/snap-confine

Update apparmor profile for snap-confine #73

Merged
merged 10 commits into from Jul 8, 2016
Commits
Jump to file or symbol
Failed to load files and symbols.
+3 −7
Split
Viewing a subset of changes. View all
Prev Next

Constrain allowed locatios for mount profiles 

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
  • Loading branch information...
commit 24bbd4338d24e97330ccd20e3cb01cb714b5f08c @zyga zyga committed Jul 7, 2016
View
10 debian/usr.bin.snap-confine
@@ -116,13 +116,9 @@
mount options=(rw bind) /snap/ubuntu-core/*/usr/ -> /usr/,
mount options=(rw bind) /snap/ubuntu-core/*/etc/alternatives/ -> /etc/alternatives/,
- # This is a somewhat of a blank check for mount profiles. Mount profiles
- # are written by the trusted snapd to a root-writable location and
- # processed by snap-confine. Regardless of configuration options and
- # runtime factors they are processed after pivot_root (on classic systems)
- # so snap.rootfs is not a factor.
- mount options=(rw bind),
- mount options=(ro bind),
+ # Allow snaps to share content amongst themselves.
@jdstrand

jdstrand Jul 7, 2016
Edited 1 time

Contributor

Please change this to:

Support mount profiles via the content interface

@zyga

zyga Jul 8, 2016

Collaborator

Sorry for missing this earlier, changing now
+ mount options=(rw bind) /snap/*/** -> /snap/*/**,
+ mount options=(ro bind) /snap/*/** -> /snap/*/**,
@jdstrand

jdstrand Jul 7, 2016
Edited 1 time

Contributor

From IRC discussion (thanks @zyga for remembering the deny rules):

# but don't share /snap/bin
audit deny mount /snap/bin/** -> /**,
audit deny mount /** -> /snap/bin/**,
@zyga

zyga Jul 8, 2016

Collaborator

Done
# nvidia handling, glob needs /usr/** and the launcher must be
# able to bind mount the nvidia dir