From e169ea5ccfc972a62c047dde71e57e6f8753ee1e Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Tue, 5 Sep 2023 13:59:37 +0100
Subject: [PATCH] fix(profiles): ensure entry points for snap work.
---
 apparmor.d/profiles-s-z/snap | 11 +++++++----
 apparmor.d/profiles-s-z/snap-discard-ns | 4 +++-
 apparmor.d/profiles-s-z/snap-failure | 9 ++++++---
 apparmor.d/profiles-s-z/snap-seccomp | 6 +++---
 apparmor.d/profiles-s-z/snap-update-ns | 4 +++-
 apparmor.d/profiles-s-z/snapd | 25 ++++++++++++++-----------
 6 files changed, 36 insertions(+), 23 deletions(-)
diff --git a/apparmor.d/profiles-s-z/snap b/apparmor.d/profiles-s-z/snap
index a882e5475..d3809fff4 100644
--- a/apparmor.d/profiles-s-z/snap
+++ b/apparmor.d/profiles-s-z/snap
@@ -6,7 +6,10 @@ abi ,
 include
-@{exec_path} = @{bin}/snap /snap/snapd/@{int}@{bin}/snap
+@{bin_dirs} = @{bin}/ /snap/snapd/@{int}@{bin}/
+@{lib_dirs} = @{lib}/ /snap/snapd/@{int}@{lib}/
+
+@{exec_path} = @{bin_dirs}/snap
 profile snap @{exec_path} {
 include
 include
@@ -43,9 +46,9 @@ profile snap @{exec_path} {
 @{bin}/systemctl rPx -> child-systemctl,
 /snap/{,**} rw,
- /{snap/snapd/@{int}/,}{usr/,}lib/snapd/snap-confine rPx,
- /{snap/snapd/@{int}/,}{usr/,}lib/snapd/snap-seccomp rPx,
- /{snap/snapd/@{int}/,}{usr/,}lib/snapd/snapd r,
+ @{lib_dirs}/snapd/snap-confine rPx,
+ @{lib_dirs}/snapd/snap-seccomp rPx,
+ @{lib_dirs}/snapd/snapd rPx,
 /etc/fstab r,
diff --git a/apparmor.d/profiles-s-z/snap-discard-ns b/apparmor.d/profiles-s-z/snap-discard-ns
index c22141a7e..6cddd3390 100644
--- a/apparmor.d/profiles-s-z/snap-discard-ns
+++ b/apparmor.d/profiles-s-z/snap-discard-ns
@@ -6,7 +6,9 @@ abi ,
 include
-@{exec_path} = @{lib}/snapd/snap-discard-ns /snap/snapd/@{int}@{lib}/snapd/snap-discard-ns
+@{lib_dirs} = @{lib}/ /snap/snapd/@{int}@{lib}/
+
+@{exec_path} = @{lib_dirs}/snapd/snap-discard-ns
 profile snap-discard-ns @{exec_path} {
 include
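Review bot: `@{bin_dirs}` and `@{lib_dirs}` end every entry with `/` yet are always used as `@{bin_dirs}/snap` and `@{lib_dirs}/snapd/...`, so each expanded path carries a doubled slash (`@{bin}//snap`), including the attachment in `profile snap @{exec_path}`. apparmor_parser is expected to collapse repeated slashes, but the profiles do not need to rely on that; `@{bin_dirs} = @{bin} /snap/snapd/@{int}@{bin}` and `@{lib_dirs} = @{lib} /snap/snapd/@{int}@{lib}` expand to clean paths. The same two definitions are repeated in snap-discard-ns, snap-failure, snap-seccomp, snap-update-ns and snapd; if the repository's tunables layout allows it they could be declared once instead of in six files, so that a later change to one copy cannot leave the others pointing at a different location.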
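Review bot: `@{lib_dirs}/snapd/snapd` goes from `r` to `rPx` in the second snap hunk, so the unprivileged `snap` client gains an execution transition into the daemon's profile where it previously only read the binary; if the client only needs to read the file, `r` is the tighter rule. Presumably some `snap` invocation really does execute the daemon binary, but nothing in the hunk or the commit message says which, so please record it in a trailing comment on that line. The bare `rPx` resolves only because the `snapd` profile's own `@{exec_path}` is built from an identical `@{lib_dirs}` definition; that coupling is another reason to keep the two definitions from drifting apart. The rest of the snap profile's rule list is outside this hunk.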
diff --git a/apparmor.d/profiles-s-z/snap-failure b/apparmor.d/profiles-s-z/snap-failure
index 00759882c..22e0265d5 100644
--- a/apparmor.d/profiles-s-z/snap-failure
+++ b/apparmor.d/profiles-s-z/snap-failure
@@ -6,14 +6,17 @@ abi ,
 include
-@{exec_path} = @{lib}/snapd/snap-failure /snap/snapd/@{int}@{lib}/snapd/snap-failure
+@{lib_dirs} = @{lib}/ /snap/snapd/@{int}@{lib}/
+
+@{exec_path} = @{lib_dirs}/snapd/snap-failure
 profile snap-failure @{exec_path} {
 include
 @{exec_path} mr,
- @{bin}/systemctl rCx -> child-systemctl,
- /snap/snapd/@{int}@{lib}/snapd/snapd rPx,
+ @{bin}/systemctl rPx -> child-systemctl,
+
+ @{lib_dirs}/snapd/snapd rPx,
 /var/lib/snapd/sequence/snapd.json r,
diff --git a/apparmor.d/profiles-s-z/snap-seccomp b/apparmor.d/profiles-s-z/snap-seccomp
index 1be17540d..c4583b2b5 100644
--- a/apparmor.d/profiles-s-z/snap-seccomp
+++ b/apparmor.d/profiles-s-z/snap-seccomp
@@ -6,7 +6,9 @@ abi ,
 include
-@{exec_path} = @{lib}/snapd/snap-seccomp /snap/snapd/@{int}@{lib}/snapd/snap-seccomp
+@{lib_dirs} = @{lib}/ /snap/snapd/@{int}@{lib}/
+
+@{exec_path} = @{lib_dirs}/snapd/snap-seccomp
 profile snap-seccomp @{exec_path} {
 include
 include
@@ -16,8 +18,6 @@ profile snap-seccomp @{exec_path} {
 @{exec_path} mr,
- /snap/snapd/@{int}/usr/lib/snapd/snap-seccomp r,
-
 /var/lib/snapd/seccomp/bpf/{,**} rw,
 @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
diff --git a/apparmor.d/profiles-s-z/snap-update-ns b/apparmor.d/profiles-s-z/snap-update-ns
index eba22e2c4..92349fb1b 100644
--- a/apparmor.d/profiles-s-z/snap-update-ns
+++ b/apparmor.d/profiles-s-z/snap-update-ns
@@ -6,7 +6,9 @@ abi ,
 include
-@{exec_path} = @{lib}/snapd/snap-update-ns /snap/snapd/@{int}@{lib}/snapd/snap-update-ns
+@{lib_dirs} = @{lib}/ /snap/snapd/@{int}@{lib}/
+
+@{exec_path} = @{lib_dirs}/snapd/snap-update-ns
 profile snap-update-ns @{exec_path} {
 include
diff --git a/apparmor.d/profiles-s-z/snapd b/apparmor.d/profiles-s-z/snapd
index 97299bc3d..0dc5a6867 100644
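Review bot: `@{bin}/systemctl` switches from `rCx -> child-systemctl` to `rPx -> child-systemctl` in the snap-failure hunk, so the transition now targets a standalone `child-systemctl` profile instead of a child profile declared inside snap-failure. If the file still carries a local `profile child-systemctl` block further down (the remainder of snap-failure is outside this hunk), that block is now unreachable and should go in the same change, otherwise the next reader will assume systemctl still runs under it. The `snap` profile already uses `rPx -> child-systemctl`, so the two profiles at least agree on the target after this change.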
--- a/apparmor.d/profiles-s-z/snapd
+++ b/apparmor.d/profiles-s-z/snapd
@@ -6,7 +6,10 @@ abi ,
 include
-@{exec_path} = @{lib}/snapd/snapd /snap/snapd/@{int}@{lib}/snapd/snapd
+@{bin_dirs} = @{bin}/ /snap/snapd/@{int}@{bin}/
+@{lib_dirs} = @{lib}/ /snap/snapd/@{int}@{lib}/
+
+@{exec_path} = @{lib_dirs}/snapd/snapd
 profile snapd @{exec_path} {
 include
 include
@@ -58,7 +61,7 @@ profile snapd @{exec_path} {
 member=CheckAuthorization peer=(name=org.freedesktop.PolicyKit1),
- @{exec_path} mr,
+ @{exec_path} mrix,
 @{bin}/adduser rPx,
 @{bin}/cloud-init rPUx, # TODO: rPx ? limited to ubtuntu core, otherwise out of scope
@@ -84,15 +87,15 @@ profile snapd @{exec_path} {
 @{bin}/unsquashfs rix,
 @{bin}/update-desktop-database rPx,
- /{snap/snapd/@{int}/,}{usr/,}bin/fc-cache-* mr,
- /{snap/snapd/@{int}/,}{usr/,}bin/snap rPx,
- /{snap/snapd/@{int}/,}{usr/,}bin/xdelta3 rix, # TODO: rPx ?
- /{snap/snapd/@{int}/,}{usr/,}lib/@{multiarch}/** mr,
- /{snap/snapd/@{int}/,}{usr/,}lib/@{multiarch}/ld-*.so rix,
- /{snap/snapd/@{int}/,}{usr/,}lib/snapd/snap-discard-ns rPx,
- /{snap/snapd/@{int}/,}{usr/,}lib/snapd/snap-seccomp rPx,
- /{snap/snapd/@{int}/,}{usr/,}lib/snapd/snap-update-ns rPx,
- /{snap/snapd/@{int}/,}{usr/,}lib/snapd/snapd rix,
+ @{bin_dirs}/fc-cache-* mr,
+ @{bin_dirs}/snap rPx,
+ @{bin_dirs}/xdelta3 rix,
+ @{lib_dirs}/@{multiarch}/** mr,
+ @{lib_dirs}/@{multiarch}/ld-*.so rix,
+ @{lib_dirs}/snapd/apparmor_parser rPx -> apparmor_parser,
+ @{lib_dirs}/snapd/snap-discard-ns rPx,
+ @{lib_dirs}/snapd/snap-seccomp rPx,
+ @{lib_dirs}/snapd/snap-update-ns rPx,
 /usr/share/bash-completion/{,**} r,
 /usr/share/dbus-1/{system,session}.d/{,snapd*} r,
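Review bot: `@{exec_path} mr,` becomes `@{exec_path} mrix,` in the second snapd hunk, letting the daemon execute its own binary while staying in this profile, but nothing states why; since `@{exec_path}` now expands to both the distro copy and the `/snap/snapd/@{int}` copy, this presumably serves a re-exec from one to the other, which the old `rix` line for `lib/snapd/snapd` in the third hunk used to cover. A trailing comment would stop a later cleanup from tightening it back to `mr`, e.g. `@{exec_path} mrix, # re-exec between the @{lib_dirs} copies of snapd` if that is indeed the reason. The surrounding rule list starts and ends outside the hunk.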
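Review bot: the `# TODO: rPx ?` marker on the xdelta3 line is dropped in the third snapd hunk although its permission stays `rix`; unless that question was answered, keep it as `@{bin_dirs}/xdelta3 rix, # TODO: rPx ?`. Replacing the literal `{usr/,}bin` and `{usr/,}lib` prefixes with `@{bin}` and `@{lib}` also inherits whatever those tunables cover (typically the sbin and lib32/lib64/libexec variants too), so `@{bin_dirs}/fc-cache-* mr` and `@{lib_dirs}/@{multiarch}/** mr` match a little more than the lines they replace; worth confirming that widening is intended for a daemon running as root. The new `@{lib_dirs}/snapd/apparmor_parser rPx -> apparmor_parser` rule relies on a standalone `apparmor_parser` profile existing in the set, which this patch does not add or touch.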