File manager

File manager - Edit - /home/newsbmcs.com/public_html/static/img/logo/profiles.tar

Back
snap.lxd.daemon��0000644��00000073142�15027571546�0007503 0��ustar�00�� # vim:syntax=apparmor #include <tunables/global> #include if exists "/etc/apparmor.d/tunables/home.d" #include if exists "/var/lib/snapd/apparmor/snap-tuning" # snapd supports the concept of 'parallel installs' where snaps with the same # name are differentiated by '_<instance>' such that foo, foo_bar and foo_baz # may all be installed on the system. To support this, SNAP_NAME is set to the # name (eg, 'foo') while SNAP_INSTANCE_NAME is set to the instance name (eg # 'foo_bar'). The profile name and most rules therefore reference # SNAP_INSTANCE_NAME. In some cases, snapd will adjust the snap's runtime # environment so the snap doesn't have to be aware of the distinction (eg, # SNAP, SNAP_DATA and SNAP_COMMON are all bind mounted onto a directory with # SNAP_NAME so the security policy will allow writing to both locations (since # they are equivalent). # This is a snap name without the instance key @{SNAP_NAME}="lxd" # This is a snap name with instance key @{SNAP_INSTANCE_NAME}="lxd" @{SNAP_INSTANCE_DESKTOP}="lxd" @{SNAP_COMMAND_NAME}="daemon" @{SNAP_REVISION}="31333" @{PROFILE_DBUS}="snap_2elxd_2edaemon" @{INSTALL_DIR}="/{,var/lib/snapd/}snap" profile "snap.lxd.daemon" flags=(attach_disconnected,mediate_deleted) { #include <abstractions/base> #include <abstractions/consoles> #include <abstractions/openssl> # While in later versions of the base abstraction, include this explicitly # for series 16 and cross-distro /etc/ld.so.preload r, # The base abstraction doesn't yet have this /etc/sysconfig/clock r, owner @{PROC}/@{pid}/maps k, # /proc/XXXX/map_files contains the same info than /proc/XXXX/maps, but # in a format that is simpler to manage, because it doesn't require to # parse the text data inside a file, but just reading the contents of # a directory. # Reading /proc/XXXX/maps is already allowed in the base template # via <abstractions/base>. Also, only the owner can read it, and the # kernel limits access to it by requiring 'ptrace' enabled, so allowing # to access /proc/XXXX/map_files can be considered secure too. owner @{PROC}/@{pid}/map_files/ r, # While the base abstraction has rules for encryptfs encrypted home and # private directories, it is missing rules for directory read on the toplevel # directory of the mount (LP: #1848919) owner @{HOME}/.Private/ r, owner @{HOMEDIRS}/.ecryptfs//.Private/ r, # for python apps/services #include <abstractions/python> /etc/python3.[0-9]/** r, # explicitly deny noisy denials to read-only filesystems (see LP: #1496895 # for details) deny /usr/lib/python3/{,/}__pycache__/ w, deny /usr/lib/python3/{,/}__pycache__/.pyc.[0-9]* w, # bind mount used here (see 'parallel installs', above) deny @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}//__pycache__/ w, deny @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}//__pycache__/.pyc.[0-9] w, # for perl apps/services #include <abstractions/perl> # Missing from perl abstraction /usr/lib/@{multiarch}/perl{,5,-base}/auto/*.so mr, # Note: the following dangerous accesses should not be allowed in most # policy, but we cannot explicitly deny since other trusted interfaces might # add them. # Explicitly deny ptrace for now since it can be abused to break out of the # seccomp sandbox. https://lkml.org/lkml/2015/3/18/823 #audit deny ptrace (trace), # Explicitly deny capability mknod so apps can't create devices #audit deny capability mknod, # Explicitly deny mount, remount and umount so apps can't modify things in # their namespace #audit deny mount, #audit deny remount, #audit deny umount, # End dangerous accesses # Note: this potentially allows snaps to DoS other snaps via resource # exhaustion but we can't sensibly mediate this today. In the future we may # employ cgroup limits, AppArmor rlimit mlock rules or something else. capability ipc_lock, # for bash 'binaries' (do not use abstractions/bash) # user-specific bash files /etc/bash.bashrc r, /etc/inputrc r, /etc/environment r, /etc/profile r, # user/group/seat lookups /etc/{passwd,group,nsswitch.conf} r, # very common /var/lib/extrausers/{passwd,group} r, /run/systemd/users/[0-9]* r, /etc/default/nss r, # libnss-systemd (subset from nameservice abstraction) # # https://systemd.io/USER_GROUP_API/ # https://systemd.io/USER_RECORD/ # https://www.freedesktop.org/software/systemd/man/nss-systemd.html # # Allow User/Group lookups via common VarLink socket APIs. Applications need # to either consult all of them or the io.systemd.Multiplexer frontend. /run/systemd/userdb/ r, /run/systemd/userdb/io.systemd.Multiplexer rw, /run/systemd/userdb/io.systemd.DynamicUser rw, # systemd-exec users /run/systemd/userdb/io.systemd.Home rw, # systemd-home dirs /run/systemd/userdb/io.systemd.NameServiceSwitch rw, # UNIX/glibc NSS /run/systemd/userdb/io.systemd.Machine rw, # systemd-machined /etc/libnl-3/{classid,pktloc} r, # apps that use libnl # For snappy reexec on 4.8+ kernels /usr/lib/snapd/snap-exec m, # For gdb support /usr/lib/snapd/snap-gdb-shim ixr, /usr/lib/snapd/snap-gdbserver-shim ixr, # For in-snap tab completion /etc/bash_completion.d/{,} r, /usr/lib/snapd/etelpmoc.sh ixr, # marshaller (see complete.sh for out-of-snap unmarshal) /usr/share/bash-completion/bash_completion r, # user-provided completions (run in-snap) may use functions from here # uptime @{PROC}/uptime r, @{PROC}/loadavg r, # Allow reading /etc/os-release. On Ubuntu 16.04+ it is a symlink to /usr/lib # which is allowed by the base abstraction, but on 14.04 it is an actual file # so need to add it here. Also allow read locks on the file. /etc/os-release rk, /usr/lib/os-release k, # Debian version of the host OS which might be required in AppArmor-secured Debian /etc/debian_version r, # systemd native journal API (see sd_journal_print(4)). This should be in # AppArmor's base abstraction, but until it is, include here. We include # the base journal path as well as the journal namespace pattern path. Each # journal namespace for quota groups will be prefixed with 'snap-'. /run/systemd/journal{,.snap-}/socket w, /run/systemd/journal{,.snap-}/stdout rw, # 'r' shouldn't be needed, but journald # doesn't leak anything so allow /run/systemd/journal{,.snap-}/dev-log w, # snapctl and its requirements /usr/bin/snapctl ixr, /usr/lib/snapd/snapctl ixr, @{PROC}/sys/net/core/somaxconn r, /run/snapd-snap.socket rw, # Note: for now, don't explicitly deny this noisy denial so --devmode isn't # broken but eventually we may conditionally deny this since it is an # information leak. #deny /{,var/}run/utmp r, # java @{PROC}/@{pid}/ r, @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/auxv r, @{PROC}/sys/vm/zone_reclaim_mode r, /etc/lsb-release r, /sys/devices//read_ahead_kb r, /sys/devices/system/cpu/ r, /sys/devices/system/node/node[0-9]/ r, /sys/kernel/mm/transparent_hugepage/enabled r, /sys/kernel/mm/transparent_hugepage/defrag r, # NOTE: this leaks running process but java seems to want it (even though it # seems to operate ok without it) and SDL apps crash without it. Allow owner # match until AppArmor kernel var is available to solve this properly (see # LP: #1546825 for details). comm is a subset of cmdline, so allow it too. owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/comm r, # Per man(5) proc, the kernel enforces that a thread may only modify its comm # value or those in its thread group. owner @{PROC}/@{pid}/task/@{tid}/comm rw, # Allow reading and writing to our file descriptors in /proc which, for # example, allow access to /dev/std{in,out,err} which are all symlinks to # /proc/self/fd/{0,1,2} respectively. To support the open(..., O_TMPFILE) # linkat() temporary file technique, allow all fds. Importantly, access to # another task's fd via this proc interface is mediated via 'ptrace (read)' # (readonly) and 'ptrace (trace)' (read/write) which is denied by default, so # this rule by itself doesn't allow opening another snap's fds via proc. owner @{PROC}/@{pid}/{,task/@{tid}}fd/[0-9]* rw, # Miscellaneous accesses /dev/{,u}random w, /etc/machine-id r, /etc/mime.types r, /etc/default/keyboard r, @{PROC}/ r, @{PROC}/version r, @{PROC}/version_signature r, /etc/{,writable/}hostname r, /etc/{,writable/}localtime r, /etc/{,writable/}mailname r, /etc/{,writable/}timezone r, owner @{PROC}/@{pid}/cgroup rk, @{PROC}/@{pid}/cpuset r, @{PROC}/@{pid}/io r, owner @{PROC}/@{pid}/fdinfo/* r, owner @{PROC}/@{pid}/limits r, owner @{PROC}/@{pid}/loginuid r, owner @{PROC}/@{pid}/sessionid r, @{PROC}/@{pid}/smaps r, @{PROC}/@{pid}/stat r, @{PROC}/@{pid}/statm r, @{PROC}/@{pid}/status r, @{PROC}/@{pid}/task/ r, @{PROC}/@{pid}/task/[0-9]/smaps r, @{PROC}/@{pid}/task/[0-9]/stat r, @{PROC}/@{pid}/task/[0-9]/statm r, @{PROC}/@{pid}/task/[0-9]/status r, @{PROC}/sys/fs/pipe-max-size r, @{PROC}/sys/kernel/hostname r, @{PROC}/sys/kernel/osrelease r, @{PROC}/sys/kernel/ostype r, @{PROC}/sys/kernel/pid_max r, @{PROC}/sys/kernel/yama/ptrace_scope r, @{PROC}/sys/kernel/shmmax r, # Allow apps to introspect the level of dbus mediation AppArmor implements. /sys/kernel/security/apparmor/features/dbus/mask r, @{PROC}/sys/fs/file-max r, @{PROC}/sys/fs/file-nr r, @{PROC}/sys/fs/inotify/max_* r, @{PROC}/sys/kernel/pid_max r, @{PROC}/sys/kernel/random/boot_id r, @{PROC}/sys/kernel/random/entropy_avail r, @{PROC}/sys/kernel/random/uuid r, @{PROC}/sys/kernel/cap_last_cap r, # Allow access to the uuidd daemon (this daemon is a thin wrapper around # time and getrandom()/{,u}random and, when available, runs under an # unprivilged, dedicated user). /run/uuidd/request rw, /sys/devices/virtual/tty/{console,tty}/active r, /sys/fs/cgroup/memory/{,user.slice/}memory.limit_in_bytes r, /sys/fs/cgroup/memory/{,/}snap.@{SNAP_INSTANCE_NAME}{,.}/memory.limit_in_bytes r, /sys/fs/cgroup/memory/{,*/}snap.@{SNAP_INSTANCE_NAME}{,.}/memory.stat r, /sys/fs/cgroup/system.slice/snap.@{SNAP_INSTANCE_NAME}{,.}/memory.max r, /sys/fs/cgroup/cpu,cpuacct/{,user.slice/}cpu.cfs_{period,quota}_us r, /sys/fs/cgroup/cpu,cpuacct/{,/}snap.@{SNAP_INSTANCE_NAME}{,.}/cpu.cfs_{period,quota}_us r, /sys/fs/cgroup/cpu,cpuacct/{,user.slice/}cpu.shares r, /sys/fs/cgroup/cpu,cpuacct/{,*/}snap.@{SNAP_INSTANCE_NAME}{,.}/cpu.shares r, /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r, /sys/module/apparmor/parameters/enabled r, /{,usr/}lib/ r, # Reads of oom_adj and oom_score_adj are safe owner @{PROC}/@{pid}/oom_{,score_}adj r, # Note: for now, don't explicitly deny write access so --devmode isn't broken # but eventually we may conditionally deny this since it allows the process # to increase the oom heuristic of other processes (make them more likely to # be killed). Once AppArmor kernel var is available to solve this properly, # this can safely be allowed since non-root processes won't be able to # decrease the value and root processes will only be able to with # 'capability sys_resource,' which we deny be default. # deny owner @{PROC}/@{pid}/oom_{,score_}adj w, # Eases hardware assignment (doesn't give anything away) /etc/udev/udev.conf r, /sys/ r, /sys/bus/ r, /sys/class/ r, # this leaks interface names and stats, but not in a way that is traceable # to the user/device @{PROC}/net/dev r, @{PROC}/@{pid}/net/dev r, # Read-only of this snap /var/lib/snapd/snaps/@{SNAP_NAME}_.snap r, # Read-only of snapd restart state for snapctl specifically /var/lib/snapd/maintenance.json r, # Read-only for the install directory # bind mount used here (see 'parallel installs', above) @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/ r, @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}}/ r, @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}}/* mrklix, # Read-only install directory for other revisions to help with bugs like # LP: #1616650 and LP: #1655992 @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/** mrkix, # Read-only home area for other versions # bind mount not used here (see 'parallel installs', above) owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/ r, owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/ mrkix, # Experimental snap folder changes owner @{HOME}/.snap/data/@{SNAP_INSTANCE_NAME}/ r, owner @{HOME}/.snap/data/@{SNAP_INSTANCE_NAME}/ mrkix, owner @{HOME}/.snap/data/@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}/ wl, owner @{HOME}/.snap/data/@{SNAP_INSTANCE_NAME}/common/ wl, owner @{HOME}/Snap/@{SNAP_INSTANCE_NAME}/ r, owner @{HOME}/Snap/@{SNAP_INSTANCE_NAME}/** mrkixwl, # Writable home area for this version. # bind mount not used here (see 'parallel installs', above) owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}/ wl, owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/common/ wl, # Read-only system area for other versions # bind mount used here (see 'parallel installs', above) /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/ r, /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/ mrkix, # Writable system area only for this version # bind mount used here (see 'parallel installs', above) /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/@{SNAP_REVISION}/ wl, /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/common/ wl, # The snap-confine program creates an app-specific private restricted /tmp # and will fail to launch the app if something goes wrong. As such, we can # simply allow full access to /tmp. /tmp/ r, /tmp/ mrwlkix, # App-specific access to files and directories in /dev/shm. We allow file # access in /dev/shm for shm_open() and files in subdirectories for open() # bind mount not used here (see 'parallel installs', above) /{dev,run}/shm/snap.@{SNAP_INSTANCE_NAME}.** mrwlkix, # Also allow app-specific access for sem_open() /{dev,run}/shm/sem.snap.@{SNAP_INSTANCE_NAME}.* mrwlk, # Snap-specific XDG_RUNTIME_DIR that is based on the UID of the user # bind mount not used here (see 'parallel installs', above) owner /run/user/[0-9]/snap.@{SNAP_INSTANCE_NAME}/ rw, owner /run/user/[0-9]/snap.@{SNAP_INSTANCE_NAME}/ mrwklix, # Allow apps from the same package to communicate with each other via an # abstract or anonymous socket unix (bind, listen) addr="@snap.@{SNAP_INSTANCE_NAME}.", unix peer=(label=snap.@{SNAP_INSTANCE_NAME}.), # Allow apps from the same package to communicate with each other via DBus. # Note: this does not grant access to the DBus sockets of well known buses # (will still need to use an appropriate interface for that). dbus (receive, send) peer=(label=snap.@{SNAP_INSTANCE_NAME}.), # In addition to the above, dbus-run-session attempts reading these files # from the snap base runtime. /usr/share/dbus-1/services/{,} r, /usr/share/dbus-1/system-services/{,} r, # Allow apps to perform DBus introspection on org.freedesktop.DBus for both # the system and session buses. # Note: this does not grant access to the DBus sockets of these buses, but # we grant it here since it is missing from the dbus abstractions # (LP: #1866168) dbus (send) bus={session,system} path=/org/freedesktop/DBus interface=org.freedesktop.DBus.Introspectable member=Introspect peer=(label=unconfined), # Allow apps from the same package to signal each other via signals signal peer=snap.@{SNAP_INSTANCE_NAME}., # Allow receiving signals from all snaps (and focus on mediating sending of # signals) signal (receive) peer=snap., # Allow receiving signals from unconfined (eg, systemd) signal (receive) peer=unconfined, # for 'udevadm trigger --verbose --dry-run --tag-match=snappy-assign' /{,usr/}{,s}bin/udevadm ixr, /etc/udev/udev.conf r, /{,var/}run/udev/tags/snappy-assign/ r, @{PROC}/cmdline r, /sys/devices/*/uevent r, # LP: #1447237: adding '--property-match=SNAPPY_APP=<pkgname>' to the above # requires: # /run/udev/data/ r, # but that reveals too much about the system and cannot be granted to apps # by default at this time. # For convenience, allow apps to see what is in /dev even though cgroups # will block most access /dev/ r, /dev// r, # Allow setting up pseudoterminal via /dev/pts system. This is safe because # the launcher uses a per-app devpts newinstance. /dev/ptmx rw, # Do the same with /sys/devices and /sys/class to help people using hw-assign /sys/devices/ r, /sys/devices// r, /sys/class/ r, /sys/class/*/ r, # Allow all snaps to chroot capability sys_chroot, # Lttng tracing is very noisy and should not be allowed by confined apps. Can # safely deny for the normal case (LP: #1260491). If/when an lttng-trace # interface is needed, we can rework this. deny /{dev,run,var/run}/shm/lttng-ust- rw, # Allow read-access on /home/ for navigating to other parts of the # filesystem. While this allows enumerating users, this is already allowed # via /etc/passwd and getent. @{HOMEDIRS}/ r, # Allow read-access to / for navigating to other parts of the filesystem. / r, # Snap-specific run directory. Bind mount not used here # (see 'parallel installs', above) /run/snap.@{SNAP_INSTANCE_NAME}/ rw, /run/snap.@{SNAP_INSTANCE_NAME}/ mrwklix, # Snap-specific lock directory and prerequisite navigation permissions. /run/lock/ r, /run/lock/snap.@{SNAP_INSTANCE_NAME}/ rw, /run/lock/snap.@{SNAP_INSTANCE_NAME}/ mrwklix, # Default rules for core base runtimes # The base abstraction doesn't yet have this /{,usr/}lib/terminfo/ rk, /usr/share/terminfo/ k, /usr/share/zoneinfo/** k, # for python apps/services /usr/bin/python{,2,2.[0-9],3,3.[0-9]} ixr, # additional accesses needed for newer pythons in later bases /usr/lib{,32,64}/python3.[0-9]/.{pyc,so} mr, /usr/lib{,32,64}/python3.[0-9]/*.{egg,py,pth} r, /usr/lib{,32,64}/python3.[0-9]/{site,dist}-packages/ r, /usr/lib{,32,64}/python3.[0-9]/lib-dynload/.so mr, /usr/include/python3.[0-9]/pyconfig.h r, # for perl apps/services /usr/bin/perl{,5} ixr, # AppArmor <2.12 doesn't have rules for perl-base, so add them here /usr/lib/@{multiarch}/perl{,5,-base}/** r, /usr/lib/@{multiarch}/perl{,5,-base}/[0-9]/.so mr, # for bash 'binaries' (do not use abstractions/bash) # user-specific bash files /{,usr/}bin/bash ixr, /{,usr/}bin/dash ixr, /usr/share/terminfo/** r, # Common utilities for shell scripts /{,usr/}bin/arch ixr, /{,usr/}bin/{,g,m}awk ixr, /{,usr/}bin/base32 ixr, /{,usr/}bin/base64 ixr, /{,usr/}bin/basename ixr, /{,usr/}bin/bunzip2 ixr, /{,usr/}bin/busctl ixr, /{,usr/}bin/bzcat ixr, /{,usr/}bin/bzdiff ixr, /{,usr/}bin/bzgrep ixr, /{,usr/}bin/bzip2 ixr, /{,usr/}bin/cat ixr, /{,usr/}bin/chgrp ixr, /{,usr/}bin/chmod ixr, /{,usr/}bin/chown ixr, /{,usr/}bin/clear ixr, /{,usr/}bin/cmp ixr, /{,usr/}bin/cp ixr, /{,usr/}bin/cpio ixr, /{,usr/}bin/cut ixr, /{,usr/}bin/date ixr, /{,usr/}bin/dbus-daemon ixr, /{,usr/}bin/dbus-run-session ixr, /{,usr/}bin/dbus-send ixr, /{,usr/}bin/dd ixr, /{,usr/}bin/diff{,3} ixr, /{,usr/}bin/dir ixr, /{,usr/}bin/dirname ixr, /{,usr/}bin/du ixr, /{,usr/}bin/echo ixr, /{,usr/}bin/{,e,f,r}grep ixr, /{,usr/}bin/env ixr, /{,usr/}bin/expr ixr, /{,usr/}bin/false ixr, /{,usr/}bin/find ixr, /{,usr/}bin/flock ixr, /{,usr/}bin/fmt ixr, /{,usr/}bin/fold ixr, /{,usr/}bin/getconf ixr, /{,usr/}bin/getent ixr, /{,usr/}bin/getopt ixr, /{,usr/}bin/groups ixr, /{,usr/}bin/gzip ixr, /{,usr/}bin/head ixr, /{,usr/}bin/hostname ixr, /{,usr/}bin/id ixr, /{,usr/}bin/igawk ixr, /{,usr/}bin/infocmp ixr, /{,usr/}bin/kill ixr, /{,usr/}bin/ldd ixr, /{usr/,}lib{,32,64}/ld{,32,64}-.so ix, /{usr/,}lib/@{multiarch}/ld{,32,64}-.so* ix, /{,usr/}bin/less{,file,pipe} ixr, /{,usr/}bin/ln ixr, /{,usr/}bin/line ixr, /{,usr/}bin/link ixr, /{,usr/}bin/locale ixr, /{,usr/}bin/logger ixr, /{,usr/}bin/ls ixr, /{,usr/}bin/md5sum ixr, /{,usr/}bin/mkdir ixr, /{,usr/}bin/mkfifo ixr, /{,usr/}bin/mknod ixr, /{,usr/}bin/mktemp ixr, /{,usr/}bin/more ixr, /{,usr/}bin/mv ixr, /{,usr/}bin/nice ixr, /{,usr/}bin/nohup ixr, /{,usr/}bin/numfmt ixr, /{,usr/}bin/od ixr, /{,usr/}bin/openssl ixr, # may cause harmless capability block_suspend denial /{,usr/}bin/paste ixr, /{,usr/}bin/pgrep ixr, /{,usr/}bin/printenv ixr, /{,usr/}bin/printf ixr, /{,usr/}bin/ps ixr, /{,usr/}bin/pwd ixr, /{,usr/}bin/readlink ixr, /{,usr/}bin/realpath ixr, /{,usr/}bin/rev ixr, /{,usr/}bin/rm ixr, /{,usr/}bin/rmdir ixr, /{,usr/}bin/run-parts ixr, /{,usr/}bin/sed ixr, /{,usr/}bin/seq ixr, /{,usr/}bin/setpriv ixr, /{,usr/}bin/sha{1,224,256,384,512}sum ixr, /{,usr/}bin/shuf ixr, /{,usr/}bin/sleep ixr, /{,usr/}bin/sort ixr, /{,usr/}bin/stat ixr, /{,usr/}bin/stdbuf ixr, /{,usr/}bin/stty ixr, /{,usr/}bin/sync ixr, /{,usr/}bin/systemd-cat ixr, /{,usr/}bin/tac ixr, /{,usr/}bin/tail ixr, /{,usr/}bin/tar ixr, /{,usr/}bin/tee ixr, /{,usr/}bin/test ixr, /{,usr/}bin/tempfile ixr, /{,usr/}bin/tset ixr, /{,usr/}bin/touch ixr, /{,usr/}bin/tput ixr, /{,usr/}bin/tr ixr, /{,usr/}bin/true ixr, /{,usr/}bin/tty ixr, /{,usr/}bin/uname ixr, /{,usr/}bin/uniq ixr, /{,usr/}bin/unlink ixr, /{,usr/}bin/unxz ixr, /{,usr/}bin/unzip ixr, /{,usr/}bin/uptime ixr, /{,usr/}bin/vdir ixr, /{,usr/}bin/vim.tiny ixr, /{,usr/}bin/wc ixr, /{,usr/}bin/which{,.debianutils} ixr, /{,usr/}bin/xargs ixr, /{,usr/}bin/xz ixr, /{,usr/}bin/yes ixr, /{,usr/}bin/zcat ixr, /{,usr/}bin/z{,e,f}grep ixr, /{,usr/}bin/zip ixr, /{,usr/}bin/zipgrep ixr, # lsb-release /usr/bin/lsb_release ixr, /usr/bin/ r, /usr/share/distro-info/.csv r, # For printing the cache (we don't allow updating the cache) /{,usr/}sbin/ldconfig{,.real} ixr, # Allow all snaps to chroot /{,usr/}sbin/chroot ixr, # Description: Can access the network as a server. #include <abstractions/nameservice> /run/systemd/resolve/stub-resolv.conf rk, network netlink dgram, # not yet included in the nameservice abstraction # systemd-resolved (not yet included in nameservice abstraction) # # Allow access to the safe members of the systemd-resolved D-Bus API: # # https://www.freedesktop.org/wiki/Software/systemd/resolved/ # # This API may be used directly over the D-Bus system bus or it may be used # indirectly via the nss-resolve plugin: # # https://www.freedesktop.org/software/systemd/man/nss-resolve.html # #include <abstractions/dbus-strict> dbus send bus=system path="/org/freedesktop/resolve1" interface="org.freedesktop.resolve1.Manager" member="Resolve{Address,Hostname,Record,Service}" peer=(name="org.freedesktop.resolve1"), #include <abstractions/ssl_certs> # These probably shouldn't be something that apps should use, but this offers # no information disclosure since the files are in the read-only part of the # system. /etc/hosts.deny r, /etc/hosts.allow r, @{PROC}/sys/net/core/somaxconn r, @{PROC}/sys/net/ipv4/ip_local_port_range r, # LP: #1496906: java apps need these for some reason and they leak the IPv6 IP # addresses and routes. Until we find another way to handle them (see the bug # for some options), we need to allow them to avoid developer confusion. @{PROC}/@{pid}/net/if_inet6 r, @{PROC}/@{pid}/net/ipv6_route r, # java apps attempt this, presumably to handle interface changes, but a # corresponding seccomp socket rule is required to use netlink. When # fine-grained netlink mediation is implemented (LP: #1669552), we can perhaps # allow 'read' with NETLINK_ROUTE, but for now we omit it here and don't # explicitly deny this noisy denial so --devmode isn't broken. LP: #1499897 #deny network netlink dgram, # Description: Can change to any apparmor profile (including unconfined) thus # giving access to all resources of the system so LXD may manage what to give # to its containers. This gives device ownership to connected snaps. @{PROC}//attr/{,apparmor/}current r, /{,usr/}{,s}bin/aa-exec ux, # Allow discovering the os-release of the host /var/lib/snapd/hostfs/{etc,usr/lib}/os-release r, # Description: Can query system status information. This is restricted because # it gives privileged read access to all processes on the system and should # only be used with trusted apps. # Needed by 'ps' @{PROC}/tty/drivers r, # This ptrace is an information leak. Intentionlly omit 'ptrace (trace)' here # since since ps doesn't actually need to trace other processes. Note this # allows a number of accesses (assuming the associated /proc file is allowed), # such as various memory address locations and esp/eip via /proc//stat, # /proc//mem, /proc//personality, /proc//stack, /proc//syscall, # /proc//timerslack_ns and /proc//wchan (see man proc). # # Some files like /proc/kallsyms (but anything using %pK format specifier) need # 'capability syslog' when /proc/sys/kernel/kptr_restrict=1, but we # intentionally do not allow since it could be used to defeat KASLR. ptrace (read), # Other miscellaneous accesses for observing the system @{PROC}/cgroups r, @{PROC}/locks r, @{PROC}/modules r, @{PROC}/mdstat r, @{PROC}/schedstat r, @{PROC}/stat r, @{PROC}/vmstat r, @{PROC}/zoneinfo r, @{PROC}/diskstats r, @{PROC}/kallsyms r, @{PROC}/partitions r, @{PROC}/pressure/cpu r, @{PROC}/pressure/io r, @{PROC}/pressure/memory r, @{PROC}/sys/kernel/panic r, @{PROC}/sys/kernel/panic_on_oops r, @{PROC}/sys/kernel/sched_autogroup_enabled r, @{PROC}/sys/vm/max_map_count r, @{PROC}/sys/vm/panic_on_oom r, @{PROC}/sys/vm/swappiness r, # These are not process-specific (/proc//... and /proc//task//...) @{PROC}//{,task/,task//} r, @{PROC}//{,task//}autogroup r, @{PROC}//{,task//}auxv r, @{PROC}//{,task//}cgroup r, @{PROC}//{,task//}cmdline r, @{PROC}//{,task//}comm r, @{PROC}//{,task//}exe r, @{PROC}//{,task//}fdinfo/ r, @{PROC}//{,task//}io r, @{PROC}//{,task//}oom_score r, # allow reading of smaps_rollup, which is a summary of the memory use of a process, # but not smaps which contains a detailed mappings breakdown like # /proc/self/maps, which we do not allow access to for other processes @{PROC}//{,task//}smaps_rollup r, @{PROC}//{,task//}schedstat r, @{PROC}//{,task//}stat r, @{PROC}//{,task//}statm r, @{PROC}//{,task//}status r, @{PROC}//{,task//}wchan r, # Allow reading processes security label @{PROC}//{,task//}attr/{,apparmor/}current r, # Allow discovering the os-release of the host /var/lib/snapd/hostfs/etc/os-release rk, /var/lib/snapd/hostfs/usr/lib/os-release rk, # Allow discovering the Kernel build config @{PROC}/config.gz r, /boot/config* r, # Allow discovering system-wide CFS Bandwidth Control information # https://www.kernel.org/doc/html/latest/scheduler/sched-bwc.html /sys/fs/cgroup/cpu,cpuacct/cpu.cfs_period_us r, /sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r, /sys/fs/cgroup/cpu,cpuacct/cpu.shares r, /sys/fs/cgroup/cpu,cpuacct/cpu.stat r, /sys/fs/cgroup/memory/memory.stat r, #include <abstractions/dbus-strict> # do not use peer=(label=unconfined) here since this is DBus activated dbus (send) bus=system path=/org/freedesktop/hostname1 interface=org.freedesktop.DBus.Properties member=Get{,All}, # Allow clients to introspect hostname1 # do not use peer=(label=unconfined) here since this is DBus activated dbus (send) bus=system path=/org/freedesktop/hostname1 interface=org.freedesktop.DBus.Introspectable member=Introspect, # Allow clients to enumerate DBus connection names on common buses dbus (send) bus={session,system} path={/,/org/freedesktop/DBus} interface=org.freedesktop.DBus member={ListNames,ListActivatableNames} peer=(label=unconfined), # Allow clients to obtain the DBus machine ID on common buses. We do not # mediate the path since any peer can be used. dbus (send) bus={session,system} interface=org.freedesktop.DBus.Peer member=GetMachineId peer=(label=unconfined), # Allow clients to get properties of systemd (the manager) and # units dbus (send) bus=system interface=org.freedesktop.DBus.Properties path=/org/freedesktop/systemd1{,/*} member=Get{,All} peer=(label=unconfined), # Allow clients to explicitly list units with some of their details (path, # status) and get unit path, see # https://www.freedesktop.org/wiki/Software/systemd/dbus/ for details dbus (send) bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member={GetUnit,ListUnits} peer=(label=unconfined), # Allow reading if protected hardlinks are enabled, but don't allow enabling or # disabling them @{PROC}/sys/fs/protected_hardlinks r, @{PROC}/sys/fs/protected_symlinks r, @{PROC}/sys/fs/protected_fifos r, @{PROC}/sys/fs/protected_regular r, # allow use of user namespaces userns, # While commands like 'ps', 'ip netns identify <pid>', 'ip netns pids foo', etc # trigger a 'ptrace (trace)' denial, they aren't actually tracing other # processes. Unfortunately, the kernel overloads trace such that the LSMs are # unable to distinguish between tracing other processes and other accesses. # ptrace (trace) can be used to break out of the seccomp sandbox unless the # kernel has 93e35efb8de45393cf61ed07f7b407629bf698ea (in 4.8+). Until snapd # has full ptrace support conditional on kernel support, explicitly deny to # silence noisy denials/avoid confusion and accidentally giving away this # dangerous access frivolously. deny ptrace (trace), deny capability sys_ptrace, } ��snap.lxd.benchmark��0000644��00000067443�15027571546�0010201 0��ustar�00�� # vim:syntax=apparmor #include <tunables/global> #include if exists "/etc/apparmor.d/tunables/home.d" #include if exists "/var/lib/snapd/apparmor/snap-tuning" # snapd supports the concept of 'parallel installs' where snaps with the same # name are differentiated by '_<instance>' such that foo, foo_bar and foo_baz # may all be installed on the system. To support this, SNAP_NAME is set to the # name (eg, 'foo') while SNAP_INSTANCE_NAME is set to the instance name (eg # 'foo_bar'). The profile name and most rules therefore reference # SNAP_INSTANCE_NAME. In some cases, snapd will adjust the snap's runtime # environment so the snap doesn't have to be aware of the distinction (eg, # SNAP, SNAP_DATA and SNAP_COMMON are all bind mounted onto a directory with # SNAP_NAME so the security policy will allow writing to both locations (since # they are equivalent). # This is a snap name without the instance key @{SNAP_NAME}="lxd" # This is a snap name with instance key @{SNAP_INSTANCE_NAME}="lxd" @{SNAP_INSTANCE_DESKTOP}="lxd" @{SNAP_COMMAND_NAME}="benchmark" @{SNAP_REVISION}="31333" @{PROFILE_DBUS}="snap_2elxd_2ebenchmark" @{INSTALL_DIR}="/{,var/lib/snapd/}snap" profile "snap.lxd.benchmark" flags=(attach_disconnected,mediate_deleted) { #include <abstractions/base> #include <abstractions/consoles> #include <abstractions/openssl> # While in later versions of the base abstraction, include this explicitly # for series 16 and cross-distro /etc/ld.so.preload r, # The base abstraction doesn't yet have this /etc/sysconfig/clock r, owner @{PROC}/@{pid}/maps k, # /proc/XXXX/map_files contains the same info than /proc/XXXX/maps, but # in a format that is simpler to manage, because it doesn't require to # parse the text data inside a file, but just reading the contents of # a directory. # Reading /proc/XXXX/maps is already allowed in the base template # via <abstractions/base>. Also, only the owner can read it, and the # kernel limits access to it by requiring 'ptrace' enabled, so allowing # to access /proc/XXXX/map_files can be considered secure too. owner @{PROC}/@{pid}/map_files/ r, # While the base abstraction has rules for encryptfs encrypted home and # private directories, it is missing rules for directory read on the toplevel # directory of the mount (LP: #1848919) owner @{HOME}/.Private/ r, owner @{HOMEDIRS}/.ecryptfs//.Private/ r, # for python apps/services #include <abstractions/python> /etc/python3.[0-9]/* r, # explicitly deny noisy denials to read-only filesystems (see LP: #1496895 # for details) deny /usr/lib/python3/{,/}__pycache__/ w, deny /usr/lib/python3/{,/}__pycache__/.pyc.[0-9]* w, # bind mount used here (see 'parallel installs', above) deny @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}//__pycache__/ w, deny @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}//__pycache__/.pyc.[0-9] w, # for perl apps/services #include <abstractions/perl> # Missing from perl abstraction /usr/lib/@{multiarch}/perl{,5,-base}/auto/*.so mr, # Note: the following dangerous accesses should not be allowed in most # policy, but we cannot explicitly deny since other trusted interfaces might # add them. # Explicitly deny ptrace for now since it can be abused to break out of the # seccomp sandbox. https://lkml.org/lkml/2015/3/18/823 #audit deny ptrace (trace), # Explicitly deny capability mknod so apps can't create devices #audit deny capability mknod, # Explicitly deny mount, remount and umount so apps can't modify things in # their namespace #audit deny mount, #audit deny remount, #audit deny umount, # End dangerous accesses # Note: this potentially allows snaps to DoS other snaps via resource # exhaustion but we can't sensibly mediate this today. In the future we may # employ cgroup limits, AppArmor rlimit mlock rules or something else. capability ipc_lock, # for bash 'binaries' (do not use abstractions/bash) # user-specific bash files /etc/bash.bashrc r, /etc/inputrc r, /etc/environment r, /etc/profile r, # user/group/seat lookups /etc/{passwd,group,nsswitch.conf} r, # very common /var/lib/extrausers/{passwd,group} r, /run/systemd/users/[0-9]* r, /etc/default/nss r, # libnss-systemd (subset from nameservice abstraction) # # https://systemd.io/USER_GROUP_API/ # https://systemd.io/USER_RECORD/ # https://www.freedesktop.org/software/systemd/man/nss-systemd.html # # Allow User/Group lookups via common VarLink socket APIs. Applications need # to either consult all of them or the io.systemd.Multiplexer frontend. /run/systemd/userdb/ r, /run/systemd/userdb/io.systemd.Multiplexer rw, /run/systemd/userdb/io.systemd.DynamicUser rw, # systemd-exec users /run/systemd/userdb/io.systemd.Home rw, # systemd-home dirs /run/systemd/userdb/io.systemd.NameServiceSwitch rw, # UNIX/glibc NSS /run/systemd/userdb/io.systemd.Machine rw, # systemd-machined /etc/libnl-3/{classid,pktloc} r, # apps that use libnl # For snappy reexec on 4.8+ kernels /usr/lib/snapd/snap-exec m, # For gdb support /usr/lib/snapd/snap-gdb-shim ixr, /usr/lib/snapd/snap-gdbserver-shim ixr, # For in-snap tab completion /etc/bash_completion.d/{,} r, /usr/lib/snapd/etelpmoc.sh ixr, # marshaller (see complete.sh for out-of-snap unmarshal) /usr/share/bash-completion/bash_completion r, # user-provided completions (run in-snap) may use functions from here # uptime @{PROC}/uptime r, @{PROC}/loadavg r, # Allow reading /etc/os-release. On Ubuntu 16.04+ it is a symlink to /usr/lib # which is allowed by the base abstraction, but on 14.04 it is an actual file # so need to add it here. Also allow read locks on the file. /etc/os-release rk, /usr/lib/os-release k, # Debian version of the host OS which might be required in AppArmor-secured Debian /etc/debian_version r, # systemd native journal API (see sd_journal_print(4)). This should be in # AppArmor's base abstraction, but until it is, include here. We include # the base journal path as well as the journal namespace pattern path. Each # journal namespace for quota groups will be prefixed with 'snap-'. /run/systemd/journal{,.snap-}/socket w, /run/systemd/journal{,.snap-}/stdout rw, # 'r' shouldn't be needed, but journald # doesn't leak anything so allow /run/systemd/journal{,.snap-}/dev-log w, # snapctl and its requirements /usr/bin/snapctl ixr, /usr/lib/snapd/snapctl ixr, @{PROC}/sys/net/core/somaxconn r, /run/snapd-snap.socket rw, # Note: for now, don't explicitly deny this noisy denial so --devmode isn't # broken but eventually we may conditionally deny this since it is an # information leak. #deny /{,var/}run/utmp r, # java @{PROC}/@{pid}/ r, @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/auxv r, @{PROC}/sys/vm/zone_reclaim_mode r, /etc/lsb-release r, /sys/devices//read_ahead_kb r, /sys/devices/system/cpu/ r, /sys/devices/system/node/node[0-9]/ r, /sys/kernel/mm/transparent_hugepage/enabled r, /sys/kernel/mm/transparent_hugepage/defrag r, # NOTE: this leaks running process but java seems to want it (even though it # seems to operate ok without it) and SDL apps crash without it. Allow owner # match until AppArmor kernel var is available to solve this properly (see # LP: #1546825 for details). comm is a subset of cmdline, so allow it too. owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/comm r, # Per man(5) proc, the kernel enforces that a thread may only modify its comm # value or those in its thread group. owner @{PROC}/@{pid}/task/@{tid}/comm rw, # Allow reading and writing to our file descriptors in /proc which, for # example, allow access to /dev/std{in,out,err} which are all symlinks to # /proc/self/fd/{0,1,2} respectively. To support the open(..., O_TMPFILE) # linkat() temporary file technique, allow all fds. Importantly, access to # another task's fd via this proc interface is mediated via 'ptrace (read)' # (readonly) and 'ptrace (trace)' (read/write) which is denied by default, so # this rule by itself doesn't allow opening another snap's fds via proc. owner @{PROC}/@{pid}/{,task/@{tid}}fd/[0-9]* rw, # Miscellaneous accesses /dev/{,u}random w, /etc/machine-id r, /etc/mime.types r, /etc/default/keyboard r, @{PROC}/ r, @{PROC}/version r, @{PROC}/version_signature r, /etc/{,writable/}hostname r, /etc/{,writable/}localtime r, /etc/{,writable/}mailname r, /etc/{,writable/}timezone r, owner @{PROC}/@{pid}/cgroup rk, @{PROC}/@{pid}/cpuset r, @{PROC}/@{pid}/io r, owner @{PROC}/@{pid}/fdinfo/* r, owner @{PROC}/@{pid}/limits r, owner @{PROC}/@{pid}/loginuid r, owner @{PROC}/@{pid}/sessionid r, @{PROC}/@{pid}/smaps r, @{PROC}/@{pid}/stat r, @{PROC}/@{pid}/statm r, @{PROC}/@{pid}/status r, @{PROC}/@{pid}/task/ r, @{PROC}/@{pid}/task/[0-9]/smaps r, @{PROC}/@{pid}/task/[0-9]/stat r, @{PROC}/@{pid}/task/[0-9]/statm r, @{PROC}/@{pid}/task/[0-9]/status r, @{PROC}/sys/fs/pipe-max-size r, @{PROC}/sys/kernel/hostname r, @{PROC}/sys/kernel/osrelease r, @{PROC}/sys/kernel/ostype r, @{PROC}/sys/kernel/pid_max r, @{PROC}/sys/kernel/yama/ptrace_scope r, @{PROC}/sys/kernel/shmmax r, # Allow apps to introspect the level of dbus mediation AppArmor implements. /sys/kernel/security/apparmor/features/dbus/mask r, @{PROC}/sys/fs/file-max r, @{PROC}/sys/fs/file-nr r, @{PROC}/sys/fs/inotify/max_* r, @{PROC}/sys/kernel/pid_max r, @{PROC}/sys/kernel/random/boot_id r, @{PROC}/sys/kernel/random/entropy_avail r, @{PROC}/sys/kernel/random/uuid r, @{PROC}/sys/kernel/cap_last_cap r, # Allow access to the uuidd daemon (this daemon is a thin wrapper around # time and getrandom()/{,u}random and, when available, runs under an # unprivilged, dedicated user). /run/uuidd/request rw, /sys/devices/virtual/tty/{console,tty}/active r, /sys/fs/cgroup/memory/{,user.slice/}memory.limit_in_bytes r, /sys/fs/cgroup/memory/{,/}snap.@{SNAP_INSTANCE_NAME}{,.}/memory.limit_in_bytes r, /sys/fs/cgroup/memory/{,*/}snap.@{SNAP_INSTANCE_NAME}{,.}/memory.stat r, /sys/fs/cgroup/system.slice/snap.@{SNAP_INSTANCE_NAME}{,.}/memory.max r, /sys/fs/cgroup/cpu,cpuacct/{,user.slice/}cpu.cfs_{period,quota}_us r, /sys/fs/cgroup/cpu,cpuacct/{,/}snap.@{SNAP_INSTANCE_NAME}{,.}/cpu.cfs_{period,quota}_us r, /sys/fs/cgroup/cpu,cpuacct/{,user.slice/}cpu.shares r, /sys/fs/cgroup/cpu,cpuacct/{,*/}snap.@{SNAP_INSTANCE_NAME}{,.}/cpu.shares r, /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r, /sys/module/apparmor/parameters/enabled r, /{,usr/}lib/ r, # Reads of oom_adj and oom_score_adj are safe owner @{PROC}/@{pid}/oom_{,score_}adj r, # Note: for now, don't explicitly deny write access so --devmode isn't broken # but eventually we may conditionally deny this since it allows the process # to increase the oom heuristic of other processes (make them more likely to # be killed). Once AppArmor kernel var is available to solve this properly, # this can safely be allowed since non-root processes won't be able to # decrease the value and root processes will only be able to with # 'capability sys_resource,' which we deny be default. # deny owner @{PROC}/@{pid}/oom_{,score_}adj w, # Eases hardware assignment (doesn't give anything away) /etc/udev/udev.conf r, /sys/ r, /sys/bus/ r, /sys/class/ r, # this leaks interface names and stats, but not in a way that is traceable # to the user/device @{PROC}/net/dev r, @{PROC}/@{pid}/net/dev r, # Read-only of this snap /var/lib/snapd/snaps/@{SNAP_NAME}_.snap r, # Read-only of snapd restart state for snapctl specifically /var/lib/snapd/maintenance.json r, # Read-only for the install directory # bind mount used here (see 'parallel installs', above) @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/ r, @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}}/ r, @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}}/* mrklix, # Read-only install directory for other revisions to help with bugs like # LP: #1616650 and LP: #1655992 @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/** mrkix, # Read-only home area for other versions # bind mount not used here (see 'parallel installs', above) owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/ r, owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/ mrkix, # Experimental snap folder changes owner @{HOME}/.snap/data/@{SNAP_INSTANCE_NAME}/ r, owner @{HOME}/.snap/data/@{SNAP_INSTANCE_NAME}/ mrkix, owner @{HOME}/.snap/data/@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}/ wl, owner @{HOME}/.snap/data/@{SNAP_INSTANCE_NAME}/common/ wl, owner @{HOME}/Snap/@{SNAP_INSTANCE_NAME}/ r, owner @{HOME}/Snap/@{SNAP_INSTANCE_NAME}/** mrkixwl, # Writable home area for this version. # bind mount not used here (see 'parallel installs', above) owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}/ wl, owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/common/ wl, # Read-only system area for other versions # bind mount used here (see 'parallel installs', above) /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/ r, /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/ mrkix, # Writable system area only for this version # bind mount used here (see 'parallel installs', above) /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/@{SNAP_REVISION}/ wl, /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/common/ wl, # The snap-confine program creates an app-specific private restricted /tmp # and will fail to launch the app if something goes wrong. As such, we can # simply allow full access to /tmp. /tmp/ r, /tmp/ mrwlkix, # App-specific access to files and directories in /dev/shm. We allow file # access in /dev/shm for shm_open() and files in subdirectories for open() # bind mount not used here (see 'parallel installs', above) /{dev,run}/shm/snap.@{SNAP_INSTANCE_NAME}.** mrwlkix, # Also allow app-specific access for sem_open() /{dev,run}/shm/sem.snap.@{SNAP_INSTANCE_NAME}.* mrwlk, # Snap-specific XDG_RUNTIME_DIR that is based on the UID of the user # bind mount not used here (see 'parallel installs', above) owner /run/user/[0-9]/snap.@{SNAP_INSTANCE_NAME}/ rw, owner /run/user/[0-9]/snap.@{SNAP_INSTANCE_NAME}/ mrwklix, # Allow apps from the same package to communicate with each other via an # abstract or anonymous socket unix (bind, listen) addr="@snap.@{SNAP_INSTANCE_NAME}.", unix peer=(label=snap.@{SNAP_INSTANCE_NAME}.), # Allow apps from the same package to communicate with each other via DBus. # Note: this does not grant access to the DBus sockets of well known buses # (will still need to use an appropriate interface for that). dbus (receive, send) peer=(label=snap.@{SNAP_INSTANCE_NAME}.), # In addition to the above, dbus-run-session attempts reading these files # from the snap base runtime. /usr/share/dbus-1/services/{,} r, /usr/share/dbus-1/system-services/{,} r, # Allow apps to perform DBus introspection on org.freedesktop.DBus for both # the system and session buses. # Note: this does not grant access to the DBus sockets of these buses, but # we grant it here since it is missing from the dbus abstractions # (LP: #1866168) dbus (send) bus={session,system} path=/org/freedesktop/DBus interface=org.freedesktop.DBus.Introspectable member=Introspect peer=(label=unconfined), # Allow apps from the same package to signal each other via signals signal peer=snap.@{SNAP_INSTANCE_NAME}., # Allow receiving signals from all snaps (and focus on mediating sending of # signals) signal (receive) peer=snap., # Allow receiving signals from unconfined (eg, systemd) signal (receive) peer=unconfined, # for 'udevadm trigger --verbose --dry-run --tag-match=snappy-assign' /{,usr/}{,s}bin/udevadm ixr, /etc/udev/udev.conf r, /{,var/}run/udev/tags/snappy-assign/ r, @{PROC}/cmdline r, /sys/devices/*/uevent r, # LP: #1447237: adding '--property-match=SNAPPY_APP=<pkgname>' to the above # requires: # /run/udev/data/ r, # but that reveals too much about the system and cannot be granted to apps # by default at this time. # For convenience, allow apps to see what is in /dev even though cgroups # will block most access /dev/ r, /dev// r, # Allow setting up pseudoterminal via /dev/pts system. This is safe because # the launcher uses a per-app devpts newinstance. /dev/ptmx rw, # Do the same with /sys/devices and /sys/class to help people using hw-assign /sys/devices/ r, /sys/devices// r, /sys/class/ r, /sys/class/*/ r, # Allow all snaps to chroot capability sys_chroot, # Lttng tracing is very noisy and should not be allowed by confined apps. Can # safely deny for the normal case (LP: #1260491). If/when an lttng-trace # interface is needed, we can rework this. deny /{dev,run,var/run}/shm/lttng-ust- rw, # Allow read-access on /home/ for navigating to other parts of the # filesystem. While this allows enumerating users, this is already allowed # via /etc/passwd and getent. @{HOMEDIRS}/ r, # Allow read-access to / for navigating to other parts of the filesystem. / r, # Snap-specific run directory. Bind mount not used here # (see 'parallel installs', above) /run/snap.@{SNAP_INSTANCE_NAME}/ rw, /run/snap.@{SNAP_INSTANCE_NAME}/ mrwklix, # Snap-specific lock directory and prerequisite navigation permissions. /run/lock/ r, /run/lock/snap.@{SNAP_INSTANCE_NAME}/ rw, /run/lock/snap.@{SNAP_INSTANCE_NAME}/ mrwklix, # Default rules for core base runtimes # The base abstraction doesn't yet have this /{,usr/}lib/terminfo/ rk, /usr/share/terminfo/ k, /usr/share/zoneinfo/** k, # for python apps/services /usr/bin/python{,2,2.[0-9],3,3.[0-9]} ixr, # additional accesses needed for newer pythons in later bases /usr/lib{,32,64}/python3.[0-9]/.{pyc,so} mr, /usr/lib{,32,64}/python3.[0-9]/*.{egg,py,pth} r, /usr/lib{,32,64}/python3.[0-9]/{site,dist}-packages/ r, /usr/lib{,32,64}/python3.[0-9]/lib-dynload/.so mr, /usr/include/python3.