%PDF- %PDF-
Direktori : /var/lib/snapd/apparmor/profiles/ |
Current File : /var/lib/snapd/apparmor/profiles/snap.firefox.hook.configure |
# vim:syntax=apparmor #include <tunables/global> #include if exists "/var/lib/snapd/apparmor/snap-tuning" # snapd supports the concept of 'parallel installs' where snaps with the same # name are differentiated by '_<instance>' such that foo, foo_bar and foo_baz # may all be installed on the system. To support this, SNAP_NAME is set to the # name (eg, 'foo') while SNAP_INSTANCE_NAME is set to the instance name (eg # 'foo_bar'). The profile name and most rules therefore reference # SNAP_INSTANCE_NAME. In some cases, snapd will adjust the snap's runtime # environment so the snap doesn't have to be aware of the distinction (eg, # SNAP, SNAP_DATA and SNAP_COMMON are all bind mounted onto a directory with # SNAP_NAME so the security policy will allow writing to both locations (since # they are equivalent). # This is a snap name without the instance key @{SNAP_NAME}="firefox" # This is a snap name with instance key @{SNAP_INSTANCE_NAME}="firefox" @{SNAP_INSTANCE_DESKTOP}="firefox" @{SNAP_COMMAND_NAME}="hook.configure" @{SNAP_REVISION}="5091" @{PROFILE_DBUS}="snap_2efirefox_2ehook_2econfigure" @{INSTALL_DIR}="/{,var/lib/snapd/}snap" profile "snap.firefox.hook.configure" flags=(attach_disconnected,mediate_deleted) { #include <abstractions/base> #include <abstractions/consoles> #include <abstractions/openssl> # While in later versions of the base abstraction, include this explicitly # for series 16 and cross-distro /etc/ld.so.preload r, # The base abstraction doesn't yet have this /etc/sysconfig/clock r, owner @{PROC}/@{pid}/maps k, # /proc/XXXX/map_files contains the same info than /proc/XXXX/maps, but # in a format that is simpler to manage, because it doesn't require to # parse the text data inside a file, but just reading the contents of # a directory. # Reading /proc/XXXX/maps is already allowed in the base template # via <abstractions/base>. Also, only the owner can read it, and the # kernel limits access to it by requiring 'ptrace' enabled, so allowing # to access /proc/XXXX/map_files can be considered secure too. owner @{PROC}/@{pid}/map_files/ r, # While the base abstraction has rules for encryptfs encrypted home and # private directories, it is missing rules for directory read on the toplevel # directory of the mount (LP: #1848919) owner @{HOME}/.Private/ r, owner @{HOMEDIRS}/.ecryptfs/*/.Private/ r, # for python apps/services #include <abstractions/python> /etc/python3.[0-9]*/** r, # explicitly deny noisy denials to read-only filesystems (see LP: #1496895 # for details) deny /usr/lib/python3*/{,**/}__pycache__/ w, deny /usr/lib/python3*/{,**/}__pycache__/**.pyc.[0-9]* w, # bind mount used here (see 'parallel installs', above) deny @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/**/__pycache__/ w, deny @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/**/__pycache__/*.pyc.[0-9]* w, # for perl apps/services #include <abstractions/perl> # Missing from perl abstraction /usr/lib/@{multiarch}/perl{,5,-base}/auto/**.so* mr, # Note: the following dangerous accesses should not be allowed in most # policy, but we cannot explicitly deny since other trusted interfaces might # add them. # Explicitly deny ptrace for now since it can be abused to break out of the # seccomp sandbox. https://lkml.org/lkml/2015/3/18/823 #audit deny ptrace (trace), # Explicitly deny capability mknod so apps can't create devices #audit deny capability mknod, # Explicitly deny mount, remount and umount so apps can't modify things in # their namespace #audit deny mount, #audit deny remount, #audit deny umount, # End dangerous accesses # Note: this potentially allows snaps to DoS other snaps via resource # exhaustion but we can't sensibly mediate this today. In the future we may # employ cgroup limits, AppArmor rlimit mlock rules or something else. capability ipc_lock, # for bash 'binaries' (do *not* use abstractions/bash) # user-specific bash files /etc/bash.bashrc r, /etc/inputrc r, /etc/environment r, /etc/profile r, # user/group/seat lookups /etc/{passwd,group,nsswitch.conf} r, # very common /var/lib/extrausers/{passwd,group} r, /run/systemd/users/[0-9]* r, /etc/default/nss r, # libnss-systemd (subset from nameservice abstraction) # # https://systemd.io/USER_GROUP_API/ # https://systemd.io/USER_RECORD/ # https://www.freedesktop.org/software/systemd/man/nss-systemd.html # # Allow User/Group lookups via common VarLink socket APIs. Applications need # to either consult all of them or the io.systemd.Multiplexer frontend. /run/systemd/userdb/ r, /run/systemd/userdb/io.systemd.Multiplexer rw, /run/systemd/userdb/io.systemd.DynamicUser rw, # systemd-exec users /run/systemd/userdb/io.systemd.Home rw, # systemd-home dirs /run/systemd/userdb/io.systemd.NameServiceSwitch rw, # UNIX/glibc NSS /run/systemd/userdb/io.systemd.Machine rw, # systemd-machined /etc/libnl-3/{classid,pktloc} r, # apps that use libnl # For snappy reexec on 4.8+ kernels /usr/lib/snapd/snap-exec m, # For gdb support /usr/lib/snapd/snap-gdb-shim ixr, /usr/lib/snapd/snap-gdbserver-shim ixr, # For in-snap tab completion /etc/bash_completion.d/{,*} r, /usr/lib/snapd/etelpmoc.sh ixr, # marshaller (see complete.sh for out-of-snap unmarshal) /usr/share/bash-completion/bash_completion r, # user-provided completions (run in-snap) may use functions from here # uptime @{PROC}/uptime r, @{PROC}/loadavg r, # Allow reading /etc/os-release. On Ubuntu 16.04+ it is a symlink to /usr/lib # which is allowed by the base abstraction, but on 14.04 it is an actual file # so need to add it here. Also allow read locks on the file. /etc/os-release rk, /usr/lib/os-release k, # systemd native journal API (see sd_journal_print(4)). This should be in # AppArmor's base abstraction, but until it is, include here. We include # the base journal path as well as the journal namespace pattern path. Each # journal namespace for quota groups will be prefixed with 'snap-'. /run/systemd/journal{,.snap-*}/socket w, /run/systemd/journal{,.snap-*}/stdout rw, # 'r' shouldn't be needed, but journald # doesn't leak anything so allow # snapctl and its requirements /usr/bin/snapctl ixr, /usr/lib/snapd/snapctl ixr, @{PROC}/sys/net/core/somaxconn r, /run/snapd-snap.socket rw, # Note: for now, don't explicitly deny this noisy denial so --devmode isn't # broken but eventually we may conditionally deny this since it is an # information leak. #deny /{,var/}run/utmp r, # java @{PROC}/@{pid}/ r, @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/auxv r, @{PROC}/sys/vm/zone_reclaim_mode r, /etc/lsb-release r, /sys/devices/**/read_ahead_kb r, /sys/devices/system/cpu/** r, /sys/devices/system/node/node[0-9]*/* r, /sys/kernel/mm/transparent_hugepage/enabled r, /sys/kernel/mm/transparent_hugepage/defrag r, # NOTE: this leaks running process but java seems to want it (even though it # seems to operate ok without it) and SDL apps crash without it. Allow owner # match until AppArmor kernel var is available to solve this properly (see # LP: #1546825 for details). comm is a subset of cmdline, so allow it too. owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/comm r, # Per man(5) proc, the kernel enforces that a thread may only modify its comm # value or those in its thread group. owner @{PROC}/@{pid}/task/@{tid}/comm rw, # Allow reading and writing to our file descriptors in /proc which, for # example, allow access to /dev/std{in,out,err} which are all symlinks to # /proc/self/fd/{0,1,2} respectively. To support the open(..., O_TMPFILE) # linkat() temporary file technique, allow all fds. Importantly, access to # another task's fd via this proc interface is mediated via 'ptrace (read)' # (readonly) and 'ptrace (trace)' (read/write) which is denied by default, so # this rule by itself doesn't allow opening another snap's fds via proc. owner @{PROC}/@{pid}/{,task/@{tid}}fd/[0-9]* rw, # Miscellaneous accesses /dev/{,u}random w, /etc/machine-id r, /etc/mime.types r, /etc/default/keyboard r, @{PROC}/ r, @{PROC}/version r, @{PROC}/version_signature r, /etc/{,writable/}hostname r, /etc/{,writable/}localtime r, /etc/{,writable/}mailname r, /etc/{,writable/}timezone r, owner @{PROC}/@{pid}/cgroup rk, @{PROC}/@{pid}/cpuset r, @{PROC}/@{pid}/io r, owner @{PROC}/@{pid}/limits r, owner @{PROC}/@{pid}/loginuid r, @{PROC}/@{pid}/smaps r, @{PROC}/@{pid}/stat r, @{PROC}/@{pid}/statm r, @{PROC}/@{pid}/status r, @{PROC}/@{pid}/task/ r, @{PROC}/@{pid}/task/[0-9]*/smaps r, @{PROC}/@{pid}/task/[0-9]*/stat r, @{PROC}/@{pid}/task/[0-9]*/statm r, @{PROC}/@{pid}/task/[0-9]*/status r, @{PROC}/sys/fs/pipe-max-size r, @{PROC}/sys/kernel/hostname r, @{PROC}/sys/kernel/osrelease r, @{PROC}/sys/kernel/ostype r, @{PROC}/sys/kernel/pid_max r, @{PROC}/sys/kernel/yama/ptrace_scope r, @{PROC}/sys/kernel/shmmax r, # Allow apps to introspect the level of dbus mediation AppArmor implements. /sys/kernel/security/apparmor/features/dbus/mask r, @{PROC}/sys/fs/file-max r, @{PROC}/sys/fs/file-nr r, @{PROC}/sys/fs/inotify/max_* r, @{PROC}/sys/kernel/pid_max r, @{PROC}/sys/kernel/random/boot_id r, @{PROC}/sys/kernel/random/entropy_avail r, @{PROC}/sys/kernel/random/uuid r, @{PROC}/sys/kernel/cap_last_cap r, # Allow access to the uuidd daemon (this daemon is a thin wrapper around # time and getrandom()/{,u}random and, when available, runs under an # unprivilged, dedicated user). /run/uuidd/request rw, /sys/devices/virtual/tty/{console,tty*}/active r, /sys/fs/cgroup/memory/{,user.slice/}memory.limit_in_bytes r, /sys/fs/cgroup/memory/{,**/}snap.@{SNAP_INSTANCE_NAME}{,.*}/memory.limit_in_bytes r, /sys/fs/cgroup/memory/{,**/}snap.