# Description: Allows snap-update-ns to construct the mount namespace specific
# to a particular snap (see the name below). This specifically includes the
# precise locations of the layout elements.

# vim:syntax=apparmor

#include <tunables/global>

#include if exists "/etc/apparmor.d/tunables/home.d"

profile snap-update-ns.canonical-livepatch (attach_disconnected) {
  # The next four rules cover the possible locations of snap-update-ns. We want
  # to be able to read and map it into memory, but it may come from a variety of places.
  /usr/lib{,exec,64}/snapd/snap-update-ns mr,
  /var/lib/snapd/hostfs/usr/lib{,exec,64}/snapd/snap-update-ns mr,
  /{,var/lib/snapd/}snap/{core,snapd}/*/usr/lib/snapd/snap-update-ns mr,
  /var/lib/snapd/hostfs/{,var/lib/snapd/}snap/core/*/usr/lib/snapd/snap-update-ns mr,

  # Allow reading the dynamic linker cache.
  /etc/ld.so.cache r,
  # Allow reading, mapping and executing the dynamic linker.
  /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}ld-*.so mrix,
  # Allow reading and mapping various parts of the standard library and
  # dynamically loaded nss modules and what not.
  /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libc{,-[0-9]*}.so* mr,
  /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libpthread{,-[0-9]*}.so* mr,

  # Common device accesses
  /dev/null rw,
  /dev/full rw,
  /dev/zero rw,
  /dev/random r,
  /dev/urandom r,

  # golang runtime variables
  /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
  # glibc 2.27+ may poke this file to find out the number of CPUs
  # available in the system when creating a new arena for malloc, see
  # Golang issue 25628
  /sys/devices/system/cpu/online r,

  # Allow reading the command line (snap-update-ns uses it in pre-Go bootstrap code).
  owner @{PROC}/@{pid}/cmdline r,

  # Allow reading of own maps (Go runtime)
  owner @{PROC}/@{pid}/maps r,

  # Allow reading file descriptor paths
  owner @{PROC}/@{pid}/fd/* r,

  # Allow reading /proc/version. For release.go WSL detection.
  @{PROC}/version r,

  # Allow reading own cgroups
  owner @{PROC}/@{pid}/cgroup r,

  # Allow reading somaxconn, required in newer distro releases
  @{PROC}/sys/net/core/somaxconn r,
  # but silence the noisy denials for inet/inet6 network access
  deny network inet,
  deny network inet6,

  # Allow reading the os-release file (possibly a symlink to /usr/lib).
  /{etc/,usr/lib/}os-release r,

  # Allow creating/grabbing global and per-snap lock files.
  /run/snapd/lock/canonical-livepatch.lock rwk,
  /run/snapd/lock/.lock rwk,

  # While the base abstraction has rules for ecryptfs-encrypted home and
  # private directories, it is missing rules for directory read on the top-level
  # directory of the mount (LP: #1848919)
  owner @{HOME}/.Private/ r,
  owner @{HOMEDIRS}/.ecryptfs/*/.Private/ r,

  # Allow reading stored mount namespaces.
  /run/snapd/ns/ r,
  /run/snapd/ns/canonical-livepatch.mnt r,

  # Allow reading per-snap desired mount profiles. Those are written by
  # snapd and represent the desired layout and content connections.
  /var/lib/snapd/mount/snap.canonical-livepatch.fstab r,
  /var/lib/snapd/mount/snap.canonical-livepatch.user-fstab r,

  # Allow reading and writing actual per-snap mount profiles. Note the
  # wildcard in the rule: it allows an atomic write + rename strategy.
  # Those files are written by snap-update-ns and represent the actual
  # mount profile at a given moment.
  /run/snapd/ns/snap.canonical-livepatch.fstab{,.*} rw,

  # NOTE: at this stage the /snap directory is stable as we have called
  # pivot_root already.

  # Needed to perform mount/unmounts.
  capability sys_admin,
  # Needed for mimic construction.
  capability chown,
  # Needed for dropping privileges to the calling user when processing per-user mounts
  capability setuid,
  capability setgid,
  # Allow snap-update-ns to override file ownership and permission checks.
  # This is required because writable mimics now preserve the permissions
  # of the original and hence we may be asked to create a directory when the
  # parent is a tmpfs without DAC write access.
  capability dac_override,

