1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188 | # Author: Jamie Strandboge <jamie@canonical.com>
#include <tunables/global>
/usr/lib/snapd/snap-confine (attach_disconnected) {
# We run privileged, so be fanatical about what we include and don't use
# any abstractions
/etc/ld.so.cache r,
/lib/@{multiarch}/ld-*.so mr,
# libc, you are funny
/lib/@{multiarch}/libc{,-[0-9]*}.so* mr,
/lib/@{multiarch}/libpthread{,-[0-9]*}.so* mr,
/lib/@{multiarch}/librt{,-[0-9]*}.so* mr,
/lib/@{multiarch}/libgcc_s.so* mr,
# normal libs in order
/lib/@{multiarch}/libapparmor.so* mr,
/lib/@{multiarch}/libcgmanager.so* mr,
/lib/@{multiarch}/libnih.so* mr,
/lib/@{multiarch}/libnih-dbus.so* mr,
/lib/@{multiarch}/libdbus-1.so* mr,
/lib/@{multiarch}/libudev.so* mr,
/usr/lib/@{multiarch}/libseccomp.so* mr,
/lib/@{multiarch}/libseccomp.so* mr,
/usr/lib/snapd/snap-confine r,
/etc/ld.so.preload r,
/usr/lib/arm-linux-gnueabihf/libarmmem.so r,
/dev/null rw,
/dev/full rw,
/dev/zero rw,
/dev/random r,
/dev/urandom r,
# cgroups
capability sys_admin,
capability dac_override,
/sys/fs/cgroup/devices/snap{,py}.*/ w,
/sys/fs/cgroup/devices/snap{,py}.*/tasks w,
/sys/fs/cgroup/devices/snap{,py}.*/devices.{allow,deny} w,
# querying udev
/etc/udev/udev.conf r,
/sys/devices/**/uevent r,
/lib/udev/snappy-app-dev ixr, # drop
/run/udev/** rw,
/{,usr/}bin/tr ixr,
/usr/lib/locale/** r,
/usr/lib/@{multiarch}/gconv/gconv-modules r,
/usr/lib/@{multiarch}/gconv/gconv-modules.cache r,
# priv dropping
capability setuid,
capability setgid,
# changing profile
@{PROC}/[0-9]*/attr/exec w,
# don't allow changing profile to unconfined or profiles that start with
# '/'
change_profile -> [^u/]**,
change_profile -> u[^n]**,
change_profile -> un[^c]**,
change_profile -> unc[^o]**,
change_profile -> unco[^n]**,
change_profile -> uncon[^f]**,
change_profile -> unconf[^i]**,
change_profile -> unconfi[^n]**,
change_profile -> unconfin[^e]**,
change_profile -> unconfine[^d]**,
change_profile -> unconfined?**,
# allow changing to a few not caught above
change_profile -> {u,un,unc,unco,uncon,unconf,unconfi,unconfin,unconfine},
# LP: #1446794 - when this bug is fixed, change the above to:
# deny change_profile -> {unconfined,/**},
# change_profile -> **,
# reading seccomp filters
/{tmp/snap.rootfs_*/,}var/lib/snapd/seccomp/profiles/* r,
# reading mount profiles
/{tmp/snap.rootfs_*/,}var/lib/snapd/mount/*.fstab r,
# set up snap-specific private /tmp dir
capability chown,
/{tmp/snap.rootfs_*/,}tmp/ w,
/{tmp/snap.rootfs_*/,}tmp/snap.*/ w,
/{tmp/snap.rootfs_*/,}tmp/snap.*/tmp/ w,
mount options=(rw private) -> /{tmp/snap.rootfs_*/,}tmp/,
mount options=(rw bind) /{tmp/snap.rootfs_*/,}tmp/snap.*/tmp/ -> /{tmp/snap.rootfs_*/,}tmp/,
mount fstype=devpts options=(rw) devpts -> /{tmp/snap.rootfs_*/,}dev/pts/,
mount options=(rw bind) /{tmp/snap.rootfs_*/,}dev/pts/ptmx -> /{tmp/snap.rootfs_*/,}dev/ptmx, # for bind mounting
# Workaround for LP: #1584456 on older kernels that mistakenly think
# /dev/pts/ptmx needs a trailing '/'
mount options=(rw bind) /{tmp/snap.rootfs_*/,}dev/pts/ptmx/ -> /{tmp/snap.rootfs_*/,}dev/ptmx/,