@{SNAP_INSTANCE_NAME}{,.*}/memory.stat r, /sys/fs/cgroup/cpu,cpuacct/{,user.slice/}cpu.cfs_{period,quota}_us r, /sys/fs/cgroup/cpu,cpuacct/{,**/}snap.@{SNAP_INSTANCE_NAME}{,.*}/cpu.cfs_{period,quota}_us r, /sys/fs/cgroup/cpu,cpuacct/{,user.slice/}cpu.shares r, /sys/fs/cgroup/cpu,cpuacct/{,**/}snap.@{SNAP_INSTANCE_NAME}{,.*}/cpu.shares r, /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r, /sys/module/apparmor/parameters/enabled r, /{,usr/}lib/ r, # Reads of oom_adj and oom_score_adj are safe owner @{PROC}/@{pid}/oom_{,score_}adj r, # Note: for now, don't explicitly deny write access so --devmode isn't broken # but eventually we may conditionally deny this since it allows the process # to increase the oom heuristic of other processes (make them more likely to # be killed). Once AppArmor kernel var is available to solve this properly, # this can safely be allowed since non-root processes won't be able to # decrease the value and root processes will only be able to with # 'capability sys_resource,' which we deny be default. # deny owner @{PROC}/@{pid}/oom_{,score_}adj w, # Eases hardware assignment (doesn't give anything away) /etc/udev/udev.conf r, /sys/ r, /sys/bus/ r, /sys/class/ r, # this leaks interface names and stats, but not in a way that is traceable # to the user/device @{PROC}/net/dev r, @{PROC}/@{pid}/net/dev r, # Read-only of this snap /var/lib/snapd/snaps/@{SNAP_NAME}_*.snap r, # Read-only of snapd restart state for snapctl specifically /var/lib/snapd/maintenance.json r, # Read-only for the install directory # bind mount used here (see 'parallel installs', above) @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/ r, @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}}/ r, @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}}/** mrklix, # Read-only install directory for other revisions to help with bugs like # LP: #1616650 and LP: #1655992 @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/** mrkix, # Read-only home area for other versions # bind mount *not* used here (see 'parallel installs', above) owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/ r, owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/** mrkix, # Experimental snap folder changes owner @{HOME}/.snap/data/@{SNAP_INSTANCE_NAME}/ r, owner @{HOME}/.snap/data/@{SNAP_INSTANCE_NAME}/** mrkix, owner @{HOME}/.snap/data/@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}/** wl, owner @{HOME}/.snap/data/@{SNAP_INSTANCE_NAME}/common/** wl, owner @{HOME}/Snap/@{SNAP_INSTANCE_NAME}/ r, owner @{HOME}/Snap/@{SNAP_INSTANCE_NAME}/** mrkixwl, # Writable home area for this version. # bind mount *not* used here (see 'parallel installs', above) owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}/** wl, owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/common/** wl, # Read-only system area for other versions # bind mount used here (see 'parallel installs', above) /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/ r, /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/** mrkix, # Writable system area only for this version # bind mount used here (see 'parallel installs', above) /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/@{SNAP_REVISION}/** wl, /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/common/** wl, # The ubuntu-core-launcher creates an app-specific private restricted /tmp # and will fail to launch the app if something goes wrong. As such, we can # simply allow full access to /tmp. /tmp/ r, /tmp/** mrwlkix, # App-specific access to files and directories in /dev/shm. We allow file # access in /dev/shm for shm_open() and files in subdirectories for open() # bind mount *not* used here (see 'parallel installs', above) /{dev,run}/shm/snap.@{SNAP_INSTANCE_NAME}.** mrwlkix, # Also allow app-specific access for sem_open() /{dev,run}/shm/sem.snap.@{SNAP_INSTANCE_NAME}.* mrwlk, # Snap-specific XDG_RUNTIME_DIR that is based on the UID of the user # bind mount *not* used here (see 'parallel installs', above) owner /run/user/[0-9]*/snap.@{SNAP_INSTANCE_NAME}/ rw, owner /run/user/[0-9]*/snap.@{SNAP_INSTANCE_NAME}/** mrwklix, # Allow apps from the same package to communicate with each other via an # abstract or anonymous socket unix (bind, listen) addr="@snap.@{SNAP_INSTANCE_NAME}.**", unix peer=(label=snap.@{SNAP_INSTANCE_NAME}.*), # Allow apps from the same package to communicate with each other via DBus. # Note: this does not grant access to the DBus sockets of well known buses # (will still need to use an appropriate interface for that). dbus (receive, send) peer=(label=snap.@{SNAP_INSTANCE_NAME}.