%PDF- %PDF-
Direktori : /proc/thread-self/root/etc/apparmor.d/ |
Current File : //proc/thread-self/root/etc/apparmor.d/usr.lib.snapd.snap-confine.real |
# Author: Jamie Strandboge <jamie@canonical.com> #include <tunables/global> /usr/lib/snapd/snap-confine (attach_disconnected) { # Include any additional files that snapd chose to generate. # - for $HOME on remote file system. # - for $HOME on encrypted media # # Those are discussed on https://forum.snapcraft.io/t/snapd-vs-upstream-kernel-vs-apparmor # and https://forum.snapcraft.io/t/snaps-and-nfs-home/ #include "/var/lib/snapd/apparmor/snap-confine" # We run privileged, so be fanatical about what we include and don't use # any abstractions /etc/ld.so.cache r, /etc/ld.so.preload r, # Do not assume that the interpreter is always named like # ld-linux-x86_64.so, as on some architectures there can be a version after # the .so suffix, eg. ld-linux-aarch64.so.1 /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}ld{-*,64}.so* mrix, # libc, you are funny /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libc{,-[0-9]*}.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libpthread{,-[0-9]*}.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libreadline{,-[0-9]*}.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}librt{,-[0-9]*}.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libgcc_s.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libncursesw{,-[0-9]*}.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libresolv{,-[0-9]*}.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libselinux.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libpcre{,2}{,-[0-9]*}.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libmount.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libblkid.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libuuid.so* mr, # normal libs in order /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libapparmor.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcgmanager.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libdl{,-[0-9]*}.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnih.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnih-dbus.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libdbus-1.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libudev.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libseccomp.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcap.so* mr, /usr/lib/snapd/snap-confine mr, # This rule is needed when executing from a "base: core" devmode snap on # UC18 and newer where the /usr/lib/snapd/snap-confine inside the # "base: core" mount namespace always comes from the snapd snap, and thus # we will execute snap-confine via this path, and thus need to be able to # read this path when executing. It's also necessary on classic where both # the snapd and the core snap are installed at the same time. # TODO: remove this rule when we stop supporting executing other snaps from # inside devmode snaps, ideally even in the short term we would only include # this rule on core only, and specifically uc18 and newer where we need it #@VERBATIM_LIBEXECDIR_SNAP_CONFINE@ mr, /dev/null rw, /dev/full rw, /dev/zero rw, /dev/random r, /dev/urandom r, /dev/pts/[0-9]* rw, /dev/tty rw, # cgroup: devices capability sys_admin, capability dac_read_search, capability dac_override, /sys/fs/cgroup/ r, /sys/fs/cgroup/devices/ r, /sys/fs/cgroup/devices/snap.*/ rw, /sys/fs/cgroup/devices/snap.*/cgroup.procs w, /sys/fs/cgroup/devices/snap.*/devices.{allow,deny} w, # cgroup: freezer # Allow creating per-snap cgroup freezers and adding snap command (task) # invocations to the freezer. This allows for reliably enumerating all # running processes for the snap. In addition, allow enumerating processes # in the cgroup to determine if it is occupied. /sys/fs/cgroup/freezer/ r, /sys/fs/cgroup/freezer/snap.*/ w, /sys/fs/cgroup/freezer/snap.