feat(profile): snap - ensure snap profile can all rm their own lib_dirs.

2025-03-23 16:33:18 +01:00 · 2025-03-23 16:33:18 +01:00 · d44001b71f
commit d44001b71f
parent a5385c594a
6 changed files with 5 additions and 1 deletions
--- a/apparmor.d/groups/snap/snap-discard-ns
+++ b/apparmor.d/groups/snap/snap-discard-ns
@ -20,6 +20,7 @@ profile snap-discard-ns @{exec_path} {
  umount @{run}/snapd/ns/*.mnt,

  @{exec_path} mr,
+  @{lib_dirs}/**.so* mr,

  / r,
  @{run}/ r,
--- a/apparmor.d/groups/snap/snap-failure
+++ b/apparmor.d/groups/snap/snap-failure
@ -13,6 +13,7 @@ profile snap-failure @{exec_path} {
  include <abstractions/base>

  @{exec_path} mr,
+  @{lib_dirs}/**.so* mr,

  @{bin}/systemctl         rCx -> systemctl,
  @{lib_dirs}/snapd/snapd  rPx,
--- a/apparmor.d/groups/snap/snap-seccomp
+++ b/apparmor.d/groups/snap/snap-seccomp
@ -19,7 +19,6 @@ profile snap-seccomp @{exec_path} {
  network netlink raw,

  @{exec_path} mr,
-
  @{lib_dirs}/**.so* mr,

  @{bin}/getent rix,
--- a/apparmor.d/groups/snap/snap-update-ns
+++ b/apparmor.d/groups/snap/snap-update-ns
@ -30,6 +30,7 @@ profile snap-update-ns @{exec_path} {
  umount /usr/share/xml/iso-codes/,

  @{exec_path} mr,
+  @{lib_dirs}/**.so* mr,

  @{lib}/@{multiarch}/webkit2gtk-@{version}/ w,
  /usr/share/xml/iso-codes/ w,
--- a/apparmor.d/groups/snap/snapd-aa-prompt-listener
+++ b/apparmor.d/groups/snap/snapd-aa-prompt-listener
@ -13,6 +13,7 @@ profile snapd-aa-prompt-listener @{exec_path} {
  include <abstractions/base>

  @{exec_path} mrix,
+  @{lib_dirs}/**.so* mr,

  @{lib_dirs}/snapd/info r,

--- a/apparmor.d/groups/snap/snapd-aa-prompt-ui
+++ b/apparmor.d/groups/snap/snapd-aa-prompt-ui
@ -13,6 +13,7 @@ profile snapd-aa-prompt-ui @{exec_path} {
  include <abstractions/base>

  @{exec_path} mrix,
+  @{lib_dirs}/**.so* mr,

  @{lib_dirs}/snapd/info r,