Merge lp:~alexmurray/snappy-hub/update-for-snapd-2.51.6 into lp:~snappy-debug-developers/snappy-hub/snappy-debug
- update-for-snapd-2.51.6
- Merge into snappy-debug
Proposed by
Alex Murray
Status: | Merged |
---|---|
Merged at revision: | 206 |
Proposed branch: | lp:~alexmurray/snappy-hub/update-for-snapd-2.51.6 |
Merge into: | lp:~snappy-debug-developers/snappy-hub/snappy-debug |
Diff against target: | 645 lines (+197/-34), 28 files modified |
- data/policy/classic/16/apparmor/account-control (+1/-1)
- data/policy/classic/16/apparmor/block-devices (+1/-0)
- data/policy/classic/16/apparmor/camera (+1/-0)
- data/policy/classic/16/apparmor/dm-crypt (+18/-0)
- data/policy/classic/16/apparmor/docker-support (+10/-1)
- data/policy/classic/16/apparmor/greengrass-support (+11/-11)
- data/policy/classic/16/apparmor/hardware-observe (+1/-1)
- data/policy/classic/16/apparmor/kernel-module-control (+1/-1)
- data/policy/classic/16/apparmor/kernel-module-observe (+1/-1)
- data/policy/classic/16/apparmor/kubernetes-support (+7/-6)
- data/policy/classic/16/apparmor/modem-manager (+2/-2)
- data/policy/classic/16/apparmor/multipass-support (+1/-1)
- data/policy/classic/16/apparmor/network-control (+3/-3)
- data/policy/classic/16/apparmor/network-setup-control (+13/-0)
- data/policy/classic/16/apparmor/network-setup-observe (+14/-0)
- data/policy/classic/16/apparmor/ofono (+2/-2)
- data/policy/classic/16/apparmor/opengl (+4/-1)
- data/policy/classic/16/apparmor/ppp (+1/-1)
- data/policy/classic/16/apparmor/raw-input (+13/-0)
- data/policy/classic/16/apparmor/sd-control (+6/-0)
- data/policy/classic/16/apparmor/system-observe (+1/-0)
- data/policy/classic/16/apparmor/tee (+9/-0)
- data/policy/classic/16/apparmor/time-control (+1/-1)
- data/policy/classic/16/seccomp/dm-crypt (+6/-0)
- data/policy/classic/16/seccomp/greengrass-support (+1/-1)
- data/policy/classic/16/seccomp/raw-input (+6/-0)
- policy-app/test-snapd-policy-app-consumer/meta/snap.yaml (+54/-0)
- policy-app/test-snapd-policy-app-provider-core/meta/snap.yaml (+8/-0)
To merge this branch: | bzr merge lp:~alexmurray/snappy-hub/update-for-snapd-2.51.6 |
Related bugs: |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
The snappy-debug snap developers | Pending | ||
Review via email: mp+407651@code.launchpad.net |
Commit message
Description of the change
Revision history for this message
Seth Arnold (seth-arnold) wrote:
Preview Diff
1 | === modified file 'data/policy/classic/16/apparmor/account-control' |
2 | --- data/policy/classic/16/apparmor/account-control 2021-03-24 13:55:25 +0000 |
3 | +++ data/policy/classic/16/apparmor/account-control 2021-08-25 03:55:24 +0000 |
4 | @@ -14,7 +14,7 @@ |
5 | /etc/pam.d/{,*} r, |
6 | |
7 | # Needed by chpasswd |
8 | -/lib/@{multiarch}/security/* ixr, |
9 | +/{,usr/}lib/@{multiarch}/security/* ixr, |
10 | |
11 | # Useradd needs netlink |
12 | network netlink raw, |
13 | |
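Review bot: the proposal has an empty commit message and description, so a reader cannot tell which of the following hunks are intentional policy changes and which are sync noise (several greengrass-support hunks differ only in trailing whitespace); please state that the files are being resynced from snapd 2.51.6, as the branch name suggests, and list the interfaces that are new in this sync (dm-crypt, raw-input, sd-control, tee). The `/{,usr/}lib/@{multiarch}/security/* ixr,` form here is the right usrmerge-tolerant spelling and matches the same change applied to the other binaries below.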
14 | === modified file 'data/policy/classic/16/apparmor/block-devices' |
15 | --- data/policy/classic/16/apparmor/block-devices 2021-03-24 13:55:25 +0000 |
16 | +++ data/policy/classic/16/apparmor/block-devices 2021-08-25 03:55:24 +0000 |
17 | @@ -4,6 +4,7 @@ |
18 | /run/udev/data/b[0-9]*:[0-9]* r, |
19 | /sys/block/ r, |
20 | /sys/devices/**/block/** r, |
21 | +/sys/devices/platform/soc/**/mmc_host/** r, |
22 | |
23 | # Access to raw devices, not individual partitions |
24 | /dev/hd[a-t] rw, # IDE, MFM, RLL |
25 | |
26 | === modified file 'data/policy/classic/16/apparmor/camera' |
27 | --- data/policy/classic/16/apparmor/camera 2021-03-24 13:55:25 +0000 |
28 | +++ data/policy/classic/16/apparmor/camera 2021-08-25 03:55:24 +0000 |
29 | @@ -17,4 +17,5 @@ |
30 | /run/udev/data/+usb:* r, |
31 | /sys/class/video4linux/ r, |
32 | /sys/devices/pci**/usb*/**/video4linux/** r, |
33 | +/sys/devices/platform/**/usb*/**/video4linux/** r, |
34 | |
35 | |
36 | === added file 'data/policy/classic/16/apparmor/dm-crypt' |
37 | --- data/policy/classic/16/apparmor/dm-crypt 1970-01-01 00:00:00 +0000 |
38 | +++ data/policy/classic/16/apparmor/dm-crypt 2021-08-25 03:55:24 +0000 |
39 | @@ -0,0 +1,18 @@ |
40 | +# Allow mapper access |
41 | +/dev/mapper/control rw, |
42 | +/dev/dm-[0-9]* rw, |
43 | +# allow use of cryptsetup from core snap |
44 | +/{,usr/}sbin/cryptsetup ixr, |
45 | +# Mount points could be in /run/media/<user>/* or /media/<user>/* |
46 | +/run/systemd/seats/* r, |
47 | +/{,run/}media/{,**} rw, |
48 | +mount options=(ro,nosuid,nodev) /dev/dm-[0-9]* -> /{,run/}media/**, |
49 | +mount options=(rw,nosuid,nodev) /dev/dm-[0-9]* -> /{,run/}media/**, |
50 | + |
51 | +# exec mount/umount to do the actual operations |
52 | +/{,usr/}bin/mount ixr, |
53 | +/{,usr/}bin/umount ixr, |
54 | + |
55 | +# mount/umount (via libmount) track some mount info in these files |
56 | +/run/mount/utab* wrlk, |
57 | + |
58 | |
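Review bot: no `umount` rule accompanies the two `mount` rules, although `/{,usr/}bin/umount ixr,` is granted, so unmounting a volume from `/{,run/}media/**` would still be denied even though the binary can be executed; add `umount /{,run/}media/**,` beside the mount rules unless that permission comes from elsewhere. Also worth stating in the header comment that `/dev/dm-[0-9]* rw,` and the mount sources cover every device-mapper node on the host, not only volumes opened through cryptsetup, since that is the actual scope of what a connected snap can read, write and mount.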
59 | === modified file 'data/policy/classic/16/apparmor/docker-support' |
60 | --- data/policy/classic/16/apparmor/docker-support 2021-03-24 13:55:25 +0000 |
61 | +++ data/policy/classic/16/apparmor/docker-support 2021-08-25 03:55:24 +0000 |
62 | @@ -86,7 +86,7 @@ |
63 | |
64 | # Docker needs to be able to create and load the profile it applies to |
65 | # containers ("docker-default") |
66 | -/sbin/apparmor_parser ixr, |
67 | +/{,usr/}sbin/apparmor_parser ixr, |
68 | /etc/apparmor.d/cache/ r, # apparmor 2.12 and below |
69 | /etc/apparmor.d/cache/.features r, |
70 | /etc/apparmor.d/{,cache/}docker* rw, |
71 | @@ -145,3 +145,12 @@ |
72 | # containerd to use this path for various account information for pods. |
73 | /run/secrets/kubernetes.io/{,**} rk, |
74 | |
75 | +# Allow using the 'autobind' feature of bind() (eg, for journald via go-systemd) |
76 | +# unix (bind) type=dgram addr=auto, |
77 | +# TODO: when snapd vendors in AppArmor userspace, then enable the new syntax |
78 | +# above which allows only "empty"/automatic addresses, for now we simply permit |
79 | +# all addresses with SOCK_DGRAM type, which leaks info for other addresses than |
80 | +# what docker tries to use |
81 | +# see https://bugs.launchpad.net/snapd/+bug/1867216 |
82 | +unix (bind) type=dgram, |
83 | + |
84 | |
85 | === modified file 'data/policy/classic/16/apparmor/greengrass-support' |
86 | --- data/policy/classic/16/apparmor/greengrass-support 2021-03-24 13:55:25 +0000 |
87 | +++ data/policy/classic/16/apparmor/greengrass-support 2021-08-25 03:55:24 +0000 |
88 | @@ -49,7 +49,7 @@ |
89 | |
90 | # cgroup accesses |
91 | # greengrassd extensively uses cgroups to confine it's containers (AKA lambdas) |
92 | -# and needs to read what cgroups are available; we allow reading any cgroup, |
93 | +# and needs to read what cgroups are available; we allow reading any cgroup, |
94 | # but limit writes below |
95 | # also note that currently greengrass is not implemented in such a way that it |
96 | # can stack it's cgroups inside the cgroup that snapd would normally enforce |
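Review bot: the `-`/`+` pair in this hunk differs only in trailing whitespace, as do the comment-line pairs in the later greengrass-support hunks, so they carry no policy change; fine to land, but say so in the commit message so future readers do not hunt for a semantic difference. The substantive changes in this file are the `/{,usr/}bin/{,u}mount` and `/{,usr/}sbin/pivot_root` paths in the next hunk.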
97 | @@ -75,10 +75,10 @@ |
98 | # specific rule for cpuset files |
99 | owner /old_rootfs/sys/fs/cgroup/cpuset/{,system.slice/}cpuset.{cpus,mems} rw, |
100 | |
101 | -# the wrapper scripts need to use mount/umount and pivot_root from the |
102 | +# the wrapper scripts need to use mount/umount and pivot_root from the |
103 | # core snap |
104 | -/bin/{,u}mount ixr, |
105 | -/sbin/pivot_root ixr, |
106 | +/{,usr/}bin/{,u}mount ixr, |
107 | +/{,usr/}sbin/pivot_root ixr, |
108 | |
109 | # allow pivot_root'ing into the rootfs prepared for the greengrass daemon |
110 | # parallel-installs: SNAP_{DATA,COMMON} are remapped, need to use SNAP_NAME, for |
111 | @@ -119,9 +119,9 @@ |
112 | # completeness allow SNAP_INSTANCE_NAME too |
113 | mount options=(rw, bind) /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/** -> /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/** , |
114 | mount options=(rw, rbind) /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/** -> /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/** , |
115 | -# also allow mounting new files anywhere underneath the rootfs of the target |
116 | +# also allow mounting new files anywhere underneath the rootfs of the target |
117 | # overlayfs directory, which is the rootfs of the container |
118 | -# this is for allowing local resource access which first makes a mount at |
119 | +# this is for allowing local resource access which first makes a mount at |
120 | # the target destination and then a bind mount from the source to the destination |
121 | # the source destination mount will be allowed under the above rule |
122 | mount -> /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/*/ggc-writable/packages/*/rootfs/merged/**, |
123 | @@ -168,7 +168,7 @@ |
124 | mount options=(rw, bind) /run/ -> /run/, |
125 | |
126 | # mounts for resolv.conf inside the container |
127 | -# we have to manually do this otherwise the go DNS resolver fails to work, because it isn't configured to |
128 | +# we have to manually do this otherwise the go DNS resolver fails to work, because it isn't configured to |
129 | # use the system DNS server and attempts to do DNS resolution itself, manually inspecting /etc/resolv.conf |
130 | mount options=(ro, bind) /run/systemd/resolve/stub-resolv.conf -> /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/*/rootfs/etc/resolv.conf, |
131 | mount options=(ro, bind) /run/resolvconf/resolv.conf -> /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/*/rootfs/etc/resolv.conf, |
132 | @@ -177,7 +177,7 @@ |
133 | # pivot_root for the container initialization into the rootfs |
134 | # note that the actual syscall is pivotroot(".",".") |
135 | # so the oldroot is the same as the new root |
136 | -pivot_root |
137 | +pivot_root |
138 | oldroot=/var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/*/ggc-writable/packages/*/rootfs/merged/ |
139 | /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/*/ggc-writable/packages/*/rootfs/merged/, |
140 | |
141 | @@ -213,12 +213,12 @@ |
142 | # and /run is explicitly disallowed for use by layouts |
143 | # also note that technically this access is post-pivot_root, but during the setup |
144 | # for the mount ns that the snap performs (not snapd), /var/run is bind mounted |
145 | -# from outside the pivot_root to inside the pivot_root, so this will always |
146 | +# from outside the pivot_root to inside the pivot_root, so this will always |
147 | # access the same files inside or outside the pivot_root |
148 | owner /{var/,}run/greengrassd.pid rw, |
149 | |
150 | -# all of the rest of the accesses are made by child containers and as such are |
151 | -# "post-pivot_root", meaning that they aren't accessing these files on the |
152 | +# all of the rest of the accesses are made by child containers and as such are |
153 | +# "post-pivot_root", meaning that they aren't accessing these files on the |
154 | # host root filesystem, but rather somewhere inside $SNAP_DATA/rootfs/ |
155 | # Note: eventually greengrass will gain the ability to specify child profiles |
156 | # for it's containers and include these rules in that profile so they won't |
157 | |
158 | === modified file 'data/policy/classic/16/apparmor/hardware-observe' |
159 | --- data/policy/classic/16/apparmor/hardware-observe 2021-03-24 13:55:25 +0000 |
160 | +++ data/policy/classic/16/apparmor/hardware-observe 2021-08-25 03:55:24 +0000 |
161 | @@ -11,7 +11,7 @@ |
162 | # used by lspci |
163 | capability sys_admin, |
164 | /etc/modprobe.d/{,*} r, |
165 | -/lib/modprobe.d/{,*} r, |
166 | +/{,usr/}lib/modprobe.d/{,*} r, |
167 | |
168 | # files in /sys pertaining to hardware (eg, 'lspci -A linux-sysfs') |
169 | /sys/{block,bus,class,devices,firmware}/{,**} r, |
170 | |
171 | === modified file 'data/policy/classic/16/apparmor/kernel-module-control' |
172 | --- data/policy/classic/16/apparmor/kernel-module-control 2021-03-24 13:55:25 +0000 |
173 | +++ data/policy/classic/16/apparmor/kernel-module-control 2021-08-25 03:55:24 +0000 |
174 | @@ -18,5 +18,5 @@ |
175 | # Allow reading information about loaded kernel modules |
176 | /sys/module/{,**} r, |
177 | /etc/modprobe.d/{,**} r, |
178 | -/lib/modprobe.d/{,**} r, |
179 | +/{,usr/}lib/modprobe.d/{,**} r, |
180 | |
181 | |
182 | === modified file 'data/policy/classic/16/apparmor/kernel-module-observe' |
183 | --- data/policy/classic/16/apparmor/kernel-module-observe 2021-03-24 13:55:25 +0000 |
184 | +++ data/policy/classic/16/apparmor/kernel-module-observe 2021-08-25 03:55:24 +0000 |
185 | @@ -12,5 +12,5 @@ |
186 | # Allow reading information about loaded kernel modules |
187 | /sys/module/{,**} r, |
188 | /etc/modprobe.d/{,**} r, |
189 | -/lib/modprobe.d/{,**} r, |
190 | +/{,usr/}lib/modprobe.d/{,**} r, |
191 | |
192 | |
193 | === modified file 'data/policy/classic/16/apparmor/kubernetes-support' |
194 | --- data/policy/classic/16/apparmor/kubernetes-support 2021-03-24 13:55:25 +0000 |
195 | +++ data/policy/classic/16/apparmor/kubernetes-support 2021-08-25 03:55:24 +0000 |
196 | @@ -169,11 +169,12 @@ |
197 | /sys/module/ip_vs_sh/initstate r, |
198 | /sys/module/ip_vs_wrr/initstate r, |
199 | |
200 | -# Allow using the 'autobind' feature of bind() (eg, for journald). |
201 | -#unix (bind) type=dgram addr=none, |
202 | -# Due to LP: 1867216, we cannot use the above rule and must instead use this |
203 | -# less specific rule that allows bind() to arbitrary SOCK_DGRAM abstract socket |
204 | -# names (separate send and receive rules are still required for communicating |
205 | -# over the socket). |
206 | +# Allow using the 'autobind' feature of bind() (eg, for journald via go-systemd) |
207 | +# unix (bind) type=dgram addr=auto, |
208 | +# TODO: when snapd vendors in AppArmor userspace, then enable the new syntax |
209 | +# above which allows only "empty"/automatic addresses, for now we simply permit |
210 | +# all addresses with SOCK_DGRAM type, which leaks info for other addresses than |
211 | +# what docker tries to use |
212 | +# see https://bugs.launchpad.net/snapd/+bug/1867216 |
213 | unix (bind) type=dgram, |
214 | |
215 | |
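Review bot: the replacement comment refers to "what docker tries to use", which is wrong in a kubernetes-support profile (the text was copied from docker-support), and it drops the old reminder that separate send and receive rules are still required to communicate over the socket; keep that sentence and reword the leak note to refer to journald/go-systemd. The rule itself, `unix (bind) type=dgram,`, is unchanged and still permits binding any abstract SOCK_DGRAM name, exactly as the comment warns, so the comment is the only thing that changes here.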
216 | === modified file 'data/policy/classic/16/apparmor/modem-manager' |
217 | --- data/policy/classic/16/apparmor/modem-manager 2021-03-24 13:55:25 +0000 |
218 | +++ data/policy/classic/16/apparmor/modem-manager 2021-08-25 03:55:24 +0000 |
219 | @@ -33,10 +33,10 @@ |
220 | bus=system |
221 | path=/org/freedesktop/ModemManager1{,/**} |
222 | interface=org.freedesktop.ModemManager1* |
223 | - peer=(label="snap.core."), |
224 | + peer=(label="snap.snapd.*"), |
225 | dbus (receive, send) |
226 | bus=system |
227 | path=/org/freedesktop/ModemManager1{,/**} |
228 | interface=org.freedesktop.DBus.* |
229 | - peer=(label="snap.core."), |
230 | + peer=(label="snap.snapd.*"), |
231 | |
232 | |
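Review bot: switching the peer from `snap.core.` to `snap.snapd.*` means these D-Bus rules only match when the ModemManager side runs under the snapd snap; if snappy-debug still needs to explain denials on systems where the core snap provides the slot, keep a `snap.core.*` alternative alongside the new label. Separately, the old label `snap.core.` has no trailing wildcard while the new one does, so either it was already broken or its `*` was lost in rendering; worth a check of the source file.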
233 | === modified file 'data/policy/classic/16/apparmor/multipass-support' |
234 | --- data/policy/classic/16/apparmor/multipass-support 2021-03-24 13:55:25 +0000 |
235 | +++ data/policy/classic/16/apparmor/multipass-support 2021-08-25 03:55:24 +0000 |
236 | @@ -1,6 +1,6 @@ |
237 | # Description: this policy intentionally allows the Multipass daemon to configure AppArmor |
238 | # as Multipass generates AppArmor profiles for the utility processes it spawns. |
239 | -/sbin/apparmor_parser ixr, |
240 | +/{,usr/}sbin/apparmor_parser ixr, |
241 | /etc/apparmor{,.d}/{,**} r, |
242 | /sys/kernel/security/apparmor/{,**} r, |
243 | /sys/kernel/security/apparmor/.remove w, |
244 | |
245 | === modified file 'data/policy/classic/16/apparmor/network-control' |
246 | --- data/policy/classic/16/apparmor/network-control 2021-03-24 13:55:25 +0000 |
247 | +++ data/policy/classic/16/apparmor/network-control 2021-08-25 03:55:24 +0000 |
248 | @@ -128,13 +128,13 @@ |
249 | /etc/hosts w, |
250 | |
251 | # resolvconf |
252 | -/sbin/resolvconf ixr, |
253 | +/{,usr/}sbin/resolvconf ixr, |
254 | /run/resolvconf/{,**} rk, |
255 | /run/resolvconf/** w, |
256 | /etc/resolvconf/{,**} r, |
257 | -/lib/resolvconf/* ix, |
258 | +/{,usr/}lib/resolvconf/* ix, |
259 | # Required by resolvconf |
260 | -/bin/run-parts ixr, |
261 | +/{,usr/}bin/run-parts ixr, |
262 | /etc/resolvconf/update.d/* ix, |
263 | |
264 | # wpa_suplicant |
265 | |
266 | === modified file 'data/policy/classic/16/apparmor/network-setup-control' |
267 | --- data/policy/classic/16/apparmor/network-setup-control 2021-03-24 13:55:25 +0000 |
268 | +++ data/policy/classic/16/apparmor/network-setup-control 2021-08-25 03:55:24 +0000 |
269 | @@ -1,5 +1,18 @@ |
270 | # Description: Can read/write netplan configuration files |
271 | |
272 | +# Allow use of the netplan binary from the base snap. With this interface, this |
273 | +# is expected to be able to apply and generate new network configuration, as |
274 | +# well as get information about the current network configuration. |
275 | +/usr/sbin/netplan ixr, |
276 | +# core18+ has /usr/sbin/netplan as a symlink to this script |
277 | +/usr/share/netplan/netplan.script ixr, |
278 | +# netplan related files |
279 | +/usr/share/netplan/ r, |
280 | +/usr/share/netplan/** r, |
281 | + |
282 | +# Netplan uses busctl internally, so allow using that as well |
283 | +/usr/bin/busctl ixr, |
284 | + |
285 | /etc/netplan/{,**} rw, |
286 | /etc/network/{,**} rw, |
287 | /etc/systemd/network/{,**} rw, |
288 | |
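Review bot: `/usr/share/netplan/ r,` and `/usr/share/netplan/** r,` can be collapsed to `/usr/share/netplan/{,**} r,` to match the `/etc/netplan/{,**} rw,` style used in the rest of the file. More importantly, `/usr/bin/busctl ixr,` only lets the snap execute busctl; no D-Bus rules are added in this hunk, so the comment should say where the rules that let busctl reach the services netplan talks to come from.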
289 | === modified file 'data/policy/classic/16/apparmor/network-setup-observe' |
290 | --- data/policy/classic/16/apparmor/network-setup-observe 2021-03-24 13:55:25 +0000 |
291 | +++ data/policy/classic/16/apparmor/network-setup-observe 2021-08-25 03:55:24 +0000 |
292 | @@ -1,5 +1,19 @@ |
293 | # Description: Can read netplan configuration files |
294 | |
295 | +# Allow use of the netplan binary from the base snap. With this interface, this |
296 | +# is expected to be able to only get information about the current network |
297 | +# configuration and not generate or apply it like is allowed with |
298 | +# network-setup-control. |
299 | +/usr/sbin/netplan ixr, |
300 | +# core18+ has /usr/sbin/netplan as a symlink to this script |
301 | +/usr/share/netplan/netplan.script ixr, |
302 | +# netplan related files |
303 | +/usr/share/netplan/ r, |
304 | +/usr/share/netplan/** r, |
305 | + |
306 | +# Netplan uses busctl internally, so allow using that as well |
307 | +/usr/bin/busctl ixr, |
308 | + |
309 | /etc/netplan/{,**} r, |
310 | /etc/network/{,**} r, |
311 | /etc/systemd/network/{,**} r, |
312 | |
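Review bot: the comment says this interface is expected only to get information and not to generate or apply configuration, yet the exec rules for netplan, netplan.script and busctl are identical to network-setup-control; the only thing preventing `netplan generate` or `netplan apply` from succeeding is the `r` (versus `rw`) on the `/etc/...` rules below, so the comment should say that the restriction comes from the read-only file rules rather than from which commands may run. Same `{,**}` style nit as in network-setup-control for the two `/usr/share/netplan` lines.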
313 | === modified file 'data/policy/classic/16/apparmor/ofono' |
314 | --- data/policy/classic/16/apparmor/ofono 2021-03-24 13:55:25 +0000 |
315 | +++ data/policy/classic/16/apparmor/ofono 2021-08-25 03:55:24 +0000 |
316 | @@ -25,7 +25,7 @@ |
317 | bus=system |
318 | path=/{,**} |
319 | interface=org.ofono.* |
320 | - peer=(label="snap.core."), |
321 | + peer=(label="snap.snapd.*"), |
322 | |
323 | # Allow clients to introspect the service on non-classic (due to the path, |
324 | # allowing on classic would reveal too much for unconfined) |
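Review bot: same peer-label change as in modem-manager: `snap.snapd.*` replaces `snap.core.`, so consider whether a `snap.core.*` form is still needed for hosts where core rather than snapd provides the ofono slot, and check the old label in the source, since as rendered here it lacks a trailing `*`.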
325 | @@ -34,5 +34,5 @@ |
326 | path=/ |
327 | interface=org.freedesktop.DBus.Introspectable |
328 | member=Introspect |
329 | - peer=(label="snap.core."), |
330 | + peer=(label="snap.snapd.*"), |
331 | |
332 | |
333 | === modified file 'data/policy/classic/16/apparmor/opengl' |
334 | --- data/policy/classic/16/apparmor/opengl 2021-03-24 13:55:25 +0000 |
335 | +++ data/policy/classic/16/apparmor/opengl 2021-08-25 03:55:24 +0000 |
336 | @@ -81,7 +81,10 @@ |
337 | |
338 | # Xilinx zocl DRM driver |
339 | # https://github.com/Xilinx/XRT/tree/master/src/runtime_src/core/edge/drm |
340 | -/sys/devices/platform/amba_pl@[0-9]*/amba_pl@[0-9]*:zyxclmm_drm/* r, |
341 | +/sys/devices/platform/amba{,_pl@[0-9]*}/amba{,_pl@[0-9]*}:zyxclmm_drm/* r, |
342 | + |
343 | +# Imagination PowerVR driver |
344 | +/dev/pvr_sync rw, |
345 | |
346 | # OpenCL ICD files |
347 | /etc/OpenCL/vendors/ r, |
348 | |
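Review bot: `/dev/pvr_sync rw,` introduces a new vendor device node with only a one-line comment; the neighbouring Xilinx entry links to the driver source, and the PowerVR rule should do the same so a later reader can verify what the node exposes before widening it. The widened `amba{,_pl@[0-9]*}` glob looks correct for both the plain `amba` and the `amba_pl@<addr>` naming.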
349 | === modified file 'data/policy/classic/16/apparmor/ppp' |
350 | --- data/policy/classic/16/apparmor/ppp 2021-03-24 13:55:25 +0000 |
351 | +++ data/policy/classic/16/apparmor/ppp 2021-08-25 03:55:24 +0000 |
352 | @@ -10,7 +10,7 @@ |
353 | /run/ppp* rwk, |
354 | /var/run/ppp* rwk, |
355 | /var/log/ppp* rw, |
356 | -/bin/run-parts ix, |
357 | +/{,usr/}bin/run-parts ix, |
358 | @{PROC}/@{pid}/loginuid r, |
359 | capability setgid, |
360 | capability setuid, |
361 | |
362 | === added file 'data/policy/classic/16/apparmor/raw-input' |
363 | --- data/policy/classic/16/apparmor/raw-input 1970-01-01 00:00:00 +0000 |
364 | +++ data/policy/classic/16/apparmor/raw-input 2021-08-25 03:55:24 +0000 |
365 | @@ -0,0 +1,13 @@ |
366 | +# Description: Allow reading and writing to raw input devices |
367 | + |
368 | +/dev/input/* rw, |
369 | + |
370 | +# Allow reading for supported event reports for all input devices. See |
371 | +# https://www.kernel.org/doc/Documentation/input/event-codes.txt |
372 | +/sys/devices/**/input[0-9]*/capabilities/* r, |
373 | + |
374 | +# For using udev |
375 | +network netlink raw, |
376 | +/run/udev/data/c13:[0-9]* r, |
377 | +/run/udev/data/+input:input[0-9]* r, |
378 | + |
379 | |
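Review bot: `/dev/input/* rw,` covers every evdev node, so a connected snap can read all keyboard and pointer events and write events (LEDs, force feedback) back to any device; the one-line description should spell out that keystroke access is included so that anyone reading snappy-debug output understands what connecting this interface grants. `/run/udev/data/c13:[0-9]* r,` correctly targets character major 13 (input devices), and the matching netlink socket is granted in the new seccomp/raw-input file.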
380 | === added file 'data/policy/classic/16/apparmor/sd-control' |
381 | --- data/policy/classic/16/apparmor/sd-control 1970-01-01 00:00:00 +0000 |
382 | +++ data/policy/classic/16/apparmor/sd-control 2021-08-25 03:55:24 +0000 |
383 | @@ -0,0 +1,6 @@ |
384 | +# Description: can manage and control the SD cards using the DualSD driver. |
385 | + |
386 | +# The main DualSD device node is used to control certain aspects of SD cards on |
387 | +# the system. |
388 | +/dev/DualSD rw, |
389 | + |
390 | |
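Review bot: the policy is specific to the DualSD driver node, and the consumer snap.yaml in this proposal declares the plug with `flavor: dual-sd`; the header comment should mention that this file applies only to that flavor so it is not mistaken for a generic SD-card interface.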
391 | === modified file 'data/policy/classic/16/apparmor/system-observe' |
392 | --- data/policy/classic/16/apparmor/system-observe 2021-03-24 13:55:25 +0000 |
393 | +++ data/policy/classic/16/apparmor/system-observe 2021-08-25 03:55:24 +0000 |
394 | @@ -22,6 +22,7 @@ |
395 | @{PROC}/modules r, |
396 | @{PROC}/stat r, |
397 | @{PROC}/vmstat r, |
398 | +@{PROC}/zoneinfo r, |
399 | @{PROC}/diskstats r, |
400 | @{PROC}/kallsyms r, |
401 | @{PROC}/partitions r, |
402 | |
403 | === added file 'data/policy/classic/16/apparmor/tee' |
404 | --- data/policy/classic/16/apparmor/tee 1970-01-01 00:00:00 +0000 |
405 | +++ data/policy/classic/16/apparmor/tee 2021-08-25 03:55:24 +0000 |
406 | @@ -0,0 +1,9 @@ |
407 | +# Description: for those who need to talk to the TEE subsystem over |
408 | +# /dev/tee[0-9]* and/or /dev/teepriv[0-0]* |
409 | + |
410 | +/dev/tee[0-9]* rw, |
411 | +/dev/teepriv[0-9]* rw, |
412 | + |
413 | +# Qualcomm equivalent qseecom (Qualcomm Secure Execution Environment Communicator) |
414 | +/dev/qseecom rw, |
415 | + |
416 | |
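Review bot: the header comment says `/dev/teepriv[0-0]*` while the rule reads `/dev/teepriv[0-9]*`; fix the comment to `[0-9]`. It would also help to note that `/dev/teepriv[0-9]*` is the supplicant-side TEE interface, distinct from the client-side `/dev/tee[0-9]*`, since granting both `rw` is a larger grant than the description implies.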
417 | === modified file 'data/policy/classic/16/apparmor/time-control' |
418 | --- data/policy/classic/16/apparmor/time-control 2021-03-24 13:55:25 +0000 |
419 | +++ data/policy/classic/16/apparmor/time-control 2021-08-25 03:55:24 +0000 |
420 | @@ -67,5 +67,5 @@ |
421 | # write to the audit subsystem. We omit 'capability audit_write' |
422 | # and 'capability net_admin' here. Applications requiring audit |
423 | # logging should plug 'netlink-audit'. |
424 | -/sbin/hwclock ixr, |
425 | +/{,usr/}sbin/hwclock ixr, |
426 | |
427 | |
428 | === added file 'data/policy/classic/16/seccomp/dm-crypt' |
429 | --- data/policy/classic/16/seccomp/dm-crypt 1970-01-01 00:00:00 +0000 |
430 | +++ data/policy/classic/16/seccomp/dm-crypt 2021-08-25 03:55:24 +0000 |
431 | @@ -0,0 +1,6 @@ |
432 | +# Description: Allow kernel keyring manipulation |
433 | +add_key |
434 | +keyctl |
435 | +request_key |
436 | + |
437 | + |
438 | |
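Review bot: the file ends with two empty `+` lines (the new seccomp/raw-input file has the same); drop them. Also, only keyring syscalls are listed here while the AppArmor dm-crypt policy grants `mount` and executes mount/umount, so please confirm that the mount and umount2 syscalls are already permitted by the base seccomp template; otherwise the AppArmor mount rules cannot be exercised.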
439 | === modified file 'data/policy/classic/16/seccomp/greengrass-support' |
440 | --- data/policy/classic/16/seccomp/greengrass-support 2019-11-26 19:16:08 +0000 |
441 | +++ data/policy/classic/16/seccomp/greengrass-support 2021-08-25 03:55:24 +0000 |
442 | @@ -32,7 +32,7 @@ |
443 | # by greengrassd. |
444 | keyctl |
445 | |
446 | -# special character device creation is necessary for creating the overlayfs |
447 | +# special character device creation is necessary for creating the overlayfs |
448 | # mounts |
449 | # Unfortunately this grants device ownership to the snap. |
450 | mknod - |S_IFCHR - |
451 | |
452 | === added file 'data/policy/classic/16/seccomp/raw-input' |
453 | --- data/policy/classic/16/seccomp/raw-input 1970-01-01 00:00:00 +0000 |
454 | +++ data/policy/classic/16/seccomp/raw-input 2021-08-25 03:55:24 +0000 |
455 | @@ -0,0 +1,6 @@ |
456 | +# Description: Allow handling input devices. |
457 | +# for udev |
458 | +bind |
459 | +socket AF_NETLINK - NETLINK_KOBJECT_UEVENT |
460 | + |
461 | + |
462 | |
463 | === modified file 'policy-app/test-snapd-policy-app-consumer/meta/snap.yaml' |
464 | --- policy-app/test-snapd-policy-app-consumer/meta/snap.yaml 2020-03-18 18:33:59 +0000 |
465 | +++ policy-app/test-snapd-policy-app-consumer/meta/snap.yaml 2021-08-25 03:55:24 +0000 |
466 | @@ -11,6 +11,9 @@ |
467 | adb-support: |
468 | command: bin/run |
469 | plugs: [ adb-support ] |
470 | + allegro-vcu: |
471 | + command: bin/run |
472 | + plugs: [ allegro-vcu ] |
473 | alsa: |
474 | command: bin/run |
475 | plugs: [ alsa ] |
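Review bot: across the hunks of this file the consumer snap gains plugs for allegro-vcu, cups, dsp-control, fpga, gconf, hugepages-control, kernel-crypto-api, media-control, ptp, system-packages-doc, system-source-code, uinput and vcio, but this diff adds policy files only for dm-crypt, raw-input, sd-control and tee; confirm the remaining interfaces already have files under data/policy/classic/16 or do not need them, otherwise the test app plugs interfaces the policy data does not describe.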
476 | @@ -74,6 +77,9 @@ |
477 | cpu-control: |
478 | command: bin/run |
479 | plugs: [ cpu-control ] |
480 | + cups: |
481 | + command: bin/run |
482 | + plugs: [ cups ] |
483 | cups-control: |
484 | command: bin/run |
485 | plugs: [ cups-control ] |
486 | @@ -98,12 +104,21 @@ |
487 | display-control: |
488 | command: bin/run |
489 | plugs: [ display-control ] |
490 | + dm-crypt: |
491 | + command: bin/run |
492 | + plugs: [ dm-crypt ] |
493 | docker: |
494 | command: bin/run |
495 | plugs: [ docker ] |
496 | docker-support: |
497 | command: bin/run |
498 | plugs: [ docker-support ] |
499 | + dsp-control: |
500 | + command: bin/run |
501 | + plugs: [ dsp-control ] |
502 | + fpga: |
503 | + command: bin/run |
504 | + plugs: [ fpga ] |
505 | system-files: |
506 | command: bin/run |
507 | plugs: [ system-files ] |
508 | @@ -128,6 +143,9 @@ |
509 | accounts-service: |
510 | command: bin/run |
511 | plugs: [ accounts-service ] |
512 | + gconf: |
513 | + command: bin/run |
514 | + plugs: [ gconf ] |
515 | gpg-keys: |
516 | command: bin/run |
517 | plugs: [ gpg-keys ] |
518 | @@ -158,9 +176,18 @@ |
519 | home: |
520 | command: bin/run |
521 | plugs: [ home ] |
522 | + system-packages-doc: |
523 | + command: bin/run |
524 | + plugs: [ system-packages-doc ] |
525 | + system-source-code: |
526 | + command: bin/run |
527 | + plugs: [ system-source-code ] |
528 | hostname-control: |
529 | command: bin/run |
530 | plugs: [ hostname-control ] |
531 | + hugepages-control: |
532 | + command: bin/run |
533 | + plugs: [ hugepages-control ] |
534 | intel-mei: |
535 | command: bin/run |
536 | plugs: [ intel-mei ] |
537 | @@ -176,6 +203,9 @@ |
538 | juju-client-observe: |
539 | command: bin/run |
540 | plugs: [ juju-client-observe ] |
541 | + kernel-crypto-api: |
542 | + command: bin/run |
543 | + plugs: [ kernel-crypto-api ] |
544 | kernel-module-control: |
545 | command: bin/run |
546 | plugs: [ kernel-module-control ] |
547 | @@ -218,6 +248,9 @@ |
548 | maliit: |
549 | command: bin/run |
550 | plugs: [ maliit ] |
551 | + media-control: |
552 | + command: bin/run |
553 | + plugs: [ media-control ] |
554 | media-hub: |
555 | command: bin/run |
556 | plugs: [ media-hub ] |
557 | @@ -308,9 +341,15 @@ |
558 | process-control: |
559 | command: bin/run |
560 | plugs: [ process-control ] |
561 | + ptp: |
562 | + command: bin/run |
563 | + plugs: [ ptp ] |
564 | pulseaudio: |
565 | command: bin/run |
566 | plugs: [ pulseaudio ] |
567 | + raw-input: |
568 | + command: bin/run |
569 | + plugs: [ raw-input ] |
570 | raw-usb: |
571 | command: bin/run |
572 | plugs: [ raw-usb ] |
573 | @@ -338,6 +377,9 @@ |
574 | can-bus: |
575 | command: bin/run |
576 | plugs: [ can-bus ] |
577 | + sd-control: |
578 | + command: bin/run |
579 | + plugs: [ sd-control ] |
580 | ssh-keys: |
581 | command: bin/run |
582 | plugs: [ ssh-keys ] |
583 | @@ -359,6 +401,9 @@ |
584 | dummy: |
585 | command: bin/run |
586 | plugs: [ dummy ] |
587 | + tee: |
588 | + command: bin/run |
589 | + plugs: [ tee ] |
590 | thumbnailer-service: |
591 | command: bin/run |
592 | plugs: [ thumbnailer-service ] |
593 | @@ -386,6 +431,9 @@ |
594 | uhid: |
595 | command: bin/run |
596 | plugs: [ uhid ] |
597 | + uinput: |
598 | + command: bin/run |
599 | + plugs: [ uinput ] |
600 | uio: |
601 | command: bin/run |
602 | plugs: [ uio ] |
603 | @@ -404,6 +452,9 @@ |
604 | upower-observe: |
605 | command: bin/run |
606 | plugs: [ upower-observe ] |
607 | + vcio: |
608 | + command: bin/run |
609 | + plugs: [ vcio ] |
610 | wayland: |
611 | command: bin/run |
612 | plugs: [ wayland ] |
613 | @@ -437,3 +488,6 @@ |
614 | write: [$HOME/dir1] |
615 | dummy: |
616 | interface: dummy |
617 | + sd-control: |
618 | + interface: sd-control |
619 | + flavor: dual-sd |
620 | |
621 | === modified file 'policy-app/test-snapd-policy-app-provider-core/meta/snap.yaml' |
622 | --- policy-app/test-snapd-policy-app-provider-core/meta/snap.yaml 2020-03-18 18:33:59 +0000 |
623 | +++ policy-app/test-snapd-policy-app-provider-core/meta/snap.yaml 2021-08-25 03:55:24 +0000 |
624 | @@ -15,6 +15,8 @@ |
625 | content: test-content |
626 | read: |
627 | - $SNAP/content |
628 | + cups: null |
629 | + cups-control: null |
630 | dbus-session: |
631 | interface: dbus |
632 | bus: session |
633 | @@ -67,6 +69,12 @@ |
634 | content-read: |
635 | command: bin/run |
636 | slots: [ content-read ] |
637 | + cups: |
638 | + command: bin/run |
639 | + slots: [ cups ] |
640 | + cups-control: |
641 | + command: bin/run |
642 | + slots: [ cups-control ] |
643 | dbus-session: |
644 | command: bin/run |
645 | slots: [ dbus-session ] |
A comment inline in one place, but it applies to several similar segments. Thanks.