # Provide full access to the secret-service API:
- # - https://standards.freedesktop.org/secret-service/)
- #
- # The secret-service allows managing (add/delete/lock/etc) collections and
- # (add/delete/etc) items within collections. The API also has the concept of
- # aliases for collections which is typically used to access the default
- # collection. While it would be possible for an application developer to use a
- # snap-specific collection and mediate by object path, application developers
- # are meant instead to treat collections (typically the default collection)
- # as a database of key/value attributes each with an associated secret that
- # applications may query. Because AppArmor does not mediate member data,
- # typical and recommended usage of the API does not allow for application
- # isolation. For details, see:
- # - https://standards.freedesktop.org/secret-service/ch03.html
- #
- dbus (receive, send)
- bus=session
- path=/org/freedesktop/secrets{,/**}
- interface=org.freedesktop.DBus.*
- peer=(label=unconfined),
- dbus (receive, send)
- bus=session
- path=/org/freedesktop/secrets{,/**}
- interface=org.freedesktop.Secret.{Collection,Item,Prompt,Service,Session}
- peer=(label=unconfined),
- # KWallet's client API is still in use in KDE/Plasma. Its DBus API relies upon
- # member data for access to its 'folders' and 'entries' and it therefore does
- # not allow for application isolation via AppArmor. For details, see:
- # - https://cgit.kde.org/kdelibs.git/tree/kdeui/util/kwallet.h?h=v4.14.33
- #
- dbus (receive, send)
- bus=session
- path=/modules/kwalletd{,5}
- interface=org.freedesktop.DBus.*
- peer=(label=unconfined),
- dbus (receive, send)
- bus=session
- path=/modules/kwalletd{,5}
- interface=org.kde.KWallet
- peer=(label=unconfined),
- # Description: Allow owning a name on DBus public bus
- #include <abstractions/dbus-session-strict>
- # register on DBus
- dbus (send)
- bus=session
- path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus
- member="{Request,Release}Name"
- peer=(name=org.freedesktop.DBus, label=unconfined),
- dbus (send)
- bus=session
- path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus
- member="GetConnectionUnix{ProcessID,User}"
- peer=(name=org.freedesktop.DBus, label=unconfined),
- dbus (send)
- bus=session
- path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus
- member="GetConnectionCredentials"
- peer=(name=org.freedesktop.DBus, label=unconfined),
- # bind to a well-known DBus name: io.snapcraft.Store
- dbus (bind)
- bus=session
- name=io.snapcraft.Store,
- # For KDE applications and some other cases, also support alternation for:
- # - using org.kde.foo-PID as the 'well-known' name
- # - using org.foo.cmd_<num>_<num> as the 'well-known' name
- # Note, snapd does not allow declaring a 'well-known' name that ends with
- # '-[0-9]+' or that contains '_'. Parallel installs of DBus services aren't
- # supported at this time, but if they were, this could allow a parallel
- # install's well-known name to overlap with the normal install.
- dbus (bind)
- bus=session
- name=io.snapcraft.Store{_,-}[1-9]{,[0-9_]}{,[0-9_]}{,[0-9_]}{,[0-9_]}{,[0-9_]}{,[0-9_]}{,[0-9_]}{,[0-9_]}{,[0-9]}{,_[1-9]{,[0-9_]}{,[0-9_]}{,[0-9_]}{,[0-9_]}{,[0-9_]}{,[0-9_]}{,[0-9_]}{,[0-9_]}{,[0-9]}},
- # Allow us to talk to dbus-daemon
- dbus (receive)
- bus=session
- path="/io/snapcraft/Store{,/**}"
- peer=(name=org.freedesktop.DBus, label=unconfined),
- dbus (send)
- bus=session
- path="/io/snapcraft/Store{,/**}"
- interface=org.freedesktop.DBus.Properties
- peer=(name=org.freedesktop.DBus, label=unconfined),
- # Allow us to introspect org.freedesktop.DBus (needed by pydbus)
- dbus (send)
- bus=session
- interface=org.freedesktop.DBus.Introspectable
- member=Introspect
- peer=(name=org.freedesktop.DBus, label=unconfined),
- # Description: Allow owning a name on DBus public bus
- #include <abstractions/dbus-session-strict>
- # register on DBus
- dbus (send)
- bus=session
- path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus
- member="{Request,Release}Name"
- peer=(name=org.freedesktop.DBus, label=unconfined),
- dbus (send)
- bus=session
- path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus
- member="GetConnectionUnix{ProcessID,User}"
- peer=(name=org.freedesktop.DBus, label=unconfined),
- dbus (send)
- bus=session
- path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus
- member="GetConnectionCredentials"
- peer=(name=org.freedesktop.DBus, label=unconfined),
- # bind to a well-known DBus name: org.freedesktop.PackageKit
- dbus (bind)
- bus=session
- name=org.freedesktop.PackageKit,
- # For KDE applications and some other cases, also support alternation for:
- # - using org.kde.foo-PID as the 'well-known' name
- # - using org.foo.cmd_<num>_<num> as the 'well-known' name
- # Note, snapd does not allow declaring a 'well-known' name that ends with
- # '-[0-9]+' or that contains '_'. Parallel installs of DBus services aren't
- # supported at this time, but if they were, this could allow a parallel
- # install's well-known name to overlap with the normal install.
