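# Description: Allows snap-update-ns to construct the mount namespace specific
# to a particular snap (see the name below). This specifically includes the
# precise locations of the layout elements.
#
# NOTE(review): profiles of this shape are written by snapd from its template
# for the named snap ("lxd" here); a hand edit is presumably overwritten on the
# next refresh — confirm before relying on local changes. Every mount-related
# rule below is exercised with CAP_SYS_ADMIN and CAP_DAC_OVERRIDE, so widening
# any path glob widens what this helper can mount over.

# vim:syntax=apparmor

#include <tunables/global>

# attach_disconnected: presumably needed because the helper works inside
# another mount namespace and sees paths disconnected from its own root
# (TODO confirm against the snapd template).
profile snap-update-ns.lxd (attach_disconnected) {
  # Allow reading and mapping snap-update-ns itself into memory. The binary
  # may come from a variety of places: the host, the host view under
  # /var/lib/snapd/hostfs, or the core/snapd snap.
  /usr/lib{,exec,64}/snapd/snap-update-ns mr,
  /var/lib/snapd/hostfs/usr/lib{,exec,64}/snapd/snap-update-ns mr,
  /{,var/lib/snapd/}snap/{core,snapd}/*/usr/lib/snapd/snap-update-ns mr,
  /var/lib/snapd/hostfs/{,var/lib/snapd/}snap/core/*/usr/lib/snapd/snap-update-ns mr,

  # Allow reading the dynamic linker cache.
  /etc/ld.so.cache r,

  # Allow reading, mapping and executing the dynamic linker.
  /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}ld-*.so mrix,

  # Allow reading and mapping various parts of the standard library and
  # dynamically loaded nss modules and what not.
  /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libc{,-[0-9]*}.so* mr,
  /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libpthread{,-[0-9]*}.so* mr,

  # Common device accesses.
  /dev/null rw,
  /dev/full rw,
  /dev/zero rw,
  /dev/random r,
  /dev/urandom r,

  # golang runtime variables
  /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,

  # glibc 2.27+ may poke this file to find out the number of CPUs
  # available in the system when creating a new arena for malloc, see
  # Golang issue 25628
  /sys/devices/system/cpu/online r,

  # Allow reading the command line (snap-update-ns uses it in pre-Go bootstrap code).
  owner @{PROC}/@{pid}/cmdline r,

  # Allow reading of own maps (Go runtime).
  owner @{PROC}/@{pid}/maps r,

  # Allow reading file descriptor paths.
  owner @{PROC}/@{pid}/fd/* r,

  # Allow reading /proc/version. For release.go WSL detection.
  @{PROC}/version r,

  # Allow reading own cgroups.
  owner @{PROC}/@{pid}/cgroup r,

  # Allow reading somaxconn, required in newer distro releases.
  @{PROC}/sys/net/core/somaxconn r,

  # No network access is granted. The explicit deny only silences the
  # noisy inet/inet6 denial messages; it does not change what is allowed.
  deny network inet,
  deny network inet6,

  # Allow reading the os-release file (possibly a symlink to /usr/lib).
  /{etc/,usr/lib/}os-release r,

  # Allow creating/grabbing global and per-snap lock files.
  /run/snapd/lock/lxd.lock rwk,
  /run/snapd/lock/.lock rwk,

  # While the base abstraction has rules for ecryptfs encrypted home and
  # private directories, it is missing rules for directory read on the toplevel
  # directory of the mount (LP: #1848919).
  owner @{HOME}/.Private/ r,
  owner @{HOMEDIRS}/.ecryptfs/*/.Private/ r,

  # Allow reading stored mount namespaces.
  /run/snapd/ns/ r,
  /run/snapd/ns/lxd.mnt r,

  # Allow reading per-snap desired mount profiles. Those are written by
  # snapd and represent the desired layout and content connections.
  /var/lib/snapd/mount/snap.lxd.fstab r,
  /var/lib/snapd/mount/snap.lxd.user-fstab r,

  # Allow reading and writing actual per-snap mount profiles. Note the
  # wildcard in the rule: it permits an atomic write + rename strategy.
  # Those files are written by snap-update-ns and represent the actual
  # mount profile at a given moment.
  /run/snapd/ns/snap.lxd.fstab{,.*} rw,

  # NOTE: at this stage the /snap directory is stable as we have called
  # pivot_root already.

  # Needed to perform mount/unmounts.
  capability sys_admin,
  # Needed for mimic construction.
  capability chown,
  # Needed for dropping to the calling user when processing per-user mounts.
  capability setuid,
  capability setgid,
  # Allow snap-update-ns to override file ownership and permission checks.
  # This is required because writable mimics now preserve the permissions
  # of the original and hence we may be asked to create a directory when the
  # parent is a tmpfs without DAC write access.
  capability dac_override,

  # Allow freezing and thawing the per-snap cgroup freezers.
  # v1 hierarchy, where we know the group name of all processes of
  # a given snap upfront:
  /sys/fs/cgroup/freezer/snap.lxd/freezer.state rw,
  # v2 hierarchy, where we need to walk the tree looking for the tracking
  # groups and act on each one. Only the snap's own scope/service groups
  # are writable; the rest of the tree is read-only.
  /sys/fs/cgroup/ r,
  /sys/fs/cgroup/** r,
  /sys/fs/cgroup/**/snap.lxd.*.scope/cgroup.freeze rw,
  /sys/fs/cgroup/**/snap.lxd.*.service/cgroup.freeze rw,

  # Allow the content interface to bind fonts from the host filesystem.
  mount options=(ro bind) /var/lib/snapd/hostfs/usr/share/fonts/ -> /snap/lxd/*/**,
  # Private rw mounts and unmounts anywhere under the lxd snap's own tree.
  # The source side is unrestricted in this rule, so the target glob is the
  # only thing keeping it scoped to this snap.
  mount options=(rw private) -> /snap/lxd/*/**,
  umount /snap/lxd/*/**,

  # Set up the user mount namespace.
  mount options=(rslave) -> /,

  # Allow traversing from the root directory and several well-known places.
  # Specific directory permissions are added by snippets below.
  / r,
  /etc/ r,
  /snap/ r,
  /tmp/ r,
  /usr/ r,
  /var/ r,
  /var/lib/ r,
  /var/lib/snapd/ r,
  /var/snap/ r,

  # Allow reading timezone data.
  /usr/share/zoneinfo/** r,

  # Don't allow anyone to touch /snap/bin, in either direction. These are
  # audited so an attempt shows up in the log rather than failing silently.
  audit deny mount /snap/bin/** -> /**,
  audit deny mount /** -> /snap/bin/**,

  # Don't allow bind mounts to /media which has special
  # sharing and propagates mount events outside of the snap namespace.
  audit deny mount -> /media,

  # Allow receiving signals from unconfined (eg, systemd).
  signal (receive) peer=unconfined,
  # Allow sending and receiving signals from ourselves.
  signal peer=@{profile_name},

  # Commonly needed permissions for writable mimics (/tmp/ itself is
  # already readable via the traversal rules above).
  /tmp/.snap/{,**} rw,

  # snapd logger.go checks /proc/cmdline.
  @{PROC}/cmdline r,

  # snap checks if the vendored apparmor parser should be used at startup.
  /usr/lib/snapd/info r,
  /lib/apparmor/functions r,

  # Allow snap-update-ns to open the home directory.
  owner @{HOME}/ r,

  # Read-only access to /boot. The bind is created rw first and then
  # remounted read-only, so the end state is ro; the rw step exists only
  # because a bind mount cannot be created ro in a single step here.
  mount options=(bind,rw) /var/lib/snapd/hostfs/boot/ -> /boot/,
  mount options=(bind,remount,ro) -> /boot/,
  umount /boot/,
}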