[0-9]/pyconfig.h r, # for perl apps/services /usr/bin/perl{,5} ixr, # AppArmor <2.12 doesn't have rules for perl-base, so add them here /usr/lib/@{multiarch}/perl{,5,-base}/** r, /usr/lib/@{multiarch}/perl{,5,-base}/[0-9]/.so mr, # for bash 'binaries' (do not use abstractions/bash) # user-specific bash files /{,usr/}bin/bash ixr, /{,usr/}bin/dash ixr, /usr/share/terminfo/** r, # Common utilities for shell scripts /{,usr/}bin/arch ixr, /{,usr/}bin/{,g,m}awk ixr, /{,usr/}bin/base32 ixr, /{,usr/}bin/base64 ixr, /{,usr/}bin/basename ixr, /{,usr/}bin/bunzip2 ixr, /{,usr/}bin/busctl ixr, /{,usr/}bin/bzcat ixr, /{,usr/}bin/bzdiff ixr, /{,usr/}bin/bzgrep ixr, /{,usr/}bin/bzip2 ixr, /{,usr/}bin/cat ixr, /{,usr/}bin/chgrp ixr, /{,usr/}bin/chmod ixr, /{,usr/}bin/chown ixr, /{,usr/}bin/clear ixr, /{,usr/}bin/cmp ixr, /{,usr/}bin/cp ixr, /{,usr/}bin/cpio ixr, /{,usr/}bin/cut ixr, /{,usr/}bin/date ixr, /{,usr/}bin/dbus-daemon ixr, /{,usr/}bin/dbus-run-session ixr, /{,usr/}bin/dbus-send ixr, /{,usr/}bin/dd ixr, /{,usr/}bin/diff{,3} ixr, /{,usr/}bin/dir ixr, /{,usr/}bin/dirname ixr, /{,usr/}bin/du ixr, /{,usr/}bin/echo ixr, /{,usr/}bin/{,e,f,r}grep ixr, /{,usr/}bin/env ixr, /{,usr/}bin/expr ixr, /{,usr/}bin/false ixr, /{,usr/}bin/find ixr, /{,usr/}bin/flock ixr, /{,usr/}bin/fmt ixr, /{,usr/}bin/fold ixr, /{,usr/}bin/getconf ixr, /{,usr/}bin/getent ixr, /{,usr/}bin/getopt ixr, /{,usr/}bin/groups ixr, /{,usr/}bin/gzip ixr, /{,usr/}bin/head ixr, /{,usr/}bin/hostname ixr, /{,usr/}bin/id ixr, /{,usr/}bin/igawk ixr, /{,usr/}bin/infocmp ixr, /{,usr/}bin/kill ixr, /{,usr/}bin/ldd ixr, /{usr/,}lib{,32,64}/ld{,32,64}-.so ix, /{usr/,}lib/@{multiarch}/ld{,32,64}-.so* ix, /{,usr/}bin/less{,file,pipe} ixr, /{,usr/}bin/ln ixr, /{,usr/}bin/line ixr, /{,usr/}bin/link ixr, /{,usr/}bin/locale ixr, /{,usr/}bin/logger ixr, /{,usr/}bin/ls ixr, /{,usr/}bin/md5sum ixr, /{,usr/}bin/mkdir ixr, /{,usr/}bin/mkfifo ixr, /{,usr/}bin/mknod ixr, /{,usr/}bin/mktemp ixr, /{,usr/}bin/more ixr, /{,usr/}bin/mv ixr, /{,usr/}bin/nice ixr, /{,usr/}bin/nohup ixr, /{,usr/}bin/numfmt ixr, /{,usr/}bin/od ixr, /{,usr/}bin/openssl ixr, # may cause harmless capability block_suspend denial /{,usr/}bin/paste ixr, /{,usr/}bin/pgrep ixr, /{,usr/}bin/printenv ixr, /{,usr/}bin/printf ixr, /{,usr/}bin/ps ixr, /{,usr/}bin/pwd ixr, /{,usr/}bin/readlink ixr, /{,usr/}bin/realpath ixr, /{,usr/}bin/rev ixr, /{,usr/}bin/rm ixr, /{,usr/}bin/rmdir ixr, /{,usr/}bin/run-parts ixr, /{,usr/}bin/sed ixr, /{,usr/}bin/seq ixr, /{,usr/}bin/setpriv ixr, /{,usr/}bin/sha{1,224,256,384,512}sum ixr, /{,usr/}bin/shuf ixr, /{,usr/}bin/sleep ixr, /{,usr/}bin/sort ixr, /{,usr/}bin/stat ixr, /{,usr/}bin/stdbuf ixr, /{,usr/}bin/stty ixr, /{,usr/}bin/sync ixr, /{,usr/}bin/systemd-cat ixr, /{,usr/}bin/tac ixr, /{,usr/}bin/tail ixr, /{,usr/}bin/tar ixr, /{,usr/}bin/tee ixr, /{,usr/}bin/test ixr, /{,usr/}bin/tempfile ixr, /{,usr/}bin/tset ixr, /{,usr/}bin/touch ixr, /{,usr/}bin/tput ixr, /{,usr/}bin/tr ixr, /{,usr/}bin/true ixr, /{,usr/}bin/tty ixr, /{,usr/}bin/uname ixr, /{,usr/}bin/uniq ixr, /{,usr/}bin/unlink ixr, /{,usr/}bin/unxz ixr, /{,usr/}bin/unzip ixr, /{,usr/}bin/uptime ixr, /{,usr/}bin/vdir ixr, /{,usr/}bin/vim.tiny ixr, /{,usr/}bin/wc ixr, /{,usr/}bin/which{,.debianutils} ixr, /{,usr/}bin/xargs ixr, /{,usr/}bin/xz ixr, /{,usr/}bin/yes ixr, /{,usr/}bin/zcat ixr, /{,usr/}bin/z{,e,f}grep ixr, /{,usr/}bin/zip ixr, /{,usr/}bin/zipgrep ixr, # lsb-release /usr/bin/lsb_release ixr, /usr/bin/ r, /usr/share/distro-info/.csv r, # For printing the cache (we don't allow updating the cache) /{,usr/}sbin/ldconfig{,.real} ixr, # Allow all snaps to chroot /{,usr/}sbin/chroot ixr, # Description: Can change to any apparmor profile (including unconfined) thus # giving access to all resources of the system so LXD may manage what to give # to its containers. This gives device ownership to connected snaps. @{PROC}//attr/{,apparmor/}current r, /{,usr/}{,s}bin/aa-exec ux, # Allow discovering the os-release of the host /var/lib/snapd/hostfs/{etc,usr/lib}/os-release r, # Description: Can query system status information. This is restricted because # it gives privileged read access to all processes on the system and should # only be used with trusted apps. # Needed by 'ps' @{PROC}/tty/drivers r, # This ptrace is an information leak. Intentionlly omit 'ptrace (trace)' here # since since ps doesn't actually need to trace other processes. Note this # allows a number of accesses (assuming the associated /proc file is allowed), # such as various memory address locations and esp/eip via /proc//stat, # /proc//mem, /proc//personality, /proc//stack, /proc//syscall, # /proc//timerslack_ns and /proc//wchan (see man proc). # # Some files like /proc/kallsyms (but anything using %pK format specifier) need # 'capability syslog' when /proc/sys/kernel/kptr_restrict=1, but we # intentionally do not allow since it could be used to defeat KASLR. ptrace (read), # Other miscellaneous accesses for observing the system @{PROC}/cgroups r, @{PROC}/locks r, @{PROC}/modules r, @{PROC}/mdstat r, @{PROC}/schedstat r, @{PROC}/stat r, @{PROC}/vmstat r, @{PROC}/zoneinfo r, @{PROC}/diskstats r, @{PROC}/kallsyms r, @{PROC}/partitions r, @{PROC}/pressure/cpu r, @{PROC}/pressure/io r, @{PROC}/pressure/memory r, @{PROC}/sys/kernel/panic r, @{PROC}/sys/kernel/panic_on_oops r, @{PROC}/sys/kernel/sched_autogroup_enabled r, @{PROC}/sys/vm/max_map_count r, @{PROC}/sys/vm/panic_on_oom r, @{PROC}/sys/vm/swappiness r, # These are not process-specific (/proc//... and /proc//task//...) @{PROC}//{,task/,task//} r, @{PROC}//{,task//}autogroup r, @{PROC}//{,task//}auxv r, @{PROC}//{,task//}cgroup r, @{PROC}//{,task//}cmdline r, @{PROC}//{,task//}comm r, @{PROC}//{,task//}exe r, @{PROC}//{,task//}fdinfo/ r, @{PROC}//{,task//}io r, @{PROC}//{,task//}oom_score r, # allow reading of smaps_rollup, which is a summary of the memory use of a process, # but not smaps which contains a detailed mappings breakdown like # /proc/self/maps, which we do not allow access to for other processes @{PROC}//{,task//}smaps_rollup r, @{PROC}//{,task//}schedstat r, @{PROC}//{,task//}stat r, @{PROC}//{,task//}statm r, @{PROC}//{,task//}status r, @{PROC}//{,task//}wchan r, # Allow reading processes security label @{PROC}//{,task//}attr/{,apparmor/}current r, # Allow discovering the os-release of the host /var/lib/snapd/hostfs/etc/os-release rk, /var/lib/snapd/hostfs/usr/lib/os-release rk, # Allow discovering the Kernel build config @{PROC}/config.gz r, /boot/config* r, # Allow discovering system-wide CFS Bandwidth Control information # https://www.kernel.org/doc/html/latest/scheduler/sched-bwc.html /sys/fs/cgroup/cpu,cpuacct/cpu.cfs_period_us r, /sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r, /sys/fs/cgroup/cpu,cpuacct/cpu.shares r, /sys/fs/cgroup/cpu,cpuacct/cpu.stat r, /sys/fs/cgroup/memory/memory.stat r, #include <abstractions/dbus-strict> # do not use peer=(label=unconfined) here since this is DBus activated dbus (send) bus=system path=/org/freedesktop/hostname1 interface=org.freedesktop.DBus.Properties member=Get{,All}, # Allow clients to introspect hostname1 # do not use peer=(label=unconfined) here since this is DBus activated dbus (send) bus=system path=/org/freedesktop/hostname1 interface=org.freedesktop.DBus.Introspectable member=Introspect, # Allow clients to enumerate DBus connection names on common buses dbus (send) bus={session,system} path={/,/org/freedesktop/DBus} interface=org.freedesktop.DBus member={ListNames,ListActivatableNames} peer=(label=unconfined), # Allow clients to obtain the DBus machine ID on common buses. We do not # mediate the path since any peer can be used. dbus (send) bus={session,system} interface=org.freedesktop.DBus.Peer member=GetMachineId peer=(label=unconfined), # Allow clients to get properties of systemd (the manager) and # units dbus (send) bus=system interface=org.freedesktop.DBus.Properties path=/org/freedesktop/systemd1{,/*} member=Get{,All} peer=(label=unconfined), # Allow clients to explicitly list units with some of their details (path, # status) and get unit path, see # https://www.freedesktop.org/wiki/Software/systemd/dbus/ for details dbus (send) bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member={GetUnit,ListUnits} peer=(label=unconfined), # Allow reading if protected hardlinks are enabled, but don't allow enabling or # disabling them @{PROC}/sys/fs/protected_hardlinks r, @{PROC}/sys/fs/protected_symlinks r, @{PROC}/sys/fs/protected_fifos r, @{PROC}/sys/fs/protected_regular r, # allow use of user namespaces userns, # While commands like 'ps', 'ip netns identify <pid>', 'ip netns pids foo', etc # trigger a 'ptrace (trace)' denial, they aren't actually tracing other # processes. Unfortunately, the kernel overloads trace such that the LSMs are # unable to distinguish between tracing other processes and other accesses. # ptrace (trace) can be used to break out of the seccomp sandbox unless the # kernel has 93e35efb8de45393cf61ed07f7b407629bf698ea (in 4.8+). Until snapd # has full ptrace support conditional on kernel support, explicitly deny to # silence noisy denials/avoid confusion and accidentally giving away this # dangerous access frivolously. deny ptrace (trace), deny capability sys_ptrace, } ��snap-confine.snapd.24505��0000644��00000076543�15027571546�0010664 0��ustar�00��# Author: Jamie Strandboge <jamie@canonical.com> #include <tunables/global> #include if exists "/etc/apparmor.d/tunables/home.d/" @{SNAP_MOUNT_DIR_LIST}="{,/var/lib/snapd}/snap" /snap/snapd/24505/usr/lib/snapd/snap-confine (attach_disconnected) { # Include any additional files that snapd chose to generate. # - for $HOME on remote file system. # - for $HOME on encrypted media # # Those are discussed on https://forum.snapcraft.io/t/snapd-vs-upstream-kernel-vs-apparmor # and https://forum.snapcraft.io/t/snaps-and-nfs-home/ #include "/var/lib/snapd/apparmor/snap-confine.internal" # We run privileged, so be fanatical about what we include and don't use # any abstractions /etc/ld.so.cache r, /etc/ld.so.preload r, # Do not assume that the interpreter is always named like # ld-linux-x86_64.so, as on some architectures there can be a version after # the .so suffix, eg. ld-linux-aarch64.so.1 /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}ld{-,64}.so mrix, # libc, you are funny /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libc{,-[0-9]}.so* mr, /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libpthread{,-[0-9]}.so* mr, /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libreadline{,-[0-9]}.so* mr, /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}librt{,-[0-9]}.so* mr, /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libgcc_s.so mr, /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libncursesw{,-[0-9]}.so* mr, /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libresolv{,-[0-9]}.so* mr, /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libselinux.so mr, /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libpcre{,2}{,-[0-9]}.so* mr, /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libmount.so mr, /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libblkid.so mr, /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libuuid.so mr, # normal libs in order /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libapparmor.so mr, /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcgmanager.so mr, /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libdl{,-[0-9]}.so* mr, /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnih.so mr, /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnih-dbus.so mr, /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libdbus-1.so mr, /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libudev.so mr, /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libseccomp.so mr, /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcap.so mr, /snap/snapd/24505/usr/lib/snapd/snap-confine mr, # This rule is needed when executing from a "base: core" devmode snap on # UC18 and newer where the /snap/snapd/24505/usr/lib/snapd/snap-confine inside the # "base: core" mount namespace always comes from the snapd snap, and thus # we will execute snap-confine via this path, and thus need to be able to # read this path when executing. It's also necessary on classic where both # the snapd and the core snap are installed at the same time. # TODO: remove this rule when we stop supporting executing other snaps from # inside devmode snaps, ideally even in the short term we would only include # this rule on core only, and specifically uc18 and newer where we need it /usr/lib/snapd/snap-confine mr, /dev/null rw, /dev/full rw, /dev/zero rw, /dev/random r, /dev/urandom r, /dev/pts/[0-9]* rw, /dev/tty rw, # SNAP_MOUNT_DIR probe logic /proc/1/root/snap r, # cgroup: devices capability sys_admin, capability dac_read_search, capability dac_override, /sys/fs/cgroup/ r, /sys/fs/cgroup/devices/ r, /sys/fs/cgroup/devices/snap./ rw, /sys/fs/cgroup/devices/snap./cgroup.procs w, /sys/fs/cgroup/devices/snap./devices.{allow,deny} w, # cgroup: freezer # Allow creating per-snap cgroup freezers and adding snap command (task) # invocations to the freezer. This allows for reliably enumerating all # running processes for the snap. In addition, allow enumerating processes # in the cgroup to determine if it is occupied. /sys/fs/cgroup/freezer/ r, /sys/fs/cgroup/freezer/snap./ w, /sys/fs/cgroup/freezer/snap./cgroup.procs rw, /sys/fs/cgroup/ r, /sys/fs/cgroup/* r, # cgroup: reading own cgroup @{PROC}/@{pid}/cgroup r, # cgroup: manage bpf map for device cgroup /sys/fs/bpf/ r, /sys/fs/bpf/snap/ rw, /sys/fs/bpf/snap/* rw, # s-c may need to raise the memlock limit capability sys_resource, # querying udev /etc/udev/udev.conf r, /sys//uevent r, /run/udev/ rw, /{,usr/}bin/tr ixr, /usr/lib/locale/** r, /usr/lib/@{multiarch}/gconv/gconv-modules r, /usr/lib/@{multiarch}/gconv/gconv-modules.cache r, # priv dropping capability setuid, capability setgid, # changing profile @{PROC}/[0-9]/attr/{,apparmor/}exec w, # Reading current profile @{PROC}/[0-9]/attr/{,apparmor/}current r, # Reading available filesystems @{PROC}/filesystems r, # To find where apparmor is mounted @{PROC}/[0-9]/mounts r, # To find if apparmor is enabled /sys/module/apparmor/parameters/enabled r, # For detecting if we're in a container /run/systemd/container r, # Don't allow changing profile to unconfined or profiles that start with # '/'. Use 'unsafe' to support snap-exec on armhf and its reliance on # the environment for determining the capabilities of the architecture. # 'unsafe' is ok here because the kernel will have already cleared the # environment as part of launching snap-confine with CAP_SYS_ADMIN. This # does leave directories as configured by ld.so.preload as well as # LD_PRELOAD to be set to a library which is in a directory configured by # ld.so.conf, but access to those locations is mediated by this profile # (which requires rules for specific locations). # TODO: use GenerateAAREExclusionPatterns for this, though the first # rule and the fact that the generative aspect is not an absolute filepath # complicate using that function directly change_profile unsafe /* -> [^u/], change_profile unsafe / -> u[^n], change_profile unsafe / -> un[^c], change_profile unsafe / -> unc[^o], change_profile unsafe / -> unco[^n], change_profile unsafe / -> uncon[^f], change_profile unsafe / -> unconf[^i], change_profile unsafe / -> unconfi[^n], change_profile unsafe / -> unconfin[^e], change_profile unsafe / -> unconfine[^d], change_profile unsafe / -> unconfined?, # allow changing to a few not caught above change_profile unsafe / -> {u,un,unc,unco,uncon,unconf,unconfi,unconfin,unconfine}, # LP: #1446794 - when this bug is fixed, change the above to: # deny change_profile unsafe / -> {unconfined,/}, # change_profile unsafe / -> , # reading seccomp filters. # Note 1: We still need to consider .bin extension because of global.bin file. # Note 2: This rule is not needed because of rule '/var/lib/** rw', however we keep it because at # some point we want to investigate if we can narrow the scope of the aforementioned rule. /{tmp/snap.rootfs_/,}var/lib/snapd/seccomp/bpf/.bin{,2} r, # adding a missing bpf mount mount fstype=bpf options=(rw) bpf -> /sys/fs/bpf/, # For mounting base dir by dir (write dirs and mount on them) /tmp/snap.rootfs_** rw, mount options=(remount ro) -> /tmp/snap.rootfs_/, mount options=(rw rbind) @{SNAP_MOUNT_DIR_LIST}//// -> /tmp/snap.rootfs_/, # For mounting individual files mount options=(rw bind) @{SNAP_MOUNT_DIR_LIST}///* -> /tmp/snap.rootfs_/, mount options=(rw rslave) -> /tmp/snap.rootfs_/, # Allow mounting dirs from / mount options=(rw rbind) // -> /tmp/snap.rootfs_*/, # LP: #1668659 and parallel instances of classic snaps mount options=(rw rbind) /snap/ -> /snap/, mount options=(rw rshared) -> /snap/, mount options=(rw rbind) /var/lib/snapd/snap/ -> /var/lib/snapd/snap/, mount options=(rw rshared) -> /var/lib/snapd/snap/, # boostrapping the mount namespace /tmp/snap.rootfs_/ rw, mount fstype=tmpfs none -> /tmp/snap.rootfs_/, mount options=(rw rshared) -> /, mount options=(rw bind) /tmp/snap.rootfs_/ -> /tmp/snap.rootfs_/, mount options=(rw unbindable) -> /tmp/snap.rootfs_/, # the next line is for classic system mount options=(rw rbind) @{SNAP_MOUNT_DIR_LIST}/// -> /tmp/snap.rootfs_/, # the next line is for core system mount options=(rw rbind) / -> /tmp/snap.rootfs_/, # all of the constructed rootfs is a rslave mount options=(rw rslave) -> /tmp/snap.rootfs_/, # bidirectional mounts (for both classic and core) # NOTE: this doesn't capture the MERGED_USR configuration option so that # when a distro with merged /usr and / that uses apparmor shows up it # should be handled here. /{,run/}media/ w, mount options=(rw rbind) /{,run/}media/ -> /tmp/snap.rootfs_/{,run/}media/, /run/netns/ w, mount options=(rw rbind) /run/netns/ -> /tmp/snap.rootfs_/run/netns/, # unidirectional mounts (only for classic system) mount options=(rw rbind) /dev/ -> /tmp/snap.rootfs_/dev/, mount options=(rw rslave) -> /tmp/snap.rootfs_/dev/, mount options=(rw rbind) /etc/ -> /tmp/snap.rootfs_/etc/, mount options=(rw rslave) -> /tmp/snap.rootfs_/etc/, mount options=(rw rbind) /home/ -> /tmp/snap.rootfs_/home/, mount options=(rw rslave) -> /tmp/snap.rootfs_/home/, mount options=(rw rbind) /root/ -> /tmp/snap.rootfs_/root/, mount options=(rw rslave) -> /tmp/snap.rootfs_/root/, mount options=(rw rbind) /proc/ -> /tmp/snap.rootfs_/proc/, mount options=(rw rslave) -> /tmp/snap.rootfs_/proc/, mount options=(rw rbind) /sys/ -> /tmp/snap.rootfs_/sys/, mount options=(rw rslave) -> /tmp/snap.rootfs_/sys/, mount options=(rw rbind) /tmp/ -> /tmp/snap.rootfs_/tmp/, mount options=(rw rslave) -> /tmp/snap.rootfs_/tmp/, mount options=(rw rbind) /var/lib/dhcp/ -> /tmp/snap.rootfs_/var/lib/dhcp/, mount options=(rw rslave) -> /tmp/snap.rootfs_/var/lib/dhcp/, mount options=(rw rbind) /var/lib/snapd/ -> /tmp/snap.rootfs_/var/lib/snapd/, mount options=(rw rslave) -> /tmp/snap.rootfs_/var/lib/snapd/, mount options=(rw rbind) /var/snap/ -> /tmp/snap.rootfs_/var/snap/, mount options=(rw rslave) -> /tmp/snap.rootfs_/var/snap/, mount options=(rw rbind) /var/tmp/ -> /tmp/snap.rootfs_/var/tmp/, # /var/volatile is the default volatile location on Yocto/Poky, typically used with read-only rootfs setups mount options=(rw rbind) /var/volatile/tmp/ -> /tmp/snap.rootfs_/var/tmp/, mount options=(rw rslave) -> /tmp/snap.rootfs_/var/tmp/, mount options=(rw rbind) /run/ -> /tmp/snap.rootfs_/run/, mount options=(rw rslave) -> /tmp/snap.rootfs_/run/, mount options=(rw rbind) /var/lib/extrausers/ -> /tmp/snap.rootfs_/var/lib/extrausers/, mount options=(rw rslave) -> /tmp/snap.rootfs_/var/lib/extrausers/, mount options=(rw rbind) {,/usr}/lib{,32,64,x32}/modules/ -> /tmp/snap.rootfs_{,/usr}/lib/modules/, mount options=(rw rslave) -> /tmp/snap.rootfs_{,/usr}/lib/modules/, mount options=(rw rbind) {,/usr}/lib{,32,64,x32}/firmware/ -> /tmp/snap.rootfs_{,/usr}/lib/firmware/, mount options=(rw rslave) -> /tmp/snap.rootfs_{,/usr}/lib/firmware/, mount options=(rw rbind) /var/log/ -> /tmp/snap.rootfs_/var/log/, # /var/volatile is the default volatile location on Yocto/Poky, typically used with read-only rootfs setups mount options=(rw rbind) /var/volatile/log/ -> /tmp/snap.rootfs_/var/log/, mount options=(rw rslave) -> /tmp/snap.rootfs_/var/log/, mount options=(rw rbind) /usr/src/ -> /tmp/snap.rootfs_/usr/src/, mount options=(rw rslave) -> /tmp/snap.rootfs_/usr/src/, mount options=(rw rbind) /mnt/ -> /tmp/snap.rootfs_/mnt/, mount options=(rw rslave) -> /tmp/snap.rootfs_/mnt/, # allow making host snap-exec available inside base snaps mount options=(rw bind) /usr/lib/snapd/ -> /tmp/snap.rootfs_/usr/lib/snapd/, mount options=(rw slave) -> /tmp/snap.rootfs_/usr/lib/snapd/, # allow making re-execed host snap-exec available inside base snaps mount options=(ro bind) @{SNAP_MOUNT_DIR_LIST}/core//usr/lib/snapd/ -> /tmp/snap.rootfs_/usr/lib/snapd/, # allow making snapd snap tools available inside base snaps mount options=(ro bind) @{SNAP_MOUNT_DIR_LIST}/snapd//usr/lib/snapd/ -> /tmp/snap.rootfs_/usr/lib/snapd/, mount options=(rw bind) /usr/bin/snapctl -> /tmp/snap.rootfs_/usr/bin/snapctl, mount options=(rw slave) -> /tmp/snap.rootfs_/usr/bin/snapctl, # /etc/alternatives (classic and normal mode) mount options=(rw bind) @{SNAP_MOUNT_DIR_LIST}///etc/alternatives/ -> /tmp/snap.rootfs_/etc/alternatives/, mount options=(rw bind) @{SNAP_MOUNT_DIR_LIST}///etc/ssl/ -> /tmp/snap.rootfs_/etc/ssl/, mount options=(rw bind) @{SNAP_MOUNT_DIR_LIST}///etc/nsswitch.conf -> /tmp/snap.rootfs_/etc/nsswitch.conf, mount options=(rw bind) @{SNAP_MOUNT_DIR_LIST}///etc/apparmor/ -> /tmp/snap.rootfs_/etc/apparmor/, mount options=(rw bind) @{SNAP_MOUNT_DIR_LIST}///etc/apparmor.d/ -> /tmp/snap.rootfs_/etc/apparmor.d/, # /etc/alternatives (core/legacy mode) mount options=(rw bind) /etc/alternatives/ -> /tmp/snap.rootfs_/etc/alternatives/, # making all those directories slave shared. mount options=(rw slave) -> /tmp/snap.rootfs_/etc/alternatives/, mount options=(rw slave) -> /tmp/snap.rootfs_/etc/ssl/, mount options=(rw slave) -> /tmp/snap.rootfs_/etc/nsswitch.conf, mount options=(rw slave) -> /tmp/snap.rootfs_/etc/apparmor/, mount options=(rw slave) -> /tmp/snap.rootfs_/etc/apparmor.d/, # the /snap directory mount options=(rw rbind) @{SNAP_MOUNT_DIR_LIST}/ -> /tmp/snap.rootfs_/snap/, mount options=(rw rslave) -> /tmp/snap.rootfs_/snap/, # pivot_root preparation and execution mount options=(rw bind) /tmp/snap.rootfs_/var/lib/snapd/hostfs/ -> /tmp/snap.rootfs_/var/lib/snapd/hostfs/, mount options=(rw private) -> /tmp/snap.rootfs_/var/lib/snapd/hostfs/, # pivot_root mediation in AppArmor is not complete. See LP: #1791711. # However, we can mediate the new_root and put_old to be what we expect, # and then deny directory creation within old_root to prevent trivial # pivoting into an allowlisted path. pivot_root oldroot=/tmp/snap.rootfs_/var/lib/snapd/hostfs/ /tmp/snap.rootfs_/, # Explicitly deny creating the old_root directory in case it is # inadvertently added somewhere else. While this doesn't resolve # LP: #1791711, it provides some hardening. # For dir on dir mounts, we do need write permissions in /var though audit deny /tmp/snap.rootfs_/{var/lib/,var/lib/snapd/,var/lib/snapd/hostfs/} w, # cleanup umount /var/lib/snapd/hostfs/tmp/snap.rootfs_/, umount /var/lib/snapd/hostfs/sys/, umount /var/lib/snapd/hostfs/dev/, umount /var/lib/snapd/hostfs/proc/, mount options=(rw rslave) -> /var/lib/snapd/hostfs/, # Hide /writable from view of snaps. mount options=(rprivate) -> /{,var/lib/snapd/hostfs/}writable/, umount /{,var/lib/snapd/hostfs/}writable/, # set up user mount namespace mount options=(rslave) -> /, # set up mount namespace for parallel instances of classic snaps mount options=(rw rbind) @{SNAP_MOUNT_DIR_LIST}/{,/} -> @{SNAP_MOUNT_DIR_LIST}/{,/}, mount options=(rslave) -> @{SNAP_MOUNT_DIR_LIST}/, mount options=(rslave) -> /var/snap/, mount options=(rw rbind) /var/snap/{,/} -> /var/snap/{,/}, mount options=(rw rshared) -> /var/snap/, # Allow reading the os-release file (possibly a symlink to /usr/lib). /{etc/,usr/lib/}os-release r, # Allow creating /var/lib/snapd/hostfs, if missing /var/lib/snapd/hostfs/ rw, # set up snap-specific private /tmp dir capability chown, /tmp/ rw, /tmp/snap-private-tmp/ rw, /tmp/snap-private-tmp/snap./ rw, /tmp/snap-private-tmp/snap./tmp/ rw, mount options=(rw private) -> /tmp/, mount options=(rw bind) /tmp/snap-private-tmp/snap./tmp/ -> /tmp/, mount fstype=devpts options=(rw) devpts -> /dev/pts/, mount options=(rw bind) /dev/pts/ptmx -> /dev/ptmx, # for bind mounting mount options=(rw bind) /dev/pts/ptmx -> /dev/pts/ptmx, # for bind mounting under LXD # Workaround for LP: #1584456 on older kernels that mistakenly think # /dev/pts/ptmx needs a trailing '/' mount options=(rw bind) /dev/pts/ptmx/ -> /dev/ptmx/, mount options=(rw bind) /dev/pts/ptmx/ -> /dev/pts/ptmx/, # for running snaps on classic /snap/ r, /snap/ r, @{SNAP_MOUNT_DIR_LIST}/ r, @{SNAP_MOUNT_DIR_LIST}/ r, # NOTE: at this stage the /snap directory is stable as we have called # pivot_root already. # nvidia handling, glob needs /usr/ and the launcher must be # able to bind mount the nvidia dir /sys/module/nvidia/version r, /sys//drivers/nvidia{,_}/ r, /sys/*/nvidia/uevent r, /sys/module/nvidia{,_}/ r, /dev/nvidia[0-9]* r, /dev/nvidiactl r, /dev/nvidia-uvm r, /usr/** r, mount options=(rw bind) /usr/lib{,32}/nvidia-/ -> /{tmp/snap.rootfs_/,}var/lib/snapd/lib/gl{,32}/, mount options=(rw bind) /usr/lib{,32}/nvidia-/ -> /{tmp/snap.rootfs_/,}var/lib/snapd/lib/gl{,32}/, /tmp/snap.rootfs_/var/lib/snapd/lib/gl{,32}/{,} w, mount fstype=tmpfs options=(rw nodev noexec) none -> /tmp/snap.rootfs_/var/lib/snapd/lib/gl{,32}/, mount options=(remount ro bind) -> /tmp/snap.rootfs_/var/lib/snapd/lib/gl{,32}/, # Vulkan support /tmp/snap.rootfs_/var/lib/snapd/lib/vulkan/{,} w, mount fstype=tmpfs options=(rw nodev noexec) none -> /tmp/snap.rootfs_/var/lib/snapd/lib/vulkan/, mount options=(remount ro bind) -> /tmp/snap.rootfs_/var/lib/snapd/lib/vulkan/, # GLVND EGL vendor /tmp/snap.rootfs_/var/lib/snapd/lib/glvnd/{,} w, mount fstype=tmpfs options=(rw nodev noexec) none -> /tmp/snap.rootfs_/var/lib/snapd/lib/glvnd/, mount options=(remount ro bind) -> /tmp/snap.rootfs_/var/lib/snapd/lib/glvnd/, # create gl dirs as needed /tmp/snap.rootfs_/ r, /tmp/snap.rootfs_/var/ r, /tmp/snap.rootfs_/var/lib/ r, /tmp/snap.rootfs_/var/lib/snapd/ r, /tmp/snap.rootfs_/var/lib/snapd/lib/ r, /tmp/snap.rootfs_/var/lib/snapd/lib/gl{,32}/ r, /tmp/snap.rootfs_/var/lib/snapd/lib/gl{,32}/* rw, /tmp/snap.rootfs_/var/lib/snapd/lib/vulkan/ r, /tmp/snap.rootfs_/var/lib/snapd/lib/vulkan/** rw, /tmp/snap.rootfs_/var/lib/snapd/lib/glvnd/ r, /tmp/snap.rootfs_/var/lib/snapd/lib/glvnd/** rw, # for chroot on steroids, we use pivot_root as a better chroot that makes # apparmor rules behave the same on classic and outside of classic. # for creating the user data directories: ~/snap, ~/snap/<name> and # ~/snap/<name>/<version> / r, @{HOMEDIRS}/ r, # These should both have 'owner' match but due to LP: #1466234, we can't # yet @{HOME}/ r, @{HOME}/snap/{,/,//} rw, # experimental @{HOME}/.snap/ rw, @{HOME}/.snap/data/{,/,//} rw, @{HOME}/Snap/{,/,//} rw, # Special case for classic* snaps that are used by users with existing dirs # in /var/lib/. Like jenkins, postgresql, mysql, puppet, ... # (see https://forum.snapcraft.io/t/9717) # TODO: this can be removed once we support home-dirs outside of /home # better /var/ r, /var/lib/ r, # These should both have 'owner' match but due to LP: #1466234, we can't # yet /var/lib// r, /var/lib//snap/{,/,//} rw, # for creating the user shared memory directories /{dev,run}/{,shm/} r, # This should both have 'owner' match but due to LP: #1466234, we can't yet /{dev,run}/shm/{,/,//} rw, # for creating the user XDG_RUNTIME_DIR: /run/user, /run/user/UID and # /run/user/UID/<name> /run/user/{,[0-9]/,[0-9]//} rw, # Workaround https://launchpad.net/bugs/359338 until upstream handles # stacked filesystems generally. # encrypted ~/.Private and old-style encrypted $HOME @{HOME}/.Private/ r, @{HOME}/.Private/* mrwlk, # new-style encrypted $HOME @{HOMEDIRS}/.ecryptfs//.Private/ r, @{HOMEDIRS}/.ecryptfs//.Private/** mrwlk, # Allow snap-confine to move to the void, creating it if necessary. /var/lib/snapd/void/ rw, # Allow snap-confine to read snap contexts /var/lib/snapd/context/snap.* r, # Allow snap-confine to unmount stale mount namespaces. umount /run/snapd/ns/.mnt, /run/snapd/ns/snap..fstab w, # Allow snap-confine to read and write mount namespace information files. /run/snapd/ns/snap..info rw, # Required to correctly unmount bound mount namespace. # See LP: #1735459 for details. umount /, # support for locking /run/snapd/lock/ rw, /run/snapd/lock/.lock rwk, # support for the mount namespace sharing capability sys_ptrace, # allow snap-confine to read /proc/1/ns/mnt ptrace read peer=unconfined, # https://forum.snapcraft.io/t/custom-kernel-error-on-readlinkat-in-mount-namespace/6097/21 ptrace trace peer=unconfined, mount options=(rw rbind) /run/snapd/ns/ -> /run/snapd/ns/, mount options=(private) -> /run/snapd/ns/, / rw, /run/ rw, /run/snapd/ rw, /run/snapd/ns/ rw, /run/snapd/ns/.lock rwk, /run/snapd/ns/.mnt rw, ptrace (read, readby, tracedby) peer=/snap/snapd/24505/usr/lib/snapd/snap-confine//mount-namespace-capture-helper, @{PROC}//mountinfo r, capability sys_chroot, capability sys_admin, signal (send, receive) set=(abrt) peer=/snap/snapd/24505/usr/lib/snapd/snap-confine, signal (send) set=(int) peer=/snap/snapd/24505/usr/lib/snapd/snap-confine//mount-namespace-capture-helper, signal (send, receive) set=(int, alrm, exists) peer=/snap/snapd/24505/usr/lib/snapd/snap-confine, signal (receive) set=(exists) peer=/snap/snapd/24505/usr/lib/snapd/snap-confine//mount-namespace-capture-helper, # workaround for linux 4.13/upstream, see # https://forum.snapcraft.io/t/snapd-2-27-6-2-in-debian-sid-blocked-on-apparmor-in-kernel-4-13-0-1/2813/3 ptrace (trace, tracedby) peer=/snap/snapd/24505/usr/lib/snapd/snap-confine, # Allow reading snap cookies. /var/lib/snapd/cookie/snap. r, # For aa_change_hat() to go into ^mount-namespace-capture-helper @{PROC}/[0-9]/attr/{,apparmor/}current w, # As a special exception allow snap-confine to write to anything in /var/lib. # This code should be changed to allow delegation so that snap-confine can # inherit any file descriptor and pass it to the invoked application but # this is not possible in apparmor yet. # See https://bugs.launchpad.net/snapd/+bug/1815869 /var/lib/* rw, ^mount-namespace-capture-helper (attach_disconnected) { # We run privileged, so be fanatical about what we include and don't use # any abstractions /etc/ld.so.cache r, /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}ld{-,64}.so* mrix, # libc, you are funny /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libc{,-[0-9]}.so* mr, /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libpthread{,-[0-9]}.so* mr, /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libreadline{,-[0-9]}.so* mr, /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}librt{,-[0-9]}.so* mr, /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libgcc_s.so mr, /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libncursesw{,-[0-9]}.so* mr, /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libresolv{,-[0-9]}.so* mr, /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libselinux.so mr, /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libpcre.so mr, /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libmount.so mr, /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libblkid.so mr, /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libuuid.so mr, # normal libs in order /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libapparmor.so mr, /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcgmanager.so mr, /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libdl{,-[0-9]}.so* mr, /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnih.so mr, /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnih-dbus.so mr, /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libdbus-1.so mr, /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libudev.so mr, /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libseccomp.so mr, /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcap.so mr, /snap/snapd/24505/usr/lib/snapd/snap-confine mr, /dev/null rw, /dev/full rw, /dev/zero rw, /dev/random r, /dev/urandom r, capability sys_ptrace, capability sys_admin, # This allows us to read and bind mount the namespace file / r, @{PROC}/ r, @{PROC}// r, @{PROC}//ns/ r, @{PROC}//ns/mnt r, /run/ r, /run/snapd/ r, /run/snapd/ns/ r, /run/snapd/ns/.mnt rw, # NOTE: the source name is / even though we map /proc/123/ns/mnt mount options=(rw bind) / -> /run/snapd/ns/.mnt, # This is the SIGALRM that we send and receive if a timeout expires signal (send, receive) set=(alrm) peer=/snap/snapd/24505/usr/lib/snapd/snap-confine//mount-namespace-capture-helper, # Those two rules are exactly the same but we don't know if the parent process is still alive # and hence has the appropriate label or is already dead and hence has no label. signal (send) set=(exists) peer=/snap/snapd/24505/usr/lib/snapd/snap-confine, signal (send) set=(exists) peer=unconfined, # This is so that we can abort signal (send, receive) set=(abrt) peer=/snap/snapd/24505/usr/lib/snapd/snap-confine//mount-namespace-capture-helper, # This is the signal we get if snap-confine dies (we subscribe to it with prctl) signal (receive) set=(int) peer=/snap/snapd/24505/usr/lib/snapd/snap-confine, # This allows snap-confine to be killed from the outside. signal (receive) peer=unconfined, # This allows snap-confine to wait for us ptrace (read, trace, tracedby) peer=/snap/snapd/24505/usr/lib/snapd/snap-confine, } # Allow snap-confine to be killed signal (receive) peer=unconfined, # Allow switching to snap-update-ns with a per-snap profile. change_profile -> snap-update-ns., # Allow executing snap-update-ns when... # ...snap-confine is, conceptually, re-executing and uses snap-update-ns # from the distribution package. This is also the location used when using # the core/base snap on all-snap systems. The variants here represent # various locations of libexecdir across distributions. /usr/lib{,exec,64}/snapd/snap-update-ns r, # ...snap-confine is not, conceptually, re-executing and uses # snap-update-ns from the distribution package but we are already inside # the constructed mount namespace so we must traverse "hostfs". The # variants here represent various locations of libexecdir across # distributions. /var/lib/snapd/hostfs/usr/lib{,exec,64}/snapd/snap-update-ns r, # ..snap-confine is, conceptually, re-executing and uses snap-update-ns # from the core or snapd snaps. Note that the location of the actual snap # varies from distribution to distribution. The variants here represent # different locations of snap mount directory across distributions. /{,var/lib/snapd/}snap/{core,snapd}//usr/lib/snapd/snap-update-ns r, # ...snap-confine is, conceptually, re-executing and uses snap-update-ns # from the core snap or snapd snap, but we are already inside the # constructed mount namespace. Here the apparmor kernel module # re-constructs the path to snap-update-ns using the "hostfs" mount entry # rather than the more "natural" /snap mount entry but we have no control # over that. This is reported as (LP: #1716339). The variants here # represent different locations of snap mount directory across # distributions. /var/lib/snapd/hostfs/{,var/lib/snapd/}snap/{core,snapd}//usr/lib/snapd/snap-update-ns r, # Allow executing snap-discard-ns, just like the set for snap-update-ns # above but with the key difference that snap-discard-ns does not # have a dedicated profile so we need to inherit snap-confine's profile. /usr/lib{,exec,64}/snapd/snap-discard-ns rix, /var/lib/snapd/hostfs/usr/lib{,exec,64}/snapd/snap-discard-ns rix, /{,var/lib/snapd/}snap/{core,snapd}//usr/lib/snapd/snap-discard-ns rix, /var/lib/snapd/hostfs/{,var/lib/snapd/}snap/{core,snapd}//usr/lib/snapd/snap-discard-ns rix, # Allow mounting /var/lib/jenkins from the host into the snap. mount options=(rw rbind) /var/lib/jenkins/ -> /tmp/snap.rootfs_/var/lib/jenkins/, mount options=(rw rslave) -> /tmp/snap.rootfs_/var/lib/jenkins/, # Suppress noisy file_inherit denials (LP: #1850552) until LP: #1849753 is # fixed. deny /dev/shm/.org.chromium.Chromium.* rw, # While snap-confine itself doesn't require unix rules and therefore all # unix rules are implicitly denied, adding an explicit deny for unix to # silence noisy denials breaks nested lxd. Until the cause is determined, # do not use an explicit deny for unix. (LP: #1855355) #deny unix, # Explicitly deny these accesses which show up on Arch to silence the # denials for this unneeded access. deny /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnss_files-[0-9].so mr, deny /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnss_mymachines.[0-9].so mr, deny /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnss_systemd.[0-9].so mr, deny /etc/nsswitch.conf r, deny /etc/passwd r, } ��snap.lxd.hook.configure��0000644��00000072446�15027571546�0011166 0��ustar�00�� # vim:syntax=apparmor #include <tunables/global> #include if exists "/etc/apparmor.d/tunables/home.d" #include if exists "/var/lib/snapd/apparmor/snap-tuning" # snapd supports the concept of 'parallel installs' where snaps with the same # name are differentiated by '_<instance>' such that foo, foo_bar and foo_baz # may all be installed on the system. To support this, SNAP_NAME is set to the # name (eg, 'foo') while SNAP_INSTANCE_NAME is set to the instance name (eg # 'foo_bar'). The profile name and most rules therefore reference # SNAP_INSTANCE_NAME. In some cases, snapd will adjust the snap's runtime # environment so the snap doesn't have to be aware of the distinction (eg, # SNAP, SNAP_DATA and SNAP_COMMON are all bind mounted onto a directory with # SNAP_NAME so the security policy will allow writing to both locations (since # they are equivalent). # This is a snap name without the instance key @{SNAP_NAME}="lxd" # This is a snap name with instance key @{SNAP_INSTANCE_NAME}="lxd" @{SNAP_INSTANCE_DESKTOP}="lxd" @{SNAP_COMMAND_NAME}="hook.configure" @{SNAP_REVISION}="31333" @{PROFILE_DBUS}="snap_2elxd_2ehook_2econfigure" @{INSTALL_DIR}="/{,var/lib/snapd/}snap" profile "snap.lxd.hook.configure" flags=(attach_disconnected,mediate_deleted) { #include <abstractions/base> #include <abstractions/consoles> #include <abstractions/openssl> # While in later versions of the base abstraction, include this explicitly # for series 16 and cross-distro /etc/ld.so.preload r, # The base abstraction doesn't yet have this /etc/sysconfig/clock r, owner @{PROC}/@{pid}/maps k, # /proc/XXXX/map_files contains the same info than /proc/XXXX/maps, but # in a format that is simpler to manage, because it doesn't require to # parse the text data inside a file, but just reading the contents of # a directory. # Reading /proc/XXXX/maps is already allowed in the base template # via <abstractions/base>. Also, only the owner can read it, and the # kernel limits access to it by requiring 'ptrace' enabled, so allowing # to access /proc/XXXX/map_files can be considered secure too. owner @{PROC}/@{pid}/map_files/ r, # While the base abstraction has rules for encryptfs encrypted home and # private directories, it is missing rules for directory read on the toplevel # directory of the mount (LP: #1848919) owner @{HOME}/.Private/ r, owner @{HOMEDIRS}/.ecryptfs//.Private/ r, # for python apps/services #include <abstractions/python> /etc/python3.[0-9]/** r, # explicitly deny noisy denials to read-only filesystems (see LP: #1496895 # for details) deny /usr/lib/python3/{,/}__pycache__/ w, deny /usr/lib/python3/{,/}__pycache__/.pyc.[0-9]* w, # bind mount used here (see 'parallel installs', above) deny @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}//__pycache__/ w, deny @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}//__pycache__/.pyc.[0-9] w, # for perl apps/services #include <abstractions/perl> # Missing from perl abstraction /usr/lib/@{multiarch}/perl{,5,-base}/auto/*.so mr, # Note: the following dangerous accesses should not be allowed in most # policy, but we cannot explicitly deny since other trusted interfaces might # add them. # Explicitly deny ptrace for now since it can be abused to break out of the # seccomp sandbox. https://lkml.org/lkml/2015/3/18/823 #audit deny ptrace (trace), # Explicitly deny capability mknod so apps can't create devices #audit deny capability mknod, # Explicitly deny mount, remount and umount so apps can't modify things in # their namespace #audit deny mount, #audit deny remount, #audit deny umount, # End dangerous accesses # Note: this potentially allows snaps to DoS other snaps via resource # exhaustion but we can't sensibly mediate this today. In the future we may # employ cgroup limits, AppArmor rlimit mlock rules or something else. capability ipc_lock, # for bash 'binaries' (do not use abstractions/bash) # user-specific bash files /etc/bash.bashrc r, /etc/inputrc r, /etc/environment r, /etc/profile r, # user/group/seat lookups /etc/{passwd,group,nsswitch.conf} r, # very common /var/lib/extrausers/{passwd,group} r, /run/systemd/users/[0-9]* r, /etc/default/nss r, # libnss-systemd (subset from nameservice abstraction) # # https://systemd.io/USER_GROUP_API/ # https://systemd.io/USER_RECORD/ # https://www.freedesktop.org/software/systemd/man/nss-systemd.html # # Allow User/Group lookups via common VarLink socket APIs. Applications need # to either consult all of them or the io.systemd.Multiplexer frontend. /run/systemd/userdb/ r, /run/systemd/userdb/io.systemd.Multiplexer rw, /run/systemd/userdb/io.systemd.DynamicUser rw, # systemd-exec users /run/systemd/userdb/io.systemd.Home rw, # systemd-home dirs /run/systemd/userdb/io.systemd.NameServiceSwitch rw, # UNIX/glibc NSS /run/systemd/userdb/io.systemd.Machine rw, # systemd-machined /etc/libnl-3/{classid,pktloc} r, # apps that use libnl # For snappy reexec on 4.8+ kernels /usr/lib/snapd/snap-exec m, # For gdb support /usr/lib/snapd/snap-gdb-shim ixr, /usr/lib/snapd/snap-gdbserver-shim ixr, # For in-snap tab completion /etc/bash_completion.d/{,} r, /usr/lib/snapd/etelpmoc.sh ixr, # marshaller (see complete.sh for out-of-snap unmarshal) /usr/share/bash-completion/bash_completion r, # user-provided completions (run in-snap) may use functions from here # uptime @{PROC}/uptime r, @{PROC}/loadavg r, # Allow reading /etc/os-release. On Ubuntu 16.04+ it is a symlink to /usr/lib # which is allowed by the base abstraction, but on 14.04 it is an actual file # so need to add it here. Also allow read locks on the file. /etc/os-release rk, /usr/lib/os-release k, # Debian version of the host OS which might be required in AppArmor-secured Debian /etc/debian_version r, # systemd native journal API (see sd_journal_print(4)). This should be in # AppArmor's base abstraction, but until it is, include here. We include # the base journal path as well as the journal namespace pattern path. Each # journal namespace for quota groups will be prefixed with 'snap-'. /run/systemd/journal{,.snap-}/socket w, /run/systemd/journal{,.snap-}/stdout rw, # 'r' shouldn't be needed, but journald # doesn't leak anything so allow /run/systemd/journal{,.snap-}/dev-log w, # snapctl and its requirements /usr/bin/snapctl ixr, /usr/lib/snapd/snapctl ixr, @{PROC}/sys/net/core/somaxconn r, /run/snapd-snap.socket rw, # Note: for now, don't explicitly deny this noisy denial so --devmode isn't # broken but eventually we may conditionally deny this since it is an # information leak. #deny /{,var/}run/utmp r, # java @{PROC}/@{pid}/ r, @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/auxv r, @{PROC}/sys/vm/zone_reclaim_mode r, /etc/lsb-release r, /sys/devices//read_ahead_kb r, /sys/devices/system/cpu/ r, /sys/devices/system/node/node[0-9]/ r, /sys/kernel/mm/transparent_hugepage/enabled r, /sys/kernel/mm/transparent_hugepage/defrag r, # NOTE: this leaks running process but java seems to want it (even though it # seems to operate ok without it) and SDL apps crash without it. Allow owner # match until AppArmor kernel var is available to solve this properly (see # LP: #1546825 for details). comm is a subset of cmdline, so allow it too. owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/comm r, # Per man(5) proc, the kernel enforces that a thread may only modify its comm # value or those in its thread group. owner @{PROC}/@{pid}/task/@{tid}/comm rw, # Allow reading and writing to our file descriptors in /proc which, for # example, allow access to /dev/std{in,out,err} which are all symlinks to # /proc/self/fd/{0,1,2} respectively. To support the open(..., O_TMPFILE) # linkat() temporary file technique, allow all fds. Importantly, access to # another task's fd via this proc interface is mediated via 'ptrace (read)' # (readonly) and 'ptrace (trace)' (read/write) which is denied by default, so # this rule by itself doesn't allow opening another snap's fds via proc. owner @{PROC}/@{pid}/{,task/@{tid}}fd/[0-9]* rw, # Miscellaneous accesses /dev/{,u}random w, /etc/machine-id r, /etc/mime.types r, /etc/default/keyboard r, @{PROC}/ r, @{PROC}/version r, @{PROC}/version_signature r, /etc/{,writable/}hostname r, /etc/{,writable/}localtime r, /etc/{,writable/}mailname r, /etc/{,writable/}timezone r, owner @{PROC}/@{pid}/cgroup rk, @{PROC}/@{pid}/cpuset r, @{PROC}/@{pid}/io r, owner @{PROC}/@{pid}/fdinfo/* r, owner @{PROC}/@{pid}/limits r, owner @{PROC}/@{pid}/loginuid r, owner @{PROC}/@{pid}/sessionid r, @{PROC}/@{pid}/smaps r, @{PROC}/@{pid}/stat r, @{PROC}/@{pid}/statm r, @{PROC}/@{pid}/status r, @{PROC}/@{pid}/task/ r, @{PROC}/@{pid}/task/[0-9]/smaps r, @{PROC}/@{pid}/task/[0-9]/stat r, @{PROC}/@{pid}/task/[0-9]/statm r, @{PROC}/@{pid}/task/[0-9]/status r, @{PROC}/sys/fs/pipe-max-size r, @{PROC}/sys/kernel/hostname r, @{PROC}/sys/kernel/osrelease r, @{PROC}/sys/kernel/ostype r, @{PROC}/sys/kernel/pid_max r, @{PROC}/sys/kernel/yama/ptrace_scope r, @{PROC}/sys/kernel/shmmax r, # Allow apps to introspect the level of dbus mediation AppArmor implements. /sys/kernel/security/apparmor/features/dbus/mask r, @{PROC}/sys/fs/file-max r, @{PROC}/sys/fs/file-nr r, @{PROC}/sys/fs/inotify/max_* r, @{PROC}/sys/kernel/pid_max r, @{PROC}/sys/kernel/random/boot_id r, @{PROC}/sys/kernel/random/entropy_avail r, @{PROC}/sys/kernel/random/uuid r, @{PROC}/sys/kernel/cap_last_cap r, # Allow access to the uuidd daemon (this daemon is a thin wrapper around # time and getrandom()/{,u}random and, when available, runs under an # unprivilged, dedicated user). /run/uuidd/request rw, /sys/devices/virtual/tty/{console,tty}/active r, /sys/fs/cgroup/memory/{,user.slice/}memory.limit_in_bytes r, /sys/fs/cgroup/memory/{,/}snap.@{SNAP_INSTANCE_NAME}{,.}/memory.limit_in_bytes r, /sys/fs/cgroup/memory/{,*/}snap.@{SNAP_INSTANCE_NAME}{,.}/memory.stat r, /sys/fs/cgroup/system.slice/snap.@{SNAP_INSTANCE_NAME}{,.}/memory.max r, /sys/fs/cgroup/cpu,cpuacct/{,user.slice/}cpu.cfs_{period,quota}_us r, /sys/fs/cgroup/cpu,cpuacct/{,/}snap.@{SNAP_INSTANCE_NAME}{,.}/cpu.cfs_{period,quota}_us r, /sys/fs/cgroup/cpu,cpuacct/{,user.slice/}cpu.shares r, /sys/fs/cgroup/cpu,cpuacct/{,*/}snap.@{SNAP_INSTANCE_NAME}{,.}/cpu.shares r, /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r, /sys/module/apparmor/parameters/enabled r, /{,usr/}lib/ r, # Reads of oom_adj and oom_score_adj are safe owner @{PROC}/@{pid}/oom_{,score_}adj r, # Note: for now, don't explicitly deny write access so --devmode isn't broken # but eventually we may conditionally deny this since it allows the process # to increase the oom heuristic of other processes (make them more likely to # be killed). Once AppArmor kernel var is available to solve this properly, # this can safely be allowed since non-root processes won't be able to # decrease the value and root processes will only be able to with # 'capability sys_resource,' which we deny be default. # deny owner @{PROC}/@{pid}/oom_{,score_}adj w, # Eases hardware assignment (doesn't give anything away) /etc/udev/udev.conf r, /sys/ r, /sys/bus/ r, /sys/class/ r, # this leaks interface names and stats, but not in a way that is traceable # to the user/device @{PROC}/net/dev r, @{PROC}/@{pid}/net/dev r, # Read-only of this snap /var/lib/snapd/snaps/@{SNAP_NAME}_.snap r, # Read-only of snapd restart state for snapctl specifically /var/lib/snapd/maintenance.json r, # Read-only for the install directory # bind mount used here (see 'parallel installs', above) @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/ r, @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}}/ r, @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}}/* mrklix, # Read-only install directory for other revisions to help with bugs like # LP: #1616650 and LP: #1655992 @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/** mrkix, # Read-only home area for other versions # bind mount not used here (see 'parallel installs', above) owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/ r, owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/ mrkix, # Experimental snap folder changes owner @{HOME}/.snap/data/@{SNAP_INSTANCE_NAME}/ r, owner @{HOME}/.snap/data/@{SNAP_INSTANCE_NAME}/ mrkix, owner @{HOME}/.snap/data/@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}/ wl, owner @{HOME}/.snap/data/@{SNAP_INSTANCE_NAME}/common/ wl, owner @{HOME}/Snap/@{SNAP_INSTANCE_NAME}/ r, owner @{HOME}/Snap/@{SNAP_INSTANCE_NAME}/** mrkixwl, # Writable home area for this version. # bind mount not used here (see 'parallel installs', above) owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}/ wl, owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/common/ wl, # Read-only system area for other versions # bind mount used here (see 'parallel installs', above) /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/ r, /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/ mrkix, # Writable system area only for this version # bind mount used here (see 'parallel installs', above) /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/@{SNAP_REVISION}/ wl, /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/common/ wl, # The snap-confine program creates an app-specific private restricted /tmp # and will fail to launch the app if something goes wrong. As such, we can # simply allow full access to /tmp. /tmp/ r, /tmp/ mrwlkix, # App-specific access to files and directories in /dev/shm. We allow file # access in /dev/shm for shm_open() and files in subdirectories for open() # bind mount not used here (see 'parallel installs', above) /{dev,run}/shm/snap.@{SNAP_INSTANCE_NAME}.** mrwlkix, # Also allow app-specific access for sem_open() /{dev,run}/shm/sem.snap.@{SNAP_INSTANCE_NAME}.* mrwlk, # Snap-specific XDG_RUNTIME_DIR that is based on the UID of the user # bind mount not used here (see 'parallel installs', above) owner /run/user/[0-9]/snap.@{SNAP_INSTANCE_NAME}/ rw, owner /run/user/[0-9]/snap.@{SNAP_INSTANCE_NAME}/ mrwklix, # Allow apps from the same package to communicate with each other via an # abstract or anonymous socket unix (bind, listen) addr="@snap.@{SNAP_INSTANCE_NAME}.", unix peer=(label=snap.@{SNAP_INSTANCE_NAME}.), # Allow apps from the same package to communicate with each other via DBus. # Note: this does not grant access to the DBus sockets of well known buses # (will still need to use an appropriate interface for that). dbus (receive, send) peer=(label=snap.@{SNAP_INSTANCE_NAME}.), # In addition to the above, dbus-run-session attempts reading these files # from the snap base runtime. /usr/share/dbus-1/services/{,} r, /usr/share/dbus-1/system-services/{,} r, # Allow apps to perform DBus introspection on org.freedesktop.DBus for both # the system and session buses. # Note: this does not grant access to the DBus sockets of these buses, but # we grant it here since it is missing from the dbus abstractions # (LP: #1866168) dbus (send) bus={session,system} path=/org/freedesktop/DBus interface=org.freedesktop.DBus.Introspectable member=Introspect peer=(label=unconfined), # Allow apps from the same package to signal each other via signals signal peer=snap.@{SNAP_INSTANCE_NAME}., # Allow receiving signals from all snaps (and focus on mediating sending of # signals) signal (receive) peer=snap., # Allow receiving signals from unconfined (eg, systemd) signal (receive) peer=unconfined, # for 'udevadm trigger --verbose --dry-run --tag-match=snappy-assign' /{,usr/}{,s}bin/udevadm ixr, /etc/udev/udev.conf r, /{,var/}run/udev/tags/snappy-assign/ r, @{PROC}/cmdline r, /sys/devices/*/uevent r, # LP: #1447237: adding '--property-match=SNAPPY_APP=<pkgname>' to the above # requires: # /run/udev/data/ r, # but that reveals too much about the system and cannot be granted to apps # by default at this time. # For convenience, allow apps to see what is in /dev even though cgroups # will block most access /dev/ r, /dev// r, # Allow setting up pseudoterminal via /dev/pts system. This is safe because # the launcher uses a per-app devpts newinstance. /dev/ptmx rw, # Do the same with /sys/devices and /sys/class to help people using hw-assign /sys/devices/ r, /sys/devices// r, /sys/class/ r, /sys/class/*/ r, # Allow all snaps to chroot capability sys_chroot, # Lttng tracing is very noisy and should not be allowed by confined apps. Can # safely deny for the normal case (LP: #1260491). If/when an lttng-trace # interface is needed, we can rework this. deny /{dev,run,var/run}/shm/lttng-ust- rw, # Allow read-access on /home/ for navigating to other parts of the # filesystem. While this allows enumerating users, this is already allowed # via /etc/passwd and getent. @{HOMEDIRS}/ r, # Allow read-access to / for navigating to other parts of the filesystem. / r, # Snap-specific run directory. Bind mount not used here # (see 'parallel installs', above) /run/snap.@{SNAP_INSTANCE_NAME}/ rw, /run/snap.@{SNAP_INSTANCE_NAME}/ mrwklix, # Snap-specific lock directory and prerequisite navigation permissions. /run/lock/ r, /run/lock/snap.@{SNAP_INSTANCE_NAME}/ rw, /run/lock/snap.@{SNAP_INSTANCE_NAME}/ mrwklix, # Default rules for core base runtimes # The base abstraction doesn't yet have this /{,usr/}lib/terminfo/ rk, /usr/share/terminfo/ k, /usr/share/zoneinfo/** k, # for python apps/services /usr/bin/python{,2,2.[0-9],3,3.[0-9]} ixr, # additional accesses needed for newer pythons in later bases /usr/lib{,32,64}/python3.[0-9]/.{pyc,so} mr, /usr/lib{,32,64}/python3.[0-9]/*.{egg,py,pth} r, /usr/lib{,32,64}/python3.[0-9]/{site,dist}-packages/ r, /usr/lib{,32,64}/python3.[0-9]/lib-dynload/.so mr, /usr/include/python3.