- dbus (bind)
- bus=session
- name=org.freedesktop.PackageKit{_,-}[1-9]{,[0-9_]}{,[0-9_]}{,[0-9_]}{,[0-9_]}{,[0-9_]}{,[0-9_]}{,[0-9_]}{,[0-9_]}{,[0-9]}{,_[1-9]{,[0-9_]}{,[0-9_]}{,[0-9_]}{,[0-9_]}{,[0-9_]}{,[0-9_]}{,[0-9_]}{,[0-9_]}{,[0-9]}},
- # Allow us to talk to dbus-daemon
- dbus (receive)
- bus=session
- path="/org/freedesktop/PackageKit{,/**}"
- peer=(name=org.freedesktop.DBus, label=unconfined),
- dbus (send)
- bus=session
- path="/org/freedesktop/PackageKit{,/**}"
- interface=org.freedesktop.DBus.Properties
- peer=(name=org.freedesktop.DBus, label=unconfined),
- # Allow us to introspect org.freedesktop.DBus (needed by pydbus)
- dbus (send)
- bus=session
- interface=org.freedesktop.DBus.Introspectable
- member=Introspect
- peer=(name=org.freedesktop.DBus, label=unconfined),
- # Description: Allow using the fwupd service. This gives privileged access to
- # the fwupd service.
- #Can access the network
- #include <abstractions/nameservice>
- #include <abstractions/ssl_certs>
- /run/systemd/resolve/stub-resolv.conf r,
- # DBus accesses
- #include <abstractions/dbus-strict>
- # systemd-resolved (not yet included in nameservice abstraction)
- #
- # Allow access to the safe members of the systemd-resolved D-Bus API:
- #
- # https://www.freedesktop.org/wiki/Software/systemd/resolved/
- #
- # This API may be used directly over the D-Bus system bus or it may be used
- # indirectly via the nss-resolve plugin:
- #
- # https://www.freedesktop.org/software/systemd/man/nss-resolve.html
- #
- dbus send
- bus=system
- path="/org/freedesktop/resolve1"
- interface="org.freedesktop.resolve1.Manager"
- member="Resolve{Address,Hostname,Record,Service}"
- peer=(name="org.freedesktop.resolve1"),
- # Allow access to fwupd service
- dbus (receive, send)
- bus=system
- path=/
- interface=org.freedesktop.fwupd
- peer=(label=unconfined),
- dbus (receive, send)
- bus=system
- path=/
- interface=org.freedesktop.DBus.Properties
- peer=(label=unconfined),
- # Allow clients to introspect the service on non-classic (due to the path,
- # allowing on classic would reveal too much for unconfined)
- dbus (send)
- bus=system
- path=/
- interface=org.freedesktop.DBus.Introspectable
- member=Introspect
- peer=(label=unconfined),
- # Description: Can access basic graphical desktop resources. To be used with
- # other interfaces (eg, wayland).
- #include <abstractions/dbus-strict>
- #include <abstractions/dbus-session-strict>
- # Allow finding the DBus session bus id (eg, via dbus_bus_get_id())
- dbus (send)
- bus=session
- path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus
- member=GetId
- peer=(name=org.freedesktop.DBus, label=unconfined),
- #include <abstractions/fonts>
- owner @{HOME}/.local/share/fonts/{,**} r,
- /var/cache/fontconfig/ r,
- /var/cache/fontconfig/** mr,
- # some applications are known to mmap fonts
- /usr/{,local/}share/fonts/** m,
- # subset of gnome abstraction
- /etc/gtk-3.0/settings.ini r,
- owner @{HOME}/.config/gtk-3.0/settings.ini r,
- # Note: this leaks directory names that wouldn't otherwise be known to the snap
- owner @{HOME}/.config/gtk-3.0/bookmarks r,
- /usr/share/icons/ r,
- /usr/share/icons/** r,
- /usr/share/icons/*/index.theme rk,
- /usr/share/pixmaps/ r,
- /usr/share/pixmaps/** r,
- /usr/share/unity/icons/** r,
- /usr/share/thumbnailer/icons/** r,
- /usr/share/themes/** r,
- # The snapcraft desktop part may look for schema files in various locations, so
- # allow reading system installed schemas.
