# Author: Jamie Strandboge #include /usr/lib/snapd/snap-confine (attach_disconnected) { # We run privileged, so be fanatical about what we include and don't use # any abstractions /etc/ld.so.cache r, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}ld-*.so mrix, # libc, you are funny /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libc{,-[0-9]*}.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libpthread{,-[0-9]*}.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}librt{,-[0-9]*}.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libgcc_s.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libresolv{,-[0-9]*}.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libselinux.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libpcre.so* mr, # normal libs in order /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libapparmor.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcgmanager.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libdl{,-[0-9]*}.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnih.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnih-dbus.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libdbus-1.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libudev.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libseccomp.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcap.so* mr, /usr/lib/snapd/snap-confine mr, /dev/null rw, /dev/full rw, /dev/zero rw, /dev/random r, /dev/urandom r, /dev/pts/[0-9]* rw, /dev/tty rw, # cgroups capability sys_admin, capability dac_override, /sys/fs/cgroup/devices/snap{,py}.*/ w, /sys/fs/cgroup/devices/snap{,py}.*/tasks w, /sys/fs/cgroup/devices/snap{,py}.*/devices.{allow,deny} w, # querying udev /etc/udev/udev.conf r, /sys/devices/**/uevent r, /lib/udev/snappy-app-dev ixr, # drop /run/udev/** rw, /{,usr/}bin/tr ixr, /usr/lib/locale/** r, /usr/lib/@{multiarch}/gconv/gconv-modules r, /usr/lib/@{multiarch}/gconv/gconv-modules.cache r, # priv dropping capability setuid, capability setgid, # changing profile @{PROC}/[0-9]*/attr/exec w, # Reading current profile @{PROC}/[0-9]*/attr/current r, # Reading available filesystems @{PROC}/filesystems r, # To find where apparmor is mounted @{PROC}/[0-9]*/mounts r, # To find if apparmor is enabled /sys/module/apparmor/parameters/enabled r, # Don't allow changing profile to unconfined or profiles that start with # '/'. Use 'unsafe' to support snap-exec on armhf and its reliance on # the environment for determining the capabilities of the architecture. # 'unsafe' is ok here because the kernel will have already cleared the # environment as part of launching snap-confine with # CAP_SYS_ADMIN. change_profile unsafe /** -> [^u/]**, change_profile unsafe /** -> u[^n]**, change_profile unsafe /** -> un[^c]**, change_profile unsafe /** -> unc[^o]**, change_profile unsafe /** -> unco[^n]**, change_profile unsafe /** -> uncon[^f]**, change_profile unsafe /** -> unconf[^i]**, change_profile unsafe /** -> unconfi[^n]**, change_profile unsafe /** -> unconfin[^e]**, change_profile unsafe /** -> unconfine[^d]**, change_profile unsafe /** -> unconfined?**, # allow changing to a few not caught above change_profile unsafe /** -> {u,un,unc,unco,uncon,unconf,unconfi,unconfin,unconfine}, # LP: #1446794 - when this bug is fixed, change the above to: # deny change_profile unsafe /** -> {unconfined,/**}, # change_profile unsafe /** -> **, # reading seccomp filters /{tmp/snap.rootfs_*/,}var/lib/snapd/seccomp/bpf/*.bin r, # reading mount profiles /{tmp/snap.rootfs_*/,}var/lib/snapd/mount/*.fstab r, # ensuring correct permissions in sc_quirk_create_writable_mimic /{tmp/snap.rootfs_*/,}var/lib/ rw, # LP: #1668659 mount options=(rw rbind) /snap/ -> /snap/, mount options=(rw rshared) -> /snap/, # boostrapping the mount namespace mount options=(rw rshared) -> /, mount options=(rw bind) /tmp/snap.rootfs_*/ -> /tmp/snap.rootfs_*/, mount options=(rw unbindable) -> /tmp/snap.rootfs_*/, # the next line is for classic system mount options=(rw rbind) /snap/*/*/ -> /tmp/snap.rootfs_*/, # the next line is for core system mount options=(rw rbind) / -> /tmp/snap.rootfs_*/, # all of the constructed rootfs is a rslave mount options=(rw rslave) -> /tmp/snap.rootfs_*/, # bidirectional mounts (for both classic and core) # NOTE: this doesn't capture the MERGED_USR configuration option so that # when a distro with merged /usr and / that uses apparmor shows up it # should be handled here. /{,run/}media/ w, mount options=(rw rbind) /media/ -> /tmp/snap.rootfs_*/media/, /run/netns/ w, mount options=(rw rbind) /run/netns/ -> /tmp/snap.rootfs_*/run/netns/, # unidirectional mounts (only for classic system) mount options=(rw rbind) /dev/ -> /tmp/snap.rootfs_*/dev/, mount options=(rw rslave) -> /tmp/snap.rootfs_*/dev/, mount options=(rw rbind) /etc/ -> /tmp/snap.rootfs_*/etc/, mount options=(rw rslave) -> /tmp/snap.rootfs_*/etc/, mount options=(rw rbind) /home/ -> /tmp/snap.rootfs_*/home/, mount options=(rw rslave) -> /tmp/snap.rootfs_*/home/, mount options=(rw rbind) /root/ -> /tmp/snap.rootfs_*/root/, mount options=(rw rslave) -> /tmp/snap.rootfs_*/root/, mount options=(rw rbind) /proc/ -> /tmp/snap.rootfs_*/proc/, mount options=(rw rslave) -> /tmp/snap.rootfs_*/proc/, mount options=(rw rbind) /sys/ -> /tmp/snap.rootfs_*/sys/, mount options=(rw rslave) -> /tmp/snap.rootfs_*/sys/, mount options=(rw rbind) /tmp/ -> /tmp/snap.rootfs_*/tmp/, mount options=(rw rslave) -> /tmp/snap.rootfs_*/tmp/, mount options=(rw rbind) /var/lib/snapd/ -> /tmp/snap.rootfs_*/var/lib/snapd/, mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/lib/snapd/, mount options=(rw rbind) /var/snap/ -> /tmp/snap.rootfs_*/var/snap/, mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/snap/, mount options=(rw rbind) /var/tmp/ -> /tmp/snap.rootfs_*/var/tmp/, mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/tmp/, mount options=(rw rbind) /run/ -> /tmp/snap.rootfs_*/run/, mount options=(rw rslave) -> /tmp/snap.rootfs_*/run/, mount options=(rw rbind) {/usr,}/lib/modules/ -> /tmp/snap.rootfs_*{/usr,}/lib/modules/, mount options=(rw rslave) -> /tmp/snap.rootfs_*{/usr,}/lib/modules/, mount options=(rw rbind) /var/log/ -> /tmp/snap.rootfs_*/var/log/, mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/log/, mount options=(rw rbind) /usr/src/ -> /tmp/snap.rootfs_*/usr/src/, mount options=(rw rslave) -> /tmp/snap.rootfs_*/usr/src/, # allow making host snap-exec available inside base snaps mount options=(rw bind) /usr/lib/snapd/ -> /tmp/snap.rootfs_*/usr/lib/snapd/, mount options=(rw slave) -> /tmp/snap.rootfs_*/usr/lib/snapd/, # allow making re-execed host snap-exec available inside base snaps mount options=(ro bind) /snap/core/*/usr/lib/snapd/ -> /tmp/snap.rootfs_*/usr/lib/snapd/, mount options=(rw bind) /usr/bin/snapctl -> /tmp/snap.rootfs_*/usr/bin/snapctl, mount options=(rw slave) -> /tmp/snap.rootfs_*/usr/bin/snapctl, # /etc/alternatives (classic) mount options=(rw bind) /snap/{,ubuntu-}core/*/etc/alternatives/ -> /tmp/snap.rootfs_*/etc/alternatives/, mount options=(rw bind) /snap/*/*/etc/ssl/ -> /tmp/snap.rootfs_*/etc/ssl/, mount options=(rw bind) /snap/*/*/etc/nsswitch.conf -> /tmp/snap.rootfs_*/etc/nsswitch.conf, # /etc/alternatives (core) mount options=(rw bind) /etc/alternatives/ -> /tmp/snap.rootfs_*/etc/alternatives/, mount options=(rw slave) -> /tmp/snap.rootfs_*/etc/alternatives/, mount options=(rw slave) -> /tmp/snap.rootfs_*/etc/ssl/, mount options=(rw slave) -> /tmp/snap.rootfs_*/etc/nsswitch.conf, # the /snap directory mount options=(rw rbind) /snap/ -> /tmp/snap.rootfs_*/snap/, mount options=(rw rslave) -> /tmp/snap.rootfs_*/snap/, # pivot_root preparation and execution mount options=(rw bind) /tmp/snap.rootfs_*/var/lib/snapd/hostfs/ -> /tmp/snap.rootfs_*/var/lib/snapd/hostfs/, mount options=(rw private) -> /tmp/snap.rootfs_*/var/lib/snapd/hostfs/, pivot_root, # cleanup umount /var/lib/snapd/hostfs/tmp/snap.rootfs_*/, umount /var/lib/snapd/hostfs/sys/, umount /var/lib/snapd/hostfs/dev/, umount /var/lib/snapd/hostfs/proc/, mount options=(rw rslave) -> /var/lib/snapd/hostfs/, # set up snap-specific private /tmp dir capability chown, /tmp/ w, /tmp/snap.