From 3147f7d59a461246ed1f21f822879fbcc4467423 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 10 Sep 2023 12:07:35 +0100
Subject: [PATCH] feat(snap): do not confine snap.

Curently ignored because of some incompatibilities with snap-confine. snap-confine is more important to confine than snap itself.
---
 apparmor.d/groups/apt/command-not-found | 2 +-
 apparmor.d/groups/freedesktop/xdg-desktop-portal | 2 +-
 apparmor.d/groups/systemd/systemd-udevd | 2 +-
 apparmor.d/groups/ubuntu/notify-reboot-required | 2 +-
 apparmor.d/groups/ubuntu/subiquity-console-conf | 2 +-
 apparmor.d/groups/ubuntu/update-notifier | 2 +-
 apparmor.d/profiles-m-r/run-parts | 2 +-
 apparmor.d/profiles-s-z/snap | 6 +++---
 apparmor.d/profiles-s-z/snapd | 3 +-
 apparmor.d/profiles-s-z/sudo | 2 +-
 10 files changed, 12 insertions(+), 13 deletions(-)

diff --git a/apparmor.d/groups/apt/command-not-found b/apparmor.d/groups/apt/command-not-found
index 4dc754e6..98d224bd 100644
--- a/apparmor.d/groups/apt/command-not-found
+++ b/apparmor.d/groups/apt/command-not-found
@@ -21,7 +21,7 @@ profile command-not-found @{exec_path} {
 @{bin}/python3.[0-9]* r,
 @{bin}/lsb_release rPx -> lsb_release,
- @{bin}/snap rPx,
+ @{bin}/snap rPUx,
 /var/lib/command-not-found/commands.db rwk,
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal
index c88f1c3c..fe4a7f83 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal
@@ -109,7 +109,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
 @{bin}/{,ba,da}sh rix,
 @{bin}/nautilus rPx,
- @{bin}/snap rPx,
+ @{bin}/snap rPUx,
 @{bin}/kreadconfig5 rPx,
 @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd
index 8dfa3dd3..bf9400da 100644
--- a/apparmor.d/groups/systemd/systemd-udevd
+++ b/apparmor.d/groups/systemd/systemd-udevd
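Review bot: The new `@{bin}/snap rPUx,` line in command-not-found records nothing about the unconfined fallback being deliberate and temporary, whereas this profile set marks comparable relaxations with an inline TODO (the `# TODO: rPx,` on the netplan line in subiquity-console-conf, the `# TODO: rCx or rix ...` on pkexec in update-notifier). With `PUx`, a caller whose `snap` profile is not loaded — which the commit message suggests is the current state — runs snap with no AppArmor confinement, so the caller's profile no longer bounds anything snap goes on to execute. Suggest `@{bin}/snap rPUx, # TODO: rPx once snap is confined` here, and the same annotation on the identical lines in xdg-desktop-portal, systemd-udevd, notify-reboot-required, update-notifier, run-parts and the second snapd hunk.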
@@ -55,7 +55,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {
 @{bin}/sed rix,
 @{bin}/setfacl rix,
 @{bin}/sg_inq rix,
- @{bin}/snap rPx,
+ @{bin}/snap rPUx,
 @{bin}/systemctl rCx -> systemctl,
 @{bin}/touch rix,
 @{bin}/unshare rix,
diff --git a/apparmor.d/groups/ubuntu/notify-reboot-required b/apparmor.d/groups/ubuntu/notify-reboot-required
index f4692ec0..8e69d4a2 100644
--- a/apparmor.d/groups/ubuntu/notify-reboot-required
+++ b/apparmor.d/groups/ubuntu/notify-reboot-required
@@ -15,7 +15,7 @@ profile notify-reboot-required @{exec_path} {
 @{bin}/{,ba,da}sh rix,
 @{bin}/gettext rix,
- @{bin}/snap rPx,
+ @{bin}/snap rPUx,
 /usr/share/update-notifier/notify-reboot-required r,
diff --git a/apparmor.d/groups/ubuntu/subiquity-console-conf b/apparmor.d/groups/ubuntu/subiquity-console-conf
index b57c825a..12f5f32d 100644
--- a/apparmor.d/groups/ubuntu/subiquity-console-conf
+++ b/apparmor.d/groups/ubuntu/subiquity-console-conf
@@ -37,7 +37,7 @@ profile subiquity-console-conf @{exec_path} {
 @{bin}/journalctl rCx -> journalctl,
 @{bin}/ssh-keygen rPx,
 @{bin}/sshd rPx,
- /{snap/snapd/@{int}/,}{usr/,}bin/snap rPx, # TODO: rCx,
+ @{bin}/snap rPUx,
 /usr/lib/snapd/snap-recovery-chooser rPUx,
 /usr/share/netplan/netplan.script rPUx, # TODO: rPx,
diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier
index 39d97c16..ba22f65d 100644
--- a/apparmor.d/groups/ubuntu/update-notifier
+++ b/apparmor.d/groups/ubuntu/update-notifier
@@ -40,7 +40,7 @@ profile update-notifier @{exec_path} {
 @{bin}/dpkg rPx -> child-dpkg,
 @{bin}/lsb_release rPx -> lsb_release,
 @{bin}/pkexec rPx, # TODO: rCx or rix to run /usr/lib/update-notifier/package-system-locked
- @{bin}/snap rPx,
+ @{bin}/snap rPUx,
 @{bin}/software-properties-gtk rPx,
 @{bin}/systemctl rPx -> child-systemctl,
 @{bin}/update-manager rPx,
diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts
index 06f0a7ca..088b93b9 100644
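Review bot: In subiquity-console-conf the replacement `@{bin}/snap rPUx,` matches fewer paths than the removed `/{snap/snapd/@{int}/,}{usr/,}bin/snap`: the `/snap/snapd/@{int}/` alternative is gone, so the snap binary shipped inside the snapd snap is no longer covered by this rule and, unless another rule outside the hunk matches it, executing it would now be denied. The sudo hunk in this same commit keeps a `/snap/snapd/@{int}...` rule, which suggests the in-snap path is still considered reachable. If the narrowing is unintended, `/{snap/snapd/@{int}/,}{usr/,}bin/snap rPUx,` keeps the old coverage with the new mode. The removed `# TODO: rCx,` note is also dropped without a replacement; the rest of the profile is outside the hunk.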
--- a/apparmor.d/profiles-m-r/run-parts
+++ b/apparmor.d/profiles-m-r/run-parts
@@ -151,7 +151,7 @@ profile run-parts @{exec_path} {
 @{bin}/tr rix,
 @{bin}/uname rix,
- @{bin}/snap rPx,
+ @{bin}/snap rPUx,
 @{lib}/ubuntu-release-upgrader/release-upgrade-motd rPx,
 @{lib}/update-notifier/update-motd-fsck-at-reboot rPx,
 @{lib}/update-notifier/update-motd-reboot-required rix,
diff --git a/apparmor.d/profiles-s-z/snap b/apparmor.d/profiles-s-z/snap
index a1368e1b..3a4d3af5 100644
--- a/apparmor.d/profiles-s-z/snap
+++ b/apparmor.d/profiles-s-z/snap
@@ -50,9 +50,9 @@ profile snap @{exec_path} {
 @{bin}/systemctl rPx -> child-systemctl,
 /snap/{,**} rw,
- @{lib_dirs}/snapd/snap-confine rPx,
- @{lib_dirs}/snapd/snap-seccomp rPx,
- @{lib_dirs}/snapd/snapd rPx,
+ # @{lib_dirs}/snap-confine rPx -> /usr/lib/snapd/snap-confine,
+ @{lib_dirs}/snapd/snap-seccomp rPx -> snap-seccomp,
+ @{lib_dirs}/snapd/snapd rPx -> snapd,
 /etc/fstab r,
diff --git a/apparmor.d/profiles-s-z/snapd b/apparmor.d/profiles-s-z/snapd
index 30162134..1f89259b 100644
--- a/apparmor.d/profiles-s-z/snapd
+++ b/apparmor.d/profiles-s-z/snapd
@@ -77,7 +77,6 @@ profile snapd @{exec_path} {
 @{bin}/kmod rPx,
 @{bin}/mount rix,
 @{bin}/runuser rCx -> runuser,
- @{bin}/snap rPx,
 @{bin}/sync rix,
 @{bin}/systemctl rix,
 @{bin}/systemd-detect-virt rPx,
@@ -88,7 +87,7 @@ profile snapd @{exec_path} {
 @{bin}/update-desktop-database rPx,
 @{bin_dirs}/fc-cache-* mr,
- @{bin_dirs}/snap rPx -> snap,
+ @{bin_dirs}/snap rPUx,
 @{bin_dirs}/xdelta3 rix,
 @{lib_dirs}/@{multiarch}/** mr,
 @{lib_dirs}/@{multiarch}/ld-*.so rix,
diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo
index a68df18f..c9d068ef 100644
--- a/apparmor.d/profiles-s-z/sudo
+++ b/apparmor.d/profiles-s-z/sudo
@@ -56,7 +56,7 @@ profile sudo @{exec_path} {
 @{lib}/** rPUx,
 @{lib}/sudo/** mr,
- /snap/snapd/@{int}/usr/bin/snap rPx,
+ /snap/snapd/@{int}@{bin}/snap rPUx,
 @{etc_ro}/environment r,
 @{etc_ro}/security/limits.d/{,*} r,
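Review bot: In the snap profile, the commented-out line `# @{lib_dirs}/snap-confine rPx -> /usr/lib/snapd/snap-confine,` has lost the `snapd/` path component that the removed rule `@{lib_dirs}/snapd/snap-confine rPx,` had, so re-enabling it as written would not match the binary; it also gives no reason for being disabled. Suggest `# @{lib_dirs}/snapd/snap-confine rPx -> /usr/lib/snapd/snap-confine, # TODO: disabled, snap-confine incompatibilities (see commit message)`. With no snap-confine exec rule left in the hunk, a confined `snap` could not launch snap-confine at all, which is presumably acceptable only while this profile stays ignored, as the commit message says it is. The two sibling rules now target profile names (`snap-seccomp`, `snapd`) while the disabled one targets a path; a short comment that the path form is the name snapd ships its snap-confine profile under (if that is the reason) would save the next reader the question.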
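Review bot: In sudo, `/snap/snapd/@{int}@{bin}/snap rPUx,` widens the match relative to the removed `/snap/snapd/@{int}/usr/bin/snap`: `@{bin}` in this profile set expands to several bin directories (presumably `/{,usr/}{,s}bin` — confirm against the tunables), so `bin/snap`, `sbin/snap` and `usr/sbin/snap` under the snapd snap would also be allowed to run, unconfined, from sudo. If only `usr/bin/snap` exists in the snapd snap this is harmless but imprecise, and `/snap/snapd/@{int}/usr/bin/snap rPUx,` keeps the original precision with the new mode. Either way, a `# TODO: rPx once snap is confined` comment here would match the convention used elsewhere in these profiles.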