felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(profile): update snap profiles.

Browse source
This commit is contained in:
Alexandre Pujol 2025-09-11 22:13:12 +02:00
parent b569d44703
commit 394dc54ceb
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
3 changed files with 43 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

31
apparmor.d/groups/snap/snap
View file

@ -17,13 +17,19 @@ profile snap @{exec_path} flags=(attach_disconnected) {
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/disks-read> include <abstractions/disks-read>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/ssl_certs>
capability chown, capability chown,
capability dac_override, capability dac_override,
capability dac_read_search, capability dac_read_search,
capability setuid, capability setuid,
capability sys_admin, capability sys_admin,
capability sys_ptrace,
network inet dgram,
network inet stream,
network inet6 dgram,
network inet6 stream,
network netlink raw, network netlink raw,
ptrace read peer=snap.*, ptrace read peer=snap.*,
@ -36,7 +42,7 @@ profile snap @{exec_path} flags=(attach_disconnected) {
#aa:dbus own bus=session name=io.snapcraft.SessionAgent #aa:dbus own bus=session name=io.snapcraft.SessionAgent
#aa:dbus own bus=session name=io.snapcraft.Settings #aa:dbus own bus=session name=io.snapcraft.Settings
#aa:dbus talk bus=session name=io.snapcraft.PrivilegedDesktopLauncher label=snap.snap-store.snap-store #aa:dbus talk bus=session name=io.snapcraft.PrivilegedDesktopLauncher label=snap.snap-store.*
#aa:dbus talk bus=session name=org.freedesktop.systemd1 label="@{p_systemd_user}" #aa:dbus talk bus=session name=org.freedesktop.systemd1 label="@{p_systemd_user}"
#aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{p_systemd}" #aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{p_systemd}"
@ -59,8 +65,10 @@ profile snap @{exec_path} flags=(attach_disconnected) {
@{bin}/gpg{,2} rCx -> gpg, @{bin}/gpg{,2} rCx -> gpg,
@{bin}/systemctl rCx -> systemctl, @{bin}/systemctl rCx -> systemctl,
@{bin}/systemd-run rCx -> run, # Start snap from the cli @{bin}/systemd-run rCx -> run, # Start snap from the cli
@{bin}/unsquashfs rCx -> unsquashfs,
@{bin}/xdg-settings rCx -> xdg-settings, @{bin}/xdg-settings rCx -> xdg-settings,
@{bin_dirs}/xdelta3 ix,
@{lib_dirs}/** mr, @{lib_dirs}/** mr,
@{lib_dirs}/snapd/snap-confine rPx, @{lib_dirs}/snapd/snap-confine rPx,
@{lib_dirs}/snapd/snap-seccomp rPx, @{lib_dirs}/snapd/snap-seccomp rPx,
@ -80,6 +88,9 @@ profile snap @{exec_path} flags=(attach_disconnected) {
@{HOME}/.snap/{,**} rw, @{HOME}/.snap/{,**} rw,
@{HOME}/snap/{,**} rw, @{HOME}/snap/{,**} rw,
@{user_pkg_dirs}/** r,
owner @{tmp}/read-file@{int}/unpack/{,**} w,
owner @{tmp}/snapd-auto-import-mount-@{int}/ rw, owner @{tmp}/snapd-auto-import-mount-@{int}/ rw,
@{run}/user/@{uid}/bus rw, @{run}/user/@{uid}/bus rw,
@ -176,14 +187,30 @@ profile snap @{exec_path} flags=(attach_disconnected) {
include <abstractions/app/systemctl> include <abstractions/app/systemctl>
include <abstractions/bus/org.freedesktop.systemd1> include <abstractions/bus/org.freedesktop.systemd1>
network unix stream, capability net_admin,
network unix stream,
network (send receive) netlink raw,
@{run}/systemd/notify w,
owner @{run}/user/@{uid}/systemd/notify rw, owner @{run}/user/@{uid}/systemd/notify rw,
owner @{run}/user/@{uid}/systemd/private rw, owner @{run}/user/@{uid}/systemd/private rw,
include if exists <local/snap_systemctl> include if exists <local/snap_systemctl>
} }
profile unsquashfs {
include <abstractions/base>
@{bin}/unsquashfs mr,
/**.snap r,
owner /tmp/read-file@{int}/unpack/{,**} w,
include if exists <local/snap_unsquashfs>
}
include if exists <local/snap> include if exists <local/snap>
} }

4
apparmor.d/groups/snap/snap-update-ns
View file

@ -34,7 +34,9 @@ profile snap-update-ns @{exec_path} {
@{lib_dirs}/**.so* mr, @{lib_dirs}/**.so* mr,
@{lib}/@{multiarch}/webkit2gtk-@{version}/ w, @{lib}/@{multiarch}/webkit2gtk-@{version}/ w,
/usr/share/xml/iso-codes/ w,
/usr/share/xml/ r,
/usr/share/xml/iso-codes/ rw,
/var/lib/snapd/mount/{,*} r, /var/lib/snapd/mount/{,*} r,

12
apparmor.d/groups/snap/snapd
View file

@ -97,10 +97,11 @@ profile snapd @{exec_path} {
@{lib_dirs}/snapd/snap-update-ns rPx, @{lib_dirs}/snapd/snap-update-ns rPx,
/usr/share/bash-completion/{,**} r, /usr/share/bash-completion/{,**} r,
/usr/share/dbus-1/{system,session}.d/{,snapd*} rw, /usr/share/dbus-1/{system,session}.d/ rw,
/usr/share/dbus-1/{system,session}.d/snapd* rw,
/usr/share/dbus-1/services/*snap* r, /usr/share/dbus-1/services/*snap* r,
/usr/share/polkit-1/actions/{,**} r, /usr/share/polkit-1/actions/{,**} r,
/usr/share/polkit-1/actions/snap.*.policy r, /usr/share/polkit-1/actions/snap.*.policy* rw,
@{etc_ro}/environment r, @{etc_ro}/environment r,
/etc/apparmor.d/*snapd.snap* r, /etc/apparmor.d/*snapd.snap* r,
@ -190,6 +191,8 @@ profile snapd @{exec_path} {
network netlink raw, network netlink raw,
ptrace read peer=@{p_systemd},
/etc/systemd/system/{,**/} r, /etc/systemd/system/{,**/} r,
/etc/systemd/system/snap* rw, /etc/systemd/system/snap* rw,
/etc/systemd/user/{,**/} rw, /etc/systemd/user/{,**/} rw,
@ -229,9 +232,12 @@ profile snapd @{exec_path} {
include <abstractions/base> include <abstractions/base>
@{sbin}/runuser mr, @{sbin}/runuser mr,
@{sh_path} ix,
@{bin}/gzip ix,
@{bin}/tar ix, @{bin}/tar ix,
owner @{HOME}/snap/*/common/.cache/{,**} r, owner @{HOME}/snap/*/{,**} r,
include if exists <local/snapd_runuser> include if exists <local/snapd_runuser>
} }