*), # In addition to the above, dbus-run-session attempts reading these files # from the snap base runtime. /usr/share/dbus-1/services/{,*} r, /usr/share/dbus-1/system-services/{,*} r, # Allow apps to perform DBus introspection on org.freedesktop.DBus for both # the system and session buses. # Note: this does not grant access to the DBus sockets of these buses, but # we grant it here since it is missing from the dbus abstractions # (LP: #1866168) dbus (send) bus={session,system} path=/org/freedesktop/DBus interface=org.freedesktop.DBus.Introspectable member=Introspect peer=(label=unconfined), # Allow apps from the same package to signal each other via signals signal peer=snap.@{SNAP_INSTANCE_NAME}.*, # Allow receiving signals from all snaps (and focus on mediating sending of # signals) signal (receive) peer=snap.*, # Allow receiving signals from unconfined (eg, systemd) signal (receive) peer=unconfined, # for 'udevadm trigger --verbose --dry-run --tag-match=snappy-assign' /{,usr/}{,s}bin/udevadm ixr, /etc/udev/udev.conf r, /{,var/}run/udev/tags/snappy-assign/ r, @{PROC}/cmdline r, /sys/devices/**/uevent r, # LP: #1447237: adding '--property-match=SNAPPY_APP=<pkgname>' to the above # requires: # /run/udev/data/* r, # but that reveals too much about the system and cannot be granted to apps # by default at this time. # For convenience, allow apps to see what is in /dev even though cgroups # will block most access /dev/ r, /dev/**/ r, # Allow setting up pseudoterminal via /dev/pts system. This is safe because # the launcher uses a per-app devpts newinstance. /dev/ptmx rw, # Do the same with /sys/devices and /sys/class to help people using hw-assign /sys/devices/ r, /sys/devices/**/ r, /sys/class/ r, /sys/class/**/ r, # Allow all snaps to chroot capability sys_chroot, # Lttng tracing is very noisy and should not be allowed by confined apps. Can # safely deny for the normal case (LP: #1260491). If/when an lttng-trace # interface is needed, we can rework this. deny /{dev,run,var/run}/shm/lttng-ust-* rw, # Allow read-access on /home/ for navigating to other parts of the # filesystem. While this allows enumerating users, this is already allowed # via /etc/passwd and getent. @{HOMEDIRS}/ r, # Allow read-access to / for navigating to other parts of the filesystem. / r, # Snap-specific run directory. Bind mount *not* used here # (see 'parallel installs', above) /run/snap.@{SNAP_INSTANCE_NAME}/ rw, /run/snap.@{SNAP_INSTANCE_NAME}/** mrwklix, # Snap-specific lock directory and prerequisite navigation permissions. /run/lock/ r, /run/lock/snap.@{SNAP_INSTANCE_NAME}/ rw, /run/lock/snap.@{SNAP_INSTANCE_NAME}/** mrwklix, # Default rules for core base runtimes # The base abstraction doesn't yet have this /{,usr/}lib/terminfo/** rk, /usr/share/terminfo/** k, /usr/share/zoneinfo/** k, # for python apps/services /usr/bin/python{,2,2.[0-9]*,3,3.[0-9]*} ixr, # additional accesses needed for newer pythons in later bases /usr/lib{,32,64}/python3.[0-9]*/**.{pyc,so} mr, /usr/lib{,32,64}/python3.[0-9]*/**.{egg,py,pth} r, /usr/lib{,32,64}/python3.[0-9]*/{site,dist}-packages/ r, /usr/lib{,32,64}/python3.[0-9]*/lib-dynload/*.so mr, /usr/include/python3.[0-9]*/pyconfig.h r, # for perl apps/services /usr/bin/perl{,5*} ixr, # AppArmor <2.12 doesn't have rules for perl-base, so add them here /usr/lib/@{multiarch}/perl{,5,-base}/** r, /usr/lib/@{multiarch}/perl{,5,-base}/[0-9]*/**.so* mr, # for bash 'binaries' (do *not* use abstractions/bash) # user-specific bash files /{,usr/}bin/bash ixr, /{,usr/}bin/dash ixr, /usr/share/terminfo/** r, # Common utilities for shell scripts /{,usr/}bin/arch ixr, /{,usr/}bin/{,g,m}awk ixr, /{,usr/}bin/base32 ixr, /{,usr/}bin/base64 ixr, /{,usr/}bin/basename ixr, /{,usr/}bin/bunzip2 ixr, /{,usr/}bin/busctl ixr, /{,usr/}bin/bzcat ixr, /{,usr/}bin/bzdiff ixr, /{,usr/}bin/bzgrep ixr, /{,usr/}bin/bzip2 ixr, /{,usr/}bin/cat ixr, /{,usr/}bin/chgrp ixr, /{,usr/}bin/chmod ixr, /{,usr/}bin/chown ixr, /{,usr/}bin/clear ixr, /{,usr/}bin/cmp ixr, /{,usr/}bin/cp ixr, /{,usr/}bin/cpio ixr, /{,usr/}bin/cut ixr, /{,usr/}bin/date ixr, /{,usr/}bin/dbus-daemon ixr, /{,usr/}bin/dbus-run-session ixr, /{,usr/}bin/dbus-send ixr, /{,usr/}bin/dd ixr, /{,usr/}bin/diff{,3} ixr, /{,usr/}bin/dir ixr, /{,usr/}bin/dirname ixr, /{,usr/}bin/du ixr, /{,usr/}bin/echo ixr, /{,usr/}bin/{,e,f,r}grep ixr, /{,usr/}bin/env ixr, /{,usr/}bin/expr ixr, /{,usr/}bin/false ixr, /{,usr/}bin/find ixr, /{,usr/}bin/flock ixr, /{,usr/}bin/fmt ixr, /{,usr/}bin/fold ixr, /{,usr/}bin/getconf ixr, /{,usr/}bin/getent ixr, /{,usr/}bin/getopt ixr, /{,usr/}bin/groups ixr, /{,usr/}bin/gzip ixr, /{,usr/}bin/head ixr, /{,usr/}bin/hostname ixr, /{,usr/}bin/id ixr, /{,usr/}bin/igawk ixr, /{,usr/}bin/infocmp ixr, /{,usr/}bin/kill ixr, /{,usr/}bin/ldd ixr, /{usr/,}lib{,32,64}/ld{,32,64}-*.so ix, /{usr/,}lib/@{multiarch}/ld{,32,64}-*.so* ix, /{,usr/}bin/less{,file,pipe} ixr, /{,usr/}bin/ln ixr, /{,usr/}bin/line ixr, /{,usr/}bin/link ixr, /{,usr/}bin/locale ixr, /{,usr/}bin/logger ixr, /{,usr/}bin/ls ixr, /{,usr/}bin/md5sum