- /usr/share/glib*/schemas/{,*} r,
- /usr/share/gnome/glib*/schemas/{,*} r,
- /usr/share/ubuntu/glib*/schemas/{,*} r,
- # subset of freedesktop.org
- owner @{HOME}/.local/share/mime/** r,
- owner @{HOME}/.config/user-dirs.* r,
- /etc/xdg/user-dirs.conf r,
- /etc/xdg/user-dirs.defaults r,
- # gmenu
- dbus (send)
- bus=session
- interface=org.gtk.Actions
- member=Changed
- peer=(name=org.freedesktop.DBus, label=unconfined),
- # notifications
- dbus (send)
- bus=session
- path=/org/freedesktop/Notifications
- interface=org.freedesktop.Notifications
- member="{GetCapabilities,GetServerInformation,Notify,CloseNotification}"
- peer=(label=unconfined),
- dbus (receive)
- bus=session
- path=/org/freedesktop/Notifications
- interface=org.freedesktop.Notifications
- member={ActionInvoked,NotificationClosed,NotificationReplied}
- peer=(label=unconfined),
- # DesktopAppInfo Launched
- dbus (send)
- bus=session
- path=/org/gtk/gio/DesktopAppInfo
- interface=org.gtk.gio.DesktopAppInfo
- member=Launched
- peer=(label=unconfined),
- # Allow requesting interest in receiving media key events. This tells Gnome
- # settings that our application should be notified when key events we are
- # interested in are pressed, and allows us to receive those events.
- dbus (receive, send)
- bus=session
- interface=org.gnome.SettingsDaemon.MediaKeys
- path=/org/gnome/SettingsDaemon/MediaKeys
- peer=(label=unconfined),
- dbus (send)
- bus=session
- interface=org.freedesktop.DBus.Properties
- path=/org/gnome/SettingsDaemon/MediaKeys
- member="Get{,All}"
- peer=(label=unconfined),
- # Allow use of snapd's internal 'xdg-open'
- /usr/bin/xdg-open ixr,
- /usr/share/applications/{,*} r,
- dbus (send)
- bus=session
- path=/
- interface=com.canonical.SafeLauncher
- member=OpenURL
- peer=(label=unconfined),
- # ... and this allows access to the new xdg-open service which
- # is now part of snapd itself.
- dbus (send)
- bus=session
- path=/io/snapcraft/Launcher
- interface=io.snapcraft.Launcher
- member={OpenURL,OpenFile}
- peer=(label=unconfined),
- # Allow checking status, activating and locking the screensaver
- # gnome/kde/freedesktop.org
- dbus (send)
- bus=session
- path="/{,org/freedesktop/,org/gnome/}ScreenSaver"
- interface="org.{freedesktop,gnome}.ScreenSaver"
- member="{GetActive,GetActiveTime,Lock,SetActive}"
- peer=(label=unconfined),
- dbus (receive)
- bus=session
- path="/{,org/freedesktop/,org/gnome/}ScreenSaver"
- interface="org.{freedesktop,gnome}.ScreenSaver"
- member=ActiveChanged
- peer=(label=unconfined),
- # Allow unconfined to introspect us
- dbus (receive)
- bus=session
- interface=org.freedesktop.DBus.Introspectable
- member=Introspect
- peer=(label=unconfined),
- # Allow use of snapd's internal 'xdg-settings'
- /usr/bin/xdg-settings ixr,
- dbus (send)
- bus=session
- path=/io/snapcraft/Settings
- interface=io.snapcraft.Settings
- member={Check,Get,Set}
- peer=(label=unconfined),
- ## Allow access to xdg-document-portal file system. Access control is
- ## handled by bind mounting a snap-specific sub-tree to this location.
- owner /run/user/[0-9]*/doc/ r,
- owner /run/user/[0-9]*/doc/** rw,
- # Allow access to xdg-desktop-portal and xdg-document-portal
- dbus (receive, send)
- bus=session
- interface=org.freedesktop.portal.*
- path=/org/freedesktop/portal/{desktop,documents}{,/**}
- peer=(label=unconfined),
- dbus (receive, send)
- bus=session
- interface=org.freedesktop.DBus.Properties
- path=/org/freedesktop/portal/{desktop,documents}{,/**}
- peer=(label=unconfined),
- # These accesses are noisy and applications can't do anything with the found
- # icon files, so explicitly deny to silence the denials
- deny /var/lib/snapd/desktop/icons/ r,
- # Description: Can access common desktop legacy methods. This gives privileged
- # access to the user's input.
