committing changes in /etc made by "apt install snapd"

Packages with configuration changes:
+snapd 2.49-1+rpi1+deb11u1 armhf

Package changes:
+snapd 2.49-1+rpi1+deb11u1 armhf
+squashfs-tools 1:4.4-2+deb11u2 armhf
Joshua Dye 1 year ago
parent 38c289b06f
commit e4adf254bd

@ -521,6 +521,7 @@ maybe chmod 0644 'apparmor.d/local/usr.lib.libreoffice.program.oosplash'
maybe chmod 0644 'apparmor.d/local/usr.lib.libreoffice.program.senddoc' maybe chmod 0644 'apparmor.d/local/usr.lib.libreoffice.program.senddoc'
maybe chmod 0644 'apparmor.d/local/usr.lib.libreoffice.program.soffice.bin' maybe chmod 0644 'apparmor.d/local/usr.lib.libreoffice.program.soffice.bin'
maybe chmod 0644 'apparmor.d/local/usr.lib.libreoffice.program.xpdfimport' maybe chmod 0644 'apparmor.d/local/usr.lib.libreoffice.program.xpdfimport'
maybe chmod 0644 'apparmor.d/local/usr.lib.snapd.snap-confine.real'
maybe chmod 0644 'apparmor.d/local/usr.sbin.chronyd' maybe chmod 0644 'apparmor.d/local/usr.sbin.chronyd'
maybe chmod 0644 'apparmor.d/local/usr.sbin.cups-browsed' maybe chmod 0644 'apparmor.d/local/usr.sbin.cups-browsed'
maybe chmod 0644 'apparmor.d/local/usr.sbin.cupsd' maybe chmod 0644 'apparmor.d/local/usr.sbin.cupsd'
@ -553,6 +554,7 @@ maybe chmod 0644 'apparmor.d/usr.lib.libreoffice.program.oosplash'
maybe chmod 0644 'apparmor.d/usr.lib.libreoffice.program.senddoc' maybe chmod 0644 'apparmor.d/usr.lib.libreoffice.program.senddoc'
maybe chmod 0644 'apparmor.d/usr.lib.libreoffice.program.soffice.bin' maybe chmod 0644 'apparmor.d/usr.lib.libreoffice.program.soffice.bin'
maybe chmod 0644 'apparmor.d/usr.lib.libreoffice.program.xpdfimport' maybe chmod 0644 'apparmor.d/usr.lib.libreoffice.program.xpdfimport'
maybe chmod 0644 'apparmor.d/usr.lib.snapd.snap-confine.real'
maybe chmod 0644 'apparmor.d/usr.sbin.chronyd' maybe chmod 0644 'apparmor.d/usr.sbin.chronyd'
maybe chmod 0644 'apparmor.d/usr.sbin.cups-browsed' maybe chmod 0644 'apparmor.d/usr.sbin.cups-browsed'
maybe chmod 0644 'apparmor.d/usr.sbin.cupsd' maybe chmod 0644 'apparmor.d/usr.sbin.cupsd'
@ -566,6 +568,7 @@ maybe chmod 0444 'apt/apt.conf.d/01autoremove-kernels'
maybe chmod 0644 'apt/apt.conf.d/05etckeeper' maybe chmod 0644 'apt/apt.conf.d/05etckeeper'
maybe chmod 0644 'apt/apt.conf.d/20listchanges' maybe chmod 0644 'apt/apt.conf.d/20listchanges'
maybe chmod 0644 'apt/apt.conf.d/20packagekit' maybe chmod 0644 'apt/apt.conf.d/20packagekit'
maybe chmod 0644 'apt/apt.conf.d/20snapd.conf'
maybe chmod 0644 'apt/apt.conf.d/50raspi' maybe chmod 0644 'apt/apt.conf.d/50raspi'
maybe chmod 0644 'apt/apt.conf.d/70debconf' maybe chmod 0644 'apt/apt.conf.d/70debconf'
maybe chmod 0755 'apt/auth.conf.d' maybe chmod 0755 'apt/auth.conf.d'
@ -2191,6 +2194,7 @@ maybe chmod 0755 'ppp/ip-up.d/chrony'
maybe chmod 0644 'profile' maybe chmod 0644 'profile'
maybe chmod 0755 'profile.d' maybe chmod 0755 'profile.d'
maybe chmod 0644 'profile.d/Z97-byobu.sh' maybe chmod 0644 'profile.d/Z97-byobu.sh'
maybe chmod 0644 'profile.d/apps-bin-path.sh'
maybe chmod 0644 'profile.d/at-dbus-fix.sh' maybe chmod 0644 'profile.d/at-dbus-fix.sh'
maybe chmod 0644 'profile.d/bash_completion.sh' maybe chmod 0644 'profile.d/bash_completion.sh'
maybe chmod 0644 'profile.d/gawk.csh' maybe chmod 0644 'profile.d/gawk.csh'
@ -2420,6 +2424,7 @@ maybe chmod 0755 'systemd/system'
maybe chmod 0644 'systemd/system.conf' maybe chmod 0644 'systemd/system.conf'
maybe chmod 0644 'systemd/system/autologin@.service' maybe chmod 0644 'systemd/system/autologin@.service'
maybe chmod 0755 'systemd/system/bluetooth.target.wants' maybe chmod 0755 'systemd/system/bluetooth.target.wants'
maybe chmod 0755 'systemd/system/cloud-final.service.wants'
maybe chmod 0755 'systemd/system/default.target.wants' maybe chmod 0755 'systemd/system/default.target.wants'
maybe chmod 0755 'systemd/system/dev-serial1.device.wants' maybe chmod 0755 'systemd/system/dev-serial1.device.wants'
maybe chmod 0755 'systemd/system/dhcpcd.service.d' maybe chmod 0755 'systemd/system/dhcpcd.service.d'
@ -2513,6 +2518,7 @@ maybe chmod 0644 'xdg/autostart/onboard-autostart.desktop'
maybe chmod 0755 'xdg/autostart/pprompt.desktop' maybe chmod 0755 'xdg/autostart/pprompt.desktop'
maybe chmod 0644 'xdg/autostart/print-applet.desktop' maybe chmod 0644 'xdg/autostart/print-applet.desktop'
maybe chmod 0644 'xdg/autostart/pulseaudio.desktop' maybe chmod 0644 'xdg/autostart/pulseaudio.desktop'
maybe chmod 0644 'xdg/autostart/snap-userd-autostart.desktop'
maybe chmod 0644 'xdg/autostart/vnc_xrandr.desktop' maybe chmod 0644 'xdg/autostart/vnc_xrandr.desktop'
maybe chmod 0644 'xdg/autostart/xcompmgr.desktop' maybe chmod 0644 'xdg/autostart/xcompmgr.desktop'
maybe chmod 0644 'xdg/autostart/xdg-user-dirs.desktop' maybe chmod 0644 'xdg/autostart/xdg-user-dirs.desktop'

@ -0,0 +1,589 @@
# Author: Jamie Strandboge <jamie@canonical.com>
#include <tunables/global>
/usr/lib/snapd/snap-confine (attach_disconnected) {
# Include any additional files that snapd chose to generate.
# - for $HOME on NFS
# - for $HOME on encrypted media
#
# Those are discussed on https://forum.snapcraft.io/t/snapd-vs-upstream-kernel-vs-apparmor
# and https://forum.snapcraft.io/t/snaps-and-nfs-home/
#include "/var/lib/snapd/apparmor/snap-confine"
# We run privileged, so be fanatical about what we include and don't use
# any abstractions
/etc/ld.so.cache r,
/etc/ld.so.preload r,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}ld-*.so mrix,
# libc, you are funny
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libc{,-[0-9]*}.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libpthread{,-[0-9]*}.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libreadline{,-[0-9]*}.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}librt{,-[0-9]*}.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libgcc_s.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libncursesw{,-[0-9]*}.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libresolv{,-[0-9]*}.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libselinux.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libpcre{,2}{,-[0-9]*}.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libmount.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libblkid.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libuuid.so* mr,
# normal libs in order
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libapparmor.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcgmanager.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libdl{,-[0-9]*}.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnih.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnih-dbus.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libdbus-1.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libudev.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libseccomp.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcap.so* mr,
/usr/lib/snapd/snap-confine mr,
# This rule is needed when executing from a "base: core" devmode snap on
# UC18 and newer where the /usr/lib/snapd/snap-confine inside the
# "base: core" mount namespace always comes from the snapd snap, and thus
# we will execute snap-confine via this path, and thus need to be able to
# read this path when executing. It's also necessary on classic where both
# the snapd and the core snap are installed at the same time.
# TODO: remove this rule when we stop supporting executing other snaps from
# inside devmode snaps, ideally even in the short term we would only include
# this rule on core only, and specifically uc18 and newer where we need it
#@VERBATIM_LIBEXECDIR_SNAP_CONFINE@ mr,
/dev/null rw,
/dev/full rw,
/dev/zero rw,
/dev/random r,
/dev/urandom r,
/dev/pts/[0-9]* rw,
/dev/tty rw,
# cgroup: devices
capability sys_admin,
capability dac_read_search,
capability dac_override,
/sys/fs/cgroup/ r,
/sys/fs/cgroup/devices/ r,
/sys/fs/cgroup/devices/snap.*/ rw,
/sys/fs/cgroup/devices/snap.*/cgroup.procs w,
/sys/fs/cgroup/devices/snap.*/devices.{allow,deny} w,
# cgroup: freezer
# Allow creating per-snap cgroup freezers and adding snap command (task)
# invocations to the freezer. This allows for reliably enumerating all
# running processes for the snap. In addition, allow enumerating processes
# in the cgroup to determine if it is occupied.
/sys/fs/cgroup/freezer/ r,
/sys/fs/cgroup/freezer/snap.*/ w,
/sys/fs/cgroup/freezer/snap.*/cgroup.procs rw,
# querying udev
/etc/udev/udev.conf r,
/sys/**/uevent r,
/run/udev/** rw,
/{,usr/}bin/tr ixr,
/usr/lib/locale/** r,
/usr/lib/@{multiarch}/gconv/gconv-modules r,
/usr/lib/@{multiarch}/gconv/gconv-modules.cache r,
# priv dropping
capability setuid,
capability setgid,
# changing profile
@{PROC}/[0-9]*/attr/{,apparmor/}exec w,
# Reading current profile
@{PROC}/[0-9]*/attr/{,apparmor/}current r,
# Reading available filesystems
@{PROC}/filesystems r,
# To find where apparmor is mounted
@{PROC}/[0-9]*/mounts r,
# To find if apparmor is enabled
/sys/module/apparmor/parameters/enabled r,
# Don't allow changing profile to unconfined or profiles that start with
# '/'. Use 'unsafe' to support snap-exec on armhf and its reliance on
# the environment for determining the capabilities of the architecture.
# 'unsafe' is ok here because the kernel will have already cleared the
# environment as part of launching snap-confine with CAP_SYS_ADMIN. This
# does leave directories as configured by ld.so.preload as well as
# LD_PRELOAD to be set to a library which is in a directory configured by
# ld.so.conf, but access to those locations is mediated by this profile
# (which requires rules for specific locations).
change_profile unsafe /** -> [^u/]**,
change_profile unsafe /** -> u[^n]**,
change_profile unsafe /** -> un[^c]**,
change_profile unsafe /** -> unc[^o]**,
change_profile unsafe /** -> unco[^n]**,
change_profile unsafe /** -> uncon[^f]**,
change_profile unsafe /** -> unconf[^i]**,
change_profile unsafe /** -> unconfi[^n]**,
change_profile unsafe /** -> unconfin[^e]**,
change_profile unsafe /** -> unconfine[^d]**,
change_profile unsafe /** -> unconfined?**,
# allow changing to a few not caught above
change_profile unsafe /** -> {u,un,unc,unco,uncon,unconf,unconfi,unconfin,unconfine},
# LP: #1446794 - when this bug is fixed, change the above to:
# deny change_profile unsafe /** -> {unconfined,/**},
# change_profile unsafe /** -> **,
# reading seccomp filters
/{tmp/snap.rootfs_*/,}var/lib/snapd/seccomp/bpf/*.bin r,
# LP: #1668659 and parallel instaces of classic snaps
mount options=(rw rbind) /snap/ -> /snap/,
mount options=(rw rshared) -> /snap/,
mount options=(rw rbind) /var/lib/snapd/snap/ -> /var/lib/snapd/snap/,
mount options=(rw rshared) -> /var/lib/snapd/snap/,
# boostrapping the mount namespace
mount options=(rw rshared) -> /,
mount options=(rw bind) /tmp/snap.rootfs_*/ -> /tmp/snap.rootfs_*/,
mount options=(rw unbindable) -> /tmp/snap.rootfs_*/,
# the next line is for classic system
mount options=(rw rbind) /snap/*/*/ -> /tmp/snap.rootfs_*/,
# the next line is for core system
mount options=(rw rbind) / -> /tmp/snap.rootfs_*/,
# all of the constructed rootfs is a rslave
mount options=(rw rslave) -> /tmp/snap.rootfs_*/,
# bidirectional mounts (for both classic and core)
# NOTE: this doesn't capture the MERGED_USR configuration option so that
# when a distro with merged /usr and / that uses apparmor shows up it
# should be handled here.
/{,run/}media/ w,
mount options=(rw rbind) /{,run/}media/ -> /tmp/snap.rootfs_*/{,run/}media/,
/run/netns/ w,
mount options=(rw rbind) /run/netns/ -> /tmp/snap.rootfs_*/run/netns/,
# unidirectional mounts (only for classic system)
mount options=(rw rbind) /dev/ -> /tmp/snap.rootfs_*/dev/,
mount options=(rw rslave) -> /tmp/snap.rootfs_*/dev/,
mount options=(rw rbind) /etc/ -> /tmp/snap.rootfs_*/etc/,
mount options=(rw rslave) -> /tmp/snap.rootfs_*/etc/,
mount options=(rw rbind) /home/ -> /tmp/snap.rootfs_*/home/,
mount options=(rw rslave) -> /tmp/snap.rootfs_*/home/,
mount options=(rw rbind) /root/ -> /tmp/snap.rootfs_*/root/,
mount options=(rw rslave) -> /tmp/snap.rootfs_*/root/,
mount options=(rw rbind) /proc/ -> /tmp/snap.rootfs_*/proc/,
mount options=(rw rslave) -> /tmp/snap.rootfs_*/proc/,
mount options=(rw rbind) /sys/ -> /tmp/snap.rootfs_*/sys/,
mount options=(rw rslave) -> /tmp/snap.rootfs_*/sys/,
mount options=(rw rbind) /tmp/ -> /tmp/snap.rootfs_*/tmp/,
mount options=(rw rslave) -> /tmp/snap.rootfs_*/tmp/,
mount options=(rw rbind) /var/lib/dhcp/ -> /tmp/snap.rootfs_*/var/lib/dhcp/,
mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/lib/dhcp/,
mount options=(rw rbind) /var/lib/snapd/ -> /tmp/snap.rootfs_*/var/lib/snapd/,
mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/lib/snapd/,
mount options=(rw rbind) /var/snap/ -> /tmp/snap.rootfs_*/var/snap/,
mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/snap/,
mount options=(rw rbind) /var/tmp/ -> /tmp/snap.rootfs_*/var/tmp/,
mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/tmp/,
mount options=(rw rbind) /run/ -> /tmp/snap.rootfs_*/run/,
mount options=(rw rslave) -> /tmp/snap.rootfs_*/run/,
mount options=(rw rbind) /var/lib/extrausers/ -> /tmp/snap.rootfs_*/var/lib/extrausers/,
mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/lib/extrausers/,
mount options=(rw rbind) {,/usr}/lib{,32,64,x32}/modules/ -> /tmp/snap.rootfs_*{,/usr}/lib/modules/,
mount options=(rw rslave) -> /tmp/snap.rootfs_*{,/usr}/lib/modules/,
mount options=(rw rbind) {,/usr}/lib{,32,64,x32}/firmware/ -> /tmp/snap.rootfs_*{,/usr}/lib/firmware/,
mount options=(rw rslave) -> /tmp/snap.rootfs_*{,/usr}/lib/firmware/,
mount options=(rw rbind) /var/log/ -> /tmp/snap.rootfs_*/var/log/,
mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/log/,
mount options=(rw rbind) /usr/src/ -> /tmp/snap.rootfs_*/usr/src/,
mount options=(rw rslave) -> /tmp/snap.rootfs_*/usr/src/,
mount options=(rw rbind) /mnt/ -> /tmp/snap.rootfs_*/mnt/,
mount options=(rw rslave) -> /tmp/snap.rootfs_*/mnt/,
# allow making host snap-exec available inside base snaps
mount options=(rw bind) /usr/lib/snapd/ -> /tmp/snap.rootfs_*/usr/lib/snapd/,
mount options=(rw slave) -> /tmp/snap.rootfs_*/usr/lib/snapd/,
# allow making re-execed host snap-exec available inside base snaps
mount options=(ro bind) /snap/core/*/usr/lib/snapd/ -> /tmp/snap.rootfs_*/usr/lib/snapd/,
# allow making snapd snap tools available inside base snaps
mount options=(ro bind) /snap/snapd/*/usr/lib/snapd/ -> /tmp/snap.rootfs_*/usr/lib/snapd/,
mount options=(rw bind) /usr/bin/snapctl -> /tmp/snap.rootfs_*/usr/bin/snapctl,
mount options=(rw slave) -> /tmp/snap.rootfs_*/usr/bin/snapctl,
# /etc/alternatives (classic and normal mode)
mount options=(rw bind) /snap/*/*/etc/alternatives/ -> /tmp/snap.rootfs_*/etc/alternatives/,
mount options=(rw bind) /snap/*/*/etc/ssl/ -> /tmp/snap.rootfs_*/etc/ssl/,
mount options=(rw bind) /snap/*/*/etc/nsswitch.conf -> /tmp/snap.rootfs_*/etc/nsswitch.conf,
mount options=(rw bind) /snap/*/*/etc/apparmor/ -> /tmp/snap.rootfs_*/etc/apparmor/,
mount options=(rw bind) /snap/*/*/etc/apparmor.d/ -> /tmp/snap.rootfs_*/etc/apparmor.d/,
# /etc/alternatives (core/legacy mode)
mount options=(rw bind) /etc/alternatives/ -> /tmp/snap.rootfs_*/etc/alternatives/,
# making all those directories slave shared.
mount options=(rw slave) -> /tmp/snap.rootfs_*/etc/alternatives/,
mount options=(rw slave) -> /tmp/snap.rootfs_*/etc/ssl/,
mount options=(rw slave) -> /tmp/snap.rootfs_*/etc/nsswitch.conf,
mount options=(rw slave) -> /tmp/snap.rootfs_*/etc/apparmor/,
mount options=(rw slave) -> /tmp/snap.rootfs_*/etc/apparmor.d/,
# the /snap directory
mount options=(rw rbind) /snap/ -> /tmp/snap.rootfs_*/snap/,
mount options=(rw rslave) -> /tmp/snap.rootfs_*/snap/,
# pivot_root preparation and execution
mount options=(rw bind) /tmp/snap.rootfs_*/var/lib/snapd/hostfs/ -> /tmp/snap.rootfs_*/var/lib/snapd/hostfs/,
mount options=(rw private) -> /tmp/snap.rootfs_*/var/lib/snapd/hostfs/,
# pivot_root mediation in AppArmor is not complete. See LP: #1791711.
# However, we can mediate the new_root and put_old to be what we expect,
# and then deny directory creation within old_root to prevent trivial
# pivoting into a whitelisted path.
pivot_root oldroot=/tmp/snap.rootfs_*/var/lib/snapd/hostfs/ /tmp/snap.rootfs_*/,
# Explicitly deny creating the old_root directory in case it is
# inadvertently added somewhere else. While this doesn't resolve
# LP: #1791711, it provides some hardening.
audit deny /tmp/snap.rootfs_*/{var/,var/lib/,var/lib/snapd/,var/lib/snapd/hostfs/} w,
# cleanup
umount /var/lib/snapd/hostfs/tmp/snap.rootfs_*/,
umount /var/lib/snapd/hostfs/sys/,
umount /var/lib/snapd/hostfs/dev/,
umount /var/lib/snapd/hostfs/proc/,
mount options=(rw rslave) -> /var/lib/snapd/hostfs/,
# Hide /writable from view of snaps.
mount options=(rprivate) -> /{,var/lib/snapd/hostfs/}writable/,
umount /{,var/lib/snapd/hostfs/}writable/,
# set up user mount namespace
mount options=(rslave) -> /,
# set up mount namespace for parallel instances of classic snaps
mount options=(rw rbind) /snap/{,*/} -> /snap/{,*/},
mount options=(rslave) -> /snap/,
mount options=(rslave) -> /var/snap/,
mount options=(rw rbind) /var/snap/{,*/} -> /var/snap/{,*/},
mount options=(rw rshared) -> /var/snap/,
# Allow reading the os-release file (possibly a symlink to /usr/lib).
/{etc/,usr/lib/}os-release r,
# Allow creating /var/lib/snapd/hostfs, if missing
/var/lib/snapd/hostfs/ rw,
# set up snap-specific private /tmp dir
capability chown,
/tmp/ rw,
/tmp/snap.*/ rw,
/tmp/snap.*/tmp/ rw,
mount options=(rw private) -> /tmp/,
mount options=(rw bind) /tmp/snap.*/tmp/ -> /tmp/,
mount fstype=devpts options=(rw) devpts -> /dev/pts/,
mount options=(rw bind) /dev/pts/ptmx -> /dev/ptmx, # for bind mounting
mount options=(rw bind) /dev/pts/ptmx -> /dev/pts/ptmx, # for bind mounting under LXD
# Workaround for LP: #1584456 on older kernels that mistakenly think
# /dev/pts/ptmx needs a trailing '/'
mount options=(rw bind) /dev/pts/ptmx/ -> /dev/ptmx/,
mount options=(rw bind) /dev/pts/ptmx/ -> /dev/pts/ptmx/,
# for running snaps on classic
/snap/ r,
/snap/** r,
/snap/ r,
/snap/** r,
# NOTE: at this stage the /snap directory is stable as we have called
# pivot_root already.
# nvidia handling, glob needs /usr/** and the launcher must be
# able to bind mount the nvidia dir
/sys/module/nvidia/version r,
/sys/**/drivers/nvidia{,_*}/* r,
/sys/**/nvidia*/uevent r,
/sys/module/nvidia{,_*}/* r,
/dev/nvidia[0-9]* r,
/dev/nvidiactl r,
/dev/nvidia-uvm r,
/usr/** r,
mount options=(rw bind) /usr/lib{,32}/nvidia-*/ -> /{tmp/snap.rootfs_*/,}var/lib/snapd/lib/gl{,32}/,
mount options=(rw bind) /usr/lib{,32}/nvidia-*/ -> /{tmp/snap.rootfs_*/,}var/lib/snapd/lib/gl{,32}/,
/tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/{,*} w,
mount fstype=tmpfs options=(rw nodev noexec) none -> /tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/,
mount options=(remount ro bind) -> /tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/,
# Vulkan support
/tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/{,*} w,
mount fstype=tmpfs options=(rw nodev noexec) none -> /tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/,
mount options=(remount ro bind) -> /tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/,
# GLVND EGL vendor
/tmp/snap.rootfs_*/var/lib/snapd/lib/glvnd/{,*} w,
mount fstype=tmpfs options=(rw nodev noexec) none -> /tmp/snap.rootfs_*/var/lib/snapd/lib/glvnd/,
mount options=(remount ro bind) -> /tmp/snap.rootfs_*/var/lib/snapd/lib/glvnd/,
# create gl dirs as needed
/tmp/snap.rootfs_*/ r,
/tmp/snap.rootfs_*/var/ r,
/tmp/snap.rootfs_*/var/lib/ r,
/tmp/snap.rootfs_*/var/lib/snapd/ r,
/tmp/snap.rootfs_*/var/lib/snapd/lib/ r,
/tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/ r,
/tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/** rw,
/tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/ r,
/tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/** rw,
/tmp/snap.rootfs_*/var/lib/snapd/lib/glvnd/ r,
/tmp/snap.rootfs_*/var/lib/snapd/lib/glvnd/** rw,
# for chroot on steroids, we use pivot_root as a better chroot that makes
# apparmor rules behave the same on classic and outside of classic.
# for creating the user data directories: ~/snap, ~/snap/<name> and
# ~/snap/<name>/<version>
/ r,
@{HOMEDIRS}/ r,
# These should both have 'owner' match but due to LP: #1466234, we can't
# yet
@{HOME}/ r,
@{HOME}/snap/{,*/,*/*/} rw,
# Special case for *classic* snaps that are used by users with existing dirs
# in /var/lib/. Like jenkins, postgresql, mysql, puppet, ...
# (see https://forum.snapcraft.io/t/9717)
# TODO: this can be removed once we support home-dirs outside of /home
# better
/var/ r,
/var/lib/ r,
# These should both have 'owner' match but due to LP: #1466234, we can't
# yet
/var/lib/*/ r,
/var/lib/*/snap/{,*/,*/*/} rw,
# for creating the user shared memory directories
/{dev,run}/{,shm/} r,
# This should both have 'owner' match but due to LP: #1466234, we can't yet
/{dev,run}/shm/{,*/,*/*/} rw,
# for creating the user XDG_RUNTIME_DIR: /run/user, /run/user/UID and
# /run/user/UID/<name>
/run/user/{,[0-9]*/,[0-9]*/*/} rw,
# Workaround https://launchpad.net/bugs/359338 until upstream handles
# stacked filesystems generally.
# encrypted ~/.Private and old-style encrypted $HOME
@{HOME}/.Private/ r,
@{HOME}/.Private/** mrwlk,
# new-style encrypted $HOME
@{HOMEDIRS}/.ecryptfs/*/.Private/ r,
@{HOMEDIRS}/.ecryptfs/*/.Private/** mrwlk,
# Allow snap-confine to move to the void, creating it if necessary.
/var/lib/snapd/void/ rw,
# Allow snap-confine to read snap contexts
/var/lib/snapd/context/snap.* r,
# Allow snap-confine to unmount stale mount namespaces.
umount /run/snapd/ns/*.mnt,
/run/snapd/ns/snap.*.fstab w,
# Allow snap-confine to read and write mount namespace information files.
/run/snapd/ns/snap.*.info rw,
# Required to correctly unmount bound mount namespace.
# See LP: #1735459 for details.
umount /,
# support for locking
/run/snapd/lock/ rw,
/run/snapd/lock/*.lock rwk,
# support for the mount namespace sharing
capability sys_ptrace,
# allow snap-confine to read /proc/1/ns/mnt
ptrace read peer=unconfined,
# https://forum.snapcraft.io/t/custom-kernel-error-on-readlinkat-in-mount-namespace/6097/21
ptrace trace peer=unconfined,
mount options=(rw rbind) /run/snapd/ns/ -> /run/snapd/ns/,
mount options=(private) -> /run/snapd/ns/,
/ rw,
/run/ rw,
/run/snapd/ rw,
/run/snapd/ns/ rw,
/run/snapd/ns/*.lock rwk,
/run/snapd/ns/*.mnt rw,
ptrace (read, readby, tracedby) peer=/usr/lib/snapd/snap-confine//mount-namespace-capture-helper,
@{PROC}/*/mountinfo r,
capability sys_chroot,
capability sys_admin,
signal (send, receive) set=(abrt) peer=/usr/lib/snapd/snap-confine,
signal (send) set=(int) peer=/usr/lib/snapd/snap-confine//mount-namespace-capture-helper,
signal (send, receive) set=(int, alrm, exists) peer=/usr/lib/snapd/snap-confine,
signal (receive) set=(exists) peer=/usr/lib/snapd/snap-confine//mount-namespace-capture-helper,
# workaround for linux 4.13/upstream, see
# https://forum.snapcraft.io/t/snapd-2-27-6-2-in-debian-sid-blocked-on-apparmor-in-kernel-4-13-0-1/2813/3
ptrace (trace, tracedby) peer=/usr/lib/snapd/snap-confine,
# Allow reading snap cookies.
/var/lib/snapd/cookie/snap.* r,
# For aa_change_hat() to go into ^mount-namespace-capture-helper
@{PROC}/[0-9]*/attr/{,apparmor/}current w,
# As a special exception allow snap-confine to write to anything in /var/lib.
# This code should be changed to allow delegation so that snap-confine can
# inherit any file descriptor and pass it to the invoked application but
# this is not possible in apparmor yet.
# See https://bugs.launchpad.net/snapd/+bug/1815869
/var/lib/** rw,
^mount-namespace-capture-helper (attach_disconnected) {
# We run privileged, so be fanatical about what we include and don't use
# any abstractions
/etc/ld.so.cache r,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}ld-*.so mrix,
# libc, you are funny
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libc{,-[0-9]*}.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libpthread{,-[0-9]*}.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libreadline{,-[0-9]*}.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}librt{,-[0-9]*}.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libgcc_s.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libncursesw{,-[0-9]*}.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libresolv{,-[0-9]*}.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libselinux.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libpcre.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libmount.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libblkid.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libuuid.so* mr,
# normal libs in order
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libapparmor.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcgmanager.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libdl{,-[0-9]*}.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnih.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnih-dbus.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libdbus-1.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libudev.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libseccomp.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcap.so* mr,
/usr/lib/snapd/snap-confine mr,
/dev/null rw,
/dev/full rw,
/dev/zero rw,
/dev/random r,
/dev/urandom r,
capability sys_ptrace,
capability sys_admin,
# This allows us to read and bind mount the namespace file
/ r,
@{PROC}/ r,
@{PROC}/*/ r,
@{PROC}/*/ns/ r,
@{PROC}/*/ns/mnt r,
/run/ r,
/run/snapd/ r,
/run/snapd/ns/ r,
/run/snapd/ns/*.mnt rw,
# NOTE: the source name is / even though we map /proc/123/ns/mnt
mount options=(rw bind) / -> /run/snapd/ns/*.mnt,
# This is the SIGALRM that we send and receive if a timeout expires
signal (send, receive) set=(alrm) peer=/usr/lib/snapd/snap-confine//mount-namespace-capture-helper,
# Those two rules are exactly the same but we don't know if the parent process is still alive
# and hence has the appropriate label or is already dead and hence has no label.
signal (send) set=(exists) peer=/usr/lib/snapd/snap-confine,
signal (send) set=(exists) peer=unconfined,
# This is so that we can abort
signal (send, receive) set=(abrt) peer=/usr/lib/snapd/snap-confine//mount-namespace-capture-helper,
# This is the signal we get if snap-confine dies (we subscribe to it with prctl)
signal (receive) set=(int) peer=/usr/lib/snapd/snap-confine,
# This allows snap-confine to be killed from the outside.
signal (receive) peer=unconfined,
# This allows snap-confine to wait for us
ptrace (read, trace, tracedby) peer=/usr/lib/snapd/snap-confine,
}
# Allow snap-confine to be killed
signal (receive) peer=unconfined,
# Allow switching to snap-update-ns with a per-snap profile.
change_profile -> snap-update-ns.*,
# Allow executing snap-update-ns when...
# ...snap-confine is, conceptually, re-executing and uses snap-update-ns
# from the distribution package. This is also the location used when using
# the core/base snap on all-snap systems. The variants here represent
# various locations of libexecdir across distributions.
/usr/lib{,exec,64}/snapd/snap-update-ns r,
# ...snap-confine is not, conceptually, re-executing and uses
# snap-update-ns from the distribution package but we are already inside
# the constructed mount namespace so we must traverse "hostfs". The
# variants here represent various locations of libexecdir across
# distributions.
/var/lib/snapd/hostfs/usr/lib{,exec,64}/snapd/snap-update-ns r,
# ..snap-confine is, conceptually, re-executing and uses snap-update-ns
# from the core or snapd snaps. Note that the location of the actual snap
# varies from distribution to distribution. The variants here represent
# different locations of snap mount directory across distributions.
/{,var/lib/snapd/}snap/{core,snapd}/*/usr/lib/snapd/snap-update-ns r,
# ...snap-confine is, conceptually, re-executing and uses snap-update-ns
# from the core snap or snapd snap, but we are already inside the
# constructed mount namespace. Here the apparmor kernel module
# re-constructs the path to snap-update-ns using the "hostfs" mount entry
# rather than the more "natural" /snap mount entry but we have no control
# over that. This is reported as (LP: #1716339). The variants here
# represent different locations of snap mount directory across
# distributions.
/var/lib/snapd/hostfs/{,var/lib/snapd/}snap/{core,snapd}/*/usr/lib/snapd/snap-update-ns r,
# Allow executing snap-discard-ns, just like the set for snap-update-ns
# above but with the key difference that snap-discard-ns does not
# have a dedicated profile so we need to inherit snap-confine's profile.
/usr/lib{,exec,64}/snapd/snap-discard-ns rix,
/var/lib/snapd/hostfs/usr/lib{,exec,64}/snapd/snap-discard-ns rix,
/{,var/lib/snapd/}snap/{core,snapd}/*/usr/lib/snapd/snap-discard-ns rix,
/var/lib/snapd/hostfs/{,var/lib/snapd/}snap/{core,snapd}/*/usr/lib/snapd/snap-discard-ns rix,
# Allow mounting /var/lib/jenkins from the host into the snap.
mount options=(rw rbind) /var/lib/jenkins/ -> /tmp/snap.rootfs_*/var/lib/jenkins/,
mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/lib/jenkins/,
# Suppress noisy file_inherit denials (LP: #1850552) until LP: #1849753 is
# fixed.
deny /dev/shm/.org.chromium.Chromium.* rw,
# While snap-confine itself doesn't require unix rules and therefore all
# unix rules are implicitly denied, adding an explicit deny for unix to
# silence noisy denials breaks nested lxd. Until the cause is determined,
# do not use an explicit deny for unix. (LP: #1855355)
#deny unix,
# Explicitly deny these accesses which show up on Arch to silence the
# denials for this unneeded access.
deny /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnss_files-[0-9]*.so* mr,
deny /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnss_mymachines.[0-9]*.so* mr,
deny /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnss_systemd.[0-9]*.so* mr,
deny /etc/nsswitch.conf r,
deny /etc/passwd r,
}
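Review bot: The committed profile is not the complete policy: the `#include "/var/lib/snapd/apparmor/snap-confine"` near the top pulls in rules that snapd generates under /var/lib at runtime, which etckeeper does not track, so this repository alone cannot be used to audit what snap-confine is permitted to do. The `local/usr.lib.snapd.snap-confine.real` override file that this commit also creates does not appear to be referenced by the profile (no `#include <local/...>` line is visible in the hunk), so `deny` rules placed there would presumably be ignored — verify with `apparmor_parser -p` before relying on it. Given the broad grants upstream itself flags (`/var/lib/** rw` under the LP: #1815869 comment, `/usr/** r`, `capability sys_admin`/`sys_ptrace`, `ptrace trace peer=unconfined`), confirm the policy is actually enforced on this Raspberry Pi kernel (`/sys/module/apparmor/parameters/enabled`, the node the profile reads itself, plus `snap debug confinement`); if AppArmor is not enabled the privileged snap-confine runs with none of these restrictions. Separately, later snapd releases fixed local privilege escalations in snap-confine (CVE-2021-44730 and CVE-2021-44731, shipped to Debian bullseye after 2.49-1+deb11u1 as far as I recall), so check whether this `2.49-1+rpi1+deb11u1` build carries those patches.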

@ -0,0 +1 @@
AptCli::Hooks::Install { "[ ! -f /usr/bin/snap ] || /usr/bin/snap advise-snap --from-apt 2>/dev/null || true"; };
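Review bot: This hook runs `/usr/bin/snap advise-snap --from-apt` as root inside every apt install transaction while discarding stderr and forcing a zero exit (`2>/dev/null || true`), so a failing or blocking `snap` invocation (for example when the snapd socket is unresponsive) would presumably hold up apt with no diagnostic at all; that is acceptable for a best-effort advisory but worth knowing when debugging slow installs. On a Pi that is meant to stay offline or should not consult snapd from apt, the file is a conffile, so deleting it locally is preserved by dpkg across upgrades. A one-line comment in the file would help the next administrator, e.g. `// Best-effort advisory only (presumably suggests snaps for packages apt cannot find); failures are deliberately ignored and the hook can be removed.`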

@ -161,6 +161,7 @@ application/x-app-package; pi-gpk-install-local-file %s; test=test -n "$DISPLAY"
application/vnclicense-key; vnclicensehelper -key %s; test=test -n "$DISPLAY" application/vnclicense-key; vnclicensehelper -key %s; test=test -n "$DISPLAY"
application/vnc-shortcut; vncviewer %s; test=test -n "$DISPLAY" application/vnc-shortcut; vncviewer %s; test=test -n "$DISPLAY"
application/x-scratch3; /usr/lib/scratch3/scratch-desktop %s; test=test -n "$DISPLAY" application/x-scratch3; /usr/lib/scratch3/scratch-desktop %s; test=test -n "$DISPLAY"
x-scheme-handler/snap; /usr/bin/snap handle-link %s; test=test -n "$DISPLAY"
application/x-image; squeak %s; test=test -n "$DISPLAY" application/x-image; squeak %s; test=test -n "$DISPLAY"
application/squeak-image; squeak %s; test=test -n "$DISPLAY" application/squeak-image; squeak %s; test=test -n "$DISPLAY"
application/squeak-project; squeak %s; test=test -n "$DISPLAY" application/squeak-project; squeak %s; test=test -n "$DISPLAY"
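Review bot: The new `x-scheme-handler/snap` entry makes `/usr/bin/snap handle-link %s` reachable from any page or document that emits a `snap:` URL, so the URL has to be treated as untrusted input on the `snap handle-link` side, which is not visible here. run-mailcap shell-quotes the `%s` substitution when it builds the command line, so shell injection through the URL is not the concern; whatever the handler does with the link (presumably an install prompt for the named snap) is the surface to check. The `test=test -n "$DISPLAY"` guard follows the neighbouring entries and is X11-only, so the handler is simply skipped in a Wayland-only session.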

@ -0,0 +1,22 @@
# shellcheck shell=sh
# Expand $PATH to include the directory where snappy applications go.
snap_bin_path="/snap/bin"
if [ -n "${PATH##*${snap_bin_path}}" ] && [ -n "${PATH##*${snap_bin_path}:*}" ]; then
export PATH=$PATH:${snap_bin_path}
fi
# Ensure base distro defaults xdg path are set if nothing filed up some
# defaults yet.
if [ -z "$XDG_DATA_DIRS" ]; then
export XDG_DATA_DIRS="/usr/local/share:/usr/share"
fi
# Desktop files (used by desktop environments within both X11 and Wayland) are
# looked for in XDG_DATA_DIRS; make sure it includes the relevant directory for
# snappy applications' desktop files.
snap_xdg_path="/var/lib/snapd/desktop"
if [ -n "${XDG_DATA_DIRS##*${snap_xdg_path}}" ] && [ -n "${XDG_DATA_DIRS##*${snap_xdg_path}:*}" ]; then
export XDG_DATA_DIRS="${XDG_DATA_DIRS}:${snap_xdg_path}"
fi
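Review bot: The containment check `[ -n "${PATH##*${snap_bin_path}}" ] && [ -n "${PATH##*${snap_bin_path}:*}" ]` is a suffix match rather than a whole-entry match: a PATH that already contains `/opt/snap/bin` or `/usr/snap/bin` satisfies it, and `/snap/bin` is then never appended (the `XDG_DATA_DIRS` test below it has the same shape). Appending at the end of PATH is the right choice for a directory under /snap, since it cannot shadow /usr/bin, so the fix is only to anchor the match on `:` delimiters as sketched below. This file is a package conffile, so a local edit will be flagged by dpkg on the next snapd upgrade; the same change upstream is the cleaner route.
```shell
snap_bin_path="/snap/bin"
# Match whole PATH entries only, so e.g. /opt/snap/bin does not count as /snap/bin.
case ":${PATH}:" in
  *":${snap_bin_path}:"*) ;;
  *) export PATH="${PATH}:${snap_bin_path}" ;;
esac
# … unchanged: XDG_DATA_DIRS default …
snap_xdg_path="/var/lib/snapd/desktop"
case ":${XDG_DATA_DIRS}:" in
  *":${snap_xdg_path}:"*) ;;
  *) export XDG_DATA_DIRS="${XDG_DATA_DIRS}:${snap_xdg_path}" ;;
esac
```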

@ -0,0 +1 @@
/lib/systemd/system/snapd.seeded.service

@ -0,0 +1 @@
/lib/systemd/system/snapd.recovery-chooser-trigger.service

@ -0,0 +1 @@
/lib/systemd/system/snapd.seeded.service

@ -0,0 +1 @@
/lib/systemd/system/snapd.service

@ -0,0 +1 @@
/lib/systemd/system/snapd.socket

@ -0,0 +1,6 @@
[Desktop Entry]
Name=Snap user application autostart helper
Comment=Helper program for launching snap applications that are configured to start automatically.
Exec=/usr/bin/snap userd --autostart
Type=Application
NoDisplay=true
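Review bot: Installed under /etc/xdg/autostart with no `OnlyShowIn`/`NotShowIn` key, this entry launches `/usr/bin/snap userd --autostart` in every user's graphical session on the machine, and `NoDisplay=true` keeps it out of menus and, in some desktops, out of the startup-applications UI, so users may not notice it runs. The per-user opt-out is a same-named file in `~/.config/autostart` carrying `Hidden=true`; a comment line at the top, e.g. `# Per-user disable: ~/.config/autostart/snap-userd-autostart.desktop with Hidden=true`, would make that discoverable. What `snap userd` exposes beyond starting autostart snaps is not visible in this commit.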