[0-9]/pyconfig.h r, # for perl apps/services /usr/bin/perl{,5} ixr, # AppArmor <2.12 doesn't have rules for perl-base, so add them here /usr/lib/@{multiarch}/perl{,5,-base}/** r, /usr/lib/@{multiarch}/perl{,5,-base}/[0-9]/.so mr, # for bash 'binaries' (do not use abstractions/bash) # user-specific bash files /{,usr/}bin/bash ixr, /{,usr/}bin/dash ixr, /usr/share/terminfo/** r, # Common utilities for shell scripts /{,usr/}bin/arch ixr, /{,usr/}bin/{,g,m}awk ixr, /{,usr/}bin/base32 ixr, /{,usr/}bin/base64 ixr, /{,usr/}bin/basename ixr, /{,usr/}bin/bunzip2 ixr, /{,usr/}bin/busctl ixr, /{,usr/}bin/bzcat ixr, /{,usr/}bin/bzdiff ixr, /{,usr/}bin/bzgrep ixr, /{,usr/}bin/bzip2 ixr, /{,usr/}bin/cat ixr, /{,usr/}bin/chgrp ixr, /{,usr/}bin/chmod ixr, /{,usr/}bin/chown ixr, /{,usr/}bin/clear ixr, /{,usr/}bin/cmp ixr, /{,usr/}bin/cp ixr, /{,usr/}bin/cpio ixr, /{,usr/}bin/cut ixr, /{,usr/}bin/date ixr, /{,usr/}bin/dbus-daemon ixr, /{,usr/}bin/dbus-run-session ixr, /{,usr/}bin/dbus-send ixr, /{,usr/}bin/dd ixr, /{,usr/}bin/diff{,3} ixr, /{,usr/}bin/dir ixr, /{,usr/}bin/dirname ixr, /{,usr/}bin/du ixr, /{,usr/}bin/echo ixr, /{,usr/}bin/{,e,f,r}grep ixr, /{,usr/}bin/env ixr, /{,usr/}bin/expr ixr, /{,usr/}bin/false ixr, /{,usr/}bin/find ixr, /{,usr/}bin/flock ixr, /{,usr/}bin/fmt ixr, /{,usr/}bin/fold ixr, /{,usr/}bin/getconf ixr, /{,usr/}bin/getent ixr, /{,usr/}bin/getopt ixr, /{,usr/}bin/groups ixr, /{,usr/}bin/gzip ixr, /{,usr/}bin/head ixr, /{,usr/}bin/hostname ixr, /{,usr/}bin/id ixr, /{,usr/}bin/igawk ixr, /{,usr/}bin/infocmp ixr, /{,usr/}bin/kill ixr, /{,usr/}bin/ldd ixr, /{usr/,}lib{,32,64}/ld{,32,64}-.so ix, /{usr/,}lib/@{multiarch}/ld{,32,64}-.so* ix, /{,usr/}bin/less{,file,pipe} ixr, /{,usr/}bin/ln ixr, /{,usr/}bin/line ixr, /{,usr/}bin/link ixr, /{,usr/}bin/locale ixr, /{,usr/}bin/logger ixr, /{,usr/}bin/ls ixr, /{,usr/}bin/md5sum ixr, /{,usr/}bin/mkdir ixr, /{,usr/}bin/mkfifo ixr, /{,usr/}bin/mknod ixr, /{,usr/}bin/mktemp ixr, /{,usr/}bin/more ixr, /{,usr/}bin/mv ixr, /{,usr/}bin/nice ixr, /{,usr/}bin/nohup ixr, /{,usr/}bin/numfmt ixr, /{,usr/}bin/od ixr, /{,usr/}bin/openssl ixr, # may cause harmless capability block_suspend denial /{,usr/}bin/paste ixr, /{,usr/}bin/pgrep ixr, /{,usr/}bin/printenv ixr, /{,usr/}bin/printf ixr, /{,usr/}bin/ps ixr, /{,usr/}bin/pwd ixr, /{,usr/}bin/readlink ixr, /{,usr/}bin/realpath ixr, /{,usr/}bin/rev ixr, /{,usr/}bin/rm ixr, /{,usr/}bin/rmdir ixr, /{,usr/}bin/run-parts ixr, /{,usr/}bin/sed ixr, /{,usr/}bin/seq ixr, /{,usr/}bin/setpriv ixr, /{,usr/}bin/sha{1,224,256,384,512}sum ixr, /{,usr/}bin/shuf ixr, /{,usr/}bin/sleep ixr, /{,usr/}bin/sort ixr, /{,usr/}bin/stat ixr, /{,usr/}bin/stdbuf ixr, /{,usr/}bin/stty ixr, /{,usr/}bin/sync ixr, /{,usr/}bin/systemd-cat ixr, /{,usr/}bin/tac ixr, /{,usr/}bin/tail ixr, /{,usr/}bin/tar ixr, /{,usr/}bin/tee ixr, /{,usr/}bin/test ixr, /{,usr/}bin/tempfile ixr, /{,usr/}bin/tset ixr, /{,usr/}bin/touch ixr, /{,usr/}bin/tput ixr, /{,usr/}bin/tr ixr, /{,usr/}bin/true ixr, /{,usr/}bin/tty ixr, /{,usr/}bin/uname ixr, /{,usr/}bin/uniq ixr, /{,usr/}bin/unlink ixr, /{,usr/}bin/unxz ixr, /{,usr/}bin/unzip ixr, /{,usr/}bin/uptime ixr, /{,usr/}bin/vdir ixr, /{,usr/}bin/vim.tiny ixr, /{,usr/}bin/wc ixr, /{,usr/}bin/which{,.debianutils} ixr, /{,usr/}bin/xargs ixr, /{,usr/}bin/xz ixr, /{,usr/}bin/yes ixr, /{,usr/}bin/zcat ixr, /{,usr/}bin/z{,e,f}grep ixr, /{,usr/}bin/zip ixr, /{,usr/}bin/zipgrep ixr, # lsb-release /usr/bin/lsb_release ixr, /usr/bin/ r, /usr/share/distro-info/.csv r, # For printing the cache (we don't allow updating the cache) /{,usr/}sbin/ldconfig{,.real} ixr, # Allow all snaps to chroot /{,usr/}sbin/chroot ixr, # Description: Can access the network as a client. #include <abstractions/nameservice> /run/systemd/resolve/stub-resolv.conf rk, /etc/mdns.allow r, # not yet included in the mdns abstraction network netlink dgram, # not yet included in the nameservice abstraction # systemd-resolved (not yet included in nameservice abstraction) # # Allow access to the safe members of the systemd-resolved D-Bus API: # # https://www.freedesktop.org/wiki/Software/systemd/resolved/ # # This API may be used directly over the D-Bus system bus or it may be used # indirectly via the nss-resolve plugin: # # https://www.freedesktop.org/software/systemd/man/nss-resolve.html # #include <abstractions/dbus-strict> dbus send bus=system path="/org/freedesktop/resolve1" interface="org.freedesktop.resolve1.Manager" member="Resolve{Address,Hostname,Record,Service}" peer=(name="org.freedesktop.resolve1"), # libnss-systemd (D-Bus portion from nameservice abstraction) # Also allow lookups for systemd-exec's DynamicUsers via D-Bus # https://www.freedesktop.org/software/systemd/man/systemd.exec.html dbus send bus=system path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="{GetDynamicUsers,LookupDynamicUserByName,LookupDynamicUserByUID}" peer=(name="org.freedesktop.systemd1"), #include <abstractions/ssl_certs> @{PROC}/sys/net/core/somaxconn r, @{PROC}/sys/net/ipv4/tcp_fastopen r, # Allow using netcat as client /{,usr/}bin/nc{,.openbsd} ixr, # Description: Can change to any apparmor profile (including unconfined) thus # giving access to all resources of the system so LXD may manage what to give # to its containers. This gives device ownership to connected snaps. @{PROC}//attr/{,apparmor/}current r, /{,usr/}{,s}bin/aa-exec ux, # Allow discovering the os-release of the host /var/lib/snapd/hostfs/{etc,usr/lib}/os-release r, # Description: Can query system status information. This is restricted because # it gives privileged read access to all processes on the system and should # only be used with trusted apps. # Needed by 'ps' @{PROC}/tty/drivers r, # This ptrace is an information leak. Intentionlly omit 'ptrace (trace)' here # since since ps doesn't actually need to trace other processes. Note this # allows a number of accesses (assuming the associated /proc file is allowed), # such as various memory address locations and esp/eip via /proc//stat, # /proc//mem, /proc//personality, /proc//stack, /proc//syscall, # /proc//timerslack_ns and /proc//wchan (see man proc). # # Some files like /proc/kallsyms (but anything using %pK format specifier) need # 'capability syslog' when /proc/sys/kernel/kptr_restrict=1, but we # intentionally do not allow since it could be used to defeat KASLR. ptrace (read), # Other miscellaneous accesses for observing the system @{PROC}/cgroups r, @{PROC}/locks r, @{PROC}/modules r, @{PROC}/mdstat r, @{PROC}/schedstat r, @{PROC}/stat r, @{PROC}/vmstat r, @{PROC}/zoneinfo r, @{PROC}/diskstats r, @{PROC}/kallsyms r, @{PROC}/partitions r, @{PROC}/pressure/cpu r, @{PROC}/pressure/io r, @{PROC}/pressure/memory r, @{PROC}/sys/kernel/panic r, @{PROC}/sys/kernel/panic_on_oops r, @{PROC}/sys/kernel/sched_autogroup_enabled r, @{PROC}/sys/vm/max_map_count r, @{PROC}/sys/vm/panic_on_oom r, @{PROC}/sys/vm/swappiness r, # These are not process-specific (/proc//... and /proc//task//...) @{PROC}//{,task/,task//} r, @{PROC}//{,task//}autogroup r, @{PROC}//{,task//}auxv r, @{PROC}//{,task//}cgroup r, @{PROC}//{,task//}cmdline r, @{PROC}//{,task//}comm r, @{PROC}//{,task//}exe r, @{PROC}//{,task//}fdinfo/ r, @{PROC}//{,task//}io r, @{PROC}//{,task//}oom_score r, # allow reading of smaps_rollup, which is a summary of the memory use of a process, # but not smaps which contains a detailed mappings breakdown like # /proc/self/maps, which we do not allow access to for other processes @{PROC}//{,task//}smaps_rollup r, @{PROC}//{,task//}schedstat r, @{PROC}//{,task//}stat r, @{PROC}//{,task//}statm r, @{PROC}//{,task//}status r, @{PROC}//{,task//}wchan r, # Allow reading processes security label @{PROC}//{,task//}attr/{,apparmor/}current r, # Allow discovering the os-release of the host /var/lib/snapd/hostfs/etc/os-release rk, /var/lib/snapd/hostfs/usr/lib/os-release rk, # Allow discovering the Kernel build config @{PROC}/config.gz r, /boot/config* r, # Allow discovering system-wide CFS Bandwidth Control information # https://www.kernel.org/doc/html/latest/scheduler/sched-bwc.html /sys/fs/cgroup/cpu,cpuacct/cpu.cfs_period_us r, /sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r, /sys/fs/cgroup/cpu,cpuacct/cpu.shares r, /sys/fs/cgroup/cpu,cpuacct/cpu.stat r, /sys/fs/cgroup/memory/memory.stat r, #include <abstractions/dbus-strict> # do not use peer=(label=unconfined) here since this is DBus activated dbus (send) bus=system path=/org/freedesktop/hostname1 interface=org.freedesktop.DBus.Properties member=Get{,All}, # Allow clients to introspect hostname1 # do not use peer=(label=unconfined) here since this is DBus activated dbus (send) bus=system path=/org/freedesktop/hostname1 interface=org.freedesktop.DBus.Introspectable member=Introspect, # Allow clients to enumerate DBus connection names on common buses dbus (send) bus={session,system} path={/,/org/freedesktop/DBus} interface=org.freedesktop.DBus member={ListNames,ListActivatableNames} peer=(label=unconfined), # Allow clients to obtain the DBus machine ID on common buses. We do not # mediate the path since any peer can be used. dbus (send) bus={session,system} interface=org.freedesktop.DBus.Peer member=GetMachineId peer=(label=unconfined), # Allow clients to get properties of systemd (the manager) and # units dbus (send) bus=system interface=org.freedesktop.DBus.Properties path=/org/freedesktop/systemd1{,/*} member=Get{,All} peer=(label=unconfined), # Allow clients to explicitly list units with some of their details (path, # status) and get unit path, see # https://www.freedesktop.org/wiki/Software/systemd/dbus/ for details dbus (send) bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member={GetUnit,ListUnits} peer=(label=unconfined), # Allow reading if protected hardlinks are enabled, but don't allow enabling or # disabling them @{PROC}/sys/fs/protected_hardlinks r, @{PROC}/sys/fs/protected_symlinks r, @{PROC}/sys/fs/protected_fifos r, @{PROC}/sys/fs/protected_regular r, # allow use of user namespaces userns, # While commands like 'ps', 'ip netns identify <pid>', 'ip netns pids foo', etc # trigger a 'ptrace (trace)' denial, they aren't actually tracing other # processes. Unfortunately, the kernel overloads trace such that the LSMs are # unable to distinguish between tracing other processes and other accesses. # ptrace (trace) can be used to break out of the seccomp sandbox unless the # kernel has 93e35efb8de45393cf61ed07f7b407629bf698ea (in 4.8+). Until snapd # has full ptrace support conditional on kernel support, explicitly deny to # silence noisy denials/avoid confusion and accidentally giving away this # dangerous access frivolously. deny ptrace (trace), deny capability sys_ptrace, } ��snap.lxd.lxc��0000644��00000067421�15027571546�0007031 0��ustar�00�� # vim:syntax=apparmor #include <tunables/global> #include if exists "/etc/apparmor.d/tunables/home.d" #include if exists "/var/lib/snapd/apparmor/snap-tuning" # snapd supports the concept of 'parallel installs' where snaps with the same # name are differentiated by '_<instance>' such that foo, foo_bar and foo_baz # may all be installed on the system. To support this, SNAP_NAME is set to the # name (eg, 'foo') while SNAP_INSTANCE_NAME is set to the instance name (eg # 'foo_bar'). The profile name and most rules therefore reference # SNAP_INSTANCE_NAME. In some cases, snapd will adjust the snap's runtime # environment so the snap doesn't have to be aware of the distinction (eg, # SNAP, SNAP_DATA and SNAP_COMMON are all bind mounted onto a directory with # SNAP_NAME so the security policy will allow writing to both locations (since # they are equivalent). # This is a snap name without the instance key @{SNAP_NAME}="lxd" # This is a snap name with instance key @{SNAP_INSTANCE_NAME}="lxd" @{SNAP_INSTANCE_DESKTOP}="lxd" @{SNAP_COMMAND_NAME}="lxc" @{SNAP_REVISION}="31333" @{PROFILE_DBUS}="snap_2elxd_2elxc" @{INSTALL_DIR}="/{,var/lib/snapd/}snap" profile "snap.lxd.lxc" flags=(attach_disconnected,mediate_deleted) { #include <abstractions/base> #include <abstractions/consoles> #include <abstractions/openssl> # While in later versions of the base abstraction, include this explicitly # for series 16 and cross-distro /etc/ld.so.preload r, # The base abstraction doesn't yet have this /etc/sysconfig/clock r, owner @{PROC}/@{pid}/maps k, # /proc/XXXX/map_files contains the same info than /proc/XXXX/maps, but # in a format that is simpler to manage, because it doesn't require to # parse the text data inside a file, but just reading the contents of # a directory. # Reading /proc/XXXX/maps is already allowed in the base template # via <abstractions/base>. Also, only the owner can read it, and the # kernel limits access to it by requiring 'ptrace' enabled, so allowing # to access /proc/XXXX/map_files can be considered secure too. owner @{PROC}/@{pid}/map_files/ r, # While the base abstraction has rules for encryptfs encrypted home and # private directories, it is missing rules for directory read on the toplevel # directory of the mount (LP: #1848919) owner @{HOME}/.Private/ r, owner @{HOMEDIRS}/.ecryptfs//.Private/ r, # for python apps/services #include <abstractions/python> /etc/python3.[0-9]/* r, # explicitly deny noisy denials to read-only filesystems (see LP: #1496895 # for details) deny /usr/lib/python3/{,/}__pycache__/ w, deny /usr/lib/python3/{,/}__pycache__/.pyc.[0-9]* w, # bind mount used here (see 'parallel installs', above) deny @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}//__pycache__/ w, deny @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}//__pycache__/.pyc.[0-9] w, # for perl apps/services #include <abstractions/perl> # Missing from perl abstraction /usr/lib/@{multiarch}/perl{,5,-base}/auto/*.so mr, # Note: the following dangerous accesses should not be allowed in most # policy, but we cannot explicitly deny since other trusted interfaces might # add them. # Explicitly deny ptrace for now since it can be abused to break out of the # seccomp sandbox. https://lkml.org/lkml/2015/3/18/823 #audit deny ptrace (trace), # Explicitly deny capability mknod so apps can't create devices #audit deny capability mknod, # Explicitly deny mount, remount and umount so apps can't modify things in # their namespace #audit deny mount, #audit deny remount, #audit deny umount, # End dangerous accesses # Note: this potentially allows snaps to DoS other snaps via resource # exhaustion but we can't sensibly mediate this today. In the future we may # employ cgroup limits, AppArmor rlimit mlock rules or something else. capability ipc_lock, # for bash 'binaries' (do not use abstractions/bash) # user-specific bash files /etc/bash.bashrc r, /etc/inputrc r, /etc/environment r, /etc/profile r, # user/group/seat lookups /etc/{passwd,group,nsswitch.conf} r, # very common /var/lib/extrausers/{passwd,group} r, /run/systemd/users/[0-9]* r, /etc/default/nss r, # libnss-systemd (subset from nameservice abstraction) # # https://systemd.io/USER_GROUP_API/ # https://systemd.io/USER_RECORD/ # https://www.freedesktop.org/software/systemd/man/nss-systemd.html # # Allow User/Group lookups via common VarLink socket APIs. Applications need # to either consult all of them or the io.systemd.Multiplexer frontend. /run/systemd/userdb/ r, /run/systemd/userdb/io.systemd.Multiplexer rw, /run/systemd/userdb/io.systemd.DynamicUser rw, # systemd-exec users /run/systemd/userdb/io.systemd.Home rw, # systemd-home dirs /run/systemd/userdb/io.systemd.NameServiceSwitch rw, # UNIX/glibc NSS /run/systemd/userdb/io.systemd.Machine rw, # systemd-machined /etc/libnl-3/{classid,pktloc} r, # apps that use libnl # For snappy reexec on 4.8+ kernels /usr/lib/snapd/snap-exec m, # For gdb support /usr/lib/snapd/snap-gdb-shim ixr, /usr/lib/snapd/snap-gdbserver-shim ixr, # For in-snap tab completion /etc/bash_completion.d/{,} r, /usr/lib/snapd/etelpmoc.sh ixr, # marshaller (see complete.sh for out-of-snap unmarshal) /usr/share/bash-completion/bash_completion r, # user-provided completions (run in-snap) may use functions from here # uptime @{PROC}/uptime r, @{PROC}/loadavg r, # Allow reading /etc/os-release. On Ubuntu 16.04+ it is a symlink to /usr/lib # which is allowed by the base abstraction, but on 14.04 it is an actual file # so need to add it here. Also allow read locks on the file. /etc/os-release rk, /usr/lib/os-release k, # Debian version of the host OS which might be required in AppArmor-secured Debian /etc/debian_version r, # systemd native journal API (see sd_journal_print(4)). This should be in # AppArmor's base abstraction, but until it is, include here. We include # the base journal path as well as the journal namespace pattern path. Each # journal namespace for quota groups will be prefixed with 'snap-'. /run/systemd/journal{,.snap-}/socket w, /run/systemd/journal{,.snap-}/stdout rw, # 'r' shouldn't be needed, but journald # doesn't leak anything so allow /run/systemd/journal{,.snap-}/dev-log w, # snapctl and its requirements /usr/bin/snapctl ixr, /usr/lib/snapd/snapctl ixr, @{PROC}/sys/net/core/somaxconn r, /run/snapd-snap.socket rw, # Note: for now, don't explicitly deny this noisy denial so --devmode isn't # broken but eventually we may conditionally deny this since it is an # information leak. #deny /{,var/}run/utmp r, # java @{PROC}/@{pid}/ r, @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/auxv r, @{PROC}/sys/vm/zone_reclaim_mode r, /etc/lsb-release r, /sys/devices//read_ahead_kb r, /sys/devices/system/cpu/ r, /sys/devices/system/node/node[0-9]/ r, /sys/kernel/mm/transparent_hugepage/enabled r, /sys/kernel/mm/transparent_hugepage/defrag r, # NOTE: this leaks running process but java seems to want it (even though it # seems to operate ok without it) and SDL apps crash without it. Allow owner # match until AppArmor kernel var is available to solve this properly (see # LP: #1546825 for details). comm is a subset of cmdline, so allow it too. owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/comm r, # Per man(5) proc, the kernel enforces that a thread may only modify its comm # value or those in its thread group. owner @{PROC}/@{pid}/task/@{tid}/comm rw, # Allow reading and writing to our file descriptors in /proc which, for # example, allow access to /dev/std{in,out,err} which are all symlinks to # /proc/self/fd/{0,1,2} respectively. To support the open(..., O_TMPFILE) # linkat() temporary file technique, allow all fds. Importantly, access to # another task's fd via this proc interface is mediated via 'ptrace (read)' # (readonly) and 'ptrace (trace)' (read/write) which is denied by default, so # this rule by itself doesn't allow opening another snap's fds via proc. owner @{PROC}/@{pid}/{,task/@{tid}}fd/[0-9]* rw, # Miscellaneous accesses /dev/{,u}random w, /etc/machine-id r, /etc/mime.types r, /etc/default/keyboard r, @{PROC}/ r, @{PROC}/version r, @{PROC}/version_signature r, /etc/{,writable/}hostname r, /etc/{,writable/}localtime r, /etc/{,writable/}mailname r, /etc/{,writable/}timezone r, owner @{PROC}/@{pid}/cgroup rk, @{PROC}/@{pid}/cpuset r, @{PROC}/@{pid}/io r, owner @{PROC}/@{pid}/fdinfo/* r, owner @{PROC}/@{pid}/limits r, owner @{PROC}/@{pid}/loginuid r, owner @{PROC}/@{pid}/sessionid r, @{PROC}/@{pid}/smaps r, @{PROC}/@{pid}/stat r, @{PROC}/@{pid}/statm r, @{PROC}/@{pid}/status r, @{PROC}/@{pid}/task/ r, @{PROC}/@{pid}/task/[0-9]/smaps r, @{PROC}/@{pid}/task/[0-9]/stat r, @{PROC}/@{pid}/task/[0-9]/statm r, @{PROC}/@{pid}/task/[0-9]/status r, @{PROC}/sys/fs/pipe-max-size r, @{PROC}/sys/kernel/hostname r, @{PROC}/sys/kernel/osrelease r, @{PROC}/sys/kernel/ostype r, @{PROC}/sys/kernel/pid_max r, @{PROC}/sys/kernel/yama/ptrace_scope r, @{PROC}/sys/kernel/shmmax r, # Allow apps to introspect the level of dbus mediation AppArmor implements. /sys/kernel/security/apparmor/features/dbus/mask r, @{PROC}/sys/fs/file-max r, @{PROC}/sys/fs/file-nr r, @{PROC}/sys/fs/inotify/max_* r, @{PROC}/sys/kernel/pid_max r, @{PROC}/sys/kernel/random/boot_id r, @{PROC}/sys/kernel/random/entropy_avail r, @{PROC}/sys/kernel/random/uuid r, @{PROC}/sys/kernel/cap_last_cap r, # Allow access to the uuidd daemon (this daemon is a thin wrapper around # time and getrandom()/{,u}random and, when available, runs under an # unprivilged, dedicated user). /run/uuidd/request rw, /sys/devices/virtual/tty/{console,tty}/active r, /sys/fs/cgroup/memory/{,user.slice/}memory.limit_in_bytes r, /sys/fs/cgroup/memory/{,/}snap.@{SNAP_INSTANCE_NAME}{,.}/memory.limit_in_bytes r, /sys/fs/cgroup/memory/{,*/}snap.@{SNAP_INSTANCE_NAME}{,.}/memory.stat r, /sys/fs/cgroup/system.slice/snap.@{SNAP_INSTANCE_NAME}{,.}/memory.max r, /sys/fs/cgroup/cpu,cpuacct/{,user.slice/}cpu.cfs_{period,quota}_us r, /sys/fs/cgroup/cpu,cpuacct/{,/}snap.@{SNAP_INSTANCE_NAME}{,.}/cpu.cfs_{period,quota}_us r, /sys/fs/cgroup/cpu,cpuacct/{,user.slice/}cpu.shares r, /sys/fs/cgroup/cpu,cpuacct/{,*/}snap.@{SNAP_INSTANCE_NAME}{,.}/cpu.shares r, /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r, /sys/module/apparmor/parameters/enabled r, /{,usr/}lib/ r, # Reads of oom_adj and oom_score_adj are safe owner @{PROC}/@{pid}/oom_{,score_}adj r, # Note: for now, don't explicitly deny write access so --devmode isn't broken # but eventually we may conditionally deny this since it allows the process # to increase the oom heuristic of other processes (make them more likely to # be killed). Once AppArmor kernel var is available to solve this properly, # this can safely be allowed since non-root processes won't be able to # decrease the value and root processes will only be able to with # 'capability sys_resource,' which we deny be default. # deny owner @{PROC}/@{pid}/oom_{,score_}adj w, # Eases hardware assignment (doesn't give anything away) /etc/udev/udev.conf r, /sys/ r, /sys/bus/ r, /sys/class/ r, # this leaks interface names and stats, but not in a way that is traceable # to the user/device @{PROC}/net/dev r, @{PROC}/@{pid}/net/dev r, # Read-only of this snap /var/lib/snapd/snaps/@{SNAP_NAME}_.snap r, # Read-only of snapd restart state for snapctl specifically /var/lib/snapd/maintenance.json r, # Read-only for the install directory # bind mount used here (see 'parallel installs', above) @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/ r, @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}}/ r, @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}}/* mrklix, # Read-only install directory for other revisions to help with bugs like # LP: #1616650 and LP: #1655992 @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/** mrkix, # Read-only home area for other versions # bind mount not used here (see 'parallel installs', above) owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/ r, owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/ mrkix, # Experimental snap folder changes owner @{HOME}/.snap/data/@{SNAP_INSTANCE_NAME}/ r, owner @{HOME}/.snap/data/@{SNAP_INSTANCE_NAME}/ mrkix, owner @{HOME}/.snap/data/@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}/ wl, owner @{HOME}/.snap/data/@{SNAP_INSTANCE_NAME}/common/ wl, owner @{HOME}/Snap/@{SNAP_INSTANCE_NAME}/ r, owner @{HOME}/Snap/@{SNAP_INSTANCE_NAME}/** mrkixwl, # Writable home area for this version. # bind mount not used here (see 'parallel installs', above) owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}/ wl, owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/common/ wl, # Read-only system area for other versions # bind mount used here (see 'parallel installs', above) /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/ r, /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/ mrkix, # Writable system area only for this version # bind mount used here (see 'parallel installs', above) /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/@{SNAP_REVISION}/ wl, /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/common/ wl, # The snap-confine program creates an app-specific private restricted /tmp # and will fail to launch the app if something goes wrong. As such, we can # simply allow full access to /tmp. /tmp/ r, /tmp/ mrwlkix, # App-specific access to files and directories in /dev/shm. We allow file # access in /dev/shm for shm_open() and files in subdirectories for open() # bind mount not used here (see 'parallel installs', above) /{dev,run}/shm/snap.@{SNAP_INSTANCE_NAME}.** mrwlkix, # Also allow app-specific access for sem_open() /{dev,run}/shm/sem.snap.@{SNAP_INSTANCE_NAME}.* mrwlk, # Snap-specific XDG_RUNTIME_DIR that is based on the UID of the user # bind mount not used here (see 'parallel installs', above) owner /run/user/[0-9]/snap.@{SNAP_INSTANCE_NAME}/ rw, owner /run/user/[0-9]/snap.@{SNAP_INSTANCE_NAME}/ mrwklix, # Allow apps from the same package to communicate with each other via an # abstract or anonymous socket unix (bind, listen) addr="@snap.@{SNAP_INSTANCE_NAME}.", unix peer=(label=snap.@{SNAP_INSTANCE_NAME}.), # Allow apps from the same package to communicate with each other via DBus. # Note: this does not grant access to the DBus sockets of well known buses # (will still need to use an appropriate interface for that). dbus (receive, send) peer=(label=snap.@{SNAP_INSTANCE_NAME}.), # In addition to the above, dbus-run-session attempts reading these files # from the snap base runtime. /usr/share/dbus-1/services/{,} r, /usr/share/dbus-1/system-services/{,} r, # Allow apps to perform DBus introspection on org.freedesktop.DBus for both # the system and session buses. # Note: this does not grant access to the DBus sockets of these buses, but # we grant it here since it is missing from the dbus abstractions # (LP: #1866168) dbus (send) bus={session,system} path=/org/freedesktop/DBus interface=org.freedesktop.DBus.Introspectable member=Introspect peer=(label=unconfined), # Allow apps from the same package to signal each other via signals signal peer=snap.@{SNAP_INSTANCE_NAME}., # Allow receiving signals from all snaps (and focus on mediating sending of # signals) signal (receive) peer=snap., # Allow receiving signals from unconfined (eg, systemd) signal (receive) peer=unconfined, # for 'udevadm trigger --verbose --dry-run --tag-match=snappy-assign' /{,usr/}{,s}bin/udevadm ixr, /etc/udev/udev.conf r, /{,var/}run/udev/tags/snappy-assign/ r, @{PROC}/cmdline r, /sys/devices/*/uevent r, # LP: #1447237: adding '--property-match=SNAPPY_APP=<pkgname>' to the above # requires: # /run/udev/data/ r, # but that reveals too much about the system and cannot be granted to apps # by default at this time. # For convenience, allow apps to see what is in /dev even though cgroups # will block most access /dev/ r, /dev// r, # Allow setting up pseudoterminal via /dev/pts system. This is safe because # the launcher uses a per-app devpts newinstance. /dev/ptmx rw, # Do the same with /sys/devices and /sys/class to help people using hw-assign /sys/devices/ r, /sys/devices// r, /sys/class/ r, /sys/class/*/ r, # Allow all snaps to chroot capability sys_chroot, # Lttng tracing is very noisy and should not be allowed by confined apps. Can # safely deny for the normal case (LP: #1260491). If/when an lttng-trace # interface is needed, we can rework this. deny /{dev,run,var/run}/shm/lttng-ust- rw, # Allow read-access on /home/ for navigating to other parts of the # filesystem. While this allows enumerating users, this is already allowed # via /etc/passwd and getent. @{HOMEDIRS}/ r, # Allow read-access to / for navigating to other parts of the filesystem. / r, # Snap-specific run directory. Bind mount not used here # (see 'parallel installs', above) /run/snap.@{SNAP_INSTANCE_NAME}/ rw, /run/snap.@{SNAP_INSTANCE_NAME}/ mrwklix, # Snap-specific lock directory and prerequisite navigation permissions. /run/lock/ r, /run/lock/snap.@{SNAP_INSTANCE_NAME}/ rw, /run/lock/snap.@{SNAP_INSTANCE_NAME}/ mrwklix, # Default rules for core base runtimes # The base abstraction doesn't yet have this /{,usr/}lib/terminfo/ rk, /usr/share/terminfo/ k, /usr/share/zoneinfo/** k, # for python apps/services /usr/bin/python{,2,2.[0-9],3,3.[0-9]} ixr, # additional accesses needed for newer pythons in later bases /usr/lib{,32,64}/python3.[0-9]/.{pyc,so} mr, /usr/lib{,32,64}/python3.[0-9]/*.{egg,py,pth} r, /usr/lib{,32,64}/python3.[0-9]/{site,dist}-packages/ r, /usr/lib{,32,64}/python3.[0-9]/lib-dynload/.so mr, /usr/include/python3.[0-9]/pyconfig.h r, # for perl apps/services /usr/bin/perl{,5} ixr, # AppArmor <2.12 doesn't have rules for perl-base, so add them here /usr/lib/@{multiarch}/perl{,5,-base}/** r, /usr/lib/@{multiarch}/perl{,5,-base}/[0-9]/.so mr, # for bash 'binaries' (do not use abstractions/bash) # user-specific bash files /{,usr/}bin/bash ixr, /{,usr/}bin/dash ixr, /usr/share/terminfo/** r, # Common utilities for shell scripts /{,usr/}bin/arch ixr, /{,usr/}bin/{,g,m}awk ixr, /{,usr/}bin/base32 ixr, /{,usr/}bin/base64 ixr, /{,usr/}bin/basename ixr, /{,usr/}bin/bunzip2 ixr, /{,usr/}bin/busctl ixr, /{,usr/}bin/bzcat ixr, /{,usr/}bin/bzdiff ixr, /{,usr/}bin/bzgrep ixr, /{,usr/}bin/bzip2 ixr, /{,usr/}bin/cat ixr, /{,usr/}bin/chgrp ixr, /{,usr/}bin/chmod ixr, /{,usr/}bin/chown ixr, /{,usr/}bin/clear ixr, /{,usr/}bin/cmp ixr, /{,usr/}bin/cp ixr, /{,usr/}bin/cpio ixr, /{,usr/}bin/cut ixr, /{,usr/}bin/date ixr, /{,usr/}bin/dbus-daemon ixr, /{,usr/}bin/dbus-run-session ixr, /{,usr/}bin/dbus-send ixr, /{,usr/}bin/dd ixr, /{,usr/}bin/diff{,3} ixr, /{,usr/}bin/dir ixr, /{,usr/}bin/dirname ixr, /{,usr/}bin/du ixr, /{,usr/}bin/echo ixr, /{,usr/}bin/{,e,f,r}grep ixr, /{,usr/}bin/env ixr, /{,usr/}bin/expr ixr, /{,usr/}bin/false ixr, /{,usr/}bin/find ixr, /{,usr/}bin/flock ixr, /{,usr/}bin/fmt ixr, /{,usr/}bin/fold ixr, /{,usr/}bin/getconf ixr, /{,usr/}bin/getent ixr, /{,usr/}bin/getopt ixr, /{,usr/}bin/groups ixr, /{,usr/}bin/gzip ixr, /{,usr/}bin/head ixr, /{,usr/}bin/hostname ixr, /{,usr/}bin/id ixr, /{,usr/}bin/igawk ixr, /{,usr/}bin/infocmp ixr, /{,usr/}bin/kill ixr, /{,usr/}bin/ldd ixr, /{usr/,}lib{,32,64}/ld{,32,64}-.so ix, /{usr/,}lib/@{multiarch}/ld{,32,64}-.so* ix, /{,usr/}bin/less{,file,pipe} ixr, /{,usr/}bin/ln ixr, /{,usr/}bin/line ixr, /{,usr/}bin/link ixr, /{,usr/}bin/locale ixr, /{,usr/}bin/logger ixr, /{,usr/}bin/ls ixr, /{,usr/}bin/md5sum ixr, /{,usr/}bin/mkdir ixr, /{,usr/}bin/mkfifo ixr, /{,usr/}bin/mknod ixr, /{,usr/}bin/mktemp ixr, /{,usr/}bin/more ixr, /{,usr/}bin/mv ixr, /{,usr/}bin/nice ixr, /{,usr/}bin/nohup ixr, /{,usr/}bin/numfmt ixr, /{,usr/}bin/od ixr, /{,usr/}bin/openssl ixr, # may cause harmless capability block_suspend denial /{,usr/}bin/paste ixr, /{,usr/}bin/pgrep ixr, /{,usr/}bin/printenv ixr, /{,usr/}bin/printf ixr, /{,usr/}bin/ps ixr, /{,usr/}bin/pwd ixr, /{,usr/}bin/readlink ixr, /{,usr/}bin/realpath ixr, /{,usr/}bin/rev ixr, /{,usr/}bin/rm ixr, /{,usr/}bin/rmdir ixr, /{,usr/}bin/run-parts ixr, /{,usr/}bin/sed ixr, /{,usr/}bin/seq ixr, /{,usr/}bin/setpriv ixr, /{,usr/}bin/sha{1,224,256,384,512}sum ixr, /{,usr/}bin/shuf ixr, /{,usr/}bin/sleep ixr, /{,usr/}bin/sort ixr, /{,usr/}bin/stat ixr, /{,usr/}bin/stdbuf ixr, /{,usr/}bin/stty ixr, /{,usr/}bin/sync ixr, /{,usr/}bin/systemd-cat ixr, /{,usr/}bin/tac ixr, /{,usr/}bin/tail ixr, /{,usr/}bin/tar ixr, /{,usr/}bin/tee ixr, /{,usr/}bin/test ixr, /{,usr/}bin/tempfile ixr, /{,usr/}bin/tset ixr, /{,usr/}bin/touch ixr, /{,usr/}bin/tput ixr, /{,usr/}bin/tr ixr, /{,usr/}bin/true ixr, /{,usr/}bin/tty ixr, /{,usr/}bin/uname ixr, /{,usr/}bin/uniq ixr, /{,usr/}bin/unlink ixr, /{,usr/}bin/unxz ixr, /{,usr/}bin/unzip ixr, /{,usr/}bin/uptime ixr, /{,usr/}bin/vdir ixr, /{,usr/}bin/vim.tiny ixr, /{,usr/}bin/wc ixr, /{,usr/}bin/which{,.debianutils} ixr, /{,usr/}bin/xargs ixr, /{,usr/}bin/xz ixr, /{,usr/}bin/yes ixr, /{,usr/}bin/zcat ixr, /{,usr/}bin/z{,e,f}grep ixr, /{,usr/}bin/zip ixr, /{,usr/}bin/zipgrep ixr, # lsb-release /usr/bin/lsb_release ixr, /usr/bin/ r, /usr/share/distro-info/.csv r, # For printing the cache (we don't allow updating the cache) /{,usr/}sbin/ldconfig{,.real} ixr, # Allow all snaps to chroot /{,usr/}sbin/chroot ixr, # Description: Can change to any apparmor profile (including unconfined) thus # giving access to all resources of the system so LXD may manage what to give # to its containers. This gives device ownership to connected snaps. @{PROC}//attr/{,apparmor/}current r, /{,usr/}{,s}bin/aa-exec ux, # Allow discovering the os-release of the host /var/lib/snapd/hostfs/{etc,usr/lib}/os-release r, # Description: Can query system status information. This is restricted because # it gives privileged read access to all processes on the system and should # only be used with trusted apps. # Needed by 'ps' @{PROC}/tty/drivers r, # This ptrace is an information leak. Intentionlly omit 'ptrace (trace)' here # since since ps doesn't actually need to trace other processes. Note this # allows a number of accesses (assuming the associated /proc file is allowed), # such as various memory address locations and esp/eip via /proc//stat, # /proc//mem, /proc//personality, /proc//stack, /proc//syscall, # /proc//timerslack_ns and /proc//wchan (see man proc). # # Some files like /proc/kallsyms (but anything using %pK format specifier) need # 'capability syslog' when /proc/sys/kernel/kptr_restrict=1, but we # intentionally do not allow since it could be used to defeat KASLR. ptrace (read), # Other miscellaneous accesses for observing the system @{PROC}/cgroups r, @{PROC}/locks r, @{PROC}/modules r, @{PROC}/mdstat r, @{PROC}/schedstat r, @{PROC}/stat r, @{PROC}/vmstat r, @{PROC}/zoneinfo r, @{PROC}/diskstats r, @{PROC}/kallsyms r, @{PROC}/partitions r, @{PROC}/pressure/cpu r, @{PROC}/pressure/io r, @{PROC}/pressure/memory r, @{PROC}/sys/kernel/panic r, @{PROC}/sys/kernel/panic_on_oops r, @{PROC}/sys/kernel/sched_autogroup_enabled r, @{PROC}/sys/vm/max_map_count r, @{PROC}/sys/vm/panic_on_oom r, @{PROC}/sys/vm/swappiness r, # These are not process-specific (/proc//... and /proc//task//...) @{PROC}//{,task/,task//} r, @{PROC}//{,task//}autogroup r, @{PROC}//{,task//}auxv r, @{PROC}//{,task//}cgroup r, @{PROC}//{,task//}cmdline r, @{PROC}//{,task//}comm r, @{PROC}//{,task//}exe r, @{PROC}//{,task//}fdinfo/ r, @{PROC}//{,task//}io r, @{PROC}//{,task//}oom_score r, # allow reading of smaps_rollup, which is a summary of the memory use of a process, # but not smaps which contains a detailed mappings breakdown like # /proc/self/maps, which we do not allow access to for other processes @{PROC}//{,task//}smaps_rollup r, @{PROC}//{,task//}schedstat r, @{PROC}//{,task//}stat r, @{PROC}//{,task//}statm r, @{PROC}//{,task//}status r, @{PROC}//{,task//}wchan r, # Allow reading processes security label @{PROC}//{,task//}attr/{,apparmor/}current r, # Allow discovering the os-release of the host /var/lib/snapd/hostfs/etc/os-release rk, /var/lib/snapd/hostfs/usr/lib/os-release rk, # Allow discovering the Kernel build config @{PROC}/config.gz r, /boot/config* r, # Allow discovering system-wide CFS Bandwidth Control information # https://www.kernel.org/doc/html/latest/scheduler/sched-bwc.html /sys/fs/cgroup/cpu,cpuacct/cpu.cfs_period_us r, /sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r, /sys/fs/cgroup/cpu,cpuacct/cpu.shares r, /sys/fs/cgroup/cpu,cpuacct/cpu.stat r, /sys/fs/cgroup/memory/memory.stat r, #include <abstractions/dbus-strict> # do not use peer=(label=unconfined) here since this is DBus activated dbus (send) bus=system path=/org/freedesktop/hostname1 interface=org.freedesktop.DBus.Properties member=Get{,All}, # Allow clients to introspect hostname1 # do not use peer=(label=unconfined) here since this is DBus activated dbus (send) bus=system path=/org/freedesktop/hostname1 interface=org.freedesktop.DBus.Introspectable member=Introspect, # Allow clients to enumerate DBus connection names on common buses dbus (send) bus={session,system} path={/,/org/freedesktop/DBus} interface=org.freedesktop.DBus member={ListNames,ListActivatableNames} peer=(label=unconfined), # Allow clients to obtain the DBus machine ID on common buses. We do not # mediate the path since any peer can be used. dbus (send) bus={session,system} interface=org.freedesktop.DBus.Peer member=GetMachineId peer=(label=unconfined), # Allow clients to get properties of systemd (the manager) and # units dbus (send) bus=system interface=org.freedesktop.DBus.Properties path=/org/freedesktop/systemd1{,/*} member=Get{,All} peer=(label=unconfined), # Allow clients to explicitly list units with some of their details (path, # status) and get unit path, see # https://www.freedesktop.org/wiki/Software/systemd/dbus/ for details dbus (send) bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member={GetUnit,ListUnits} peer=(label=unconfined), # Allow reading if protected hardlinks are enabled, but don't allow enabling or # disabling them @{PROC}/sys/fs/protected_hardlinks r, @{PROC}/sys/fs/protected_symlinks r, @{PROC}/sys/fs/protected_fifos r, @{PROC}/sys/fs/protected_regular r, # allow use of user namespaces userns, # While commands like 'ps', 'ip netns identify <pid>', 'ip netns pids foo', etc # trigger a 'ptrace (trace)' denial, they aren't actually tracing other # processes. Unfortunately, the kernel overloads trace such that the LSMs are # unable to distinguish between tracing other processes and other accesses. # ptrace (trace) can be used to break out of the seccomp sandbox unless the # kernel has 93e35efb8de45393cf61ed07f7b407629bf698ea (in 4.8+). Until snapd # has full ptrace support conditional on kernel support, explicitly deny to # silence noisy denials/avoid confusion and accidentally giving away this # dangerous access frivolously. deny ptrace (trace), deny capability sys_ptrace, } ��snap.lxd.hook.install��0000644��00000055463�15027571546�0010653 0��ustar�00�� # vim:syntax=apparmor #include <tunables/global> #include if exists "/etc/apparmor.d/tunables/home.d" #include if exists "/var/lib/snapd/apparmor/snap-tuning" # snapd supports the concept of 'parallel installs' where snaps with the same # name are differentiated by '_<instance>' such that foo, foo_bar and foo_baz # may all be installed on the system. To support this, SNAP_NAME is set to the # name (eg, 'foo') while SNAP_INSTANCE_NAME is set to the instance name (eg # 'foo_bar'). The profile name and most rules therefore reference # SNAP_INSTANCE_NAME. In some cases, snapd will adjust the snap's runtime # environment so the snap doesn't have to be aware of the distinction (eg, # SNAP, SNAP_DATA and SNAP_COMMON are all bind mounted onto a directory with # SNAP_NAME so the security policy will allow writing to both locations (since # they are equivalent). # This is a snap name without the instance key @{SNAP_NAME}="lxd" # This is a snap name with instance key @{SNAP_INSTANCE_NAME}="lxd" @{SNAP_INSTANCE_DESKTOP}="lxd" @{SNAP_COMMAND_NAME}="hook.install" @{SNAP_REVISION}="31333" @{PROFILE_DBUS}="snap_2elxd_2ehook_2einstall" @{INSTALL_DIR}="/{,var/lib/snapd/}snap" profile "snap.lxd.hook.install" flags=(attach_disconnected,mediate_deleted) { #include <abstractions/base> #include <abstractions/consoles> #include <abstractions/openssl> # While in later versions of the base abstraction, include this explicitly # for series 16 and cross-distro /etc/ld.so.preload r, # The base abstraction doesn't yet have this /etc/sysconfig/clock r, owner @{PROC}/@{pid}/maps k, # /proc/XXXX/map_files contains the same info than /proc/XXXX/maps, but # in a format that is simpler to manage, because it doesn't require to # parse the text data inside a file, but just reading the contents of # a directory. # Reading /proc/XXXX/maps is already allowed in the base template # via <abstractions/base>. Also, only the owner can read it, and the # kernel limits access to it by requiring 'ptrace' enabled, so allowing # to access /proc/XXXX/map_files can be considered secure too. owner @{PROC}/@{pid}/map_files/ r, # While the base abstraction has rules for encryptfs encrypted home and # private directories, it is missing rules for directory read on the toplevel # directory of the mount (LP: #1848919) owner @{HOME}/.Private/ r, owner @{HOMEDIRS}/.ecryptfs//.Private/ r, # for python apps/services #include <abstractions/python> /etc/python3.[0-9]/* r, # explicitly deny noisy denials to read-only filesystems (see LP: #1496895 # for details) deny /usr/lib/python3/{,/}__pycache__/ w, deny /usr/lib/python3/{,/}__pycache__/.pyc.[0-9]* w, # bind mount used here (see 'parallel installs', above) deny @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}//__pycache__/ w, deny @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}//__pycache__/.pyc.[0-9] w, # for perl apps/services #include <abstractions/perl> # Missing from perl abstraction /usr/lib/@{multiarch}/perl{,5,-base}/auto/*.so mr, # Note: the following dangerous accesses should not be allowed in most # policy, but we cannot explicitly deny since other trusted interfaces might # add them. # Explicitly deny ptrace for now since it can be abused to break out of the # seccomp sandbox. https://lkml.org/lkml/2015/3/18/823 #audit deny ptrace (trace), # Explicitly deny capability mknod so apps can't create devices #audit deny capability mknod, # Explicitly deny mount, remount and umount so apps can't modify things in # their namespace #audit deny mount, #audit deny remount, #audit deny umount, # End dangerous accesses # Note: this potentially allows snaps to DoS other snaps via resource # exhaustion but we can't sensibly mediate this today. In the future we may # employ cgroup limits, AppArmor rlimit mlock rules or something else. capability ipc_lock, # for bash 'binaries' (do not use abstractions/bash) # user-specific bash files /etc/bash.bashrc r, /etc/inputrc r, /etc/environment r, /etc/profile r, # user/group/seat lookups /etc/{passwd,group,nsswitch.conf} r, # very common /var/lib/extrausers/{passwd,group} r, /run/systemd/users/[0-9]* r, /etc/default/nss r, # libnss-systemd (subset from nameservice abstraction) # # https://systemd.io/USER_GROUP_API/ # https://systemd.io/USER_RECORD/ # https://www.freedesktop.org/software/systemd/man/nss-systemd.html # # Allow User/Group lookups via common VarLink socket APIs. Applications need # to either consult all of them or the io.systemd.Multiplexer frontend. /run/systemd/userdb/ r, /run/systemd/userdb/io.systemd.Multiplexer rw, /run/systemd/userdb/io.systemd.DynamicUser rw, # systemd-exec users /run/systemd/userdb/io.systemd.Home rw, # systemd-home dirs /run/systemd/userdb/io.systemd.NameServiceSwitch rw, # UNIX/glibc NSS /run/systemd/userdb/io.systemd.Machine rw, # systemd-machined /etc/libnl-3/{classid,pktloc} r, # apps that use libnl # For snappy reexec on 4.8+ kernels /usr/lib/snapd/snap-exec m, # For gdb support /usr/lib/snapd/snap-gdb-shim ixr, /usr/lib/snapd/snap-gdbserver-shim ixr, # For in-snap tab completion /etc/bash_completion.d/{,} r, /usr/lib/snapd/etelpmoc.sh ixr, # marshaller (see complete.sh for out-of-snap unmarshal) /usr/share/bash-completion/bash_completion r, # user-provided completions (run in-snap) may use functions from here # uptime @{PROC}/uptime r, @{PROC}/loadavg r, # Allow reading /etc/os-release. On Ubuntu 16.04+ it is a symlink to /usr/lib # which is allowed by the base abstraction, but on 14.04 it is an actual file # so need to add it here. Also allow read locks on the file. /etc/os-release rk, /usr/lib/os-release k, # Debian version of the host OS which might be required in AppArmor-secured Debian /etc/debian_version r, # systemd native journal API (see sd_journal_print(4)). This should be in # AppArmor's base abstraction, but until it is, include here. We include # the base journal path as well as the journal namespace pattern path. Each # journal namespace for quota groups will be prefixed with 'snap-'. /run/systemd/journal{,.snap-}/socket w, /run/systemd/journal{,.snap-}/stdout rw, # 'r' shouldn't be needed, but journald # doesn't leak anything so allow /run/systemd/journal{,.snap-}/dev-log w, # snapctl and its requirements /usr/bin/snapctl ixr, /usr/lib/snapd/snapctl ixr, @{PROC}/sys/net/core/somaxconn r, /run/snapd-snap.socket rw, # Note: for now, don't explicitly deny this noisy denial so --devmode isn't # broken but eventually we may conditionally deny this since it is an # information leak. #deny /{,var/}run/utmp r, # java @{PROC}/@{pid}/ r, @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/auxv r, @{PROC}/sys/vm/zone_reclaim_mode r, /etc/lsb-release r, /sys/devices//read_ahead_kb r, /sys/devices/system/cpu/ r, /sys/devices/system/node/node[0-9]/ r, /sys/kernel/mm/transparent_hugepage/enabled r, /sys/kernel/mm/transparent_hugepage/defrag r, # NOTE: this leaks running process but java seems to want it (even though it # seems to operate ok without it) and SDL apps crash without it. Allow owner # match until AppArmor kernel var is available to solve this properly (see # LP: #1546825 for details). comm is a subset of cmdline, so allow it too. owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/comm r, # Per man(5) proc, the kernel enforces that a thread may only modify its comm # value or those in its thread group. owner @{PROC}/@{pid}/task/@{tid}/comm rw, # Allow reading and writing to our file descriptors in /proc which, for # example, allow access to /dev/std{in,out,err} which are all symlinks to # /proc/self/fd/{0,1,2} respectively. To support the open(..., O_TMPFILE) # linkat() temporary file technique, allow all fds. Importantly, access to # another task's fd via this proc interface is mediated via 'ptrace (read)' # (readonly) and 'ptrace (trace)' (read/write) which is denied by default, so # this rule by itself doesn't allow opening another snap's fds via proc. owner @{PROC}/@{pid}/{,task/@{tid}}fd/[0-9]* rw, # Miscellaneous accesses /dev/{,u}random w, /etc/machine-id r, /etc/mime.types r, /etc/default/keyboard r, @{PROC}/ r, @{PROC}/version r, @{PROC}/version_signature r, /etc/{,writable/}hostname r, /etc/{,writable/}localtime r, /etc/{,writable/}mailname r, /etc/{,writable/}timezone r, owner @{PROC}/@{pid}/cgroup rk, @{PROC}/@{pid}/cpuset r, @{PROC}/@{pid}/io r, owner @{PROC}/@{pid}/fdinfo/* r, owner @{PROC}/@{pid}/limits r, owner @{PROC}/@{pid}/loginuid r, owner @{PROC}/@{pid}/sessionid r, @{PROC}/@{pid}/smaps r, @{PROC}/@{pid}/stat r, @{PROC}/@{pid}/statm r, @{PROC}/@{pid}/status r, @{PROC}/@{pid}/task/ r, @{PROC}/@{pid}/task/[0-9]/smaps r, @{PROC}/@{pid}/task/[0-9]/stat r, @{PROC}/@{pid}/task/[0-9]/statm r, @{PROC}/@{pid}/task/[0-9]/status r, @{PROC}/sys/fs/pipe-max-size r, @{PROC}/sys/kernel/hostname r, @{PROC}/sys/kernel/osrelease r, @{PROC}/sys/kernel/ostype r, @{PROC}/sys/kernel/pid_max r, @{PROC}/sys/kernel/yama/ptrace_scope r, @{PROC}/sys/kernel/shmmax r, # Allow apps to introspect the level of dbus mediation AppArmor implements. /sys/kernel/security/apparmor/features/dbus/mask r, @{PROC}/sys/fs/file-max r, @{PROC}/sys/fs/file-nr r, @{PROC}/sys/fs/inotify/max_* r, @{PROC}/sys/kernel/pid_max r, @{PROC}/sys/kernel/random/boot_id r, @{PROC}/sys/kernel/random/entropy_avail r, @{PROC}/sys/kernel/random/uuid r, @{PROC}/sys/kernel/cap_last_cap r, # Allow access to the uuidd daemon (this daemon is a thin wrapper around # time and getrandom()/{,u}random and, when available, runs under an # unprivilged, dedicated user). /run/uuidd/request rw, /sys/devices/virtual/tty/{console,tty}/active r, /sys/fs/cgroup/memory/{,user.slice/}memory.limit_in_bytes r, /sys/fs/cgroup/memory/{,/}snap.@{SNAP_INSTANCE_NAME}{,.}/memory.limit_in_bytes r, /sys/fs/cgroup/memory/{,*/}snap.@{SNAP_INSTANCE_NAME}{,.}/memory.stat r, /sys/fs/cgroup/system.slice/snap.@{SNAP_INSTANCE_NAME}{,.}/memory.max r, /sys/fs/cgroup/cpu,cpuacct/{,user.slice/}cpu.cfs_{period,quota}_us r, /sys/fs/cgroup/cpu,cpuacct/{,/}snap.@{SNAP_INSTANCE_NAME}{,.}/cpu.cfs_{period,quota}_us r, /sys/fs/cgroup/cpu,cpuacct/{,user.slice/}cpu.shares r, /sys/fs/cgroup/cpu,cpuacct/{,*/}snap.@{SNAP_INSTANCE_NAME}{,.}/cpu.shares r, /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r, /sys/module/apparmor/parameters/enabled r, /{,usr/}lib/ r, # Reads of oom_adj and oom_score_adj are safe owner @{PROC}/@{pid}/oom_{,score_}adj r, # Note: for now, don't explicitly deny write access so --devmode isn't broken # but eventually we may conditionally deny this since it allows the process # to increase the oom heuristic of other processes (make them more likely to # be killed). Once AppArmor kernel var is available to solve this properly, # this can safely be allowed since non-root processes won't be able to # decrease the value and root processes will only be able to with # 'capability sys_resource,' which we deny be default. # deny owner @{PROC}/@{pid}/oom_{,score_}adj w, # Eases hardware assignment (doesn't give anything away) /etc/udev/udev.conf r, /sys/ r, /sys/bus/ r, /sys/class/ r, # this leaks interface names and stats, but not in a way that is traceable # to the user/device @{PROC}/net/dev r, @{PROC}/@{pid}/net/dev r, # Read-only of this snap /var/lib/snapd/snaps/@{SNAP_NAME}_.snap r, # Read-only of snapd restart state for snapctl specifically /var/lib/snapd/maintenance.json r, # Read-only for the install directory # bind mount used here (see 'parallel installs', above) @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/ r, @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}}/ r, @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}}/* mrklix, # Read-only install directory for other revisions to help with bugs like # LP: #1616650 and LP: #1655992 @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/** mrkix, # Read-only home area for other versions # bind mount not used here (see 'parallel installs', above) owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/ r, owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/ mrkix, # Experimental snap folder changes owner @{HOME}/.snap/data/@{SNAP_INSTANCE_NAME}/ r, owner @{HOME}/.snap/data/@{SNAP_INSTANCE_NAME}/ mrkix, owner @{HOME}/.snap/data/@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}/ wl, owner @{HOME}/.snap/data/@{SNAP_INSTANCE_NAME}/common/ wl, owner @{HOME}/Snap/@{SNAP_INSTANCE_NAME}/ r, owner @{HOME}/Snap/@{SNAP_INSTANCE_NAME}/** mrkixwl, # Writable home area for this version. # bind mount not used here (see 'parallel installs', above) owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}/ wl, owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/common/ wl, # Read-only system area for other versions # bind mount used here (see 'parallel installs', above) /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/ r, /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/ mrkix, # Writable system area only for this version # bind mount used here (see 'parallel installs', above) /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/@{SNAP_REVISION}/ wl, /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/common/ wl, # The snap-confine program creates an app-specific private restricted /tmp # and will fail to launch the app if something goes wrong. As such, we can # simply allow full access to /tmp. /tmp/ r, /tmp/ mrwlkix, # App-specific access to files and directories in /dev/shm. We allow file # access in /dev/shm for shm_open() and files in subdirectories for open() # bind mount not used here (see 'parallel installs', above) /{dev,run}/shm/snap.@{SNAP_INSTANCE_NAME}.** mrwlkix, # Also allow app-specific access for sem_open() /{dev,run}/shm/sem.snap.@{SNAP_INSTANCE_NAME}.* mrwlk, # Snap-specific XDG_RUNTIME_DIR that is based on the UID of the user # bind mount not used here (see 'parallel installs', above) owner /run/user/[0-9]/snap.@{SNAP_INSTANCE_NAME}/ rw, owner /run/user/[0-9]/snap.@{SNAP_INSTANCE_NAME}/ mrwklix, # Allow apps from the same package to communicate with each other via an # abstract or anonymous socket unix (bind, listen) addr="@snap.@{SNAP_INSTANCE_NAME}.", unix peer=(label=snap.@{SNAP_INSTANCE_NAME}.), # Allow apps from the same package to communicate with each other via DBus. # Note: this does not grant access to the DBus sockets of well known buses # (will still need to use an appropriate interface for that). dbus (receive, send) peer=(label=snap.@{SNAP_INSTANCE_NAME}.), # In addition to the above, dbus-run-session attempts reading these files # from the snap base runtime. /usr/share/dbus-1/services/{,} r, /usr/share/dbus-1/system-services/{,} r, # Allow apps to perform DBus introspection on org.freedesktop.DBus for both # the system and session buses. # Note: this does not grant access to the DBus sockets of these buses, but # we grant it here since it is missing from the dbus abstractions # (LP: #1866168) dbus (send) bus={session,system} path=/org/freedesktop/DBus interface=org.freedesktop.DBus.Introspectable member=Introspect peer=(label=unconfined), # Allow apps from the same package to signal each other via signals signal peer=snap.