Ubuntu Pastebin

Paste from kyrofa at Thu, 18 Feb 2016 14:13:16 +0000

Download as text 
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
# Author: Jamie Strandboge <jamie@canonical.com>
#include <tunables/global>

/usr/bin/ubuntu-core-launcher (attach_disconnected) {
    # We run privileged, so be fanatical about what we include and don't use
    # any abstractions
    /etc/ld.so.cache r,
    /lib/@{multiarch}/ld-*.so mr,
    # libc, you are funny
    /lib/@{multiarch}/libc{,-[0-9]*}.so* mr,
    /lib/@{multiarch}/libpthread{,-[0-9]*}.so* mr,
    /lib/@{multiarch}/librt{,-[0-9]*}.so* mr,
    /lib/@{multiarch}/libgcc_s.so* mr,
    # normal libs in order
    /lib/@{multiarch}/libapparmor.so* mr,
    /lib/@{multiarch}/libudev.so* mr,
    /usr/lib/@{multiarch}/libseccomp.so* mr,
    /lib/@{multiarch}/libseccomp.so* mr,

    /usr/bin/ubuntu-core-launcher r,

    /dev/null rw,
    /dev/full rw,
    /dev/zero rw,

    # cgroups
    capability sys_admin,
    capability dac_override,
    /sys/fs/cgroup/devices/snappy.*/ w,
    /sys/fs/cgroup/devices/snappy.*/tasks w,
    /sys/fs/cgroup/devices/snappy.*/devices.{allow,deny} w,

    # querying udev
    /etc/udev/udev.conf r,
    /sys/devices/**/uevent r,
    /lib/udev/snappy-app-dev ixr, # drop
    /run/udev/** rw,

    # priv dropping
    capability setuid,
    capability setgid,

    # changing profile
    @{PROC}/[0-9]*/attr/exec w,
    change_profile -> [^u/]**,
    change_profile -> [^u/][^n]**,
    change_profile -> [^u/][^n][^c]**,
    change_profile -> [^u/][^n][^c][^o]**,
    change_profile -> [^u/][^n][^c][^o][^n]**,
    change_profile -> [^u/][^n][^c][^o][^n][^f]**,
    change_profile -> [^u/][^n][^c][^o][^n][^f][^i]**,
    change_profile -> [^u/][^n][^c][^o][^n][^f][^i][^n]**,
    change_profile -> [^u/][^n][^c][^o][^n][^f][^i][^n][^e]**,
    change_profile -> [^u/][^n][^c][^o][^n][^f][^i][^n][^e][^d]**,
    # LP: #1446794 - when this bug is fixed, change the above to:
    # deny change_profile -> {unconfined,/**},
    # change_profile -> **,

    # reading seccomp filters
    /var/lib/snappy/seccomp/profiles/* r,

    # read apparmor to figure out if we need cgroups
    /var/lib/apparmor/clicks/* r,

    # set up snap-specific private /tmp dir
    capability chown,
    /tmp/ w,
    /tmp/snap.*/ w,
    /tmp/snap.*/tmp/ w,
    mount options=(rw private) -> /tmp/,
    mount options=(rw bind) /tmp/snap.*/tmp/ -> /tmp/,

    # for running snaps on ubuntu
    mount options=(rw rslave) -> /,
    /snaps/ r,
    /snaps/** r,
    mount options=(rw bind) /snaps/ubuntu-core*/*/bin/ -> /bin/,
    mount options=(rw bind) /snaps/ubuntu-core*/*/sbin/ -> /sbin/,
    mount options=(rw bind) /snaps/ubuntu-core*/*/lib/ -> /lib/,
    mount options=(rw bind) /snaps/ubuntu-core*/*/lib64/ -> /lib64/,
    mount options=(rw bind) /snaps/ubuntu-core*/*/usr/ -> /usr/,

    # for creating the user data directories: ~/snaps, ~/snaps/<name> and
    # ~/snaps/<name>/<version>
    / r,
    @{HOMEDIRS}/ r,
    # These should both have 'owner' match but due to LP: #1466234, we can't
    # yet
    @{HOME}/ r,
    @{HOME}/snaps/{,*/,*/*/} rw,

    # for creating the user shared memory directories
    /{dev,run}/{,shm/} r,
    # This should both have 'owner' match but due to LP: #1466234, we can't yet
    /{dev,run}/shm/{,*/,*/*/} rw,
}
Download as text