mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2025-01-18 08:58:15 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat(snap): do not confine snap.

Browse source 
Curently ignored because of some incompatibilities with snap-confine.

snap-confine is more important to confine than snap itself.
This commit is contained in:
Alexandre Pujol 2023-09-10 12:07:35 +01:00
parent aaed7a25da
commit 3147f7d59a
Failed to generate hash of commit
10 changed files with 12 additions and 13 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
apparmor.d/groups/apt/command-not-found
View file

@ -21,7 +21,7 @@ profile command-not-found @{exec_path} {
@{bin}/python3.[0-9]* r, @{bin}/python3.[0-9]* r,
@{bin}/lsb_release rPx -> lsb_release, @{bin}/lsb_release rPx -> lsb_release,
@{bin}/snap rPx, @{bin}/snap rPUx,
/var/lib/command-not-found/commands.db rwk, /var/lib/command-not-found/commands.db rwk,

2
apparmor.d/groups/freedesktop/xdg-desktop-portal
View file

@ -109,7 +109,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
@{bin}/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
@{bin}/nautilus rPx, @{bin}/nautilus rPx,
@{bin}/snap rPx, @{bin}/snap rPUx,
@{bin}/kreadconfig5 rPx, @{bin}/kreadconfig5 rPx,
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open, @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,

2
apparmor.d/groups/systemd/systemd-udevd
View file

@ -55,7 +55,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {
@{bin}/sed rix, @{bin}/sed rix,
@{bin}/setfacl rix, @{bin}/setfacl rix,
@{bin}/sg_inq rix, @{bin}/sg_inq rix,
@{bin}/snap rPx, @{bin}/snap rPUx,
@{bin}/systemctl rCx -> systemctl, @{bin}/systemctl rCx -> systemctl,
@{bin}/touch rix, @{bin}/touch rix,
@{bin}/unshare rix, @{bin}/unshare rix,

2
apparmor.d/groups/ubuntu/notify-reboot-required
View file

@ -15,7 +15,7 @@ profile notify-reboot-required @{exec_path} {
@{bin}/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
@{bin}/gettext rix, @{bin}/gettext rix,
@{bin}/snap rPx, @{bin}/snap rPUx,
/usr/share/update-notifier/notify-reboot-required r, /usr/share/update-notifier/notify-reboot-required r,

2
apparmor.d/groups/ubuntu/subiquity-console-conf
View file

@ -37,7 +37,7 @@ profile subiquity-console-conf @{exec_path} {
@{bin}/journalctl rCx -> journalctl, @{bin}/journalctl rCx -> journalctl,
@{bin}/ssh-keygen rPx, @{bin}/ssh-keygen rPx,
@{bin}/sshd rPx, @{bin}/sshd rPx,
/{snap/snapd/@{int}/,}{usr/,}bin/snap rPx, # TODO: rCx, @{bin}/snap rPUx,
/usr/lib/snapd/snap-recovery-chooser rPUx, /usr/lib/snapd/snap-recovery-chooser rPUx,
/usr/share/netplan/netplan.script rPUx, # TODO: rPx, /usr/share/netplan/netplan.script rPUx, # TODO: rPx,

2
apparmor.d/groups/ubuntu/update-notifier
View file

@ -40,7 +40,7 @@ profile update-notifier @{exec_path} {
@{bin}/dpkg rPx -> child-dpkg, @{bin}/dpkg rPx -> child-dpkg,
@{bin}/lsb_release rPx -> lsb_release, @{bin}/lsb_release rPx -> lsb_release,
@{bin}/pkexec rPx, # TODO: rCx or rix to run /usr/lib/update-notifier/package-system-locked @{bin}/pkexec rPx, # TODO: rCx or rix to run /usr/lib/update-notifier/package-system-locked
@{bin}/snap rPx, @{bin}/snap rPUx,
@{bin}/software-properties-gtk rPx, @{bin}/software-properties-gtk rPx,
@{bin}/systemctl rPx -> child-systemctl, @{bin}/systemctl rPx -> child-systemctl,
@{bin}/update-manager rPx, @{bin}/update-manager rPx,

2
apparmor.d/profiles-m-r/run-parts
View file

@ -151,7 +151,7 @@ profile run-parts @{exec_path} {
@{bin}/tr rix, @{bin}/tr rix,
@{bin}/uname rix, @{bin}/uname rix,
@{bin}/snap rPx, @{bin}/snap rPUx,
@{lib}/ubuntu-release-upgrader/release-upgrade-motd rPx, @{lib}/ubuntu-release-upgrader/release-upgrade-motd rPx,
@{lib}/update-notifier/update-motd-fsck-at-reboot rPx, @{lib}/update-notifier/update-motd-fsck-at-reboot rPx,
@{lib}/update-notifier/update-motd-reboot-required rix, @{lib}/update-notifier/update-motd-reboot-required rix,

6
apparmor.d/profiles-s-z/snap
View file

@ -50,9 +50,9 @@ profile snap @{exec_path} {
@{bin}/systemctl rPx -> child-systemctl, @{bin}/systemctl rPx -> child-systemctl,
/snap/{,**} rw, /snap/{,**} rw,
@{lib_dirs}/snapd/snap-confine rPx, # @{lib_dirs}/snap-confine rPx -> /usr/lib/snapd/snap-confine,
@{lib_dirs}/snapd/snap-seccomp rPx, @{lib_dirs}/snapd/snap-seccomp rPx -> snap-seccomp,
@{lib_dirs}/snapd/snapd rPx, @{lib_dirs}/snapd/snapd rPx -> snapd,
/etc/fstab r, /etc/fstab r,

3
apparmor.d/profiles-s-z/snapd
View file

@ -77,7 +77,6 @@ profile snapd @{exec_path} {
@{bin}/kmod rPx, @{bin}/kmod rPx,
@{bin}/mount rix, @{bin}/mount rix,
@{bin}/runuser rCx -> runuser, @{bin}/runuser rCx -> runuser,
@{bin}/snap rPx,
@{bin}/sync rix, @{bin}/sync rix,
@{bin}/systemctl rix, @{bin}/systemctl rix,
@{bin}/systemd-detect-virt rPx, @{bin}/systemd-detect-virt rPx,
@ -88,7 +87,7 @@ profile snapd @{exec_path} {
@{bin}/update-desktop-database rPx, @{bin}/update-desktop-database rPx,
@{bin_dirs}/fc-cache-* mr, @{bin_dirs}/fc-cache-* mr,
@{bin_dirs}/snap rPx -> snap, @{bin_dirs}/snap rPUx,
@{bin_dirs}/xdelta3 rix, @{bin_dirs}/xdelta3 rix,
@{lib_dirs}/@{multiarch}/** mr, @{lib_dirs}/@{multiarch}/** mr,
@{lib_dirs}/@{multiarch}/ld-*.so rix, @{lib_dirs}/@{multiarch}/ld-*.so rix,

2
apparmor.d/profiles-s-z/sudo
View file

@ -56,7 +56,7 @@ profile sudo @{exec_path} {
@{lib}/** rPUx, @{lib}/** rPUx,
@{lib}/sudo/** mr, @{lib}/sudo/** mr,
/snap/snapd/@{int}/usr/bin/snap rPx, /snap/snapd/@{int}@{bin}/snap rPUx,
@{etc_ro}/environment r, @{etc_ro}/environment r,
@{etc_ro}/security/limits.d/{,*} r, @{etc_ro}/security/limits.d/{,*} r,