@{SNAP_INSTANCE_NAME}., # Allow receiving signals from all snaps (and focus on mediating sending of # signals) signal (receive) peer=snap., # Allow receiving signals from unconfined (eg, systemd) signal (receive) peer=unconfined, # for 'udevadm trigger --verbose --dry-run --tag-match=snappy-assign' /{,usr/}{,s}bin/udevadm ixr, /etc/udev/udev.conf r, /{,var/}run/udev/tags/snappy-assign/ r, @{PROC}/cmdline r, /sys/devices/*/uevent r, # LP: #1447237: adding '--property-match=SNAPPY_APP=<pkgname>' to the above # requires: # /run/udev/data/ r, # but that reveals too much about the system and cannot be granted to apps # by default at this time. # For convenience, allow apps to see what is in /dev even though cgroups # will block most access /dev/ r, /dev// r, # Allow setting up pseudoterminal via /dev/pts system. This is safe because # the launcher uses a per-app devpts newinstance. /dev/ptmx rw, # Do the same with /sys/devices and /sys/class to help people using hw-assign /sys/devices/ r, /sys/devices// r, /sys/class/ r, /sys/class/*/ r, # Allow all snaps to chroot capability sys_chroot, # Lttng tracing is very noisy and should not be allowed by confined apps. Can # safely deny for the normal case (LP: #1260491). If/when an lttng-trace # interface is needed, we can rework this. deny /{dev,run,var/run}/shm/lttng-ust- rw, # Allow read-access on /home/ for navigating to other parts of the # filesystem. While this allows enumerating users, this is already allowed # via /etc/passwd and getent. @{HOMEDIRS}/ r, # Allow read-access to / for navigating to other parts of the filesystem. / r, # Snap-specific run directory. Bind mount not used here # (see 'parallel installs', above) /run/snap.@{SNAP_INSTANCE_NAME}/ rw, /run/snap.@{SNAP_INSTANCE_NAME}/ mrwklix, # Snap-specific lock directory and prerequisite navigation permissions. /run/lock/ r, /run/lock/snap.@{SNAP_INSTANCE_NAME}/ rw, /run/lock/snap.@{SNAP_INSTANCE_NAME}/ mrwklix, # Default rules for core base runtimes # The base abstraction doesn't yet have this /{,usr/}lib/terminfo/ rk, /usr/share/terminfo/ k, /usr/share/zoneinfo/** k, # for python apps/services /usr/bin/python{,2,2.[0-9],3,3.[0-9]} ixr, # additional accesses needed for newer pythons in later bases /usr/lib{,32,64}/python3.[0-9]/.{pyc,so} mr, /usr/lib{,32,64}/python3.[0-9]/*.{egg,py,pth} r, /usr/lib{,32,64}/python3.[0-9]/{site,dist}-packages/ r, /usr/lib{,32,64}/python3.[0-9]/lib-dynload/.so mr, /usr/include/python3.[0-9]/pyconfig.h r, # for perl apps/services /usr/bin/perl{,5} ixr, # AppArmor <2.12 doesn't have rules for perl-base, so add them here /usr/lib/@{multiarch}/perl{,5,-base}/** r, /usr/lib/@{multiarch}/perl{,5,-base}/[0-9]/.so mr, # for bash 'binaries' (do not use abstractions/bash) # user-specific bash files /{,usr/}bin/bash ixr, /{,usr/}bin/dash ixr, /usr/share/terminfo/** r, # Common utilities for shell scripts /{,usr/}bin/arch ixr, /{,usr/}bin/{,g,m}awk ixr, /{,usr/}bin/base32 ixr, /{,usr/}bin/base64 ixr, /{,usr/}bin/basename ixr, /{,usr/}bin/bunzip2 ixr, /{,usr/}bin/busctl ixr, /{,usr/}bin/bzcat ixr, /{,usr/}bin/bzdiff ixr, /{,usr/}bin/bzgrep ixr, /{,usr/}bin/bzip2 ixr, /{,usr/}bin/cat ixr, /{,usr/}bin/chgrp ixr, /{,usr/}bin/chmod ixr, /{,usr/}bin/chown ixr, /{,usr/}bin/clear ixr, /{,usr/}bin/cmp ixr, /{,usr/}bin/cp ixr, /{,usr/}bin/cpio ixr, /{,usr/}bin/cut ixr, /{,usr/}bin/date ixr, /{,usr/}bin/dbus-daemon ixr, /{,usr/}bin/dbus-run-session ixr, /{,usr/}bin/dbus-send ixr, /{,usr/}bin/dd ixr, /{,usr/}bin/diff{,3} ixr, /{,usr/}bin/dir ixr, /{,usr/}bin/dirname ixr, /{,usr/}bin/du ixr, /{,usr/}bin/echo ixr, /{,usr/}bin/{,e,f,r}grep ixr, /{,usr/}bin/env ixr, /{,usr/}bin/expr ixr, /{,usr/}bin/false ixr, /{,usr/}bin/find ixr, /{,usr/}bin/flock ixr, /{,usr/}bin/fmt ixr, /{,usr/}bin/fold ixr, /{,usr/}bin/getconf ixr, /{,usr/}bin/getent ixr, /{,usr/}bin/getopt ixr, /{,usr/}bin/groups ixr, /{,usr/}bin/gzip ixr, /{,usr/}bin/head ixr, /{,usr/}bin/hostname ixr, /{,usr/}bin/id ixr, /{,usr/}bin/igawk ixr, /{,usr/}bin/infocmp ixr, /{,usr/}bin/kill ixr, /{,usr/}bin/ldd ixr, /{usr/,}lib{,32,64}/ld{,32,64}-.so ix, /{usr/,}lib/@{multiarch}/ld{,32,64}-.so* ix, /{,usr/}bin/less{,file,pipe} ixr, /{,usr/}bin/ln ixr, /{,usr/}bin/line ixr, /{,usr/}bin/link ixr, /{,usr/}bin/locale ixr, /{,usr/}bin/logger ixr, /{,usr/}bin/ls ixr, /{,usr/}bin/md5sum ixr, /{,usr/}bin/mkdir ixr, /{,usr/}bin/mkfifo ixr, /{,usr/}bin/mknod ixr, /{,usr/}bin/mktemp ixr, /{,usr/}bin/more ixr, /{,usr/}bin/mv ixr, /{,usr/}bin/nice ixr, /{,usr/}bin/nohup ixr, /{,usr/}bin/numfmt ixr, /{,usr/}bin/od ixr, /{,usr/}bin/openssl ixr, # may cause harmless capability block_suspend denial /{,usr/}bin/paste ixr, /{,usr/}bin/pgrep ixr, /{,usr/}bin/printenv ixr, /{,usr/}bin/printf ixr, /{,usr/}bin/ps ixr, /{,usr/}bin/pwd ixr, /{,usr/}bin/readlink ixr, /{,usr/}bin/realpath ixr, /{,usr/}bin/rev ixr, /{,usr/}bin/rm ixr, /{,usr/}bin/rmdir ixr, /{,usr/}bin/run-parts ixr, /{,usr/}bin/sed ixr, /{,usr/}bin/seq ixr, /{,usr/}bin/setpriv ixr, /{,usr/}bin/sha{1,224,256,384,512}sum ixr, /{,usr/}bin/shuf ixr, /{,usr/}bin/sleep ixr, /{,usr/}bin/sort ixr, /{,usr/}bin/stat ixr, /{,usr/}bin/stdbuf ixr, /{,usr/}bin/stty ixr, /{,usr/}bin/sync ixr, /{,usr/}bin/systemd-cat ixr, /{,usr/}bin/tac ixr, /{,usr/}bin/tail ixr, /{,usr/}bin/tar ixr, /{,usr/}bin/tee ixr, /{,usr/}bin/test ixr, /{,usr/}bin/tempfile ixr, /{,usr/}bin/tset ixr, /{,usr/}bin/touch ixr, /{,usr/}bin/tput ixr, /{,usr/}bin/tr ixr, /{,usr/}bin/true ixr, /{,usr/}bin/tty ixr, /{,usr/}bin/uname ixr, /{,usr/}bin/uniq ixr, /{,usr/}bin/unlink ixr, /{,usr/}bin/unxz ixr, /{,usr/}bin/unzip ixr, /{,usr/}bin/uptime ixr, /{,usr/}bin/vdir ixr, /{,usr/}bin/vim.tiny ixr, /{,usr/}bin/wc ixr, /{,usr/}bin/which{,.debianutils} ixr, /{,usr/}bin/xargs ixr, /{,usr/}bin/xz ixr, /{,usr/}bin/yes ixr, /{,usr/}bin/zcat ixr, /{,usr/}bin/z{,e,f}grep ixr, /{,usr/}bin/zip ixr, /{,usr/}bin/zipgrep ixr, # lsb-release /usr/bin/lsb_release ixr, /usr/bin/ r, /usr/share/distro-info/.csv r, # For printing the cache (we don't allow updating the cache) /{,usr/}sbin/ldconfig{,.real} ixr, # Allow all snaps to chroot /{,usr/}sbin/chroot ixr, # While commands like 'ps', 'ip netns identify <pid>', 'ip netns pids foo', etc # trigger a 'ptrace (trace)' denial, they aren't actually tracing other # processes. Unfortunately, the kernel overloads trace such that the LSMs are # unable to distinguish between tracing other processes and other accesses. # ptrace (trace) can be used to break out of the seccomp sandbox unless the # kernel has 93e35efb8de45393cf61ed07f7b407629bf698ea (in 4.8+). Until snapd # has full ptrace support conditional on kernel support, explicitly deny to # silence noisy denials/avoid confusion and accidentally giving away this # dangerous access frivolously. deny ptrace (trace), deny capability sys_ptrace, } ��snap.lxd.user-daemon��0000644��00000073163�15027571546�0010462 0��ustar�00�� # vim:syntax=apparmor #include <tunables/global> #include if exists "/etc/apparmor.d/tunables/home.d" #include if exists "/var/lib/snapd/apparmor/snap-tuning" # snapd supports the concept of 'parallel installs' where snaps with the same # name are differentiated by '_<instance>' such that foo, foo_bar and foo_baz # may all be installed on the system. To support this, SNAP_NAME is set to the # name (eg, 'foo') while SNAP_INSTANCE_NAME is set to the instance name (eg # 'foo_bar'). The profile name and most rules therefore reference # SNAP_INSTANCE_NAME. In some cases, snapd will adjust the snap's runtime # environment so the snap doesn't have to be aware of the distinction (eg, # SNAP, SNAP_DATA and SNAP_COMMON are all bind mounted onto a directory with # SNAP_NAME so the security policy will allow writing to both locations (since # they are equivalent). # This is a snap name without the instance key @{SNAP_NAME}="lxd" # This is a snap name with instance key @{SNAP_INSTANCE_NAME}="lxd" @{SNAP_INSTANCE_DESKTOP}="lxd" @{SNAP_COMMAND_NAME}="user-daemon" @{SNAP_REVISION}="31333" @{PROFILE_DBUS}="snap_2elxd_2euser_2ddaemon" @{INSTALL_DIR}="/{,var/lib/snapd/}snap" profile "snap.lxd.user-daemon" flags=(attach_disconnected,mediate_deleted) { #include <abstractions/base> #include <abstractions/consoles> #include <abstractions/openssl> # While in later versions of the base abstraction, include this explicitly # for series 16 and cross-distro /etc/ld.so.preload r, # The base abstraction doesn't yet have this /etc/sysconfig/clock r, owner @{PROC}/@{pid}/maps k, # /proc/XXXX/map_files contains the same info than /proc/XXXX/maps, but # in a format that is simpler to manage, because it doesn't require to # parse the text data inside a file, but just reading the contents of # a directory. # Reading /proc/XXXX/maps is already allowed in the base template # via <abstractions/base>. Also, only the owner can read it, and the # kernel limits access to it by requiring 'ptrace' enabled, so allowing # to access /proc/XXXX/map_files can be considered secure too. owner @{PROC}/@{pid}/map_files/ r, # While the base abstraction has rules for encryptfs encrypted home and # private directories, it is missing rules for directory read on the toplevel # directory of the mount (LP: #1848919) owner @{HOME}/.Private/ r, owner @{HOMEDIRS}/.ecryptfs//.Private/ r, # for python apps/services #include <abstractions/python> /etc/python3.[0-9]/* r, # explicitly deny noisy denials to read-only filesystems (see LP: #1496895 # for details) deny /usr/lib/python3/{,/}__pycache__/ w, deny /usr/lib/python3/{,/}__pycache__/.pyc.[0-9]* w, # bind mount used here (see 'parallel installs', above) deny @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}//__pycache__/ w, deny @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}//__pycache__/.pyc.[0-9] w, # for perl apps/services #include <abstractions/perl> # Missing from perl abstraction /usr/lib/@{multiarch}/perl{,5,-base}/auto/*.so mr, # Note: the following dangerous accesses should not be allowed in most # policy, but we cannot explicitly deny since other trusted interfaces might # add them. # Explicitly deny ptrace for now since it can be abused to break out of the # seccomp sandbox. https://lkml.org/lkml/2015/3/18/823 #audit deny ptrace (trace), # Explicitly deny capability mknod so apps can't create devices #audit deny capability mknod, # Explicitly deny mount, remount and umount so apps can't modify things in # their namespace #audit deny mount, #audit deny remount, #audit deny umount, # End dangerous accesses # Note: this potentially allows snaps to DoS other snaps via resource # exhaustion but we can't sensibly mediate this today. In the future we may # employ cgroup limits, AppArmor rlimit mlock rules or something else. capability ipc_lock, # for bash 'binaries' (do not use abstractions/bash) # user-specific bash files /etc/bash.bashrc r, /etc/inputrc r, /etc/environment r, /etc/profile r, # user/group/seat lookups /etc/{passwd,group,nsswitch.conf} r, # very common /var/lib/extrausers/{passwd,group} r, /run/systemd/users/[0-9]* r, /etc/default/nss r, # libnss-systemd (subset from nameservice abstraction) # # https://systemd.io/USER_GROUP_API/ # https://systemd.io/USER_RECORD/ # https://www.freedesktop.org/software/systemd/man/nss-systemd.html # # Allow User/Group lookups via common VarLink socket APIs. Applications need # to either consult all of them or the io.systemd.Multiplexer frontend. /run/systemd/userdb/ r, /run/systemd/userdb/io.systemd.Multiplexer rw, /run/systemd/userdb/io.systemd.DynamicUser rw, # systemd-exec users /run/systemd/userdb/io.systemd.Home rw, # systemd-home dirs /run/systemd/userdb/io.systemd.NameServiceSwitch rw, # UNIX/glibc NSS /run/systemd/userdb/io.systemd.Machine rw, # systemd-machined /etc/libnl-3/{classid,pktloc} r, # apps that use libnl # For snappy reexec on 4.8+ kernels /usr/lib/snapd/snap-exec m, # For gdb support /usr/lib/snapd/snap-gdb-shim ixr, /usr/lib/snapd/snap-gdbserver-shim ixr, # For in-snap tab completion /etc/bash_completion.d/{,} r, /usr/lib/snapd/etelpmoc.sh ixr, # marshaller (see complete.sh for out-of-snap unmarshal) /usr/share/bash-completion/bash_completion r, # user-provided completions (run in-snap) may use functions from here # uptime @{PROC}/uptime r, @{PROC}/loadavg r, # Allow reading /etc/os-release. On Ubuntu 16.04+ it is a symlink to /usr/lib # which is allowed by the base abstraction, but on 14.04 it is an actual file # so need to add it here. Also allow read locks on the file. /etc/os-release rk, /usr/lib/os-release k, # Debian version of the host OS which might be required in AppArmor-secured Debian /etc/debian_version r, # systemd native journal API (see sd_journal_print(4)). This should be in # AppArmor's base abstraction, but until it is, include here. We include # the base journal path as well as the journal namespace pattern path. Each # journal namespace for quota groups will be prefixed with 'snap-'. /run/systemd/journal{,.snap-}/socket w, /run/systemd/journal{,.snap-}/stdout rw, # 'r' shouldn't be needed, but journald # doesn't leak anything so allow /run/systemd/journal{,.snap-}/dev-log w, # snapctl and its requirements /usr/bin/snapctl ixr, /usr/lib/snapd/snapctl ixr, @{PROC}/sys/net/core/somaxconn r, /run/snapd-snap.socket rw, # Note: for now, don't explicitly deny this noisy denial so --devmode isn't # broken but eventually we may conditionally deny this since it is an # information leak. #deny /{,var/}run/utmp r, # java @{PROC}/@{pid}/ r, @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/auxv r, @{PROC}/sys/vm/zone_reclaim_mode r, /etc/lsb-release r, /sys/devices//read_ahead_kb r, /sys/devices/system/cpu/ r, /sys/devices/system/node/node[0-9]/ r, /sys/kernel/mm/transparent_hugepage/enabled r, /sys/kernel/mm/transparent_hugepage/defrag r, # NOTE: this leaks running process but java seems to want it (even though it # seems to operate ok without it) and SDL apps crash without it. Allow owner # match until AppArmor kernel var is available to solve this properly (see # LP: #1546825 for details). comm is a subset of cmdline, so allow it too. owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/comm r, # Per man(5) proc, the kernel enforces that a thread may only modify its comm # value or those in its thread group. owner @{PROC}/@{pid}/task/@{tid}/comm rw, # Allow reading and writing to our file descriptors in /proc which, for # example, allow access to /dev/std{in,out,err} which are all symlinks to # /proc/self/fd/{0,1,2} respectively. To support the open(..., O_TMPFILE) # linkat() temporary file technique, allow all fds. Importantly, access to # another task's fd via this proc interface is mediated via 'ptrace (read)' # (readonly) and 'ptrace (trace)' (read/write) which is denied by default, so # this rule by itself doesn't allow opening another snap's fds via proc. owner @{PROC}/@{pid}/{,task/@{tid}}fd/[0-9]* rw, # Miscellaneous accesses /dev/{,u}random w, /etc/machine-id r, /etc/mime.types r, /etc/default/keyboard r, @{PROC}/ r, @{PROC}/version r, @{PROC}/version_signature r, /etc/{,writable/}hostname r, /etc/{,writable/}localtime r, /etc/{,writable/}mailname r, /etc/{,writable/}timezone r, owner @{PROC}/@{pid}/cgroup rk, @{PROC}/@{pid}/cpuset r, @{PROC}/@{pid}/io r, owner @{PROC}/@{pid}/fdinfo/* r, owner @{PROC}/@{pid}/limits r, owner @{PROC}/@{pid}/loginuid r, owner @{PROC}/@{pid}/sessionid r, @{PROC}/@{pid}/smaps r, @{PROC}/@{pid}/stat r, @{PROC}/@{pid}/statm r, @{PROC}/@{pid}/status r, @{PROC}/@{pid}/task/ r, @{PROC}/@{pid}/task/[0-9]/smaps r, @{PROC}/@{pid}/task/[0-9]/stat r, @{PROC}/@{pid}/task/[0-9]/statm r, @{PROC}/@{pid}/task/[0-9]/status r, @{PROC}/sys/fs/pipe-max-size r, @{PROC}/sys/kernel/hostname r, @{PROC}/sys/kernel/osrelease r, @{PROC}/sys/kernel/ostype r, @{PROC}/sys/kernel/pid_max r, @{PROC}/sys/kernel/yama/ptrace_scope r, @{PROC}/sys/kernel/shmmax r, # Allow apps to introspect the level of dbus mediation AppArmor implements. /sys/kernel/security/apparmor/features/dbus/mask r, @{PROC}/sys/fs/file-max r, @{PROC}/sys/fs/file-nr r, @{PROC}/sys/fs/inotify/max_* r, @{PROC}/sys/kernel/pid_max r, @{PROC}/sys/kernel/random/boot_id r, @{PROC}/sys/kernel/random/entropy_avail r, @{PROC}/sys/kernel/random/uuid r, @{PROC}/sys/kernel/cap_last_cap r, # Allow access to the uuidd daemon (this daemon is a thin wrapper around # time and getrandom()/{,u}random and, when available, runs under an # unprivilged, dedicated user). /run/uuidd/request rw, /sys/devices/virtual/tty/{console,tty}/active r, /sys/fs/cgroup/memory/{,user.slice/}memory.limit_in_bytes r, /sys/fs/cgroup/memory/{,/}snap.@{SNAP_INSTANCE_NAME}{,.}/memory.limit_in_bytes r, /sys/fs/cgroup/memory/{,*/}snap.@{SNAP_INSTANCE_NAME}{,.}/memory.stat r, /sys/fs/cgroup/system.slice/snap.@{SNAP_INSTANCE_NAME}{,.}/memory.max r, /sys/fs/cgroup/cpu,cpuacct/{,user.slice/}cpu.cfs_{period,quota}_us r, /sys/fs/cgroup/cpu,cpuacct/{,/}snap.@{SNAP_INSTANCE_NAME}{,.}/cpu.cfs_{period,quota}_us r, /sys/fs/cgroup/cpu,cpuacct/{,user.slice/}cpu.shares r, /sys/fs/cgroup/cpu,cpuacct/{,*/}snap.@{SNAP_INSTANCE_NAME}{,.}/cpu.shares r, /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r, /sys/module/apparmor/parameters/enabled r, /{,usr/}lib/ r, # Reads of oom_adj and oom_score_adj are safe owner @{PROC}/@{pid}/oom_{,score_}adj r, # Note: for now, don't explicitly deny write access so --devmode isn't broken # but eventually we may conditionally deny this since it allows the process # to increase the oom heuristic of other processes (make them more likely to # be killed). Once AppArmor kernel var is available to solve this properly, # this can safely be allowed since non-root processes won't be able to # decrease the value and root processes will only be able to with # 'capability sys_resource,' which we deny be default. # deny owner @{PROC}/@{pid}/oom_{,score_}adj w, # Eases hardware assignment (doesn't give anything away) /etc/udev/udev.conf r, /sys/ r, /sys/bus/ r, /sys/class/ r, # this leaks interface names and stats, but not in a way that is traceable # to the user/device @{PROC}/net/dev r, @{PROC}/@{pid}/net/dev r, # Read-only of this snap /var/lib/snapd/snaps/@{SNAP_NAME}_.snap r, # Read-only of snapd restart state for snapctl specifically /var/lib/snapd/maintenance.json r, # Read-only for the install directory # bind mount used here (see 'parallel installs', above) @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/ r, @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}}/ r, @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}}/* mrklix, # Read-only install directory for other revisions to help with bugs like # LP: #1616650 and LP: #1655992 @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/** mrkix, # Read-only home area for other versions # bind mount not used here (see 'parallel installs', above) owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/ r, owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/ mrkix, # Experimental snap folder changes owner @{HOME}/.snap/data/@{SNAP_INSTANCE_NAME}/ r, owner @{HOME}/.snap/data/@{SNAP_INSTANCE_NAME}/ mrkix, owner @{HOME}/.snap/data/@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}/ wl, owner @{HOME}/.snap/data/@{SNAP_INSTANCE_NAME}/common/ wl, owner @{HOME}/Snap/@{SNAP_INSTANCE_NAME}/ r, owner @{HOME}/Snap/@{SNAP_INSTANCE_NAME}/** mrkixwl, # Writable home area for this version. # bind mount not used here (see 'parallel installs', above) owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}/ wl, owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/common/ wl, # Read-only system area for other versions # bind mount used here (see 'parallel installs', above) /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/ r, /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/ mrkix, # Writable system area only for this version # bind mount used here (see 'parallel installs', above) /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/@{SNAP_REVISION}/ wl, /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/common/ wl, # The snap-confine program creates an app-specific private restricted /tmp # and will fail to launch the app if something goes wrong. As such, we can # simply allow full access to /tmp. /tmp/ r, /tmp/ mrwlkix, # App-specific access to files and directories in /dev/shm. We allow file # access in /dev/shm for shm_open() and files in subdirectories for open() # bind mount not used here (see 'parallel installs', above) /{dev,run}/shm/snap.@{SNAP_INSTANCE_NAME}.** mrwlkix, # Also allow app-specific access for sem_open() /{dev,run}/shm/sem.snap.@{SNAP_INSTANCE_NAME}.* mrwlk, # Snap-specific XDG_RUNTIME_DIR that is based on the UID of the user # bind mount not used here (see 'parallel installs', above) owner /run/user/[0-9]/snap.@{SNAP_INSTANCE_NAME}/ rw, owner /run/user/[0-9]/snap.@{SNAP_INSTANCE_NAME}/ mrwklix, # Allow apps from the same package to communicate with each other via an # abstract or anonymous socket unix (bind, listen) addr="@snap.@{SNAP_INSTANCE_NAME}.", unix peer=(label=snap.@{SNAP_INSTANCE_NAME}.), # Allow apps from the same package to communicate with each other via DBus. # Note: this does not grant access to the DBus sockets of well known buses # (will still need to use an appropriate interface for that). dbus (receive, send) peer=(label=snap.@{SNAP_INSTANCE_NAME}.), # In addition to the above, dbus-run-session attempts reading these files # from the snap base runtime. /usr/share/dbus-1/services/{,} r, /usr/share/dbus-1/system-services/{,} r, # Allow apps to perform DBus introspection on org.freedesktop.DBus for both # the system and session buses. # Note: this does not grant access to the DBus sockets of these buses, but # we grant it here since it is missing from the dbus abstractions # (LP: #1866168) dbus (send) bus={session,system} path=/org/freedesktop/DBus interface=org.freedesktop.DBus.Introspectable member=Introspect peer=(label=unconfined), # Allow apps from the same package to signal each other via signals signal peer=snap.@{SNAP_INSTANCE_NAME}., # Allow receiving signals from all snaps (and focus on mediating sending of # signals) signal (receive) peer=snap., # Allow receiving signals from unconfined (eg, systemd) signal (receive) peer=unconfined, # for 'udevadm trigger --verbose --dry-run --tag-match=snappy-assign' /{,usr/}{,s}bin/udevadm ixr, /etc/udev/udev.conf r, /{,var/}run/udev/tags/snappy-assign/ r, @{PROC}/cmdline r, /sys/devices/*/uevent r, # LP: #1447237: adding '--property-match=SNAPPY_APP=<pkgname>' to the above # requires: # /run/udev/data/ r, # but that reveals too much about the system and cannot be granted to apps # by default at this time. # For convenience, allow apps to see what is in /dev even though cgroups # will block most access /dev/ r, /dev// r, # Allow setting up pseudoterminal via /dev/pts system. This is safe because # the launcher uses a per-app devpts newinstance. /dev/ptmx rw, # Do the same with /sys/devices and /sys/class to help people using hw-assign /sys/devices/ r, /sys/devices// r, /sys/class/ r, /sys/class/*/ r, # Allow all snaps to chroot capability sys_chroot, # Lttng tracing is very noisy and should not be allowed by confined apps. Can # safely deny for the normal case (LP: #1260491). If/when an lttng-trace # interface is needed, we can rework this. deny /{dev,run,var/run}/shm/lttng-ust- rw, # Allow read-access on /home/ for navigating to other parts of the # filesystem. While this allows enumerating users, this is already allowed # via /etc/passwd and getent. @{HOMEDIRS}/ r, # Allow read-access to / for navigating to other parts of the filesystem. / r, # Snap-specific run directory. Bind mount not used here # (see 'parallel installs', above) /run/snap.@{SNAP_INSTANCE_NAME}/ rw, /run/snap.@{SNAP_INSTANCE_NAME}/ mrwklix, # Snap-specific lock directory and prerequisite navigation permissions. /run/lock/ r, /run/lock/snap.@{SNAP_INSTANCE_NAME}/ rw, /run/lock/snap.@{SNAP_INSTANCE_NAME}/ mrwklix, # Default rules for core base runtimes # The base abstraction doesn't yet have this /{,usr/}lib/terminfo/ rk, /usr/share/terminfo/ k, /usr/share/zoneinfo/** k, # for python apps/services /usr/bin/python{,2,2.[0-9],3,3.[0-9]} ixr, # additional accesses needed for newer pythons in later bases /usr/lib{,32,64}/python3.[0-9]/.{pyc,so} mr, /usr/lib{,32,64}/python3.[0-9]/*.{egg,py,pth} r, /usr/lib{,32,64}/python3.[0-9]/{site,dist}-packages/ r, /usr/lib{,32,64}/python3.[0-9]/lib-dynload/.so mr, /usr/include/python3.[0-9]/pyconfig.h r, # for perl apps/services /usr/bin/perl{,5} ixr, # AppArmor <2.12 doesn't have rules for perl-base, so add them here /usr/lib/@{multiarch}/perl{,5,-base}/** r, /usr/lib/@{multiarch}/perl{,5,-base}/[0-9]/.so mr, # for bash 'binaries' (do not use abstractions/bash) # user-specific bash files /{,usr/}bin/bash ixr, /{,usr/}bin/dash ixr, /usr/share/terminfo/** r, # Common utilities for shell scripts /{,usr/}bin/arch ixr, /{,usr/}bin/{,g,m}awk ixr, /{,usr/}bin/base32 ixr, /{,usr/}bin/base64 ixr, /{,usr/}bin/basename ixr, /{,usr/}bin/bunzip2 ixr, /{,usr/}bin/busctl ixr, /{,usr/}bin/bzcat ixr, /{,usr/}bin/bzdiff ixr, /{,usr/}bin/bzgrep ixr, /{,usr/}bin/bzip2 ixr, /{,usr/}bin/cat ixr, /{,usr/}bin/chgrp ixr, /{,usr/}bin/chmod ixr, /{,usr/}bin/chown ixr, /{,usr/}bin/clear ixr, /{,usr/}bin/cmp ixr, /{,usr/}bin/cp ixr, /{,usr/}bin/cpio ixr, /{,usr/}bin/cut ixr, /{,usr/}bin/date ixr, /{,usr/}bin/dbus-daemon ixr, /{,usr/}bin/dbus-run-session ixr, /{,usr/}bin/dbus-send ixr, /{,usr/}bin/dd ixr, /{,usr/}bin/diff{,3} ixr, /{,usr/}bin/dir ixr, /{,usr/}bin/dirname ixr, /{,usr/}bin/du ixr, /{,usr/}bin/echo ixr, /{,usr/}bin/{,e,f,r}grep ixr, /{,usr/}bin/env ixr, /{,usr/}bin/expr ixr, /{,usr/}bin/false ixr, /{,usr/}bin/find ixr, /{,usr/}bin/flock ixr, /{,usr/}bin/fmt ixr, /{,usr/}bin/fold ixr, /{,usr/}bin/getconf ixr, /{,usr/}bin/getent ixr, /{,usr/}bin/getopt ixr, /{,usr/}bin/groups ixr, /{,usr/}bin/gzip ixr, /{,usr/}bin/head ixr, /{,usr/}bin/hostname ixr, /{,usr/}bin/id ixr, /{,usr/}bin/igawk ixr, /{,usr/}bin/infocmp ixr, /{,usr/}bin/kill ixr, /{,usr/}bin/ldd ixr, /{usr/,}lib{,32,64}/ld{,32,64}-.so ix, /{usr/,}lib/@{multiarch}/ld{,32,64}-.so* ix, /{,usr/}bin/less{,file,pipe} ixr, /{,usr/}bin/ln ixr, /{,usr/}bin/line ixr, /{,usr/}bin/link ixr, /{,usr/}bin/locale ixr, /{,usr/}bin/logger ixr, /{,usr/}bin/ls ixr, /{,usr/}bin/md5sum ixr, /{,usr/}bin/mkdir ixr, /{,usr/}bin/mkfifo ixr, /{,usr/}bin/mknod ixr, /{,usr/}bin/mktemp ixr, /{,usr/}bin/more ixr, /{,usr/}bin/mv ixr, /{,usr/}bin/nice ixr, /{,usr/}bin/nohup ixr, /{,usr/}bin/numfmt ixr, /{,usr/}bin/od ixr, /{,usr/}bin/openssl ixr, # may cause harmless capability block_suspend denial /{,usr/}bin/paste ixr, /{,usr/}bin/pgrep ixr, /{,usr/}bin/printenv ixr, /{,usr/}bin/printf ixr, /{,usr/}bin/ps ixr, /{,usr/}bin/pwd ixr, /{,usr/}bin/readlink ixr, /{,usr/}bin/realpath ixr, /{,usr/}bin/rev ixr, /{,usr/}bin/rm ixr, /{,usr/}bin/rmdir ixr, /{,usr/}bin/run-parts ixr, /{,usr/}bin/sed ixr, /{,usr/}bin/seq ixr, /{,usr/}bin/setpriv ixr, /{,usr/}bin/sha{1,224,256,384,512}sum ixr, /{,usr/}bin/shuf ixr, /{,usr/}bin/sleep ixr, /{,usr/}bin/sort ixr, /{,usr/}bin/stat ixr, /{,usr/}bin/stdbuf ixr, /{,usr/}bin/stty ixr, /{,usr/}bin/sync ixr, /{,usr/}bin/systemd-cat ixr, /{,usr/}bin/tac ixr, /{,usr/}bin/tail ixr, /{,usr/}bin/tar ixr, /{,usr/}bin/tee ixr, /{,usr/}bin/test ixr, /{,usr/}bin/tempfile ixr, /{,usr/}bin/tset ixr, /{,usr/}bin/touch ixr, /{,usr/}bin/tput ixr, /{,usr/}bin/tr ixr, /{,usr/}bin/true ixr, /{,usr/}bin/tty ixr, /{,usr/}bin/uname ixr, /{,usr/}bin/uniq ixr, /{,usr/}bin/unlink ixr, /{,usr/}bin/unxz ixr, /{,usr/}bin/unzip ixr, /{,usr/}bin/uptime ixr, /{,usr/}bin/vdir ixr, /{,usr/}bin/vim.tiny ixr, /{,usr/}bin/wc ixr, /{,usr/}bin/which{,.debianutils} ixr, /{,usr/}bin/xargs ixr, /{,usr/}bin/xz ixr, /{,usr/}bin/yes ixr, /{,usr/}bin/zcat ixr, /{,usr/}bin/z{,e,f}grep ixr, /{,usr/}bin/zip ixr, /{,usr/}bin/zipgrep ixr, # lsb-release /usr/bin/lsb_release ixr, /usr/bin/ r, /usr/share/distro-info/.csv r, # For printing the cache (we don't allow updating the cache) /{,usr/}sbin/ldconfig{,.real} ixr, # Allow all snaps to chroot /{,usr/}sbin/chroot ixr, # Description: Can access the network as a server. #include <abstractions/nameservice> /run/systemd/resolve/stub-resolv.conf rk, network netlink dgram, # not yet included in the nameservice abstraction # systemd-resolved (not yet included in nameservice abstraction) # # Allow access to the safe members of the systemd-resolved D-Bus API: # # https://www.freedesktop.org/wiki/Software/systemd/resolved/ # # This API may be used directly over the D-Bus system bus or it may be used # indirectly via the nss-resolve plugin: # # https://www.freedesktop.org/software/systemd/man/nss-resolve.html # #include <abstractions/dbus-strict> dbus send bus=system path="/org/freedesktop/resolve1" interface="org.freedesktop.resolve1.Manager" member="Resolve{Address,Hostname,Record,Service}" peer=(name="org.freedesktop.resolve1"), #include <abstractions/ssl_certs> # These probably shouldn't be something that apps should use, but this offers # no information disclosure since the files are in the read-only part of the # system. /etc/hosts.deny r, /etc/hosts.allow r, @{PROC}/sys/net/core/somaxconn r, @{PROC}/sys/net/ipv4/ip_local_port_range r, # LP: #1496906: java apps need these for some reason and they leak the IPv6 IP # addresses and routes. Until we find another way to handle them (see the bug # for some options), we need to allow them to avoid developer confusion. @{PROC}/@{pid}/net/if_inet6 r, @{PROC}/@{pid}/net/ipv6_route r, # java apps attempt this, presumably to handle interface changes, but a # corresponding seccomp socket rule is required to use netlink. When # fine-grained netlink mediation is implemented (LP: #1669552), we can perhaps # allow 'read' with NETLINK_ROUTE, but for now we omit it here and don't # explicitly deny this noisy denial so --devmode isn't broken. LP: #1499897 #deny network netlink dgram, # Description: Can change to any apparmor profile (including unconfined) thus # giving access to all resources of the system so LXD may manage what to give # to its containers. This gives device ownership to connected snaps. @{PROC}//attr/{,apparmor/}current r, /{,usr/}{,s}bin/aa-exec ux, # Allow discovering the os-release of the host /var/lib/snapd/hostfs/{etc,usr/lib}/os-release r, # Description: Can query system status information. This is restricted because # it gives privileged read access to all processes on the system and should # only be used with trusted apps. # Needed by 'ps' @{PROC}/tty/drivers r, # This ptrace is an information leak. Intentionlly omit 'ptrace (trace)' here # since since ps doesn't actually need to trace other processes. Note this # allows a number of accesses (assuming the associated /proc file is allowed), # such as various memory address locations and esp/eip via /proc//stat, # /proc//mem, /proc//personality, /proc//stack, /proc//syscall, # /proc//timerslack_ns and /proc//wchan (see man proc). # # Some files like /proc/kallsyms (but anything using %pK format specifier) need # 'capability syslog' when /proc/sys/kernel/kptr_restrict=1, but we # intentionally do not allow since it could be used to defeat KASLR. ptrace (read), # Other miscellaneous accesses for observing the system @{PROC}/cgroups r, @{PROC}/locks r, @{PROC}/modules r, @{PROC}/mdstat r, @{PROC}/schedstat r, @{PROC}/stat r, @{PROC}/vmstat r, @{PROC}/zoneinfo r, @{PROC}/diskstats r, @{PROC}/kallsyms r, @{PROC}/partitions r, @{PROC}/pressure/cpu r, @{PROC}/pressure/io r, @{PROC}/pressure/memory r, @{PROC}/sys/kernel/panic r, @{PROC}/sys/kernel/panic_on_oops r, @{PROC}/sys/kernel/sched_autogroup_enabled r, @{PROC}/sys/vm/max_map_count r, @{PROC}/sys/vm/panic_on_oom r, @{PROC}/sys/vm/swappiness r, # These are not process-specific (/proc//... and /proc//task//...) @{PROC}//{,task/,task//} r, @{PROC}//{,task//}autogroup r, @{PROC}//{,task//}auxv r, @{PROC}//{,task//}cgroup r, @{PROC}//{,task//}cmdline r, @{PROC}//{,task//}comm r, @{PROC}//{,task//}exe r, @{PROC}//{,task//}fdinfo/ r, @{PROC}//{,task//}io r, @{PROC}//{,task//}oom_score r, # allow reading of smaps_rollup, which is a summary of the memory use of a process, # but not smaps which contains a detailed mappings breakdown like # /proc/self/maps, which we do not allow access to for other processes @{PROC}//{,task//}smaps_rollup r, @{PROC}//{,task//}schedstat r, @{PROC}//{,task//}stat r, @{PROC}//{,task//}statm r, @{PROC}//{,task//}status r, @{PROC}//{,task//}wchan r, # Allow reading processes security label @{PROC}//{,task//}attr/{,apparmor/}current r, # Allow discovering the os-release of the host /var/lib/snapd/hostfs/etc/os-release rk, /var/lib/snapd/hostfs/usr/lib/os-release rk, # Allow discovering the Kernel build config @{PROC}/config.gz r, /boot/config* r, # Allow discovering system-wide CFS Bandwidth Control information # https://www.kernel.org/doc/html/latest/scheduler/sched-bwc.html /sys/fs/cgroup/cpu,cpuacct/cpu.cfs_period_us r, /sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r, /sys/fs/cgroup/cpu,cpuacct/cpu.shares r, /sys/fs/cgroup/cpu,cpuacct/cpu.stat r, /sys/fs/cgroup/memory/memory.stat r, #include <abstractions/dbus-strict> # do not use peer=(label=unconfined) here since this is DBus activated dbus (send) bus=system path=/org/freedesktop/hostname1 interface=org.freedesktop.DBus.Properties member=Get{,All}, # Allow clients to introspect hostname1 # do not use peer=(label=unconfined) here since this is DBus activated dbus (send) bus=system path=/org/freedesktop/hostname1 interface=org.freedesktop.DBus.Introspectable member=Introspect, # Allow clients to enumerate DBus connection names on common buses dbus (send) bus={session,system} path={/,/org/freedesktop/DBus} interface=org.freedesktop.DBus member={ListNames,ListActivatableNames} peer=(label=unconfined), # Allow clients to obtain the DBus machine ID on common buses. We do not # mediate the path since any peer can be used. dbus (send) bus={session,system} interface=org.freedesktop.DBus.Peer member=GetMachineId peer=(label=unconfined), # Allow clients to get properties of systemd (the manager) and # units dbus (send) bus=system interface=org.freedesktop.DBus.Properties path=/org/freedesktop/systemd1{,/*} member=Get{,All} peer=(label=unconfined), # Allow clients to explicitly list units with some of their details (path, # status) and get unit path, see # https://www.freedesktop.org/wiki/Software/systemd/dbus/ for details dbus (send) bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member={GetUnit,ListUnits} peer=(label=unconfined), # Allow reading if protected hardlinks are enabled, but don't allow enabling or # disabling them @{PROC}/sys/fs/protected_hardlinks r, @{PROC}/sys/fs/protected_symlinks r, @{PROC}/sys/fs/protected_fifos r, @{PROC}/sys/fs/protected_regular r, # allow use of user namespaces userns, # While commands like 'ps', 'ip netns identify <pid>', 'ip netns pids foo', etc # trigger a 'ptrace (trace)' denial, they aren't actually tracing other # processes. Unfortunately, the kernel overloads trace such that the LSMs are # unable to distinguish between tracing other processes and other accesses. # ptrace (trace) can be used to break out of the seccomp sandbox unless the # kernel has 93e35efb8de45393cf61ed07f7b407629bf698ea (in 4.8+). Until snapd # has full ptrace support conditional on kernel support, explicitly deny to # silence noisy denials/avoid confusion and accidentally giving away this # dangerous access frivolously. deny ptrace (trace), deny capability sys_ptrace, } ��snap.lxd.hook.remove��0000644��00000067453�15027571546�0010504 0��ustar�00�� # vim:syntax=apparmor #include <tunables/global> #include if exists "/etc/apparmor.d/tunables/home.d" #include if exists "/var/lib/snapd/apparmor/snap-tuning" # snapd supports the concept of 'parallel installs' where snaps with the same # name are differentiated by '_<instance>' such that foo, foo_bar and foo_baz # may all be installed on the system. To support this, SNAP_NAME is set to the # name (eg, 'foo') while SNAP_INSTANCE_NAME is set to the instance name (eg # 'foo_bar'). The profile name and most rules therefore reference # SNAP_INSTANCE_NAME. In some cases, snapd will adjust the snap's runtime # environment so the snap doesn't have to be aware of the distinction (eg, # SNAP, SNAP_DATA and SNAP_COMMON are all bind mounted onto a directory with # SNAP_NAME so the security policy will allow writing to both locations (since # they are equivalent). # This is a snap name without the instance key @{SNAP_NAME}="lxd" # This is a snap name with instance key @{SNAP_INSTANCE_NAME}="lxd" @{SNAP_INSTANCE_DESKTOP}="lxd" @{SNAP_COMMAND_NAME}="hook.remove" @{SNAP_REVISION}="31333" @{PROFILE_DBUS}="snap_2elxd_2ehook_2eremove" @{INSTALL_DIR}="/{,var/lib/snapd/}snap" profile "snap.lxd.hook.remove" flags=(attach_disconnected,mediate_deleted) { #include <abstractions/base> #include <abstractions/consoles> #include <abstractions/openssl> # While in later versions of the base abstraction, include this explicitly # for series 16 and cross-distro /etc/ld.so.preload r, # The base abstraction doesn't yet have this /etc/sysconfig/clock r, owner @{PROC}/@{pid}/maps k, # /proc/XXXX/map_files contains the same info than /proc/XXXX/maps, but # in a format that is simpler to manage, because it doesn't require to # parse the text data inside a file, but just reading the contents of # a directory. # Reading /proc/XXXX/maps is already allowed in the base template # via <abstractions/base>. Also, only the owner can read it, and the # kernel limits access to it by requiring 'ptrace' enabled, so allowing # to access /proc/XXXX/map_files can be considered secure too. owner @{PROC}/@{pid}/map_files/ r, # While the base abstraction has rules for encryptfs encrypted home and # private directories, it is missing rules for directory read on the toplevel # directory of the mount (LP: #1848919) owner @{HOME}/.Private/ r, owner @{HOMEDIRS}/.ecryptfs//.Private/ r, # for python apps/services #include <abstractions/python> /etc/python3.[0-9]/* r, # explicitly deny noisy denials to read-only filesystems (see LP: #1496895 # for details) deny /usr/lib/python3/{,/}__pycache__/ w, deny /usr/lib/python3/{,/}__pycache__/.pyc.[0-9]* w, # bind mount used here (see 'parallel installs', above) deny @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}//__pycache__/ w, deny @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}//__pycache__/.pyc.[0-9] w, # for perl apps/services #include <abstractions/perl> # Missing from perl abstraction /usr/lib/@{multiarch}/perl{,5,-base}/auto/*.so mr, # Note: the following dangerous accesses should not be allowed in most # policy, but we cannot explicitly deny since other trusted interfaces might # add them. # Explicitly deny ptrace for now since it can be abused to break out of the # seccomp sandbox. https://lkml.org/lkml/2015/3/18/823 #audit deny ptrace (trace), # Explicitly deny capability mknod so apps can't create devices #audit deny capability mknod, # Explicitly deny mount, remount and umount so apps can't modify things in # their namespace #audit deny mount, #audit deny remount, #audit deny umount, # End dangerous accesses # Note: this potentially allows snaps to DoS other snaps via resource # exhaustion but we can't sensibly mediate this today. In the future we may # employ cgroup limits, AppArmor rlimit mlock rules or something else. capability ipc_lock, # for bash 'binaries' (do not use abstractions/bash) # user-specific bash files /etc/bash.bashrc r, /etc/inputrc r, /etc/environment r, /etc/profile r, # user/group/seat lookups /etc/{passwd,group,nsswitch.conf} r, # very common /var/lib/extrausers/{passwd,group} r, /run/systemd/users/[0-9]* r, /etc/default/nss r, # libnss-systemd (subset from nameservice abstraction) # # https://systemd.io/USER_GROUP_API/ # https://systemd.io/USER_RECORD/ # https://www.freedesktop.org/software/systemd/man/nss-systemd.html # # Allow User/Group lookups via common VarLink socket APIs. Applications need # to either consult all of them or the io.systemd.Multiplexer frontend. /run/systemd/userdb/ r, /run/systemd/userdb/io.systemd.Multiplexer rw, /run/systemd/userdb/io.systemd.DynamicUser rw, # systemd-exec users /run/systemd/userdb/io.systemd.Home rw, # systemd-home dirs /run/systemd/userdb/io.systemd.NameServiceSwitch rw, # UNIX/glibc NSS /run/systemd/userdb/io.systemd.Machine rw, # systemd-machined /etc/libnl-3/{classid,pktloc} r, # apps that use libnl # For snappy reexec on 4.8+ kernels /usr/lib/snapd/snap-exec m, # For gdb support /usr/lib/snapd/snap-gdb-shim ixr, /usr/lib/snapd/snap-gdbserver-shim ixr, # For in-snap tab completion /etc/bash_completion.d/{,} r, /usr/lib/snapd/etelpmoc.sh ixr, # marshaller (see complete.sh for out-of-snap unmarshal) /usr/share/bash-completion/bash_completion r, # user-provided completions (run in-snap) may use functions from here # uptime @{PROC}/uptime r, @{PROC}/loadavg r, # Allow reading /etc/os-release. On Ubuntu 16.04+ it is a symlink to /usr/lib # which is allowed by the base abstraction, but on 14.04 it is an actual file # so need to add it here. Also allow read locks on the file. /etc/os-release rk, /usr/lib/os-release k, # Debian version of the host OS which might be required in AppArmor-secured Debian /etc/debian_version r, # systemd native journal API (see sd_journal_print(4)). This should be in # AppArmor's base abstraction, but until it is, include here. We include # the base journal path as well as the journal namespace pattern path. Each # journal namespace for quota groups will be prefixed with 'snap-'. /run/systemd/journal{,.snap-}/socket w, /run/systemd/journal{,.snap-}/stdout rw, # 'r' shouldn't be needed, but journald # doesn't leak anything so allow /run/systemd/journal{,.snap-}/dev-log w, # snapctl and its requirements /usr/bin/snapctl ixr, /usr/lib/snapd/snapctl ixr, @{PROC}/sys/net/core/somaxconn r, /run/snapd-snap.socket rw, # Note: for now, don't explicitly deny this noisy denial so --devmode isn't # broken but eventually we may conditionally deny this since it is an # information leak. #deny /{,var/}run/utmp r, # java @{PROC}/@{pid}/ r, @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/auxv r, @{PROC}/sys/vm/zone_reclaim_mode r, /etc/lsb-release r, /sys/devices//read_ahead_kb r, /sys/devices/system/cpu/ r, /sys/devices/system/node/node[0-9]/ r, /sys/kernel/mm/transparent_hugepage/enabled r, /sys/kernel/mm/transparent_hugepage/defrag r, # NOTE: this leaks running process but java seems to want it (even though it # seems to operate ok without it) and SDL apps crash without it. Allow owner # match until AppArmor kernel var is available to solve this properly (see # LP: #1546825 for details). comm is a subset of cmdline, so allow it too. owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/comm r, # Per man(5) proc, the kernel enforces that a thread may only modify its comm # value or those in its thread group. owner @{PROC}/@{pid}/task/@{tid}/comm rw, # Allow reading and writing to our file descriptors in /proc which, for # example, allow access to /dev/std{in,out,err} which are all symlinks to # /proc/self/fd/{0,1,2} respectively. To support the open(..., O_TMPFILE) # linkat() temporary file technique, allow all fds. Importantly, access to # another task's fd via this proc interface is mediated via 'ptrace (read)' # (readonly) and 'ptrace (trace)' (read/write) which is denied by default, so # this rule by itself doesn't allow opening another snap's fds via proc. owner @{PROC}/@{pid}/{,task/@{tid}}fd/[0-9]* rw, # Miscellaneous accesses /dev/{,u}random w, /etc/machine-id r, /etc/mime.types r, /etc/default/keyboard r, @{PROC}/ r, @{PROC}/version r, @{PROC}/version_signature r, /etc/{,writable/}hostname r, /etc/{,writable/}localtime r, /etc/{,writable/}mailname r, /etc/{,writable/}timezone r, owner @{PROC}/@{pid}/cgroup rk, @{PROC}/@{pid}/cpuset r, @{PROC}/@{pid}/io r, owner @{PROC}/@{pid}/fdinfo/* r, owner @{PROC}/@{pid}/limits r, owner @{PROC}/@{pid}/loginuid r, owner @{PROC}/@{pid}/sessionid r, @{PROC}/@{pid}/smaps r, @{PROC}/@{pid}/stat r, @{PROC}/@{pid}/statm r, @{PROC}/@{pid}/status r, @{PROC}/@{pid}/task/ r, @{PROC}/@{pid}/task/[0-9]/smaps r, @{PROC}/@{pid}/task/[0-9]/stat r, @{PROC}/@{pid}/task/[0-9]/statm r, @{PROC}/@{pid}/task/[0-9]/status r, @{PROC}/sys/fs/pipe-max-size r, @{PROC}/sys/kernel/hostname r, @{PROC}/sys/kernel/osrelease r, @{PROC}/sys/kernel/ostype r, @{PROC}/sys/kernel/pid_max r, @{PROC}/sys/kernel/yama/ptrace_scope r, @{PROC}/sys/kernel/shmmax r, # Allow apps to introspect the level of dbus mediation AppArmor implements. /sys/kernel/security/apparmor/features/dbus/mask r, @{PROC}/sys/fs/file-max r, @{PROC}/sys/fs/file-nr r, @{PROC}/sys/fs/inotify/max_* r, @{PROC}/sys/kernel/pid_max r, @{PROC}/sys/kernel/random/boot_id r, @{PROC}/sys/kernel/random/entropy_avail r, @{PROC}/sys/kernel/random/uuid r, @{PROC}/sys/kernel/cap_last_cap r, # Allow access to the uuidd daemon (this daemon is a thin wrapper around # time and getrandom()/{,u}random and, when available, runs under an # unprivilged, dedicated user). /run/uuidd/request rw, /sys/devices/virtual/tty/{console,tty}/active r, /sys/fs/cgroup/memory/{,user.slice/}memory.limit_in_bytes r, /sys/fs/cgroup/memory/{,/}snap.@{SNAP_INSTANCE_NAME}{,.}/memory.limit_in_bytes r, /sys/fs/cgroup/memory/{,*/}snap.@{SNAP_INSTANCE_NAME}{,.}/memory.stat r, /sys/fs/cgroup/system.slice/snap.@{SNAP_INSTANCE_NAME}{,.}/memory.max r, /sys/fs/cgroup/cpu,cpuacct/{,user.slice/}cpu.cfs_{period,quota}_us r, /sys/fs/cgroup/cpu,cpuacct/{,/}snap.@{SNAP_INSTANCE_NAME}{,.}/cpu.cfs_{period,quota}_us r, /sys/fs/cgroup/cpu,cpuacct/{,user.slice/}cpu.shares r, /sys/fs/cgroup/cpu,cpuacct/{,*/}snap.@{SNAP_INSTANCE_NAME}{,.}/cpu.shares r, /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r, /sys/module/apparmor/parameters/enabled r, /{,usr/}lib/ r, # Reads of oom_adj and oom_score_adj are safe owner @{PROC}/@{pid}/oom_{,score_}adj r, # Note: for now, don't explicitly deny write access so --devmode isn't broken # but eventually we may conditionally deny this since it allows the process # to increase the oom heuristic of other processes (make them more likely to # be killed). Once AppArmor kernel var is available to solve this properly, # this can safely be allowed since non-root processes won't be able to # decrease the value and root processes will only be able to with # 'capability sys_resource,' which we deny be default. # deny owner @{PROC}/@{pid}/oom_{,score_}adj w, # Eases hardware assignment (doesn't give anything away) /etc/udev/udev.conf r, /sys/ r, /sys/bus/ r, /sys/class/ r, # this leaks interface names and stats, but not in a way that is traceable # to the user/device @{PROC}/net/dev r, @{PROC}/@{pid}/net/dev r, # Read-only of this snap /var/lib/snapd/snaps/@{SNAP_NAME}_.snap r, # Read-only of snapd restart state for snapctl specifically /var/lib/snapd/maintenance.json r, # Read-only for the install directory # bind mount used here (see 'parallel installs', above) @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/ r, @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}}/ r, @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}}/* mrklix, # Read-only install directory for other revisions to help with bugs like # LP: #1616650 and LP: #1655992 @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/** mrkix, # Read-only home area for other versions # bind mount not used here (see 'parallel installs', above) owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/ r, owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/ mrkix, # Experimental snap folder changes owner @{HOME}/.snap/data/@{SNAP_INSTANCE_NAME}/ r, owner @{HOME}/.snap/data/@{SNAP_INSTANCE_NAME}/ mrkix, owner @{HOME}/.snap/data/@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}/ wl, owner @{HOME}/.snap/data/@{SNAP_INSTANCE_NAME}/common/ wl, owner @{HOME}/Snap/@{SNAP_INSTANCE_NAME}/ r, owner @{HOME}/Snap/@{SNAP_INSTANCE_NAME}/** mrkixwl, # Writable home area for this version. # bind mount not used here (see 'parallel installs', above) owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}/ wl, owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/common/ wl, # Read-only system area for other versions # bind mount used here (see 'parallel installs', above) /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/ r, /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/ mrkix, # Writable system area only for this version # bind mount used here (see 'parallel installs', above) /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/@{SNAP_REVISION}/ wl, /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/common/ wl, # The snap-confine program creates an app-specific private restricted /tmp # and will fail to launch the app if something goes wrong. As such, we can # simply allow full access to /tmp. /tmp/ r, /tmp/ mrwlkix, # App-specific access to files and directories in /dev/shm. We allow file # access in /dev/shm for shm_open() and files in subdirectories for open() # bind mount not used here (see 'parallel installs', above) /{dev,run}/shm/snap.@{SNAP_INSTANCE_NAME}.** mrwlkix, # Also allow app-specific access for sem_open() /{dev,run}/shm/sem.snap.@{SNAP_INSTANCE_NAME}.* mrwlk, # Snap-specific XDG_RUNTIME_DIR that is based on the UID of the user # bind mount not used here (see 'parallel installs', above) owner /run/user/[0-9]/snap.@{SNAP_INSTANCE_NAME}/ rw, owner /run/user/[0-9]/snap.@{SNAP_INSTANCE_NAME}/ mrwklix, # Allow apps from the same package to communicate with each other via an # abstract or anonymous socket unix (bind, listen) addr="@snap.@{SNAP_INSTANCE_NAME}.", unix peer=(label=snap.@{SNAP_INSTANCE_NAME}.), # Allow apps from the same package to communicate with each other via DBus. # Note: this does not grant access to the DBus sockets of well known buses # (will still need to use an appropriate interface for that). dbus (receive, send) peer=(label=snap.@{SNAP_INSTANCE_NAME}.), # In addition to the above, dbus-run-session attempts reading these files # from the snap base runtime. /usr/share/dbus-1/services/{,} r, /usr/share/dbus-1/system-services/{,} r, # Allow apps to perform DBus introspection on org.freedesktop.DBus for both # the system and session buses. # Note: this does not grant access to the DBus sockets of these buses, but # we grant it here since it is missing from the dbus abstractions # (LP: #1866168) dbus (send) bus={session,system} path=/org/freedesktop/DBus interface=org.freedesktop.DBus.Introspectable member=Introspect peer=(label=unconfined), # Allow apps from the same package to signal each other via signals signal peer=snap.@{SNAP_INSTANCE_NAME}., # Allow receiving signals from all snaps (and focus on mediating sending of # signals) signal (receive) peer=snap., # Allow receiving signals from unconfined (eg, systemd) signal (receive) peer=unconfined, # for 'udevadm trigger --verbose --dry-run --tag-match=snappy-assign' /{,usr/}{,s}bin/udevadm ixr, /etc/udev/udev.conf r, /{,var/}run/udev/tags/snappy-assign/ r, @{PROC}/cmdline r, /sys/devices/*/uevent r, # LP: #1447237: adding '--property-match=SNAPPY_APP=<pkgname>' to the above # requires: # /run/udev/data/ r, # but that reveals too much about the system and cannot be granted to apps # by default at this time. # For convenience, allow apps to see what is in /dev even though cgroups # will block most access /dev/ r, /dev// r, # Allow setting up pseudoterminal via /dev/pts system. This is safe because # the launcher uses a per-app devpts newinstance. /dev/ptmx rw, # Do the same with /sys/devices and /sys/class to help people using hw-assign /sys/devices/ r, /sys/devices// r, /sys/class/ r, /sys/class/*/ r, # Allow all snaps to chroot capability sys_chroot, # Lttng tracing is very noisy and should not be allowed by confined apps. Can # safely deny for the normal case (LP: #1260491). If/when an lttng-trace # interface is needed, we can rework this. deny /{dev,run,var/run}/shm/lttng-ust- rw, # Allow read-access on /home/ for navigating to other parts of the # filesystem. While this allows enumerating users, this is already allowed # via /etc/passwd and getent. @{HOMEDIRS}/ r, # Allow read-access to / for navigating to other parts of the filesystem. / r, # Snap-specific run directory. Bind mount not used here # (see 'parallel installs', above) /run/snap.