  # Allow freezing and thawing the per-snap cgroup freezers
  # v1 hierarchy where we know the group name of all processes of
  # a given snap upfront
  /sys/fs/cgroup/freezer/snap.canonical-livepatch/freezer.state rw,
  # v2 hierarchy, where we need to walk the tree looking for the tracking
  # groups and act on each one
  /sys/fs/cgroup/ r,
  /sys/fs/cgroup/** r,
  /sys/fs/cgroup/**/snap.canonical-livepatch.*.scope/cgroup.freeze rw,
  /sys/fs/cgroup/**/snap.canonical-livepatch.*.service/cgroup.freeze rw,

  # Allow the content interface to bind fonts from the host filesystem
  mount options=(ro bind) /var/lib/snapd/hostfs/usr/share/fonts/ -> /snap/canonical-livepatch/*/**,
  mount options=(rw private) -> /snap/canonical-livepatch/*/**,
  umount /snap/canonical-livepatch/*/**,

  # set up user mount namespace
  mount options=(rslave) -> /,

  # Allow traversing from the root directory and several well-known places.
  # Specific directory permissions are added by snippets below.
  / r,
  /etc/ r,
  /snap/ r,
  /tmp/ r,
  /usr/ r,
  /var/ r,
  /var/lib/ r,
  /var/lib/snapd/ r,
  /var/snap/ r,

  # Allow reading timezone data.
  /usr/share/zoneinfo/** r,

  # Don't allow anyone to touch /snap/bin
  audit deny mount /snap/bin/** -> /**,
  audit deny mount /** -> /snap/bin/**,

  # Don't allow bind mounts to /media which has special
  # sharing and propagates mount events outside of the snap namespace.
  audit deny mount -> /media,

  # Allow receiving signals from unconfined (eg, systemd)
  signal (receive) peer=unconfined,
  # Allow sending and receiving signals from ourselves.
  signal peer=@{profile_name},

  # Commonly needed permissions for writable mimics.
  /tmp/ r,
  /tmp/.snap/{,**} rw,

  # snapd logger.go checks /proc/cmdline
  @{PROC}/cmdline r,

  # snap checks if vendored apparmor parser should be used at startup
  /usr/lib/snapd/info r,
  /lib/apparmor/functions r,

  # Allow snap-update-ns to open home directory
  owner @{HOME}/ r,


/var/ r,
/var/lib/ r,
/var/lib/snapd/ r,
/var/lib/snapd/hostfs/ r,
/var/lib/snapd/hostfs/var/ r,
/var/lib/snapd/hostfs/var/lib/ r,
/var/lib/snapd/hostfs/var/lib/dhcp/ r,
/var/lib/dhcp/ r,
mount options=(rw bind) /var/lib/snapd/hostfs/var/lib/dhcp/ -> /var/lib/dhcp/,
umount /var/lib/dhcp/,

  # Read-only access to /boot (bind-mounted rw, then remounted read-only)
  mount options=(bind,rw) /var/lib/snapd/hostfs/boot/ -> /boot/,
  mount options=(bind,remount,ro) -> /boot/,
  umount /boot/,

  # Mount documentation of system packages

  mount options=(bind) /var/lib/snapd/hostfs/usr/share/doc/ -> /usr/share/doc/,

  remount options=(bind, ro) /usr/share/doc/,

  umount /usr/share/doc/,

  mount options=(bind) /var/lib/snapd/hostfs/usr/local/share/doc/ -> /usr/local/share/doc/,

  remount options=(bind, ro) /usr/local/share/doc/,

  umount /usr/local/share/doc/,

  mount options=(bind) /var/lib/snapd/hostfs/usr/share/cups/doc-root/ -> /usr/share/cups/doc-root/,

  remount options=(bind, ro) /usr/share/cups/doc-root/,

  umount /usr/share/cups/doc-root/,

  mount options=(bind) /var/lib/snapd/hostfs/usr/share/gimp/2.0/help/ -> /usr/share/gimp/2.0/help/,