*/cgroup.procs rw, /sys/fs/cgroup/ r, /sys/fs/cgroup/** r, # cgroup: reading own cgroup @{PROC}/@{pid}/cgroup r, # cgroup: manage bpf map for device cgroup /sys/fs/bpf/ r, /sys/fs/bpf/snap/ rw, /sys/fs/bpf/snap/* rw, # s-c may need to raise the memlock limit capability sys_resource, # querying udev /etc/udev/udev.conf r, /sys/**/uevent r, /run/udev/** rw, /{,usr/}bin/tr ixr, /usr/lib/locale/** r, /usr/lib/@{multiarch}/gconv/gconv-modules r, /usr/lib/@{multiarch}/gconv/gconv-modules.cache r, # priv dropping capability setuid, capability setgid, # changing profile @{PROC}/[0-9]*/attr/{,apparmor/}exec w, # Reading current profile @{PROC}/[0-9]*/attr/{,apparmor/}current r, # Reading available filesystems @{PROC}/filesystems r, # To find where apparmor is mounted @{PROC}/[0-9]*/mounts r, # To find if apparmor is enabled /sys/module/apparmor/parameters/enabled r, # For detecting if we're in a container /run/systemd/container r, # Don't allow changing profile to unconfined or profiles that start with # '/'. Use 'unsafe' to support snap-exec on armhf and its reliance on # the environment for determining the capabilities of the architecture. # 'unsafe' is ok here because the kernel will have already cleared the # environment as part of launching snap-confine with CAP_SYS_ADMIN. This # does leave directories as configured by ld.so.preload as well as # LD_PRELOAD to be set to a library which is in a directory configured by # ld.so.conf, but access to those locations is mediated by this profile # (which requires rules for specific locations). change_profile unsafe /** -> [^u/]**, change_profile unsafe /** -> u[^n]**, change_profile unsafe /** -> un[^c]**, change_profile unsafe /** -> unc[^o]**, change_profile unsafe /** -> unco[^n]**, change_profile unsafe /** -> uncon[^f]**, change_profile unsafe /** -> unconf[^i]**, change_profile unsafe /** -> unconfi[^n]**, change_profile unsafe /** -> unconfin[^e]**, change_profile unsafe /** -> unconfine[^d]**, change_profile unsafe /** -> unconfined?**, # allow changing to a few not caught above change_profile unsafe /** -> {u,un,unc,unco,uncon,unconf,unconfi,unconfin,unconfine}, # LP: #1446794 - when this bug is fixed, change the above to: # deny change_profile unsafe /** -> {unconfined,/**}, # change_profile unsafe /** -> **, # reading seccomp filters. # Note 1: We still need to consider .bin extension because of global.bin file. # Note 2: This rule is not needed because of rule '/var/lib/** rw', however we keep it because at # some point we want to investigate if we can narrow the scope of the aforementioned rule. /{tmp/snap.rootfs_*/,}var/lib/snapd/seccomp/bpf/*.bin{,2} r, # adding a missing bpf mount mount fstype=bpf options=(rw) bpf -> /sys/fs/bpf/, # For mounting base dir by dir (write dirs and mount on them) /tmp/snap.rootfs_** rw, mount options=(remount ro) -> /tmp/snap.rootfs_*/, mount options=(rw rbind) /snap/*/*/**/ -> /tmp/snap.rootfs_**/, # For mounting individual files mount options=(rw bind) /snap/*/*/** -> /tmp/snap.rootfs_*/**, mount options=(rw rslave) -> /tmp/snap.rootfs_**/, # Allow mounting dirs from / mount options=(rw rbind) /*/ -> /tmp/snap.rootfs_**/, # LP: #1668659 and parallel instaces of classic snaps mount options=(rw rbind) /snap/ -> /snap/, mount options=(rw rshared) -> /snap/, mount options=(rw rbind) /var/lib/snapd/snap/ -> /var/lib/snapd/snap/, mount options=(rw rshared) -> /var/lib/snapd/snap/, # boostrapping the mount namespace /tmp/snap.rootfs_*/ rw, mount fstype=tmpfs none -> /tmp/snap.rootfs_*/, mount options=(rw rshared) -> /, mount options=(rw bind) /tmp/snap.rootfs_*/ -> /tmp/snap.rootfs_*/, mount options=(rw unbindable) -> /tmp/snap.rootfs_*/, # the next line is for classic system mount options=(rw rbind) /snap/*/*/ -> /tmp/snap.rootfs_*/, # the next line is for core system mount options=(rw rbind) / -> /tmp/snap.rootfs_*/, # all of the constructed rootfs