1
=== modified file 'data/policy/classic/16/apparmor/account-control'
2
--- data/policy/classic/16/apparmor/account-control	2021-03-24 13:55:25 +0000
3
+++ data/policy/classic/16/apparmor/account-control	2021-08-25 03:55:24 +0000
4
@@ -14,7 +14,7 @@
5
14
/etc/pam.d/{,*} r,
14
/etc/pam.d/{,*} r,
6
15
15
7
16
# Needed by chpasswd
16
# Needed by chpasswd
9
17
/lib/@{multiarch}/security/* ixr,
17
/{,usr/}lib/@{multiarch}/security/* ixr,
10
18
18
11
19
# Useradd needs netlink
19
# Useradd needs netlink
12
20
network netlink raw,
20
network netlink raw,
13
21
21
14
=== modified file 'data/policy/classic/16/apparmor/block-devices'
15
--- data/policy/classic/16/apparmor/block-devices	2021-03-24 13:55:25 +0000
16
+++ data/policy/classic/16/apparmor/block-devices	2021-08-25 03:55:24 +0000
17
@@ -4,6 +4,7 @@
18
4
/run/udev/data/b[0-9]*:[0-9]* r,
4
/run/udev/data/b[0-9]*:[0-9]* r,
19
5
/sys/block/ r,
5
/sys/block/ r,
20
6
/sys/devices/**/block/** r,
6
/sys/devices/**/block/** r,
21
7
/sys/devices/platform/soc/**/mmc_host/** r,
22
7
8
23
8
# Access to raw devices, not individual partitions
9
# Access to raw devices, not individual partitions
24
9
/dev/hd[a-t] rw,                                          # IDE, MFM, RLL
10
/dev/hd[a-t] rw,                                          # IDE, MFM, RLL
25
10
11
26
=== modified file 'data/policy/classic/16/apparmor/camera'
27
--- data/policy/classic/16/apparmor/camera	2021-03-24 13:55:25 +0000
28
+++ data/policy/classic/16/apparmor/camera	2021-08-25 03:55:24 +0000
29
@@ -17,4 +17,5 @@
30
17
/run/udev/data/+usb:* r,
17
/run/udev/data/+usb:* r,
31
18
/sys/class/video4linux/ r,
18
/sys/class/video4linux/ r,
32
19
/sys/devices/pci**/usb*/**/video4linux/** r,
19
/sys/devices/pci**/usb*/**/video4linux/** r,
33
20
/sys/devices/platform/**/usb*/**/video4linux/** r,
34
20
21
35
21
22
36
=== added file 'data/policy/classic/16/apparmor/dm-crypt'
37
--- data/policy/classic/16/apparmor/dm-crypt	1970-01-01 00:00:00 +0000
38
+++ data/policy/classic/16/apparmor/dm-crypt	2021-08-25 03:55:24 +0000
39
@@ -0,0 +1,18 @@
40
1
# Allow mapper access
41
2
/dev/mapper/control rw,
42
3
/dev/dm-[0-9]* rw,
43
4
# allow use of cryptsetup from core snap
44
5
/{,usr/}sbin/cryptsetup ixr,
45
6
# Mount points could be in /run/media/<user>/* or /media/<user>/*
46
7
/run/systemd/seats/* r,
47
8
/{,run/}media/{,**} rw,
48
9
mount options=(ro,nosuid,nodev) /dev/dm-[0-9]* -> /{,run/}media/**,
49
10
mount options=(rw,nosuid,nodev) /dev/dm-[0-9]* -> /{,run/}media/**,
50
11
51
12
#  exec mount/umount to do the actual operations
52
13
/{,usr/}bin/mount ixr,
53
14
/{,usr/}bin/umount ixr,
54
15
55
16
# mount/umount (via libmount) track some mount info in these files
56
17
/run/mount/utab* wrlk,
57
18
58
0
19
59
=== modified file 'data/policy/classic/16/apparmor/docker-support'