# for running snaps on classic
mount options=(rw rslave) -> /,
/{tmp/snap.rootfs_*,}snap/ r,
/{tmp/snap.rootfs_*,}snap/** r,
# mount calls to setup the pivot_root based chroot with the core snap as
# the root filesystem.
mount options=(rw bind) /snap/ubuntu-core/*/ -> /tmp/snap.rootfs_*/,
mount options=(rw rbind) /dev/ -> /tmp/snap.rootfs_*/dev/,
mount options=(rw rbind) /etc/ -> /tmp/snap.rootfs_*/etc/,
mount options=(rw rbind) /home/ -> /tmp/snap.rootfs_*/home/,
mount options=(rw rbind) /root/ -> /tmp/snap.rootfs_*/root/,
mount options=(rw rbind) /proc/ -> /tmp/snap.rootfs_*/proc/,
mount options=(rw rbind) /snap/ -> /tmp/snap.rootfs_*/snap/,
mount options=(rw rbind) /sys/ -> /tmp/snap.rootfs_*/sys/,
mount options=(rw rbind) /tmp/ -> /tmp/snap.rootfs_*/tmp/,
mount options=(rw rbind) /var/lib/snapd/ -> /tmp/snap.rootfs_*/var/lib/snapd/,
mount options=(rw rbind) /var/snap/ -> /tmp/snap.rootfs_*/var/snap/,
mount options=(rw rbind) /var/tmp/ -> /tmp/snap.rootfs_*/var/tmp/,
mount options=(rw rbind) /run/ -> /tmp/snap.rootfs_*/run/,
mount options=(rw rbind) /media/ -> /tmp/snap.rootfs_*/media/,
mount options=(rw rbind) {/usr,}/lib/modules/ -> /tmp/snap.rootfs_*/lib/modules/,
mount options=(rw rbind) /var/log/ -> /tmp/snap.rootfs_*/var/log/,
mount options=(rw rbind) /usr/src/ -> /tmp/snap.rootfs_*/usr/src/,
mount options=(rw bind) /snap/ubuntu-core/*/etc/alternatives/ -> /tmp/snap.rootfs_*/etc/alternatives/,
# Allow to mkdir /var/lib/snapd/hostfs
/var/lib/snapd/hostfs/ rw,
# Allow to mount / as hostfs in the chroot
mount options=(ro bind) / -> /tmp/snap.rootfs_*/var/lib/snapd/hostfs/,
# Support mount profiles via the content interface
mount options=(rw bind) /snap/*/** -> /snap/*/*/**,
mount options=(ro bind) /snap/*/** -> /snap/*/*/**,
# But we don't want anyone to touch /snap/bin
audit deny mount /snap/bin/** -> /**,
audit deny mount /** -> /snap/bin/**,
# Allow the content interface to bind fonts from the host filesystem
mount options=(ro bind) /var/lib/snapd/hostfs/usr/share/fonts/ -> /snap/*/*/**,
# nvidia handling, glob needs /usr/** and the launcher must be
# able to bind mount the nvidia dir
/usr/** r,
mount options=(rw bind) /usr/lib/nvidia-*/ -> /{tmp/snap.rootfs_*/,}var/lib/snapd/lib/gl/,
# for chroot on steroids, we use pivot_root as a better chroot that makes
# apparmor rules behave the same on classic and outside of classic.
pivot_root,
# for creating the user data directories: ~/snap, ~/snap/<name> and
# ~/snap/<name>/<version>
/ r,
@{HOMEDIRS}/ r,
# These should both have 'owner' match but due to LP: #1466234, we can't
# yet
@{HOME}/ r,
@{HOME}/snap/{,*/,*/*/} rw,
# for creating the user shared memory directories
/{dev,run}/{,shm/} r,
# This should both have 'owner' match but due to LP: #1466234, we can't yet
/{dev,run}/shm/{,*/,*/*/} rw,
# Workaround https://launchpad.net/bugs/359338 until upstream handles
# stacked filesystems generally.
# encrypted ~/.Private and old-style encrypted $HOME
@{HOME}/.Private/ r,
@{HOME}/.Private/** mrixwlk,
# new-style encrypted $HOME
@{HOMEDIRS}/.ecryptfs/*/.Private/ r,
@{HOMEDIRS}/.ecryptfs/*/.Private/** mrixwlk,
# Support for the quirk system
/var/ r,
/var/lib/ r,
/var/lib/** rw,
/tmp/ r,
/tmp/snapd.quirks_*/ rw,
mount options=(move) /var/lib/snapd/ -> /tmp/snapd.quirks_*/,
mount fstype=tmpfs options=(rw nodev nosuid) none -> /var/lib/,
mount options=(ro rbind) /snap/ubuntu-core/*/var/lib/** -> /var/lib/**,
umount /var/lib/snapd/,
mount options=(move) /tmp/snapd.quirks_*/ -> /var/lib/snapd/,
# support for the LXD quirk
mount options=(rw rbind nodev nosuid noexec) /var/lib/snapd/hostfs/var/lib/lxd/ -> /var/lib/lxd/,
/var/lib/lxd/ w,
/var/lib/snapd/hostfs/var/lib/lxd r,
}
|