@{SNAP_INSTANCE_NAME}/ rw, /run/snap.@{SNAP_INSTANCE_NAME}/ mrwklix, # Snap-specific lock directory and prerequisite navigation permissions. /run/lock/ r, /run/lock/snap.@{SNAP_INSTANCE_NAME}/ rw, /run/lock/snap.@{SNAP_INSTANCE_NAME}/ mrwklix, # Default rules for core base runtimes # The base abstraction doesn't yet have this /{,usr/}lib/terminfo/ rk, /usr/share/terminfo/ k, /usr/share/zoneinfo/** k, # for python apps/services /usr/bin/python{,2,2.[0-9],3,3.[0-9]} ixr, # additional accesses needed for newer pythons in later bases /usr/lib{,32,64}/python3.[0-9]/.{pyc,so} mr, /usr/lib{,32,64}/python3.[0-9]/*.{egg,py,pth} r, /usr/lib{,32,64}/python3.[0-9]/{site,dist}-packages/ r, /usr/lib{,32,64}/python3.[0-9]/lib-dynload/.so mr, /usr/include/python3.[0-9]/pyconfig.h r, # for perl apps/services /usr/bin/perl{,5} ixr, # AppArmor <2.12 doesn't have rules for perl-base, so add them here /usr/lib/@{multiarch}/perl{,5,-base}/** r, /usr/lib/@{multiarch}/perl{,5,-base}/[0-9]/.so mr, # for bash 'binaries' (do not use abstractions/bash) # user-specific bash files /{,usr/}bin/bash ixr, /{,usr/}bin/dash ixr, /usr/share/terminfo/** r, # Common utilities for shell scripts /{,usr/}bin/arch ixr, /{,usr/}bin/{,g,m}awk ixr, /{,usr/}bin/base32 ixr, /{,usr/}bin/base64 ixr, /{,usr/}bin/basename ixr, /{,usr/}bin/bunzip2 ixr, /{,usr/}bin/busctl ixr, /{,usr/}bin/bzcat ixr, /{,usr/}bin/bzdiff ixr, /{,usr/}bin/bzgrep ixr, /{,usr/}bin/bzip2 ixr, /{,usr/}bin/cat ixr, /{,usr/}bin/chgrp ixr, /{,usr/}bin/chmod ixr, /{,usr/}bin/chown ixr, /{,usr/}bin/clear ixr, /{,usr/}bin/cmp ixr, /{,usr/}bin/cp ixr, /{,usr/}bin/cpio ixr, /{,usr/}bin/cut ixr, /{,usr/}bin/date ixr, /{,usr/}bin/dbus-daemon ixr, /{,usr/}bin/dbus-run-session ixr, /{,usr/}bin/dbus-send ixr, /{,usr/}bin/dd ixr, /{,usr/}bin/diff{,3} ixr, /{,usr/}bin/dir ixr, /{,usr/}bin/dirname ixr, /{,usr/}bin/du ixr, /{,usr/}bin/echo ixr, /{,usr/}bin/{,e,f,r}grep ixr, /{,usr/}bin/env ixr, /{,usr/}bin/expr ixr, /{,usr/}bin/false ixr, /{,usr/}bin/find ixr, /{,usr/}bin/flock ixr, /{,usr/}bin/fmt ixr, /{,usr/}bin/fold ixr, /{,usr/}bin/getconf ixr, /{,usr/}bin/getent ixr, /{,usr/}bin/getopt ixr, /{,usr/}bin/groups ixr, /{,usr/}bin/gzip ixr, /{,usr/}bin/head ixr, /{,usr/}bin/hostname ixr, /{,usr/}bin/id ixr, /{,usr/}bin/igawk ixr, /{,usr/}bin/infocmp ixr, /{,usr/}bin/kill ixr, /{,usr/}bin/ldd ixr, /{usr/,}lib{,32,64}/ld{,32,64}-.so ix, /{usr/,}lib/@{multiarch}/ld{,32,64}-.so* ix, /{,usr/}bin/less{,file,pipe} ixr, /{,usr/}bin/ln ixr, /{,usr/}bin/line ixr, /{,usr/}bin/link ixr, /{,usr/}bin/locale ixr, /{,usr/}bin/logger ixr, /{,usr/}bin/ls ixr, /{,usr/}bin/md5sum ixr, /{,usr/}bin/mkdir ixr, /{,usr/}bin/mkfifo ixr, /{,usr/}bin/mknod ixr, /{,usr/}bin/mktemp ixr, /{,usr/}bin/more ixr, /{,usr/}bin/mv ixr, /{,usr/}bin/nice ixr, /{,usr/}bin/nohup ixr, /{,usr/}bin/numfmt ixr, /{,usr/}bin/od ixr, /{,usr/}bin/openssl ixr, # may cause harmless capability block_suspend denial /{,usr/}bin/paste ixr, /{,usr/}bin/pgrep ixr, /{,usr/}bin/printenv ixr, /{,usr/}bin/printf ixr, /{,usr/}bin/ps ixr, /{,usr/}bin/pwd ixr, /{,usr/}bin/readlink ixr, /{,usr/}bin/realpath ixr, /{,usr/}bin/rev ixr, /{,usr/}bin/rm ixr, /{,usr/}bin/rmdir ixr, /{,usr/}bin/run-parts ixr, /{,usr/}bin/sed ixr, /{,usr/}bin/seq ixr, /{,usr/}bin/setpriv ixr, /{,usr/}bin/sha{1,224,256,384,512}sum ixr, /{,usr/}bin/shuf ixr, /{,usr/}bin/sleep ixr, /{,usr/}bin/sort ixr, /{,usr/}bin/stat ixr, /{,usr/}bin/stdbuf ixr, /{,usr/}bin/stty ixr, /{,usr/}bin/sync ixr, /{,usr/}bin/systemd-cat ixr, /{,usr/}bin/tac ixr, /{,usr/}bin/tail ixr, /{,usr/}bin/tar ixr, /{,usr/}bin/tee ixr, /{,usr/}bin/test ixr, /{,usr/}bin/tempfile ixr, /{,usr/}bin/tset ixr, /{,usr/}bin/touch ixr, /{,usr/}bin/tput ixr, /{,usr/}bin/tr ixr, /{,usr/}bin/true ixr, /{,usr/}bin/tty ixr, /{,usr/}bin/uname ixr, /{,usr/}bin/uniq ixr, /{,usr/}bin/unlink ixr, /{,usr/}bin/unxz ixr, /{,usr/}bin/unzip ixr, /{,usr/}bin/uptime ixr, /{,usr/}bin/vdir ixr, /{,usr/}bin/vim.tiny ixr, /{,usr/}bin/wc ixr, /{,usr/}bin/which{,.debianutils} ixr, /{,usr/}bin/xargs ixr, /{,usr/}bin/xz ixr, /{,usr/}bin/yes ixr, /{,usr/}bin/zcat ixr, /{,usr/}bin/z{,e,f}grep ixr, /{,usr/}bin/zip ixr, /{,usr/}bin/zipgrep ixr, # lsb-release /usr/bin/lsb_release ixr, /usr/bin/ r, /usr/share/distro-info/.csv r, # For printing the cache (we don't allow updating the cache) /{,usr/}sbin/ldconfig{,.real} ixr, # Allow all snaps to chroot /{,usr/}sbin/chroot ixr, # Description: Can change to any apparmor profile (including unconfined) thus # giving access to all resources of the system so LXD may manage what to give # to its containers. This gives device ownership to connected snaps. @{PROC}//attr/{,apparmor/}current r, /{,usr/}{,s}bin/aa-exec ux, # Allow discovering the os-release of the host /var/lib/snapd/hostfs/{etc,usr/lib}/os-release r, # Description: Can query system status information. This is restricted because # it gives privileged read access to all processes on the system and should # only be used with trusted apps. # Needed by 'ps' @{PROC}/tty/drivers r, # This ptrace is an information leak. Intentionlly omit 'ptrace (trace)' here # since since ps doesn't actually need to trace other processes. Note this # allows a number of accesses (assuming the associated /proc file is allowed), # such as various memory address locations and esp/eip via /proc//stat, # /proc//mem, /proc//personality, /proc//stack, /proc//syscall, # /proc//timerslack_ns and /proc//wchan (see man proc). # # Some files like /proc/kallsyms (but anything using %pK format specifier) need # 'capability syslog' when /proc/sys/kernel/kptr_restrict=1, but we # intentionally do not allow since it could be used to defeat KASLR. ptrace (read), # Other miscellaneous accesses for observing the system @{PROC}/cgroups r, @{PROC}/locks r, @{PROC}/modules r, @{PROC}/mdstat r, @{PROC}/schedstat r, @{PROC}/stat r, @{PROC}/vmstat r, @{PROC}/zoneinfo r, @{PROC}/diskstats r, @{PROC}/kallsyms r, @{PROC}/partitions r, @{PROC}/pressure/cpu r, @{PROC}/pressure/io r, @{PROC}/pressure/memory r, @{PROC}/sys/kernel/panic r, @{PROC}/sys/kernel/panic_on_oops r, @{PROC}/sys/kernel/sched_autogroup_enabled r, @{PROC}/sys/vm/max_map_count r, @{PROC}/sys/vm/panic_on_oom r, @{PROC}/sys/vm/swappiness r, # These are not process-specific (/proc//... and /proc//task//...) @{PROC}//{,task/,task//} r, @{PROC}//{,task//}autogroup r, @{PROC}//{,task//}auxv r, @{PROC}//{,task//}cgroup r, @{PROC}//{,task//}cmdline r, @{PROC}//{,task//}comm r, @{PROC}//{,task//}exe r, @{PROC}//{,task//}fdinfo/ r, @{PROC}//{,task//}io r, @{PROC}//{,task//}oom_score r, # allow reading of smaps_rollup, which is a summary of the memory use of a process, # but not smaps which contains a detailed mappings breakdown like # /proc/self/maps, which we do not allow access to for other processes @{PROC}//{,task//}smaps_rollup r, @{PROC}//{,task//}schedstat r, @{PROC}//{,task//}stat r, @{PROC}//{,task//}statm r, @{PROC}//{,task//}status r, @{PROC}//{,task//}wchan r, # Allow reading processes security label @{PROC}//{,task//}attr/{,apparmor/}current r, # Allow discovering the os-release of the host /var/lib/snapd/hostfs/etc/os-release rk, /var/lib/snapd/hostfs/usr/lib/os-release rk, # Allow discovering the Kernel build config @{PROC}/config.gz r, /boot/config* r, # Allow discovering system-wide CFS Bandwidth Control information # https://www.kernel.org/doc/html/latest/scheduler/sched-bwc.html /sys/fs/cgroup/cpu,cpuacct/cpu.cfs_period_us r, /sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r, /sys/fs/cgroup/cpu,cpuacct/cpu.shares r, /sys/fs/cgroup/cpu,cpuacct/cpu.stat r, /sys/fs/cgroup/memory/memory.stat r, #include <abstractions/dbus-strict> # do not use peer=(label=unconfined) here since this is DBus activated dbus (send) bus=system path=/org/freedesktop/hostname1 interface=org.freedesktop.DBus.Properties member=Get{,All}, # Allow clients to introspect hostname1 # do not use peer=(label=unconfined) here since this is DBus activated dbus (send) bus=system path=/org/freedesktop/hostname1 interface=org.freedesktop.DBus.Introspectable member=Introspect, # Allow clients to enumerate DBus connection names on common buses dbus (send) bus={session,system} path={/,/org/freedesktop/DBus} interface=org.freedesktop.DBus member={ListNames,ListActivatableNames} peer=(label=unconfined), # Allow clients to obtain the DBus machine ID on common buses. We do not # mediate the path since any peer can be used. dbus (send) bus={session,system} interface=org.freedesktop.DBus.Peer member=GetMachineId peer=(label=unconfined), # Allow clients to get properties of systemd (the manager) and # units dbus (send) bus=system interface=org.freedesktop.DBus.Properties path=/org/freedesktop/systemd1{,/*} member=Get{,All} peer=(label=unconfined), # Allow clients to explicitly list units with some of their details (path, # status) and get unit path, see # https://www.freedesktop.org/wiki/Software/systemd/dbus/ for details dbus (send) bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member={GetUnit,ListUnits} peer=(label=unconfined), # Allow reading if protected hardlinks are enabled, but don't allow enabling or # disabling them @{PROC}/sys/fs/protected_hardlinks r, @{PROC}/sys/fs/protected_symlinks r, @{PROC}/sys/fs/protected_fifos r, @{PROC}/sys/fs/protected_regular r, # allow use of user namespaces userns, # While commands like 'ps', 'ip netns identify <pid>', 'ip netns pids foo', etc # trigger a 'ptrace (trace)' denial, they aren't actually tracing other # processes. Unfortunately, the kernel overloads trace such that the LSMs are # unable to distinguish between tracing other processes and other accesses. # ptrace (trace) can be used to break out of the seccomp sandbox unless the # kernel has 93e35efb8de45393cf61ed07f7b407629bf698ea (in 4.8+). Until snapd # has full ptrace support conditional on kernel support, explicitly deny to # silence noisy denials/avoid confusion and accidentally giving away this # dangerous access frivolously. deny ptrace (trace), deny capability sys_ptrace, } ��snap-confine.snapd.24718��0000644��00000076543�15027571546�0010672 0��ustar�00��# Author: Jamie Strandboge <jamie@canonical.com> #include <tunables/global> #include if exists "/etc/apparmor.d/tunables/home.d/" @{SNAP_MOUNT_DIR_LIST}="{,/var/lib/snapd}/snap" /snap/snapd/24718/usr/lib/snapd/snap-confine (attach_disconnected) { # Include any additional files that snapd chose to generate. # - for $HOME on remote file system. # - for $HOME on encrypted media # # Those are discussed on https://forum.snapcraft.io/t/snapd-vs-upstream-kernel-vs-apparmor # and https://forum.snapcraft.io/t/snaps-and-nfs-home/ #include "/var/lib/snapd/apparmor/snap-confine.internal" # We run privileged, so be fanatical about what we include and don't use # any abstractions /etc/ld.so.cache r, /etc/ld.so.preload r, # Do not assume that the interpreter is always named like # ld-linux-x86_64.so, as on some architectures there can be a version after # the .so suffix, eg. ld-linux-aarch64.so.1 /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}ld{-,64}.so mrix, # libc, you are funny /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libc{,-[0-9]}.so* mr, /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libpthread{,-[0-9]}.so* mr, /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libreadline{,-[0-9]}.so* mr, /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}librt{,-[0-9]}.so* mr, /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libgcc_s.so mr, /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libncursesw{,-[0-9]}.so* mr, /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libresolv{,-[0-9]}.so* mr, /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libselinux.so mr, /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libpcre{,2}{,-[0-9]}.so* mr, /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libmount.so mr, /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libblkid.so mr, /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libuuid.so mr, # normal libs in order /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libapparmor.so mr, /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcgmanager.so mr, /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libdl{,-[0-9]}.so* mr, /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnih.so mr, /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnih-dbus.so mr, /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libdbus-1.so mr, /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libudev.so mr, /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libseccomp.so mr, /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcap.so mr, /snap/snapd/24718/usr/lib/snapd/snap-confine mr, # This rule is needed when executing from a "base: core" devmode snap on # UC18 and newer where the /snap/snapd/24718/usr/lib/snapd/snap-confine inside the # "base: core" mount namespace always comes from the snapd snap, and thus # we will execute snap-confine via this path, and thus need to be able to # read this path when executing. It's also necessary on classic where both # the snapd and the core snap are installed at the same time. # TODO: remove this rule when we stop supporting executing other snaps from # inside devmode snaps, ideally even in the short term we would only include # this rule on core only, and specifically uc18 and newer where we need it /usr/lib/snapd/snap-confine mr, /dev/null rw, /dev/full rw, /dev/zero rw, /dev/random r, /dev/urandom r, /dev/pts/[0-9]* rw, /dev/tty rw, # SNAP_MOUNT_DIR probe logic /proc/1/root/snap r, # cgroup: devices capability sys_admin, capability dac_read_search, capability dac_override, /sys/fs/cgroup/ r, /sys/fs/cgroup/devices/ r, /sys/fs/cgroup/devices/snap./ rw, /sys/fs/cgroup/devices/snap./cgroup.procs w, /sys/fs/cgroup/devices/snap./devices.{allow,deny} w, # cgroup: freezer # Allow creating per-snap cgroup freezers and adding snap command (task) # invocations to the freezer. This allows for reliably enumerating all # running processes for the snap. In addition, allow enumerating processes # in the cgroup to determine if it is occupied. /sys/fs/cgroup/freezer/ r, /sys/fs/cgroup/freezer/snap./ w, /sys/fs/cgroup/freezer/snap./cgroup.procs rw, /sys/fs/cgroup/ r, /sys/fs/cgroup/* r, # cgroup: reading own cgroup @{PROC}/@{pid}/cgroup r, # cgroup: manage bpf map for device cgroup /sys/fs/bpf/ r, /sys/fs/bpf/snap/ rw, /sys/fs/bpf/snap/* rw, # s-c may need to raise the memlock limit capability sys_resource, # querying udev /etc/udev/udev.conf r, /sys//uevent r, /run/udev/ rw, /{,usr/}bin/tr ixr, /usr/lib/locale/** r, /usr/lib/@{multiarch}/gconv/gconv-modules r, /usr/lib/@{multiarch}/gconv/gconv-modules.cache r, # priv dropping capability setuid, capability setgid, # changing profile @{PROC}/[0-9]/attr/{,apparmor/}exec w, # Reading current profile @{PROC}/[0-9]/attr/{,apparmor/}current r, # Reading available filesystems @{PROC}/filesystems r, # To find where apparmor is mounted @{PROC}/[0-9]/mounts r, # To find if apparmor is enabled /sys/module/apparmor/parameters/enabled r, # For detecting if we're in a container /run/systemd/container r, # Don't allow changing profile to unconfined or profiles that start with # '/'. Use 'unsafe' to support snap-exec on armhf and its reliance on # the environment for determining the capabilities of the architecture. # 'unsafe' is ok here because the kernel will have already cleared the # environment as part of launching snap-confine with CAP_SYS_ADMIN. This # does leave directories as configured by ld.so.preload as well as # LD_PRELOAD to be set to a library which is in a directory configured by # ld.so.conf, but access to those locations is mediated by this profile # (which requires rules for specific locations). # TODO: use GenerateAAREExclusionPatterns for this, though the first # rule and the fact that the generative aspect is not an absolute filepath # complicate using that function directly change_profile unsafe /* -> [^u/], change_profile unsafe / -> u[^n], change_profile unsafe / -> un[^c], change_profile unsafe / -> unc[^o], change_profile unsafe / -> unco[^n], change_profile unsafe / -> uncon[^f], change_profile unsafe / -> unconf[^i], change_profile unsafe / -> unconfi[^n], change_profile unsafe / -> unconfin[^e], change_profile unsafe / -> unconfine[^d], change_profile unsafe / -> unconfined?, # allow changing to a few not caught above change_profile unsafe / -> {u,un,unc,unco,uncon,unconf,unconfi,unconfin,unconfine}, # LP: #1446794 - when this bug is fixed, change the above to: # deny change_profile unsafe / -> {unconfined,/}, # change_profile unsafe / -> , # reading seccomp filters. # Note 1: We still need to consider .bin extension because of global.bin file. # Note 2: This rule is not needed because of rule '/var/lib/** rw', however we keep it because at # some point we want to investigate if we can narrow the scope of the aforementioned rule. /{tmp/snap.rootfs_/,}var/lib/snapd/seccomp/bpf/.bin{,2} r, # adding a missing bpf mount mount fstype=bpf options=(rw) bpf -> /sys/fs/bpf/, # For mounting base dir by dir (write dirs and mount on them) /tmp/snap.rootfs_** rw, mount options=(remount ro) -> /tmp/snap.rootfs_/, mount options=(rw rbind) @{SNAP_MOUNT_DIR_LIST}//// -> /tmp/snap.rootfs_/, # For mounting individual files mount options=(rw bind) @{SNAP_MOUNT_DIR_LIST}///* -> /tmp/snap.rootfs_/, mount options=(rw rslave) -> /tmp/snap.rootfs_/, # Allow mounting dirs from / mount options=(rw rbind) // -> /tmp/snap.rootfs_*/, # LP: #1668659 and parallel instances of classic snaps mount options=(rw rbind) /snap/ -> /snap/, mount options=(rw rshared) -> /snap/, mount options=(rw rbind) /var/lib/snapd/snap/ -> /var/lib/snapd/snap/, mount options=(rw rshared) -> /var/lib/snapd/snap/, # boostrapping the mount namespace /tmp/snap.rootfs_/ rw, mount fstype=tmpfs none -> /tmp/snap.rootfs_/, mount options=(rw rshared) -> /, mount options=(rw bind) /tmp/snap.rootfs_/ -> /tmp/snap.rootfs_/, mount options=(rw unbindable) -> /tmp/snap.rootfs_/, # the next line is for classic system mount options=(rw rbind) @{SNAP_MOUNT_DIR_LIST}/// -> /tmp/snap.rootfs_/, # the next line is for core system mount options=(rw rbind) / -> /tmp/snap.rootfs_/, # all of the constructed rootfs is a rslave mount options=(rw rslave) -> /tmp/snap.rootfs_/, # bidirectional mounts (for both classic and core) # NOTE: this doesn't capture the MERGED_USR configuration option so that # when a distro with merged /usr and / that uses apparmor shows up it # should be handled here. /{,run/}media/ w, mount options=(rw rbind) /{,run/}media/ -> /tmp/snap.rootfs_/{,run/}media/, /run/netns/ w, mount options=(rw rbind) /run/netns/ -> /tmp/snap.rootfs_/run/netns/, # unidirectional mounts (only for classic system) mount options=(rw rbind) /dev/ -> /tmp/snap.rootfs_/dev/, mount options=(rw rslave) -> /tmp/snap.rootfs_/dev/, mount options=(rw rbind) /etc/ -> /tmp/snap.rootfs_/etc/, mount options=(rw rslave) -> /tmp/snap.rootfs_/etc/, mount options=(rw rbind) /home/ -> /tmp/snap.rootfs_/home/, mount options=(rw rslave) -> /tmp/snap.rootfs_/home/, mount options=(rw rbind) /root/ -> /tmp/snap.rootfs_/root/, mount options=(rw rslave) -> /tmp/snap.rootfs_/root/, mount options=(rw rbind) /proc/ -> /tmp/snap.rootfs_/proc/, mount options=(rw rslave) -> /tmp/snap.rootfs_/proc/, mount options=(rw rbind) /sys/ -> /tmp/snap.rootfs_/sys/, mount options=(rw rslave) -> /tmp/snap.rootfs_/sys/, mount options=(rw rbind) /tmp/ -> /tmp/snap.rootfs_/tmp/, mount options=(rw rslave) -> /tmp/snap.rootfs_/tmp/, mount options=(rw rbind) /var/lib/dhcp/ -> /tmp/snap.rootfs_/var/lib/dhcp/, mount options=(rw rslave) -> /tmp/snap.rootfs_/var/lib/dhcp/, mount options=(rw rbind) /var/lib/snapd/ -> /tmp/snap.rootfs_/var/lib/snapd/, mount options=(rw rslave) -> /tmp/snap.rootfs_/var/lib/snapd/, mount options=(rw rbind) /var/snap/ -> /tmp/snap.rootfs_/var/snap/, mount options=(rw rslave) -> /tmp/snap.rootfs_/var/snap/, mount options=(rw rbind) /var/tmp/ -> /tmp/snap.rootfs_/var/tmp/, # /var/volatile is the default volatile location on Yocto/Poky, typically used with read-only rootfs setups mount options=(rw rbind) /var/volatile/tmp/ -> /tmp/snap.rootfs_/var/tmp/, mount options=(rw rslave) -> /tmp/snap.rootfs_/var/tmp/, mount options=(rw rbind) /run/ -> /tmp/snap.rootfs_/run/, mount options=(rw rslave) -> /tmp/snap.rootfs_/run/, mount options=(rw rbind) /var/lib/extrausers/ -> /tmp/snap.rootfs_/var/lib/extrausers/, mount options=(rw rslave) -> /tmp/snap.rootfs_/var/lib/extrausers/, mount options=(rw rbind) {,/usr}/lib{,32,64,x32}/modules/ -> /tmp/snap.rootfs_{,/usr}/lib/modules/, mount options=(rw rslave) -> /tmp/snap.rootfs_{,/usr}/lib/modules/, mount options=(rw rbind) {,/usr}/lib{,32,64,x32}/firmware/ -> /tmp/snap.rootfs_{,/usr}/lib/firmware/, mount options=(rw rslave) -> /tmp/snap.rootfs_{,/usr}/lib/firmware/, mount options=(rw rbind) /var/log/ -> /tmp/snap.rootfs_/var/log/, # /var/volatile is the default volatile location on Yocto/Poky, typically used with read-only rootfs setups mount options=(rw rbind) /var/volatile/log/ -> /tmp/snap.rootfs_/var/log/, mount options=(rw rslave) -> /tmp/snap.rootfs_/var/log/, mount options=(rw rbind) /usr/src/ -> /tmp/snap.rootfs_/usr/src/, mount options=(rw rslave) -> /tmp/snap.rootfs_/usr/src/, mount options=(rw rbind) /mnt/ -> /tmp/snap.rootfs_/mnt/, mount options=(rw rslave) -> /tmp/snap.rootfs_/mnt/, # allow making host snap-exec available inside base snaps mount options=(rw bind) /usr/lib/snapd/ -> /tmp/snap.rootfs_/usr/lib/snapd/, mount options=(rw slave) -> /tmp/snap.rootfs_/usr/lib/snapd/, # allow making re-execed host snap-exec available inside base snaps mount options=(ro bind) @{SNAP_MOUNT_DIR_LIST}/core//usr/lib/snapd/ -> /tmp/snap.rootfs_/usr/lib/snapd/, # allow making snapd snap tools available inside base snaps mount options=(ro bind) @{SNAP_MOUNT_DIR_LIST}/snapd//usr/lib/snapd/ -> /tmp/snap.rootfs_/usr/lib/snapd/, mount options=(rw bind) /usr/bin/snapctl -> /tmp/snap.rootfs_/usr/bin/snapctl, mount options=(rw slave) -> /tmp/snap.rootfs_/usr/bin/snapctl, # /etc/alternatives (classic and normal mode) mount options=(rw bind) @{SNAP_MOUNT_DIR_LIST}///etc/alternatives/ -> /tmp/snap.rootfs_/etc/alternatives/, mount options=(rw bind) @{SNAP_MOUNT_DIR_LIST}///etc/ssl/ -> /tmp/snap.rootfs_/etc/ssl/, mount options=(rw bind) @{SNAP_MOUNT_DIR_LIST}///etc/nsswitch.conf -> /tmp/snap.rootfs_/etc/nsswitch.conf, mount options=(rw bind) @{SNAP_MOUNT_DIR_LIST}///etc/apparmor/ -> /tmp/snap.rootfs_/etc/apparmor/, mount options=(rw bind) @{SNAP_MOUNT_DIR_LIST}///etc/apparmor.d/ -> /tmp/snap.rootfs_/etc/apparmor.d/, # /etc/alternatives (core/legacy mode) mount options=(rw bind) /etc/alternatives/ -> /tmp/snap.rootfs_/etc/alternatives/, # making all those directories slave shared. mount options=(rw slave) -> /tmp/snap.rootfs_/etc/alternatives/, mount options=(rw slave) -> /tmp/snap.rootfs_/etc/ssl/, mount options=(rw slave) -> /tmp/snap.rootfs_/etc/nsswitch.conf, mount options=(rw slave) -> /tmp/snap.rootfs_/etc/apparmor/, mount options=(rw slave) -> /tmp/snap.rootfs_/etc/apparmor.d/, # the /snap directory mount options=(rw rbind) @{SNAP_MOUNT_DIR_LIST}/ -> /tmp/snap.rootfs_/snap/, mount options=(rw rslave) -> /tmp/snap.rootfs_/snap/, # pivot_root preparation and execution mount options=(rw bind) /tmp/snap.rootfs_/var/lib/snapd/hostfs/ -> /tmp/snap.rootfs_/var/lib/snapd/hostfs/, mount options=(rw private) -> /tmp/snap.rootfs_/var/lib/snapd/hostfs/, # pivot_root mediation in AppArmor is not complete. See LP: #1791711. # However, we can mediate the new_root and put_old to be what we expect, # and then deny directory creation within old_root to prevent trivial # pivoting into an allowlisted path. pivot_root oldroot=/tmp/snap.rootfs_/var/lib/snapd/hostfs/ /tmp/snap.rootfs_/, # Explicitly deny creating the old_root directory in case it is # inadvertently added somewhere else. While this doesn't resolve # LP: #1791711, it provides some hardening. # For dir on dir mounts, we do need write permissions in /var though audit deny /tmp/snap.rootfs_/{var/lib/,var/lib/snapd/,var/lib/snapd/hostfs/} w, # cleanup umount /var/lib/snapd/hostfs/tmp/snap.rootfs_/, umount /var/lib/snapd/hostfs/sys/, umount /var/lib/snapd/hostfs/dev/, umount /var/lib/snapd/hostfs/proc/, mount options=(rw rslave) -> /var/lib/snapd/hostfs/, # Hide /writable from view of snaps. mount options=(rprivate) -> /{,var/lib/snapd/hostfs/}writable/, umount /{,var/lib/snapd/hostfs/}writable/, # set up user mount namespace mount options=(rslave) -> /, # set up mount namespace for parallel instances of classic snaps mount options=(rw rbind) @{SNAP_MOUNT_DIR_LIST}/{,/} -> @{SNAP_MOUNT_DIR_LIST}/{,/}, mount options=(rslave) -> @{SNAP_MOUNT_DIR_LIST}/, mount options=(rslave) -> /var/snap/, mount options=(rw rbind) /var/snap/{,/} -> /var/snap/{,/}, mount options=(rw rshared) -> /var/snap/, # Allow reading the os-release file (possibly a symlink to /usr/lib). /{etc/,usr/lib/}os-release r, # Allow creating /var/lib/snapd/hostfs, if missing /var/lib/snapd/hostfs/ rw, # set up snap-specific private /tmp dir capability chown, /tmp/ rw, /tmp/snap-private-tmp/ rw, /tmp/snap-private-tmp/snap./ rw, /tmp/snap-private-tmp/snap./tmp/ rw, mount options=(rw private) -> /tmp/, mount options=(rw bind) /tmp/snap-private-tmp/snap./tmp/ -> /tmp/, mount fstype=devpts options=(rw) devpts -> /dev/pts/, mount options=(rw bind) /dev/pts/ptmx -> /dev/ptmx, # for bind mounting mount options=(rw bind) /dev/pts/ptmx -> /dev/pts/ptmx, # for bind mounting under LXD # Workaround for LP: #1584456 on older kernels that mistakenly think # /dev/pts/ptmx needs a trailing '/' mount options=(rw bind) /dev/pts/ptmx/ -> /dev/ptmx/, mount options=(rw bind) /dev/pts/ptmx/ -> /dev/pts/ptmx/, # for running snaps on classic /snap/ r, /snap/ r, @{SNAP_MOUNT_DIR_LIST}/ r, @{SNAP_MOUNT_DIR_LIST}/ r, # NOTE: at this stage the /snap directory is stable as we have called # pivot_root already. # nvidia handling, glob needs /usr/ and the launcher must be # able to bind mount the nvidia dir /sys/module/nvidia/version r, /sys//drivers/nvidia{,_}/ r, /sys/*/nvidia/uevent r, /sys/module/nvidia{,_}/ r, /dev/nvidia[0-9]* r, /dev/nvidiactl r, /dev/nvidia-uvm r, /usr/** r, mount options=(rw bind) /usr/lib{,32}/nvidia-/ -> /{tmp/snap.rootfs_/,}var/lib/snapd/lib/gl{,32}/, mount options=(rw bind) /usr/lib{,32}/nvidia-/ -> /{tmp/snap.rootfs_/,}var/lib/snapd/lib/gl{,32}/, /tmp/snap.rootfs_/var/lib/snapd/lib/gl{,32}/{,} w, mount fstype=tmpfs options=(rw nodev noexec) none -> /tmp/snap.rootfs_/var/lib/snapd/lib/gl{,32}/, mount options=(remount ro bind) -> /tmp/snap.rootfs_/var/lib/snapd/lib/gl{,32}/, # Vulkan support /tmp/snap.rootfs_/var/lib/snapd/lib/vulkan/{,} w, mount fstype=tmpfs options=(rw nodev noexec) none -> /tmp/snap.rootfs_/var/lib/snapd/lib/vulkan/, mount options=(remount ro bind) -> /tmp/snap.rootfs_/var/lib/snapd/lib/vulkan/, # GLVND EGL vendor /tmp/snap.rootfs_/var/lib/snapd/lib/glvnd/{,} w, mount fstype=tmpfs options=(rw nodev noexec) none -> /tmp/snap.rootfs_/var/lib/snapd/lib/glvnd/, mount options=(remount ro bind) -> /tmp/snap.rootfs_/var/lib/snapd/lib/glvnd/, # create gl dirs as needed /tmp/snap.rootfs_/ r, /tmp/snap.rootfs_/var/ r, /tmp/snap.rootfs_/var/lib/ r, /tmp/snap.rootfs_/var/lib/snapd/ r, /tmp/snap.rootfs_/var/lib/snapd/lib/ r, /tmp/snap.rootfs_/var/lib/snapd/lib/gl{,32}/ r, /tmp/snap.rootfs_/var/lib/snapd/lib/gl{,32}/* rw, /tmp/snap.rootfs_/var/lib/snapd/lib/vulkan/ r, /tmp/snap.rootfs_/var/lib/snapd/lib/vulkan/** rw, /tmp/snap.rootfs_/var/lib/snapd/lib/glvnd/ r, /tmp/snap.rootfs_/var/lib/snapd/lib/glvnd/** rw, # for chroot on steroids, we use pivot_root as a better chroot that makes # apparmor rules behave the same on classic and outside of classic. # for creating the user data directories: ~/snap, ~/snap/<name> and # ~/snap/<name>/<version> / r, @{HOMEDIRS}/ r, # These should both have 'owner' match but due to LP: #1466234, we can't # yet @{HOME}/ r, @{HOME}/snap/{,/,//} rw, # experimental @{HOME}/.snap/ rw, @{HOME}/.snap/data/{,/,//} rw, @{HOME}/Snap/{,/,//} rw, # Special case for classic* snaps that are used by users with existing dirs # in /var/lib/. Like jenkins, postgresql, mysql, puppet, ... # (see https://forum.snapcraft.io/t/9717) # TODO: this can be removed once we support home-dirs outside of /home # better /var/ r, /var/lib/ r, # These should both have 'owner' match but due to LP: #1466234, we can't # yet /var/lib// r, /var/lib//snap/{,/,//} rw, # for creating the user shared memory directories /{dev,run}/{,shm/} r, # This should both have 'owner' match but due to LP: #1466234, we can't yet /{dev,run}/shm/{,/,//} rw, # for creating the user XDG_RUNTIME_DIR: /run/user, /run/user/UID and # /run/user/UID/<name> /run/user/{,[0-9]/,[0-9]//} rw, # Workaround https://launchpad.net/bugs/359338 until upstream handles # stacked filesystems generally. # encrypted ~/.Private and old-style encrypted $HOME @{HOME}/.Private/ r, @{HOME}/.Private/* mrwlk, # new-style encrypted $HOME @{HOMEDIRS}/.ecryptfs//.Private/ r, @{HOMEDIRS}/.ecryptfs//.Private/** mrwlk, # Allow snap-confine to move to the void, creating it if necessary. /var/lib/snapd/void/ rw, # Allow snap-confine to read snap contexts /var/lib/snapd/context/snap.* r, # Allow snap-confine to unmount stale mount namespaces. umount /run/snapd/ns/.mnt, /run/snapd/ns/snap..fstab w, # Allow snap-confine to read and write mount namespace information files. /run/snapd/ns/snap..info rw, # Required to correctly unmount bound mount namespace. # See LP: #1735459 for details. umount /, # support for locking /run/snapd/lock/ rw, /run/snapd/lock/.lock rwk, # support for the mount namespace sharing capability sys_ptrace, # allow snap-confine to read /proc/1/ns/mnt ptrace read peer=unconfined, # https://forum.snapcraft.io/t/custom-kernel-error-on-readlinkat-in-mount-namespace/6097/21 ptrace trace peer=unconfined, mount options=(rw rbind) /run/snapd/ns/ -> /run/snapd/ns/, mount options=(private) -> /run/snapd/ns/, / rw, /run/ rw, /run/snapd/ rw, /run/snapd/ns/ rw, /run/snapd/ns/.lock rwk, /run/snapd/ns/.mnt rw, ptrace (read, readby, tracedby) peer=/snap/snapd/24718/usr/lib/snapd/snap-confine//mount-namespace-capture-helper, @{PROC}//mountinfo r, capability sys_chroot, capability sys_admin, signal (send, receive) set=(abrt) peer=/snap/snapd/24718/usr/lib/snapd/snap-confine, signal (send) set=(int) peer=/snap/snapd/24718/usr/lib/snapd/snap-confine//mount-namespace-capture-helper, signal (send, receive) set=(int, alrm, exists) peer=/snap/snapd/24718/usr/lib/snapd/snap-confine, signal (receive) set=(exists) peer=/snap/snapd/24718/usr/lib/snapd/snap-confine//mount-namespace-capture-helper, # workaround for linux 4.13/upstream, see # https://forum.snapcraft.io/t/snapd-2-27-6-2-in-debian-sid-blocked-on-apparmor-in-kernel-4-13-0-1/2813/3 ptrace (trace, tracedby) peer=/snap/snapd/24718/usr/lib/snapd/snap-confine, # Allow reading snap cookies. /var/lib/snapd/cookie/snap. r, # For aa_change_hat() to go into ^mount-namespace-capture-helper @{PROC}/[0-9]/attr/{,apparmor/}current w, # As a special exception allow snap-confine to write to anything in /var/lib. # This code should be changed to allow delegation so that snap-confine can # inherit any file descriptor and pass it to the invoked application but # this is not possible in apparmor yet. # See https://bugs.launchpad.net/snapd/+bug/1815869 /var/lib/* rw, ^mount-namespace-capture-helper (attach_disconnected) { # We run privileged, so be fanatical about what we include and don't use # any abstractions /etc/ld.so.cache r, /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}ld{-,64}.so* mrix, # libc, you are funny /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libc{,-[0-9]}.so* mr, /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libpthread{,-[0-9]}.so* mr, /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libreadline{,-[0-9]}.so* mr, /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}librt{,-[0-9]}.so* mr, /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libgcc_s.so mr, /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libncursesw{,-[0-9]}.so* mr, /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libresolv{,-[0-9]}.so* mr, /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libselinux.so mr, /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libpcre.so mr, /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libmount.so mr, /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libblkid.so mr, /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libuuid.so mr, # normal libs in order /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libapparmor.so mr, /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcgmanager.so mr, /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libdl{,-[0-9]}.so* mr, /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnih.so mr, /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnih-dbus.so mr, /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libdbus-1.so mr, /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libudev.so mr, /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libseccomp.so mr, /{,{,var/lib/snapd/}snap/{snapd,core}//}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcap.so mr, /snap/snapd/24718/usr/lib/snapd/snap-confine mr, /dev/null rw, /dev/full rw, /dev/zero rw, /dev/random r, /dev/urandom r, capability sys_ptrace, capability sys_admin, # This allows us to read and bind mount the namespace file / r, @{PROC}/ r, @{PROC}// r, @{PROC}//ns/ r, @{PROC}//ns/mnt r, /run/ r, /run/snapd/ r, /run/snapd/ns/ r, /run/snapd/ns/.mnt rw, # NOTE: the source name is / even though we map /proc/123/ns/mnt mount options=(rw bind) / -> /run/snapd/ns/.mnt, # This is the SIGALRM that we send and receive if a timeout expires signal (send, receive) set=(alrm) peer=/snap/snapd/24718/usr/lib/snapd/snap-confine//mount-namespace-capture-helper, # Those two rules are exactly the same but we don't know if the parent process is still alive # and hence has the appropriate label or is already dead and hence has no label. signal (send) set=(exists) peer=/snap/snapd/24718/usr/lib/snapd/snap-confine, signal (send) set=(exists) peer=unconfined, # This is so that we can abort signal (send, receive) set=(abrt) peer=/snap/snapd/24718/usr/lib/snapd/snap-confine//mount-namespace-capture-helper, # This is the signal we get if snap-confine dies (we subscribe to it with prctl) signal (receive) set=(int) peer=/snap/snapd/24718/usr/lib/snapd/snap-confine, # This allows snap-confine to be killed from the outside. signal (receive) peer=unconfined, # This allows snap-confine to wait for us ptrace (read, trace, tracedby) peer=/snap/snapd/24718/usr/lib/snapd/snap-confine, } # Allow snap-confine to be killed signal (receive) peer=unconfined, # Allow switching to snap-update-ns with a per-snap profile. change_profile -> snap-update-ns., # Allow executing snap-update-ns when... # ...snap-confine is, conceptually, re-executing and uses snap-update-ns # from the distribution package. This is also the location used when using # the core/base snap on all-snap systems. The variants here represent # various locations of libexecdir across distributions. /usr/lib{,exec,64}/snapd/snap-update-ns r, # ...snap-confine is not, conceptually, re-executing and uses # snap-update-ns from the distribution package but we are already inside # the constructed mount namespace so we must traverse "hostfs". The # variants here represent various locations of libexecdir across # distributions. /var/lib/snapd/hostfs/usr/lib{,exec,64}/snapd/snap-update-ns r, # ..snap-confine is, conceptually, re-executing and uses snap-update-ns # from the core or snapd snaps. Note that the location of the actual snap # varies from distribution to distribution. The variants here represent # different locations of snap mount directory across distributions. /{,var/lib/snapd/}snap/{core,snapd}//usr/lib/snapd/snap-update-ns r, # ...snap-confine is, conceptually, re-executing and uses snap-update-ns # from the core snap or snapd snap, but we are already inside the # constructed mount namespace. Here the apparmor kernel module # re-constructs the path to snap-update-ns using the "hostfs" mount entry # rather than the more "natural" /snap mount entry but we have no control # over that. This is reported as (LP: #1716339). The variants here # represent different locations of snap mount directory across # distributions. /var/lib/snapd/hostfs/{,var/lib/snapd/}snap/{core,snapd}//usr/lib/snapd/snap-update-ns r, # Allow executing snap-discard-ns, just like the set for snap-update-ns # above but with the key difference that snap-discard-ns does not # have a dedicated profile so we need to inherit snap-confine's profile. /usr/lib{,exec,64}/snapd/snap-discard-ns rix, /var/lib/snapd/hostfs/usr/lib{,exec,64}/snapd/snap-discard-ns rix, /{,var/lib/snapd/}snap/{core,snapd}//usr/lib/snapd/snap-discard-ns rix, /var/lib/snapd/hostfs/{,var/lib/snapd/}snap/{core,snapd}//usr/lib/snapd/snap-discard-ns rix, # Allow mounting /var/lib/jenkins from the host into the snap. mount options=(rw rbind) /var/lib/jenkins/ -> /tmp/snap.rootfs_/var/lib/jenkins/, mount options=(rw rslave) -> /tmp/snap.rootfs_/var/lib/jenkins/, # Suppress noisy file_inherit denials (LP: #1850552) until LP: #1849753 is # fixed. deny /dev/shm/.org.chromium.Chromium.* rw, # While snap-confine itself doesn't require unix rules and therefore all # unix rules are implicitly denied, adding an explicit deny for unix to # silence noisy denials breaks nested lxd. Until the cause is determined, # do not use an explicit deny for unix. (LP: #1855355) #deny unix, # Explicitly deny these accesses which show up on Arch to silence the # denials for this unneeded access. deny /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnss_files-[0-9].so mr, deny /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnss_mymachines.[0-9].so mr, deny /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnss_systemd.[0-9].so mr, deny /etc/nsswitch.conf r, deny /etc/passwd r, } ��snap.lxd.activate��0000644��00000067440�15027571546�0010044 0��ustar�00�� # vim:syntax=apparmor #include <tunables/global> #include if exists "/etc/apparmor.d/tunables/home.d" #include if exists "/var/lib/snapd/apparmor/snap-tuning" # snapd supports the concept of 'parallel installs' where snaps with the same # name are differentiated by '_<instance>' such that foo, foo_bar and foo_baz # may all be installed on the system. To support this, SNAP_NAME is set to the # name (eg, 'foo') while SNAP_INSTANCE_NAME is set to the instance name (eg # 'foo_bar'). The profile name and most rules therefore reference # SNAP_INSTANCE_NAME. In some cases, snapd will adjust the snap's runtime # environment so the snap doesn't have to be aware of the distinction (eg, # SNAP, SNAP_DATA and SNAP_COMMON are all bind mounted onto a directory with # SNAP_NAME so the security policy will allow writing to both locations (since # they are equivalent). # This is a snap name without the instance key @{SNAP_NAME}="lxd" # This is a snap name with instance key @{SNAP_INSTANCE_NAME}="lxd" @{SNAP_INSTANCE_DESKTOP}="lxd" @{SNAP_COMMAND_NAME}="activate" @{SNAP_REVISION}="31333" @{PROFILE_DBUS}="snap_2elxd_2eactivate" @{INSTALL_DIR}="/{,var/lib/snapd/}snap" profile "snap.lxd.activate" flags=(attach_disconnected,mediate_deleted) { #include <abstractions/base> #include <abstractions/consoles> #include <abstractions/openssl> # While in later versions of the base abstraction, include this explicitly # for series 16 and cross-distro /etc/ld.so.preload r, # The base abstraction doesn't yet have this /etc/sysconfig/clock r, owner @{PROC}/@{pid}/maps k, # /proc/XXXX/map_files contains the same info than /proc/XXXX/maps, but # in a format that is simpler to manage, because it doesn't require to # parse the text data inside a file, but just reading the contents of # a directory. # Reading /proc/XXXX/maps is already allowed in the base template # via <abstractions/base>. Also, only the owner can read it, and the # kernel limits access to it by requiring 'ptrace' enabled, so allowing # to access /proc/XXXX/map_files can be considered secure too. owner @{PROC}/@{pid}/map_files/ r, # While the base abstraction has rules for encryptfs encrypted home and # private directories, it is missing rules for directory read on the toplevel # directory of the mount (LP: #1848919) owner @{HOME}/.Private/ r, owner @{HOMEDIRS}/.ecryptfs//.Private/ r, # for python apps/services #include <abstractions/python> /etc/python3.[0-9]/** r, # explicitly deny noisy denials to read-only filesystems (see LP: #1496895 # for details) deny /usr/lib/python3/{,/}__pycache__/ w, deny /usr/lib/python3/{,/}__pycache__/.pyc.[0-9]* w, # bind mount used here (see 'parallel installs', above) deny @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}//__pycache__/ w, deny @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}//__pycache__/.pyc.[0-9] w, # for perl apps/services #include <abstractions/perl> # Missing from perl abstraction /usr/lib/@{multiarch}/perl{,5,-base}/auto/*.so mr, # Note: the following dangerous accesses should not be allowed in most # policy, but we cannot explicitly deny since other trusted interfaces might # add them. # Explicitly deny ptrace for now since it can be abused to break out of the # seccomp sandbox. https://lkml.org/lkml/2015/3/18/823 #audit deny ptrace (trace), # Explicitly deny capability mknod so apps can't create devices #audit deny capability mknod, # Explicitly deny mount, remount and umount so apps can't modify things in # their namespace #audit deny mount, #audit deny remount, #audit deny umount, # End dangerous accesses # Note: this potentially allows snaps to DoS other snaps via resource # exhaustion but we can't sensibly mediate this today. In the future we may # employ cgroup limits, AppArmor rlimit mlock rules or something else. capability ipc_lock, # for bash 'binaries' (do not use abstractions/bash) # user-specific bash files /etc/bash.bashrc r, /etc/inputrc r, /etc/environment r, /etc/profile r, # user/group/seat lookups /etc/{passwd,group,nsswitch.conf} r, # very common /var/lib/extrausers/{passwd,group} r, /run/systemd/users/[0-9]* r, /etc/default/nss r, # libnss-systemd (subset from nameservice abstraction) # # https://systemd.io/USER_GROUP_API/ # https://systemd.io/USER_RECORD/ # https://www.freedesktop.org/software/systemd/man/nss-systemd.html # # Allow User/Group lookups via common VarLink socket APIs. Applications need # to either consult all of them or the io.systemd.Multiplexer frontend. /run/systemd/userdb/ r, /run/systemd/userdb/io.systemd.Multiplexer rw, /run/systemd/userdb/io.systemd.DynamicUser rw, # systemd-exec users /run/systemd/userdb/io.systemd.Home rw, # systemd-home dirs /run/systemd/userdb/io.systemd.NameServiceSwitch rw, # UNIX/glibc NSS /run/systemd/userdb/io.systemd.Machine rw, # systemd-machined /etc/libnl-3/{classid,pktloc} r, # apps that use libnl # For snappy reexec on 4.8+ kernels /usr/lib/snapd/snap-exec m, # For gdb support /usr/lib/snapd/snap-gdb-shim ixr, /usr/lib/snapd/snap-gdbserver-shim ixr, # For in-snap tab completion /etc/bash_completion.d/{,} r, /usr/lib/snapd/etelpmoc.sh ixr, # marshaller (see complete.sh for out-of-snap unmarshal) /usr/share/bash-completion/bash_completion r, # user-provided completions (run in-snap) may use functions from here # uptime @{PROC}/uptime r, @{PROC}/loadavg r, # Allow reading /etc/os-release. On Ubuntu 16.04+ it is a symlink to /usr/lib # which is allowed by the base abstraction, but on 14.04 it is an actual file # so need to add it here. Also allow read locks on the file. /etc/os-release rk, /usr/lib/os-release k, # Debian version of the host OS which might be required in AppArmor-secured Debian /etc/debian_version r, # systemd native journal API (see sd_journal_print(4)). This should be in # AppArmor's base abstraction, but until it is, include here. We include # the base journal path as well as the journal namespace pattern path. Each # journal namespace for quota groups will be prefixed with 'snap-'. /run/systemd/journal{,.snap-}/socket w, /run/systemd/journal{,.snap-}/stdout rw, # 'r' shouldn't be needed, but journald # doesn't leak anything so allow /run/systemd/journal{,.snap-}/dev-log w, # snapctl and its requirements /usr/bin/snapctl ixr, /usr/lib/snapd/snapctl ixr, @{PROC}/sys/net/core/somaxconn r, /run/snapd-snap.socket rw, # Note: for now, don't explicitly deny this noisy denial so --devmode isn't # broken but eventually we may conditionally deny this since it is an # information leak. #deny /{,var/}run/utmp r, # java @{PROC}/@{pid}/ r, @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/auxv r, @{PROC}/sys/vm/zone_reclaim_mode r, /etc/lsb-release r, /sys/devices//read_ahead_kb r, /sys/devices/system/cpu/ r, /sys/devices/system/node/node[0-9]/ r, /sys/kernel/mm/transparent_hugepage/enabled r, /sys/kernel/mm/transparent_hugepage/defrag r, # NOTE: this leaks running process but java seems to want it (even though it # seems to operate ok without it) and SDL apps crash without it. Allow owner # match until AppArmor kernel var is available to solve this properly (see # LP: #1546825 for details). comm is a subset of cmdline, so allow it too. owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/comm r, # Per man(5) proc, the kernel enforces that a thread may only modify its comm # value or those in its thread group. owner @{PROC}/@{pid}/task/@{tid}/comm rw, # Allow reading and writing to our file descriptors in /proc which, for # example, allow access to /dev/std{in,out,err} which are all symlinks to # /proc/self/fd/{0,1,2} respectively. To support the open(..., O_TMPFILE) # linkat() temporary file technique, allow all fds. Importantly, access to # another task's fd via this proc interface is mediated via 'ptrace (read)' # (readonly) and 'ptrace (trace)' (read/write) which is denied by default, so # this rule by itself doesn't allow opening another snap's fds via proc. owner @{PROC}/@{pid}/{,task/@{tid}}fd/[0-9]* rw, # Miscellaneous accesses /dev/{,u}random w, /etc/machine-id r, /etc/mime.types r, /etc/default/keyboard r, @{PROC}/ r, @{PROC}/version r, @{PROC}/version_signature r, /etc/{,writable/}hostname r, /etc/{,writable/}localtime r, /etc/{,writable/}mailname r, /etc/{,writable/}timezone r, owner @{PROC}/@{pid}/cgroup rk, @{PROC}/@{pid}/cpuset r, @{PROC}/@{pid}/io r, owner @{PROC}/@{pid}/fdinfo/* r, owner @{PROC}/@{pid}/limits r, owner @{PROC}/@{pid}/loginuid r, owner @{PROC}/@{pid}/sessionid r, @{PROC}/@{pid}/smaps r, @{PROC}/@{pid}/stat r, @{PROC}/@{pid}/statm r, @{PROC}/@{pid}/status r, @{PROC}/@{pid}/task/ r, @{PROC}/@{pid}/task/[0-9]/smaps r, @{PROC}/@{pid}/task/[0-9]/stat r, @{PROC}/@{pid}/task/[0-9]/statm r, @{PROC}/@{pid}/task/[0-9]/status r, @{PROC}/sys/fs/pipe-max-size r, @{PROC}/sys/kernel/hostname r, @{PROC}/sys/kernel/osrelease r, @{PROC}/sys/kernel/ostype r, @{PROC}/sys/kernel/pid_max r, @{PROC}/sys/kernel/yama/ptrace_scope r, @{PROC}/sys/kernel/shmmax r, # Allow apps to introspect the level of dbus mediation AppArmor implements. /sys/kernel/security/apparmor/features/dbus/mask r, @{PROC}/sys/fs/file-max r, @{PROC}/sys/fs/file-nr r, @{PROC}/sys/fs/inotify/max_* r, @{PROC}/sys/kernel/pid_max r, @{PROC}/sys/kernel/random/boot_id r, @{PROC}/sys/kernel/random/entropy_avail r, @{PROC}/sys/kernel/random/uuid r, @{PROC}/sys/kernel/cap_last_cap r, # Allow access to the uuidd daemon (this daemon is a thin wrapper around # time and getrandom()/{,u}random and, when available, runs under an # unprivilged, dedicated user). /run/uuidd/request rw, /sys/devices/virtual/tty/{console,tty}/active r, /sys/fs/cgroup/memory/{,user.slice/}memory.limit_in_bytes r, /sys/fs/cgroup/memory/{,/}snap.@{SNAP_INSTANCE_NAME}{,.}/memory.limit_in_bytes r, /sys/fs/cgroup/memory/{,*/}snap.@{SNAP_INSTANCE_NAME}{,.}/memory.stat r, /sys/fs/cgroup/system.slice/snap.@{SNAP_INSTANCE_NAME}{,.}/memory.max r, /sys/fs/cgroup/cpu,cpuacct/{,user.slice/}cpu.cfs_{period,quota}_us r, /sys/fs/cgroup/cpu,cpuacct/{,/}snap.@{SNAP_INSTANCE_NAME}{,.}/cpu.cfs_{period,quota}_us r, /sys/fs/cgroup/cpu,cpuacct/{,user.slice/}cpu.shares r, /sys/fs/cgroup/cpu,cpuacct/{,*/}snap.@{SNAP_INSTANCE_NAME}{,.}/cpu.shares r, /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r, /sys/module/apparmor/parameters/enabled r, /{,usr/}lib/ r, # Reads of oom_adj and oom_score_adj are safe owner @{PROC}/@{pid}/oom_{,score_}adj r, # Note: for now, don't explicitly deny write access so --devmode isn't broken # but eventually we may conditionally deny this since it allows the process # to increase the oom heuristic of other processes (make them more likely to # be killed). Once AppArmor kernel var is available to solve this properly, # this can safely be allowed since non-root processes won't be able to # decrease the value and root processes will only be able to with # 'capability sys_resource,' which we deny be default. # deny owner @{PROC}/@{pid}/oom_{,score_}adj w, # Eases hardware assignment (doesn't give anything away) /etc/udev/udev.conf r, /sys/ r, /sys/bus/ r, /sys/class/ r, # this leaks interface names and stats, but not in a way that is traceable # to the user/device @{PROC}/net/dev r, @{PROC}/@{pid}/net/dev r, # Read-only of this snap /var/lib/snapd/snaps/@{SNAP_NAME}_.snap r, # Read-only of snapd restart state for snapctl specifically /var/lib/snapd/maintenance.json r, # Read-only for the install directory # bind mount used here (see 'parallel installs', above) @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/ r, @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}}/ r, @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}}/* mrklix, # Read-only install directory for other revisions to help with bugs like # LP: #1616650 and LP: #1655992 @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/** mrkix, # Read-only home area for other versions # bind mount not used here (see 'parallel installs', above) owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/ r, owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/ mrkix, # Experimental snap folder changes owner @{HOME}/.snap/data/@{SNAP_INSTANCE_NAME}/ r, owner @{HOME}/.snap/data/@{SNAP_INSTANCE_NAME}/ mrkix, owner @{HOME}/.snap/data/@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}/ wl, owner @{HOME}/.snap/data/@{SNAP_INSTANCE_NAME}/common/ wl, owner @{HOME}/Snap/@{SNAP_INSTANCE_NAME}/ r, owner @{HOME}/Snap/@{SNAP_INSTANCE_NAME}/** mrkixwl, # Writable home area for this version. # bind mount not used here (see 'parallel installs', above) owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}/ wl, owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/common/ wl, # Read-only system area for other versions # bind mount used here (see 'parallel installs', above) /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/ r, /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/ mrkix, # Writable system area only for this version # bind mount used here (see 'parallel installs', above) /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/@{SNAP_REVISION}/ wl, /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/common/ wl, # The snap-confine program creates an app-specific private restricted /tmp # and will fail to launch the app if something goes wrong. As such, we can # simply allow full access to /tmp. /tmp/ r, /tmp/ mrwlkix, # App-specific access to files and directories in /dev/shm. We allow file # access in /dev/shm for shm_open() and files in subdirectories for open() # bind mount not used here (see 'parallel installs', above) /{dev,run}/shm/snap.