- # accessibility (a11y)
- #include <abstractions/dbus-session-strict>
- dbus (send)
- bus=session
- path=/org/a11y/bus
- interface=org.a11y.Bus
- member=GetAddress
- peer=(label=unconfined),
- #include <abstractions/dbus-accessibility-strict>
- # Allow the accessibility services in the user session to send us any events
- dbus (receive)
- bus=accessibility
- peer=(label=unconfined),
- # Allow querying for capabilities and registering
- dbus (send)
- bus=accessibility
- path="/org/a11y/atspi/accessible/root"
- interface="org.a11y.atspi.Socket"
- member="Embed"
- peer=(name=org.a11y.atspi.Registry, label=unconfined),
- dbus (send)
- bus=accessibility
- path="/org/a11y/atspi/registry"
- interface="org.a11y.atspi.Registry"
- member="GetRegisteredEvents"
- peer=(name=org.a11y.atspi.Registry, label=unconfined),
- dbus (send)
- bus=accessibility
- path="/org/a11y/atspi/registry/deviceeventcontroller"
- interface="org.a11y.atspi.DeviceEventController"
- member="Get{DeviceEvent,Keystroke}Listeners"
- peer=(name=org.a11y.atspi.Registry, label=unconfined),
- dbus (send)
- bus=accessibility
- path="/org/a11y/atspi/registry/deviceeventcontroller"
- interface="org.a11y.atspi.DeviceEventController"
- member="NotifyListenersSync"
- peer=(name=org.a11y.atspi.Registry, label=unconfined),
- # org.a11y.atspi is not designed for application isolation and these rules
- # can be used to send change events for other processes.
- dbus (send)
- bus=accessibility
- path="/org/a11y/atspi/accessible/root"
- interface="org.a11y.atspi.Event.Object"
- member="ChildrenChanged"
- peer=(name=org.freedesktop.DBus, label=unconfined),
- dbus (send)
- bus=accessibility
- path="/org/a11y/atspi/accessible/root"
- interface="org.a11y.atspi.Accessible"
- member="Get*"
- peer=(label=unconfined),
- dbus (send)
- bus=accessibility
- path="/org/a11y/atspi/accessible/[0-9]*"
- interface="org.a11y.atspi.Event.Object"
- member="{ChildrenChanged,PropertyChange,StateChanged,TextCaretMoved}"
- peer=(name=org.freedesktop.DBus, label=unconfined),
- dbus (send)
- bus=accessibility
- path="/org/a11y/atspi/accessible/[0-9]*"
- interface="org.freedesktop.DBus.Properties"
- member="Get{,All}"
- peer=(label=unconfined),
- dbus (send)
- bus=accessibility
- path="/org/a11y/atspi/cache"
- interface="org.a11y.atspi.Cache"
- member="{Add,Remove}Accessible"
- peer=(name=org.freedesktop.DBus, label=unconfined),
- # ibus
- # subset of ibus abstraction
- /usr/lib/@{multiarch}/gtk-2.0/[0-9]*/immodules/im-ibus.so mr,
- owner @{HOME}/.config/ibus/ r,
- owner @{HOME}/.config/ibus/bus/ r,
- owner @{HOME}/.config/ibus/bus/* r,
- # allow communicating with ibus-daemon (this allows sniffing key events)
- unix (connect, receive, send)
- type=stream
- peer=(addr="@/tmp/ibus/dbus-*"),
- # abstract path in ibus >= 1.5.22 uses $XDG_CACHE_HOME (ie, @{HOME}/.cache)
- # This rule should use that variable, but due to LP: #1856738 it cannot
- #unix (connect, receive, send)
- # type=stream
- # peer=(addr="@@{HOME}/.cache/ibus/dbus-*"),
- unix (connect, receive, send)
- type=stream
- peer=(addr="@/home/*/.cache/ibus/dbus-*"),
- # mozc
- # allow communicating with mozc server
- unix (connect, receive, send)
- type=stream
- peer=(addr="@tmp/.mozc.*"),
- # fcitx
- # allow communicating with fcitx dbus service
- dbus send
- bus=fcitx
- path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus
- member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
- peer=(name=org.freedesktop.DBus),
- owner @{HOME}/.config/fcitx/dbus/* r,
- # allow creating an input context
- dbus send
- bus={fcitx,session}
- path=/inputmethod
- interface=org.fcitx.Fcitx.InputMethod
- member=CreateIC*
- peer=(label=unconfined),
- # allow setting up and tearing down the input context
- dbus send
- bus={fcitx,session}
- path=/inputcontext_[0-9]*
- interface=org.fcitx.Fcitx.InputContext
- member="{Close,Destroy,Enable}IC"
- peer=(label=unconfined),
- dbus send
- bus={fcitx,session}
- path=/inputcontext_[0-9]*
- interface=org.fcitx.Fcitx.InputContext
- member=Reset
- peer=(label=unconfined),
- # allow service to send us signals
- dbus receive
- bus=fcitx
- peer=(label=unconfined),
- dbus receive
- bus=session
- interface=org.fcitx.Fcitx.*
- peer=(label=unconfined),
- # use the input context
- dbus send
- bus={fcitx,session}
- path=/inputcontext_[0-9]*
- interface=org.fcitx.Fcitx.InputContext
- member="Focus{In,Out}"
- peer=(label=unconfined),
- dbus send
- bus={fcitx,session}
- path=/inputcontext_[0-9]*
- interface=org.fcitx.Fcitx.InputContext
- member="{CommitPreedit,Set*}"
- peer=(label=unconfined),
- # this is an information leak and allows key and mouse sniffing. If the input
- # context path were tied to the process' security label, this would not be an
- # issue.