ixr, /{,usr/}bin/mkdir ixr, /{,usr/}bin/mkfifo ixr, /{,usr/}bin/mknod ixr, /{,usr/}bin/mktemp ixr, /{,usr/}bin/more ixr, /{,usr/}bin/mv ixr, /{,usr/}bin/nice ixr, /{,usr/}bin/nohup ixr, /{,usr/}bin/numfmt ixr, /{,usr/}bin/od ixr, /{,usr/}bin/openssl ixr, # may cause harmless capability block_suspend denial /{,usr/}bin/paste ixr, /{,usr/}bin/pgrep ixr, /{,usr/}bin/printenv ixr, /{,usr/}bin/printf ixr, /{,usr/}bin/ps ixr, /{,usr/}bin/pwd ixr, /{,usr/}bin/readlink ixr, /{,usr/}bin/realpath ixr, /{,usr/}bin/rev ixr, /{,usr/}bin/rm ixr, /{,usr/}bin/rmdir ixr, /{,usr/}bin/run-parts ixr, /{,usr/}bin/sed ixr, /{,usr/}bin/seq ixr, /{,usr/}bin/sha{1,224,256,384,512}sum ixr, /{,usr/}bin/shuf ixr, /{,usr/}bin/sleep ixr, /{,usr/}bin/sort ixr, /{,usr/}bin/stat ixr, /{,usr/}bin/stdbuf ixr, /{,usr/}bin/stty ixr, /{,usr/}bin/sync ixr, /{,usr/}bin/systemd-cat ixr, /{,usr/}bin/tac ixr, /{,usr/}bin/tail ixr, /{,usr/}bin/tar ixr, /{,usr/}bin/tee ixr, /{,usr/}bin/test ixr, /{,usr/}bin/tempfile ixr, /{,usr/}bin/tset ixr, /{,usr/}bin/touch ixr, /{,usr/}bin/tput ixr, /{,usr/}bin/tr ixr, /{,usr/}bin/true ixr, /{,usr/}bin/tty ixr, /{,usr/}bin/uname ixr, /{,usr/}bin/uniq ixr, /{,usr/}bin/unlink ixr, /{,usr/}bin/unxz ixr, /{,usr/}bin/unzip ixr, /{,usr/}bin/uptime ixr, /{,usr/}bin/vdir ixr, /{,usr/}bin/wc ixr, /{,usr/}bin/which{,.debianutils} ixr, /{,usr/}bin/xargs ixr, /{,usr/}bin/xz ixr, /{,usr/}bin/yes ixr, /{,usr/}bin/zcat ixr, /{,usr/}bin/z{,e,f}grep ixr, /{,usr/}bin/zip ixr, /{,usr/}bin/zipgrep ixr, # lsb-release /usr/bin/lsb_release ixr, /usr/bin/ r, /usr/share/distro-info/*.csv r, # For printing the cache (we don't allow updating the cache) /{,usr/}sbin/ldconfig{,.real} ixr, # Allow all snaps to chroot /{,usr/}sbin/chroot ixr, # Description: Can access basic graphical desktop resources. To be used with # other interfaces (eg, wayland). #include <abstractions/dbus-strict> #include <abstractions/dbus-session-strict> # Allow finding the DBus session bus id (eg, via dbus_bus_get_id()) dbus (send) bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=GetId peer=(name=org.freedesktop.DBus, label=unconfined), #include <abstractions/fonts> owner @{HOME}/.local/share/fonts/{,**} r, /var/cache/fontconfig/ r, /var/cache/fontconfig/** mr, # some applications are known to mmap fonts /usr/{,local/}share/fonts/** m, # Allow access to xdg-document-portal file system. Access control is # handled by bind mounting a snap-specific sub-tree to this location # (ie, this is /run/user/<uid>/doc/by-app/snap.@{SNAP_INSTANCE_NAME} # on the host). owner /run/user/[0-9]*/doc/{,*/} r, # Allow rw access without owner match to the documents themselves since # the user guided the access and can specify anything DAC allows. /run/user/[0-9]*/doc/*/** rw, # Allow access to xdg-desktop-portal and xdg-document-portal dbus (receive, send) bus=session interface=org.freedesktop.portal.* path=/org/freedesktop/portal/{desktop,documents}{,/**} peer=(label=unconfined), dbus (receive, send) bus=session interface=org.freedesktop.DBus.Properties path=/org/freedesktop/portal/{desktop,documents}{,/**} peer=(label=unconfined), # The portals service is normally running and newer versions of # xdg-desktop-portal include AssumedAppArmor=unconfined. Since older # systems don't have this and because gtkfilechoosernativeportal.c relies on # service activation, allow sends to peer=(name=org.freedesktop.portal.{Desktop,Documents}) # for service activation. dbus (send) bus=session interface=org.freedesktop.portal.* path=/org/freedesktop/portal/desktop{,/**} peer=(name=org.freedesktop.portal.Desktop), dbus (send) bus=session interface=org.freedesktop.DBus.Properties path=/org/freedesktop/portal/desktop{,/**} peer=(name=org.freedesktop.portal.Desktop), dbus (send) bus=session interface=org.freedesktop.portal.* path=/org/freedesktop/portal/documents{,/**} peer=(name=org.freedesktop.portal.Documents), dbus (send) bus=session interface=org.freedesktop.DBus.Properties path=/org/freedesktop/portal/documents{,/**} peer=(name=org.freedesktop.portal.Documents), # Allow to get the current idle time only from Mutter dbus (send) bus=session path="/org/gnome/Mutter/IdleMonitor/Core" interface="org.gnome.Mutter.IdleMonitor" member="GetIdletime" peer=(label=unconfined), # Description: Can access specific personal files or directories in the # users's home directory. # This is restricted because it gives file access to arbitrary locations. owner "@{HOME}/.mozilla/firefox{,/,/**}" rk, # Description: Can access specific system files or directories. # This is restricted because it gives file access to arbitrary locations. "/etc/firefox{,/,/**}" rk, # In addition to the bind mount, add any AppArmor rules so that # snaps may directly access the slot implementation's files # read-only. "/snap/gnome-42-2204/176/**" mrkix, # In addition to the bind mount, add