# Author: Jamie Strandboge <jamie@canonical.com>
#include <tunables/global>
# Confinement for the launcher binary at /usr/bin/ubuntu-core-launcher.
# The rules below let it: load a fixed set of shared libraries, write to
# snappy.* device cgroups, query udev, change uid/gid, request an AppArmor
# profile transition, and read seccomp filter files.
profile ubuntu-core-launcher /usr/bin/ubuntu-core-launcher {
# The launcher runs privileged, so every path is listed explicitly and no
# shared abstractions are included; anything not named here is denied.
# 'mr' = read plus mmap with PROT_EXEC, i.e. what the dynamic loader needs.
/etc/ld.so.cache r,
/lib/@{multiarch}/libapparmor.so* mr,
/lib/@{multiarch}/libc-*.so* mr,
/lib/@{multiarch}/libpthread-*.so* mr,
/lib/@{multiarch}/libudev.so* mr,
/usr/lib/@{multiarch}/libseccomp.so* mr,
# cgroups
# NOTE(review): CAP_SYS_ADMIN covers far more than cgroup management (mounts,
# namespaces, many ioctls). The file rules in this profile still bound what
# paths can be touched, but confirm the capability is actually required.
capability sys_admin,
# Write access is limited to the devices controller, and within it to cgroups
# whose name starts with "snappy." ('*' does not match '/').
/sys/fs/cgroup/devices/snappy.*/tasks w,
/sys/fs/cgroup/devices/snappy.*/devices.{allow,deny} w,
# querying udev
/etc/udev/udev.conf r,
/sys/devices/virtual/*/*/uevent r,
# 'ix' = inherit: the helper executes under this same profile, so it runs with
# every capability and path rule granted here.
# NOTE(review): the trailing "# drop" is unexplained; presumably it marks this
# rule for later removal. Confirm and record the reason.
/lib/udev/snappy-app-dev ixr, # drop
# priv dropping
capability setuid,
capability setgid,
# changing profile
# Writing attr/exec is how a task asks the kernel to switch profile at its next
# exec. The [0-9]* glob matches any pid directory, not only the launcher's own.
@{PROC}/[0-9]*/attr/exec w,
# Allows a transition to ANY loaded profile; the target is chosen entirely by
# the launcher's own code.
# NOTE(review): if the application profiles share a naming pattern, restricting
# the target to that pattern would limit what a misbehaving launcher can
# transition into. TODO confirm the naming scheme before narrowing.
change_profile -> *,
# reading seccomp filters
# Read-only, and only files directly in this directory ('*' does not cross '/').
/var/lib/snappy/seccomp/profiles/* r,
}