#
# Those are discussed on https://forum.snapcraft.io/t/snapd-vs-upstream-kernel-vs-apparmor
# and https://forum.snapcraft.io/t/snaps-and-nfs-home/
- #include "/var/lib/snapd/apparmor/snap-confine.d"
+ #include "/var/lib/snapd/apparmor/snap-confine"
# We run privileged, so be fanatical about what we include and don't use
# any abstractions
# libc, you are funny
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libc{,-[0-9]*}.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libpthread{,-[0-9]*}.so* mr,
+ /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libreadline{,-[0-9]*}.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}librt{,-[0-9]*}.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libgcc_s.so* mr,
+ /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libncursesw{,-[0-9]*}.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libresolv{,-[0-9]*}.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libselinux.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libpcre.so* mr,
# cgroup: freezer
# Allow creating per-snap cgroup freezers and adding snap command (task)
# invocations to the freezer. This allows for reliably enumerating all
- # running tasks for the snap.
+ # running tasks for the snap. In addition, allow enumerating processes in
+ # the cgroup to determine if it is occupied.
/sys/fs/cgroup/freezer/ r,
/sys/fs/cgroup/freezer/snap.*/ w,
/sys/fs/cgroup/freezer/snap.*/tasks w,
+ /sys/fs/cgroup/freezer/snap.*/cgroup.procs r,
# querying udev
/etc/udev/udev.conf r,
/sys/**/uevent r,
+ /usr/lib/snapd/snap-device-helper ixr, # drop
/lib/udev/snappy-app-dev ixr, # drop
/run/udev/** rw,
/{,usr/}bin/tr ixr,
mount options=(rw rbind) /run/ -> /tmp/snap.rootfs_*/run/,
mount options=(rw rslave) -> /tmp/snap.rootfs_*/run/,
- mount options=(rw rbind) {/usr,}/lib/modules/ -> /tmp/snap.rootfs_*{/usr,}/lib/modules/,
- mount options=(rw rslave) -> /tmp/snap.rootfs_*{/usr,}/lib/modules/,
+ mount options=(rw rbind) {,/usr}/lib{,32,64,x32}/modules/ -> /tmp/snap.rootfs_*{,/usr}/lib/modules/,
+ mount options=(rw rslave) -> /tmp/snap.rootfs_*{,/usr}/lib/modules/,
mount options=(rw rbind) /var/log/ -> /tmp/snap.rootfs_*/var/log/,
mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/log/,
/dev/nvidiactl r,
/dev/nvidia-uvm r,
/usr/** r,
- mount options=(rw bind) /usr/lib/nvidia-*/ -> /{tmp/snap.rootfs_*/,}var/lib/snapd/lib/gl/,
+ mount options=(rw bind) /usr/lib{,32}/nvidia-*/ -> /{tmp/snap.rootfs_*/,}var/lib/snapd/lib/gl{,32}/,
+ mount options=(rw bind) /usr/lib{,32}/nvidia-*/ -> /{tmp/snap.rootfs_*/,}var/lib/snapd/lib/gl{,32}/,
+ /tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/{,*} w,
+ mount fstype=tmpfs options=(rw nodev noexec) none -> /tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/,
+ mount options=(remount ro) -> /tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/,
+
+ # Vulkan support
+ /tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/{,*} w,
+ mount fstype=tmpfs options=(rw nodev noexec) none -> /tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/,
+ mount options=(remount ro) -> /tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/,
+
+ # create gl dirs as needed
+ /tmp/snap.rootfs_*/ r,
+ /tmp/snap.rootfs_*/var/ r,
+ /tmp/snap.rootfs_*/var/lib/ r,
+ /tmp/snap.rootfs_*/var/lib/snapd/ r,
+ /tmp/snap.rootfs_*/var/lib/snapd/lib/ r,
+ /tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/ r,
+ /tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/** rw,
+ /tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/ r,
+ /tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/** rw,
# for chroot on steroids, we use pivot_root as a better chroot that makes
# apparmor rules behave the same on classic and outside of classic.
# Allow snap-confine to read snap contexts
/var/lib/snapd/context/snap.* r,
+ # Allow snap-confine to unmount stale mount namespaces.
+ umount /run/snapd/ns/*.mnt,
+ # Required to correctly unmount bound mount namespace.
+ # See LP: #1735459 for details.
+ umount /,
+
# Support for the quirk system
/var/ r,
/var/lib/ r,
capability sys_admin,
signal (send, receive) set=(abrt) peer=/usr/lib/snapd/snap-confine,
signal (send) set=(int) peer=/usr/lib/snapd/snap-confine//mount-namespace-capture-helper,
- signal (send, receive) set=(alrm, exists) peer=/usr/lib/snapd/snap-confine,
+ signal (send, receive) set=(int, alrm, exists) peer=/usr/lib/snapd/snap-confine,
signal (receive) set=(exists) peer=/usr/lib/snapd/snap-confine//mount-namespace-capture-helper,
+ # workaround for linux 4.13/upstream, see
+ # https://forum.snapcraft.io/t/snapd-2-27-6-2-in-debian-sid-blocked-on-apparmor-in-kernel-4-13-0-1/2813/3
+ ptrace (trace, tracedby) peer=/usr/lib/snapd/snap-confine,
+
# For aa_change_hat() to go into ^mount-namespace-capture-helper
@{PROC}/[0-9]*/attr/current w,
# libc, you are funny
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libc{,-[0-9]*}.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libpthread{,-[0-9]*}.so* mr,
+ /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libreadline{,-[0-9]*}.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}librt{,-[0-9]*}.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libgcc_s.so* mr,
+ /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libncursesw{,-[0-9]*}.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libresolv{,-[0-9]*}.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libselinux.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libpcre.so* mr,
# Allow snap-confine to be killed
signal (receive) peer=unconfined,
+ # Allow switching to snap-update-ns with a per-snap profile.
+ change_profile -> snap-update-ns.*,
+
# Allow executing snap-update-ns when...
# ...snap-confine is, conceptually, re-executing and uses snap-update-ns
# from the distribution package. This is also the location used when using
# the core/base snap on all-snap systems. The variants here represent
# various locations of libexecdir across distributions.
- /usr/lib{,exec,64}/snapd/snap-update-ns Cxr -> snap_update_ns,
+ /usr/lib{,exec,64}/snapd/snap-update-ns r,
# ...snap-confine is not, conceptually, re-executing and uses
# snap-update-ns from the distribution package but we are already inside
# the constructed mount namespace so we must traverse "hostfs". The
# variants here represent various locations of libexecdir across
# distributions.
- /var/lib/snapd/hostfs/usr/lib{,exec,64}/snapd/snap-update-ns Cxr -> snap_update_ns,
+ /var/lib/snapd/hostfs/usr/lib{,exec,64}/snapd/snap-update-ns r,
# ..snap-confine is, conceptually, re-executing and uses snap-update-ns
# from the core snap. Note that the location of the core snap varies from
# distribution to distribution. The variants here represent different
# locations of snap mount directory across distributions.
- /{,var/lib/snapd/}snap/core/*/usr/lib/snapd/snap-update-ns Cxr -> snap_update_ns,
+ /{,var/lib/snapd/}snap/core/*/usr/lib/snapd/snap-update-ns r,
# ...snap-confine is, conceptually, re-executing and uses snap-update-ns
# from the core snap but we are already inside the constructed mount
# "natural" /snap mount entry but we have no control over that. This is
# reported as (LP: #1716339). The variants here represent different
# locations of snap mount directory across distributions.
- /var/lib/snapd/hostfs/{,var/lib/snapd/}snap/core/*/usr/lib/snapd/snap-update-ns Cxr -> snap_update_ns,
-
- profile snap_update_ns (attach_disconnected) {
- # The next four rules mirror those above. We want to be able to read
- # and map snap-update-ns into memory but it may come from a variety of places.
- /usr/lib{,exec,64}/snapd/snap-update-ns mr,
- /var/lib/snapd/hostfs/usr/lib{,exec,64}/snapd/snap-update-ns mr,
- /{,var/lib/snapd/}snap/core/*/usr/lib/snapd/snap-update-ns mr,
- /var/lib/snapd/hostfs/{,var/lib/snapd/}snap/core/*/usr/lib/snapd/snap-update-ns mr,
-
- # Allow reading the dynamic linker cache.
- /etc/ld.so.cache r,
- # Allow reading, mapping and executing the dynamic linker.
- /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}ld-*.so mrix,
- # Allow reading and mapping various parts of the standard library and
- # dynamically loaded nss modules and what not.
- /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libc{,-[0-9]*}.so* mr,
- /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libpthread{,-[0-9]*}.so* mr,
-
- # Allow reading the command line (snap-update-ns uses it in pre-Go bootstrap code).
- @{PROC}/@{pid}/cmdline r,
-
- # Allow reading the os-release file (possibly a symlink to /usr/lib).
- /{etc/,usr/lib/}os-release r,
-
- # Allow creating/grabbing various snapd lock files.
- /run/snapd/lock/*.lock rwk,
-
- # Allow reading stored mount namespaces,
- /run/snapd/ns/ r,
- /run/snapd/ns/*.mnt r,
-
- # Allow reading per-snap desired mount profiles. Those are written by
- # snapd and represent the desired layout and content connections.
- /var/lib/snapd/mount/snap.*.fstab r,
-
- # Allow reading and writing actual per-snap mount profiles. Note that
- # the second rule is generic to allow our tmpfile-rename approach to
- # writing them. Those are written by snap-update-ns and represent the
- # actual layout at a given moment.
- /run/snapd/ns/*.fstab rw,
- /run/snapd/ns/*.fstab.* rw,
-
- # NOTE: at this stage the /snap directory is stable as we have called
- # pivot_root already.
-
- # Needed to perform mount/unmounts.
- capability sys_admin,
-
- # Support mount profiles via the content interface. This should correspond
- # to permutations of $SNAP -> $SNAP for reading and $SNAP_{DATA,COMMON} ->
- # $SNAP_{DATA,COMMON} for both reading and writing.
- #
- # Note that:
- # /snap/*/*/**
- # is meant to mean:
- # /snap/$SNAP_NAME/$SNAP_REVISION/and-any-subdirectory
- # but:
- # /var/snap/*/**
- # is meant to mean:
- # /var/snap/$SNAP_NAME/$SNAP_REVISION/
- mount options=(ro bind) /snap/*/** -> /snap/*/*/**,
- mount options=(ro bind) /snap/*/** -> /var/snap/*/**,
- mount options=(rw bind) /var/snap/*/** -> /var/snap/*/**,
- mount options=(ro bind) /var/snap/*/** -> /var/snap/*/**,
-
- # Allow the content interface to bind fonts from the host filesystem
- mount options=(ro bind) /var/lib/snapd/hostfs/usr/share/fonts/ -> /snap/*/*/**,
- # Allow the desktop interface to bind fonts from the host filesystem
- mount options=(ro bind) /var/lib/snapd/hostfs/usr/share/fonts/ -> /usr/share/fonts/,
- mount options=(ro bind) /var/lib/snapd/hostfs/usr/local/share/fonts/ -> /usr/local/share/fonts/,
- mount options=(ro bind) /var/lib/snapd/hostfs/var/cache/fontconfig/ -> /var/cache/fontconfig/,
-
- # Allow unmounts matching possible mounts listed above.
- umount /snap/*/*/**,
- umount /var/snap/*/**,
- umount /usr/share/fonts,
- umount /usr/local/share/fonts,
- umount /var/cache/fontconfig,
-
- # But we don't want anyone to touch /snap/bin
- audit deny mount /snap/bin/** -> /**,
- audit deny mount /** -> /snap/bin/**,
-
- # Allow the content interface to bind fonts from the host filesystem
- mount options=(ro bind) /var/lib/snapd/hostfs/usr/share/fonts/ -> /snap/*/*/**,
- }
+ /var/lib/snapd/hostfs/{,var/lib/snapd/}snap/core/*/usr/lib/snapd/snap-update-ns r,
}
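Review bot: The added nvidia bind-mount rule `mount options=(rw bind) /usr/lib{,32}/nvidia-*/ -> /{tmp/snap.rootfs_*/,}var/lib/snapd/lib/gl{,32}/,` appears twice in a row on the new side; the second copy adds nothing and should be dropped so the policy stays readable. Separately, the four snap-update-ns exec rules are reduced from `Cxr -> snap_update_ns` to plain `r` while the transition is delegated to the new `change_profile -> snap-update-ns.*,` rule, so the policy itself no longer pins which profile the child runs under; confinement presumably now depends on snap-confine requesting the correct per-snap `snap-update-ns.<snap>` profile before exec, which is worth stating next to that rule, e.g. `# NOTE: policy permits any snap-update-ns.* target; snap-confine must select the per-snap profile itself.` The enclosing profile starts outside the hunk.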