any AppArmor rules so that # snaps may directly access the slot implementation's files # read-only. "/snap/gtk-common-themes/1535/share/icons/default/**" mrkix, "/snap/gtk-common-themes/1535/share/icons/Adwaita/**" mrkix, "/snap/gtk-common-themes/1535/share/icons/hicolor/**" mrkix, "/snap/gtk-common-themes/1535/share/icons/HighContrast/**" mrkix, "/snap/gtk-common-themes/1535/share/icons/Humanity/**" mrkix, "/snap/gtk-common-themes/1535/share/icons/Humanity-Dark/**" mrkix, "/snap/gtk-common-themes/1535/share/icons/ubuntu-mono-dark/**" mrkix, "/snap/gtk-common-themes/1535/share/icons/ubuntu-mono-light/**" mrkix, "/snap/gtk-common-themes/1535/share/icons/DMZ-Black/**" mrkix, "/snap/gtk-common-themes/1535/share/icons/DMZ-White/**" mrkix, "/snap/gtk-common-themes/1535/share/icons/Yaru/**" mrkix, "/snap/gtk-common-themes/1535/share/icons/Yaru-bark/**" mrkix, "/snap/gtk-common-themes/1535/share/icons/Yaru-blue/**" mrkix, "/snap/gtk-common-themes/1535/share/icons/Yaru-magenta/**" mrkix, "/snap/gtk-common-themes/1535/share/icons/Yaru-olive/**" mrkix, "/snap/gtk-common-themes/1535/share/icons/Yaru-prussiangreen/**" mrkix, "/snap/gtk-common-themes/1535/share/icons/Yaru-purple/**" mrkix, "/snap/gtk-common-themes/1535/share/icons/Yaru-red/**" mrkix, "/snap/gtk-common-themes/1535/share/icons/Yaru-sage/**" mrkix, "/snap/gtk-common-themes/1535/share/icons/Yaru-viridian/**" mrkix, "/snap/gtk-common-themes/1535/share/icons/Yaru-dark/**" mrkix, "/snap/gtk-common-themes/1535/share/icons/Yaru-bark-dark/**" mrkix, "/snap/gtk-common-themes/1535/share/icons/Yaru-blue-dark/**" mrkix, "/snap/gtk-common-themes/1535/share/icons/Yaru-magenta-dark/**" mrkix, "/snap/gtk-common-themes/1535/share/icons/Yaru-olive-dark/**" mrkix, "/snap/gtk-common-themes/1535/share/icons/Yaru-prussiangreen-dark/**" mrkix, "/snap/gtk-common-themes/1535/share/icons/Yaru-purple-dark/**" mrkix, "/snap/gtk-common-themes/1535/share/icons/Yaru-red-dark/**" mrkix, "/snap/gtk-common-themes/1535/share/icons/Yaru-sage-dark/**" mrkix, "/snap/gtk-common-themes/1535/share/icons/Yaru-viridian-dark/**" mrkix, "/snap/gtk-common-themes/1535/share/icons/elementary/**" mrkix, "/snap/gtk-common-themes/1535/share/icons/Ambiant-MATE/**" mrkix, "/snap/gtk-common-themes/1535/share/icons/Radiant-MATE/**" mrkix, "/snap/gtk-common-themes/1535/share/icons/Yaru-MATE-light/**" mrkix, "/snap/gtk-common-themes/1535/share/icons/Yaru-MATE-dark/**" mrkix, "/snap/gtk-common-themes/1535/share/icons/Yaru-mate/**" mrkix, "/snap/gtk-common-themes/1535/share/icons/Yaru-mate-dark/**" mrkix, "/snap/gtk-common-themes/1535/share/icons/Papirus-Adapta-Maia/**" mrkix, "/snap/gtk-common-themes/1535/share/icons/Papirus-Adapta-Nokto-Maia/**" mrkix, "/snap/gtk-common-themes/1535/share/icons/Papirus-Dark-Maia/**" mrkix, "/snap/gtk-common-themes/1535/share/icons/Papirus-Light-Maia/**" mrkix, "/snap/gtk-common-themes/1535/share/icons/Papirus-Maia/**" mrkix, "/snap/gtk-common-themes/1535/share/icons/breeze_cursors/**" mrkix, "/snap/gtk-common-themes/1535/share/icons/Breeze_Snow/**" mrkix, "/snap/gtk-common-themes/1535/share/icons/elementary-xfce/**" mrkix, "/snap/gtk-common-themes/1535/share/icons/elementary-xfce-dark/**" mrkix, "/snap/gtk-common-themes/1535/share/icons/elementary-xfce-darker/**" mrkix, "/snap/gtk-common-themes/1535/share/icons/elementary-xfce-darkest/**" mrkix, "/snap/gtk-common-themes/1535/share/icons/handhelds/**" mrkix, "/snap/gtk-common-themes/1535/share/icons/redglass/**" mrkix, "/snap/gtk-common-themes/1535/share/icons/whiteglass/**" mrkix, # In addition to the bind mount, add any AppArmor rules so that # snaps may directly access the slot implementation's files # read-only. "/snap/gtk-common-themes/1535/share/sounds/Yaru/**" mrkix, "/snap/gtk-common-themes/1535/share/sounds/freedesktop/**" mrkix, # In addition to the bind mount, add any AppArmor rules so that # snaps may directly access the slot implementation's files # read-only. "/snap/gtk-common-themes/1535/share/themes/Adwaita/**" mrkix, "/snap/gtk-common-themes/1535/share/themes/Adwaita-dark/**" mrkix, "/snap/gtk-common-themes/1535/share/themes/HighContrast/**" mrkix, "/snap/gtk-common-themes/1535/share/themes/Ambiance/**" mrkix, "/snap/gtk-common-themes/1535/share/themes/Radiance/**" mrkix, "/snap/gtk-common-themes/1535/share/themes/Arc/**" mrkix, "/snap/gtk-common-themes/1535/share/themes/Arc-Dark/**" mrkix, "/snap/gtk-common-themes/1535/share/themes/Arc-Darker/**" mrkix, "/snap/gtk-common-themes/1535/share/themes/Breeze/**" mrkix, "/snap/gtk-common-themes/1535/share/themes/Breeze-Dark/**" mrkix, "/snap/gtk-common-themes/1535/share/themes/Yaru-light/**" mrkix, "/snap/gtk-common-themes/1535/share/themes/Yaru/**" mrkix, "/snap/gtk-common-themes/1535/share/themes/Yaru-bark/**" mrkix, "/snap/gtk-common-themes/1535/share/themes/Yaru-blue/**" mrkix, "/snap/gtk-common-themes