feat(snap): do not confine snap.

Curently ignored because of some incompatibilities with snap-confine. snap-confine is more important to confine than snap itself.
2023-09-10 12:07:35 +01:00 · 2023-09-10 12:07:35 +01:00 · 3147f7d59a
commit 3147f7d59a
parent aaed7a25da
10 changed files with 12 additions and 13 deletions
--- a/apparmor.d/profiles-s-z/snap
+++ b/apparmor.d/profiles-s-z/snap
@ -50,9 +50,9 @@ profile snap @{exec_path} {
  @{bin}/systemctl        rPx -> child-systemctl,

  /snap/{,**} rw,
-  @{lib_dirs}/snapd/snap-confine     rPx,
-  @{lib_dirs}/snapd/snap-seccomp     rPx,
-  @{lib_dirs}/snapd/snapd            rPx,
+  # @{lib_dirs}/snap-confine           rPx -> /usr/lib/snapd/snap-confine,
+  @{lib_dirs}/snapd/snap-seccomp     rPx -> snap-seccomp,
+  @{lib_dirs}/snapd/snapd            rPx -> snapd,

  /etc/fstab r,

--- a/apparmor.d/profiles-s-z/snapd
+++ b/apparmor.d/profiles-s-z/snapd
@ -77,7 +77,6 @@ profile snapd @{exec_path} {
  @{bin}/kmod                     rPx,
  @{bin}/mount                    rix,
  @{bin}/runuser                  rCx -> runuser,
-  @{bin}/snap                     rPx,
  @{bin}/sync                     rix,
  @{bin}/systemctl                rix,
  @{bin}/systemd-detect-virt      rPx,
@ -88,7 +87,7 @@ profile snapd @{exec_path} {
  @{bin}/update-desktop-database  rPx,

  @{bin_dirs}/fc-cache-*              mr,
-  @{bin_dirs}/snap                   rPx -> snap,
+  @{bin_dirs}/snap                  rPUx,
  @{bin_dirs}/xdelta3                rix,
  @{lib_dirs}/@{multiarch}/**         mr,
  @{lib_dirs}/@{multiarch}/ld-*.so   rix,
--- a/apparmor.d/profiles-s-z/sudo
+++ b/apparmor.d/profiles-s-z/sudo
@ -56,7 +56,7 @@ profile sudo @{exec_path} {

  @{lib}/**                        rPUx,
  @{lib}/sudo/**                     mr,
-  /snap/snapd/@{int}/usr/bin/snap   rPx,
+  /snap/snapd/@{int}@{bin}/snap    rPUx,

  @{etc_ro}/environment r,
  @{etc_ro}/security/limits.d/{,*} r,