*/ w, /tmp/snap.*/tmp/ w, mount options=(rw private) -> /tmp/, mount options=(rw bind) /tmp/snap.*/tmp/ -> /tmp/, mount fstype=devpts options=(rw) devpts -> /dev/pts/, mount options=(rw bind) /dev/pts/ptmx -> /dev/ptmx, # for bind mounting mount options=(rw bind) /dev/pts/ptmx -> /dev/pts/ptmx, # for bind mounting under LXD # Workaround for LP: #1584456 on older kernels that mistakenly think # /dev/pts/ptmx needs a trailing '/' mount options=(rw bind) /dev/pts/ptmx/ -> /dev/ptmx/, mount options=(rw bind) /dev/pts/ptmx/ -> /dev/pts/ptmx/, # for running snaps on classic /snap/ r, /snap/** r, /snap/ r, /snap/** r, # NOTE: at this stage the /snap directory is stable as we have called # pivot_root already. # Support mount profiles via the content interface. This should correspond # to permutations of $SNAP -> $SNAP for reading and $SNAP_{DATA,COMMON} -> # $SNAP_{DATA,COMMON} for both reading and writing. # # Note that: # /snap/*/*/** # is meant to mean: # /snap/$SNAP_NAME/$SNAP_REVISION/and-any-subdirectory # but: # /var/snap/*/** # is meant to mean: # /var/snap/$SNAP_NAME/$SNAP_REVISION/ mount options=(ro bind) /snap/*/** -> /snap/*/*/**, mount options=(ro bind) /snap/*/** -> /var/snap/*/**, mount options=(rw bind) /var/snap/*/** -> /var/snap/*/**, mount options=(ro bind) /var/snap/*/** -> /var/snap/*/**, # But we don't want anyone to touch /snap/bin audit deny mount /snap/bin/** -> /**, audit deny mount /** -> /snap/bin/**, # Allow the content interface to bind fonts from the host filesystem mount options=(ro bind) /var/lib/snapd/hostfs/usr/share/fonts/ -> /snap/*/*/**, # nvidia handling, glob needs /usr/** and the launcher must be # able to bind mount the nvidia dir /sys/module/nvidia/version r, /sys/**/drivers/nvidia{,_*}/* r, /sys/**/nvidia*/uevent r, /sys/module/nvidia{,_*}/* r, /dev/nvidia[0-9]* r, /dev/nvidiactl r, /dev/nvidia-uvm r, /usr/** r, mount options=(rw bind) /usr/lib/nvidia-*/ -> /{tmp/snap.rootfs_*/,}var/lib/snapd/lib/gl/, # for chroot on steroids, we use pivot_root as a better chroot that makes # apparmor rules behave the same on classic and outside of classic. # for creating the user data directories: ~/snap, ~/snap/ and # ~/snap// / r, @{HOMEDIRS}/ r, # These should both have 'owner' match but due to LP: #1466234, we can't # yet @{HOME}/ r, @{HOME}/snap/{,*/,*/*/} rw, # for creating the user shared memory directories /{dev,run}/{,shm/} r, # This should both have 'owner' match but due to LP: #1466234, we can't yet /{dev,run}/shm/{,*/,*/*/} rw, # for creating the user XDG_RUNTIME_DIR: /run/user, /run/user/UID and # /run/user/UID/ /run/user/{,[0-9]*/,[0-9]*/*/} rw, # Workaround https://launchpad.net/bugs/359338 until upstream handles # stacked filesystems generally. # encrypted ~/.Private and old-style encrypted $HOME @{HOME}/.Private/ r, @{HOME}/.Private/** mrixwlk, # new-style encrypted $HOME @{HOMEDIRS}/.ecryptfs/*/.Private/ r, @{HOMEDIRS}/.ecryptfs/*/.Private/** mrixwlk, # Allow snap-confine to move to the void /var/lib/snapd/void/ r, # Allow snap-confine to read snap contexts /var/lib/snapd/context/snap.* r, # Support for the quirk system /var/ r, /var/lib/ r, /var/lib/** rw, /tmp/ r, /tmp/snapd.quirks_*/ rw, mount options=(move) /var/lib/snapd/ -> /tmp/snapd.quirks_*/, mount fstype=tmpfs options=(rw nodev nosuid) none -> /var/lib/, mount options=(ro rbind) /snap/{,ubuntu-}core/*/var/lib/** -> /var/lib/**, umount /var/lib/snapd/, mount options=(move) /tmp/snapd.quirks_*/ -> /var/lib/snapd/, # On classic systems with a setuid root snap-confine when run by non-root # user, the mimic_dir is created with the gid of the calling user (ie, # not '0') so when setting the permissions (chmod) of the mimicked # directory to that of the reference directory, a CAP_FSETID is triggered. # snap-confine sets the directory up correctly, so simply silence the # denial since we don't want to grant the capability as a whole to # snap-confine. deny capability fsetid, # support for the LXD quirk mount options=(rw rbind nodev nosuid noexec) /var/lib/snapd/hostfs/var/lib/lxd/ -> /var/lib/lxd/, /var/lib/lxd/ w, /var/lib/snapd/hostfs/var/lib/lxd r, # support for locking /run/snapd/lock/ rw, /run/snapd/lock/*.lock rwk, # support for the mount namespace sharing capability sys_ptrace, # allow snap-confine to read /proc/1/ns/mnt ptrace trace peer=unconfined, mount options=(rw rbind) /run/snapd/ns/ -> /run/snapd/ns/, mount options=(private) -> /run/snapd/ns/, / rw, /run/ rw, /run/snapd/ rw, /run/snapd/ns/ rw, /run/snapd/ns/*.lock rwk, /run/snapd/ns/*.mnt rw, /run/snapd/ns/*.fstab rw, ptrace (read, readby, tracedby) peer=/usr/lib/snapd/snap-confine//mount-namespace-capture-helper, @{PROC}/*/mountinfo r, capability sys_chroot, capability sys_admin, signal (send, receive) set=(abrt) peer=/usr/lib/snapd/snap-confine, signal (send) set=(int) peer=/usr/lib/snapd/snap-confine//mount-namespace-capture-helper, signal (send, receive) set=(alrm, exists) peer=/usr/lib/snapd/snap-confine, signal (receive) set=(exists) peer=/usr/lib/snapd/snap-confine//mount-namespace-capture-helper, # For aa_change_hat() to go into ^mount-namespace-capture-helper @{PROC}/[0-9]*/attr/current w, ^mount-namespace-capture-helper (attach_disconnected) { # We run privileged, so be fanatical about what we include and don't use # any abstractions /etc/ld.so.cache r, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}ld-*.so mrix, # libc, you are funny /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libc{,-[0-9]*}.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libpthread{,-[0-9]*}.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}librt{,-[0-9]*}.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libgcc_s.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libresolv{,-[0-9]*}.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libselinux.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libpcre.so* mr, # normal libs in order /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libapparmor.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcgmanager.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libdl{,-[0-9]*}.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnih.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnih-dbus.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libdbus-1.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libudev.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libseccomp.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcap.so* mr, /usr/lib/snapd/snap-confine mr, /dev/null rw, /dev/full rw, /dev/zero rw, /dev/random r, /dev/urandom r, capability sys_ptrace, capability sys_admin, # This allows us to read and bind mount the namespace file / r, @{PROC}/ r, @{PROC}/*/ r, @{PROC}/*/ns/ r, @{PROC}/*/ns/mnt r, /run/ r, /run/snapd/ r, /run/snapd/ns/ r, /run/snapd/ns/*.mnt rw, # NOTE: the source name is / even though we map /proc/123/ns/mnt mount options=(rw bind) / -> /run/snapd/ns/*.mnt, # This is the SIGALRM that we send and receive if a timeout expires signal (send, receive) set=(alrm) peer=/usr/lib/snapd/snap-confine//mount-namespace-capture-helper, # Those two rules are exactly the same but we don't know if the parent process is still alive # and hence has the appropriate label or is already dead and hence has no label. signal (send) set=(exists) peer=/usr/lib/snapd/snap-confine, signal (send) set=(exists) peer=unconfined, # This is so that we can abort signal (send, receive) set=(abrt) peer=/usr/lib/snapd/snap-confine//mount-namespace-capture-helper, # This is the signal we get if snap-confine dies (we subscribe to it with prctl) signal (receive) set=(int) peer=/usr/lib/snapd/snap-confine, # This allows snap-confine to be killed from the outside. signal (receive) peer=unconfined, # This allows snap-confine to wait for us ptrace (read, trace, tracedby) peer=/usr/lib/snapd/snap-confine, } # Allow snap-confine to be killed signal (receive) peer=unconfined, }