@{SNAP_INSTANCE_NAME}.** mrwlkix, # Also allow app-specific access for sem_open() /{dev,run}/shm/sem.snap.@{SNAP_INSTANCE_NAME}.* mrwlk, # Snap-specific XDG_RUNTIME_DIR that is based on the UID of the user # bind mount not used here (see 'parallel installs', above) owner /run/user/[0-9]/snap.@{SNAP_INSTANCE_NAME}/ rw, owner /run/user/[0-9]/snap.@{SNAP_INSTANCE_NAME}/ mrwklix, # Allow apps from the same package to communicate with each other via an # abstract or anonymous socket unix (bind, listen) addr="@snap.@{SNAP_INSTANCE_NAME}.", unix peer=(label=snap.@{SNAP_INSTANCE_NAME}.), # Allow apps from the same package to communicate with each other via DBus. # Note: this does not grant access to the DBus sockets of well known buses # (will still need to use an appropriate interface for that). dbus (receive, send) peer=(label=snap.@{SNAP_INSTANCE_NAME}.), # In addition to the above, dbus-run-session attempts reading these files # from the snap base runtime. /usr/share/dbus-1/services/{,} r, /usr/share/dbus-1/system-services/{,} r, # Allow apps to perform DBus introspection on org.freedesktop.DBus for both # the system and session buses. # Note: this does not grant access to the DBus sockets of these buses, but # we grant it here since it is missing from the dbus abstractions # (LP: #1866168) dbus (send) bus={session,system} path=/org/freedesktop/DBus interface=org.freedesktop.DBus.Introspectable member=Introspect peer=(label=unconfined), # Allow apps from the same package to signal each other via signals signal peer=snap.@{SNAP_INSTANCE_NAME}., # Allow receiving signals from all snaps (and focus on mediating sending of # signals) signal (receive) peer=snap., # Allow receiving signals from unconfined (eg, systemd) signal (receive) peer=unconfined, # for 'udevadm trigger --verbose --dry-run --tag-match=snappy-assign' /{,usr/}{,s}bin/udevadm ixr, /etc/udev/udev.conf r, /{,var/}run/udev/tags/snappy-assign/ r, @{PROC}/cmdline r, /sys/devices/*/uevent r, # LP: #1447237: adding '--property-match=SNAPPY_APP=<pkgname>' to the above # requires: # /run/udev/data/ r, # but that reveals too much about the system and cannot be granted to apps # by default at this time. # For convenience, allow apps to see what is in /dev even though cgroups # will block most access /dev/ r, /dev// r, # Allow setting up pseudoterminal via /dev/pts system. This is safe because # the launcher uses a per-app devpts newinstance. /dev/ptmx rw, # Do the same with /sys/devices and /sys/class to help people using hw-assign /sys/devices/ r, /sys/devices// r, /sys/class/ r, /sys/class/*/ r, # Allow all snaps to chroot capability sys_chroot, # Lttng tracing is very noisy and should not be allowed by confined apps. Can # safely deny for the normal case (LP: #1260491). If/when an lttng-trace # interface is needed, we can rework this. deny /{dev,run,var/run}/shm/lttng-ust- rw, # Allow read-access on /home/ for navigating to other parts of the # filesystem. While this allows enumerating users, this is already allowed # via /etc/passwd and getent. @{HOMEDIRS}/ r, # Allow read-access to / for navigating to other parts of the filesystem. / r, # Snap-specific run directory. Bind mount not used here # (see 'parallel installs', above) /run/snap.@{SNAP_INSTANCE_NAME}/ rw, /run/snap.@{SNAP_INSTANCE_NAME}/ mrwklix, # Snap-specific lock directory and prerequisite navigation permissions. /run/lock/ r, /run/lock/snap.@{SNAP_INSTANCE_NAME}/ rw, /run/lock/snap.@{SNAP_INSTANCE_NAME}/ mrwklix, # Default rules for core base runtimes # The base abstraction doesn't yet have this /{,usr/}lib/terminfo/ rk, /usr/share/terminfo/ k, /usr/share/zoneinfo/** k, # for python apps/services /usr/bin/python{,2,2.[0-9],3,3.[0-9]} ixr, # additional accesses needed for newer pythons in later bases /usr/lib{,32,64}/python3.[0-9]/.{pyc,so} mr, /usr/lib{,32,64}/python3.[0-9]/*.{egg,py,pth} r, /usr/lib{,32,64}/python3.[0-9]/{site,dist}-packages/ r, /usr/lib{,32,64}/python3.[0-9]/lib-dynload/.so mr, /usr/include/python3.[0-9]/pyconfig.h r, # for perl apps/services /usr/bin/perl{,5} ixr, # AppArmor <2.12 doesn't have rules for perl-base, so add them here /usr/lib/@{multiarch}/perl{,5,-base}/** r, /usr/lib/@{multiarch}/perl{,5,-base}/[0-9]/.so mr, # for bash 'binaries' (do not use abstractions/bash) # user-specific bash files /{,usr/}bin/bash ixr, /{,usr/}bin/dash ixr, /usr/share/terminfo/** r, # Common utilities for shell scripts /{,usr/}bin/arch ixr, /{,usr/}bin/{,g,m}awk ixr, /{,usr/}bin/base32 ixr, /{,usr/}bin/base64 ixr, /{,usr/}bin/basename ixr, /{,usr/}bin/bunzip2 ixr, /{,usr/}bin/busctl ixr, /{,usr/}bin/bzcat ixr, /{,usr/}bin/bzdiff ixr, /{,usr/}bin/bzgrep ixr, /{,usr/}bin/bzip2 ixr, /{,usr/}bin/cat ixr, /{,usr/}bin/chgrp ixr, /{,usr/}bin/chmod ixr, /{,usr/}bin/chown ixr, /{,usr/}bin/clear ixr, /{,usr/}bin/cmp ixr, /{,usr/}bin/cp ixr, /{,usr/}bin/cpio ixr, /{,usr/}bin/cut ixr, /{,usr/}bin/date ixr, /{,usr/}bin/dbus-daemon ixr, /{,usr/}bin/dbus-run-session ixr, /{,usr/}bin/dbus-send ixr, /{,usr/}bin/dd ixr, /{,usr/}bin/diff{,3} ixr, /{,usr/}bin/dir ixr, /{,usr/}bin/dirname ixr, /{,usr/}bin/du ixr, /{,usr/}bin/echo ixr, /{,usr/}bin/{,e,f,r}grep ixr, /{,usr/}bin/env ixr, /{,usr/}bin/expr ixr, /{,usr/}bin/false ixr, /{,usr/}bin/find ixr, /{,usr/}bin/flock ixr, /{,usr/}bin/fmt ixr, /{,usr/}bin/fold ixr, /{,usr/}bin/getconf ixr, /{,usr/}bin/getent ixr, /{,usr/}bin/getopt ixr, /{,usr/}bin/groups ixr, /{,usr/}bin/gzip ixr, /{,usr/}bin/head ixr, /{,usr/}bin/hostname ixr, /{,usr/}bin/id ixr, /{,usr/}bin/igawk ixr, /{,usr/}bin/infocmp ixr, /{,usr/}bin/kill ixr, /{,usr/}bin/ldd ixr, /{usr/,}lib{,32,64}/ld{,32,64}-.so ix, /{usr/,}lib/@{multiarch}/ld{,32,64}-.so* ix, /{,usr/}bin/less{,file,pipe} ixr, /{,usr/}bin/ln ixr, /{,usr/}bin/line ixr, /{,usr/}bin/link ixr, /{,usr/}bin/locale ixr, /{,usr/}bin/logger ixr, /{,usr/}bin/ls ixr, /{,usr/}bin/md5sum ixr, /{,usr/}bin/mkdir ixr, /{,usr/}bin/mkfifo ixr, /{,usr/}bin/mknod ixr, /{,usr/}bin/mktemp ixr, /{,usr/}bin/more ixr, /{,usr/}bin/mv ixr, /{,usr/}bin/nice ixr, /{,usr/}bin/nohup ixr, /{,usr/}bin/numfmt ixr, /{,usr/}bin/od ixr, /{,usr/}bin/openssl ixr, # may cause harmless capability block_suspend denial /{,usr/}bin/paste ixr, /{,usr/}bin/pgrep ixr, /{,usr/}bin/printenv ixr, /{,usr/}bin/printf ixr, /{,usr/}bin/ps ixr, /{,usr/}bin/pwd ixr, /{,usr/}bin/readlink ixr, /{,usr/}bin/realpath ixr, /{,usr/}bin/rev ixr, /{,usr/}bin/rm ixr, /{,usr/}bin/rmdir ixr, /{,usr/}bin/run-parts ixr, /{,usr/}bin/sed ixr, /{,usr/}bin/seq ixr, /{,usr/}bin/setpriv ixr, /{,usr/}bin/sha{1,224,256,384,512}sum ixr, /{,usr/}bin/shuf ixr, /{,usr/}bin/sleep ixr, /{,usr/}bin/sort ixr, /{,usr/}bin/stat ixr, /{,usr/}bin/stdbuf ixr, /{,usr/}bin/stty ixr, /{,usr/}bin/sync ixr, /{,usr/}bin/systemd-cat ixr, /{,usr/}bin/tac ixr, /{,usr/}bin/tail ixr, /{,usr/}bin/tar ixr, /{,usr/}bin/tee ixr, /{,usr/}bin/test ixr, /{,usr/}bin/tempfile ixr, /{,usr/}bin/tset ixr, /{,usr/}bin/touch ixr, /{,usr/}bin/tput ixr, /{,usr/}bin/tr ixr, /{,usr/}bin/true ixr, /{,usr/}bin/tty ixr, /{,usr/}bin/uname ixr, /{,usr/}bin/uniq ixr, /{,usr/}bin/unlink ixr, /{,usr/}bin/unxz ixr, /{,usr/}bin/unzip ixr, /{,usr/}bin/uptime ixr, /{,usr/}bin/vdir ixr, /{,usr/}bin/vim.tiny ixr, /{,usr/}bin/wc ixr, /{,usr/}bin/which{,.debianutils} ixr, /{,usr/}bin/xargs ixr, /{,usr/}bin/xz ixr, /{,usr/}bin/yes ixr, /{,usr/}bin/zcat ixr, /{,usr/}bin/z{,e,f}grep ixr, /{,usr/}bin/zip ixr, /{,usr/}bin/zipgrep ixr, # lsb-release /usr/bin/lsb_release ixr, /usr/bin/ r, /usr/share/distro-info/.csv r, # For printing the cache (we don't allow updating the cache) /{,usr/}sbin/ldconfig{,.real} ixr, # Allow all snaps to chroot /{,usr/}sbin/chroot ixr, # Description: Can change to any apparmor profile (including unconfined) thus # giving access to all resources of the system so LXD may manage what to give # to its containers. This gives device ownership to connected snaps. @{PROC}//attr/{,apparmor/}current r, /{,usr/}{,s}bin/aa-exec ux, # Allow discovering the os-release of the host /var/lib/snapd/hostfs/{etc,usr/lib}/os-release r, # Description: Can query system status information. This is restricted because # it gives privileged read access to all processes on the system and should # only be used with trusted apps. # Needed by 'ps' @{PROC}/tty/drivers r, # This ptrace is an information leak. Intentionlly omit 'ptrace (trace)' here # since since ps doesn't actually need to trace other processes. Note this # allows a number of accesses (assuming the associated /proc file is allowed), # such as various memory address locations and esp/eip via /proc//stat, # /proc//mem, /proc//personality, /proc//stack, /proc//syscall, # /proc//timerslack_ns and /proc//wchan (see man proc). # # Some files like /proc/kallsyms (but anything using %pK format specifier) need # 'capability syslog' when /proc/sys/kernel/kptr_restrict=1, but we # intentionally do not allow since it could be used to defeat KASLR. ptrace (read), # Other miscellaneous accesses for observing the system @{PROC}/cgroups r, @{PROC}/locks r, @{PROC}/modules r, @{PROC}/mdstat r, @{PROC}/schedstat r, @{PROC}/stat r, @{PROC}/vmstat r, @{PROC}/zoneinfo r, @{PROC}/diskstats r, @{PROC}/kallsyms r, @{PROC}/partitions r, @{PROC}/pressure/cpu r, @{PROC}/pressure/io r, @{PROC}/pressure/memory r, @{PROC}/sys/kernel/panic r, @{PROC}/sys/kernel/panic_on_oops r, @{PROC}/sys/kernel/sched_autogroup_enabled r, @{PROC}/sys/vm/max_map_count r, @{PROC}/sys/vm/panic_on_oom r, @{PROC}/sys/vm/swappiness r, # These are not process-specific (/proc//... and /proc//task//...) @{PROC}//{,task/,task//} r, @{PROC}//{,task//}autogroup r, @{PROC}//{,task//}auxv r, @{PROC}//{,task//}cgroup r, @{PROC}//{,task//}cmdline r, @{PROC}//{,task//}comm r, @{PROC}//{,task//}exe r, @{PROC}//{,task//}fdinfo/ r, @{PROC}//{,task//}io r, @{PROC}//{,task//}oom_score r, # allow reading of smaps_rollup, which is a summary of the memory use of a process, # but not smaps which contains a detailed mappings breakdown like # /proc/self/maps, which we do not allow access to for other processes @{PROC}//{,task//}smaps_rollup r, @{PROC}//{,task//}schedstat r, @{PROC}//{,task//}stat r, @{PROC}//{,task//}statm r, @{PROC}//{,task//}status r, @{PROC}//{,task//}wchan r, # Allow reading processes security label @{PROC}//{,task//}attr/{,apparmor/}current r, # Allow discovering the os-release of the host /var/lib/snapd/hostfs/etc/os-release rk, /var/lib/snapd/hostfs/usr/lib/os-release rk, # Allow discovering the Kernel build config @{PROC}/config.gz r, /boot/config* r, # Allow discovering system-wide CFS Bandwidth Control information # https://www.kernel.org/doc/html/latest/scheduler/sched-bwc.html /sys/fs/cgroup/cpu,cpuacct/cpu.cfs_period_us r, /sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r, /sys/fs/cgroup/cpu,cpuacct/cpu.shares r, /sys/fs/cgroup/cpu,cpuacct/cpu.stat r, /sys/fs/cgroup/memory/memory.stat r, #include <abstractions/dbus-strict> # do not use peer=(label=unconfined) here since this is DBus activated dbus (send) bus=system path=/org/freedesktop/hostname1 interface=org.freedesktop.DBus.Properties member=Get{,All}, # Allow clients to introspect hostname1 # do not use peer=(label=unconfined) here since this is DBus activated dbus (send) bus=system path=/org/freedesktop/hostname1 interface=org.freedesktop.DBus.Introspectable member=Introspect, # Allow clients to enumerate DBus connection names on common buses dbus (send) bus={session,system} path={/,/org/freedesktop/DBus} interface=org.freedesktop.DBus member={ListNames,ListActivatableNames} peer=(label=unconfined), # Allow clients to obtain the DBus machine ID on common buses. We do not # mediate the path since any peer can be used. dbus (send) bus={session,system} interface=org.freedesktop.DBus.Peer member=GetMachineId peer=(label=unconfined), # Allow clients to get properties of systemd (the manager) and # units dbus (send) bus=system interface=org.freedesktop.DBus.Properties path=/org/freedesktop/systemd1{,/*} member=Get{,All} peer=(label=unconfined), # Allow clients to explicitly list units with some of their details (path, # status) and get unit path, see # https://www.freedesktop.org/wiki/Software/systemd/dbus/ for details dbus (send) bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member={GetUnit,ListUnits} peer=(label=unconfined), # Allow reading if protected hardlinks are enabled, but don't allow enabling or # disabling them @{PROC}/sys/fs/protected_hardlinks r, @{PROC}/sys/fs/protected_symlinks r, @{PROC}/sys/fs/protected_fifos r, @{PROC}/sys/fs/protected_regular r, # allow use of user namespaces userns, # While commands like 'ps', 'ip netns identify <pid>', 'ip netns pids foo', etc # trigger a 'ptrace (trace)' denial, they aren't actually tracing other # processes. Unfortunately, the kernel overloads trace such that the LSMs are # unable to distinguish between tracing other processes and other accesses. # ptrace (trace) can be used to break out of the seccomp sandbox unless the # kernel has 93e35efb8de45393cf61ed07f7b407629bf698ea (in 4.8+). Until snapd # has full ptrace support conditional on kernel support, explicitly deny to # silence noisy denials/avoid confusion and accidentally giving away this # dangerous access frivolously. deny ptrace (trace), deny capability sys_ptrace, } ��snap-update-ns.lxd��0000644��00000013630�15027571546�0010133 0��ustar�00�� # Description: Allows snap-update-ns to construct the mount namespace specific # to a particular snap (see the name below). This specifically includes the # precise locations of the layout elements. # vim:syntax=apparmor #include <tunables/global> #include if exists "/etc/apparmor.d/tunables/home.d" profile snap-update-ns.lxd (attach_disconnected) { # The next four rules mirror those above. We want to be able to read # and map snap-update-ns into memory but it may come from a variety of places. /usr/lib{,exec,64}/snapd/snap-update-ns mr, /var/lib/snapd/hostfs/usr/lib{,exec,64}/snapd/snap-update-ns mr, /{,var/lib/snapd/}snap/{core,snapd}//usr/lib/snapd/snap-update-ns mr, /var/lib/snapd/hostfs/{,var/lib/snapd/}snap/core//usr/lib/snapd/snap-update-ns mr, # Allow reading the dynamic linker cache. /etc/ld.so.cache r, # Allow reading, mapping and executing the dynamic linker. /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}ld-.so mrix, # Allow reading and mapping various parts of the standard library and # dynamically loaded nss modules and what not. /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libc{,-[0-9]}.so mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libpthread{,-[0-9]}.so mr, # Common devices accesses /dev/null rw, /dev/full rw, /dev/zero rw, /dev/random r, /dev/urandom r, # golang runtime variables /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r, # glibc 2.27+ may poke this file to find out the number of CPUs # available in the system when creating a new arena for malloc, see # Golang issue 25628 /sys/devices/system/cpu/online r, # Allow reading the command line (snap-update-ns uses it in pre-Go bootstrap code). owner @{PROC}/@{pid}/cmdline r, # Allow reading of own maps (Go runtime) owner @{PROC}/@{pid}/maps r, # Allow reading file descriptor paths owner @{PROC}/@{pid}/fd/* r, # Allow reading /proc/version. For release.go WSL detection. @{PROC}/version r, # Allow reading own cgroups owner @{PROC}/@{pid}/cgroup r, # Allow reading somaxconn, required in newer distro releases @{PROC}/sys/net/core/somaxconn r, # but silence noisy denial of inet/inet6 deny network inet, deny network inet6, # Allow reading the os-release file (possibly a symlink to /usr/lib). /{etc/,usr/lib/}os-release r, # Allow creating/grabbing global and per-snap lock files. /run/snapd/lock/lxd.lock rwk, /run/snapd/lock/.lock rwk, # While the base abstraction has rules for encryptfs encrypted home and # private directories, it is missing rules for directory read on the toplevel # directory of the mount (LP: #1848919) owner @{HOME}/.Private/ r, owner @{HOMEDIRS}/.ecryptfs//.Private/ r, # Allow reading stored mount namespaces, /run/snapd/ns/ r, /run/snapd/ns/lxd.mnt r, # Allow reading per-snap desired mount profiles. Those are written by # snapd and represent the desired layout and content connections. /var/lib/snapd/mount/snap.lxd.fstab r, /var/lib/snapd/mount/snap.lxd.user-fstab r, # Allow reading and writing actual per-snap mount profiles. Note that # the wildcard in the rule to allow an atomic write + rename strategy. # Those files are written by snap-update-ns and represent the actual # mount profile at a given moment. /run/snapd/ns/snap.lxd.fstab{,.} rw, # NOTE: at this stage the /snap directory is stable as we have called # pivot_root already. # Needed to perform mount/unmounts. capability sys_admin, # Needed for mimic construction. capability chown, # Needed for dropping to calling user when processing per-user mounts capability setuid, capability setgid, # Allow snap-update-ns to override file ownership and permission checks. # This is required because writable mimics now preserve the permissions # of the original and hence we may be asked to create a directory when the # parent is a tmpfs without DAC write access. capability dac_override, # Allow freezing and thawing the per-snap cgroup freezers # v1 hierarchy where we know the group name of all processes of # a given snap upfront /sys/fs/cgroup/freezer/snap.lxd/freezer.state rw, # v2 hierarchy, where we need to walk the tree to looking for the tracking # groups and act on each one /sys/fs/cgroup/ r, /sys/fs/cgroup/ r, /sys/fs/cgroup//snap.lxd..scope/cgroup.freeze rw, /sys/fs/cgroup//snap.lxd..service/cgroup.freeze rw, # Allow the content interface to bind fonts from the host filesystem mount options=(ro bind) /var/lib/snapd/hostfs/usr/share/fonts/ -> /snap/lxd//, mount options=(rw private) -> /snap/lxd//*, umount /snap/lxd//, # set up user mount namespace mount options=(rslave) -> /, # Allow traversing from the root directory and several well-known places. # Specific directory permissions are added by snippets below. / r, /etc/ r, /snap/ r, /tmp/ r, /usr/ r, /var/ r, /var/lib/ r, /var/lib/snapd/ r, /var/snap/ r, # Allow reading timezone data. /usr/share/zoneinfo/ r, # Don't allow anyone to touch /snap/bin audit deny mount /snap/bin/ -> /, audit deny mount / -> /snap/bin/, # Don't allow bind mounts to /media which has special # sharing and propagates mount events outside of the snap namespace. audit deny mount -> /media, # Allow receiving signals from unconfined (eg, systemd) signal (receive) peer=unconfined, # Allow sending and receiving signals from ourselves. signal peer=@{profile_name}, # Commonly needed permissions for writable mimics. /tmp/ r, /tmp/.snap/{,*} rw, # snapd logger.go checks /proc/cmdline @{PROC}/cmdline r, # snap checks if vendored apparmor parser should be used at startup /usr/lib/snapd/info r, /lib/apparmor/functions r, # Allow snap-update-ns to open home directory owner @{HOME}/ r, # Read-only access to /boot mount options=(bind,rw) /var/lib/snapd/hostfs/boot/ -> /boot/, mount options=(bind,remount,ro) -> /boot/, umount /boot/, } ��snap.lxd.lxd��0000644��00000067421�15027571546�0007032 0��ustar�00�� # vim:syntax=apparmor #include <tunables/global> #include if exists "/etc/apparmor.d/tunables/home.d" #include if exists "/var/lib/snapd/apparmor/snap-tuning" # snapd supports the concept of 'parallel installs' where snaps with the same # name are differentiated by '_<instance>' such that foo, foo_bar and foo_baz # may all be installed on the system. To support this, SNAP_NAME is set to the # name (eg, 'foo') while SNAP_INSTANCE_NAME is set to the instance name (eg # 'foo_bar'). The profile name and most rules therefore reference # SNAP_INSTANCE_NAME. In some cases, snapd will adjust the snap's runtime # environment so the snap doesn't have to be aware of the distinction (eg, # SNAP, SNAP_DATA and SNAP_COMMON are all bind mounted onto a directory with # SNAP_NAME so the security policy will allow writing to both locations (since # they are equivalent). # This is a snap name without the instance key @{SNAP_NAME}="lxd" # This is a snap name with instance key @{SNAP_INSTANCE_NAME}="lxd" @{SNAP_INSTANCE_DESKTOP}="lxd" @{SNAP_COMMAND_NAME}="lxd" @{SNAP_REVISION}="31333" @{PROFILE_DBUS}="snap_2elxd_2elxd" @{INSTALL_DIR}="/{,var/lib/snapd/}snap" profile "snap.lxd.lxd" flags=(attach_disconnected,mediate_deleted) { #include <abstractions/base> #include <abstractions/consoles> #include <abstractions/openssl> # While in later versions of the base abstraction, include this explicitly # for series 16 and cross-distro /etc/ld.so.preload r, # The base abstraction doesn't yet have this /etc/sysconfig/clock r, owner @{PROC}/@{pid}/maps k, # /proc/XXXX/map_files contains the same info than /proc/XXXX/maps, but # in a format that is simpler to manage, because it doesn't require to # parse the text data inside a file, but just reading the contents of # a directory. # Reading /proc/XXXX/maps is already allowed in the base template # via <abstractions/base>. Also, only the owner can read it, and the # kernel limits access to it by requiring 'ptrace' enabled, so allowing # to access /proc/XXXX/map_files can be considered secure too. owner @{PROC}/@{pid}/map_files/ r, # While the base abstraction has rules for encryptfs encrypted home and # private directories, it is missing rules for directory read on the toplevel # directory of the mount (LP: #1848919) owner @{HOME}/.Private/ r, owner @{HOMEDIRS}/.ecryptfs//.Private/ r, # for python apps/services #include <abstractions/python> /etc/python3.[0-9]/* r, # explicitly deny noisy denials to read-only filesystems (see LP: #1496895 # for details) deny /usr/lib/python3/{,/}__pycache__/ w, deny /usr/lib/python3/{,/}__pycache__/.pyc.[0-9]* w, # bind mount used here (see 'parallel installs', above) deny @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}//__pycache__/ w, deny @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}//__pycache__/.pyc.[0-9] w, # for perl apps/services #include <abstractions/perl> # Missing from perl abstraction /usr/lib/@{multiarch}/perl{,5,-base}/auto/*.so mr, # Note: the following dangerous accesses should not be allowed in most # policy, but we cannot explicitly deny since other trusted interfaces might # add them. # Explicitly deny ptrace for now since it can be abused to break out of the # seccomp sandbox. https://lkml.org/lkml/2015/3/18/823 #audit deny ptrace (trace), # Explicitly deny capability mknod so apps can't create devices #audit deny capability mknod, # Explicitly deny mount, remount and umount so apps can't modify things in # their namespace #audit deny mount, #audit deny remount, #audit deny umount, # End dangerous accesses # Note: this potentially allows snaps to DoS other snaps via resource # exhaustion but we can't sensibly mediate this today. In the future we may # employ cgroup limits, AppArmor rlimit mlock rules or something else. capability ipc_lock, # for bash 'binaries' (do not use abstractions/bash) # user-specific bash files /etc/bash.bashrc r, /etc/inputrc r, /etc/environment r, /etc/profile r, # user/group/seat lookups /etc/{passwd,group,nsswitch.conf} r, # very common /var/lib/extrausers/{passwd,group} r, /run/systemd/users/[0-9]* r, /etc/default/nss r, # libnss-systemd (subset from nameservice abstraction) # # https://systemd.io/USER_GROUP_API/ # https://systemd.io/USER_RECORD/ # https://www.freedesktop.org/software/systemd/man/nss-systemd.html # # Allow User/Group lookups via common VarLink socket APIs. Applications need # to either consult all of them or the io.systemd.Multiplexer frontend. /run/systemd/userdb/ r, /run/systemd/userdb/io.systemd.Multiplexer rw, /run/systemd/userdb/io.systemd.DynamicUser rw, # systemd-exec users /run/systemd/userdb/io.systemd.Home rw, # systemd-home dirs /run/systemd/userdb/io.systemd.NameServiceSwitch rw, # UNIX/glibc NSS /run/systemd/userdb/io.systemd.Machine rw, # systemd-machined /etc/libnl-3/{classid,pktloc} r, # apps that use libnl # For snappy reexec on 4.8+ kernels /usr/lib/snapd/snap-exec m, # For gdb support /usr/lib/snapd/snap-gdb-shim ixr, /usr/lib/snapd/snap-gdbserver-shim ixr, # For in-snap tab completion /etc/bash_completion.d/{,} r, /usr/lib/snapd/etelpmoc.sh ixr, # marshaller (see complete.sh for out-of-snap unmarshal) /usr/share/bash-completion/bash_completion r, # user-provided completions (run in-snap) may use functions from here # uptime @{PROC}/uptime r, @{PROC}/loadavg r, # Allow reading /etc/os-release. On Ubuntu 16.04+ it is a symlink to /usr/lib # which is allowed by the base abstraction, but on 14.04 it is an actual file # so need to add it here. Also allow read locks on the file. /etc/os-release rk, /usr/lib/os-release k, # Debian version of the host OS which might be required in AppArmor-secured Debian /etc/debian_version r, # systemd native journal API (see sd_journal_print(4)). This should be in # AppArmor's base abstraction, but until it is, include here. We include # the base journal path as well as the journal namespace pattern path. Each # journal namespace for quota groups will be prefixed with 'snap-'. /run/systemd/journal{,.snap-}/socket w, /run/systemd/journal{,.snap-}/stdout rw, # 'r' shouldn't be needed, but journald # doesn't leak anything so allow /run/systemd/journal{,.snap-}/dev-log w, # snapctl and its requirements /usr/bin/snapctl ixr, /usr/lib/snapd/snapctl ixr, @{PROC}/sys/net/core/somaxconn r, /run/snapd-snap.socket rw, # Note: for now, don't explicitly deny this noisy denial so --devmode isn't # broken but eventually we may conditionally deny this since it is an # information leak. #deny /{,var/}run/utmp r, # java @{PROC}/@{pid}/ r, @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/auxv r, @{PROC}/sys/vm/zone_reclaim_mode r, /etc/lsb-release r, /sys/devices//read_ahead_kb r, /sys/devices/system/cpu/ r, /sys/devices/system/node/node[0-9]/ r, /sys/kernel/mm/transparent_hugepage/enabled r, /sys/kernel/mm/transparent_hugepage/defrag r, # NOTE: this leaks running process but java seems to want it (even though it # seems to operate ok without it) and SDL apps crash without it. Allow owner # match until AppArmor kernel var is available to solve this properly (see # LP: #1546825 for details). comm is a subset of cmdline, so allow it too. owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/comm r, # Per man(5) proc, the kernel enforces that a thread may only modify its comm # value or those in its thread group. owner @{PROC}/@{pid}/task/@{tid}/comm rw, # Allow reading and writing to our file descriptors in /proc which, for # example, allow access to /dev/std{in,out,err} which are all symlinks to # /proc/self/fd/{0,1,2} respectively. To support the open(..., O_TMPFILE) # linkat() temporary file technique, allow all fds. Importantly, access to # another task's fd via this proc interface is mediated via 'ptrace (read)' # (readonly) and 'ptrace (trace)' (read/write) which is denied by default, so # this rule by itself doesn't allow opening another snap's fds via proc. owner @{PROC}/@{pid}/{,task/@{tid}}fd/[0-9]* rw, # Miscellaneous accesses /dev/{,u}random w, /etc/machine-id r, /etc/mime.types r, /etc/default/keyboard r, @{PROC}/ r, @{PROC}/version r, @{PROC}/version_signature r, /etc/{,writable/}hostname r, /etc/{,writable/}localtime r, /etc/{,writable/}mailname r, /etc/{,writable/}timezone r, owner @{PROC}/@{pid}/cgroup rk, @{PROC}/@{pid}/cpuset r, @{PROC}/@{pid}/io r, owner @{PROC}/@{pid}/fdinfo/* r, owner @{PROC}/@{pid}/limits r, owner @{PROC}/@{pid}/loginuid r, owner @{PROC}/@{pid}/sessionid r, @{PROC}/@{pid}/smaps r, @{PROC}/@{pid}/stat r, @{PROC}/@{pid}/statm r, @{PROC}/@{pid}/status r, @{PROC}/@{pid}/task/ r, @{PROC}/@{pid}/task/[0-9]/smaps r, @{PROC}/@{pid}/task/[0-9]/stat r, @{PROC}/@{pid}/task/[0-9]/statm r, @{PROC}/@{pid}/task/[0-9]/status r, @{PROC}/sys/fs/pipe-max-size r, @{PROC}/sys/kernel/hostname r, @{PROC}/sys/kernel/osrelease r, @{PROC}/sys/kernel/ostype r, @{PROC}/sys/kernel/pid_max r, @{PROC}/sys/kernel/yama/ptrace_scope r, @{PROC}/sys/kernel/shmmax r, # Allow apps to introspect the level of dbus mediation AppArmor implements. /sys/kernel/security/apparmor/features/dbus/mask r, @{PROC}/sys/fs/file-max r, @{PROC}/sys/fs/file-nr r, @{PROC}/sys/fs/inotify/max_* r, @{PROC}/sys/kernel/pid_max r, @{PROC}/sys/kernel/random/boot_id r, @{PROC}/sys/kernel/random/entropy_avail r, @{PROC}/sys/kernel/random/uuid r, @{PROC}/sys/kernel/cap_last_cap r, # Allow access to the uuidd daemon (this daemon is a thin wrapper around # time and getrandom()/{,u}random and, when available, runs under an # unprivilged, dedicated user). /run/uuidd/request rw, /sys/devices/virtual/tty/{console,tty}/active r, /sys/fs/cgroup/memory/{,user.slice/}memory.limit_in_bytes r, /sys/fs/cgroup/memory/{,/}snap.@{SNAP_INSTANCE_NAME}{,.}/memory.limit_in_bytes r, /sys/fs/cgroup/memory/{,*/}snap.@{SNAP_INSTANCE_NAME}{,.}/memory.stat r, /sys/fs/cgroup/system.slice/snap.@{SNAP_INSTANCE_NAME}{,.}/memory.max r, /sys/fs/cgroup/cpu,cpuacct/{,user.slice/}cpu.cfs_{period,quota}_us r, /sys/fs/cgroup/cpu,cpuacct/{,/}snap.@{SNAP_INSTANCE_NAME}{,.}/cpu.cfs_{period,quota}_us r, /sys/fs/cgroup/cpu,cpuacct/{,user.slice/}cpu.shares r, /sys/fs/cgroup/cpu,cpuacct/{,*/}snap.@{SNAP_INSTANCE_NAME}{,.}/cpu.shares r, /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r, /sys/module/apparmor/parameters/enabled r, /{,usr/}lib/ r, # Reads of oom_adj and oom_score_adj are safe owner @{PROC}/@{pid}/oom_{,score_}adj r, # Note: for now, don't explicitly deny write access so --devmode isn't broken # but eventually we may conditionally deny this since it allows the process # to increase the oom heuristic of other processes (make them more likely to # be killed). Once AppArmor kernel var is available to solve this properly, # this can safely be allowed since non-root processes won't be able to # decrease the value and root processes will only be able to with # 'capability sys_resource,' which we deny be default. # deny owner @{PROC}/@{pid}/oom_{,score_}adj w, # Eases hardware assignment (doesn't give anything away) /etc/udev/udev.conf r, /sys/ r, /sys/bus/ r, /sys/class/ r, # this leaks interface names and stats, but not in a way that is traceable # to the user/device @{PROC}/net/dev r, @{PROC}/@{pid}/net/dev r, # Read-only of this snap /var/lib/snapd/snaps/@{SNAP_NAME}_.snap r, # Read-only of snapd restart state for snapctl specifically /var/lib/snapd/maintenance.json r, # Read-only for the install directory # bind mount used here (see 'parallel installs', above) @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/ r, @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}}/ r, @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}}/* mrklix, # Read-only install directory for other revisions to help with bugs like # LP: #1616650 and LP: #1655992 @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/** mrkix, # Read-only home area for other versions # bind mount not used here (see 'parallel installs', above) owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/ r, owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/ mrkix, # Experimental snap folder changes owner @{HOME}/.snap/data/@{SNAP_INSTANCE_NAME}/ r, owner @{HOME}/.snap/data/@{SNAP_INSTANCE_NAME}/ mrkix, owner @{HOME}/.snap/data/@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}/ wl, owner @{HOME}/.snap/data/@{SNAP_INSTANCE_NAME}/common/ wl, owner @{HOME}/Snap/@{SNAP_INSTANCE_NAME}/ r, owner @{HOME}/Snap/@{SNAP_INSTANCE_NAME}/** mrkixwl, # Writable home area for this version. # bind mount not used here (see 'parallel installs', above) owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}/ wl, owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/common/ wl, # Read-only system area for other versions # bind mount used here (see 'parallel installs', above) /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/ r, /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/ mrkix, # Writable system area only for this version # bind mount used here (see 'parallel installs', above) /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/@{SNAP_REVISION}/ wl, /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/common/ wl, # The snap-confine program creates an app-specific private restricted /tmp # and will fail to launch the app if something goes wrong. As such, we can # simply allow full access to /tmp. /tmp/ r, /tmp/ mrwlkix, # App-specific access to files and directories in /dev/shm. We allow file # access in /dev/shm for shm_open() and files in subdirectories for open() # bind mount not used here (see 'parallel installs', above) /{dev,run}/shm/snap.@{SNAP_INSTANCE_NAME}.** mrwlkix, # Also allow app-specific access for sem_open() /{dev,run}/shm/sem.snap.@{SNAP_INSTANCE_NAME}.* mrwlk, # Snap-specific XDG_RUNTIME_DIR that is based on the UID of the user # bind mount not used here (see 'parallel installs', above) owner /run/user/[0-9]/snap.@{SNAP_INSTANCE_NAME}/ rw, owner /run/user/[0-9]/snap.@{SNAP_INSTANCE_NAME}/ mrwklix, # Allow apps from the same package to communicate with each other via an # abstract or anonymous socket unix (bind, listen) addr="@snap.@{SNAP_INSTANCE_NAME}.", unix peer=(label=snap.@{SNAP_INSTANCE_NAME}.), # Allow apps from the same package to communicate with each other via DBus. # Note: this does not grant access to the DBus sockets of well known buses # (will still need to use an appropriate interface for that). dbus (receive, send) peer=(label=snap.@{SNAP_INSTANCE_NAME}.), # In addition to the above, dbus-run-session attempts reading these files # from the snap base runtime. /usr/share/dbus-1/services/{,} r, /usr/share/dbus-1/system-services/{,} r, # Allow apps to perform DBus introspection on org.freedesktop.DBus for both # the system and session buses. # Note: this does not grant access to the DBus sockets of these buses, but # we grant it here since it is missing from the dbus abstractions # (LP: #1866168) dbus (send) bus={session,system} path=/org/freedesktop/DBus interface=org.freedesktop.DBus.Introspectable member=Introspect peer=(label=unconfined), # Allow apps from the same package to signal each other via signals signal peer=snap.@{SNAP_INSTANCE_NAME}., # Allow receiving signals from all snaps (and focus on mediating sending of # signals) signal (receive) peer=snap., # Allow receiving signals from unconfined (eg, systemd) signal (receive) peer=unconfined, # for 'udevadm trigger --verbose --dry-run --tag-match=snappy-assign' /{,usr/}{,s}bin/udevadm ixr, /etc/udev/udev.conf r, /{,var/}run/udev/tags/snappy-assign/ r, @{PROC}/cmdline r, /sys/devices/*/uevent r, # LP: #1447237: adding '--property-match=SNAPPY_APP=<pkgname>' to the above # requires: # /run/udev/data/ r, # but that reveals too much about the system and cannot be granted to apps # by default at this time. # For convenience, allow apps to see what is in /dev even though cgroups # will block most access /dev/ r, /dev// r, # Allow setting up pseudoterminal via /dev/pts system. This is safe because # the launcher uses a per-app devpts newinstance. /dev/ptmx rw, # Do the same with /sys/devices and /sys/class to help people using hw-assign /sys/devices/ r, /sys/devices// r, /sys/class/ r, /sys/class/*/ r, # Allow all snaps to chroot capability sys_chroot, # Lttng tracing is very noisy and should not be allowed by confined apps. Can # safely deny for the normal case (LP: #1260491). If/when an lttng-trace # interface is needed, we can rework this. deny /{dev,run,var/run}/shm/lttng-ust- rw, # Allow read-access on /home/ for navigating to other parts of the # filesystem. While this allows enumerating users, this is already allowed # via /etc/passwd and getent. @{HOMEDIRS}/ r, # Allow read-access to / for navigating to other parts of the filesystem. / r, # Snap-specific run directory. Bind mount not used here # (see 'parallel installs', above) /run/snap.@{SNAP_INSTANCE_NAME}/ rw, /run/snap.@{SNAP_INSTANCE_NAME}/ mrwklix, # Snap-specific lock directory and prerequisite navigation permissions. /run/lock/ r, /run/lock/snap.@{SNAP_INSTANCE_NAME}/ rw, /run/lock/snap.@{SNAP_INSTANCE_NAME}/ mrwklix, # Default rules for core base runtimes # The base abstraction doesn't yet have this /{,usr/}lib/terminfo/ rk, /usr/share/terminfo/ k, /usr/share/zoneinfo/** k, # for python apps/services /usr/bin/python{,2,2.[0-9],3,3.[0-9]} ixr, # additional accesses needed for newer pythons in later bases /usr/lib{,32,64}/python3.[0-9]/.{pyc,so} mr, /usr/lib{,32,64}/python3.[0-9]/*.{egg,py,pth} r, /usr/lib{,32,64}/python3.[0-9]/{site,dist}-packages/ r, /usr/lib{,32,64}/python3.[0-9]/lib-dynload/.so mr, /usr/include/python3.[0-9]/pyconfig.h r, # for perl apps/services /usr/bin/perl{,5} ixr, # AppArmor <2.12 doesn't have rules for perl-base, so add them here /usr/lib/@{multiarch}/perl{,5,-base}/** r, /usr/lib/@{multiarch}/perl{,5,-base}/[0-9]/.so mr, # for bash 'binaries' (do not use abstractions/bash) # user-specific bash files /{,usr/}bin/bash ixr, /{,usr/}bin/dash ixr, /usr/share/terminfo/** r, # Common utilities for shell scripts /{,usr/}bin/arch ixr, /{,usr/}bin/{,g,m}awk ixr, /{,usr/}bin/base32 ixr, /{,usr/}bin/base64 ixr, /{,usr/}bin/basename ixr, /{,usr/}bin/bunzip2 ixr, /{,usr/}bin/busctl ixr, /{,usr/}bin/bzcat ixr, /{,usr/}bin/bzdiff ixr, /{,usr/}bin/bzgrep ixr, /{,usr/}bin/bzip2 ixr, /{,usr/}bin/cat ixr, /{,usr/}bin/chgrp ixr, /{,usr/}bin/chmod ixr, /{,usr/}bin/chown ixr, /{,usr/}bin/clear ixr, /{,usr/}bin/cmp ixr, /{,usr/}bin/cp ixr, /{,usr/}bin/cpio ixr, /{,usr/}bin/cut ixr, /{,usr/}bin/date ixr, /{,usr/}bin/dbus-daemon ixr, /{,usr/}bin/dbus-run-session ixr, /{,usr/}bin/dbus-send ixr, /{,usr/}bin/dd ixr, /{,usr/}bin/diff{,3} ixr, /{,usr/}bin/dir ixr, /{,usr/}bin/dirname ixr, /{,usr/}bin/du ixr, /{,usr/}bin/echo ixr, /{,usr/}bin/{,e,f,r}grep ixr, /{,usr/}bin/env ixr, /{,usr/}bin/expr ixr, /{,usr/}bin/false ixr, /{,usr/}bin/find ixr, /{,usr/}bin/flock ixr, /{,usr/}bin/fmt ixr, /{,usr/}bin/fold ixr, /{,usr/}bin/getconf ixr, /{,usr/}bin/getent ixr, /{,usr/}bin/getopt ixr, /{,usr/}bin/groups ixr, /{,usr/}bin/gzip ixr, /{,usr/}bin/head ixr, /{,usr/}bin/hostname ixr, /{,usr/}bin/id ixr, /{,usr/}bin/igawk ixr, /{,usr/}bin/infocmp ixr, /{,usr/}bin/kill ixr, /{,usr/}bin/ldd ixr, /{usr/,}lib{,32,64}/ld{,32,64}-.so ix, /{usr/,}lib/@{multiarch}/ld{,32,64}-.so* ix, /{,usr/}bin/less{,file,pipe} ixr, /{,usr/}bin/ln ixr, /{,usr/}bin/line ixr, /{,usr/}bin/link ixr, /{,usr/}bin/locale ixr, /{,usr/}bin/logger ixr, /{,usr/}bin/ls ixr, /{,usr/}bin/md5sum ixr, /{,usr/}bin/mkdir ixr, /{,usr/}bin/mkfifo ixr, /{,usr/}bin/mknod ixr, /{,usr/}bin/mktemp ixr, /{,usr/}bin/more ixr, /{,usr/}bin/mv ixr, /{,usr/}bin/nice ixr, /{,usr/}bin/nohup ixr, /{,usr/}bin/numfmt ixr, /{,usr/}bin/od ixr, /{,usr/}bin/openssl ixr, # may cause harmless capability block_suspend denial /{,usr/}bin/paste ixr, /{,usr/}bin/pgrep ixr, /{,usr/}bin/printenv ixr, /{,usr/}bin/printf ixr, /{,usr/}bin/ps ixr, /{,usr/}bin/pwd ixr, /{,usr/}bin/readlink ixr, /{,usr/}bin/realpath ixr, /{,usr/}bin/rev ixr, /{,usr/}bin/rm ixr, /{,usr/}bin/rmdir ixr, /{,usr/}bin/run-parts ixr, /{,usr/}bin/sed ixr, /{,usr/}bin/seq ixr, /{,usr/}bin/setpriv ixr, /{,usr/}bin/sha{1,224,256,384,512}sum ixr, /{,usr/}bin/shuf ixr, /{,usr/}bin/sleep ixr, /{,usr/}bin/sort ixr, /{,usr/}bin/stat ixr, /{,usr/}bin/stdbuf ixr, /{,usr/}bin/stty ixr, /{,usr/}bin/sync ixr, /{,usr/}bin/systemd-cat ixr, /{,usr/}bin/tac ixr, /{,usr/}bin/tail ixr, /{,usr/}bin/tar ixr, /{,usr/}bin/tee ixr, /{,usr/}bin/test ixr, /{,usr/}bin/tempfile ixr, /{,usr/}bin/tset ixr, /{,usr/}bin/touch ixr, /{,usr/}bin/tput ixr, /{,usr/}bin/tr ixr, /{,usr/}bin/true ixr, /{,usr/}bin/tty ixr, /{,usr/}bin/uname ixr, /{,usr/}bin/uniq ixr, /{,usr/}bin/unlink ixr, /{,usr/}bin/unxz ixr, /{,usr/}bin/unzip ixr, /{,usr/}bin/uptime ixr, /{,usr/}bin/vdir ixr, /{,usr/}bin/vim.tiny ixr, /{,usr/}bin/wc ixr, /{,usr/}bin/which{,.debianutils} ixr, /{,usr/}bin/xargs ixr, /{,usr/}bin/xz ixr, /{,usr/}bin/yes ixr, /{,usr/}bin/zcat ixr, /{,usr/}bin/z{,e,f}grep ixr, /{,usr/}bin/zip ixr, /{,usr/}bin/zipgrep ixr, # lsb-release /usr/bin/lsb_release ixr, /usr/bin/ r, /usr/share/distro-info/.csv r, # For printing the cache (we don't allow updating the cache) /{,usr/}sbin/ldconfig{,.real} ixr, # Allow all snaps to chroot /{,usr/}sbin/chroot ixr, # Description: Can change to any apparmor profile (including unconfined) thus # giving access to all resources of the system so LXD may manage what to give # to its containers. This gives device ownership to connected snaps. @{PROC}//attr/{,apparmor/}current r, /{,usr/}{,s}bin/aa-exec ux, # Allow discovering the os-release of the host /var/lib/snapd/hostfs/{etc,usr/lib}/os-release r, # Description: Can query system status information. This is restricted because # it gives privileged read access to all processes on the system and should # only be used with trusted apps. # Needed by 'ps' @{PROC}/tty/drivers r, # This ptrace is an information leak. Intentionlly omit 'ptrace (trace)' here # since since ps doesn't actually need to trace other processes. Note this # allows a number of accesses (assuming the associated /proc file is allowed), # such as various memory address locations and esp/eip via /proc//stat, # /proc//mem, /proc//personality, /proc//stack, /proc//syscall, # /proc//timerslack_ns and /proc//wchan (see man proc). # # Some files like /proc/kallsyms (but anything using %pK format specifier) need # 'capability syslog' when /proc/sys/kernel/kptr_restrict=1, but we # intentionally do not allow since it could be used to defeat KASLR. ptrace (read), # Other miscellaneous accesses for observing the system @{PROC}/cgroups r, @{PROC}/locks r, @{PROC}/modules r, @{PROC}/mdstat r, @{PROC}/schedstat r, @{PROC}/stat r, @{PROC}/vmstat r, @{PROC}/zoneinfo r, @{PROC}/diskstats r, @{PROC}/kallsyms r, @{PROC}/partitions r, @{PROC}/pressure/cpu r, @{PROC}/pressure/io r, @{PROC}/pressure/memory r, @{PROC}/sys/kernel/panic r, @{PROC}/sys/kernel/panic_on_oops r, @{PROC}/sys/kernel/sched_autogroup_enabled r, @{PROC}/sys/vm/max_map_count r, @{PROC}/sys/vm/panic_on_oom r, @{PROC}/sys/vm/swappiness r, # These are not process-specific (/proc//... and /proc//task//...) @{PROC}//{,task/,task//} r, @{PROC}//{,task//}autogroup r, @{PROC}//{,task//}auxv r, @{PROC}//{,task//}cgroup r, @{PROC}//{,task//}cmdline r, @{PROC}//{,task//}comm r, @{PROC}//{,task//}exe r, @{PROC}//{,task//}fdinfo/ r, @{PROC}//{,task//}io r, @{PROC}//{,task//}oom_score r, # allow reading of smaps_rollup, which is a summary of the memory use of a process, # but not smaps which contains a detailed mappings breakdown like # /proc/self/maps, which we do not allow access to for other processes @{PROC}//{,task//}smaps_rollup r, @{PROC}//{,task//}schedstat r, @{PROC}//{,task//}stat r, @{PROC}//{,task//}statm r, @{PROC}//{,task//}status r, @{PROC}//{,task//}wchan r, # Allow reading processes security label @{PROC}//{,task//}attr/{,apparmor/}current r, # Allow discovering the os-release of the host /var/lib/snapd/hostfs/etc/os-release rk, /var/lib/snapd/hostfs/usr/lib/os-release rk, # Allow discovering the Kernel build config @{PROC}/config.gz r, /boot/config* r, # Allow discovering system-wide CFS Bandwidth Control information # https://www.kernel.org/doc/html/latest/scheduler/sched-bwc.html /sys/fs/cgroup/cpu,cpuacct/cpu.cfs_period_us r, /sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r, /sys/fs/cgroup/cpu,cpuacct/cpu.shares r, /sys/fs/cgroup/cpu,cpuacct/cpu.stat r, /sys/fs/cgroup/memory/memory.stat r, #include <abstractions/dbus-strict> # do not use peer=(label=unconfined) here since this is DBus activated dbus (send) bus=system path=/org/freedesktop/hostname1 interface=org.freedesktop.DBus.Properties member=Get{,All}, # Allow clients to introspect hostname1 # do not use peer=(label=unconfined) here since this is DBus activated dbus (send) bus=system path=/org/freedesktop/hostname1 interface=org.freedesktop.DBus.Introspectable member=Introspect, # Allow clients to enumerate DBus connection names on common buses dbus (send) bus={session,system} path={/,/org/freedesktop/DBus} interface=org.freedesktop.DBus member={ListNames,ListActivatableNames} peer=(label=unconfined), # Allow clients to obtain the DBus machine ID on common buses. We do not # mediate the path since any peer can be used. dbus (send) bus={session,system} interface=org.freedesktop.DBus.Peer member=GetMachineId peer=(label=unconfined), # Allow clients to get properties of systemd (the manager) and # units dbus (send) bus=system interface=org.freedesktop.DBus.Properties path=/org/freedesktop/systemd1{,/*} member=Get{,All} peer=(label=unconfined), # Allow clients to explicitly list units with some of their details (path, # status) and get unit path, see # https://www.freedesktop.org/wiki/Software/systemd/dbus/ for details dbus (send) bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member={GetUnit,ListUnits} peer=(label=unconfined), # Allow reading if protected hardlinks are enabled, but don't allow enabling or # disabling them @{PROC}/sys/fs/protected_hardlinks r, @{PROC}/sys/fs/protected_symlinks r, @{PROC}/sys/fs/protected_fifos r, @{PROC}/sys/fs/protected_regular r, # allow use of user namespaces userns, # While commands like 'ps', 'ip netns identify <pid>', 'ip netns pids foo', etc # trigger a 'ptrace (trace)' denial, they aren't actually tracing other # processes. Unfortunately, the kernel overloads trace such that the LSMs are # unable to distinguish between tracing other processes and other accesses. # ptrace (trace) can be used to break out of the seccomp sandbox unless the # kernel has 93e35efb8de45393cf61ed07f7b407629bf698ea (in 4.8+). Until snapd # has full ptrace support conditional on kernel support, explicitly deny to # silence noisy denials/avoid confusion and accidentally giving away this # dangerous access frivolously. deny ptrace (trace), deny capability sys_ptrace, } ��snap.lxd.lxc-to-lxd��0000644��00000067452�15027571546�0010242 0��ustar�00�� # vim:syntax=apparmor #include <tunables/global> #include if exists "/etc/apparmor.d/tunables/home.d" #include if exists "/var/lib/snapd/apparmor/snap-tuning" # snapd supports the concept of 'parallel installs' where snaps with the same # name are differentiated by '_<instance>' such that foo, foo_bar and foo_baz # may all be installed on the system. To support this, SNAP_NAME is set to the # name (eg, 'foo') while SNAP_INSTANCE_NAME is set to the instance name (eg # 'foo_bar'). The profile name and most rules therefore reference # SNAP_INSTANCE_NAME. In some cases, snapd will adjust the snap's runtime # environment so the snap doesn't have to be aware of the distinction (eg, # SNAP, SNAP_DATA and SNAP_COMMON are all bind mounted onto a directory with # SNAP_NAME so the security policy will allow writing to both locations (since # they are equivalent). # This is a snap name without the instance key @{SNAP_NAME}="lxd" # This is a snap name with instance key @{SNAP_INSTANCE_NAME}="lxd" @{SNAP_INSTANCE_DESKTOP}="lxd" @{SNAP_COMMAND_NAME}="lxc-to-lxd" @{SNAP_REVISION}="31333" @{PROFILE_DBUS}="snap_2elxd_2elxc_2dto_2dlxd" @{INSTALL_DIR}="/{,var/lib/snapd/}snap" profile "snap.lxd.lxc-to-lxd" flags=(attach_disconnected,mediate_deleted) { #include <abstractions/base> #include <abstractions/consoles> #include <abstractions/openssl> # While in later versions of the base abstraction, include this explicitly # for series 16 and cross-distro /etc/ld.so.preload r, # The base abstraction doesn't yet have this /etc/sysconfig/clock r, owner @{PROC}/@{pid}/maps k, # /proc/XXXX/map_files contains the same info than /proc/XXXX/maps, but # in a format that is simpler to manage, because it doesn't require to # parse the text data inside a file, but just reading the contents of # a directory. # Reading /proc/XXXX/maps is already allowed in the base template # via <abstractions/base>. Also, only the owner can read it, and the # kernel limits access to it by requiring 'ptrace' enabled, so allowing # to access /proc/XXXX/map_files can be considered secure too. owner @{PROC}/@{pid}/map_files/ r, # While the base abstraction has rules for encryptfs encrypted home and # private directories, it is missing rules for directory read on the toplevel # directory of the mount (LP: #1848919) owner @{HOME}/.Private/ r, owner @{HOMEDIRS}/.ecryptfs//.Private/ r, # for python apps/services #include <abstractions/python> /etc/python3.[0-9]/* r, # explicitly deny noisy denials to read-only filesystems (see LP: #1496895 # for details) deny /usr/lib/python3/{,/}__pycache__/ w, deny /usr/lib/python3/{,/}__pycache__/.pyc.[0-9]* w, # bind mount used here (see 'parallel installs', above) deny @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}//__pycache__/ w, deny @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}//__pycache__/.pyc.