is a rslave mount options=(rw rslave) -> /tmp/snap.rootfs_*/, # bidirectional mounts (for both classic and core) # NOTE: this doesn't capture the MERGED_USR configuration option so that # when a distro with merged /usr and / that uses apparmor shows up it # should be handled here. /{,run/}media/ w, mount options=(rw rbind) /{,run/}media/ -> /tmp/snap.rootfs_*/{,run/}media/, /run/netns/ w, mount options=(rw rbind) /run/netns/ -> /tmp/snap.rootfs_*/run/netns/, # unidirectional mounts (only for classic system) mount options=(rw rbind) /dev/ -> /tmp/snap.rootfs_*/dev/, mount options=(rw rslave) -> /tmp/snap.rootfs_*/dev/, mount options=(rw rbind) /etc/ -> /tmp/snap.rootfs_*/etc/, mount options=(rw rslave) -> /tmp/snap.rootfs_*/etc/, mount options=(rw rbind) /home/ -> /tmp/snap.rootfs_*/home/, mount options=(rw rslave) -> /tmp/snap.rootfs_*/home/, mount options=(rw rbind) /root/ -> /tmp/snap.rootfs_*/root/, mount options=(rw rslave) -> /tmp/snap.rootfs_*/root/, mount options=(rw rbind) /proc/ -> /tmp/snap.rootfs_*/proc/, mount options=(rw rslave) -> /tmp/snap.rootfs_*/proc/, mount options=(rw rbind) /sys/ -> /tmp/snap.rootfs_*/sys/, mount options=(rw rslave) -> /tmp/snap.rootfs_*/sys/, mount options=(rw rbind) /tmp/ -> /tmp/snap.rootfs_*/tmp/, mount options=(rw rslave) -> /tmp/snap.rootfs_*/tmp/, mount options=(rw rbind) /var/lib/dhcp/ -> /tmp/snap.rootfs_*/var/lib/dhcp/, mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/lib/dhcp/, mount options=(rw rbind) /var/lib/snapd/ -> /tmp/snap.rootfs_*/var/lib/snapd/, mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/lib/snapd/, mount options=(rw rbind) /var/snap/ -> /tmp/snap.rootfs_*/var/snap/, mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/snap/, mount options=(rw rbind) /var/tmp/ -> /tmp/snap.rootfs_*/var/tmp/, # /var/volatile is the default volatile location on Yocto/Poky, typically used with read-only rootfs setups mount options=(rw rbind) /var/volatile/tmp/ -> /tmp/snap.rootfs_*/var/tmp/, mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/tmp/, mount options=(rw rbind) /run/ -> /tmp/snap.rootfs_*/run/, mount options=(rw rslave) -> /tmp/snap.rootfs_*/run/, mount options=(rw rbind) /var/lib/extrausers/ -> /tmp/snap.rootfs_*/var/lib/extrausers/, mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/lib/extrausers/, mount options=(rw rbind) {,/usr}/lib{,32,64,x32}/modules/ -> /tmp/snap.rootfs_*{,/usr}/lib/modules/, mount options=(rw rslave) -> /tmp/snap.rootfs_*{,/usr}/lib/modules/, mount options=(rw rbind) {,/usr}/lib{,32,64,x32}/firmware/ -> /tmp/snap.rootfs_*{,/usr}/lib/firmware/, mount options=(rw rslave) -> /tmp/snap.rootfs_*{,/usr}/lib/firmware/, mount options=(rw rbind) /var/log/ -> /tmp/snap.rootfs_*/var/log/, # /var/volatile is the default volatile location on Yocto/Poky, typically used with read-only rootfs setups mount options=(rw rbind) /var/volatile/log/ -> /tmp/snap.rootfs_*/var/log/, mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/log/, mount options=(rw rbind) /usr/src/ -> /tmp/snap.rootfs_*/usr/src/, mount options=(rw rslave) -> /tmp/snap.rootfs_*/usr/src/, mount options=(rw rbind) /mnt/ -> /tmp/snap.rootfs_*/mnt/, mount options=(rw rslave) -> /tmp/snap.rootfs_*/mnt/, # allow making host snap-exec available inside base snaps mount options=(rw bind) /usr/lib/snapd/ -> /tmp/snap.rootfs_*/usr/lib/snapd/, mount options=(rw slave) -> /tmp/snap.rootfs_*/usr/lib/snapd/, # allow making re-execed host snap-exec available inside base snaps mount options=(ro bind) /snap/core/*/usr/lib/snapd/ -> /tmp/snap.rootfs_*/usr/lib/snapd/, # allow making snapd snap tools available inside base snaps mount options=(ro bind) /snap/snapd/*/usr/lib/snapd/ -> /tmp/snap.rootfs_*/usr/lib/snapd/, mount options=(rw bind) /usr/bin/snapctl -> /tmp/snap.rootfs_*/usr/bin/snapctl, mount options=(rw slave) -> /tmp/snap.rootfs_*/usr/bin/snapctl, # /etc/alternatives (classic and normal mode) mount