profiles: update snap_browsers permissions
The snap_browsers abstraction requires more permissions due to updates to snaps. Some of these permissions are not required on older versions of Ubuntu that use 2.12 and 2.13, but they are introduced for unification and ease of maintenance. These include all dbus permissions, @{PROC}/sys/kernel/random/uuid r, owner @{PROC}/@{pid}/cgroup r, and /var/lib/snapd/sequence/{chromium,firefox,opera}.json r. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
This commit is contained in:
parent
69302067b0
commit
eb828dde6f
1 changed files with 9 additions and 2 deletions
|
@ -1,6 +1,7 @@
|
|||
profile snap_browsers {
|
||||
include if exists <abstractions/snap_browsers.d>
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-session-strict>
|
||||
|
||||
/etc/passwd r,
|
||||
/etc/nsswitch.conf r,
|
||||
|
@ -8,7 +9,6 @@ profile snap_browsers {
|
|||
|
||||
# noisy
|
||||
deny owner /run/user/[0-9]*/gdm/Xauthority r, # not needed on Ubuntu
|
||||
deny /run/snapd.socket rw,
|
||||
|
||||
/{,snap/core/[0-9]*/,snap/snapd/[0-9]*/}usr/bin/snap mrix, # re-exec
|
||||
/{,snap/core/[0-9]*/,snap/snapd/[0-9]*/}usr/lib/snapd/info r,
|
||||
|
@ -16,14 +16,19 @@ profile snap_browsers {
|
|||
/{,snap/core/[0-9]*/,snap/snapd/[0-9]*/}usr/lib/snapd/snap-seccomp rPix,
|
||||
/{,snap/core/[0-9]*/,snap/snapd/[0-9]*/}usr/lib/snapd/snap-confine Pix,
|
||||
/var/lib/snapd/system-key r,
|
||||
/run/snapd.socket rw,
|
||||
|
||||
@{PROC}/version r,
|
||||
@{PROC}/cmdline r,
|
||||
@{PROC}/sys/net/core/somaxconn r,
|
||||
@{PROC}/sys/kernel/seccomp/actions_avail r,
|
||||
@{PROC}/sys/kernel/random/uuid r,
|
||||
owner @{PROC}/@{pid}/cgroup r,
|
||||
owner @{PROC}/@{pid}/mountinfo r,
|
||||
owner @{HOME}/.snap/auth.json r, # if exists, required
|
||||
owner /run/user/[0-9]*/bus rw,
|
||||
|
||||
dbus send bus="session" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="StartTransientUnit" peer=(name="org.freedesktop.systemd1"),
|
||||
dbus receive bus="session" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="JobRemoved",
|
||||
|
||||
/sys/kernel/security/apparmor/features/ r,
|
||||
|
||||
|
@ -31,5 +36,7 @@ profile snap_browsers {
|
|||
/snap/chromium/[0-9]*/meta/{snap.yaml,hooks/} r,
|
||||
/snap/firefox/[0-9]*/meta/{snap.yaml,hooks/} r,
|
||||
/snap/opera/[0-9]*/meta/{snap.yaml,hooks/} r,
|
||||
|
||||
/var/lib/snapd/sequence/{chromium,firefox,opera}.json r,
|
||||
# add other browsers here
|
||||
}
|
||||
|
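Review bot: The `dbus send ... member="StartTransientUnit"` rule in the third hunk lets the confined process ask the user's systemd instance to start units, and as far as I can tell those units run under whatever confinement systemd --user applies to them rather than under the profile that included this abstraction, so the rule deliberately widens the confinement boundary and should carry a why-comment, e.g. `# snap run hands the launch to systemd --user; units started this way are not confined by this profile`. The companion `dbus receive ... member="JobRemoved"` rule has no `peer=` restriction, unlike the send rule; if it can be scoped to systemd in the same way it should be, otherwise a short comment should say why it cannot. The second hunk appears to drop `deny /run/snapd.socket rw,` from the `# noisy` block while the third adds `/run/snapd.socket rw,` (the sides are inferred, since the +/- markers are lost in this rendering), and neither the commit message nor the profile says why the snapd control socket is now reachable; a trailing comment such as `# snapd control socket, needed by snap run` would document that. The profile block itself opens in the first hunk and closes in the fourth, so the section is complete here.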
|