- dbus send
- bus={fcitx,session}
- path=/inputcontext_[0-9]*
- interface=org.fcitx.Fcitx.InputContext
- member="{MouseEvent,ProcessKeyEvent}"
- peer=(label=unconfined),
- # this method does not exist with the sunpinyin backend (at least), so allow
- # it for other input methods. This may constitute an information leak (which,
- # again, could be avoided if the path were tied to the process' security
- # label).
- dbus send
- bus={fcitx,session}
- path=/inputcontext_[0-9]*
- interface=org.freedesktop.DBus.Properties
- member=GetAll
- peer=(label=unconfined),
- # gtk2/gvfs gtk_show_uri()
- dbus (send)
- bus=session
- path=/org/gtk/vfs/mounttracker
- interface=org.gtk.vfs.MountTracker
- member=ListMountableInfo,
- dbus (send)
- bus=session
- path=/org/gtk/vfs/mounttracker
- interface=org.gtk.vfs.MountTracker
- member=LookupMount,
- # This leaks the names of snaps with desktop files
- /var/lib/snapd/desktop/applications/ r,
- /var/lib/snapd/desktop/applications/mimeinfo.cache r,
- # Support BAMF_DESKTOP_FILE_HINT by allowing reading our desktop files
- # parallel-installs: this leaks read access to desktop files owned by keyed
- # instances of @{SNAP_NAME} to the @{SNAP_NAME} snap
- /var/lib/snapd/desktop/applications/@{SNAP_INSTANCE_NAME}_*.desktop r,
- # Description: Can access global gsettings of the user's session. Restricted
- # because this gives privileged access to sensitive information stored in
- # gsettings and allows adjusting settings of other applications.
- #include <abstractions/dbus-session-strict>
- #include <abstractions/dconf>
- owner /{,var/}run/user/*/dconf/user w,
- owner @{HOME}/.config/dconf/user w,
- dbus (receive, send)
- bus=session
- interface="ca.desrt.dconf.Writer"
- peer=(label=unconfined),
- # Description: Can access specific system files or directories.
- # This is restricted because it gives file access to arbitrary locations.
- "/var/lib/snapd/hostfs/usr/share/applications{,/,/**}" rk,
- # Description: Can access the X server. Restricted because X does not prevent
- # eavesdropping or apps interfering with one another.
- # The X abstraction doesn't check the peer label, but in this case that's
- # ok because x11ConnectedSlotAppArmor will limit which clients can connect
- # to the slot implementation.
- #include <abstractions/X>
- #include <abstractions/fonts>
- owner @{HOME}/.local/share/fonts/{,**} r,
- /var/cache/fontconfig/ r,
- /var/cache/fontconfig/** mr,
- # Allow access to the user specific copy of the xauth file specified
- # in the XAUTHORITY environment variable, that "snap run" creates on
- # startup.
- owner /run/user/[0-9]*/.Xauthority r,
- # Allow reading an Xwayland Xauth file
- # (see https://gitlab.gnome.org/GNOME/mutter/merge_requests/626)
- owner /run/user/[0-9]*/.mutter-Xwaylandauth.* r,
- owner /run/user/[0-9]*/mutter/Xauthority r,
- # Needed by QtSystems on X to detect mouse and keyboard. Note, the 'netlink
- # raw' rule is not finely mediated by apparmor so we mediate with seccomp arg
- # filtering.
- network netlink raw,
- /run/udev/data/c13:[0-9]* r,
- /run/udev/data/+input:* r,
- # Description: Can access the network as a client.