options=(rw bind) /snap/*/*/etc/alternatives/ -> /tmp/snap.rootfs_*/etc/alternatives/, mount options=(rw bind) /snap/*/*/etc/ssl/ -> /tmp/snap.rootfs_*/etc/ssl/, mount options=(rw bind) /snap/*/*/etc/nsswitch.conf -> /tmp/snap.rootfs_*/etc/nsswitch.conf, mount options=(rw bind) /snap/*/*/etc/apparmor/ -> /tmp/snap.rootfs_*/etc/apparmor/, mount options=(rw bind) /snap/*/*/etc/apparmor.d/ -> /tmp/snap.rootfs_*/etc/apparmor.d/, # /etc/alternatives (core/legacy mode) mount options=(rw bind) /etc/alternatives/ -> /tmp/snap.rootfs_*/etc/alternatives/, # making all those directories slave shared. mount options=(rw slave) -> /tmp/snap.rootfs_*/etc/alternatives/, mount options=(rw slave) -> /tmp/snap.rootfs_*/etc/ssl/, mount options=(rw slave) -> /tmp/snap.rootfs_*/etc/nsswitch.conf, mount options=(rw slave) -> /tmp/snap.rootfs_*/etc/apparmor/, mount options=(rw slave) -> /tmp/snap.rootfs_*/etc/apparmor.d/, # the /snap directory mount options=(rw rbind) /snap/ -> /tmp/snap.rootfs_*/snap/, mount options=(rw rslave) -> /tmp/snap.rootfs_*/snap/, # pivot_root preparation and execution mount options=(rw bind) /tmp/snap.rootfs_*/var/lib/snapd/hostfs/ -> /tmp/snap.rootfs_*/var/lib/snapd/hostfs/, mount options=(rw private) -> /tmp/snap.rootfs_*/var/lib/snapd/hostfs/, # pivot_root mediation in AppArmor is not complete. See LP: #1791711. # However, we can mediate the new_root and put_old to be what we expect, # and then deny directory creation within old_root to prevent trivial # pivoting into an allowlisted path. pivot_root oldroot=/tmp/snap.rootfs_*/var/lib/snapd/hostfs/ /tmp/snap.rootfs_*/, # Explicitly deny creating the old_root directory in case it is # inadvertently added somewhere else. While this doesn't resolve # LP: #1791711, it provides some hardening. # For dir on dir mounts, we do need write permissions in /var though audit deny /tmp/snap.rootfs_*/{var/lib/,var/lib/snapd/,var/lib/snapd/hostfs/} w, # cleanup umount /var/lib/snapd/hostfs/tmp/snap.rootfs_*/, umount /var/lib/snapd/hostfs/sys/, umount /var/lib/snapd/hostfs/dev/, umount /var/lib/snapd/hostfs/proc/, mount options=(rw rslave) -> /var/lib/snapd/hostfs/, # Hide /writable from view of snaps. mount options=(rprivate) -> /{,var/lib/snapd/hostfs/}writable/, umount /{,var/lib/snapd/hostfs/}writable/, # set up user mount namespace mount options=(rslave) -> /, # set up mount namespace for parallel instances of classic snaps mount options=(rw rbind) /snap/{,*/} -> /snap/{,*/}, mount options=(rslave) -> /snap/, mount options=(rslave) -> /var/snap/, mount options=(rw rbind) /var/snap/{,*/} -> /var/snap/{,*/}, mount options=(rw rshared) -> /var/snap/, # Allow reading the os-release file (possibly a symlink to /usr/lib). /{etc/,usr/lib/}os-release r, # Allow creating /var/lib/snapd/hostfs, if missing /var/lib/snapd/hostfs/ rw, # set up snap-specific private /tmp dir capability chown, /tmp/ rw, /tmp/snap-private-tmp/ rw, /tmp/snap-private-tmp/snap.*/ rw, /tmp/snap-private-tmp/snap.*/tmp/ rw, mount options=(rw private) -> /tmp/, mount options=(rw bind) /tmp/snap-private-tmp/snap.*/tmp/ -> /tmp/, mount fstype=devpts options=(rw) devpts -> /dev/pts/, mount options=(rw bind) /dev/pts/ptmx -> /dev/ptmx, # for bind mounting mount options=(rw bind) /dev/pts/ptmx -> /dev/pts/ptmx, # for bind mounting under LXD # Workaround for LP: #1584456 on older kernels that mistakenly think # /dev/pts/ptmx needs a trailing '/' mount options=(rw bind) /dev/pts/ptmx/ -> /dev/ptmx/, mount options=(rw bind) /dev/pts/ptmx/ -> /dev/pts/ptmx/, # for running snaps on classic /snap/ r, /snap/** r, /snap/ r, /snap/** r, # NOTE: at this stage the /snap directory is stable as we have called # pivot_root already. # nvidia handling, glob needs /usr/** and the launcher must be # able to bind mount the nvidia dir /sys/module/nvidia/version r, /sys/**/drivers/nvidia{,_*}/* r, /sys/**/nvidia*/uevent