  remount options=(bind, ro) /usr/share/gimp/2.0/help/,

  umount /usr/share/gimp/2.0/help/,

  mount options=(bind) /var/lib/snapd/hostfs/usr/share/gtk-doc/ -> /usr/share/gtk-doc/,

  remount options=(bind, ro) /usr/share/gtk-doc/,

  umount /usr/share/gtk-doc/,

  mount options=(bind) /var/lib/snapd/hostfs/usr/share/javascript/ -> /usr/share/javascript/,

  remount options=(bind, ro) /usr/share/javascript/,

  umount /usr/share/javascript/,

  mount options=(bind) /var/lib/snapd/hostfs/usr/share/libreoffice/help/ -> /usr/share/libreoffice/help/,

  remount options=(bind, ro) /usr/share/libreoffice/help/,

  umount /usr/share/libreoffice/help/,

  mount options=(bind) /var/lib/snapd/hostfs/usr/share/sphinx_rtd_theme/ -> /usr/share/sphinx_rtd_theme/,

  remount options=(bind, ro) /usr/share/sphinx_rtd_theme/,

  umount /usr/share/sphinx_rtd_theme/,

  mount options=(bind) /var/lib/snapd/hostfs/usr/share/xubuntu-docs/ -> /usr/share/xubuntu-docs/,

  remount options=(bind, ro) /usr/share/xubuntu-docs/,

  umount /usr/share/xubuntu-docs/,

  # Writable mimic /usr/share/cups

  # .. permissions for traversing the prefix that is assumed to exist

  "/" r,

  "/usr/" r,

  # .. variant with mimic at /usr/share/

  # Allow reading the mimic directory, it must exist in the first place.

  "/usr/share/" r,

  # Allow setting the read-only directory aside via a bind mount.

  "/tmp/.snap/usr/share/" rw,

  mount options=(rbind, rw) "/usr/share/" -> "/tmp/.snap/usr/share/",

  # Allow mounting tmpfs over the read-only directory.

  mount fstype=tmpfs options=(rw) tmpfs -> "/usr/share/",

  # Allow creating empty files and directories for bind mounting things
  # to reconstruct the now-writable parent directory.

  "/tmp/.snap/usr/share/*/" rw,

  "/usr/share/*/" rw,

  mount options=(rbind, rw) "/tmp/.snap/usr/share/*/" -> "/usr/share/*/",

  "/tmp/.snap/usr/share/*" rw,

  "/usr/share/*" rw,

  mount options=(bind, rw) "/tmp/.snap/usr/share/*" -> "/usr/share/*",

  # Allow unmounting the auxiliary directory.
  # TODO: use fstype=tmpfs here for more strictness (LP: #1613403)

  mount options=(rprivate) -> "/tmp/.snap/usr/share/",

  umount "/tmp/.snap/usr/share/",

  # Allow unmounting the destination directory as well as anything
  # inside.  This lets us perform the undo plan in case the writable
  # mimic fails.

  mount options=(rprivate) -> "/usr/share/",

  mount options=(rprivate) -> "/usr/share/*",

  mount options=(rprivate) -> "/usr/share/*/",

  umount "/usr/share/",

  umount "/usr/share/*",

  umount "/usr/share/*/",

  # .. variant with mimic at /usr/share/cups/

  "/usr/share/cups/" r,

  "/tmp/.snap/usr/share/cups/" rw,

  mount options=(rbind, rw) "/usr/share/cups/" -> "/tmp/.snap/usr/share/cups/",

  mount fstype=tmpfs options=(rw) tmpfs -> "/usr/share/cups/",

  "/tmp/.snap/usr/share/cups/*/" rw,

  "/usr/share/cups/*/" rw,

  mount options=(rbind, rw) "/tmp/.snap/usr/share/cups/*/" -> "/usr/share/cups/*/",