/1535/share/themes/Yaru-magenta/**" mrkix, "/snap/gtk-common-themes/1535/share/themes/Yaru-olive/**" mrkix, "/snap/gtk-common-themes/1535/share/themes/Yaru-prussiangreen/**" mrkix, "/snap/gtk-common-themes/1535/share/themes/Yaru-purple/**" mrkix, "/snap/gtk-common-themes/1535/share/themes/Yaru-red/**" mrkix, "/snap/gtk-common-themes/1535/share/themes/Yaru-sage/**" mrkix, "/snap/gtk-common-themes/1535/share/themes/Yaru-viridian/**" mrkix, "/snap/gtk-common-themes/1535/share/themes/Yaru-dark/**" mrkix, "/snap/gtk-common-themes/1535/share/themes/Yaru-bark-dark/**" mrkix, "/snap/gtk-common-themes/1535/share/themes/Yaru-blue-dark/**" mrkix, "/snap/gtk-common-themes/1535/share/themes/Yaru-magenta-dark/**" mrkix, "/snap/gtk-common-themes/1535/share/themes/Yaru-olive-dark/**" mrkix, "/snap/gtk-common-themes/1535/share/themes/Yaru-prussiangreen-dark/**" mrkix, "/snap/gtk-common-themes/1535/share/themes/Yaru-purple-dark/**" mrkix, "/snap/gtk-common-themes/1535/share/themes/Yaru-red-dark/**" mrkix, "/snap/gtk-common-themes/1535/share/themes/Yaru-sage-dark/**" mrkix, "/snap/gtk-common-themes/1535/share/themes/Yaru-viridian-dark/**" mrkix, "/snap/gtk-common-themes/1535/share/themes/elementary/**" mrkix, "/snap/gtk-common-themes/1535/share/themes/Ambiant-MATE/**" mrkix, "/snap/gtk-common-themes/1535/share/themes/Ambiant-MATE-Dark/**" mrkix, "/snap/gtk-common-themes/1535/share/themes/Radiant-MATE/**" mrkix, "/snap/gtk-common-themes/1535/share/themes/Yaru-MATE-light/**" mrkix, "/snap/gtk-common-themes/1535/share/themes/Yaru-MATE-dark/**" mrkix, "/snap/gtk-common-themes/1535/share/themes/Yaru-mate/**" mrkix, "/snap/gtk-common-themes/1535/share/themes/Yaru-mate-dark/**" mrkix, "/snap/gtk-common-themes/1535/share/themes/Matcha-aliz/**" mrkix, "/snap/gtk-common-themes/1535/share/themes/Matcha-azul/**" mrkix, "/snap/gtk-common-themes/1535/share/themes/Matcha-dark-aliz/**" mrkix, "/snap/gtk-common-themes/1535/share/themes/Matcha-dark-azul/**" mrkix, "/snap/gtk-common-themes/1535/share/themes/Matcha-dark-sea/**" mrkix, "/snap/gtk-common-themes/1535/share/themes/Matcha-sea/**" mrkix, "/snap/gtk-common-themes/1535/share/themes/Greybird/**" mrkix, "/snap/gtk-common-themes/1535/share/themes/Greybird-dark/**" mrkix, "/snap/gtk-common-themes/1535/share/themes/Materia/**" mrkix, "/snap/gtk-common-themes/1535/share/themes/Materia-compact/**" mrkix, "/snap/gtk-common-themes/1535/share/themes/Materia-dark/**" mrkix, "/snap/gtk-common-themes/1535/share/themes/Materia-dark-compact/**" mrkix, "/snap/gtk-common-themes/1535/share/themes/Materia-light/**" mrkix, "/snap/gtk-common-themes/1535/share/themes/Materia-light-compact/**" mrkix, # subset of gnome abstraction /etc/gtk-3.0/settings.ini r, owner @{HOME}/.config/gtk-3.0/settings.ini r, owner @{HOME}/.config/gtk-3.0/*.css r, # Note: this leaks directory names that wouldn't otherwise be known to the snap owner @{HOME}/.config/gtk-3.0/bookmarks r, /usr/share/icons/ r, /usr/share/icons/** r, /usr/share/icons/*/index.theme rk, /usr/share/pixmaps/ r, /usr/share/pixmaps/** r, /usr/share/unity/icons/** r, /usr/share/thumbnailer/icons/** r, /usr/share/themes/** r, # The snapcraft desktop part may look for schema files in various locations, so # allow reading system installed schemas. /usr/share/glib*/schemas/{,*} r, /usr/share/gnome/glib*/schemas/{,*} r, /usr/share/ubuntu/glib*/schemas/{,*} r, # subset of freedesktop.org owner @{HOME}/.local/share/mime/** r, owner @{HOME}/.config/user-dirs.* r, /etc/xdg/user-dirs.conf r, /etc/xdg/user-dirs.defaults r, # gmenu dbus (send) bus=session interface=org.gtk.Actions member=Changed peer=(label=unconfined), # notifications dbus (send) bus=session path=/org/freedesktop/Notifications interface=org.freedesktop.Notifications member="{GetCapabilities,GetServerInformation,Notify,CloseNotification}" peer=(label="{plasmashell,unconfined}"), dbus (receive) bus=session path=/org/freedesktop/Notifications interface=org.freedesktop.Notifications member={ActionInvoked,NotificationClosed,NotificationReplied} peer=(label="{plasmashell,unconfined}"), # KDE Plasma's Inhibited property indicating "do not disturb" mode # https://invent.kde.org/plasma/plasma-workspace/-/blob/master/libnotificationmanager/dbus/org.freedesktop.Notifications.xml#L42 dbus (send) bus=session path=/org/freedesktop/Notifications interface=org.freedesktop.DBus.Properties member="Get{,All}" peer=(label="{plasmashell,unconfined}"), dbus (receive) bus=session path=/org/freedesktop/Notifications interface=org.freedesktop.DBus.Properties member=PropertiesChanged peer=(label="{plasmashell,unconfined}"), # DesktopAppInfo Launched dbus (send) bus=session path=/org/gtk/gio/DesktopAppInfo interface=org.gtk.gio.DesktopAppInfo member=Launched peer=(label=unconfined), # Allow requesting interest in receiving media key events. This tells Gnome # settings