[0-9] w, # for perl apps/services #include <abstractions/perl> # Missing from perl abstraction /usr/lib/@{multiarch}/perl{,5,-base}/auto/*.so mr, # Note: the following dangerous accesses should not be allowed in most # policy, but we cannot explicitly deny since other trusted interfaces might # add them. # Explicitly deny ptrace for now since it can be abused to break out of the # seccomp sandbox. https://lkml.org/lkml/2015/3/18/823 #audit deny ptrace (trace), # Explicitly deny capability mknod so apps can't create devices #audit deny capability mknod, # Explicitly deny mount, remount and umount so apps can't modify things in # their namespace #audit deny mount, #audit deny remount, #audit deny umount, # End dangerous accesses # Note: this potentially allows snaps to DoS other snaps via resource # exhaustion but we can't sensibly mediate this today. In the future we may # employ cgroup limits, AppArmor rlimit mlock rules or something else. capability ipc_lock, # for bash 'binaries' (do not use abstractions/bash) # user-specific bash files /etc/bash.bashrc r, /etc/inputrc r, /etc/environment r, /etc/profile r, # user/group/seat lookups /etc/{passwd,group,nsswitch.conf} r, # very common /var/lib/extrausers/{passwd,group} r, /run/systemd/users/[0-9]* r, /etc/default/nss r, # libnss-systemd (subset from nameservice abstraction) # # https://systemd.io/USER_GROUP_API/ # https://systemd.io/USER_RECORD/ # https://www.freedesktop.org/software/systemd/man/nss-systemd.html # # Allow User/Group lookups via common VarLink socket APIs. Applications need # to either consult all of them or the io.systemd.Multiplexer frontend. /run/systemd/userdb/ r, /run/systemd/userdb/io.systemd.Multiplexer rw, /run/systemd/userdb/io.systemd.DynamicUser rw, # systemd-exec users /run/systemd/userdb/io.systemd.Home rw, # systemd-home dirs /run/systemd/userdb/io.systemd.NameServiceSwitch rw, # UNIX/glibc NSS /run/systemd/userdb/io.systemd.Machine rw, # systemd-machined /etc/libnl-3/{classid,pktloc} r, # apps that use libnl # For snappy reexec on 4.8+ kernels /usr/lib/snapd/snap-exec m, # For gdb support /usr/lib/snapd/snap-gdb-shim ixr, /usr/lib/snapd/snap-gdbserver-shim ixr, # For in-snap tab completion /etc/bash_completion.d/{,} r, /usr/lib/snapd/etelpmoc.sh ixr, # marshaller (see complete.sh for out-of-snap unmarshal) /usr/share/bash-completion/bash_completion r, # user-provided completions (run in-snap) may use functions from here # uptime @{PROC}/uptime r, @{PROC}/loadavg r, # Allow reading /etc/os-release. On Ubuntu 16.04+ it is a symlink to /usr/lib # which is allowed by the base abstraction, but on 14.04 it is an actual file # so need to add it here. Also allow read locks on the file. /etc/os-release rk, /usr/lib/os-release k, # Debian version of the host OS which might be required in AppArmor-secured Debian /etc/debian_version r, # systemd native journal API (see sd_journal_print(4)). This should be in # AppArmor's base abstraction, but until it is, include here. We include # the base journal path as well as the journal namespace pattern path. Each # journal namespace for quota groups will be prefixed with 'snap-'. /run/systemd/journal{,.snap-}/socket w, /run/systemd/journal{,.snap-}/stdout rw, # 'r' shouldn't be needed, but journald # doesn't leak anything so allow /run/systemd/journal{,.snap-}/dev-log w, # snapctl and its requirements /usr/bin/snapctl ixr, /usr/lib/snapd/snapctl ixr, @{PROC}/sys/net/core/somaxconn r, /run/snapd-snap.socket rw, # Note: for now, don't explicitly deny this noisy denial so --devmode isn't # broken but eventually we may conditionally deny this since it is an # information leak. #deny /{,var/}run/utmp r, # java @{PROC}/@{pid}/ r, @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/auxv r, @{PROC}/sys/vm/zone_reclaim_mode r, /etc/lsb-release r, /sys/devices//read_ahead_kb r, /sys/devices/system/cpu/ r, /sys/devices/system/node/node[0-9]/ r, /sys/kernel/mm/transparent_hugepage/enabled r, /sys/kernel/mm/transparent_hugepage/defrag r, # NOTE: this leaks running process but java seems to want it (even though it # seems to operate ok without it) and SDL apps crash without it. Allow owner # match until AppArmor kernel var is available to solve this properly (see # LP: #1546825 for details). comm is a subset of cmdline, so allow it too. owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/comm r, # Per man(5) proc, the kernel enforces that a thread may only modify its comm # value or those in its thread group. owner @{PROC}/@{pid}/task/@{tid}/comm rw, # Allow reading and writing to our file descriptors in /proc which, for # example, allow access to /dev/std{in,out,err} which are all symlinks to # /proc/self/fd/{0,1,2} respectively. To support the open(..., O_TMPFILE) # linkat() temporary file technique, allow all fds. Importantly, access to # another task's fd via this proc interface is mediated via 'ptrace (read)' # (readonly) and 'ptrace (trace)' (read/write) which is denied by default, so # this rule by itself doesn't allow opening another snap's fds via proc. owner @{PROC}/@{pid}/{,task/@{tid}}fd/[0-9]* rw, # Miscellaneous accesses /dev/{,u}random w, /etc/machine-id r, /etc/mime.types r, /etc/default/keyboard r, @{PROC}/ r, @{PROC}/version r, @{PROC}/version_signature r, /etc/{,writable/}hostname r, /etc/{,writable/}localtime r, /etc/{,writable/}mailname r, /etc/{,writable/}timezone r, owner @{PROC}/@{pid}/cgroup rk, @{PROC}/@{pid}/cpuset r, @{PROC}/@{pid}/io r, owner @{PROC}/@{pid}/fdinfo/* r, owner @{PROC}/@{pid}/limits r, owner @{PROC}/@{pid}/loginuid r, owner @{PROC}/@{pid}/sessionid r, @{PROC}/@{pid}/smaps r, @{PROC}/@{pid}/stat r, @{PROC}/@{pid}/statm r, @{PROC}/@{pid}/status r, @{PROC}/@{pid}/task/ r, @{PROC}/@{pid}/task/[0-9]/smaps r, @{PROC}/@{pid}/task/[0-9]/stat r, @{PROC}/@{pid}/task/[0-9]/statm r, @{PROC}/@{pid}/task/[0-9]/status r, @{PROC}/sys/fs/pipe-max-size r, @{PROC}/sys/kernel/hostname r, @{PROC}/sys/kernel/osrelease r, @{PROC}/sys/kernel/ostype r, @{PROC}/sys/kernel/pid_max r, @{PROC}/sys/kernel/yama/ptrace_scope r, @{PROC}/sys/kernel/shmmax r, # Allow apps to introspect the level of dbus mediation AppArmor implements. /sys/kernel/security/apparmor/features/dbus/mask r, @{PROC}/sys/fs/file-max r, @{PROC}/sys/fs/file-nr r, @{PROC}/sys/fs/inotify/max_* r, @{PROC}/sys/kernel/pid_max r, @{PROC}/sys/kernel/random/boot_id r, @{PROC}/sys/kernel/random/entropy_avail r, @{PROC}/sys/kernel/random/uuid r, @{PROC}/sys/kernel/cap_last_cap r, # Allow access to the uuidd daemon (this daemon is a thin wrapper around # time and getrandom()/{,u}random and, when available, runs under an # unprivilged, dedicated user). /run/uuidd/request rw, /sys/devices/virtual/tty/{console,tty}/active r, /sys/fs/cgroup/memory/{,user.slice/}memory.limit_in_bytes r, /sys/fs/cgroup/memory/{,/}snap.@{SNAP_INSTANCE_NAME}{,.}/memory.limit_in_bytes r, /sys/fs/cgroup/memory/{,*/}snap.@{SNAP_INSTANCE_NAME}{,.}/memory.stat r, /sys/fs/cgroup/system.slice/snap.@{SNAP_INSTANCE_NAME}{,.}/memory.max r, /sys/fs/cgroup/cpu,cpuacct/{,user.slice/}cpu.cfs_{period,quota}_us r, /sys/fs/cgroup/cpu,cpuacct/{,/}snap.@{SNAP_INSTANCE_NAME}{,.}/cpu.cfs_{period,quota}_us r, /sys/fs/cgroup/cpu,cpuacct/{,user.slice/}cpu.shares r, /sys/fs/cgroup/cpu,cpuacct/{,*/}snap.@{SNAP_INSTANCE_NAME}{,.}/cpu.shares r, /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r, /sys/module/apparmor/parameters/enabled r, /{,usr/}lib/ r, # Reads of oom_adj and oom_score_adj are safe owner @{PROC}/@{pid}/oom_{,score_}adj r, # Note: for now, don't explicitly deny write access so --devmode isn't broken # but eventually we may conditionally deny this since it allows the process # to increase the oom heuristic of other processes (make them more likely to # be killed). Once AppArmor kernel var is available to solve this properly, # this can safely be allowed since non-root processes won't be able to # decrease the value and root processes will only be able to with # 'capability sys_resource,' which we deny be default. # deny owner @{PROC}/@{pid}/oom_{,score_}adj w, # Eases hardware assignment (doesn't give anything away) /etc/udev/udev.conf r, /sys/ r, /sys/bus/ r, /sys/class/ r, # this leaks interface names and stats, but not in a way that is traceable # to the user/device @{PROC}/net/dev r, @{PROC}/@{pid}/net/dev r, # Read-only of this snap /var/lib/snapd/snaps/@{SNAP_NAME}_.snap r, # Read-only of snapd restart state for snapctl specifically /var/lib/snapd/maintenance.json r, # Read-only for the install directory # bind mount used here (see 'parallel installs', above) @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/ r, @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}}/ r, @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}}/* mrklix, # Read-only install directory for other revisions to help with bugs like # LP: #1616650 and LP: #1655992 @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/** mrkix, # Read-only home area for other versions # bind mount not used here (see 'parallel installs', above) owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/ r, owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/ mrkix, # Experimental snap folder changes owner @{HOME}/.snap/data/@{SNAP_INSTANCE_NAME}/ r, owner @{HOME}/.snap/data/@{SNAP_INSTANCE_NAME}/ mrkix, owner @{HOME}/.snap/data/@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}/ wl, owner @{HOME}/.snap/data/@{SNAP_INSTANCE_NAME}/common/ wl, owner @{HOME}/Snap/@{SNAP_INSTANCE_NAME}/ r, owner @{HOME}/Snap/@{SNAP_INSTANCE_NAME}/** mrkixwl, # Writable home area for this version. # bind mount not used here (see 'parallel installs', above) owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}/ wl, owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/common/ wl, # Read-only system area for other versions # bind mount used here (see 'parallel installs', above) /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/ r, /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/ mrkix, # Writable system area only for this version # bind mount used here (see 'parallel installs', above) /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/@{SNAP_REVISION}/ wl, /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/common/ wl, # The snap-confine program creates an app-specific private restricted /tmp # and will fail to launch the app if something goes wrong. As such, we can # simply allow full access to /tmp. /tmp/ r, /tmp/ mrwlkix, # App-specific access to files and directories in /dev/shm. We allow file # access in /dev/shm for shm_open() and files in subdirectories for open() # bind mount not used here (see 'parallel installs', above) /{dev,run}/shm/snap.@{SNAP_INSTANCE_NAME}.** mrwlkix, # Also allow app-specific access for sem_open() /{dev,run}/shm/sem.snap.@{SNAP_INSTANCE_NAME}.* mrwlk, # Snap-specific XDG_RUNTIME_DIR that is based on the UID of the user # bind mount not used here (see 'parallel installs', above) owner /run/user/[0-9]/snap.@{SNAP_INSTANCE_NAME}/ rw, owner /run/user/[0-9]/snap.@{SNAP_INSTANCE_NAME}/ mrwklix, # Allow apps from the same package to communicate with each other via an # abstract or anonymous socket unix (bind, listen) addr="@snap.@{SNAP_INSTANCE_NAME}.", unix peer=(label=snap.@{SNAP_INSTANCE_NAME}.), # Allow apps from the same package to communicate with each other via DBus. # Note: this does not grant access to the DBus sockets of well known buses # (will still need to use an appropriate interface for that). dbus (receive, send) peer=(label=snap.@{SNAP_INSTANCE_NAME}.), # In addition to the above, dbus-run-session attempts reading these files # from the snap base runtime. /usr/share/dbus-1/services/{,} r, /usr/share/dbus-1/system-services/{,} r, # Allow apps to perform DBus introspection on org.freedesktop.DBus for both # the system and session buses. # Note: this does not grant access to the DBus sockets of these buses, but # we grant it here since it is missing from the dbus abstractions # (LP: #1866168) dbus (send) bus={session,system} path=/org/freedesktop/DBus interface=org.freedesktop.DBus.Introspectable member=Introspect peer=(label=unconfined), # Allow apps from the same package to signal each other via signals signal peer=snap.@{SNAP_INSTANCE_NAME}., # Allow receiving signals from all snaps (and focus on mediating sending of # signals) signal (receive) peer=snap., # Allow receiving signals from unconfined (eg, systemd) signal (receive) peer=unconfined, # for 'udevadm trigger --verbose --dry-run --tag-match=snappy-assign' /{,usr/}{,s}bin/udevadm ixr, /etc/udev/udev.conf r, /{,var/}run/udev/tags/snappy-assign/ r, @{PROC}/cmdline r, /sys/devices/*/uevent r, # LP: #1447237: adding '--property-match=SNAPPY_APP=<pkgname>' to the above # requires: # /run/udev/data/ r, # but that reveals too much about the system and cannot be granted to apps # by default at this time. # For convenience, allow apps to see what is in /dev even though cgroups # will block most access /dev/ r, /dev// r, # Allow setting up pseudoterminal via /dev/pts system. This is safe because # the launcher uses a per-app devpts newinstance. /dev/ptmx rw, # Do the same with /sys/devices and /sys/class to help people using hw-assign /sys/devices/ r, /sys/devices// r, /sys/class/ r, /sys/class/*/ r, # Allow all snaps to chroot capability sys_chroot, # Lttng tracing is very noisy and should not be allowed by confined apps. Can # safely deny for the normal case (LP: #1260491). If/when an lttng-trace # interface is needed, we can rework this. deny /{dev,run,var/run}/shm/lttng-ust- rw, # Allow read-access on /home/ for navigating to other parts of the # filesystem. While this allows enumerating users, this is already allowed # via /etc/passwd and getent. @{HOMEDIRS}/ r, # Allow read-access to / for navigating to other parts of the filesystem. / r, # Snap-specific run directory. Bind mount not used here # (see 'parallel installs', above) /run/snap.@{SNAP_INSTANCE_NAME}/ rw, /run/snap.@{SNAP_INSTANCE_NAME}/ mrwklix, # Snap-specific lock directory and prerequisite navigation permissions. /run/lock/ r, /run/lock/snap.@{SNAP_INSTANCE_NAME}/ rw, /run/lock/snap.@{SNAP_INSTANCE_NAME}/ mrwklix, # Default rules for core base runtimes # The base abstraction doesn't yet have this /{,usr/}lib/terminfo/ rk, /usr/share/terminfo/ k, /usr/share/zoneinfo/** k, # for python apps/services /usr/bin/python{,2,2.[0-9],3,3.[0-9]} ixr, # additional accesses needed for newer pythons in later bases /usr/lib{,32,64}/python3.[0-9]/.{pyc,so} mr, /usr/lib{,32,64}/python3.[0-9]/*.{egg,py,pth} r, /usr/lib{,32,64}/python3.[0-9]/{site,dist}-packages/ r, /usr/lib{,32,64}/python3.[0-9]/lib-dynload/.so mr, /usr/include/python3.[0-9]/pyconfig.h r, # for perl apps/services /usr/bin/perl{,5} ixr, # AppArmor <2.12 doesn't have rules for perl-base, so add them here /usr/lib/@{multiarch}/perl{,5,-base}/** r, /usr/lib/@{multiarch}/perl{,5,-base}/[0-9]/.so mr, # for bash 'binaries' (do not use abstractions/bash) # user-specific bash files /{,usr/}bin/bash ixr, /{,usr/}bin/dash ixr, /usr/share/terminfo/** r, # Common utilities for shell scripts /{,usr/}bin/arch ixr, /{,usr/}bin/{,g,m}awk ixr, /{,usr/}bin/base32 ixr, /{,usr/}bin/base64 ixr, /{,usr/}bin/basename ixr, /{,usr/}bin/bunzip2 ixr, /{,usr/}bin/busctl ixr, /{,usr/}bin/bzcat ixr, /{,usr/}bin/bzdiff ixr, /{,usr/}bin/bzgrep ixr, /{,usr/}bin/bzip2 ixr, /{,usr/}bin/cat ixr, /{,usr/}bin/chgrp ixr, /{,usr/}bin/chmod ixr, /{,usr/}bin/chown ixr, /{,usr/}bin/clear ixr, /{,usr/}bin/cmp ixr, /{,usr/}bin/cp ixr, /{,usr/}bin/cpio ixr, /{,usr/}bin/cut ixr, /{,usr/}bin/date ixr, /{,usr/}bin/dbus-daemon ixr, /{,usr/}bin/dbus-run-session ixr, /{,usr/}bin/dbus-send ixr, /{,usr/}bin/dd ixr, /{,usr/}bin/diff{,3} ixr, /{,usr/}bin/dir ixr, /{,usr/}bin/dirname ixr, /{,usr/}bin/du ixr, /{,usr/}bin/echo ixr, /{,usr/}bin/{,e,f,r}grep ixr, /{,usr/}bin/env ixr, /{,usr/}bin/expr ixr, /{,usr/}bin/false ixr, /{,usr/}bin/find ixr, /{,usr/}bin/flock ixr, /{,usr/}bin/fmt ixr, /{,usr/}bin/fold ixr, /{,usr/}bin/getconf ixr, /{,usr/}bin/getent ixr, /{,usr/}bin/getopt ixr, /{,usr/}bin/groups ixr, /{,usr/}bin/gzip ixr, /{,usr/}bin/head ixr, /{,usr/}bin/hostname ixr, /{,usr/}bin/id ixr, /{,usr/}bin/igawk ixr, /{,usr/}bin/infocmp ixr, /{,usr/}bin/kill ixr, /{,usr/}bin/ldd ixr, /{usr/,}lib{,32,64}/ld{,32,64}-.so ix, /{usr/,}lib/@{multiarch}/ld{,32,64}-.so* ix, /{,usr/}bin/less{,file,pipe} ixr, /{,usr/}bin/ln ixr, /{,usr/}bin/line ixr, /{,usr/}bin/link ixr, /{,usr/}bin/locale ixr, /{,usr/}bin/logger ixr, /{,usr/}bin/ls ixr, /{,usr/}bin/md5sum ixr, /{,usr/}bin/mkdir ixr, /{,usr/}bin/mkfifo ixr, /{,usr/}bin/mknod ixr, /{,usr/}bin/mktemp ixr, /{,usr/}bin/more ixr, /{,usr/}bin/mv ixr, /{,usr/}bin/nice ixr, /{,usr/}bin/nohup ixr, /{,usr/}bin/numfmt ixr, /{,usr/}bin/od ixr, /{,usr/}bin/openssl ixr, # may cause harmless capability block_suspend denial /{,usr/}bin/paste ixr, /{,usr/}bin/pgrep ixr, /{,usr/}bin/printenv ixr, /{,usr/}bin/printf ixr, /{,usr/}bin/ps ixr, /{,usr/}bin/pwd ixr, /{,usr/}bin/readlink ixr, /{,usr/}bin/realpath ixr, /{,usr/}bin/rev ixr, /{,usr/}bin/rm ixr, /{,usr/}bin/rmdir ixr, /{,usr/}bin/run-parts ixr, /{,usr/}bin/sed ixr, /{,usr/}bin/seq ixr, /{,usr/}bin/setpriv ixr, /{,usr/}bin/sha{1,224,256,384,512}sum ixr, /{,usr/}bin/shuf ixr, /{,usr/}bin/sleep ixr, /{,usr/}bin/sort ixr, /{,usr/}bin/stat ixr, /{,usr/}bin/stdbuf ixr, /{,usr/}bin/stty ixr, /{,usr/}bin/sync ixr, /{,usr/}bin/systemd-cat ixr, /{,usr/}bin/tac ixr, /{,usr/}bin/tail ixr, /{,usr/}bin/tar ixr, /{,usr/}bin/tee ixr, /{,usr/}bin/test ixr, /{,usr/}bin/tempfile ixr, /{,usr/}bin/tset ixr, /{,usr/}bin/touch ixr, /{,usr/}bin/tput ixr, /{,usr/}bin/tr ixr, /{,usr/}bin/true ixr, /{,usr/}bin/tty ixr, /{,usr/}bin/uname ixr, /{,usr/}bin/uniq ixr, /{,usr/}bin/unlink ixr, /{,usr/}bin/unxz ixr, /{,usr/}bin/unzip ixr, /{,usr/}bin/uptime ixr, /{,usr/}bin/vdir ixr, /{,usr/}bin/vim.tiny ixr, /{,usr/}bin/wc ixr, /{,usr/}bin/which{,.debianutils} ixr, /{,usr/}bin/xargs ixr, /{,usr/}bin/xz ixr, /{,usr/}bin/yes ixr, /{,usr/}bin/zcat ixr, /{,usr/}bin/z{,e,f}grep ixr, /{,usr/}bin/zip ixr, /{,usr/}bin/zipgrep ixr, # lsb-release /usr/bin/lsb_release ixr, /usr/bin/ r, /usr/share/distro-info/.csv r, # For printing the cache (we don't allow updating the cache) /{,usr/}sbin/ldconfig{,.real} ixr, # Allow all snaps to chroot /{,usr/}sbin/chroot ixr, # Description: Can change to any apparmor profile (including unconfined) thus # giving access to all resources of the system so LXD may manage what to give # to its containers. This gives device ownership to connected snaps. @{PROC}//attr/{,apparmor/}current r, /{,usr/}{,s}bin/aa-exec ux, # Allow discovering the os-release of the host /var/lib/snapd/hostfs/{etc,usr/lib}/os-release r, # Description: Can query system status information. This is restricted because # it gives privileged read access to all processes on the system and should # only be used with trusted apps. # Needed by 'ps' @{PROC}/tty/drivers r, # This ptrace is an information leak. Intentionlly omit 'ptrace (trace)' here # since since ps doesn't actually need to trace other processes. Note this # allows a number of accesses (assuming the associated /proc file is allowed), # such as various memory address locations and esp/eip via /proc//stat, # /proc//mem, /proc//personality, /proc//stack, /proc//syscall, # /proc//timerslack_ns and /proc//wchan (see man proc). # # Some files like /proc/kallsyms (but anything using %pK format specifier) need # 'capability syslog' when /proc/sys/kernel/kptr_restrict=1, but we # intentionally do not allow since it could be used to defeat KASLR. ptrace (read), # Other miscellaneous accesses for observing the system @{PROC}/cgroups r, @{PROC}/locks r, @{PROC}/modules r, @{PROC}/mdstat r, @{PROC}/schedstat r, @{PROC}/stat r, @{PROC}/vmstat r, @{PROC}/zoneinfo r, @{PROC}/diskstats r, @{PROC}/kallsyms r, @{PROC}/partitions r, @{PROC}/pressure/cpu r, @{PROC}/pressure/io r, @{PROC}/pressure/memory r, @{PROC}/sys/kernel/panic r, @{PROC}/sys/kernel/panic_on_oops r, @{PROC}/sys/kernel/sched_autogroup_enabled r, @{PROC}/sys/vm/max_map_count r, @{PROC}/sys/vm/panic_on_oom r, @{PROC}/sys/vm/swappiness r, # These are not process-specific (/proc//... and /proc//task//...) @{PROC}//{,task/,task//} r, @{PROC}//{,task//}autogroup r, @{PROC}//{,task//}auxv r, @{PROC}//{,task//}cgroup r, @{PROC}//{,task//}cmdline r, @{PROC}//{,task//}comm r, @{PROC}//{,task//}exe r, @{PROC}//{,task//}fdinfo/ r, @{PROC}//{,task//}io r, @{PROC}//{,task//}oom_score r, # allow reading of smaps_rollup, which is a summary of the memory use of a process, # but not smaps which contains a detailed mappings breakdown like # /proc/self/maps, which we do not allow access to for other processes @{PROC}//{,task//}smaps_rollup r, @{PROC}//{,task//}schedstat r, @{PROC}//{,task//}stat r, @{PROC}//{,task//}statm r, @{PROC}//{,task//}status r, @{PROC}//{,task//}wchan r, # Allow reading processes security label @{PROC}//{,task//}attr/{,apparmor/}current r, # Allow discovering the os-release of the host /var/lib/snapd/hostfs/etc/os-release rk, /var/lib/snapd/hostfs/usr/lib/os-release rk, # Allow discovering the Kernel build config @{PROC}/config.gz r, /boot/config* r, # Allow discovering system-wide CFS Bandwidth Control information # https://www.kernel.org/doc/html/latest/scheduler/sched-bwc.html /sys/fs/cgroup/cpu,cpuacct/cpu.cfs_period_us r, /sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r, /sys/fs/cgroup/cpu,cpuacct/cpu.shares r, /sys/fs/cgroup/cpu,cpuacct/cpu.stat r, /sys/fs/cgroup/memory/memory.stat r, #include <abstractions/dbus-strict> # do not use peer=(label=unconfined) here since this is DBus activated dbus (send) bus=system path=/org/freedesktop/hostname1 interface=org.freedesktop.DBus.Properties member=Get{,All}, # Allow clients to introspect hostname1 # do not use peer=(label=unconfined) here since this is DBus activated dbus (send) bus=system path=/org/freedesktop/hostname1 interface=org.freedesktop.DBus.Introspectable member=Introspect, # Allow clients to enumerate DBus connection names on common buses dbus (send) bus={session,system} path={/,/org/freedesktop/DBus} interface=org.freedesktop.DBus member={ListNames,ListActivatableNames} peer=(label=unconfined), # Allow clients to obtain the DBus machine ID on common buses. We do not # mediate the path since any peer can be used. dbus (send) bus={session,system} interface=org.freedesktop.DBus.Peer member=GetMachineId peer=(label=unconfined), # Allow clients to get properties of systemd (the manager) and # units dbus (send) bus=system interface=org.freedesktop.DBus.Properties path=/org/freedesktop/systemd1{,/*} member=Get{,All} peer=(label=unconfined), # Allow clients to explicitly list units with some of their details (path, # status) and get unit path, see # https://www.freedesktop.org/wiki/Software/systemd/dbus/ for details dbus (send) bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member={GetUnit,ListUnits} peer=(label=unconfined), # Allow reading if protected hardlinks are enabled, but don't allow enabling or # disabling them @{PROC}/sys/fs/protected_hardlinks r, @{PROC}/sys/fs/protected_symlinks r, @{PROC}/sys/fs/protected_fifos r, @{PROC}/sys/fs/protected_regular r, # allow use of user namespaces userns, # While commands like 'ps', 'ip netns identify <pid>', 'ip netns pids foo', etc # trigger a 'ptrace (trace)' denial, they aren't actually tracing other # processes. Unfortunately, the kernel overloads trace such that the LSMs are # unable to distinguish between tracing other processes and other accesses. # ptrace (trace) can be used to break out of the seccomp sandbox unless the # kernel has 93e35efb8de45393cf61ed07f7b407629bf698ea (in 4.8+). Until snapd # has full ptrace support conditional on kernel support, explicitly deny to # silence noisy denials/avoid confusion and accidentally giving away this # dangerous access frivolously. deny ptrace (trace), deny capability sys_ptrace, } ��snap.lxd.check-kernel��0000644��00000067456�15027571546�0010606 0��ustar�00�� # vim:syntax=apparmor #include <tunables/global> #include if exists "/etc/apparmor.d/tunables/home.d" #include if exists "/var/lib/snapd/apparmor/snap-tuning" # snapd supports the concept of 'parallel installs' where snaps with the same # name are differentiated by '_<instance>' such that foo, foo_bar and foo_baz # may all be installed on the system. To support this, SNAP_NAME is set to the # name (eg, 'foo') while SNAP_INSTANCE_NAME is set to the instance name (eg # 'foo_bar'). The profile name and most rules therefore reference # SNAP_INSTANCE_NAME. In some cases, snapd will adjust the snap's runtime # environment so the snap doesn't have to be aware of the distinction (eg, # SNAP, SNAP_DATA and SNAP_COMMON are all bind mounted onto a directory with # SNAP_NAME so the security policy will allow writing to both locations (since # they are equivalent). # This is a snap name without the instance key @{SNAP_NAME}="lxd" # This is a snap name with instance key @{SNAP_INSTANCE_NAME}="lxd" @{SNAP_INSTANCE_DESKTOP}="lxd" @{SNAP_COMMAND_NAME}="check-kernel" @{SNAP_REVISION}="31333" @{PROFILE_DBUS}="snap_2elxd_2echeck_2dkernel" @{INSTALL_DIR}="/{,var/lib/snapd/}snap" profile "snap.lxd.check-kernel" flags=(attach_disconnected,mediate_deleted) { #include <abstractions/base> #include <abstractions/consoles> #include <abstractions/openssl> # While in later versions of the base abstraction, include this explicitly # for series 16 and cross-distro /etc/ld.so.preload r, # The base abstraction doesn't yet have this /etc/sysconfig/clock r, owner @{PROC}/@{pid}/maps k, # /proc/XXXX/map_files contains the same info than /proc/XXXX/maps, but # in a format that is simpler to manage, because it doesn't require to # parse the text data inside a file, but just reading the contents of # a directory. # Reading /proc/XXXX/maps is already allowed in the base template # via <abstractions/base>. Also, only the owner can read it, and the # kernel limits access to it by requiring 'ptrace' enabled, so allowing # to access /proc/XXXX/map_files can be considered secure too. owner @{PROC}/@{pid}/map_files/ r, # While the base abstraction has rules for encryptfs encrypted home and # private directories, it is missing rules for directory read on the toplevel # directory of the mount (LP: #1848919) owner @{HOME}/.Private/ r, owner @{HOMEDIRS}/.ecryptfs//.Private/ r, # for python apps/services #include <abstractions/python> /etc/python3.[0-9]/* r, # explicitly deny noisy denials to read-only filesystems (see LP: #1496895 # for details) deny /usr/lib/python3/{,/}__pycache__/ w, deny /usr/lib/python3/{,/}__pycache__/.pyc.[0-9]* w, # bind mount used here (see 'parallel installs', above) deny @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}//__pycache__/ w, deny @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}//__pycache__/.pyc.[0-9] w, # for perl apps/services #include <abstractions/perl> # Missing from perl abstraction /usr/lib/@{multiarch}/perl{,5,-base}/auto/*.so mr, # Note: the following dangerous accesses should not be allowed in most # policy, but we cannot explicitly deny since other trusted interfaces might # add them. # Explicitly deny ptrace for now since it can be abused to break out of the # seccomp sandbox. https://lkml.org/lkml/2015/3/18/823 #audit deny ptrace (trace), # Explicitly deny capability mknod so apps can't create devices #audit deny capability mknod, # Explicitly deny mount, remount and umount so apps can't modify things in # their namespace #audit deny mount, #audit deny remount, #audit deny umount, # End dangerous accesses # Note: this potentially allows snaps to DoS other snaps via resource # exhaustion but we can't sensibly mediate this today. In the future we may # employ cgroup limits, AppArmor rlimit mlock rules or something else. capability ipc_lock, # for bash 'binaries' (do not use abstractions/bash) # user-specific bash files /etc/bash.bashrc r, /etc/inputrc r, /etc/environment r, /etc/profile r, # user/group/seat lookups /etc/{passwd,group,nsswitch.conf} r, # very common /var/lib/extrausers/{passwd,group} r, /run/systemd/users/[0-9]* r, /etc/default/nss r, # libnss-systemd (subset from nameservice abstraction) # # https://systemd.io/USER_GROUP_API/ # https://systemd.io/USER_RECORD/ # https://www.freedesktop.org/software/systemd/man/nss-systemd.html # # Allow User/Group lookups via common VarLink socket APIs. Applications need # to either consult all of them or the io.systemd.Multiplexer frontend. /run/systemd/userdb/ r, /run/systemd/userdb/io.systemd.Multiplexer rw, /run/systemd/userdb/io.systemd.DynamicUser rw, # systemd-exec users /run/systemd/userdb/io.systemd.Home rw, # systemd-home dirs /run/systemd/userdb/io.systemd.NameServiceSwitch rw, # UNIX/glibc NSS /run/systemd/userdb/io.systemd.Machine rw, # systemd-machined /etc/libnl-3/{classid,pktloc} r, # apps that use libnl # For snappy reexec on 4.8+ kernels /usr/lib/snapd/snap-exec m, # For gdb support /usr/lib/snapd/snap-gdb-shim ixr, /usr/lib/snapd/snap-gdbserver-shim ixr, # For in-snap tab completion /etc/bash_completion.d/{,} r, /usr/lib/snapd/etelpmoc.sh ixr, # marshaller (see complete.sh for out-of-snap unmarshal) /usr/share/bash-completion/bash_completion r, # user-provided completions (run in-snap) may use functions from here # uptime @{PROC}/uptime r, @{PROC}/loadavg r, # Allow reading /etc/os-release. On Ubuntu 16.04+ it is a symlink to /usr/lib # which is allowed by the base abstraction, but on 14.04 it is an actual file # so need to add it here. Also allow read locks on the file. /etc/os-release rk, /usr/lib/os-release k, # Debian version of the host OS which might be required in AppArmor-secured Debian /etc/debian_version r, # systemd native journal API (see sd_journal_print(4)). This should be in # AppArmor's base abstraction, but until it is, include here. We include # the base journal path as well as the journal namespace pattern path. Each # journal namespace for quota groups will be prefixed with 'snap-'. /run/systemd/journal{,.snap-}/socket w, /run/systemd/journal{,.snap-}/stdout rw, # 'r' shouldn't be needed, but journald # doesn't leak anything so allow /run/systemd/journal{,.snap-}/dev-log w, # snapctl and its requirements /usr/bin/snapctl ixr, /usr/lib/snapd/snapctl ixr, @{PROC}/sys/net/core/somaxconn r, /run/snapd-snap.socket rw, # Note: for now, don't explicitly deny this noisy denial so --devmode isn't # broken but eventually we may conditionally deny this since it is an # information leak. #deny /{,var/}run/utmp r, # java @{PROC}/@{pid}/ r, @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/auxv r, @{PROC}/sys/vm/zone_reclaim_mode r, /etc/lsb-release r, /sys/devices//read_ahead_kb r, /sys/devices/system/cpu/ r, /sys/devices/system/node/node[0-9]/ r, /sys/kernel/mm/transparent_hugepage/enabled r, /sys/kernel/mm/transparent_hugepage/defrag r, # NOTE: this leaks running process but java seems to want it (even though it # seems to operate ok without it) and SDL apps crash without it. Allow owner # match until AppArmor kernel var is available to solve this properly (see # LP: #1546825 for details). comm is a subset of cmdline, so allow it too. owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/comm r, # Per man(5) proc, the kernel enforces that a thread may only modify its comm # value or those in its thread group. owner @{PROC}/@{pid}/task/@{tid}/comm rw, # Allow reading and writing to our file descriptors in /proc which, for # example, allow access to /dev/std{in,out,err} which are all symlinks to # /proc/self/fd/{0,1,2} respectively. To support the open(..., O_TMPFILE) # linkat() temporary file technique, allow all fds. Importantly, access to # another task's fd via this proc interface is mediated via 'ptrace (read)' # (readonly) and 'ptrace (trace)' (read/write) which is denied by default, so # this rule by itself doesn't allow opening another snap's fds via proc. owner @{PROC}/@{pid}/{,task/@{tid}}fd/[0-9]* rw, # Miscellaneous accesses /dev/{,u}random w, /etc/machine-id r, /etc/mime.types r, /etc/default/keyboard r, @{PROC}/ r, @{PROC}/version r, @{PROC}/version_signature r, /etc/{,writable/}hostname r, /etc/{,writable/}localtime r, /etc/{,writable/}mailname r, /etc/{,writable/}timezone r, owner @{PROC}/@{pid}/cgroup rk, @{PROC}/@{pid}/cpuset r, @{PROC}/@{pid}/io r, owner @{PROC}/@{pid}/fdinfo/* r, owner @{PROC}/@{pid}/limits r, owner @{PROC}/@{pid}/loginuid r, owner @{PROC}/@{pid}/sessionid r, @{PROC}/@{pid}/smaps r, @{PROC}/@{pid}/stat r, @{PROC}/@{pid}/statm r, @{PROC}/@{pid}/status r, @{PROC}/@{pid}/task/ r, @{PROC}/@{pid}/task/[0-9]/smaps r, @{PROC}/@{pid}/task/[0-9]/stat r, @{PROC}/@{pid}/task/[0-9]/statm r, @{PROC}/@{pid}/task/[0-9]/status r, @{PROC}/sys/fs/pipe-max-size r, @{PROC}/sys/kernel/hostname r, @{PROC}/sys/kernel/osrelease r, @{PROC}/sys/kernel/ostype r, @{PROC}/sys/kernel/pid_max r, @{PROC}/sys/kernel/yama/ptrace_scope r, @{PROC}/sys/kernel/shmmax r, # Allow apps to introspect the level of dbus mediation AppArmor implements. /sys/kernel/security/apparmor/features/dbus/mask r, @{PROC}/sys/fs/file-max r, @{PROC}/sys/fs/file-nr r, @{PROC}/sys/fs/inotify/max_* r, @{PROC}/sys/kernel/pid_max r, @{PROC}/sys/kernel/random/boot_id r, @{PROC}/sys/kernel/random/entropy_avail r, @{PROC}/sys/kernel/random/uuid r, @{PROC}/sys/kernel/cap_last_cap r, # Allow access to the uuidd daemon (this daemon is a thin wrapper around # time and getrandom()/{,u}random and, when available, runs under an # unprivilged, dedicated user). /run/uuidd/request rw, /sys/devices/virtual/tty/{console,tty}/active r, /sys/fs/cgroup/memory/{,user.slice/}memory.limit_in_bytes r, /sys/fs/cgroup/memory/{,/}snap.@{SNAP_INSTANCE_NAME}{,.}/memory.limit_in_bytes r, /sys/fs/cgroup/memory/{,*/}snap.@{SNAP_INSTANCE_NAME}{,.}/memory.stat r, /sys/fs/cgroup/system.slice/snap.@{SNAP_INSTANCE_NAME}{,.}/memory.max r, /sys/fs/cgroup/cpu,cpuacct/{,user.slice/}cpu.cfs_{period,quota}_us r, /sys/fs/cgroup/cpu,cpuacct/{,/}snap.@{SNAP_INSTANCE_NAME}{,.}/cpu.cfs_{period,quota}_us r, /sys/fs/cgroup/cpu,cpuacct/{,user.slice/}cpu.shares r, /sys/fs/cgroup/cpu,cpuacct/{,*/}snap.@{SNAP_INSTANCE_NAME}{,.}/cpu.shares r, /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r, /sys/module/apparmor/parameters/enabled r, /{,usr/}lib/ r, # Reads of oom_adj and oom_score_adj are safe owner @{PROC}/@{pid}/oom_{,score_}adj r, # Note: for now, don't explicitly deny write access so --devmode isn't broken # but eventually we may conditionally deny this since it allows the process # to increase the oom heuristic of other processes (make them more likely to # be killed). Once AppArmor kernel var is available to solve this properly, # this can safely be allowed since non-root processes won't be able to # decrease the value and root processes will only be able to with # 'capability sys_resource,' which we deny be default. # deny owner @{PROC}/@{pid}/oom_{,score_}adj w, # Eases hardware assignment (doesn't give anything away) /etc/udev/udev.conf r, /sys/ r, /sys/bus/ r, /sys/class/ r, # this leaks interface names and stats, but not in a way that is traceable # to the user/device @{PROC}/net/dev r, @{PROC}/@{pid}/net/dev r, # Read-only of this snap /var/lib/snapd/snaps/@{SNAP_NAME}_.snap r, # Read-only of snapd restart state for snapctl specifically /var/lib/snapd/maintenance.json r, # Read-only for the install directory # bind mount used here (see 'parallel installs', above) @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/ r, @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}}/ r, @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}}/* mrklix, # Read-only install directory for other revisions to help with bugs like # LP: #1616650 and LP: #1655992 @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/** mrkix, # Read-only home area for other versions # bind mount not used here (see 'parallel installs', above) owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/ r, owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/ mrkix, # Experimental snap folder changes owner @{HOME}/.snap/data/@{SNAP_INSTANCE_NAME}/ r, owner @{HOME}/.snap/data/@{SNAP_INSTANCE_NAME}/ mrkix, owner @{HOME}/.snap/data/@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}/ wl, owner @{HOME}/.snap/data/@{SNAP_INSTANCE_NAME}/common/ wl, owner @{HOME}/Snap/@{SNAP_INSTANCE_NAME}/ r, owner @{HOME}/Snap/@{SNAP_INSTANCE_NAME}/** mrkixwl, # Writable home area for this version. # bind mount not used here (see 'parallel installs', above) owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}/ wl, owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/common/ wl, # Read-only system area for other versions # bind mount used here (see 'parallel installs', above) /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/ r, /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/ mrkix, # Writable system area only for this version # bind mount used here (see 'parallel installs', above) /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/@{SNAP_REVISION}/ wl, /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/common/ wl, # The snap-confine program creates an app-specific private restricted /tmp # and will fail to launch the app if something goes wrong. As such, we can # simply allow full access to /tmp. /tmp/ r, /tmp/ mrwlkix, # App-specific access to files and directories in /dev/shm. We allow file # access in /dev/shm for shm_open() and files in subdirectories for open() # bind mount not used here (see 'parallel installs', above) /{dev,run}/shm/snap.@{SNAP_INSTANCE_NAME}.** mrwlkix, # Also allow app-specific access for sem_open() /{dev,run}/shm/sem.snap.@{SNAP_INSTANCE_NAME}.* mrwlk, # Snap-specific XDG_RUNTIME_DIR that is based on the UID of the user # bind mount not used here (see 'parallel installs', above) owner /run/user/[0-9]/snap.@{SNAP_INSTANCE_NAME}/ rw, owner /run/user/[0-9]/snap.@{SNAP_INSTANCE_NAME}/ mrwklix, # Allow apps from the same package to communicate with each other via an # abstract or anonymous socket unix (bind, listen) addr="@snap.@{SNAP_INSTANCE_NAME}.", unix peer=(label=snap.@{SNAP_INSTANCE_NAME}.), # Allow apps from the same package to communicate with each other via DBus. # Note: this does not grant access to the DBus sockets of well known buses # (will still need to use an appropriate interface for that). dbus (receive, send) peer=(label=snap.@{SNAP_INSTANCE_NAME}.), # In addition to the above, dbus-run-session attempts reading these files # from the snap base runtime. /usr/share/dbus-1/services/{,} r, /usr/share/dbus-1/system-services/{,} r, # Allow apps to perform DBus introspection on org.freedesktop.DBus for both # the system and session buses. # Note: this does not grant access to the DBus sockets of these buses, but # we grant it here since it is missing from the dbus abstractions # (LP: #1866168) dbus (send) bus={session,system} path=/org/freedesktop/DBus interface=org.freedesktop.DBus.Introspectable member=Introspect peer=(label=unconfined), # Allow apps from the same package to signal each other via signals signal peer=snap.@{SNAP_INSTANCE_NAME}., # Allow receiving signals from all snaps (and focus on mediating sending of # signals) signal (receive) peer=snap., # Allow receiving signals from unconfined (eg, systemd) signal (receive) peer=unconfined, # for 'udevadm trigger --verbose --dry-run --tag-match=snappy-assign' /{,usr/}{,s}bin/udevadm ixr, /etc/udev/udev.conf r, /{,var/}run/udev/tags/snappy-assign/ r, @{PROC}/cmdline r, /sys/devices/*/uevent r, # LP: #1447237: adding '--property-match=SNAPPY_APP=<pkgname>' to the above # requires: # /run/udev/data/ r, # but that reveals too much about the system and cannot be granted to apps # by default at this time. # For convenience, allow apps to see what is in /dev even though cgroups # will block most access /dev/ r, /dev// r, # Allow setting up pseudoterminal via /dev/pts system. This is safe because # the launcher uses a per-app devpts newinstance. /dev/ptmx rw, # Do the same with /sys/devices and /sys/class to help people using hw-assign /sys/devices/ r, /sys/devices// r, /sys/class/ r, /sys/class/*/ r, # Allow all snaps to chroot capability sys_chroot, # Lttng tracing is very noisy and should not be allowed by confined apps. Can # safely deny for the normal case (LP: #1260491). If/when an lttng-trace # interface is needed, we can rework this. deny /{dev,run,var/run}/shm/lttng-ust- rw, # Allow read-access on /home/ for navigating to other parts of the # filesystem. While this allows enumerating users, this is already allowed # via /etc/passwd and getent. @{HOMEDIRS}/ r, # Allow read-access to / for navigating to other parts of the filesystem. / r, # Snap-specific run directory. Bind mount not used here # (see 'parallel installs', above) /run/snap.@{SNAP_INSTANCE_NAME}/ rw, /run/snap.@{SNAP_INSTANCE_NAME}/ mrwklix, # Snap-specific lock directory and prerequisite navigation permissions. /run/lock/ r, /run/lock/snap.@{SNAP_INSTANCE_NAME}/ rw, /run/lock/snap.@{SNAP_INSTANCE_NAME}/ mrwklix, # Default rules for core base runtimes # The base abstraction doesn't yet have this /{,usr/}lib/terminfo/ rk, /usr/share/terminfo/ k, /usr/share/zoneinfo/** k, # for python apps/services /usr/bin/python{,2,2.[0-9],3,3.[0-9]} ixr, # additional accesses needed for newer pythons in later bases /usr/lib{,32,64}/python3.[0-9]/.{pyc,so} mr, /usr/lib{,32,64}/python3.[0-9]/*.{egg,py,pth} r, /usr/lib{,32,64}/python3.[0-9]/{site,dist}-packages/ r, /usr/lib{,32,64}/python3.[0-9]/lib-dynload/.so mr, /usr/include/python3.[0-9]/pyconfig.h r, # for perl apps/services /usr/bin/perl{,5} ixr, # AppArmor <2.12 doesn't have rules for perl-base, so add them here /usr/lib/@{multiarch}/perl{,5,-base}/** r, /usr/lib/@{multiarch}/perl{,5,-base}/[0-9]/.so mr, # for bash 'binaries' (do not use abstractions/bash) # user-specific bash files /{,usr/}bin/bash ixr, /{,usr/}bin/dash ixr, /usr/share/terminfo/** r, # Common utilities for shell scripts /{,usr/}bin/arch ixr, /{,usr/}bin/{,g,m}awk ixr, /{,usr/}bin/base32 ixr, /{,usr/}bin/base64 ixr, /{,usr/}bin/basename ixr, /{,usr/}bin/bunzip2 ixr, /{,usr/}bin/busctl ixr, /{,usr/}bin/bzcat ixr, /{,usr/}bin/bzdiff ixr, /{,usr/}bin/bzgrep ixr, /{,usr/}bin/bzip2 ixr, /{,usr/}bin/cat ixr, /{,usr/}bin/chgrp ixr, /{,usr/}bin/chmod ixr, /{,usr/}bin/chown ixr, /{,usr/}bin/clear ixr, /{,usr/}bin/cmp ixr, /{,usr/}bin/cp ixr, /{,usr/}bin/cpio ixr, /{,usr/}bin/cut ixr, /{,usr/}bin/date ixr, /{,usr/}bin/dbus-daemon ixr, /{,usr/}bin/dbus-run-session ixr, /{,usr/}bin/dbus-send ixr, /{,usr/}bin/dd ixr, /{,usr/}bin/diff{,3} ixr, /{,usr/}bin/dir ixr, /{,usr/}bin/dirname ixr, /{,usr/}bin/du ixr, /{,usr/}bin/echo ixr, /{,usr/}bin/{,e,f,r}grep ixr, /{,usr/}bin/env ixr, /{,usr/}bin/expr ixr, /{,usr/}bin/false ixr, /{,usr/}bin/find ixr, /{,usr/}bin/flock ixr, /{,usr/}bin/fmt ixr, /{,usr/}bin/fold ixr, /{,usr/}bin/getconf ixr, /{,usr/}bin/getent ixr, /{,usr/}bin/getopt ixr, /{,usr/}bin/groups ixr, /{,usr/}bin/gzip ixr, /{,usr/}bin/head ixr, /{,usr/}bin/hostname ixr, /{,usr/}bin/id ixr, /{,usr/}bin/igawk ixr, /{,usr/}bin/infocmp ixr, /{,usr/}bin/kill ixr, /{,usr/}bin/ldd ixr, /{usr/,}lib{,32,64}/ld{,32,64}-.so ix, /{usr/,}lib/@{multiarch}/ld{,32,64}-.so* ix, /{,usr/}bin/less{,file,pipe} ixr, /{,usr/}bin/ln ixr, /{,usr/}bin/line ixr, /{,usr/}bin/link ixr, /{,usr/}bin/locale ixr, /{,usr/}bin/logger ixr, /{,usr/}bin/ls ixr, /{,usr/}bin/md5sum ixr, /{,usr/}bin/mkdir ixr, /{,usr/}bin/mkfifo ixr, /{,usr/}bin/mknod ixr, /{,usr/}bin/mktemp ixr, /{,usr/}bin/more ixr, /{,usr/}bin/mv ixr, /{,usr/}bin/nice ixr, /{,usr/}bin/nohup ixr, /{,usr/}bin/numfmt ixr, /{,usr/}bin/od ixr, /{,usr/}bin/openssl ixr, # may cause harmless capability block_suspend denial /{,usr/}bin/paste ixr, /{,usr/}bin/pgrep ixr, /{,usr/}bin/printenv ixr, /{,usr/}bin/printf ixr, /{,usr/}bin/ps ixr, /{,usr/}bin/pwd ixr, /{,usr/}bin/readlink ixr, /{,usr/}bin/realpath ixr, /{,usr/}bin/rev ixr, /{,usr/}bin/rm ixr, /{,usr/}bin/rmdir ixr, /{,usr/}bin/run-parts ixr, /{,usr/}bin/sed ixr, /{,usr/}bin/seq ixr, /{,usr/}bin/setpriv ixr, /{,usr/}bin/sha{1,224,256,384,512}sum ixr, /{,usr/}bin/shuf ixr, /{,usr/}bin/sleep ixr, /{,usr/}bin/sort ixr, /{,usr/}bin/stat ixr, /{,usr/}bin/stdbuf ixr, /{,usr/}bin/stty ixr, /{,usr/}bin/sync ixr, /{,usr/}bin/systemd-cat ixr, /{,usr/}bin/tac ixr, /{,usr/}bin/tail ixr, /{,usr/}bin/tar ixr, /{,usr/}bin/tee ixr, /{,usr/}bin/test ixr, /{,usr/}bin/tempfile ixr, /{,usr/}bin/tset ixr, /{,usr/}bin/touch ixr, /{,usr/}bin/tput ixr, /{,usr/}bin/tr ixr, /{,usr/}bin/true ixr, /{,usr/}bin/tty ixr, /{,usr/}bin/uname ixr, /{,usr/}bin/uniq ixr, /{,usr/}bin/unlink ixr, /{,usr/}bin/unxz ixr, /{,usr/}bin/unzip ixr, /{,usr/}bin/uptime ixr, /{,usr/}bin/vdir ixr, /{,usr/}bin/vim.tiny ixr, /{,usr/}bin/wc ixr, /{,usr/}bin/which{,.debianutils} ixr, /{,usr/}bin/xargs ixr, /{,usr/}bin/xz ixr, /{,usr/}bin/yes ixr, /{,usr/}bin/zcat ixr, /{,usr/}bin/z{,e,f}grep ixr, /{,usr/}bin/zip ixr, /{,usr/}bin/zipgrep ixr, # lsb-release /usr/bin/lsb_release ixr, /usr/bin/ r, /usr/share/distro-info/.csv r, # For printing the cache (we don't allow updating the cache) /{,usr/}sbin/ldconfig{,.real} ixr, # Allow all snaps to chroot /{,usr/}sbin/chroot ixr, # Description: Can change to any apparmor profile (including unconfined) thus # giving access to all resources of the system so LXD may manage what to give # to its containers. This gives device ownership to connected snaps. @{PROC}//attr/{,apparmor/}current r, /{,usr/}{,s}bin/aa-exec ux, # Allow discovering the os-release of the host /var/lib/snapd/hostfs/{etc,usr/lib}/os-release r, # Description: Can query system status information. This is restricted because # it gives privileged read access to all processes on the system and should # only be used with trusted apps. # Needed by 'ps' @{PROC}/tty/drivers r, # This ptrace is an information leak. Intentionlly omit 'ptrace (trace)' here # since since ps doesn't actually need to trace other processes. Note this # allows a number of accesses (assuming the associated /proc file is allowed), # such as various memory address locations and esp/eip via /proc//stat, # /proc//mem, /proc//personality, /proc//stack, /proc//syscall, # /proc//timerslack_ns and /proc//wchan (see man proc). # # Some files like /proc/kallsyms (but anything using %pK format specifier) need # 'capability syslog' when /proc/sys/kernel/kptr_restrict=1, but we # intentionally do not allow since it could be used to defeat KASLR. ptrace (read), # Other miscellaneous accesses for observing the system @{PROC}/cgroups r, @{PROC}/locks r, @{PROC}/modules r, @{PROC}/mdstat r, @{PROC}/schedstat r, @{PROC}/stat r, @{PROC}/vmstat r, @{PROC}/zoneinfo r, @{PROC}/diskstats r, @{PROC}/kallsyms r, @{PROC}/partitions r, @{PROC}/pressure/cpu r, @{PROC}/pressure/io r, @{PROC}/pressure/memory r, @{PROC}/sys/kernel/panic r, @{PROC}/sys/kernel/panic_on_oops r, @{PROC}/sys/kernel/sched_autogroup_enabled r, @{PROC}/sys/vm/max_map_count r, @{PROC}/sys/vm/panic_on_oom r, @{PROC}/sys/vm/swappiness r, # These are not process-specific (/proc//... and /proc//task//...) @{PROC}//{,task/,task//} r, @{PROC}//{,task//}autogroup r, @{PROC}//{,task//}auxv r, @{PROC}//{,task//}cgroup r, @{PROC}//{,task//}cmdline r, @{PROC}//{,task//}comm r, @{PROC}//{,task//}exe r, @{PROC}//{,task//}fdinfo/ r, @{PROC}//{,task//}io r, @{PROC}//{,task//}oom_score r, # allow reading of smaps_rollup, which is a summary of the memory use of a process, # but not smaps which contains a detailed mappings breakdown like # /proc/self/maps, which we do not allow access to for other processes @{PROC}//{,task//}smaps_rollup r, @{PROC}//{,task//}schedstat r, @{PROC}//{,task//}stat r, @{PROC}//{,task//}statm r, @{PROC}//{,task//}status r, @{PROC}//{,task//}wchan r, # Allow reading processes security label @{PROC}//{,task//}attr/{,apparmor/}current r, # Allow discovering the os-release of the host /var/lib/snapd/hostfs/etc/os-release rk, /var/lib/snapd/hostfs/usr/lib/os-release rk, # Allow discovering the Kernel build config @{PROC}/config.gz r, /boot/config* r, # Allow discovering system-wide CFS Bandwidth Control information # https://www.kernel.org/doc/html/latest/scheduler/sched-bwc.html /sys/fs/cgroup/cpu,cpuacct/cpu.cfs_period_us r, /sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r, /sys/fs/cgroup/cpu,cpuacct/cpu.shares r, /sys/fs/cgroup/cpu,cpuacct/cpu.stat r, /sys/fs/cgroup/memory/memory.stat r, #include <abstractions/dbus-strict> # do not use peer=(label=unconfined) here since this is DBus activated dbus (send) bus=system path=/org/freedesktop/hostname1 interface=org.freedesktop.DBus.Properties member=Get{,All}, # Allow clients to introspect hostname1 # do not use peer=(label=unconfined) here since this is DBus activated dbus (send) bus=system path=/org/freedesktop/hostname1 interface=org.freedesktop.DBus.Introspectable member=Introspect, # Allow clients to enumerate DBus connection names on common buses dbus (send) bus={session,system} path={/,/org/freedesktop/DBus} interface=org.freedesktop.DBus member={ListNames,ListActivatableNames} peer=(label=unconfined), # Allow clients to obtain the DBus machine ID on common buses. We do not # mediate the path since any peer can be used. dbus (send) bus={session,system} interface=org.freedesktop.DBus.Peer member=GetMachineId peer=(label=unconfined), # Allow clients to get properties of systemd (the manager) and # units dbus (send) bus=system interface=org.freedesktop.DBus.Properties path=/org/freedesktop/systemd1{,/*} member=Get{,All} peer=(label=unconfined), # Allow clients to explicitly list units with some of their details (path, # status) and get unit path, see # https://www.freedesktop.org/wiki/Software/systemd/dbus/ for details dbus (send) bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member={GetUnit,ListUnits} peer=(label=unconfined), # Allow reading if protected hardlinks are enabled, but don't allow enabling or # disabling them @{PROC}/sys/fs/protected_hardlinks r, @{PROC}/sys/fs/protected_symlinks r, @{PROC}/sys/fs/protected_fifos r, @{PROC}/sys/fs/protected_regular r, # allow use of user namespaces userns, # While commands like 'ps', 'ip netns identify <pid>', 'ip netns pids foo', etc # trigger a 'ptrace (trace)' denial, they aren't actually tracing other # processes. Unfortunately, the kernel overloads trace such that the LSMs are # unable to distinguish between tracing other processes and other accesses. # ptrace (trace) can be used to break out of the seccomp sandbox unless the # kernel has 93e35efb8de45393cf61ed07f7b407629bf698ea (in 4.8+). Until snapd # has full ptrace support conditional on kernel support, explicitly deny to # silence noisy denials/avoid confusion and accidentally giving away this # dangerous access frivolously. deny ptrace (trace), deny capability sys_ptrace, } ��snap.lxd.buginfo��0000644��00000067435�15027571546�0007701 0��ustar�00�� # vim:syntax=apparmor #include <tunables/global> #include if exists "/etc/apparmor.d/tunables/home.d" #include if exists "/var/lib/snapd/apparmor/snap-tuning" # snapd supports the concept of 'parallel installs' where snaps with the same # name are differentiated by '_<instance>' such that foo, foo_bar and foo_baz # may all be installed on the system. To support this, SNAP_NAME is set to the # name (eg, 'foo') while SNAP_INSTANCE_NAME is set to the instance name (eg # 'foo_bar'). The profile name and most rules therefore reference # SNAP_INSTANCE_NAME. In some cases, snapd will adjust the snap's runtime # environment so the snap doesn't have to be aware of the distinction (eg, # SNAP, SNAP_DATA and SNAP_COMMON are all bind mounted onto a directory with # SNAP_NAME so the security policy will allow writing to both locations (since # they are equivalent). # This is a snap name without the instance key @{SNAP_NAME}="lxd" # This is a snap name with instance key @{SNAP_INSTANCE_NAME}="lxd" @{SNAP_INSTANCE_DESKTOP}="lxd" @{SNAP_COMMAND_NAME}="buginfo" @{SNAP_REVISION}="31333" @{PROFILE_DBUS}="snap_2elxd_2ebuginfo" @{INSTALL_DIR}="/{,var/lib/snapd/}snap" profile "snap.lxd.buginfo" flags=(attach_disconnected,mediate_deleted) { #include <abstractions/base> #include <abstractions/consoles> #include <abstractions/openssl> # While in later versions of the base abstraction, include this explicitly # for series 16 and cross-distro /etc/ld.so.preload r, # The base abstraction doesn't yet have this /etc/sysconfig/clock r, owner @{PROC}/@{pid}/maps k, # /proc/XXXX/map_files contains the same info than /proc/XXXX/maps, but # in a format that is simpler to manage, because it doesn't require to # parse the text data inside a file, but just reading the contents of # a directory. # Reading /proc/XXXX/maps is already allowed in the base template # via <abstractions/base>. Also, only the owner can read it, and the # kernel limits access to it by requiring 'ptrace' enabled, so allowing # to access /proc/XXXX/map_files can be considered secure too. owner @{PROC}/@{pid}/map_files/ r, # While the base abstraction has rules for encryptfs encrypted home and # private directories, it is missing rules for directory read on the toplevel # directory of the mount (LP: #1848919) owner @{HOME}/.Private/ r, owner @{HOMEDIRS}/.ecryptfs//.Private/ r, # for python apps/services #include <abstractions/python> /etc/python3.