  "/tmp/.snap/usr/share/cups/*" rw,

  "/usr/share/cups/*" rw,

  mount options=(bind, rw) "/tmp/.snap/usr/share/cups/*" -> "/usr/share/cups/*",

  mount options=(rprivate) -> "/tmp/.snap/usr/share/cups/",

  umount "/tmp/.snap/usr/share/cups/",

  mount options=(rprivate) -> "/usr/share/cups/",

  mount options=(rprivate) -> "/usr/share/cups/*",

  mount options=(rprivate) -> "/usr/share/cups/*/",

  umount "/usr/share/cups/",

  umount "/usr/share/cups/*",

  umount "/usr/share/cups/*/",

  # Writable mimic /usr/share/gimp/2.0

  # .. variant with mimic at /usr/share/gimp/

  "/usr/share/gimp/" r,

  "/tmp/.snap/usr/share/gimp/" rw,

  mount options=(rbind, rw) "/usr/share/gimp/" -> "/tmp/.snap/usr/share/gimp/",

  mount fstype=tmpfs options=(rw) tmpfs -> "/usr/share/gimp/",

  "/tmp/.snap/usr/share/gimp/*/" rw,

  "/usr/share/gimp/*/" rw,

  mount options=(rbind, rw) "/tmp/.snap/usr/share/gimp/*/" -> "/usr/share/gimp/*/",

  "/tmp/.snap/usr/share/gimp/*" rw,

  "/usr/share/gimp/*" rw,

  mount options=(bind, rw) "/tmp/.snap/usr/share/gimp/*" -> "/usr/share/gimp/*",

  mount options=(rprivate) -> "/tmp/.snap/usr/share/gimp/",

  umount "/tmp/.snap/usr/share/gimp/",

  mount options=(rprivate) -> "/usr/share/gimp/",

  mount options=(rprivate) -> "/usr/share/gimp/*",

  mount options=(rprivate) -> "/usr/share/gimp/*/",

  umount "/usr/share/gimp/",

  umount "/usr/share/gimp/*",

  umount "/usr/share/gimp/*/",

  # .. variant with mimic at /usr/share/gimp/2.0/

  "/usr/share/gimp/2.0/" r,

  "/tmp/.snap/usr/share/gimp/2.0/" rw,

  mount options=(rbind, rw) "/usr/share/gimp/2.0/" -> "/tmp/.snap/usr/share/gimp/2.0/",

  mount fstype=tmpfs options=(rw) tmpfs -> "/usr/share/gimp/2.0/",

  "/tmp/.snap/usr/share/gimp/2.0/*/" rw,

  "/usr/share/gimp/2.0/*/" rw,

  mount options=(rbind, rw) "/tmp/.snap/usr/share/gimp/2.0/*/" -> "/usr/share/gimp/2.0/*/",

  "/tmp/.snap/usr/share/gimp/2.0/*" rw,

  "/usr/share/gimp/2.0/*" rw,

  mount options=(bind, rw) "/tmp/.snap/usr/share/gimp/2.0/*" -> "/usr/share/gimp/2.0/*",

  mount options=(rprivate) -> "/tmp/.snap/usr/share/gimp/2.0/",

  umount "/tmp/.snap/usr/share/gimp/2.0/",

  mount options=(rprivate) -> "/usr/share/gimp/2.0/",

  mount options=(rprivate) -> "/usr/share/gimp/2.0/*",

  mount options=(rprivate) -> "/usr/share/gimp/2.0/*/",

  umount "/usr/share/gimp/2.0/",

  umount "/usr/share/gimp/2.0/*",

  umount "/usr/share/gimp/2.0/*/",

  # Writable mimic /usr/share/javascript

  # .. variant with mimic at /usr/share/javascript/

  "/usr/share/javascript/" r,

  "/tmp/.snap/usr/share/javascript/" rw,

  mount options=(rbind, rw) "/usr/share/javascript/" -> "/tmp/.snap/usr/share/javascript/",

  mount fstype=tmpfs options=(rw) tmpfs -> "/usr/share/javascript/",

  "/tmp/.snap/usr/share/javascript/*/" rw,

  "/usr/share/javascript/*/" rw,

  mount options=(rbind, rw) "/tmp/.snap/usr/share/javascript/*/" -> "/usr/share/javascript/*/",