- #include <abstractions/nameservice>
- /run/systemd/resolve/stub-resolv.conf rk,
- /etc/mdns.allow r, # not yet include in mdns abstraction
- # systemd-resolved (not yet included in nameservice abstraction)
- #
- # Allow access to the safe members of the systemd-resolved D-Bus API:
- #
- # https://www.freedesktop.org/wiki/Software/systemd/resolved/
- #
- # This API may be used directly over the D-Bus system bus or it may be used
- # indirectly via the nss-resolve plugin:
- #
- # https://www.freedesktop.org/software/systemd/man/nss-resolve.html
- #
- #include <abstractions/dbus-strict>
- dbus send
- bus=system
- path="/org/freedesktop/resolve1"
- interface="org.freedesktop.resolve1.Manager"
- member="Resolve{Address,Hostname,Record,Service}"
- peer=(name="org.freedesktop.resolve1"),
- # libnss-systemd (D-Bus portion from nameservice abstraction)
- # Also allow lookups for systemd-exec's DynamicUsers via D-Bus
- # https://www.freedesktop.org/software/systemd/man/systemd.exec.html
- dbus send
- bus=system
- path="/org/freedesktop/systemd1"
- interface="org.freedesktop.systemd1.Manager"
- member="{GetDynamicUsers,LookupDynamicUserByName,LookupDynamicUserByUID}"
- peer=(name="org.freedesktop.systemd1"),
- #include <abstractions/ssl_certs>
- @{PROC}/sys/net/core/somaxconn r,
- @{PROC}/sys/net/ipv4/tcp_fastopen r,
- # Allow using netcat as client
- /{,usr/}bin/nc{,.openbsd} ixr,
- # Description: Can manage snaps via snapd.
- /run/snapd.socket rw,
- # Description: Can query UPower for power devices, history and statistics.
- #include <abstractions/dbus-strict>
- # Find all devices monitored by UPower
- dbus (send)
- bus=system
- path=/org/freedesktop/UPower
- interface=org.freedesktop.UPower
- member=EnumerateDevices
- peer=(label=unconfined),
- # Read all properties from UPower and devices
- # do not use peer=(label=unconfined) here since this is DBus activated
- dbus (send)
- bus=system
- path=/org/freedesktop/UPower{,/Wakeups,/devices/**}
- interface=org.freedesktop.DBus.Properties
- member=Get{,All},
- dbus (send)
- bus=system
- path=/org/freedesktop/UPower
- interface=org.freedesktop.UPower
- member=GetCriticalAction
- peer=(label=unconfined),
- dbus (send)
- bus=system
- path=/org/freedesktop/UPower
- interface=org.freedesktop.UPower
- member=GetDisplayDevice
- peer=(label=unconfined),
- dbus (send)
- bus=system
- path=/org/freedesktop/UPower/devices/**
- interface=org.freedesktop.UPower.Device
- member=GetHistory
- peer=(label=unconfined),
- # Receive property changed events
- dbus (receive)
- bus=system
- path=/org/freedesktop/UPower{,/devices/**}
- interface=org.freedesktop.DBus.Properties
- member=PropertiesChanged
- peer=(label=unconfined),
- # Allow clients to introspect the service
- # do not use peer=(label=unconfined) here since this is DBus activated
- dbus (send)
- bus=system
- interface=org.freedesktop.DBus.Introspectable
- path=/org/freedesktop/UPower
- member=Introspect,
- # Description: Can query system status information. This is restricted because
- # it gives privileged read access to all processes on the system and should
- # only be used with trusted apps.
- # Needed by 'ps'
- @{PROC}/tty/drivers r,
- # This ptrace is an information leak. Intentionally omit 'ptrace (trace)' here
- # since ps doesn't actually need to trace other processes. Note this
- # allows a number of accesses (assuming the associated /proc file is allowed),
- # such as various memory address locations and esp/eip via /proc/*/stat,
- # /proc/*/mem, /proc/*/personality, /proc/*/stack, /proc/*/syscall,
- # /proc/*/timerslack_ns and /proc/*/wchan (see man proc).
- #
- # Some files like /proc/kallsyms (and anything using the %pK format specifier) need
- # 'capability syslog' when /proc/sys/kernel/kptr_restrict=1, but we
- # intentionally do not allow it since it could be used to defeat KASLR.
- ptrace (read),
- # Other miscellaneous accesses for observing the system
- @{PROC}/locks r,
- @{PROC}/modules r,
- @{PROC}/stat r,
- @{PROC}/vmstat r,
- @{PROC}/diskstats r,
- @{PROC}/kallsyms r,
- @{PROC}/partitions r,
- @{PROC}/sys/kernel/panic r,
- @{PROC}/sys/kernel/panic_on_oops r,
- @{PROC}/sys/vm/panic_on_oom r,
- # These are not process-specific (/proc/*/... and /proc/*/task/*/...)