[0-9]/* r, # explicitly deny noisy denials to read-only filesystems (see LP: #1496895 # for details) deny /usr/lib/python3/{,/}__pycache__/ w, deny /usr/lib/python3/{,/}__pycache__/.pyc.[0-9]* w, # bind mount used here (see 'parallel installs', above) deny @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}//__pycache__/ w, deny @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}//__pycache__/.pyc.[0-9] w, # for perl apps/services #include <abstractions/perl> # Missing from perl abstraction /usr/lib/@{multiarch}/perl{,5,-base}/auto/*.so mr, # Note: the following dangerous accesses should not be allowed in most # policy, but we cannot explicitly deny since other trusted interfaces might # add them. # Explicitly deny ptrace for now since it can be abused to break out of the # seccomp sandbox. https://lkml.org/lkml/2015/3/18/823 #audit deny ptrace (trace), # Explicitly deny capability mknod so apps can't create devices #audit deny capability mknod, # Explicitly deny mount, remount and umount so apps can't modify things in # their namespace #audit deny mount, #audit deny remount, #audit deny umount, # End dangerous accesses # Note: this potentially allows snaps to DoS other snaps via resource # exhaustion but we can't sensibly mediate this today. In the future we may # employ cgroup limits, AppArmor rlimit mlock rules or something else. capability ipc_lock, # for bash 'binaries' (do not use abstractions/bash) # user-specific bash files /etc/bash.bashrc r, /etc/inputrc r, /etc/environment r, /etc/profile r, # user/group/seat lookups /etc/{passwd,group,nsswitch.conf} r, # very common /var/lib/extrausers/{passwd,group} r, /run/systemd/users/[0-9]* r, /etc/default/nss r, # libnss-systemd (subset from nameservice abstraction) # # https://systemd.io/USER_GROUP_API/ # https://systemd.io/USER_RECORD/ # https://www.freedesktop.org/software/systemd/man/nss-systemd.html # # Allow User/Group lookups via common VarLink socket APIs. Applications need # to either consult all of them or the io.systemd.Multiplexer frontend. /run/systemd/userdb/ r, /run/systemd/userdb/io.systemd.Multiplexer rw, /run/systemd/userdb/io.systemd.DynamicUser rw, # systemd-exec users /run/systemd/userdb/io.systemd.Home rw, # systemd-home dirs /run/systemd/userdb/io.systemd.NameServiceSwitch rw, # UNIX/glibc NSS /run/systemd/userdb/io.systemd.Machine rw, # systemd-machined /etc/libnl-3/{classid,pktloc} r, # apps that use libnl # For snappy reexec on 4.8+ kernels /usr/lib/snapd/snap-exec m, # For gdb support /usr/lib/snapd/snap-gdb-shim ixr, /usr/lib/snapd/snap-gdbserver-shim ixr, # For in-snap tab completion /etc/bash_completion.d/{,} r, /usr/lib/snapd/etelpmoc.sh ixr, # marshaller (see complete.sh for out-of-snap unmarshal) /usr/share/bash-completion/bash_completion r, # user-provided completions (run in-snap) may use functions from here # uptime @{PROC}/uptime r, @{PROC}/loadavg r, # Allow reading /etc/os-release. On Ubuntu 16.04+ it is a symlink to /usr/lib # which is allowed by the base abstraction, but on 14.04 it is an actual file # so need to add it here. Also allow read locks on the file. /etc/os-release rk, /usr/lib/os-release k, # Debian version of the host OS which might be required in AppArmor-secured Debian /etc/debian_version r, # systemd native journal API (see sd_journal_print(4)). This should be in # AppArmor's base abstraction, but until it is, include here. We include # the base journal path as well as the journal namespace pattern path. Each # journal namespace for quota groups will be prefixed with 'snap-'. /run/systemd/journal{,.snap-}/socket w, /run/systemd/journal{,.snap-}/stdout rw, # 'r' shouldn't be needed, but journald # doesn't leak anything so allow /run/systemd/journal{,.snap-}/dev-log w, # snapctl and its requirements /usr/bin/snapctl ixr, /usr/lib/snapd/snapctl ixr, @{PROC}/sys/net/core/somaxconn r, /run/snapd-snap.socket rw, # Note: for now, don't explicitly deny this noisy denial so --devmode isn't # broken but eventually we may conditionally deny this since it is an # information leak. #deny /{,var/}run/utmp r, # java @{PROC}/@{pid}/ r, @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/auxv r, @{PROC}/sys/vm/zone_reclaim_mode r, /etc/lsb-release r, /sys/devices//read_ahead_kb r, /sys/devices/system/cpu/ r, /sys/devices/system/node/node[0-9]/ r, /sys/kernel/mm/transparent_hugepage/enabled r, /sys/kernel/mm/transparent_hugepage/defrag r, # NOTE: this leaks running process but java seems to want it (even though it # seems to operate ok without it) and SDL apps crash without it. Allow owner # match until AppArmor kernel var is available to solve this properly (see # LP: #1546825 for details). comm is a subset of cmdline, so allow it too. owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/comm r, # Per man(5) proc, the kernel enforces that a thread may only modify its comm # value or those in its thread group. owner @{PROC}/@{pid}/task/@{tid}/comm rw, # Allow reading and writing to our file descriptors in /proc which, for # example, allow access to /dev/std{in,out,err} which are all symlinks to # /proc/self/fd/{0,1,2} respectively. To support the open(..., O_TMPFILE) # linkat() temporary file technique, allow all fds. Importantly, access to # another task's fd via this proc interface is mediated via 'ptrace (read)' # (readonly) and 'ptrace (trace)' (read/write) which is denied by default, so # this rule by itself doesn't allow opening another snap's fds via proc. owner @{PROC}/@{pid}/{,task/@{tid}}fd/[0-9]* rw, # Miscellaneous accesses /dev/{,u}random w, /etc/machine-id r, /etc/mime.types r, /etc/default/keyboard r, @{PROC}/ r, @{PROC}/version r, @{PROC}/version_signature r, /etc/{,writable/}hostname r, /etc/{,writable/}localtime r, /etc/{,writable/}mailname r, /etc/{,writable/}timezone r, owner @{PROC}/@{pid}/cgroup rk, @{PROC}/@{pid}/cpuset r, @{PROC}/@{pid}/io r, owner @{PROC}/@{pid}/fdinfo/* r, owner @{PROC}/@{pid}/limits r, owner @{PROC}/@{pid}/loginuid r, owner @{PROC}/@{pid}/sessionid r, @{PROC}/@{pid}/smaps r, @{PROC}/@{pid}/stat r, @{PROC}/@{pid}/statm r, @{PROC}/@{pid}/status r, @{PROC}/@{pid}/task/ r, @{PROC}/@{pid}/task/[0-9]/smaps r, @{PROC}/@{pid}/task/[0-9]/stat r, @{PROC}/@{pid}/task/[0-9]/statm r, @{PROC}/@{pid}/task/[0-9]/status r, @{PROC}/sys/fs/pipe-max-size r, @{PROC}/sys/kernel/hostname r, @{PROC}/sys/kernel/osrelease r, @{PROC}/sys/kernel/ostype r, @{PROC}/sys/kernel/pid_max r, @{PROC}/sys/kernel/yama/ptrace_scope r, @{PROC}/sys/kernel/shmmax r, # Allow apps to introspect the level of dbus mediation AppArmor implements. /sys/kernel/security/apparmor/features/dbus/mask r, @{PROC}/sys/fs/file-max r, @{PROC}/sys/fs/file-nr r, @{PROC}/sys/fs/inotify/max_* r, @{PROC}/sys/kernel/pid_max r, @{PROC}/sys/kernel/random/boot_id r, @{PROC}/sys/kernel/random/entropy_avail r, @{PROC}/sys/kernel/random/uuid r, @{PROC}/sys/kernel/cap_last_cap r, # Allow access to the uuidd daemon (this daemon is a thin wrapper around # time and getrandom()/{,u}random and, when available, runs under an # unprivilged, dedicated user). /run/uuidd/request rw, /sys/devices/virtual/tty/{console,tty}/active r, /sys/fs/cgroup/memory/{,user.slice/}memory.limit_in_bytes r, /sys/fs/cgroup/memory/{,/}snap.@{SNAP_INSTANCE_NAME}{,.}/memory.limit_in_bytes r, /sys/fs/cgroup/memory/{,*/}snap.@{SNAP_INSTANCE_NAME}{,.}/memory.stat r, /sys/fs/cgroup/system.slice/snap.@{SNAP_INSTANCE_NAME}{,.}/memory.max r, /sys/fs/cgroup/cpu,cpuacct/{,user.slice/}cpu.cfs_{period,quota}_us r, /sys/fs/cgroup/cpu,cpuacct/{,/}snap.@{SNAP_INSTANCE_NAME}{,.}/cpu.cfs_{period,quota}_us r, /sys/fs/cgroup/cpu,cpuacct/{,user.slice/}cpu.shares r, /sys/fs/cgroup/cpu,cpuacct/{,*/}snap.@{SNAP_INSTANCE_NAME}{,.}/cpu.shares r, /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r, /sys/module/apparmor/parameters/enabled r, /{,usr/}lib/ r, # Reads of oom_adj and oom_score_adj are safe owner @{PROC}/@{pid}/oom_{,score_}adj r, # Note: for now, don't explicitly deny write access so --devmode isn't broken # but eventually we may conditionally deny this since it allows the process # to increase the oom heuristic of other processes (make them more likely to # be killed). Once AppArmor kernel var is available to solve this properly, # this can safely be allowed since non-root processes won't be able to # decrease the value and root processes will only be able to with # 'capability sys_resource,' which we deny be default. # deny owner @{PROC}/@{pid}/oom_{,score_}adj w, # Eases hardware assignment (doesn't give anything away) /etc/udev/udev.conf r, /sys/ r, /sys/bus/ r, /sys/class/ r, # this leaks interface names and stats, but not in a way that is traceable # to the user/device @{PROC}/net/dev r, @{PROC}/@{pid}/net/dev r, # Read-only of this snap /var/lib/snapd/snaps/@{SNAP_NAME}_.snap r, # Read-only of snapd restart state for snapctl specifically /var/lib/snapd/maintenance.json r, # Read-only for the install directory # bind mount used here (see 'parallel installs', above) @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/ r, @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}}/ r, @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}}/* mrklix, # Read-only install directory for other revisions to help with bugs like # LP: #1616650 and LP: #1655992 @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/** mrkix, # Read-only home area for other versions # bind mount not used here (see 'parallel installs', above) owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/ r, owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/ mrkix, # Experimental snap folder changes owner @{HOME}/.snap/data/@{SNAP_INSTANCE_NAME}/ r, owner @{HOME}/.snap/data/@{SNAP_INSTANCE_NAME}/ mrkix, owner @{HOME}/.snap/data/@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}/ wl, owner @{HOME}/.snap/data/@{SNAP_INSTANCE_NAME}/common/ wl, owner @{HOME}/Snap/@{SNAP_INSTANCE_NAME}/ r, owner @{HOME}/Snap/@{SNAP_INSTANCE_NAME}/** mrkixwl, # Writable home area for this version. # bind mount not used here (see 'parallel installs', above) owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}/ wl, owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/common/ wl, # Read-only system area for other versions # bind mount used here (see 'parallel installs', above) /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/ r, /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/ mrkix, # Writable system area only for this version # bind mount used here (see 'parallel installs', above) /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/@{SNAP_REVISION}/ wl, /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/common/ wl, # The snap-confine program creates an app-specific private restricted /tmp # and will fail to launch the app if something goes wrong. As such, we can # simply allow full access to /tmp. /tmp/ r, /tmp/ mrwlkix, # App-specific access to files and directories in /dev/shm. We allow file # access in /dev/shm for shm_open() and files in subdirectories for open() # bind mount not used here (see 'parallel installs', above) /{dev,run}/shm/snap.@{SNAP_INSTANCE_NAME}.** mrwlkix, # Also allow app-specific access for sem_open() /{dev,run}/shm/sem.snap.@{SNAP_INSTANCE_NAME}.* mrwlk, # Snap-specific XDG_RUNTIME_DIR that is based on the UID of the user # bind mount not used here (see 'parallel installs', above) owner /run/user/[0-9]/snap.@{SNAP_INSTANCE_NAME}/ rw, owner /run/user/[0-9]/snap.@{SNAP_INSTANCE_NAME}/ mrwklix, # Allow apps from the same package to communicate with each other via an # abstract or anonymous socket unix (bind, listen) addr="@snap.@{SNAP_INSTANCE_NAME}.", unix peer=(label=snap.@{SNAP_INSTANCE_NAME}.), # Allow apps from the same package to communicate with each other via DBus. # Note: this does not grant access to the DBus sockets of well known buses # (will still need to use an appropriate interface for that). dbus (receive, send) peer=(label=snap.@{SNAP_INSTANCE_NAME}.), # In addition to the above, dbus-run-session attempts reading these files # from the snap base runtime. /usr/share/dbus-1/services/{,} r, /usr/share/dbus-1/system-services/{,} r, # Allow apps to perform DBus introspection on org.freedesktop.DBus for both # the system and session buses. # Note: this does not grant access to the DBus sockets of these buses, but # we grant it here since it is missing from the dbus abstractions # (LP: #1866168) dbus (send) bus={session,system} path=/org/freedesktop/DBus interface=org.freedesktop.DBus.Introspectable member=Introspect peer=(label=unconfined), # Allow apps from the same package to signal each other via signals signal peer=snap.@{SNAP_INSTANCE_NAME}., # Allow receiving signals from all snaps (and focus on mediating sending of # signals) signal (receive) peer=snap., # Allow receiving signals from unconfined (eg, systemd) signal (receive) peer=unconfined, # for 'udevadm trigger --verbose --dry-run --tag-match=snappy-assign' /{,usr/}{,s}bin/udevadm ixr, /etc/udev/udev.conf r, /{,var/}run/udev/tags/snappy-assign/ r, @{PROC}/cmdline r, /sys/devices/*/uevent r, # LP: #1447237: adding '--property-match=SNAPPY_APP=<pkgname>' to the above # requires: # /run/udev/data/ r, # but that reveals too much about the system and cannot be granted to apps # by default at this time. # For convenience, allow apps to see what is in /dev even though cgroups # will block most access /dev/ r, /dev// r, # Allow setting up pseudoterminal via /dev/pts system. This is safe because # the launcher uses a per-app devpts newinstance. /dev/ptmx rw, # Do the same with /sys/devices and /sys/class to help people using hw-assign /sys/devices/ r, /sys/devices// r, /sys/class/ r, /sys/class/*/ r, # Allow all snaps to chroot capability sys_chroot, # Lttng tracing is very noisy and should not be allowed by confined apps. Can # safely deny for the normal case (LP: #1260491). If/when an lttng-trace # interface is needed, we can rework this. deny /{dev,run,var/run}/shm/lttng-ust- rw, # Allow read-access on /home/ for navigating to other parts of the # filesystem. While this allows enumerating users, this is already allowed # via /etc/passwd and getent. @{HOMEDIRS}/ r, # Allow read-access to / for navigating to other parts of the filesystem. / r, # Snap-specific run directory. Bind mount not used here # (see 'parallel installs', above) /run/snap.@{SNAP_INSTANCE_NAME}/ rw, /run/snap.@{SNAP_INSTANCE_NAME}/ mrwklix, # Snap-specific lock directory and prerequisite navigation permissions. /run/lock/ r, /run/lock/snap.@{SNAP_INSTANCE_NAME}/ rw, /run/lock/snap.@{SNAP_INSTANCE_NAME}/ mrwklix, # Default rules for core base runtimes # The base abstraction doesn't yet have this /{,usr/}lib/terminfo/ rk, /usr/share/terminfo/ k, /usr/share/zoneinfo/** k, # for python apps/services /usr/bin/python{,2,2.[0-9],3,3.[0-9]} ixr, # additional accesses needed for newer pythons in later bases /usr/lib{,32,64}/python3.[0-9]/.{pyc,so} mr, /usr/lib{,32,64}/python3.[0-9]/*.{egg,py,pth} r, /usr/lib{,32,64}/python3.[0-9]/{site,dist}-packages/ r, /usr/lib{,32,64}/python3.[0-9]/lib-dynload/.so mr, /usr/include/python3.[0-9]/pyconfig.h r, # for perl apps/services /usr/bin/perl{,5} ixr, # AppArmor <2.12 doesn't have rules for perl-base, so add them here /usr/lib/@{multiarch}/perl{,5,-base}/** r, /usr/lib/@{multiarch}/perl{,5,-base}/[0-9]/.so mr, # for bash 'binaries' (do not use abstractions/bash) # user-specific bash files /{,usr/}bin/bash ixr, /{,usr/}bin/dash ixr, /usr/share/terminfo/** r, # Common utilities for shell scripts /{,usr/}bin/arch ixr, /{,usr/}bin/{,g,m}awk ixr, /{,usr/}bin/base32 ixr, /{,usr/}bin/base64 ixr, /{,usr/}bin/basename ixr, /{,usr/}bin/bunzip2 ixr, /{,usr/}bin/busctl ixr, /{,usr/}bin/bzcat ixr, /{,usr/}bin/bzdiff ixr, /{,usr/}bin/bzgrep ixr, /{,usr/}bin/bzip2 ixr, /{,usr/}bin/cat ixr, /{,usr/}bin/chgrp ixr, /{,usr/}bin/chmod ixr, /{,usr/}bin/chown ixr, /{,usr/}bin/clear ixr, /{,usr/}bin/cmp ixr, /{,usr/}bin/cp ixr, /{,usr/}bin/cpio ixr, /{,usr/}bin/cut ixr, /{,usr/}bin/date ixr, /{,usr/}bin/dbus-daemon ixr, /{,usr/}bin/dbus-run-session ixr, /{,usr/}bin/dbus-send ixr, /{,usr/}bin/dd ixr, /{,usr/}bin/diff{,3} ixr, /{,usr/}bin/dir ixr, /{,usr/}bin/dirname ixr, /{,usr/}bin/du ixr, /{,usr/}bin/echo ixr, /{,usr/}bin/{,e,f,r}grep ixr, /{,usr/}bin/env ixr, /{,usr/}bin/expr ixr, /{,usr/}bin/false ixr, /{,usr/}bin/find ixr, /{,usr/}bin/flock ixr, /{,usr/}bin/fmt ixr, /{,usr/}bin/fold ixr, /{,usr/}bin/getconf ixr, /{,usr/}bin/getent ixr, /{,usr/}bin/getopt ixr, /{,usr/}bin/groups ixr, /{,usr/}bin/gzip ixr, /{,usr/}bin/head ixr, /{,usr/}bin/hostname ixr, /{,usr/}bin/id ixr, /{,usr/}bin/igawk ixr, /{,usr/}bin/infocmp ixr, /{,usr/}bin/kill ixr, /{,usr/}bin/ldd ixr, /{usr/,}lib{,32,64}/ld{,32,64}-.so ix, /{usr/,}lib/@{multiarch}/ld{,32,64}-.so* ix, /{,usr/}bin/less{,file,pipe} ixr, /{,usr/}bin/ln ixr, /{,usr/}bin/line ixr, /{,usr/}bin/link ixr, /{,usr/}bin/locale ixr, /{,usr/}bin/logger ixr, /{,usr/}bin/ls ixr, /{,usr/}bin/md5sum ixr, /{,usr/}bin/mkdir ixr, /{,usr/}bin/mkfifo ixr, /{,usr/}bin/mknod ixr, /{,usr/}bin/mktemp ixr, /{,usr/}bin/more ixr, /{,usr/}bin/mv ixr, /{,usr/}bin/nice ixr, /{,usr/}bin/nohup ixr, /{,usr/}bin/numfmt ixr, /{,usr/}bin/od ixr, /{,usr/}bin/openssl ixr, # may cause harmless capability block_suspend denial /{,usr/}bin/paste ixr, /{,usr/}bin/pgrep ixr, /{,usr/}bin/printenv ixr, /{,usr/}bin/printf ixr, /{,usr/}bin/ps ixr, /{,usr/}bin/pwd ixr, /{,usr/}bin/readlink ixr, /{,usr/}bin/realpath ixr, /{,usr/}bin/rev ixr, /{,usr/}bin/rm ixr, /{,usr/}bin/rmdir ixr, /{,usr/}bin/run-parts ixr, /{,usr/}bin/sed ixr, /{,usr/}bin/seq ixr, /{,usr/}bin/setpriv ixr, /{,usr/}bin/sha{1,224,256,384,512}sum ixr, /{,usr/}bin/shuf ixr, /{,usr/}bin/sleep ixr, /{,usr/}bin/sort ixr, /{,usr/}bin/stat ixr, /{,usr/}bin/stdbuf ixr, /{,usr/}bin/stty ixr, /{,usr/}bin/sync ixr, /{,usr/}bin/systemd-cat ixr, /{,usr/}bin/tac ixr, /{,usr/}bin/tail ixr, /{,usr/}bin/tar ixr, /{,usr/}bin/tee ixr, /{,usr/}bin/test ixr, /{,usr/}bin/tempfile ixr, /{,usr/}bin/tset ixr, /{,usr/}bin/touch ixr, /{,usr/}bin/tput ixr, /{,usr/}bin/tr ixr, /{,usr/}bin/true ixr, /{,usr/}bin/tty ixr, /{,usr/}bin/uname ixr, /{,usr/}bin/uniq ixr, /{,usr/}bin/unlink ixr, /{,usr/}bin/unxz ixr, /{,usr/}bin/unzip ixr, /{,usr/}bin/uptime ixr, /{,usr/}bin/vdir ixr, /{,usr/}bin/vim.tiny ixr, /{,usr/}bin/wc ixr, /{,usr/}bin/which{,.debianutils} ixr, /{,usr/}bin/xargs ixr, /{,usr/}bin/xz ixr, /{,usr/}bin/yes ixr, /{,usr/}bin/zcat ixr, /{,usr/}bin/z{,e,f}grep ixr, /{,usr/}bin/zip ixr, /{,usr/}bin/zipgrep ixr, # lsb-release /usr/bin/lsb_release ixr, /usr/bin/ r, /usr/share/distro-info/.csv r, # For printing the cache (we don't allow updating the cache) /{,usr/}sbin/ldconfig{,.real} ixr, # Allow all snaps to chroot /{,usr/}sbin/chroot ixr, # Description: Can change to any apparmor profile (including unconfined) thus # giving access to all resources of the system so LXD may manage what to give # to its containers. This gives device ownership to connected snaps. @{PROC}//attr/{,apparmor/}current r, /{,usr/}{,s}bin/aa-exec ux, # Allow discovering the os-release of the host /var/lib/snapd/hostfs/{etc,usr/lib}/os-release r, # Description: Can query system status information. This is restricted because # it gives privileged read access to all processes on the system and should # only be used with trusted apps. # Needed by 'ps' @{PROC}/tty/drivers r, # This ptrace is an information leak. Intentionlly omit 'ptrace (trace)' here # since since ps doesn't actually need to trace other processes. Note this # allows a number of accesses (assuming the associated /proc file is allowed), # such as various memory address locations and esp/eip via /proc//stat, # /proc//mem, /proc//personality, /proc//stack, /proc//syscall, # /proc//timerslack_ns and /proc//wchan (see man proc). # # Some files like /proc/kallsyms (but anything using %pK format specifier) need # 'capability syslog' when /proc/sys/kernel/kptr_restrict=1, but we # intentionally do not allow since it could be used to defeat KASLR. ptrace (read), # Other miscellaneous accesses for observing the system @{PROC}/cgroups r, @{PROC}/locks r, @{PROC}/modules r, @{PROC}/mdstat r, @{PROC}/schedstat r, @{PROC}/stat r, @{PROC}/vmstat r, @{PROC}/zoneinfo r, @{PROC}/diskstats r, @{PROC}/kallsyms r, @{PROC}/partitions r, @{PROC}/pressure/cpu r, @{PROC}/pressure/io r, @{PROC}/pressure/memory r, @{PROC}/sys/kernel/panic r, @{PROC}/sys/kernel/panic_on_oops r, @{PROC}/sys/kernel/sched_autogroup_enabled r, @{PROC}/sys/vm/max_map_count r, @{PROC}/sys/vm/panic_on_oom r, @{PROC}/sys/vm/swappiness r, # These are not process-specific (/proc//... and /proc//task//...) @{PROC}//{,task/,task//} r, @{PROC}//{,task//}autogroup r, @{PROC}//{,task//}auxv r, @{PROC}//{,task//}cgroup r, @{PROC}//{,task//}cmdline r, @{PROC}//{,task//}comm r, @{PROC}//{,task//}exe r, @{PROC}//{,task//}fdinfo/ r, @{PROC}//{,task//}io r, @{PROC}//{,task//}oom_score r, # allow reading of smaps_rollup, which is a summary of the memory use of a process, # but not smaps which contains a detailed mappings breakdown like # /proc/self/maps, which we do not allow access to for other processes @{PROC}//{,task//}smaps_rollup r, @{PROC}//{,task//}schedstat r, @{PROC}//{,task//}stat r, @{PROC}//{,task//}statm r, @{PROC}//{,task//}status r, @{PROC}//{,task//}wchan r, # Allow reading processes security label @{PROC}//{,task//}attr/{,apparmor/}current r, # Allow discovering the os-release of the host /var/lib/snapd/hostfs/etc/os-release rk, /var/lib/snapd/hostfs/usr/lib/os-release rk, # Allow discovering the Kernel build config @{PROC}/config.gz r, /boot/config* r, # Allow discovering system-wide CFS Bandwidth Control information # https://www.kernel.org/doc/html/latest/scheduler/sched-bwc.html /sys/fs/cgroup/cpu,cpuacct/cpu.cfs_period_us r, /sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r, /sys/fs/cgroup/cpu,cpuacct/cpu.shares r, /sys/fs/cgroup/cpu,cpuacct/cpu.stat r, /sys/fs/cgroup/memory/memory.stat r, #include <abstractions/dbus-strict> # do not use peer=(label=unconfined) here since this is DBus activated dbus (send) bus=system path=/org/freedesktop/hostname1 interface=org.freedesktop.DBus.Properties member=Get{,All}, # Allow clients to introspect hostname1 # do not use peer=(label=unconfined) here since this is DBus activated dbus (send) bus=system path=/org/freedesktop/hostname1 interface=org.freedesktop.DBus.Introspectable member=Introspect, # Allow clients to enumerate DBus connection names on common buses dbus (send) bus={session,system} path={/,/org/freedesktop/DBus} interface=org.freedesktop.DBus member={ListNames,ListActivatableNames} peer=(label=unconfined), # Allow clients to obtain the DBus machine ID on common buses. We do not # mediate the path since any peer can be used. dbus (send) bus={session,system} interface=org.freedesktop.DBus.Peer member=GetMachineId peer=(label=unconfined), # Allow clients to get properties of systemd (the manager) and # units dbus (send) bus=system interface=org.freedesktop.DBus.Properties path=/org/freedesktop/systemd1{,/*} member=Get{,All} peer=(label=unconfined), # Allow clients to explicitly list units with some of their details (path, # status) and get unit path, see # https://www.freedesktop.org/wiki/Software/systemd/dbus/ for details dbus (send) bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member={GetUnit,ListUnits} peer=(label=unconfined), # Allow reading if protected hardlinks are enabled, but don't allow enabling or # disabling them @{PROC}/sys/fs/protected_hardlinks r, @{PROC}/sys/fs/protected_symlinks r, @{PROC}/sys/fs/protected_fifos r, @{PROC}/sys/fs/protected_regular r, # allow use of user namespaces userns, # While commands like 'ps', 'ip netns identify <pid>', 'ip netns pids foo', etc # trigger a 'ptrace (trace)' denial, they aren't actually tracing other # processes. Unfortunately, the kernel overloads trace such that the LSMs are # unable to distinguish between tracing other processes and other accesses. # ptrace (trace) can be used to break out of the seccomp sandbox unless the # kernel has 93e35efb8de45393cf61ed07f7b407629bf698ea (in 4.8+). Until snapd # has full ptrace support conditional on kernel support, explicitly deny to # silence noisy denials/avoid confusion and accidentally giving away this # dangerous access frivolously. deny ptrace (trace), deny capability sys_ptrace, } ��snap.lxd.migrate��0000644��00000067435�15027571546�0007700 0��ustar�00�� # vim:syntax=apparmor #include <tunables/global> #include if exists "/etc/apparmor.d/tunables/home.d" #include if exists "/var/lib/snapd/apparmor/snap-tuning" # snapd supports the concept of 'parallel installs' where snaps with the same # name are differentiated by '_<instance>' such that foo, foo_bar and foo_baz # may all be installed on the system. To support this, SNAP_NAME is set to the # name (eg, 'foo') while SNAP_INSTANCE_NAME is set to the instance name (eg # 'foo_bar'). The profile name and most rules therefore reference # SNAP_INSTANCE_NAME. In some cases, snapd will adjust the snap's runtime # environment so the snap doesn't have to be aware of the distinction (eg, # SNAP, SNAP_DATA and SNAP_COMMON are all bind mounted onto a directory with # SNAP_NAME so the security policy will allow writing to both locations (since # they are equivalent). # This is a snap name without the instance key @{SNAP_NAME}="lxd" # This is a snap name with instance key @{SNAP_INSTANCE_NAME}="lxd" @{SNAP_INSTANCE_DESKTOP}="lxd" @{SNAP_COMMAND_NAME}="migrate" @{SNAP_REVISION}="31333" @{PROFILE_DBUS}="snap_2elxd_2emigrate" @{INSTALL_DIR}="/{,var/lib/snapd/}snap" profile "snap.lxd.migrate" flags=(attach_disconnected,mediate_deleted) { #include <abstractions/base> #include <abstractions/consoles> #include <abstractions/openssl> # While in later versions of the base abstraction, include this explicitly # for series 16 and cross-distro /etc/ld.so.preload r, # The base abstraction doesn't yet have this /etc/sysconfig/clock r, owner @{PROC}/@{pid}/maps k, # /proc/XXXX/map_files contains the same info than /proc/XXXX/maps, but # in a format that is simpler to manage, because it doesn't require to # parse the text data inside a file, but just reading the contents of # a directory. # Reading /proc/XXXX/maps is already allowed in the base template # via <abstractions/base>. Also, only the owner can read it, and the # kernel limits access to it by requiring 'ptrace' enabled, so allowing # to access /proc/XXXX/map_files can be considered secure too. owner @{PROC}/@{pid}/map_files/ r, # While the base abstraction has rules for encryptfs encrypted home and # private directories, it is missing rules for directory read on the toplevel # directory of the mount (LP: #1848919) owner @{HOME}/.Private/ r, owner @{HOMEDIRS}/.ecryptfs//.Private/ r, # for python apps/services #include <abstractions/python> /etc/python3.[0-9]/* r, # explicitly deny noisy denials to read-only filesystems (see LP: #1496895 # for details) deny /usr/lib/python3/{,/}__pycache__/ w, deny /usr/lib/python3/{,/}__pycache__/.pyc.[0-9]* w, # bind mount used here (see 'parallel installs', above) deny @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}//__pycache__/ w, deny @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}//__pycache__/.pyc.[0-9] w, # for perl apps/services #include <abstractions/perl> # Missing from perl abstraction /usr/lib/@{multiarch}/perl{,5,-base}/auto/*.so mr, # Note: the following dangerous accesses should not be allowed in most # policy, but we cannot explicitly deny since other trusted interfaces might # add them. # Explicitly deny ptrace for now since it can be abused to break out of the # seccomp sandbox. https://lkml.org/lkml/2015/3/18/823 #audit deny ptrace (trace), # Explicitly deny capability mknod so apps can't create devices #audit deny capability mknod, # Explicitly deny mount, remount and umount so apps can't modify things in # their namespace #audit deny mount, #audit deny remount, #audit deny umount, # End dangerous accesses # Note: this potentially allows snaps to DoS other snaps via resource # exhaustion but we can't sensibly mediate this today. In the future we may # employ cgroup limits, AppArmor rlimit mlock rules or something else. capability ipc_lock, # for bash 'binaries' (do not use abstractions/bash) # user-specific bash files /etc/bash.bashrc r, /etc/inputrc r, /etc/environment r, /etc/profile r, # user/group/seat lookups /etc/{passwd,group,nsswitch.conf} r, # very common /var/lib/extrausers/{passwd,group} r, /run/systemd/users/[0-9]* r, /etc/default/nss r, # libnss-systemd (subset from nameservice abstraction) # # https://systemd.io/USER_GROUP_API/ # https://systemd.io/USER_RECORD/ # https://www.freedesktop.org/software/systemd/man/nss-systemd.html # # Allow User/Group lookups via common VarLink socket APIs. Applications need # to either consult all of them or the io.systemd.Multiplexer frontend. /run/systemd/userdb/ r, /run/systemd/userdb/io.systemd.Multiplexer rw, /run/systemd/userdb/io.systemd.DynamicUser rw, # systemd-exec users /run/systemd/userdb/io.systemd.Home rw, # systemd-home dirs /run/systemd/userdb/io.systemd.NameServiceSwitch rw, # UNIX/glibc NSS /run/systemd/userdb/io.systemd.Machine rw, # systemd-machined /etc/libnl-3/{classid,pktloc} r, # apps that use libnl # For snappy reexec on 4.8+ kernels /usr/lib/snapd/snap-exec m, # For gdb support /usr/lib/snapd/snap-gdb-shim ixr, /usr/lib/snapd/snap-gdbserver-shim ixr, # For in-snap tab completion /etc/bash_completion.d/{,} r, /usr/lib/snapd/etelpmoc.sh ixr, # marshaller (see complete.sh for out-of-snap unmarshal) /usr/share/bash-completion/bash_completion r, # user-provided completions (run in-snap) may use functions from here # uptime @{PROC}/uptime r, @{PROC}/loadavg r, # Allow reading /etc/os-release. On Ubuntu 16.04+ it is a symlink to /usr/lib # which is allowed by the base abstraction, but on 14.04 it is an actual file # so need to add it here. Also allow read locks on the file. /etc/os-release rk, /usr/lib/os-release k, # Debian version of the host OS which might be required in AppArmor-secured Debian /etc/debian_version r, # systemd native journal API (see sd_journal_print(4)). This should be in # AppArmor's base abstraction, but until it is, include here. We include # the base journal path as well as the journal namespace pattern path. Each # journal namespace for quota groups will be prefixed with 'snap-'. /run/systemd/journal{,.snap-}/socket w, /run/systemd/journal{,.snap-}/stdout rw, # 'r' shouldn't be needed, but journald # doesn't leak anything so allow /run/systemd/journal{,.snap-}/dev-log w, # snapctl and its requirements /usr/bin/snapctl ixr, /usr/lib/snapd/snapctl ixr, @{PROC}/sys/net/core/somaxconn r, /run/snapd-snap.socket rw, # Note: for now, don't explicitly deny this noisy denial so --devmode isn't # broken but eventually we may conditionally deny this since it is an # information leak. #deny /{,var/}run/utmp r, # java @{PROC}/@{pid}/ r, @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/auxv r, @{PROC}/sys/vm/zone_reclaim_mode r, /etc/lsb-release r, /sys/devices//read_ahead_kb r, /sys/devices/system/cpu/ r, /sys/devices/system/node/node[0-9]/ r, /sys/kernel/mm/transparent_hugepage/enabled r, /sys/kernel/mm/transparent_hugepage/defrag r, # NOTE: this leaks running process but java seems to want it (even though it # seems to operate ok without it) and SDL apps crash without it. Allow owner # match until AppArmor kernel var is available to solve this properly (see # LP: #1546825 for details). comm is a subset of cmdline, so allow it too. owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/comm r, # Per man(5) proc, the kernel enforces that a thread may only modify its comm # value or those in its thread group. owner @{PROC}/@{pid}/task/@{tid}/comm rw, # Allow reading and writing to our file descriptors in /proc which, for # example, allow access to /dev/std{in,out,err} which are all symlinks to # /proc/self/fd/{0,1,2} respectively. To support the open(..., O_TMPFILE) # linkat() temporary file technique, allow all fds. Importantly, access to # another task's fd via this proc interface is mediated via 'ptrace (read)' # (readonly) and 'ptrace (trace)' (read/write) which is denied by default, so # this rule by itself doesn't allow opening another snap's fds via proc. owner @{PROC}/@{pid}/{,task/@{tid}}fd/[0-9]* rw, # Miscellaneous accesses /dev/{,u}random w, /etc/machine-id r, /etc/mime.types r, /etc/default/keyboard r, @{PROC}/ r, @{PROC}/version r, @{PROC}/version_signature r, /etc/{,writable/}hostname r, /etc/{,writable/}localtime r, /etc/{,writable/}mailname r, /etc/{,writable/}timezone r, owner @{PROC}/@{pid}/cgroup rk, @{PROC}/@{pid}/cpuset r, @{PROC}/@{pid}/io r, owner @{PROC}/@{pid}/fdinfo/* r, owner @{PROC}/@{pid}/limits r, owner @{PROC}/@{pid}/loginuid r, owner @{PROC}/@{pid}/sessionid r, @{PROC}/@{pid}/smaps r, @{PROC}/@{pid}/stat r, @{PROC}/@{pid}/statm r, @{PROC}/@{pid}/status r, @{PROC}/@{pid}/task/ r, @{PROC}/@{pid}/task/[0-9]/smaps r, @{PROC}/@{pid}/task/[0-9]/stat r, @{PROC}/@{pid}/task/[0-9]/statm r, @{PROC}/@{pid}/task/[0-9]/status r, @{PROC}/sys/fs/pipe-max-size r, @{PROC}/sys/kernel/hostname r, @{PROC}/sys/kernel/osrelease r, @{PROC}/sys/kernel/ostype r, @{PROC}/sys/kernel/pid_max r, @{PROC}/sys/kernel/yama/ptrace_scope r, @{PROC}/sys/kernel/shmmax r, # Allow apps to introspect the level of dbus mediation AppArmor implements. /sys/kernel/security/apparmor/features/dbus/mask r, @{PROC}/sys/fs/file-max r, @{PROC}/sys/fs/file-nr r, @{PROC}/sys/fs/inotify/max_* r, @{PROC}/sys/kernel/pid_max r, @{PROC}/sys/kernel/random/boot_id r, @{PROC}/sys/kernel/random/entropy_avail r, @{PROC}/sys/kernel/random/uuid r, @{PROC}/sys/kernel/cap_last_cap r, # Allow access to the uuidd daemon (this daemon is a thin wrapper around # time and getrandom()/{,u}random and, when available, runs under an # unprivilged, dedicated user). /run/uuidd/request rw, /sys/devices/virtual/tty/{console,tty}/active r, /sys/fs/cgroup/memory/{,user.slice/}memory.limit_in_bytes r, /sys/fs/cgroup/memory/{,/}snap.@{SNAP_INSTANCE_NAME}{,.}/memory.limit_in_bytes r, /sys/fs/cgroup/memory/{,*/}snap.@{SNAP_INSTANCE_NAME}{,.}/memory.stat r, /sys/fs/cgroup/system.slice/snap.@{SNAP_INSTANCE_NAME}{,.}/memory.max r, /sys/fs/cgroup/cpu,cpuacct/{,user.slice/}cpu.cfs_{period,quota}_us r, /sys/fs/cgroup/cpu,cpuacct/{,/}snap.@{SNAP_INSTANCE_NAME}{,.}/cpu.cfs_{period,quota}_us r, /sys/fs/cgroup/cpu,cpuacct/{,user.slice/}cpu.shares r, /sys/fs/cgroup/cpu,cpuacct/{,*/}snap.@{SNAP_INSTANCE_NAME}{,.}/cpu.shares r, /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r, /sys/module/apparmor/parameters/enabled r, /{,usr/}lib/ r, # Reads of oom_adj and oom_score_adj are safe owner @{PROC}/@{pid}/oom_{,score_}adj r, # Note: for now, don't explicitly deny write access so --devmode isn't broken # but eventually we may conditionally deny this since it allows the process # to increase the oom heuristic of other processes (make them more likely to # be killed). Once AppArmor kernel var is available to solve this properly, # this can safely be allowed since non-root processes won't be able to # decrease the value and root processes will only be able to with # 'capability sys_resource,' which we deny be default. # deny owner @{PROC}/@{pid}/oom_{,score_}adj w, # Eases hardware assignment (doesn't give anything away) /etc/udev/udev.conf r, /sys/ r, /sys/bus/ r, /sys/class/ r, # this leaks interface names and stats, but not in a way that is traceable # to the user/device @{PROC}/net/dev r, @{PROC}/@{pid}/net/dev r, # Read-only of this snap /var/lib/snapd/snaps/@{SNAP_NAME}_.snap r, # Read-only of snapd restart state for snapctl specifically /var/lib/snapd/maintenance.json r, # Read-only for the install directory # bind mount used here (see 'parallel installs', above) @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/ r, @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}}/ r, @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}}/* mrklix, # Read-only install directory for other revisions to help with bugs like # LP: #1616650 and LP: #1655992 @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/** mrkix, # Read-only home area for other versions # bind mount not used here (see 'parallel installs', above) owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/ r, owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/ mrkix, # Experimental snap folder changes owner @{HOME}/.snap/data/@{SNAP_INSTANCE_NAME}/ r, owner @{HOME}/.snap/data/@{SNAP_INSTANCE_NAME}/ mrkix, owner @{HOME}/.snap/data/@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}/ wl, owner @{HOME}/.snap/data/@{SNAP_INSTANCE_NAME}/common/ wl, owner @{HOME}/Snap/@{SNAP_INSTANCE_NAME}/ r, owner @{HOME}/Snap/@{SNAP_INSTANCE_NAME}/** mrkixwl, # Writable home area for this version. # bind mount not used here (see 'parallel installs', above) owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}/ wl, owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/common/ wl, # Read-only system area for other versions # bind mount used here (see 'parallel installs', above) /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/ r, /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/ mrkix, # Writable system area only for this version # bind mount used here (see 'parallel installs', above) /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/@{SNAP_REVISION}/ wl, /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/common/ wl, # The snap-confine program creates an app-specific private restricted /tmp # and will fail to launch the app if something goes wrong. As such, we can # simply allow full access to /tmp. /tmp/ r, /tmp/ mrwlkix, # App-specific access to files and directories in /dev/shm. We allow file # access in /dev/shm for shm_open() and files in subdirectories for open() # bind mount not used here (see 'parallel installs', above) /{dev,run}/shm/snap.@{SNAP_INSTANCE_NAME}.** mrwlkix, # Also allow app-specific access for sem_open() /{dev,run}/shm/sem.snap.@{SNAP_INSTANCE_NAME}.* mrwlk, # Snap-specific XDG_RUNTIME_DIR that is based on the UID of the user # bind mount not used here (see 'parallel installs', above) owner /run/user/[0-9]/snap.@{SNAP_INSTANCE_NAME}/ rw, owner /run/user/[0-9]/snap.@{SNAP_INSTANCE_NAME}/ mrwklix, # Allow apps from the same package to communicate with each other via an # abstract or anonymous socket unix (bind, listen) addr="@snap.@{SNAP_INSTANCE_NAME}.", unix peer=(label=snap.@{SNAP_INSTANCE_NAME}.), # Allow apps from the same package to communicate with each other via DBus. # Note: this does not grant access to the DBus sockets of well known buses # (will still need to use an appropriate interface for that). dbus (receive, send) peer=(label=snap.@{SNAP_INSTANCE_NAME}.), # In addition to the above, dbus-run-session attempts reading these files # from the snap base runtime. /usr/share/dbus-1/services/{,} r, /usr/share/dbus-1/system-services/{,} r, # Allow apps to perform DBus introspection on org.freedesktop.DBus for both # the system and session buses. # Note: this does not grant access to the DBus sockets of these buses, but # we grant it here since it is missing from the dbus abstractions # (LP: #1866168) dbus (send) bus={session,system} path=/org/freedesktop/DBus interface=org.freedesktop.DBus.Introspectable member=Introspect peer=(label=unconfined), # Allow apps from the same package to signal each other via signals signal peer=snap.@{SNAP_INSTANCE_NAME}., # Allow receiving signals from all snaps (and focus on mediating sending of # signals) signal (receive) peer=snap., # Allow receiving signals from unconfined (eg, systemd) signal (receive) peer=unconfined, # for 'udevadm trigger --verbose --dry-run --tag-match=snappy-assign' /{,usr/}{,s}bin/udevadm ixr, /etc/udev/udev.conf r, /{,var/}run/udev/tags/snappy-assign/ r, @{PROC}/cmdline r, /sys/devices/*/uevent r, # LP: #1447237: adding '--property-match=SNAPPY_APP=<pkgname>' to the above # requires: # /run/udev/data/ r, # but that reveals too much about the system and cannot be granted to apps # by default at this time. # For convenience, allow apps to see what is in /dev even though cgroups # will block most access /dev/ r, /dev// r, # Allow setting up pseudoterminal via /dev/pts system. This is safe because # the launcher uses a per-app devpts newinstance. /dev/ptmx rw, # Do the same with /sys/devices and /sys/class to help people using hw-assign /sys/devices/ r, /sys/devices// r, /sys/class/ r, /sys/class/*/ r, # Allow all snaps to chroot capability sys_chroot, # Lttng tracing is very noisy and should not be allowed by confined apps. Can # safely deny for the normal case (LP: #1260491). If/when an lttng-trace # interface is needed, we can rework this. deny /{dev,run,var/run}/shm/lttng-ust- rw, # Allow read-access on /home/ for navigating to other parts of the # filesystem. While this allows enumerating users, this is already allowed # via /etc/passwd and getent. @{HOMEDIRS}/ r, # Allow read-access to / for navigating to other parts of the filesystem. / r, # Snap-specific run directory. Bind mount not used here # (see 'parallel installs', above) /run/snap.@{SNAP_INSTANCE_NAME}/ rw, /run/snap.@{SNAP_INSTANCE_NAME}/ mrwklix, # Snap-specific lock directory and prerequisite navigation permissions. /run/lock/ r, /run/lock/snap.@{SNAP_INSTANCE_NAME}/ rw, /run/lock/snap.@{SNAP_INSTANCE_NAME}/ mrwklix, # Default rules for core base runtimes # The base abstraction doesn't yet have this /{,usr/}lib/terminfo/ rk, /usr/share/terminfo/ k, /usr/share/zoneinfo/** k, # for python apps/services /usr/bin/python{,2,2.[0-9],3,3.[0-9]} ixr, # additional accesses needed for newer pythons in later bases /usr/lib{,32,64}/python3.[0-9]/.{pyc,so} mr, /usr/lib{,32,64}/python3.[0-9]/*.{egg,py,pth} r, /usr/lib{,32,64}/python3.[0-9]/{site,dist}-packages/ r, /usr/lib{,32,64}/python3.[0-9]/lib-dynload/.so mr, /usr/include/python3.[0-9]/pyconfig.h r, # for perl apps/services /usr/bin/perl{,5} ixr, # AppArmor <2.12 doesn't have rules for perl-base, so add them here /usr/lib/@{multiarch}/perl{,5,-base}/** r, /usr/lib/@{multiarch}/perl{,5,-base}/[0-9]/.so mr, # for bash 'binaries' (do not use abstractions/bash) # user-specific bash files /{,usr/}bin/bash ixr, /{,usr/}bin/dash ixr, /usr/share/terminfo/** r, # Common utilities for shell scripts /{,usr/}bin/arch ixr, /{,usr/}bin/{,g,m}awk ixr, /{,usr/}bin/base32 ixr, /{,usr/}bin/base64 ixr, /{,usr/}bin/basename ixr, /{,usr/}bin/bunzip2 ixr, /{,usr/}bin/busctl ixr, /{,usr/}bin/bzcat ixr, /{,usr/}bin/bzdiff ixr, /{,usr/}bin/bzgrep ixr, /{,usr/}bin/bzip2 ixr, /{,usr/}bin/cat ixr, /{,usr/}bin/chgrp ixr, /{,usr/}bin/chmod ixr, /{,usr/}bin/chown ixr, /{,usr/}bin/clear ixr, /{,usr/}bin/cmp ixr, /{,usr/}bin/cp ixr, /{,usr/}bin/cpio ixr, /{,usr/}bin/cut ixr, /{,usr/}bin/date ixr, /{,usr/}bin/dbus-daemon ixr, /{,usr/}bin/dbus-run-session ixr, /{,usr/}bin/dbus-send ixr, /{,usr/}bin/dd ixr, /{,usr/}bin/diff{,3} ixr, /{,usr/}bin/dir ixr, /{,usr/}bin/dirname ixr, /{,usr/}bin/du ixr, /{,usr/}bin/echo ixr, /{,usr/}bin/{,e,f,r}grep ixr, /{,usr/}bin/env ixr, /{,usr/}bin/expr ixr, /{,usr/}bin/false ixr, /{,usr/}bin/find ixr, /{,usr/}bin/flock ixr, /{,usr/}bin/fmt ixr, /{,usr/}bin/fold ixr, /{,usr/}bin/getconf ixr, /{,usr/}bin/getent ixr, /{,usr/}bin/getopt ixr, /{,usr/}bin/groups ixr, /{,usr/}bin/gzip ixr, /{,usr/}bin/head ixr, /{,usr/}bin/hostname ixr, /{,usr/}bin/id ixr, /{,usr/}bin/igawk ixr, /{,usr/}bin/infocmp ixr, /{,usr/}bin/kill ixr, /{,usr/}bin/ldd ixr, /{usr/,}lib{,32,64}/ld{,32,64}-.so ix, /{usr/,}lib/@{multiarch}/ld{,32,64}-.so* ix, /{,usr/}bin/less{,file,pipe} ixr, /{,usr/}bin/ln ixr, /{,usr/}bin/line ixr, /{,usr/}bin/link ixr, /{,usr/}bin/locale ixr, /{,usr/}bin/logger ixr, /{,usr/}bin/ls ixr, /{,usr/}bin/md5sum ixr, /{,usr/}bin/mkdir ixr, /{,usr/}bin/mkfifo ixr, /{,usr/}bin/mknod ixr, /{,usr/}bin/mktemp ixr, /{,usr/}bin/more ixr, /{,usr/}bin/mv ixr, /{,usr/}bin/nice ixr, /{,usr/}bin/nohup ixr, /{,usr/}bin/numfmt ixr, /{,usr/}bin/od ixr, /{,usr/}bin/openssl ixr, # may cause harmless capability block_suspend denial /{,usr/}bin/paste ixr, /{,usr/}bin/pgrep ixr, /{,usr/}bin/printenv ixr, /{,usr/}bin/printf ixr, /{,usr/}bin/ps ixr, /{,usr/}bin/pwd ixr, /{,usr/}bin/readlink ixr, /{,usr/}bin/realpath ixr, /{,usr/}bin/rev ixr, /{,usr/}bin/rm ixr, /{,usr/}bin/rmdir ixr, /{,usr/}bin/run-parts ixr, /{,usr/}bin/sed ixr, /{,usr/}bin/seq ixr, /{,usr/}bin/setpriv ixr, /{,usr/}bin/sha{1,224,256,384,512}sum ixr, /{,usr/}bin/shuf ixr, /{,usr/}bin/sleep ixr, /{,usr/}bin/sort ixr, /{,usr/}bin/stat ixr, /{,usr/}bin/stdbuf ixr, /{,usr/}bin/stty ixr, /{,usr/}bin/sync ixr, /{,usr/}bin/systemd-cat ixr, /{,usr/}bin/tac ixr, /{,usr/}bin/tail ixr, /{,usr/}bin/tar ixr, /{,usr/}bin/tee ixr, /{,usr/}bin/test ixr, /{,usr/}bin/tempfile ixr, /{,usr/}bin/tset ixr, /{,usr/}bin/touch ixr, /{,usr/}bin/tput ixr, /{,usr/}bin/tr ixr, /{,usr/}bin/true ixr, /{,usr/}bin/tty ixr, /{,usr/}bin/uname ixr, /{,usr/}bin/uniq ixr, /{,usr/}bin/unlink ixr, /{,usr/}bin/unxz ixr, /{,usr/}bin/unzip ixr, /{,usr/}bin/uptime ixr, /{,usr/}bin/vdir ixr, /{,usr/}bin/vim.tiny ixr, /{,usr/}bin/wc ixr, /{,usr/}bin/which{,.debianutils} ixr, /{,usr/}bin/xargs ixr, /{,usr/}bin/xz ixr, /{,usr/}bin/yes ixr, /{,usr/}bin/zcat ixr, /{,usr/}bin/z{,e,f}grep ixr, /{,usr/}bin/zip ixr, /{,usr/}bin/zipgrep ixr, # lsb-release /usr/bin/lsb_release ixr, /usr/bin/ r, /usr/share/distro-info/.csv r, # For printing the cache (we don't allow updating the cache) /{,usr/}sbin/ldconfig{,.real} ixr, # Allow all snaps to chroot /{,usr/}sbin/chroot ixr, # Description: Can change to any apparmor profile (including unconfined) thus # giving access to all resources of the system so LXD may manage what to give # to its containers. This gives device ownership to connected snaps. @{PROC}//attr/{,apparmor/}current r, /{,usr/}{,s}bin/aa-exec ux, # Allow discovering the os-release of the host /var/lib/snapd/hostfs/{etc,usr/lib}/os-release r, # Description: Can query system status information. This is restricted because # it gives privileged read access to all processes on the system and should # only be used with trusted apps. # Needed by 'ps' @{PROC}/tty/drivers r, # This ptrace is an information leak. Intentionlly omit 'ptrace (trace)' here # since since ps doesn't actually need to trace other processes. Note this # allows a number of accesses (assuming the associated /proc file is allowed), # such as various memory address locations and esp/eip via /proc//stat, # /proc//mem, /proc//personality, /proc//stack, /proc//syscall, # /proc//timerslack_ns and /proc//wchan (see man proc). # # Some files like /proc/kallsyms (but anything using %pK format specifier) need # 'capability syslog' when /proc/sys/kernel/kptr_restrict=1, but we # intentionally do not allow since it could be used to defeat KASLR. ptrace (read), # Other miscellaneous accesses for observing the system @{PROC}/cgroups r, @{PROC}/locks r, @{PROC}/modules r, @{PROC}/mdstat r, @{PROC}/schedstat r, @{PROC}/stat r, @{PROC}/vmstat r, @{PROC}/zoneinfo r, @{PROC}/diskstats r, @{PROC}/kallsyms r, @{PROC}/partitions r, @{PROC}/pressure/cpu r, @{PROC}/pressure/io r, @{PROC}/pressure/memory r, @{PROC}/sys/kernel/panic r, @{PROC}/sys/kernel/panic_on_oops r, @{PROC}/sys/kernel/sched_autogroup_enabled r, @{PROC}/sys/vm/max_map_count r, @{PROC}/sys/vm/panic_on_oom r, @{PROC}/sys/vm/swappiness r, # These are not process-specific (/proc//... and /proc//task//...) @{PROC}//{,task/,task//} r, @{PROC}//{,task//}autogroup r, @{PROC}//{,task//}auxv r, @{PROC}//{,task//}cgroup r, @{PROC}//{,task//}cmdline r, @{PROC}//{,task//}comm r, @{PROC}//{,task//}exe r, @{PROC}//{,task//}fdinfo/ r, @{PROC}//{,task//}io r, @{PROC}//{,task//}oom_score r, # allow reading of smaps_rollup, which is a summary of the memory use of a process, # but not smaps which contains a detailed mappings breakdown like # /proc/self/maps, which we do not allow access to for other processes @{PROC}//{,task//}smaps_rollup r, @{PROC}//{,task//}schedstat r, @{PROC}//{,task//}stat r, @{PROC}//{,task//}statm r, @{PROC}//{,task//}status r, @{PROC}//{,task//}wchan r, # Allow reading processes security label @{PROC}//{,task//}attr/{,apparmor/}current r, # Allow discovering the os-release of the host /var/lib/snapd/hostfs/etc/os-release rk, /var/lib/snapd/hostfs/usr/lib/os-release rk, # Allow discovering the Kernel build config @{PROC}/config.gz r, /boot/config* r, # Allow discovering system-wide CFS Bandwidth Control information # https://www.kernel.org/doc/html/latest/scheduler/sched-bwc.html /sys/fs/cgroup/cpu,cpuacct/cpu.cfs_period_us r, /sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r, /sys/fs/cgroup/cpu,cpuacct/cpu.shares r, /sys/fs/cgroup/cpu,cpuacct/cpu.stat r, /sys/fs/cgroup/memory/memory.stat r, #include <abstractions/dbus-strict> # do not use peer=(label=unconfined) here since this is DBus activated dbus (send) bus=system path=/org/freedesktop/hostname1 interface=org.freedesktop.DBus.Properties member=Get{,All}, # Allow clients to introspect hostname1 # do not use peer=(label=unconfined) here since this is DBus activated dbus (send) bus=system path=/org/freedesktop/hostname1 interface=org.freedesktop.DBus.Introspectable member=Introspect, # Allow clients to enumerate DBus connection names on common buses dbus (send) bus={session,system} path={/,/org/freedesktop/DBus} interface=org.freedesktop.DBus member={ListNames,ListActivatableNames} peer=(label=unconfined), # Allow clients to obtain the DBus machine ID on common buses. We do not # mediate the path since any peer can be used. dbus (send) bus={session,system} interface=org.freedesktop.DBus.Peer member=GetMachineId peer=(label=unconfined), # Allow clients to get properties of systemd (the manager) and # units dbus (send) bus=system interface=org.freedesktop.DBus.Properties path=/org/freedesktop/systemd1{,/**} member=Get{,All} peer=(label=unconfined), # Allow clients to explicitly list units with some of their details (path, # status) and get unit path, see # https://www.freedesktop.org/wiki/Software/systemd/dbus/ for details dbus (send) bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member={GetUnit,ListUnits} peer=(label=unconfined), # Allow reading if protected hardlinks are enabled, but don't allow enabling or # disabling them @{PROC}/sys/fs/protected_hardlinks r, @{PROC}/sys/fs/protected_symlinks r, @{PROC}/sys/fs/protected_fifos r, @{PROC}/sys/fs/protected_regular r, # allow use of user namespaces userns, # While commands like 'ps', 'ip netns identify <pid>', 'ip netns pids foo', etc # trigger a 'ptrace (trace)' denial, they aren't actually tracing other # processes. Unfortunately, the kernel overloads trace such that the LSMs are # unable to distinguish between tracing other processes and other accesses. # ptrace (trace) can be used to break out of the seccomp sandbox unless the # kernel has 93e35efb8de45393cf61ed07f7b407629bf698ea (in 4.8+). Until snapd # has full ptrace support conditional on kernel support, explicitly deny to # silence noisy denials/avoid confusion and accidentally giving away this # dangerous access frivolously. deny ptrace (trace), deny capability sys_ptrace, } ��

| ver. 1.4 | Github | . | PHP 8.2.28 | Generation time: 0.03 | proxy | phpinfo | Settings