r, /sys/module/nvidia{,_*}/* r, /dev/nvidia[0-9]* r, /dev/nvidiactl r, /dev/nvidia-uvm r, /usr/** r, mount options=(rw bind) /usr/lib{,32}/nvidia-*/ -> /{tmp/snap.rootfs_*/,}var/lib/snapd/lib/gl{,32}/, mount options=(rw bind) /usr/lib{,32}/nvidia-*/ -> /{tmp/snap.rootfs_*/,}var/lib/snapd/lib/gl{,32}/, /tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/{,*} w, mount fstype=tmpfs options=(rw nodev noexec) none -> /tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/, mount options=(remount ro bind) -> /tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/, # Vulkan support /tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/{,*} w, mount fstype=tmpfs options=(rw nodev noexec) none -> /tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/, mount options=(remount ro bind) -> /tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/, # GLVND EGL vendor /tmp/snap.rootfs_*/var/lib/snapd/lib/glvnd/{,*} w, mount fstype=tmpfs options=(rw nodev noexec) none -> /tmp/snap.rootfs_*/var/lib/snapd/lib/glvnd/, mount options=(remount ro bind) -> /tmp/snap.rootfs_*/var/lib/snapd/lib/glvnd/, # create gl dirs as needed /tmp/snap.rootfs_*/ r, /tmp/snap.rootfs_*/var/ r, /tmp/snap.rootfs_*/var/lib/ r, /tmp/snap.rootfs_*/var/lib/snapd/ r, /tmp/snap.rootfs_*/var/lib/snapd/lib/ r, /tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/ r, /tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/** rw, /tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/ r, /tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/** rw, /tmp/snap.rootfs_*/var/lib/snapd/lib/glvnd/ r, /tmp/snap.rootfs_*/var/lib/snapd/lib/glvnd/** rw, # for chroot on steroids, we use pivot_root as a better chroot that makes # apparmor rules behave the same on classic and outside of classic. # for creating the user data directories: ~/snap, ~/snap/<name> and # ~/snap/<name>/<version> / r, @{HOMEDIRS}/ r, # These should both have 'owner' match but due to LP: #1466234, we can't # yet @{HOME}/ r, @{HOME}/snap/{,*/,*/*/} rw, # experimental @{HOME}/.snap/ rw, @{HOME}/.snap/data/{,*/,*/*/} rw, @{HOME}/Snap/{,*/,*/*/} rw, # Special case for *classic* snaps that are used by users with existing dirs # in /var/lib/. Like jenkins, postgresql, mysql, puppet, ... # (see https://forum.snapcraft.io/t/9717) # TODO: this can be removed once we support home-dirs outside of /home # better /var/ r, /var/lib/ r, # These should both have 'owner' match but due to LP: #1466234, we can't # yet /var/lib/*/ r, /var/lib/*/snap/{,*/,*/*/} rw, # for creating the user shared memory directories /{dev,run}/{,shm/} r, # This should both have 'owner' match but due to LP: #1466234, we can't yet /{dev,run}/shm/{,*/,*/*/} rw, # for creating the user XDG_RUNTIME_DIR: /run/user, /run/user/UID and # /run/user/UID/<name> /run/user/{,[0-9]*/,[0-9]*/*/} rw, # Workaround https://launchpad.net/bugs/359338 until upstream handles # stacked filesystems generally. # encrypted ~/.Private and old-style encrypted $HOME @{HOME}/.Private/ r, @{HOME}/.Private/** mrwlk, # new-style encrypted $HOME @{HOMEDIRS}/.ecryptfs/*/.Private/ r, @{HOMEDIRS}/.ecryptfs/*/.Private/** mrwlk, # Allow snap-confine to move to the void, creating it if necessary. /var/lib/snapd/void/ rw, # Allow snap-confine to read snap contexts /var/lib/snapd/context/snap.* r, # Allow snap-confine to unmount stale mount namespaces. umount /run/snapd/ns/*.mnt, /run/snapd/ns/snap.*.fstab w, # Allow snap-confine to read and write mount namespace information files. /run/snapd/ns/snap.