From 673cd6d56da6055f64dff09f28aa5c7a22ac15fc Mon Sep 17 00:00:00 2001
From: root
Date: Wed, 27 Mar 2019 06:49:35 +0100
Subject: [PATCH] committing changes in /etc after apt run
Package changes:
-snapd 2.34.2+18.04.1 amd64
+snapd 2.37.4+18.04.1 amd64
-ubuntu-core-launcher 2.34.2+18.04.1 amd64
+ubuntu-core-launcher 2.37.4+18.04.1 amd64
---
 .etckeeper | 1 +
 apparmor.d/usr.lib.snapd.snap-confine.real | 86 ++++++++++++++--------
 apt/apt.conf.d/20snapd.conf | 1 +
 mailcap | 1 +
 4 files changed, 59 insertions(+), 30 deletions(-)
 create mode 100644 apt/apt.conf.d/20snapd.conf
diff --git a/.etckeeper b/.etckeeper
index 8529039..f6822f6 100755
--- a/.etckeeper
+++ b/.etckeeper
@@ -508,6 +508,7 @@ maybe chmod 0644 'apt/apt.conf.d/15update-stamp'
 maybe chmod 0644 'apt/apt.conf.d/20archive'
 maybe chmod 0644 'apt/apt.conf.d/20auto-upgrades'
 maybe chmod 0644 'apt/apt.conf.d/20dbus'
+maybe chmod 0644 'apt/apt.conf.d/20snapd.conf'
 maybe chmod 0644 'apt/apt.conf.d/50appstream'
 maybe chmod 0644 'apt/apt.conf.d/50command-not-found'
 maybe chmod 0644 'apt/apt.conf.d/50unattended-upgrades'
diff --git a/apparmor.d/usr.lib.snapd.snap-confine.real b/apparmor.d/usr.lib.snapd.snap-confine.real
index b26f5bc..71c287e 100644
--- a/apparmor.d/usr.lib.snapd.snap-confine.real
+++ b/apparmor.d/usr.lib.snapd.snap-confine.real
@@ -25,6 +25,9 @@
 /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libresolv{,-[0-9]*}.so* mr,
 /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libselinux.so* mr,
 /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libpcre.so* mr,
+ /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libmount.so* mr,
+ /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libblkid.so* mr,
+ /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libuuid.so* mr,
 # normal libs in order
 /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libapparmor.so* mr,
 /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcgmanager.so* mr,
@@ -68,7 +71,7 @@
 /etc/udev/udev.conf r,
 /sys/**/uevent r,
 /usr/lib/snapd/snap-device-helper ixr, # drop
- /lib/udev/snappy-app-dev ixr, # drop
+ /{,usr/}lib/udev/snappy-app-dev ixr, # drop
 /run/udev/** rw,
 /{,usr/}bin/tr ixr,
 /usr/lib/locale/** r,
@@ -119,9 +122,6 @@
 # reading seccomp filters
 /{tmp/snap.rootfs_*/,}var/lib/snapd/seccomp/bpf/*.bin r,
- # ensuring correct permissions in sc_quirk_create_writable_mimic
- /{tmp/snap.rootfs_*/,}var/lib/ rw,
-
 # LP: #1668659
 mount options=(rw rbind) /snap/ -> /snap/,
 mount options=(rw rshared) -> /snap/,
@@ -178,6 +178,9 @@
 mount options=(rw rbind) /run/ -> /tmp/snap.rootfs_*/run/,
 mount options=(rw rslave) -> /tmp/snap.rootfs_*/run/,
+ mount options=(rw rbind) /var/lib/extrausers/ -> /tmp/snap.rootfs_*/var/lib/extrausers/,
+ mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/lib/extrausers/,
+
 mount options=(rw rbind) {,/usr}/lib{,32,64,x32}/modules/ -> /tmp/snap.rootfs_*{,/usr}/lib/modules/,
 mount options=(rw rslave) -> /tmp/snap.rootfs_*{,/usr}/lib/modules/,
@@ -187,6 +190,9 @@
 mount options=(rw rbind) /usr/src/ -> /tmp/snap.rootfs_*/usr/src/,
 mount options=(rw rslave) -> /tmp/snap.rootfs_*/usr/src/,
+ mount options=(rw rbind) /mnt/ -> /tmp/snap.rootfs_*/mnt/,
+ mount options=(rw rslave) -> /tmp/snap.rootfs_*/mnt/,
+
 # allow making host snap-exec available inside base snaps
 mount options=(rw bind) /usr/lib/snapd/ -> /tmp/snap.rootfs_*/usr/lib/snapd/,
 mount options=(rw slave) -> /tmp/snap.rootfs_*/usr/lib/snapd/,
@@ -214,6 +220,7 @@
 # pivot_root preparation and execution
 mount options=(rw bind) /tmp/snap.rootfs_*/var/lib/snapd/hostfs/ -> /tmp/snap.rootfs_*/var/lib/snapd/hostfs/,
 mount options=(rw private) -> /tmp/snap.rootfs_*/var/lib/snapd/hostfs/,
+ # pivot_root mediation in AppArmor is not complete. See LP: #1791711
 pivot_root,
 # cleanup
 umount /var/lib/snapd/hostfs/tmp/snap.rootfs_*/,
@@ -228,9 +235,12 @@
 # Allow reading the os-release file (possibly a symlink to /usr/lib).
 /{etc/,usr/lib/}os-release r,
+ # Allow creating /var/lib/snapd/hostfs, if missing
+ /var/lib/snapd/hostfs/ rw,
+
 # set up snap-specific private /tmp dir
 capability chown,
- /tmp/ w,
+ /tmp/ rw,
 /tmp/snap.*/ w,
 /tmp/snap.*/tmp/ w,
 mount options=(rw private) -> /tmp/,
@@ -303,6 +313,18 @@
 @{HOME}/ r,
 @{HOME}/snap/{,*/,*/*/} rw,
+ # Special case for *classic* snaps that are used by users with existing dirs
+ # in /var/lib/. Like jenkins, postgresql, mysql, puppet, ...
+ # (see https://forum.snapcraft.io/t/9717)
+ # TODO: this can be removed once we support home-dirs outside of /home
+ # better
+ /var/ r,
+ /var/lib/ r,
+ # These should both have 'owner' match but due to LP: #1466234, we can't
+ # yet
+ /var/lib/*/ r,
+ /var/lib/*/snap/{,*/,*/*/} rw,
+
 # for creating the user shared memory directories
 /{dev,run}/{,shm/} r,
 # This should both have 'owner' match but due to LP: #1466234, we can't yet
@@ -329,35 +351,11 @@
 # Allow snap-confine to unmount stale mount namespaces.
 umount /run/snapd/ns/*.mnt,
+ /run/snapd/ns/snap.*.fstab w,
 # Required to correctly unmount bound mount namespace.
 # See LP: #1735459 for details.
 umount /,
- # Support for the quirk system
- /var/ r,
- /var/lib/ r,
- /var/lib/** rw,
- /tmp/ r,
- /tmp/snapd.quirks_*/ rw,
- mount options=(move) /var/lib/snapd/ -> /tmp/snapd.quirks_*/,
- mount fstype=tmpfs options=(rw nodev nosuid) none -> /var/lib/,
- mount options=(ro rbind) /snap/{,ubuntu-}core/*/var/lib/** -> /var/lib/**,
- umount /var/lib/snapd/,
- mount options=(move) /tmp/snapd.quirks_*/ -> /var/lib/snapd/,
- # On classic systems with a setuid root snap-confine when run by non-root
- # user, the mimic_dir is created with the gid of the calling user (ie,
- # not '0') so when setting the permissions (chmod) of the mimicked
- # directory to that of the reference directory, a CAP_FSETID is triggered.
- # snap-confine sets the directory up correctly, so simply silence the
- # denial since we don't want to grant the capability as a whole to
- # snap-confine.
- deny capability fsetid,
-
- # support for the LXD quirk
- mount options=(rw rbind nodev nosuid noexec) /var/lib/snapd/hostfs/var/lib/lxd/ -> /var/lib/lxd/,
- /var/lib/lxd/ w,
- /var/lib/snapd/hostfs/var/lib/lxd r,
-
 # support for locking
 /run/snapd/lock/ rw,
 /run/snapd/lock/*.lock rwk,
@@ -365,6 +363,8 @@
 # support for the mount namespace sharing
 capability sys_ptrace,
 # allow snap-confine to read /proc/1/ns/mnt
+ ptrace read peer=unconfined,
+ # https://forum.snapcraft.io/t/custom-kernel-error-on-readlinkat-in-mount-namespace/6097/21
 ptrace trace peer=unconfined,
 mount options=(rw rbind) /run/snapd/ns/ -> /run/snapd/ns/,
@@ -388,9 +388,19 @@
 # https://forum.snapcraft.io/t/snapd-2-27-6-2-in-debian-sid-blocked-on-apparmor-in-kernel-4-13-0-1/2813/3
 ptrace (trace, tracedby) peer=/usr/lib/snapd/snap-confine,
+ # Allow reading snap cookies.
+ /var/lib/snapd/cookie/snap.* r,
+
 # For aa_change_hat() to go into ^mount-namespace-capture-helper
 @{PROC}/[0-9]*/attr/current w,
+ # As a special exception allow snap-confine to write to anything in /var/lib.
+ # This code should be changed to allow delegation so that snap-confine can
+ # inherit any file descriptor and pass it to the invoked application but
+ # this is not possible in apparmor yet.
+ # See https://bugs.launchpad.net/snapd/+bug/1815869
+ /var/lib/** rw,
+
 ^mount-namespace-capture-helper (attach_disconnected) {
 # We run privileged, so be fanatical about what we include and don't use
 # any abstractions
@@ -406,6 +416,9 @@
 /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libresolv{,-[0-9]*}.so* mr,
 /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libselinux.so* mr,
 /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libpcre.so* mr,
+ /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libmount.so* mr,
+ /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libblkid.so* mr,
+ /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libuuid.so* mr,
 # normal libs in order
 /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libapparmor.so* mr,
 /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcgmanager.so* mr,
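Review bot: The new `/var/lib/** rw,` rule in the @@ -388 hunk is a main-profile grant that subsumes the narrower /var/lib rules this same upgrade introduces (`/var/lib/snapd/cookie/snap.* r,` a few lines above, plus `/var/lib/snapd/hostfs/ rw,` and `/var/lib/*/snap/{,*/,*/*/} rw,` in the earlier hunks), so those narrower rules no longer bound what snap-confine may touch under /var/lib. The accompanying comment gives the delegation rationale and the bug link but does not say this, and the rule is placed between the ptrace rules and the hat rather than beside the other /var/lib rules, which makes the effective scope easy to misread when auditing the profile. Suggest extending the comment with `# NOTE: this subsumes the narrower /var/lib rules earlier in this profile; they are kept to document intent.` As far as I can tell the `^mount-namespace-capture-helper` hat that follows is a separate profile and does not receive this grant, which is worth stating in the same comment.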
@@ -490,4 +503,17 @@
 # reported as (LP: #1716339). The variants here represent different
 # locations of snap mount directory across distributions.
 /var/lib/snapd/hostfs/{,var/lib/snapd/}snap/core/*/usr/lib/snapd/snap-update-ns r,
+
+ # Allow executing snap-discard-ns, just like the set for snap-update-ns
+ # above but with the key difference that snap-discard-ns does not
+ # have a dedicated profile so we need to inherit snap-confine's profile.
+
+ /usr/lib{,exec,64}/snapd/snap-discard-ns rix,
+ /var/lib/snapd/hostfs/usr/lib{,exec,64}/snapd/snap-discard-ns rix,
+ /{,var/lib/snapd/}snap/core/*/usr/lib/snapd/snap-discard-ns rix,
+ /var/lib/snapd/hostfs/{,var/lib/snapd/}snap/core/*/usr/lib/snapd/snap-discard-ns rix,
+
+ # Allow mounting /var/lib/jenkinks from the host into the snap.
+ mount options=(rw rbind) /var/lib/jenkins/ -> /tmp/snap.rootfs_*/var/lib/jenkins/,
+ mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/lib/jenkins/,
 }
diff --git a/apt/apt.conf.d/20snapd.conf b/apt/apt.conf.d/20snapd.conf
new file mode 100644
index 0000000..11f9721
--- /dev/null
+++ b/apt/apt.conf.d/20snapd.conf
@@ -0,0 +1 @@
+AptCli::Hooks::Install { "[ ! -f /usr/bin/snap ] || /usr/bin/snap advise-snap --from-apt 2>/dev/null || true"; };
diff --git a/mailcap b/mailcap
index 87e4cc6..63beb66 100644
--- a/mailcap
+++ b/mailcap
@@ -678,6 +678,7 @@ application/sla; slic3r --gui %s; test=test -n "$DISPLAY"
 model/x-wavefront-obj; slic3r --gui %s; test=test -n "$DISPLAY"
 model/x-geomview-off; slic3r --gui %s; test=test -n "$DISPLAY"
 application/x-amf; slic3r --gui %s; test=test -n "$DISPLAY"
+x-scheme-handler/snap; /usr/bin/snap handle-link %s; test=test -n "$DISPLAY"
 text/x-apt-sources-list; software-properties-gtk %s; test=test -n "$DISPLAY"
 x-scheme-handler/mailto; thunderbird -addressbook %s; test=test -n "$DISPLAY"
 application/x-xpinstall; thunderbird -addressbook %s; test=test -n "$DISPLAY"
-- 
2.43.0
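Review bot: The `/var/lib/jenkins/` rbind rule pair at the end of the @@ -490 hunk hard-codes a single application's state directory into the generic snap-confine profile, and its comment (`# Allow mounting /var/lib/jenkinks from the host into the snap.`, with a typo in the path) gives no rationale, so a later reader cannot tell why this one path is special or when the rule can go. The reasoning already exists in this same upgrade, in the "Special case for *classic* snaps that are used by users with existing dirs in /var/lib/" block that names jenkins and links https://forum.snapcraft.io/t/9717. Suggest replacing the comment with `# Allow mounting /var/lib/jenkins from the host into the snap; classic-snap special case, see the /var/lib block above and https://forum.snapcraft.io/t/9717.` Since the rule is written against `/tmp/snap.rootfs_*`, it appears to apply to every snap-confine invocation rather than only to the jenkins snap, which is worth saying explicitly in the comment if that is intended.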
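Review bot: The new `apt/apt.conf.d/20snapd.conf` registers a shell one-liner that apt runs on every install, and `2>/dev/null || true` suppresses both the stderr and the exit status of `snap advise-snap`, so a failing or misbehaving hook leaves no trace in the apt run; the file has no comment explaining that this is deliberate. Suggest a leading comment line so the silent-failure behaviour is documented for anyone auditing apt hooks: `// Best-effort snap suggestions after apt install; failures of snap advise-snap are intentionally silenced.` The `[ ! -f /usr/bin/snap ] ||` guard only checks for the file's presence, not that it is executable, which may matter if /usr/bin/snap is ever replaced by a non-executable placeholder; that is an observation, not a defect in the common case.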