From 054b723255b0db425bfac3e94ce3e41e226b243e Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 23 Mar 2025 13:44:50 +0100
Subject: [PATCH] feat(profile): improve core snap profiles.
---
 apparmor.d/groups/snap/snap | 2 +-
 apparmor.d/groups/snap/snapd | 37 +++++++++++++++++++++++-------------
 tests/integration/snap.bats | 31 +++++++++++++++++++++++++-----
 3 files changed, 51 insertions(+), 19 deletions(-)
diff --git a/apparmor.d/groups/snap/snap b/apparmor.d/groups/snap/snap
index 84bab99e0..4911e128e 100644
--- a/apparmor.d/groups/snap/snap
+++ b/apparmor.d/groups/snap/snap
@@ -25,7 +25,7 @@ profile snap @{exec_path} flags=(attach_disconnected) {
 network netlink raw,
- ptrace read peer=snap.snap-store.snap-store,
+ ptrace read peer=snap.*,
 unix (send, receive) type=stream peer=(label=apt),
diff --git a/apparmor.d/groups/snap/snapd b/apparmor.d/groups/snap/snapd
index 3e6a4460a..46c4b3cb2 100644
--- a/apparmor.d/groups/snap/snapd
+++ b/apparmor.d/groups/snap/snapd
@@ -50,7 +50,7 @@ profile snapd @{exec_path} {
 ptrace read peer=@{p_systemd},
 ptrace read peer=snap{,.*},
- unix (bind) type=stream addr=@@{udbus}/bus/systemctl/,
+ signal send set=kill peer=journalctl,
 dbus send bus=system path=/org/freedesktop/ interface=org.freedesktop.login1.Manager
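Review bot: `ptrace read peer=snap.*` widens the peer from the single snap-store label to every confined snap application profile, so the `snap` client may now read the /proc state of any snap app rather than one, and neither the hunk nor the commit message records which commands need the broader set. If the need is generic, a one-line comment above the rule such as `# snap reads the state of any confined app it manages` would let a later reviewer judge the scope; if only a known handful of peers need it, listing them keeps the rule narrow.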
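Review bot: The `unix (bind) type=stream addr=@@{udbus}/bus/systemctl/` rule is removed from snapd here but does not reappear in the new `systemctl` child profile added in the `@@ -181` hunk of this patch, so unless one of that child's includes grants it, a systemctl invocation that still binds that abstract socket will be denied under enforce. Worth confirming with the `snap refresh` and `snap start` integration tests under the enforced profile and, if the bind is still needed, adding the rule to the child rather than back to the parent. The added `signal send set=kill peer=journalctl` is correctly scoped to the `journalctl` label the `rPx` transition produces; a comment naming the snapd code path that kills journalctl (presumably `snap logs`, to be confirmed) would help the next reader.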
@@ -64,29 +64,28 @@ profile snapd @{exec_path} {
 @{exec_path} mrix,
- @{bin}/adduser rPx,
- @{bin}/groupadd rPx,
- @{bin}/hostnamectl rPx,
- @{bin}/ssh-keygen rPx,
- @{bin}/useradd rPx,
- @{sh_path} rix,
+ @{bin}/adduser rPx,
 @{bin}/apparmor_parser rPx,
 @{bin}/cp rix,
 @{bin}/getent rix,
+ @{bin}/groupadd rPx,
 @{bin}/gzip rix,
+ @{bin}/hostnamectl rPx,
 @{bin}/journalctl rPx,
 @{bin}/kmod rPx,
 @{bin}/mount rix,
 @{bin}/runuser rCx -> runuser,
+ @{bin}/ssh-keygen rPx,
 @{bin}/sync rix,
- @{bin}/systemctl rix,
+ @{bin}/systemctl rCx -> systemctl,
 @{bin}/systemd-detect-virt rPx,
 @{bin}/tar rix,
 @{bin}/udevadm rPx,
 @{bin}/umount rix,
 @{bin}/unsquashfs rix,
 @{bin}/update-desktop-database rPx,
+ @{bin}/useradd rPx,
 @{bin_dirs}/fc-cache-* mr,
 @{bin_dirs}/snap rPUx,
@@ -111,11 +110,6 @@ profile snapd @{exec_path} {
 /etc/modprobe.d/{,**/} r,
 /etc/modules-load.d/{,**/} r,
 /etc/modules-load.d/*snap* rw,
- /etc/systemd/system/{,**/} r,
- /etc/systemd/system/snap* rw,
- /etc/systemd/user/{,**/} rw,
- /etc/systemd/user/**/*snap* rw,
- /etc/systemd/user/*snap* rw,
 /etc/udev/rules.d/{,*snap*} rw,
 /snap/{,**} rw,
@@ -181,6 +175,23 @@ profile snapd @{exec_path} {
 /dev/loop-control rw,
+ profile systemctl {
+ include
+ include
+
+ capability net_admin,
+
+ /etc/systemd/system/{,**/} r,
+ /etc/systemd/system/snap* rw,
+ /etc/systemd/user/{,**/} rw,
+ /etc/systemd/user/**/*snap* rw,
+ /etc/systemd/user/*snap* rw,
+
+ @{run}/systemd/notify rw,
+
+ include if exists
+ }
+
 profile runuser {
 include
diff --git a/tests/integration/snap.bats b/tests/integration/snap.bats
index 1eff200a8..a670a9ece 100644
--- a/tests/integration/snap.bats
+++ b/tests/integration/snap.bats
@@ -10,11 +10,11 @@ load common
 }
 @test "snap: Install a package" {
- sudo snap install nano-strict
+ sudo snap install vault
 }
 @test "snap: Update a package to another channel (track, risk, or branch)" {
- sudo snap refresh nano-strict --channel=edge
+ sudo snap refresh vault --channel=edge
 }
 @test "snap: Update all packages" {
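Review bot: `@{sh_path} rix,` is dropped from snapd with no replacement anywhere in the patch and no mention in the commit message, so it is unclear whether this is deliberate hardening (snapd no longer runs a shell that inherits its profile) or an accidental loss while re-sorting the exec list. If deliberate it is a real least-privilege gain that deserves a sentence in the description; if not, any snapd code path that still spawns `sh` will now be denied under enforce. The rest of the hunk (alphabetical reorder, `@{bin}/systemctl rCx -> systemctl`) looks right, and confining systemctl to a child profile is what makes the `/etc/systemd` rules removed from the parent in the `@@ -111` hunk safe to move.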
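Review bot: The new `systemctl` child profile carries no rule for the systemctl executable itself; unless one of its two includes supplies it (the include targets are not visible in this rendering), the child needs `@{bin}/systemctl mr,` so the binary can be mapped after the `rCx -> systemctl` transition, as the sibling `runuser` child profile (whose body lies outside the hunk) presumably does. `capability net_admin,` is a notable grant for a helper that only talks to systemd; a why-comment on that line (the usual reason in systemctl profiles is adjusting socket buffer sizes on the bus socket, to be confirmed from the audit entry that motivated it) would stop it from being widened further later. The moved `/etc/systemd/user/{,**/} rw` still grants write on every user unit directory even though the sibling rules only touch `*snap*` entries, so `r` on the directory may be enough once the child is tested.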
@@ -25,10 +25,31 @@ load common
 sudo snap list
 }
-@test "snap: Check for recent snap changes in the system" {
- sudo snap changes
+@test "snap: lists information about the services" {
+ sudo snap services
+ sudo snap services vault
+}
+
+@test "snap: starts, and optionally enables, the given services" {
+ sudo snap start --enable vault
+}
+
+@test "snap: logs of the given services" {
+ sudo snap logs vault || true
+}
+
+@test "snap: restarts the given services" {
+ sudo snap restart vault
+}
+
+@test "snap: stops, and optionally disables, the given services" {
+ sudo snap stop --disable vault
 }
 @test "snap: Uninstall a package" {
- sudo snap remove nano-strict
+ sudo snap remove vault
+}
+
+@test "snap: Check for recent snap changes in the system" {
+ sudo snap changes
 }
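Review bot: `sudo snap logs vault || true` in the new logs test passes regardless of outcome, which hides exactly the failure this patch touches — a denial on snapd's new `journalctl` exec or `signal send` path would go unnoticed. If the command is expected to fail only when the journal is still empty right after `snap start`, assert on that specific condition instead, e.g. `run sudo snap logs vault` followed by `[ "$status" -eq 0 ]` or a check against the expected error text, rather than accepting any failure. The switch of the fixture snap from `nano-strict` to `vault` in the `@@ -10` hunk is what makes the service tests meaningful, so a comment near `load common` noting that the fixture must be a snap that ships a service would keep a future rename from silently breaking them.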