that our application should be notified when key events we are # interested in are pressed, and allows us to receive those events. dbus (receive, send) bus=session interface=org.gnome.SettingsDaemon.MediaKeys path=/org/gnome/SettingsDaemon/MediaKeys peer=(label=unconfined), dbus (send) bus=session interface=org.freedesktop.DBus.Properties path=/org/gnome/SettingsDaemon/MediaKeys member="Get{,All}" peer=(label=unconfined), # Allow accessing the GNOME crypto services prompt APIs as used by # applications using libgcr (such as pinentry-gnome3) for secure pin # entry to unlock GPG keys etc. See: # https://developer.gnome.org/gcr/unstable/GcrPrompt.html # https://developer.gnome.org/gcr/unstable/GcrSecretExchange.html dbus (send) bus=session path=/org/gnome/keyring/Prompter interface=org.gnome.keyring.internal.Prompter member="{BeginPrompting,PerformPrompt,StopPrompting}" peer=(label=unconfined), # While the DBus path is not snap-specific, by the time an application # registers the prompt path via DBus, Gcr will check that it isn't # already in use and send the client an error if it is. See: # https://github.com/snapcore/snapd/pull/7673#issuecomment-592229711 dbus (receive) bus=session path=/org/gnome/keyring/Prompt/p[0-9]* interface=org.gnome.keyring.internal.Prompter.Callback member="{PromptReady,PromptDone}" peer=(label=unconfined), # Allow use of snapd's internal 'xdg-open' /usr/bin/xdg-open ixr, # While /usr/share/applications comes from the base runtime of the snap, it # has some things that snaps actually need, so allow access to those and deny # access to the others /usr/share/applications/ r, /usr/share/applications/mimeapps.list r, /usr/share/applications/xdg-open.desktop r, # silence noisy denials from desktop files in core* snaps that aren't usable by # snaps deny /usr/share/applications/python*.desktop r, deny /usr/share/applications/vim.desktop r, deny /usr/share/applications/snap-handle-link.desktop r, # core16 dbus (send) bus=session path=/ interface=com.canonical.SafeLauncher member=OpenURL peer=(label=unconfined), # ... and this allows access to the new xdg-open service which # is now part of snapd itself. dbus (send) bus=session path=/io/snapcraft/Launcher interface=io.snapcraft.Launcher member={OpenURL,OpenFile} peer=(label=unconfined), # Allow checking status, activating and locking the screensaver # gnome/kde/freedesktop.org dbus (send) bus=session path="/{,org/freedesktop/,org/gnome/}ScreenSaver" interface="org.{freedesktop,gnome}.ScreenSaver" member="{GetActive,GetActiveTime,Lock,SetActive}" peer=(label=unconfined), dbus (receive) bus=session path="/{,org/freedesktop/,org/gnome/}ScreenSaver" interface="org.{freedesktop,gnome}.ScreenSaver" member=ActiveChanged peer=(label=unconfined), # Allow unconfined to introspect us dbus (receive) bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect peer=(label=unconfined), # Allow use of snapd's internal 'xdg-settings' /usr/bin/xdg-settings ixr, dbus (send) bus=session path=/io/snapcraft/Settings interface=io.snapcraft.Settings member={Check,CheckSub,Get,GetSub,Set,SetSub} peer=(label=unconfined), # These accesses are noisy and applications can't do anything with the found # icon files, so explicitly deny to silence the denials deny /var/lib/snapd/desktop/icons/{,**/} r, # These accesses occur when flatpaks are on the system since it updates # XDG_DATA_DIRS to contain $HOME/.local/share/flatpak/exports/share. Until # we have better XDG_DATA_DIRS handling, silence these noisy denials. # https://github.com/snapcrafters/discord/issues/23#issuecomment-637607843 deny @{HOME}/.local/share/flatpak/exports/share/** r, # Allow access to the IBus portal (IBUS_USE_PORTAL=1) dbus (send) bus=session path=/org/freedesktop/IBus interface=org.freedesktop.IBus.Portal member=CreateInputContext peer=(name=org.freedesktop.portal.IBus), dbus (send, receive) bus=session path=/org/freedesktop/IBus/InputContext_[0-9]* interface=org.freedesktop.IBus.InputContext peer=(label=unconfined), # Allow access to the Fcitx portal, supported by fcitx/fcitx5 dbus (send) bus=session path=/{,org/freedesktop/portal/}inputmethod interface=org.fcitx.Fcitx.InputMethod1 member={CreateInputContext,Version} peer=(name=org.freedesktop.portal.Fcitx), dbus (send, receive) bus=session path=/{,org/freedesktop/portal/}inputcontext/** interface=org.fcitx.Fcitx.InputContext1 peer=(label=unconfined), # Layout path: /usr/lib/x86_64-linux-gnu/webkit2gtk-4.0 "/usr/lib/x86_64-linux-gnu/webkit2gtk-4.0{,/**}" mrwklix, # Layout path: /usr/lib/x86_64-linux-gnu/webkit2gtk-4.1 "/usr/lib/x86_64-linux-gnu/webkit2gtk-4.1{,/**}" mrwklix, # Layout path: /usr/share/alsa "/usr/share/alsa{,/**}" mrwklix, # Layout path: /usr/share/libdrm "/usr/share/libdrm{,/**}" mrwklix, # Layout path: /usr/share/xml/iso-codes "/usr/share/xml/iso-codes{,/**}" mrwklix, }