# We run privileged, so be fanatical about what we include and don't use
# any abstractions
/etc/ld.so.cache r,
+ /etc/ld.so.preload r,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}ld-*.so mrix,
# libc, you are funny
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libc{,-[0-9]*}.so* mr,
# cgroup: devices
capability sys_admin,
+ capability dac_read_search,
capability dac_override,
/sys/fs/cgroup/devices/snap{,py}.*/ w,
/sys/fs/cgroup/devices/snap{,py}.*/tasks w,
# when a distro with merged /usr and / that uses apparmor shows up it
# should be handled here.
/{,run/}media/ w,
- mount options=(rw rbind) /media/ -> /tmp/snap.rootfs_*/media/,
+ mount options=(rw rbind) /{,run/}media/ -> /tmp/snap.rootfs_*/{,run/}media/,
/run/netns/ w,
mount options=(rw rbind) /run/netns/ -> /tmp/snap.rootfs_*/run/netns/,
# unidirectional mounts (only for classic system)
mount options=(rw slave) -> /tmp/snap.rootfs_*/usr/bin/snapctl,
# /etc/alternatives (classic)
- mount options=(rw bind) /snap/{,ubuntu-}core/*/etc/alternatives/ -> /tmp/snap.rootfs_*/etc/alternatives/,
+ mount options=(rw bind) /snap/*/*/etc/alternatives/ -> /tmp/snap.rootfs_*/etc/alternatives/,
mount options=(rw bind) /snap/*/*/etc/ssl/ -> /tmp/snap.rootfs_*/etc/ssl/,
mount options=(rw bind) /snap/*/*/etc/nsswitch.conf -> /tmp/snap.rootfs_*/etc/nsswitch.conf,
# /etc/alternatives (core)
umount /var/lib/snapd/hostfs/proc/,
mount options=(rw rslave) -> /var/lib/snapd/hostfs/,
+ # set up user mount namespace
+ mount options=(rslave) -> /,
+
# Allow reading the os-release file (possibly a symlink to /usr/lib).
/{etc/,usr/lib/}os-release r,
mount fstype=tmpfs options=(rw nodev noexec) none -> /tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/,
mount options=(remount ro) -> /tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/,
+ # GLVND EGL vendor
+ /tmp/snap.rootfs_*/var/lib/snapd/lib/glvnd/{,*} w,
+ mount fstype=tmpfs options=(rw nodev noexec) none -> /tmp/snap.rootfs_*/var/lib/snapd/lib/glvnd/,
+ mount options=(remount ro) -> /tmp/snap.rootfs_*/var/lib/snapd/lib/glvnd/,
+
# create gl dirs as needed
/tmp/snap.rootfs_*/ r,
/tmp/snap.rootfs_*/var/ r,
/tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/** rw,
/tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/ r,
/tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/** rw,
+ /tmp/snap.rootfs_*/var/lib/snapd/lib/glvnd/ r,
+ /tmp/snap.rootfs_*/var/lib/snapd/lib/glvnd/** rw,
# for chroot on steroids, we use pivot_root as a better chroot that makes
# apparmor rules behave the same on classic and outside of classic.
#!/bin/sh --this-shebang-is-just-here-to-inform-shellcheck--
# Expand $PATH to include the directory where snappy applications go.
-if [ "${PATH#*/snap/bin}" = "${PATH}" ]; then
- export PATH=$PATH:/snap/bin
+snap_bin_path="/snap/bin"
+if [ -n "${PATH##*${snap_bin_path}}" -a -n "${PATH##*${snap_bin_path}:*}" ]; then
+ export PATH=$PATH:${snap_bin_path}
fi
-# desktop files (used by desktop environments within both X11 and Wayland) are
+# Ensure base distro defaults xdg path are set if nothing filed up some
+# defaults yet.
+if [ -z "$XDG_DATA_DIRS" ]; then
+ export XDG_DATA_DIRS="/usr/local/share:/usr/share"
+fi
+
+# Desktop files (used by desktop environments within both X11 and Wayland) are
# looked for in XDG_DATA_DIRS; make sure it includes the relevant directory for
# snappy applications' desktop files.
-if [ "${XDG_DATA_DIRS#*/snapd/desktop}" = "${XDG_DATA_DIRS}" ]; then
- export XDG_DATA_DIRS="${XDG_DATA_DIRS:-/usr/local/share:/usr/share}:/var/lib/snapd/desktop"
+snap_xdg_path="/var/lib/snapd/desktop"
+if [ -n "${XDG_DATA_DIRS##*${snap_xdg_path}}" -a -n "${XDG_DATA_DIRS##*${snap_xdg_path}:*}" ]; then
+ export XDG_DATA_DIRS="${XDG_DATA_DIRS}:${snap_xdg_path}"
fi
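Review bot: The new conditions on the `snap_bin_path` and `snap_xdg_path` lines use `[ … -a … ]`, which POSIX marks obsolescent and ShellCheck flags (SC2166); under `#!/bin/sh` the portable form is two tests joined by `&&`, i.e. `if [ -n "${PATH##*${snap_bin_path}}" ] && [ -n "${PATH##*${snap_bin_path}:*}" ]; then` and likewise `if [ -n "${XDG_DATA_DIRS##*${snap_xdg_path}}" ] && [ -n "${XDG_DATA_DIRS##*${snap_xdg_path}:*}" ]; then`. The paired expansions also read as one opaque check, so a comment such as `# skip if already present as the last entry or as an entry followed by ':'` would make the intent visible, since the first test only detects a trailing match and the second only a match followed by a colon. Both are still substring matches — a trailing `/usr/snap/bin` satisfies the first test — which the previous `#*/snap/bin` check shared, so it is not a regression but worth a word in that comment. Note too that an empty PATH now fails the first `-n` test and is left without `/snap/bin`, whereas the removed check would have appended it; if that is deliberate it deserves a comment.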