# Author: Jamie Strandboge #include /usr/lib/snapd/snap-confine (attach_disconnected) { # We run privileged, so be fanatical about what we include and don't use # any abstractions /etc/ld.so.cache r, /lib/@{multiarch}/ld-*.so mr, # libc, you are funny /lib/@{multiarch}/libc{,-[0-9]*}.so* mr, /lib/@{multiarch}/libpthread{,-[0-9]*}.so* mr, /lib/@{multiarch}/librt{,-[0-9]*}.so* mr, /lib/@{multiarch}/libgcc_s.so* mr, # normal libs in order /lib/@{multiarch}/libapparmor.so* mr, /lib/@{multiarch}/libudev.so* mr, /usr/lib/@{multiarch}/libseccomp.so* mr, /lib/@{multiarch}/libseccomp.so* mr, /usr/lib/snapd/snap-confine r, /dev/null rw, /dev/full rw, /dev/zero rw, /dev/random r, /dev/urandom r, # cgroups capability sys_admin, capability dac_override, /sys/fs/cgroup/devices/snap{,py}.*/ w, /sys/fs/cgroup/devices/snap{,py}.*/tasks w, /sys/fs/cgroup/devices/snap{,py}.*/devices.{allow,deny} w, # querying udev /etc/udev/udev.conf r, /sys/devices/**/uevent r, /lib/udev/snappy-app-dev ixr, # drop /run/udev/** rw, /{,usr/}bin/tr ixr, /usr/lib/locale/** r, /usr/lib/@{multiarch}/gconv/gconv-modules r, /usr/lib/@{multiarch}/gconv/gconv-modules.cache r, # priv dropping capability setuid, capability setgid, # changing profile @{PROC}/[0-9]*/attr/exec w, # don't allow changing profile to unconfined or profiles that start with # '/' change_profile -> [^u/]**, change_profile -> u[^n]**, change_profile -> un[^c]**, change_profile -> unc[^o]**, change_profile -> unco[^n]**, change_profile -> uncon[^f]**, change_profile -> unconf[^i]**, change_profile -> unconfi[^n]**, change_profile -> unconfin[^e]**, change_profile -> unconfine[^d]**, change_profile -> unconfined?**, # allow changing to a few not caught above change_profile -> {u,un,unc,unco,uncon,unconf,unconfi,unconfin,unconfine}, # LP: #1446794 - when this bug is fixed, change the above to: # deny change_profile -> {unconfined,/**}, # change_profile -> **, # reading seccomp filters /{tmp/snap.rootfs_*/,}var/lib/snapd/seccomp/profiles/* r, # reading mount profiles /{tmp/snap.rootfs_*/,}var/lib/snapd/mount/*.fstab r, # set up snap-specific private /tmp dir capability chown, /{tmp/snap.rootfs_*/,}tmp/ w, /{tmp/snap.rootfs_*/,}tmp/snap.*/ w, /{tmp/snap.rootfs_*/,}tmp/snap.*/tmp/ w, mount options=(rw private) -> /{tmp/snap.rootfs_*/,}tmp/, mount options=(rw bind) /{tmp/snap.rootfs_*/,}tmp/snap.*/tmp/ -> /{tmp/snap.rootfs_*/,}tmp/, mount fstype=devpts options=(rw) devpts -> /{tmp/snap.rootfs_*/,}dev/pts/, mount options=(rw bind) /{tmp/snap.rootfs_*/,}dev/pts/ptmx -> /{tmp/snap.rootfs_*/,}dev/ptmx, # for bind mounting # for running snaps on classic mount options=(rw rslave) -> /, /{tmp/snap.rootfs_*,}snap/ r, /{tmp/snap.rootfs_*,}snap/** r, # mount calls to setup the pivot_root based chroot with the core snap as # the root filesystem. mount options=(rw bind) /snap/ubuntu-core/*/ -> /tmp/snap.rootfs_*/, mount options=(rw rbind) /dev/ -> /tmp/snap.rootfs_*/dev/, mount options=(rw rbind) /etc/ -> /tmp/snap.rootfs_*/etc/, mount options=(rw rbind) /home/ -> /tmp/snap.rootfs_*/home/, mount options=(rw rbind) /proc/ -> /tmp/snap.rootfs_*/proc/, mount options=(rw rbind) /snap/ -> /tmp/snap.rootfs_*/snap/, mount options=(rw rbind) /sys/ -> /tmp/snap.rootfs_*/sys/, mount options=(rw rbind) /tmp/ -> /tmp/snap.rootfs_*/tmp/, mount options=(rw rbind) /var/lib/snapd/ -> /tmp/snap.rootfs_*/var/lib/snapd/, mount options=(rw rbind) /var/snap/ -> /tmp/snap.rootfs_*/var/snap/, mount options=(rw rbind) /var/tmp/ -> /tmp/snap.rootfs_*/var/tmp/, mount options=(rw rbind) /run/ -> /tmp/snap.rootfs_*/run/, mount options=(rw rbind) /media/ -> /tmp/snap.rootfs_*/media/, mount options=(rw rbind) {/usr,}/lib/modules/ -> /tmp/snap.rootfs_*/lib/modules/, mount options=(rw rbind) /var/log/ -> /tmp/snap.rootfs_*/var/log/, mount options=(rw bind) /snap/ubuntu-core/*/etc/alternatives/ -> /tmp/snap.rootfs_*/etc/alternatives/, # Allow to mkdir /var/lib/snapd/hostfs /var/lib/snapd/hostfs/ rw, # Allow to mount / as hostfs in the chroot mount options=(ro bind) / -> /tmp/snap.rootfs_*/var/lib/snapd/hostfs/, # Support mount profiles via the content interface mount options=(rw bind) /snap/*/*/** -> /snap/*/*/**, mount options=(ro bind) /snap/*/*/** -> /snap/*/*/**, # But we don't want anyone to touch /snap/bin audit deny mount /snap/bin/** -> /**, audit deny mount /** -> /snap/bin/**, # Allow the content interface to bind fonts from the host filesystem mount options=(ro bind) /var/lib/snapd/hostfs/usr/share/fonts/ -> /snap/*/*/**, # nvidia handling, glob needs /usr/** and the launcher must be # able to bind mount the nvidia dir /usr/** r, mount options=(rw bind) /usr/lib/nvidia-*/ -> /{tmp/snap.rootfs_*/,}var/lib/snapd/lib/gl/, # for chroot on steroids, we use pivot_root as a better chroot that makes # apparmor rules behave the same on classic and outside of classic. pivot_root, # for creating the user data directories: ~/snap, ~/snap/ and # ~/snap// / r, @{HOMEDIRS}/ r, # These should both have 'owner' match but due to LP: #1466234, we can't # yet @{HOME}/ r, @{HOME}/snap/{,*/,*/*/} rw, # for creating the user shared memory directories /{dev,run}/{,shm/} r, # This should both have 'owner' match but due to LP: #1466234, we can't yet /{dev,run}/shm/{,*/,*/*/} rw, # Workaround https://launchpad.net/bugs/359338 until upstream handles # stacked filesystems generally. # encrypted ~/.Private and old-style encrypted $HOME owner @{HOME}/.Private/ r, owner @{HOME}/.Private/** mrixwlk, # new-style encrypted $HOME owner @{HOMEDIRS}/.ecryptfs/*/.Private/ r, owner @{HOMEDIRS}/.ecryptfs/*/.Private/** mrixwlk, }