*.info rw, # Required to correctly unmount bound mount namespace. # See LP: #1735459 for details. umount /, # support for locking /run/snapd/lock/ rw, /run/snapd/lock/*.lock rwk, # support for the mount namespace sharing capability sys_ptrace, # allow snap-confine to read /proc/1/ns/mnt ptrace read peer=unconfined, # https://forum.snapcraft.io/t/custom-kernel-error-on-readlinkat-in-mount-namespace/6097/21 ptrace trace peer=unconfined, mount options=(rw rbind) /run/snapd/ns/ -> /run/snapd/ns/, mount options=(private) -> /run/snapd/ns/, / rw, /run/ rw, /run/snapd/ rw, /run/snapd/ns/ rw, /run/snapd/ns/*.lock rwk, /run/snapd/ns/*.mnt rw, ptrace (read, readby, tracedby) peer=/usr/lib/snapd/snap-confine//mount-namespace-capture-helper, @{PROC}/*/mountinfo r, capability sys_chroot, capability sys_admin, signal (send, receive) set=(abrt) peer=/usr/lib/snapd/snap-confine, signal (send) set=(int) peer=/usr/lib/snapd/snap-confine//mount-namespace-capture-helper, signal (send, receive) set=(int, alrm, exists) peer=/usr/lib/snapd/snap-confine, signal (receive) set=(exists) peer=/usr/lib/snapd/snap-confine//mount-namespace-capture-helper, # workaround for linux 4.13/upstream, see # https://forum.snapcraft.io/t/snapd-2-27-6-2-in-debian-sid-blocked-on-apparmor-in-kernel-4-13-0-1/2813/3 ptrace (trace, tracedby) peer=/usr/lib/snapd/snap-confine, # Allow reading snap cookies. /var/lib/snapd/cookie/snap.* r, # For aa_change_hat() to go into ^mount-namespace-capture-helper @{PROC}/[0-9]*/attr/{,apparmor/}current w, # As a special exception allow snap-confine to write to anything in /var/lib. # This code should be changed to allow delegation so that snap-confine can # inherit any file descriptor and pass it to the invoked application but # this is not possible in apparmor yet. # See https://bugs.launchpad.net/snapd/+bug/1815869 /var/lib/** rw, ^mount-namespace-capture-helper (attach_disconnected) { # We run privileged, so be fanatical about what we include and don't use # any abstractions /etc/ld.so.cache r, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}ld{-*,64}.so* mrix, # libc, you are funny /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libc{,-[0-9]*}.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libpthread{,-[0-9]*}.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libreadline{,-[0-9]*}.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}librt{,-[0-9]*}.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libgcc_s.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libncursesw{,-[0-9]*}.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libresolv{,-[0-9]*}.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libselinux.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libpcre.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libmount.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libblkid.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libuuid.so* mr, # normal libs in order /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libapparmor.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcgmanager.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libdl{,-[0-9]*}.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnih.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnih-dbus.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libdbus-1.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libudev.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libseccomp.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcap.so* mr, /usr/lib/snapd/snap-confine mr, /dev/null rw, /dev/full rw, /dev/zero rw, /dev/random r, /dev/urandom r, capability sys_ptrace, capability sys_admin, # This allows us to read and bind mount the namespace file / r, @{PROC}/ r, @{PROC}/*/ r, @{PROC}/*/ns/ r, @{PROC}/*/ns/mnt r, /run/ r, /run/snapd/ r, /run/snapd/ns/ r, /run/snapd/ns/*.mnt rw, # NOTE: the source name is / even though we map /proc/123/ns/mnt mount options=(rw bind) / -> /run/snapd/ns/*.mnt, # This is the SIGALRM that we send and receive if a timeout expires signal (send, receive) set=(alrm) peer=/usr/lib/snapd/snap-confine//mount-namespace-capture-helper, # Those two rules are exactly the same but we don't know if the parent process is still alive # and hence has the appropriate label or is already dead and hence has no label. signal (send) set=(exists) peer=/usr/lib/snapd/snap-confine, signal (send) set=(exists) peer=unconfined, # This is so that we can abort signal (send, receive) set=(abrt) peer=/usr/lib/snapd/snap-confine//mount-namespace-capture-helper, # This is the signal we get if snap-confine dies (we subscribe to it with prctl) signal (receive) set=(int) peer=/usr/lib/snapd/snap-confine, # This allows snap-confine to be killed from the outside. signal (receive) peer=unconfined, # This allows snap-confine to wait for us ptrace (read, trace, tracedby) peer=/usr/lib/snapd/snap-confine, } # Allow snap-confine to be killed signal (receive) peer=unconfined, # Allow switching to snap-update-ns with a per-snap profile. change_profile -> snap-update-ns.*, # Allow executing snap-update-ns when... # ...snap-confine is, conceptually, re-executing and uses snap-update-ns # from the distribution package. This is also the location used when using # the core/base snap on all-snap systems. The variants here represent # various locations of libexecdir across distributions. /usr/lib{,exec,64}/snapd/snap-update-ns r, # ...snap-confine is not, conceptually, re-executing and uses # snap-update-ns from the distribution package but we are already inside # the constructed mount namespace so we must traverse "hostfs". The # variants here represent various locations of libexecdir across # distributions. /var/lib/snapd/hostfs/usr/lib{,exec,64}/snapd/snap-update-ns r, # ..snap-confine is, conceptually, re-executing and uses snap-update-ns # from the core or snapd snaps. Note that the location of the actual snap # varies from distribution to distribution. The variants here represent # different locations of snap mount directory across distributions. /{,var/lib/snapd/}snap/{core,snapd}/*/usr/lib/snapd/snap-update-ns r, # ...snap-confine is, conceptually, re-executing and uses snap-update-ns # from the core snap or snapd snap, but we are already inside the # constructed mount namespace. Here the apparmor kernel module # re-constructs the path to snap-update-ns using the "hostfs" mount entry # rather than the more "natural" /snap mount entry but we have no control # over that. This is reported as (LP: #1716339). The variants here # represent different locations of snap mount directory across # distributions. /var/lib/snapd/hostfs/{,var/lib/snapd/}snap/{core,snapd}/*/usr/lib/snapd/snap-update-ns r, # Allow executing snap-discard-ns, just like the set for snap-update-ns # above but with the key difference that snap-discard-ns does not # have a dedicated profile so we need to inherit snap-confine's profile. /usr/lib{,exec,64}/snapd/snap-discard-ns rix, /var/lib/snapd/hostfs/usr/lib{,exec,64}/snapd/snap-discard-ns rix, /{,var/lib/snapd/}snap/{core,snapd}/*/usr/lib/snapd/snap-discard-ns rix, /var/lib/snapd/hostfs/{,var/lib/snapd/}snap/{core,snapd}/*/usr/lib/snapd/snap-discard-ns rix, # Allow mounting /var/lib/jenkins from the host into the snap. mount options=(rw rbind) /var/lib/jenkins/ -> /tmp/snap.rootfs_*/var/lib/jenkins/, mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/lib/jenkins/, # Suppress noisy file_inherit denials (LP: #1850552) until LP: #1849753 is # fixed. deny /dev/shm/.org.chromium.Chromium.* rw, # While snap-confine itself doesn't require unix rules and therefore all # unix rules are implicitly denied, adding an explicit deny for unix to # silence noisy denials breaks nested lxd. Until the cause is determined, # do not use an explicit deny for unix. (LP: #1855355) #deny unix, # Explicitly deny these accesses which show up on Arch to silence the # denials for this unneeded access. deny /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnss_files-[0-9]*.so* mr, deny /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnss_mymachines.[0-9]*.so* mr, deny /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnss_systemd.[0-9]*.so* mr, deny /etc/nsswitch.conf r, deny /etc/passwd r, }