- @{PROC}/*/{,task/,task/*/} r,
- @{PROC}/*/{,task/*/}auxv r,
- @{PROC}/*/{,task/*/}cgroup r,
- @{PROC}/*/{,task/*/}cmdline r,
- @{PROC}/*/{,task/*/}comm r,
- @{PROC}/*/{,task/*/}exe r,
- @{PROC}/*/{,task/*/}fdinfo/* r,
- @{PROC}/*/{,task/*/}stat r,
- @{PROC}/*/{,task/*/}statm r,
- @{PROC}/*/{,task/*/}status r,
- @{PROC}/*/{,task/*/}wchan r,
- # Allow discovering the os-release of the host
- /var/lib/snapd/hostfs/etc/os-release rk,
- /var/lib/snapd/hostfs/usr/lib/os-release rk,
- # Allow discovering system-wide CFS Bandwidth Control information
- # https://www.kernel.org/doc/html/latest/scheduler/sched-bwc.html
- /sys/fs/cgroup/cpu,cpuacct/cpu.cfs_period_us r,
- /sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r,
- /sys/fs/cgroup/cpu,cpuacct/cpu.shares r,
- /sys/fs/cgroup/cpu,cpuacct/cpu.stat r,
- #include <abstractions/dbus-strict>
- # do not use peer=(label=unconfined) here since this is DBus activated
- dbus (send)
- bus=system
- path=/org/freedesktop/hostname1
- interface=org.freedesktop.DBus.Properties
- member=Get{,All},
- # Allow clients to introspect hostname1
- # do not use peer=(label=unconfined) here since this is DBus activated
- dbus (send)
- bus=system
- path=/org/freedesktop/hostname1
- interface=org.freedesktop.DBus.Introspectable
- member=Introspect,
- # Allow clients to enumerate DBus connection names on common buses
- dbus (send)
- bus={session,system}
- path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus
- member=ListNames
- peer=(label=unconfined),
- # Allow clients to obtain the DBus machine ID on common buses. We do not
- # mediate the path since any peer can be used.
- dbus (send)
- bus={session,system}
- interface=org.freedesktop.DBus.Peer
- member=GetMachineId
- peer=(label=unconfined),
- # In addition to the bind mount, add any AppArmor rules so that
- # snaps may directly access the slot implementation's files
- # read-only.
- /snap/gnome-3-34-1804/24/** mrkix,
- # In addition to the bind mount, add any AppArmor rules so that
- # snaps may directly access the slot implementation's files
- # read-only.
- /snap/gtk-common-themes/1474/share/icons/Adwaita/** mrkix,
- /snap/gtk-common-themes/1474/share/icons/hicolor/** mrkix,
- /snap/gtk-common-themes/1474/share/icons/HighContrast/** mrkix,
- /snap/gtk-common-themes/1474/share/icons/Humanity/** mrkix,
- /snap/gtk-common-themes/1474/share/icons/Humanity-Dark/** mrkix,
- /snap/gtk-common-themes/1474/share/icons/ubuntu-mono-dark/** mrkix,
- /snap/gtk-common-themes/1474/share/icons/ubuntu-mono-light/** mrkix,
- /snap/gtk-common-themes/1474/share/icons/DMZ-Black/** mrkix,
- /snap/gtk-common-themes/1474/share/icons/DMZ-White/** mrkix,
- /snap/gtk-common-themes/1474/share/icons/communitheme/** mrkix,
- /snap/gtk-common-themes/1474/share/icons/Suru/** mrkix,
- /snap/gtk-common-themes/1474/share/icons/Yaru/** mrkix,
- /snap/gtk-common-themes/1474/share/icons/elementary/** mrkix,
- /snap/gtk-common-themes/1474/share/icons/Ambiant-MATE/** mrkix,
- /snap/gtk-common-themes/1474/share/icons/Radiant-MATE/** mrkix,
- /snap/gtk-common-themes/1474/share/icons/Papirus-Adapta-Maia/** mrkix,
- /snap/gtk-common-themes/1474/share/icons/Papirus-Adapta-Nokto-Maia/** mrkix,
- /snap/gtk-common-themes/1474/share/icons/Papirus-Dark-Maia/** mrkix,
- /snap/gtk-common-themes/1474/share/icons/Papirus-Light-Maia/** mrkix,
- /snap/gtk-common-themes/1474/share/icons/Papirus-Maia/** mrkix,
- /snap/gtk-common-themes/1474/share/icons/breeze_cursors/** mrkix,
- /snap/gtk-common-themes/1474/share/icons/Breeze_Snow/** mrkix,
- # In addition to the bind mount, add any AppArmor rules so that
- # snaps may directly access the slot implementation's files
- # read-only.
- /snap/gtk-common-themes/1474/share/sounds/communitheme/** mrkix,
- /snap/gtk-common-themes/1474/share/sounds/Yaru/** mrkix,
- # In addition to the bind mount, add any AppArmor rules so that
- # snaps may directly access the slot implementation's files
- # read-only.