  "/tmp/.snap/usr/share/javascript/*" rw,

  "/usr/share/javascript/*" rw,

  mount options=(bind, rw) "/tmp/.snap/usr/share/javascript/*" -> "/usr/share/javascript/*",

  mount options=(rprivate) -> "/tmp/.snap/usr/share/javascript/",

  umount "/tmp/.snap/usr/share/javascript/",

  mount options=(rprivate) -> "/usr/share/javascript/",

  mount options=(rprivate) -> "/usr/share/javascript/*",

  mount options=(rprivate) -> "/usr/share/javascript/*/",

  umount "/usr/share/javascript/",

  umount "/usr/share/javascript/*",

  umount "/usr/share/javascript/*/",

  # Writable mimic /usr/share/libreoffice

  # .. variant with mimic at /usr/share/libreoffice/

  "/usr/share/libreoffice/" r,

  "/tmp/.snap/usr/share/libreoffice/" rw,

  mount options=(rbind, rw) "/usr/share/libreoffice/" -> "/tmp/.snap/usr/share/libreoffice/",

  mount fstype=tmpfs options=(rw) tmpfs -> "/usr/share/libreoffice/",

  "/tmp/.snap/usr/share/libreoffice/*/" rw,

  "/usr/share/libreoffice/*/" rw,

  mount options=(rbind, rw) "/tmp/.snap/usr/share/libreoffice/*/" -> "/usr/share/libreoffice/*/",

  "/tmp/.snap/usr/share/libreoffice/*" rw,

  "/usr/share/libreoffice/*" rw,

  mount options=(bind, rw) "/tmp/.snap/usr/share/libreoffice/*" -> "/usr/share/libreoffice/*",

  mount options=(rprivate) -> "/tmp/.snap/usr/share/libreoffice/",

  umount "/tmp/.snap/usr/share/libreoffice/",

  mount options=(rprivate) -> "/usr/share/libreoffice/",

  mount options=(rprivate) -> "/usr/share/libreoffice/*",

  mount options=(rprivate) -> "/usr/share/libreoffice/*/",

  umount "/usr/share/libreoffice/",

  umount "/usr/share/libreoffice/*",

  umount "/usr/share/libreoffice/*/",

  # Writable mimic /usr/share/sphinx_rtd_theme

  # .. variant with mimic at /usr/share/sphinx_rtd_theme/

  "/usr/share/sphinx_rtd_theme/" r,

  "/tmp/.snap/usr/share/sphinx_rtd_theme/" rw,

  mount options=(rbind, rw) "/usr/share/sphinx_rtd_theme/" -> "/tmp/.snap/usr/share/sphinx_rtd_theme/",

  mount fstype=tmpfs options=(rw) tmpfs -> "/usr/share/sphinx_rtd_theme/",

  "/tmp/.snap/usr/share/sphinx_rtd_theme/*/" rw,

  "/usr/share/sphinx_rtd_theme/*/" rw,

  mount options=(rbind, rw) "/tmp/.snap/usr/share/sphinx_rtd_theme/*/" -> "/usr/share/sphinx_rtd_theme/*/",

  "/tmp/.snap/usr/share/sphinx_rtd_theme/*" rw,

  "/usr/share/sphinx_rtd_theme/*" rw,

  mount options=(bind, rw) "/tmp/.snap/usr/share/sphinx_rtd_theme/*" -> "/usr/share/sphinx_rtd_theme/*",

  mount options=(rprivate) -> "/tmp/.snap/usr/share/sphinx_rtd_theme/",

  umount "/tmp/.snap/usr/share/sphinx_rtd_theme/",

  mount options=(rprivate) -> "/usr/share/sphinx_rtd_theme/",

  mount options=(rprivate) -> "/usr/share/sphinx_rtd_theme/*",

  mount options=(rprivate) -> "/usr/share/sphinx_rtd_theme/*/",

  umount "/usr/share/sphinx_rtd_theme/",

  umount "/usr/share/sphinx_rtd_theme/*",

  umount "/usr/share/sphinx_rtd_theme/*/",

}
