Merge lp:~alexmurray/snappy-hub/update-for-snapd-2.51.6 into lp:~snappy-debug-developers/snappy-hub/snappy-debug
Proposed by Alex Murray
| Field | Value |
|---|---|
| Status | Merged |
| Merged at revision | 206 |
| Proposed branch | lp:~alexmurray/snappy-hub/update-for-snapd-2.51.6 |
| Merge into | lp:~snappy-debug-developers/snappy-hub/snappy-debug |
| Diff against target | 645 lines (+197/-34), 28 files modified |
| To merge this branch | bzr merge lp:~alexmurray/snappy-hub/update-for-snapd-2.51.6 |
| Related bugs | |

Files modified:

- data/policy/classic/16/apparmor/account-control (+1/-1)
- data/policy/classic/16/apparmor/block-devices (+1/-0)
- data/policy/classic/16/apparmor/camera (+1/-0)
- data/policy/classic/16/apparmor/dm-crypt (+18/-0)
- data/policy/classic/16/apparmor/docker-support (+10/-1)
- data/policy/classic/16/apparmor/greengrass-support (+11/-11)
- data/policy/classic/16/apparmor/hardware-observe (+1/-1)
- data/policy/classic/16/apparmor/kernel-module-control (+1/-1)
- data/policy/classic/16/apparmor/kernel-module-observe (+1/-1)
- data/policy/classic/16/apparmor/kubernetes-support (+7/-6)
- data/policy/classic/16/apparmor/modem-manager (+2/-2)
- data/policy/classic/16/apparmor/multipass-support (+1/-1)
- data/policy/classic/16/apparmor/network-control (+3/-3)
- data/policy/classic/16/apparmor/network-setup-control (+13/-0)
- data/policy/classic/16/apparmor/network-setup-observe (+14/-0)
- data/policy/classic/16/apparmor/ofono (+2/-2)
- data/policy/classic/16/apparmor/opengl (+4/-1)
- data/policy/classic/16/apparmor/ppp (+1/-1)
- data/policy/classic/16/apparmor/raw-input (+13/-0)
- data/policy/classic/16/apparmor/sd-control (+6/-0)
- data/policy/classic/16/apparmor/system-observe (+1/-0)
- data/policy/classic/16/apparmor/tee (+9/-0)
- data/policy/classic/16/apparmor/time-control (+1/-1)
- data/policy/classic/16/seccomp/dm-crypt (+6/-0)
- data/policy/classic/16/seccomp/greengrass-support (+1/-1)
- data/policy/classic/16/seccomp/raw-input (+6/-0)
- policy-app/test-snapd-policy-app-consumer/meta/snap.yaml (+54/-0)
- policy-app/test-snapd-policy-app-provider-core/meta/snap.yaml (+8/-0)
| Reviewer | Review Type | Date Requested | Status |
|---|---|---|---|
| The snappy-debug snap developers | | | Pending |
Commit message
Description of the change
Revision history for this message
Seth Arnold (seth-arnold) wrote:
Preview Diff
1 | === modified file 'data/policy/classic/16/apparmor/account-control' | |||
2 | --- data/policy/classic/16/apparmor/account-control 2021-03-24 13:55:25 +0000 | |||
3 | +++ data/policy/classic/16/apparmor/account-control 2021-08-25 03:55:24 +0000 | |||
4 | @@ -14,7 +14,7 @@ | |||
5 | 14 | /etc/pam.d/{,*} r, | 14 | /etc/pam.d/{,*} r, |
6 | 15 | 15 | ||
7 | 16 | # Needed by chpasswd | 16 | # Needed by chpasswd |
9 | 17 | /lib/@{multiarch}/security/* ixr, | 17 | /{,usr/}lib/@{multiarch}/security/* ixr, |
10 | 18 | 18 | ||
11 | 19 | # Useradd needs netlink | 19 | # Useradd needs netlink |
12 | 20 | network netlink raw, | 20 | network netlink raw, |
13 | 21 | 21 | ||
14 | === modified file 'data/policy/classic/16/apparmor/block-devices' | |||
15 | --- data/policy/classic/16/apparmor/block-devices 2021-03-24 13:55:25 +0000 | |||
16 | +++ data/policy/classic/16/apparmor/block-devices 2021-08-25 03:55:24 +0000 | |||
17 | @@ -4,6 +4,7 @@ | |||
18 | 4 | /run/udev/data/b[0-9]*:[0-9]* r, | 4 | /run/udev/data/b[0-9]*:[0-9]* r, |
19 | 5 | /sys/block/ r, | 5 | /sys/block/ r, |
20 | 6 | /sys/devices/**/block/** r, | 6 | /sys/devices/**/block/** r, |
21 | 7 | /sys/devices/platform/soc/**/mmc_host/** r, | ||
22 | 7 | 8 | ||
23 | 8 | # Access to raw devices, not individual partitions | 9 | # Access to raw devices, not individual partitions |
24 | 9 | /dev/hd[a-t] rw, # IDE, MFM, RLL | 10 | /dev/hd[a-t] rw, # IDE, MFM, RLL |
25 | 10 | 11 | ||
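Review bot: the new `/sys/devices/platform/soc/**/mmc_host/** r,` at line 7 has no comment saying which platform needs it, unlike the rules around it that name the device class they serve; a one-line comment (the SoC family or board that exposes MMC under `/sys/devices/platform/soc`) would keep the file self-documenting. The grant itself is read-only sysfs, so no objection to it.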
26 | === modified file 'data/policy/classic/16/apparmor/camera' | |||
27 | --- data/policy/classic/16/apparmor/camera 2021-03-24 13:55:25 +0000 | |||
28 | +++ data/policy/classic/16/apparmor/camera 2021-08-25 03:55:24 +0000 | |||
29 | @@ -17,4 +17,5 @@ | |||
30 | 17 | /run/udev/data/+usb:* r, | 17 | /run/udev/data/+usb:* r, |
31 | 18 | /sys/class/video4linux/ r, | 18 | /sys/class/video4linux/ r, |
32 | 19 | /sys/devices/pci**/usb*/**/video4linux/** r, | 19 | /sys/devices/pci**/usb*/**/video4linux/** r, |
33 | 20 | /sys/devices/platform/**/usb*/**/video4linux/** r, | ||
34 | 20 | 21 | ||
35 | 21 | 22 | ||
36 | === added file 'data/policy/classic/16/apparmor/dm-crypt' | |||
37 | --- data/policy/classic/16/apparmor/dm-crypt 1970-01-01 00:00:00 +0000 | |||
38 | +++ data/policy/classic/16/apparmor/dm-crypt 2021-08-25 03:55:24 +0000 | |||
39 | @@ -0,0 +1,18 @@ | |||
40 | 1 | # Allow mapper access | ||
41 | 2 | /dev/mapper/control rw, | ||
42 | 3 | /dev/dm-[0-9]* rw, | ||
43 | 4 | # allow use of cryptsetup from core snap | ||
44 | 5 | /{,usr/}sbin/cryptsetup ixr, | ||
45 | 6 | # Mount points could be in /run/media/<user>/* or /media/<user>/* | ||
46 | 7 | /run/systemd/seats/* r, | ||
47 | 8 | /{,run/}media/{,**} rw, | ||
48 | 9 | mount options=(ro,nosuid,nodev) /dev/dm-[0-9]* -> /{,run/}media/**, | ||
49 | 10 | mount options=(rw,nosuid,nodev) /dev/dm-[0-9]* -> /{,run/}media/**, | ||
50 | 11 | |||
51 | 12 | # exec mount/umount to do the actual operations | ||
52 | 13 | /{,usr/}bin/mount ixr, | ||
53 | 14 | /{,usr/}bin/umount ixr, | ||
54 | 15 | |||
55 | 16 | # mount/umount (via libmount) track some mount info in these files | ||
56 | 17 | /run/mount/utab* wrlk, | ||
57 | 18 | |||
58 | 0 | 19 | ||
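Review bot: the profile execs umount at line 14 but contains no `umount` rule, so unmounting anything under `/{,run/}media/**` will be denied by AppArmor mount mediation even though the mount itself is allowed; add `umount /{,run/}media/**,` beside the two `mount` rules at lines 9-10. Two further points: `/{,run/}media/{,**} rw,` at line 8 is not `owner`-restricted, so it grants writes into every user's mount points rather than only the `/run/media/<user>/*` the comment at line 6 describes; and no `capability sys_admin` appears in this file although mount(2) and the device-mapper ioctls on `/dev/mapper/control` require it, so if that is expected to come from another interface a comment should say so.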
59 | === modified file 'data/policy/classic/16/apparmor/docker-support' | |||
60 | --- data/policy/classic/16/apparmor/docker-support 2021-03-24 13:55:25 +0000 | |||
61 | +++ data/policy/classic/16/apparmor/docker-support 2021-08-25 03:55:24 +0000 | |||
62 | @@ -86,7 +86,7 @@ | |||
63 | 86 | 86 | ||
64 | 87 | # Docker needs to be able to create and load the profile it applies to | 87 | # Docker needs to be able to create and load the profile it applies to |
65 | 88 | # containers ("docker-default") | 88 | # containers ("docker-default") |
67 | 89 | /sbin/apparmor_parser ixr, | 89 | /{,usr/}sbin/apparmor_parser ixr, |
68 | 90 | /etc/apparmor.d/cache/ r, # apparmor 2.12 and below | 90 | /etc/apparmor.d/cache/ r, # apparmor 2.12 and below |
69 | 91 | /etc/apparmor.d/cache/.features r, | 91 | /etc/apparmor.d/cache/.features r, |
70 | 92 | /etc/apparmor.d/{,cache/}docker* rw, | 92 | /etc/apparmor.d/{,cache/}docker* rw, |
71 | @@ -145,3 +145,12 @@ | |||
72 | 145 | # containerd to use this path for various account information for pods. | 145 | # containerd to use this path for various account information for pods. |
73 | 146 | /run/secrets/kubernetes.io/{,**} rk, | 146 | /run/secrets/kubernetes.io/{,**} rk, |
74 | 147 | 147 | ||
75 | 148 | # Allow using the 'autobind' feature of bind() (eg, for journald via go-systemd) | ||
76 | 149 | # unix (bind) type=dgram addr=auto, | ||
77 | 150 | # TODO: when snapd vendors in AppArmor userspace, then enable the new syntax | ||
78 | 151 | # above which allows only "empty"/automatic addresses, for now we simply permit | ||
79 | 152 | # all addresses with SOCK_DGRAM type, which leaks info for other addresses than | ||
80 | 153 | # what docker tries to use | ||
81 | 154 | # see https://bugs.launchpad.net/snapd/+bug/1867216 | ||
82 | 155 | unix (bind) type=dgram, | ||
83 | 156 | |||
84 | 148 | 157 | ||
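Review bot: `unix (bind) type=dgram,` at line 155 carries no `addr=` qualifier, so it lets the snap bind any abstract SOCK_DGRAM name, not only the kernel-autobound ones; the TODO acknowledges that, but the comment at lines 152-153 describes the effect as leaking info, whereas the practical consequence is that the snap can squat on abstract socket names other services expect to own. Suggest wording the comment the way kubernetes-support had it before this MP ("allows bind() to arbitrary SOCK_DGRAM abstract socket names; separate send and receive rules are still required"), which states the real effect and documents that the grant is bind-only.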
85 | === modified file 'data/policy/classic/16/apparmor/greengrass-support' | |||
86 | --- data/policy/classic/16/apparmor/greengrass-support 2021-03-24 13:55:25 +0000 | |||
87 | +++ data/policy/classic/16/apparmor/greengrass-support 2021-08-25 03:55:24 +0000 | |||
88 | @@ -49,7 +49,7 @@ | |||
89 | 49 | 49 | ||
90 | 50 | # cgroup accesses | 50 | # cgroup accesses |
91 | 51 | # greengrassd extensively uses cgroups to confine it's containers (AKA lambdas) | 51 | # greengrassd extensively uses cgroups to confine it's containers (AKA lambdas) |
93 | 52 | # and needs to read what cgroups are available; we allow reading any cgroup, | 52 | # and needs to read what cgroups are available; we allow reading any cgroup, |
94 | 53 | # but limit writes below | 53 | # but limit writes below |
95 | 54 | # also note that currently greengrass is not implemented in such a way that it | 54 | # also note that currently greengrass is not implemented in such a way that it |
96 | 55 | # can stack it's cgroups inside the cgroup that snapd would normally enforce | 55 | # can stack it's cgroups inside the cgroup that snapd would normally enforce |
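Review bot: the rendered diff shows no textual change in this hunk (lines 49-55) nor in the later hunks of this file at 119-127, 168-174, 177-182 and 213-225, which suggests trailing-whitespace or line-ending normalisation; stating that in the commit message saves reviewers looking for a semantic change. While these lines are being touched, `it's containers` and `it's cgroups` at lines 51 and 55 (and `it's containers` at 224) should read `its`.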
97 | @@ -75,10 +75,10 @@ | |||
98 | 75 | # specific rule for cpuset files | 75 | # specific rule for cpuset files |
99 | 76 | owner /old_rootfs/sys/fs/cgroup/cpuset/{,system.slice/}cpuset.{cpus,mems} rw, | 76 | owner /old_rootfs/sys/fs/cgroup/cpuset/{,system.slice/}cpuset.{cpus,mems} rw, |
100 | 77 | 77 | ||
102 | 78 | # the wrapper scripts need to use mount/umount and pivot_root from the | 78 | # the wrapper scripts need to use mount/umount and pivot_root from the |
103 | 79 | # core snap | 79 | # core snap |
106 | 80 | /bin/{,u}mount ixr, | 80 | /{,usr/}bin/{,u}mount ixr, |
107 | 81 | /sbin/pivot_root ixr, | 81 | /{,usr/}sbin/pivot_root ixr, |
108 | 82 | 82 | ||
109 | 83 | # allow pivot_root'ing into the rootfs prepared for the greengrass daemon | 83 | # allow pivot_root'ing into the rootfs prepared for the greengrass daemon |
110 | 84 | # parallel-installs: SNAP_{DATA,COMMON} are remapped, need to use SNAP_NAME, for | 84 | # parallel-installs: SNAP_{DATA,COMMON} are remapped, need to use SNAP_NAME, for |
111 | @@ -119,9 +119,9 @@ | |||
112 | 119 | # completeness allow SNAP_INSTANCE_NAME too | 119 | # completeness allow SNAP_INSTANCE_NAME too |
113 | 120 | mount options=(rw, bind) /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/** -> /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/** , | 120 | mount options=(rw, bind) /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/** -> /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/** , |
114 | 121 | mount options=(rw, rbind) /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/** -> /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/** , | 121 | mount options=(rw, rbind) /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/** -> /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/** , |
116 | 122 | # also allow mounting new files anywhere underneath the rootfs of the target | 122 | # also allow mounting new files anywhere underneath the rootfs of the target |
117 | 123 | # overlayfs directory, which is the rootfs of the container | 123 | # overlayfs directory, which is the rootfs of the container |
119 | 124 | # this is for allowing local resource access which first makes a mount at | 124 | # this is for allowing local resource access which first makes a mount at |
120 | 125 | # the target destination and then a bind mount from the source to the destination | 125 | # the target destination and then a bind mount from the source to the destination |
121 | 126 | # the source destination mount will be allowed under the above rule | 126 | # the source destination mount will be allowed under the above rule |
122 | 127 | mount -> /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/*/ggc-writable/packages/*/rootfs/merged/**, | 127 | mount -> /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/*/ggc-writable/packages/*/rootfs/merged/**, |
123 | @@ -168,7 +168,7 @@ | |||
124 | 168 | mount options=(rw, bind) /run/ -> /run/, | 168 | mount options=(rw, bind) /run/ -> /run/, |
125 | 169 | 169 | ||
126 | 170 | # mounts for resolv.conf inside the container | 170 | # mounts for resolv.conf inside the container |
128 | 171 | # we have to manually do this otherwise the go DNS resolver fails to work, because it isn't configured to | 171 | # we have to manually do this otherwise the go DNS resolver fails to work, because it isn't configured to |
129 | 172 | # use the system DNS server and attempts to do DNS resolution itself, manually inspecting /etc/resolv.conf | 172 | # use the system DNS server and attempts to do DNS resolution itself, manually inspecting /etc/resolv.conf |
130 | 173 | mount options=(ro, bind) /run/systemd/resolve/stub-resolv.conf -> /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/*/rootfs/etc/resolv.conf, | 173 | mount options=(ro, bind) /run/systemd/resolve/stub-resolv.conf -> /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/*/rootfs/etc/resolv.conf, |
131 | 174 | mount options=(ro, bind) /run/resolvconf/resolv.conf -> /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/*/rootfs/etc/resolv.conf, | 174 | mount options=(ro, bind) /run/resolvconf/resolv.conf -> /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/*/rootfs/etc/resolv.conf, |
132 | @@ -177,7 +177,7 @@ | |||
133 | 177 | # pivot_root for the container initialization into the rootfs | 177 | # pivot_root for the container initialization into the rootfs |
134 | 178 | # note that the actual syscall is pivotroot(".",".") | 178 | # note that the actual syscall is pivotroot(".",".") |
135 | 179 | # so the oldroot is the same as the new root | 179 | # so the oldroot is the same as the new root |
137 | 180 | pivot_root | 180 | pivot_root |
138 | 181 | oldroot=/var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/*/ggc-writable/packages/*/rootfs/merged/ | 181 | oldroot=/var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/*/ggc-writable/packages/*/rootfs/merged/ |
139 | 182 | /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/*/ggc-writable/packages/*/rootfs/merged/, | 182 | /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/*/ggc-writable/packages/*/rootfs/merged/, |
140 | 183 | 183 | ||
141 | @@ -213,12 +213,12 @@ | |||
142 | 213 | # and /run is explicitly disallowed for use by layouts | 213 | # and /run is explicitly disallowed for use by layouts |
143 | 214 | # also note that technically this access is post-pivot_root, but during the setup | 214 | # also note that technically this access is post-pivot_root, but during the setup |
144 | 215 | # for the mount ns that the snap performs (not snapd), /var/run is bind mounted | 215 | # for the mount ns that the snap performs (not snapd), /var/run is bind mounted |
146 | 216 | # from outside the pivot_root to inside the pivot_root, so this will always | 216 | # from outside the pivot_root to inside the pivot_root, so this will always |
147 | 217 | # access the same files inside or outside the pivot_root | 217 | # access the same files inside or outside the pivot_root |
148 | 218 | owner /{var/,}run/greengrassd.pid rw, | 218 | owner /{var/,}run/greengrassd.pid rw, |
149 | 219 | 219 | ||
152 | 220 | # all of the rest of the accesses are made by child containers and as such are | 220 | # all of the rest of the accesses are made by child containers and as such are |
153 | 221 | # "post-pivot_root", meaning that they aren't accessing these files on the | 221 | # "post-pivot_root", meaning that they aren't accessing these files on the |
154 | 222 | # host root filesystem, but rather somewhere inside $SNAP_DATA/rootfs/ | 222 | # host root filesystem, but rather somewhere inside $SNAP_DATA/rootfs/ |
155 | 223 | # Note: eventually greengrass will gain the ability to specify child profiles | 223 | # Note: eventually greengrass will gain the ability to specify child profiles |
156 | 224 | # for it's containers and include these rules in that profile so they won't | 224 | # for it's containers and include these rules in that profile so they won't |
157 | 225 | 225 | ||
158 | === modified file 'data/policy/classic/16/apparmor/hardware-observe' | |||
159 | --- data/policy/classic/16/apparmor/hardware-observe 2021-03-24 13:55:25 +0000 | |||
160 | +++ data/policy/classic/16/apparmor/hardware-observe 2021-08-25 03:55:24 +0000 | |||
161 | @@ -11,7 +11,7 @@ | |||
162 | 11 | # used by lspci | 11 | # used by lspci |
163 | 12 | capability sys_admin, | 12 | capability sys_admin, |
164 | 13 | /etc/modprobe.d/{,*} r, | 13 | /etc/modprobe.d/{,*} r, |
166 | 14 | /lib/modprobe.d/{,*} r, | 14 | /{,usr/}lib/modprobe.d/{,*} r, |
167 | 15 | 15 | ||
168 | 16 | # files in /sys pertaining to hardware (eg, 'lspci -A linux-sysfs') | 16 | # files in /sys pertaining to hardware (eg, 'lspci -A linux-sysfs') |
169 | 17 | /sys/{block,bus,class,devices,firmware}/{,**} r, | 17 | /sys/{block,bus,class,devices,firmware}/{,**} r, |
170 | 18 | 18 | ||
171 | === modified file 'data/policy/classic/16/apparmor/kernel-module-control' | |||
172 | --- data/policy/classic/16/apparmor/kernel-module-control 2021-03-24 13:55:25 +0000 | |||
173 | +++ data/policy/classic/16/apparmor/kernel-module-control 2021-08-25 03:55:24 +0000 | |||
174 | @@ -18,5 +18,5 @@ | |||
175 | 18 | # Allow reading information about loaded kernel modules | 18 | # Allow reading information about loaded kernel modules |
176 | 19 | /sys/module/{,**} r, | 19 | /sys/module/{,**} r, |
177 | 20 | /etc/modprobe.d/{,**} r, | 20 | /etc/modprobe.d/{,**} r, |
179 | 21 | /lib/modprobe.d/{,**} r, | 21 | /{,usr/}lib/modprobe.d/{,**} r, |
180 | 22 | 22 | ||
181 | 23 | 23 | ||
182 | === modified file 'data/policy/classic/16/apparmor/kernel-module-observe' | |||
183 | --- data/policy/classic/16/apparmor/kernel-module-observe 2021-03-24 13:55:25 +0000 | |||
184 | +++ data/policy/classic/16/apparmor/kernel-module-observe 2021-08-25 03:55:24 +0000 | |||
185 | @@ -12,5 +12,5 @@ | |||
186 | 12 | # Allow reading information about loaded kernel modules | 12 | # Allow reading information about loaded kernel modules |
187 | 13 | /sys/module/{,**} r, | 13 | /sys/module/{,**} r, |
188 | 14 | /etc/modprobe.d/{,**} r, | 14 | /etc/modprobe.d/{,**} r, |
190 | 15 | /lib/modprobe.d/{,**} r, | 15 | /{,usr/}lib/modprobe.d/{,**} r, |
191 | 16 | 16 | ||
192 | 17 | 17 | ||
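Review bot: the three modprobe.d rules updated in this MP are not uniform: hardware-observe line 14 uses `/{,usr/}lib/modprobe.d/{,*} r,` while kernel-module-control line 21 and kernel-module-observe line 15 use `{,**}`. modprobe.d holds flat `.conf` files, so both spellings behave the same today, but settling on one form across the three files stops the next diff having to reason about the difference.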
193 | === modified file 'data/policy/classic/16/apparmor/kubernetes-support' | |||
194 | --- data/policy/classic/16/apparmor/kubernetes-support 2021-03-24 13:55:25 +0000 | |||
195 | +++ data/policy/classic/16/apparmor/kubernetes-support 2021-08-25 03:55:24 +0000 | |||
196 | @@ -169,11 +169,12 @@ | |||
197 | 169 | /sys/module/ip_vs_sh/initstate r, | 169 | /sys/module/ip_vs_sh/initstate r, |
198 | 170 | /sys/module/ip_vs_wrr/initstate r, | 170 | /sys/module/ip_vs_wrr/initstate r, |
199 | 171 | 171 | ||
206 | 172 | # Allow using the 'autobind' feature of bind() (eg, for journald). | 172 | # Allow using the 'autobind' feature of bind() (eg, for journald via go-systemd) |
207 | 173 | #unix (bind) type=dgram addr=none, | 173 | # unix (bind) type=dgram addr=auto, |
208 | 174 | # Due to LP: 1867216, we cannot use the above rule and must instead use this | 174 | # TODO: when snapd vendors in AppArmor userspace, then enable the new syntax |
209 | 175 | # less specific rule that allows bind() to arbitrary SOCK_DGRAM abstract socket | 175 | # above which allows only "empty"/automatic addresses, for now we simply permit |
210 | 176 | # names (separate send and receive rules are still required for communicating | 176 | # all addresses with SOCK_DGRAM type, which leaks info for other addresses than |
211 | 177 | # over the socket). | 177 | # what docker tries to use |
212 | 178 | # see https://bugs.launchpad.net/snapd/+bug/1867216 | ||
213 | 178 | unix (bind) type=dgram, | 179 | unix (bind) type=dgram, |
214 | 179 | 180 | ||
215 | 180 | 181 | ||
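Review bot: the replacement comment at lines 172-177 now says "what docker tries to use" inside the kubernetes-support profile, which reads as a copy-paste from docker-support; say "what the snap tries to use" or name kubelet/containerd. The wording being removed ("allows bind() to arbitrary SOCK_DGRAM abstract socket names; separate send and receive rules are still required") was the more precise description of what `unix (bind) type=dgram,` permits and is worth keeping. The commented-out target rule also changes from `addr=none` to `addr=auto`, so the commit message should say which syntax the vendored AppArmor userspace is expected to accept.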
216 | === modified file 'data/policy/classic/16/apparmor/modem-manager' | |||
217 | --- data/policy/classic/16/apparmor/modem-manager 2021-03-24 13:55:25 +0000 | |||
218 | +++ data/policy/classic/16/apparmor/modem-manager 2021-08-25 03:55:24 +0000 | |||
219 | @@ -33,10 +33,10 @@ | |||
220 | 33 | bus=system | 33 | bus=system |
221 | 34 | path=/org/freedesktop/ModemManager1{,/**} | 34 | path=/org/freedesktop/ModemManager1{,/**} |
222 | 35 | interface=org.freedesktop.ModemManager1* | 35 | interface=org.freedesktop.ModemManager1* |
224 | 36 | peer=(label="snap.core."), | 36 | peer=(label="snap.snapd.*"), |
225 | 37 | dbus (receive, send) | 37 | dbus (receive, send) |
226 | 38 | bus=system | 38 | bus=system |
227 | 39 | path=/org/freedesktop/ModemManager1{,/**} | 39 | path=/org/freedesktop/ModemManager1{,/**} |
228 | 40 | interface=org.freedesktop.DBus.* | 40 | interface=org.freedesktop.DBus.* |
230 | 41 | peer=(label="snap.core."), | 41 | peer=(label="snap.snapd.*"), |
231 | 42 | 42 | ||
232 | 43 | 43 | ||
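Review bot: the old `peer=(label="snap.core.")` at lines 36 and 41 is a literal label with no wildcard and cannot match any running process, so the new `snap.snapd.*` is a functional fix rather than a rename and deserves a sentence in the commit message. One question: on systems that still re-exec snapd tooling from the core snap rather than the snapd snap, should `snap.core.*` be kept alongside `snap.snapd.*`? The same change is made in ofono below, so whatever the answer is should be applied to both files.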
233 | === modified file 'data/policy/classic/16/apparmor/multipass-support' | |||
234 | --- data/policy/classic/16/apparmor/multipass-support 2021-03-24 13:55:25 +0000 | |||
235 | +++ data/policy/classic/16/apparmor/multipass-support 2021-08-25 03:55:24 +0000 | |||
236 | @@ -1,6 +1,6 @@ | |||
237 | 1 | # Description: this policy intentionally allows the Multipass daemon to configure AppArmor | 1 | # Description: this policy intentionally allows the Multipass daemon to configure AppArmor |
238 | 2 | # as Multipass generates AppArmor profiles for the utility processes it spawns. | 2 | # as Multipass generates AppArmor profiles for the utility processes it spawns. |
240 | 3 | /sbin/apparmor_parser ixr, | 3 | /{,usr/}sbin/apparmor_parser ixr, |
241 | 4 | /etc/apparmor{,.d}/{,**} r, | 4 | /etc/apparmor{,.d}/{,**} r, |
242 | 5 | /sys/kernel/security/apparmor/{,**} r, | 5 | /sys/kernel/security/apparmor/{,**} r, |
243 | 6 | /sys/kernel/security/apparmor/.remove w, | 6 | /sys/kernel/security/apparmor/.remove w, |
244 | 7 | 7 | ||
245 | === modified file 'data/policy/classic/16/apparmor/network-control' | |||
246 | --- data/policy/classic/16/apparmor/network-control 2021-03-24 13:55:25 +0000 | |||
247 | +++ data/policy/classic/16/apparmor/network-control 2021-08-25 03:55:24 +0000 | |||
248 | @@ -128,13 +128,13 @@ | |||
249 | 128 | /etc/hosts w, | 128 | /etc/hosts w, |
250 | 129 | 129 | ||
251 | 130 | # resolvconf | 130 | # resolvconf |
253 | 131 | /sbin/resolvconf ixr, | 131 | /{,usr/}sbin/resolvconf ixr, |
254 | 132 | /run/resolvconf/{,**} rk, | 132 | /run/resolvconf/{,**} rk, |
255 | 133 | /run/resolvconf/** w, | 133 | /run/resolvconf/** w, |
256 | 134 | /etc/resolvconf/{,**} r, | 134 | /etc/resolvconf/{,**} r, |
258 | 135 | /lib/resolvconf/* ix, | 135 | /{,usr/}lib/resolvconf/* ix, |
259 | 136 | # Required by resolvconf | 136 | # Required by resolvconf |
261 | 137 | /bin/run-parts ixr, | 137 | /{,usr/}bin/run-parts ixr, |
262 | 138 | /etc/resolvconf/update.d/* ix, | 138 | /etc/resolvconf/update.d/* ix, |
263 | 139 | 139 | ||
264 | 140 | # wpa_suplicant | 140 | # wpa_suplicant |
265 | 141 | 141 | ||
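Review bot: `/{,usr/}lib/resolvconf/* ix,` at line 135 and `/etc/resolvconf/update.d/* ix,` at line 138 grant exec but not read; the update.d hooks are scripts, and a script's interpreter has to open the file, which needs `r`, so these should probably be `ixr` like `run-parts` on line 137 unless a broader read rule elsewhere in the profile already covers them. Minor: `# wpa_suplicant` at line 140 is missing a `p`.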
266 | === modified file 'data/policy/classic/16/apparmor/network-setup-control' | |||
267 | --- data/policy/classic/16/apparmor/network-setup-control 2021-03-24 13:55:25 +0000 | |||
268 | +++ data/policy/classic/16/apparmor/network-setup-control 2021-08-25 03:55:24 +0000 | |||
269 | @@ -1,5 +1,18 @@ | |||
270 | 1 | # Description: Can read/write netplan configuration files | 1 | # Description: Can read/write netplan configuration files |
271 | 2 | 2 | ||
272 | 3 | # Allow use of the netplan binary from the base snap. With this interface, this | ||
273 | 4 | # is expected to be able to apply and generate new network configuration, as | ||
274 | 5 | # well as get information about the current network configuration. | ||
275 | 6 | /usr/sbin/netplan ixr, | ||
276 | 7 | # core18+ has /usr/sbin/netplan as a symlink to this script | ||
277 | 8 | /usr/share/netplan/netplan.script ixr, | ||
278 | 9 | # netplan related files | ||
279 | 10 | /usr/share/netplan/ r, | ||
280 | 11 | /usr/share/netplan/** r, | ||
281 | 12 | |||
282 | 13 | # Netplan uses busctl internally, so allow using that as well | ||
283 | 14 | /usr/bin/busctl ixr, | ||
284 | 15 | |||
285 | 3 | /etc/netplan/{,**} rw, | 16 | /etc/netplan/{,**} rw, |
286 | 4 | /etc/network/{,**} rw, | 17 | /etc/network/{,**} rw, |
287 | 5 | /etc/systemd/network/{,**} rw, | 18 | /etc/systemd/network/{,**} rw, |
288 | 6 | 19 | ||
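Review bot: `/usr/sbin/netplan ixr,` and `/usr/bin/busctl ixr,` at lines 6 and 14 run netplan under the plugging snap's own profile, yet no `dbus` rule appears in this hunk; the comment at line 13 itself says netplan uses busctl internally, so either the rest of this profile already carries the system-bus rules or `netplan apply` will fail at the bus rather than at exec. A comment pointing at where those rules live would help. Minor: the other hunks in this MP use `/{,usr/}` alternation for base-snap binaries; netplan only ships under `/usr`, so the plain paths are fine, but a one-line comment saying so prevents a later "consistency" change.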
289 | === modified file 'data/policy/classic/16/apparmor/network-setup-observe' | |||
290 | --- data/policy/classic/16/apparmor/network-setup-observe 2021-03-24 13:55:25 +0000 | |||
291 | +++ data/policy/classic/16/apparmor/network-setup-observe 2021-08-25 03:55:24 +0000 | |||
292 | @@ -1,5 +1,19 @@ | |||
293 | 1 | # Description: Can read netplan configuration files | 1 | # Description: Can read netplan configuration files |
294 | 2 | 2 | ||
295 | 3 | # Allow use of the netplan binary from the base snap. With this interface, this | ||
296 | 4 | # is expected to be able to only get information about the current network | ||
297 | 5 | # configuration and not generate or apply it like is allowed with | ||
298 | 6 | # network-setup-control. | ||
299 | 7 | /usr/sbin/netplan ixr, | ||
300 | 8 | # core18+ has /usr/sbin/netplan as a symlink to this script | ||
301 | 9 | /usr/share/netplan/netplan.script ixr, | ||
302 | 10 | # netplan related files | ||
303 | 11 | /usr/share/netplan/ r, | ||
304 | 12 | /usr/share/netplan/** r, | ||
305 | 13 | |||
306 | 14 | # Netplan uses busctl internally, so allow using that as well | ||
307 | 15 | /usr/bin/busctl ixr, | ||
308 | 16 | |||
309 | 3 | /etc/netplan/{,**} r, | 17 | /etc/netplan/{,**} r, |
310 | 4 | /etc/network/{,**} r, | 18 | /etc/network/{,**} r, |
311 | 5 | /etc/systemd/network/{,**} r, | 19 | /etc/systemd/network/{,**} r, |
312 | 6 | 20 | ||
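Review bot: the comment at lines 3-6 says this interface "is expected to be able to only get information ... and not generate or apply it", but `/usr/sbin/netplan ixr,` at line 7 is the same executable as in network-setup-control and AppArmor cannot tell `netplan get` from `netplan apply`; the only thing that stops apply/generate is that `/etc/netplan/{,**}` stays `r` at line 17 and nothing here grants writes to the generated configuration. Reword the comment to say the restriction comes from the surrounding file rules, not from the exec rule, and confirm nothing else in the profile grants writes under `/run/systemd/network` or `/run/NetworkManager`.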
313 | === modified file 'data/policy/classic/16/apparmor/ofono' | |||
314 | --- data/policy/classic/16/apparmor/ofono 2021-03-24 13:55:25 +0000 | |||
315 | +++ data/policy/classic/16/apparmor/ofono 2021-08-25 03:55:24 +0000 | |||
316 | @@ -25,7 +25,7 @@ | |||
317 | 25 | bus=system | 25 | bus=system |
318 | 26 | path=/{,**} | 26 | path=/{,**} |
319 | 27 | interface=org.ofono.* | 27 | interface=org.ofono.* |
321 | 28 | peer=(label="snap.core."), | 28 | peer=(label="snap.snapd.*"), |
322 | 29 | 29 | ||
323 | 30 | # Allow clients to introspect the service on non-classic (due to the path, | 30 | # Allow clients to introspect the service on non-classic (due to the path, |
324 | 31 | # allowing on classic would reveal too much for unconfined) | 31 | # allowing on classic would reveal too much for unconfined) |
325 | @@ -34,5 +34,5 @@ | |||
326 | 34 | path=/ | 34 | path=/ |
327 | 35 | interface=org.freedesktop.DBus.Introspectable | 35 | interface=org.freedesktop.DBus.Introspectable |
328 | 36 | member=Introspect | 36 | member=Introspect |
330 | 37 | peer=(label="snap.core."), | 37 | peer=(label="snap.snapd.*"), |
331 | 38 | 38 | ||
332 | 39 | 39 | ||
333 | === modified file 'data/policy/classic/16/apparmor/opengl' | |||
334 | --- data/policy/classic/16/apparmor/opengl 2021-03-24 13:55:25 +0000 | |||
335 | +++ data/policy/classic/16/apparmor/opengl 2021-08-25 03:55:24 +0000 | |||
336 | @@ -81,7 +81,10 @@ | |||
337 | 81 | 81 | ||
338 | 82 | # Xilinx zocl DRM driver | 82 | # Xilinx zocl DRM driver |
339 | 83 | # https://github.com/Xilinx/XRT/tree/master/src/runtime_src/core/edge/drm | 83 | # https://github.com/Xilinx/XRT/tree/master/src/runtime_src/core/edge/drm |
341 | 84 | /sys/devices/platform/amba_pl@[0-9]*/amba_pl@[0-9]*:zyxclmm_drm/* r, | 84 | /sys/devices/platform/amba{,_pl@[0-9]*}/amba{,_pl@[0-9]*}:zyxclmm_drm/* r, |
342 | 85 | |||
343 | 86 | # Imagination PowerVR driver | ||
344 | 87 | /dev/pvr_sync rw, | ||
345 | 85 | 88 | ||
346 | 86 | # OpenCL ICD files | 89 | # OpenCL ICD files |
347 | 87 | /etc/OpenCL/vendors/ r, | 90 | /etc/OpenCL/vendors/ r, |
348 | 88 | 91 | ||
349 | === modified file 'data/policy/classic/16/apparmor/ppp' | |||
350 | --- data/policy/classic/16/apparmor/ppp 2021-03-24 13:55:25 +0000 | |||
351 | +++ data/policy/classic/16/apparmor/ppp 2021-08-25 03:55:24 +0000 | |||
352 | @@ -10,7 +10,7 @@ | |||
353 | 10 | /run/ppp* rwk, | 10 | /run/ppp* rwk, |
354 | 11 | /var/run/ppp* rwk, | 11 | /var/run/ppp* rwk, |
355 | 12 | /var/log/ppp* rw, | 12 | /var/log/ppp* rw, |
357 | 13 | /bin/run-parts ix, | 13 | /{,usr/}bin/run-parts ix, |
358 | 14 | @{PROC}/@{pid}/loginuid r, | 14 | @{PROC}/@{pid}/loginuid r, |
359 | 15 | capability setgid, | 15 | capability setgid, |
360 | 16 | capability setuid, | 16 | capability setuid, |
361 | 17 | 17 | ||
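Review bot: `/{,usr/}bin/run-parts ix,` at line 13 keeps the exec-only permission, while the same binary gets `ixr` in network-control (line 137 there). run-parts is an ELF binary so `ix` alone works, but using one form in both files avoids the question coming up again.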
362 | === added file 'data/policy/classic/16/apparmor/raw-input' | |||
363 | --- data/policy/classic/16/apparmor/raw-input 1970-01-01 00:00:00 +0000 | |||
364 | +++ data/policy/classic/16/apparmor/raw-input 2021-08-25 03:55:24 +0000 | |||
365 | @@ -0,0 +1,13 @@ | |||
366 | 1 | # Description: Allow reading and writing to raw input devices | ||
367 | 2 | |||
368 | 3 | /dev/input/* rw, | ||
369 | 4 | |||
370 | 5 | # Allow reading for supported event reports for all input devices. See | ||
371 | 6 | # https://www.kernel.org/doc/Documentation/input/event-codes.txt | ||
372 | 7 | /sys/devices/**/input[0-9]*/capabilities/* r, | ||
373 | 8 | |||
374 | 9 | # For using udev | ||
375 | 10 | network netlink raw, | ||
376 | 11 | /run/udev/data/c13:[0-9]* r, | ||
377 | 12 | /run/udev/data/+input:input[0-9]* r, | ||
378 | 13 | |||
379 | 0 | 14 | ||
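Review bot: `/dev/input/* rw,` at line 3 lets the snap read every evdev node (all keystrokes and pointer events on the machine, regardless of which session owns them) and write to them, and writing to an evdev node injects events into the device; the description at line 1 should spell out that this is keylogging- and input-injection-capable so the interface is clearly in the manual-connect, privileged class. The rule deliberately does not reach `/dev/uinput`, which lives outside `/dev/input/`; a comment saying so would stop somebody "completing" it later.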
380 | === added file 'data/policy/classic/16/apparmor/sd-control' | |||
381 | --- data/policy/classic/16/apparmor/sd-control 1970-01-01 00:00:00 +0000 | |||
382 | +++ data/policy/classic/16/apparmor/sd-control 2021-08-25 03:55:24 +0000 | |||
383 | @@ -0,0 +1,6 @@ | |||
384 | 1 | # Description: can manage and control the SD cards using the DualSD driver. | ||
385 | 2 | |||
386 | 3 | # The main DualSD device node is used to control certain aspects of SD cards on | ||
387 | 4 | # the system. | ||
388 | 5 | /dev/DualSD rw, | ||
389 | 6 | |||
390 | 0 | 7 | ||
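Review bot: `/dev/DualSD rw,` at line 5 is a vendor-specific node that nothing in this file identifies beyond the words "DualSD driver" in the description; add a link to the driver or name the platform so a future reviewer can tell what ioctls it exposes. As with opengl, the snapd-side udev tagging for this interface needs to cover the node for the device cgroup.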
391 | === modified file 'data/policy/classic/16/apparmor/system-observe' | |||
392 | --- data/policy/classic/16/apparmor/system-observe 2021-03-24 13:55:25 +0000 | |||
393 | +++ data/policy/classic/16/apparmor/system-observe 2021-08-25 03:55:24 +0000 | |||
394 | @@ -22,6 +22,7 @@ | |||
395 | 22 | @{PROC}/modules r, | 22 | @{PROC}/modules r, |
396 | 23 | @{PROC}/stat r, | 23 | @{PROC}/stat r, |
397 | 24 | @{PROC}/vmstat r, | 24 | @{PROC}/vmstat r, |
398 | 25 | @{PROC}/zoneinfo r, | ||
399 | 25 | @{PROC}/diskstats r, | 26 | @{PROC}/diskstats r, |
400 | 26 | @{PROC}/kallsyms r, | 27 | @{PROC}/kallsyms r, |
401 | 27 | @{PROC}/partitions r, | 28 | @{PROC}/partitions r, |
402 | 28 | 29 | ||
403 | === added file 'data/policy/classic/16/apparmor/tee' | |||
404 | --- data/policy/classic/16/apparmor/tee 1970-01-01 00:00:00 +0000 | |||
405 | +++ data/policy/classic/16/apparmor/tee 2021-08-25 03:55:24 +0000 | |||
406 | @@ -0,0 +1,9 @@ | |||
407 | 1 | # Description: for those who need to talk to the TEE subsystem over | ||
408 | 2 | # /dev/tee[0-9]* and/or /dev/teepriv[0-0]* | ||
409 | 3 | |||
410 | 4 | /dev/tee[0-9]* rw, | ||
411 | 5 | /dev/teepriv[0-9]* rw, | ||
412 | 6 | |||
413 | 7 | # Qualcomm equivalent qseecom (Qualcomm Secure Execution Environment Communicator) | ||
414 | 8 | /dev/qseecom rw, | ||
415 | 9 | |||
416 | 0 | 10 | ||
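Review bot: the description at line 2 says `/dev/teepriv[0-0]*`, a typo for the `[0-9]*` used in the rule at line 5. More importantly, `/dev/teepriv*` is the supplicant-side device (the normal-world process that serves the TEE's RPCs such as secure storage) whereas `/dev/tee*` is the client side; granting `rw` on both to anything that plugs `tee` lets the snap take the supplicant role, which is a much larger grant than calling trusted applications. Either a comment explaining why the privileged node is included, or a separate interface for it, would be appropriate.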
417 | === modified file 'data/policy/classic/16/apparmor/time-control' | |||
418 | --- data/policy/classic/16/apparmor/time-control 2021-03-24 13:55:25 +0000 | |||
419 | +++ data/policy/classic/16/apparmor/time-control 2021-08-25 03:55:24 +0000 | |||
420 | @@ -67,5 +67,5 @@ | |||
421 | 67 | # write to the audit subsystem. We omit 'capability audit_write' | 67 | # write to the audit subsystem. We omit 'capability audit_write' |
422 | 68 | # and 'capability net_admin' here. Applications requiring audit | 68 | # and 'capability net_admin' here. Applications requiring audit |
423 | 69 | # logging should plug 'netlink-audit'. | 69 | # logging should plug 'netlink-audit'. |
425 | 70 | /sbin/hwclock ixr, | 70 | /{,usr/}sbin/hwclock ixr, |
426 | 71 | 71 | ||
427 | 72 | 72 | ||
428 | === added file 'data/policy/classic/16/seccomp/dm-crypt' | |||
429 | --- data/policy/classic/16/seccomp/dm-crypt 1970-01-01 00:00:00 +0000 | |||
430 | +++ data/policy/classic/16/seccomp/dm-crypt 2021-08-25 03:55:24 +0000 | |||
431 | @@ -0,0 +1,6 @@ | |||
432 | 1 | # Description: Allow kernel keyring manipulation | ||
433 | 2 | add_key | ||
434 | 3 | keyctl | ||
435 | 4 | request_key | ||
436 | 5 | |||
437 | 6 | |||
438 | 0 | 7 | ||
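Review bot: `keyctl` on line 3 of the new seccomp dm-crypt file is allowed without any argument filter, so every keyctl command is permitted, not just the key read and lookup operations the `add_key`/`request_key` pairing suggests. Elsewhere in this branch the argument-filter syntax is used (`socket AF_NETLINK - NETLINK_KOBJECT_UEVENT`, `mknod - |S_IFCHR -`); if the compiler can restrict the first argument here, consider doing so, and otherwise add a comment naming which keyctl operations the dm-crypt tooling actually needs. Style: lines 5 and 6 are two trailing blank lines, one more than the other seccomp files end with.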
439 | === modified file 'data/policy/classic/16/seccomp/greengrass-support' | |||
440 | --- data/policy/classic/16/seccomp/greengrass-support 2019-11-26 19:16:08 +0000 | |||
441 | +++ data/policy/classic/16/seccomp/greengrass-support 2021-08-25 03:55:24 +0000 | |||
442 | @@ -32,7 +32,7 @@ | |||
443 | 32 | # by greengrassd. | 32 | # by greengrassd. |
444 | 33 | keyctl | 33 | keyctl |
445 | 34 | 34 | ||
447 | 35 | # special character device creation is necessary for creating the overlayfs | 35 | # special character device creation is necessary for creating the overlayfs |
448 | 36 | # mounts | 36 | # mounts |
449 | 37 | # Unfortunately this grants device ownership to the snap. | 37 | # Unfortunately this grants device ownership to the snap. |
450 | 38 | mknod - |S_IFCHR - | 38 | mknod - |S_IFCHR - |
451 | 39 | 39 | ||
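Review bot: the `@@ -32,7 +32,7 @@` hunk header says one line changed, but lines 32 through 39 read identically on both sides in the rendered diff, so the change is invisible here (most likely trailing whitespace on one of the comment lines). Please confirm in the merge description that this is a whitespace-only edit and that the `mknod - |S_IFCHR -` rule on line 38 and the bare `keyctl` on line 33 are unchanged in behaviour.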
452 | === added file 'data/policy/classic/16/seccomp/raw-input' | |||
453 | --- data/policy/classic/16/seccomp/raw-input 1970-01-01 00:00:00 +0000 | |||
454 | +++ data/policy/classic/16/seccomp/raw-input 2021-08-25 03:55:24 +0000 | |||
455 | @@ -0,0 +1,6 @@ | |||
456 | 1 | # Description: Allow handling input devices. | ||
457 | 2 | # for udev | ||
458 | 3 | bind | ||
459 | 4 | socket AF_NETLINK - NETLINK_KOBJECT_UEVENT | ||
460 | 5 | |||
461 | 6 | |||
462 | 0 | 7 | ||
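Review bot: `bind` on line 3 of the new seccomp raw-input file is unfiltered while `socket` on line 4 is restricted to `AF_NETLINK - NETLINK_KOBJECT_UEVENT`; the comment on line 2 says the rules are "for udev", so if the only socket this interface needs to bind is the uevent netlink socket, note that in the comment, because the bare `bind` will also apply to any other socket family the profile otherwise allows. Style: the description on line 1 ends with a period where the dm-crypt seccomp description does not, and lines 5 and 6 are two trailing blank lines.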
463 | === modified file 'policy-app/test-snapd-policy-app-consumer/meta/snap.yaml' | |||
464 | --- policy-app/test-snapd-policy-app-consumer/meta/snap.yaml 2020-03-18 18:33:59 +0000 | |||
465 | +++ policy-app/test-snapd-policy-app-consumer/meta/snap.yaml 2021-08-25 03:55:24 +0000 | |||
466 | @@ -11,6 +11,9 @@ | |||
467 | 11 | adb-support: | 11 | adb-support: |
468 | 12 | command: bin/run | 12 | command: bin/run |
469 | 13 | plugs: [ adb-support ] | 13 | plugs: [ adb-support ] |
470 | 14 | allegro-vcu: | ||
471 | 15 | command: bin/run | ||
472 | 16 | plugs: [ allegro-vcu ] | ||
473 | 14 | alsa: | 17 | alsa: |
474 | 15 | command: bin/run | 18 | command: bin/run |
475 | 16 | plugs: [ alsa ] | 19 | plugs: [ alsa ] |
476 | @@ -74,6 +77,9 @@ | |||
477 | 74 | cpu-control: | 77 | cpu-control: |
478 | 75 | command: bin/run | 78 | command: bin/run |
479 | 76 | plugs: [ cpu-control ] | 79 | plugs: [ cpu-control ] |
480 | 80 | cups: | ||
481 | 81 | command: bin/run | ||
482 | 82 | plugs: [ cups ] | ||
483 | 77 | cups-control: | 83 | cups-control: |
484 | 78 | command: bin/run | 84 | command: bin/run |
485 | 79 | plugs: [ cups-control ] | 85 | plugs: [ cups-control ] |
486 | @@ -98,12 +104,21 @@ | |||
487 | 98 | display-control: | 104 | display-control: |
488 | 99 | command: bin/run | 105 | command: bin/run |
489 | 100 | plugs: [ display-control ] | 106 | plugs: [ display-control ] |
490 | 107 | dm-crypt: | ||
491 | 108 | command: bin/run | ||
492 | 109 | plugs: [ dm-crypt ] | ||
493 | 101 | docker: | 110 | docker: |
494 | 102 | command: bin/run | 111 | command: bin/run |
495 | 103 | plugs: [ docker ] | 112 | plugs: [ docker ] |
496 | 104 | docker-support: | 113 | docker-support: |
497 | 105 | command: bin/run | 114 | command: bin/run |
498 | 106 | plugs: [ docker-support ] | 115 | plugs: [ docker-support ] |
499 | 116 | dsp-control: | ||
500 | 117 | command: bin/run | ||
501 | 118 | plugs: [ dsp-control ] | ||
502 | 119 | fpga: | ||
503 | 120 | command: bin/run | ||
504 | 121 | plugs: [ fpga ] | ||
505 | 107 | system-files: | 122 | system-files: |
506 | 108 | command: bin/run | 123 | command: bin/run |
507 | 109 | plugs: [ system-files ] | 124 | plugs: [ system-files ] |
508 | @@ -128,6 +143,9 @@ | |||
509 | 128 | accounts-service: | 143 | accounts-service: |
510 | 129 | command: bin/run | 144 | command: bin/run |
511 | 130 | plugs: [ accounts-service ] | 145 | plugs: [ accounts-service ] |
512 | 146 | gconf: | ||
513 | 147 | command: bin/run | ||
514 | 148 | plugs: [ gconf ] | ||
515 | 131 | gpg-keys: | 149 | gpg-keys: |
516 | 132 | command: bin/run | 150 | command: bin/run |
517 | 133 | plugs: [ gpg-keys ] | 151 | plugs: [ gpg-keys ] |
518 | @@ -158,9 +176,18 @@ | |||
519 | 158 | home: | 176 | home: |
520 | 159 | command: bin/run | 177 | command: bin/run |
521 | 160 | plugs: [ home ] | 178 | plugs: [ home ] |
522 | 179 | system-packages-doc: | ||
523 | 180 | command: bin/run | ||
524 | 181 | plugs: [ system-packages-doc ] | ||
525 | 182 | system-source-code: | ||
526 | 183 | command: bin/run | ||
527 | 184 | plugs: [ system-source-code ] | ||
528 | 161 | hostname-control: | 185 | hostname-control: |
529 | 162 | command: bin/run | 186 | command: bin/run |
530 | 163 | plugs: [ hostname-control ] | 187 | plugs: [ hostname-control ] |
531 | 188 | hugepages-control: | ||
532 | 189 | command: bin/run | ||
533 | 190 | plugs: [ hugepages-control ] | ||
534 | 164 | intel-mei: | 191 | intel-mei: |
535 | 165 | command: bin/run | 192 | command: bin/run |
536 | 166 | plugs: [ intel-mei ] | 193 | plugs: [ intel-mei ] |
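Review bot: `system-packages-doc` (line 179) and `system-source-code` (line 182) are inserted between `home` and `hostname-control`, which breaks the alphabetical ordering this file mostly keeps (`hostname-control`, `hugepages-control`, `intel-mei` follow). The existing `system-files` app is already out of order at line 122 after `docker-support`; either place the two new system-* apps next to it or move all three to their alphabetical position so the next update does not scatter them further.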
537 | @@ -176,6 +203,9 @@ | |||
538 | 176 | juju-client-observe: | 203 | juju-client-observe: |
539 | 177 | command: bin/run | 204 | command: bin/run |
540 | 178 | plugs: [ juju-client-observe ] | 205 | plugs: [ juju-client-observe ] |
541 | 206 | kernel-crypto-api: | ||
542 | 207 | command: bin/run | ||
543 | 208 | plugs: [ kernel-crypto-api ] | ||
544 | 179 | kernel-module-control: | 209 | kernel-module-control: |
545 | 180 | command: bin/run | 210 | command: bin/run |
546 | 181 | plugs: [ kernel-module-control ] | 211 | plugs: [ kernel-module-control ] |
547 | @@ -218,6 +248,9 @@ | |||
548 | 218 | maliit: | 248 | maliit: |
549 | 219 | command: bin/run | 249 | command: bin/run |
550 | 220 | plugs: [ maliit ] | 250 | plugs: [ maliit ] |
551 | 251 | media-control: | ||
552 | 252 | command: bin/run | ||
553 | 253 | plugs: [ media-control ] | ||
554 | 221 | media-hub: | 254 | media-hub: |
555 | 222 | command: bin/run | 255 | command: bin/run |
556 | 223 | plugs: [ media-hub ] | 256 | plugs: [ media-hub ] |
557 | @@ -308,9 +341,15 @@ | |||
558 | 308 | process-control: | 341 | process-control: |
559 | 309 | command: bin/run | 342 | command: bin/run |
560 | 310 | plugs: [ process-control ] | 343 | plugs: [ process-control ] |
561 | 344 | ptp: | ||
562 | 345 | command: bin/run | ||
563 | 346 | plugs: [ ptp ] | ||
564 | 311 | pulseaudio: | 347 | pulseaudio: |
565 | 312 | command: bin/run | 348 | command: bin/run |
566 | 313 | plugs: [ pulseaudio ] | 349 | plugs: [ pulseaudio ] |
567 | 350 | raw-input: | ||
568 | 351 | command: bin/run | ||
569 | 352 | plugs: [ raw-input ] | ||
570 | 314 | raw-usb: | 353 | raw-usb: |
571 | 315 | command: bin/run | 354 | command: bin/run |
572 | 316 | plugs: [ raw-usb ] | 355 | plugs: [ raw-usb ] |
573 | @@ -338,6 +377,9 @@ | |||
574 | 338 | can-bus: | 377 | can-bus: |
575 | 339 | command: bin/run | 378 | command: bin/run |
576 | 340 | plugs: [ can-bus ] | 379 | plugs: [ can-bus ] |
577 | 380 | sd-control: | ||
578 | 381 | command: bin/run | ||
579 | 382 | plugs: [ sd-control ] | ||
580 | 341 | ssh-keys: | 383 | ssh-keys: |
581 | 342 | command: bin/run | 384 | command: bin/run |
582 | 343 | plugs: [ ssh-keys ] | 385 | plugs: [ ssh-keys ] |
583 | @@ -359,6 +401,9 @@ | |||
584 | 359 | dummy: | 401 | dummy: |
585 | 360 | command: bin/run | 402 | command: bin/run |
586 | 361 | plugs: [ dummy ] | 403 | plugs: [ dummy ] |
587 | 404 | tee: | ||
588 | 405 | command: bin/run | ||
589 | 406 | plugs: [ tee ] | ||
590 | 362 | thumbnailer-service: | 407 | thumbnailer-service: |
591 | 363 | command: bin/run | 408 | command: bin/run |
592 | 364 | plugs: [ thumbnailer-service ] | 409 | plugs: [ thumbnailer-service ] |
593 | @@ -386,6 +431,9 @@ | |||
594 | 386 | uhid: | 431 | uhid: |
595 | 387 | command: bin/run | 432 | command: bin/run |
596 | 388 | plugs: [ uhid ] | 433 | plugs: [ uhid ] |
597 | 434 | uinput: | ||
598 | 435 | command: bin/run | ||
599 | 436 | plugs: [ uinput ] | ||
600 | 389 | uio: | 437 | uio: |
601 | 390 | command: bin/run | 438 | command: bin/run |
602 | 391 | plugs: [ uio ] | 439 | plugs: [ uio ] |
603 | @@ -404,6 +452,9 @@ | |||
604 | 404 | upower-observe: | 452 | upower-observe: |
605 | 405 | command: bin/run | 453 | command: bin/run |
606 | 406 | plugs: [ upower-observe ] | 454 | plugs: [ upower-observe ] |
607 | 455 | vcio: | ||
608 | 456 | command: bin/run | ||
609 | 457 | plugs: [ vcio ] | ||
610 | 407 | wayland: | 458 | wayland: |
611 | 408 | command: bin/run | 459 | command: bin/run |
612 | 409 | plugs: [ wayland ] | 460 | plugs: [ wayland ] |
613 | @@ -437,3 +488,6 @@ | |||
614 | 437 | write: [$HOME/dir1] | 488 | write: [$HOME/dir1] |
615 | 438 | dummy: | 489 | dummy: |
616 | 439 | interface: dummy | 490 | interface: dummy |
617 | 491 | sd-control: | ||
618 | 492 | interface: sd-control | ||
619 | 493 | flavor: dual-sd | ||
620 | 440 | 494 | ||
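Review bot: the new `sd-control` plug declaration on lines 491 to 493 sets `flavor: dual-sd`; the `sd-control` app on lines 380 to 382 plugs it by name, so this is the only plug in this consumer that carries an attribute rather than relying on the implicit interface name. A short comment stating that `dual-sd` is the flavor the apparmor sd-control policy in this branch is written for would make the pairing clear to whoever regenerates this file against the next snapd release.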
621 | === modified file 'policy-app/test-snapd-policy-app-provider-core/meta/snap.yaml' | |||
622 | --- policy-app/test-snapd-policy-app-provider-core/meta/snap.yaml 2020-03-18 18:33:59 +0000 | |||
623 | +++ policy-app/test-snapd-policy-app-provider-core/meta/snap.yaml 2021-08-25 03:55:24 +0000 | |||
624 | @@ -15,6 +15,8 @@ | |||
625 | 15 | content: test-content | 15 | content: test-content |
626 | 16 | read: | 16 | read: |
627 | 17 | - $SNAP/content | 17 | - $SNAP/content |
628 | 18 | cups: null | ||
629 | 19 | cups-control: null | ||
630 | 18 | dbus-session: | 20 | dbus-session: |
631 | 19 | interface: dbus | 21 | interface: dbus |
632 | 20 | bus: session | 22 | bus: session |
633 | @@ -67,6 +69,12 @@ | |||
634 | 67 | content-read: | 69 | content-read: |
635 | 68 | command: bin/run | 70 | command: bin/run |
636 | 69 | slots: [ content-read ] | 71 | slots: [ content-read ] |
637 | 72 | cups: | ||
638 | 73 | command: bin/run | ||
639 | 74 | slots: [ cups ] | ||
640 | 75 | cups-control: | ||
641 | 76 | command: bin/run | ||
642 | 77 | slots: [ cups-control ] | ||
643 | 70 | dbus-session: | 78 | dbus-session: |
644 | 71 | command: bin/run | 79 | command: bin/run |
645 | 72 | slots: [ dbus-session ] | 80 | slots: [ dbus-session ] |
A comment inline in one place, but it applies to several similar segments. Thanks.