- /snap/gtk-common-themes/1474/share/themes/Adwaita/** mrkix,
- /snap/gtk-common-themes/1474/share/themes/Adwaita-dark/** mrkix,
- /snap/gtk-common-themes/1474/share/themes/HighContrast/** mrkix,
- /snap/gtk-common-themes/1474/share/themes/Ambiance/** mrkix,
- /snap/gtk-common-themes/1474/share/themes/Radiance/** mrkix,
- /snap/gtk-common-themes/1474/share/themes/Arc/** mrkix,
- /snap/gtk-common-themes/1474/share/themes/Arc-Dark/** mrkix,
- /snap/gtk-common-themes/1474/share/themes/Arc-Darker/** mrkix,
- /snap/gtk-common-themes/1474/share/themes/Breeze/** mrkix,
- /snap/gtk-common-themes/1474/share/themes/Breeze-Dark/** mrkix,
- /snap/gtk-common-themes/1474/share/themes/Communitheme/** mrkix,
- /snap/gtk-common-themes/1474/share/themes/Communitheme-dark/** mrkix,
- /snap/gtk-common-themes/1474/share/themes/Communitheme-light/** mrkix,
- /snap/gtk-common-themes/1474/share/themes/Yaru/** mrkix,
- /snap/gtk-common-themes/1474/share/themes/Yaru-dark/** mrkix,
- /snap/gtk-common-themes/1474/share/themes/Yaru-light/** mrkix,
- /snap/gtk-common-themes/1474/share/themes/elementary/** mrkix,
- /snap/gtk-common-themes/1474/share/themes/Ambiant-MATE/** mrkix,
- /snap/gtk-common-themes/1474/share/themes/Ambiant-MATE-Dark/** mrkix,
- /snap/gtk-common-themes/1474/share/themes/Radiant-MATE/** mrkix,
- /snap/gtk-common-themes/1474/share/themes/Matcha-aliz/** mrkix,
- /snap/gtk-common-themes/1474/share/themes/Matcha-azul/** mrkix,
- /snap/gtk-common-themes/1474/share/themes/Matcha-dark-aliz/** mrkix,
- /snap/gtk-common-themes/1474/share/themes/Matcha-dark-azul/** mrkix,
- /snap/gtk-common-themes/1474/share/themes/Matcha-dark-sea/** mrkix,
- /snap/gtk-common-themes/1474/share/themes/Matcha-sea/** mrkix,
- # allow unconfined clients to introspect us on classic
- dbus (receive)
- bus=session
- interface=org.freedesktop.DBus.Introspectable
- member=Introspect
- peer=(label=unconfined),
- # allow us to respond to unconfined clients via "io.snapcraft.Store{,.*}"
- # on classic (send should be handled via another snappy interface).
- dbus (receive)
- bus=session
- interface="io.snapcraft.Store{,.*}"
- peer=(label=unconfined),
- # allow us to respond to unconfined clients via "/io/snapcraft/Store{,/**}" (eg,
- # org.freedesktop.*, org.gtk.Application, etc) on classic (send should be
- # handled via another snappy interface).
- dbus (receive)
- bus=session
- path="/io/snapcraft/Store{,/**}"
- peer=(label=unconfined),
- # allow unconfined clients to introspect us on classic
- dbus (receive)
- bus=session
- interface=org.freedesktop.DBus.Introspectable
- member=Introspect
- peer=(label=unconfined),
- # allow us to respond to unconfined clients via "org.freedesktop.PackageKit{,.*}"
- # on classic (send should be handled via another snappy interface).
- dbus (receive)
- bus=session
- interface="org.freedesktop.PackageKit{,.*}"
- peer=(label=unconfined),
- # allow us to respond to unconfined clients via "/org/freedesktop/PackageKit{,/**}" (eg,
- # org.freedesktop.*, org.gtk.Application, etc) on classic (send should be
- # handled via another snappy interface).
- dbus (receive)
- bus=session
- path="/org/freedesktop/PackageKit{,/**}"
- peer=(label=unconfined),
- # Layout path: /usr/lib/x86_64-linux-gnu/webkit2gtk-4.0
- /usr/lib/x86_64-linux-gnu/webkit2gtk-4.0{,/**} mrwklix,
- # Layout path: /usr/share/applications
- /usr/share/applications{,/**} mrwklix,
- # Layout path: /usr/share/xml/iso-codes
- /usr/share/xml/iso-codes{,/**} mrwklix,
- # While commands like 'ps', 'ip netns identify <pid>', 'ip netns pids foo', etc
- # trigger a 'ptrace (trace)' denial, they aren't actually tracing other
- # processes. Unfortunately, the kernel overloads trace such that the LSMs are
- # unable to distinguish between tracing other processes and other accesses.
- # ptrace (trace) can be used to break out of the seccomp sandbox unless the
- # kernel has 93e35efb8de45393cf61ed07f7b407629bf698ea (in 4.8+). Until snapd
- # has full ptrace support conditional on kernel support, explicitly deny to
- # silence noisy denials/avoid confusion and accidentally giving away this
- # dangerous access frivolously.
- deny ptrace (trace),
- deny capability sys_ptrace,
- }