60
--- data/policy/classic/16/apparmor/docker-support	2021-03-24 13:55:25 +0000
61
+++ data/policy/classic/16/apparmor/docker-support	2021-08-25 03:55:24 +0000
62
@@ -86,7 +86,7 @@
63
86
86
64
87
# Docker needs to be able to create and load the profile it applies to
87
# Docker needs to be able to create and load the profile it applies to
65
88
# containers ("docker-default")
88
# containers ("docker-default")
67
89
/sbin/apparmor_parser ixr,
89
/{,usr/}sbin/apparmor_parser ixr,
68
90
/etc/apparmor.d/cache/ r,            # apparmor 2.12 and below
90
/etc/apparmor.d/cache/ r,            # apparmor 2.12 and below
69
91
/etc/apparmor.d/cache/.features r,
91
/etc/apparmor.d/cache/.features r,
70
92
/etc/apparmor.d/{,cache/}docker* rw,
92
/etc/apparmor.d/{,cache/}docker* rw,
71
@@ -145,3 +145,12 @@
72
145
# containerd to use this path for various account information for pods.
145
# containerd to use this path for various account information for pods.
73
146
/run/secrets/kubernetes.io/{,**} rk,
146
/run/secrets/kubernetes.io/{,**} rk,
74
147
147
75
148
# Allow using the 'autobind' feature of bind() (eg, for journald via go-systemd)
76
149
# unix (bind) type=dgram addr=auto,
77
150
# TODO: when snapd vendors in AppArmor userspace, then enable the new syntax
78
151
# above which allows only "empty"/automatic addresses, for now we simply permit
79
152
# all addresses with SOCK_DGRAM type, which leaks info for other addresses than
80
153
# what docker tries to use
81
154
# see https://bugs.launchpad.net/snapd/+bug/1867216
82
155
unix (bind) type=dgram,
83
156
84
148
157
85
=== modified file 'data/policy/classic/16/apparmor/greengrass-support'
86
--- data/policy/classic/16/apparmor/greengrass-support	2021-03-24 13:55:25 +0000
87
+++ data/policy/classic/16/apparmor/greengrass-support	2021-08-25 03:55:24 +0000
88
@@ -49,7 +49,7 @@
89
49
49
90
50
# cgroup accesses
50
# cgroup accesses
91
51
# greengrassd extensively uses cgroups to confine it's containers (AKA lambdas)
51
# greengrassd extensively uses cgroups to confine it's containers (AKA lambdas)
93
52
# and needs to read what cgroups are available; we allow reading any cgroup, 
52
# and needs to read what cgroups are available; we allow reading any cgroup,
94
53
# but limit writes below
53
# but limit writes below
95
54
# also note that currently greengrass is not implemented in such a way that it
54
# also note that currently greengrass is not implemented in such a way that it
96
55
# can stack it's cgroups inside the cgroup that snapd would normally enforce
55
# can stack it's cgroups inside the cgroup that snapd would normally enforce
97
@@ -75,10 +75,10 @@
98
75
# specific rule for cpuset files
75
# specific rule for cpuset files
99
76
owner /old_rootfs/sys/fs/cgroup/cpuset/{,system.slice/}cpuset.{cpus,mems} rw,
76
owner /old_rootfs/sys/fs/cgroup/cpuset/{,system.slice/}cpuset.{cpus,mems} rw,
100
77
77
102
78
# the wrapper scripts need to use mount/umount and pivot_root from the 
78
# the wrapper scripts need to use mount/umount and pivot_root from the
103
79
# core snap
79
# core snap
106
80
/bin/{,u}mount ixr,
80
/{,usr/}bin/{,u}mount ixr,
107
81
/sbin/pivot_root ixr,
81
/{,usr/}sbin/pivot_root ixr,
108
82
82
109
83
# allow pivot_root'ing into the rootfs prepared for the greengrass daemon
83
# allow pivot_root'ing into the rootfs prepared for the greengrass daemon
110
84
# parallel-installs: SNAP_{DATA,COMMON} are remapped, need to use SNAP_NAME, for
84
# parallel-installs: SNAP_{DATA,COMMON} are remapped, need to use SNAP_NAME, for
111
@@ -119,9 +119,9 @@
112
119
# completeness allow SNAP_INSTANCE_NAME too
119
# completeness allow SNAP_INSTANCE_NAME too
113
120
mount options=(rw, bind) /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/** -> /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/** ,
120
mount options=(rw, bind) /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/** -> /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/** ,
114
121
mount options=(rw, rbind) /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/** -> /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/** ,
121
mount options=(rw, rbind) /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/** -> /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/** ,
116
122
# also allow mounting new files anywhere underneath the rootfs of the target 
122
# also allow mounting new files anywhere underneath the rootfs of the target
117
123
# overlayfs directory, which is the rootfs of the container
123
# overlayfs directory, which is the rootfs of the container
119
124
# this is for allowing local resource access which first makes a mount at 
124
# this is for allowing local resource access which first makes a mount at
120
125
# the target destination and then a bind mount from the source to the destination
125
# the target destination and then a bind mount from the source to the destination
121
126
# the source destination mount will be allowed under the above rule
126
# the source destination mount will be allowed under the above rule
122
127
mount -> /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/*/ggc-writable/packages/*/rootfs/merged/**,
127
mount -> /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/*/ggc-writable/packages/*/rootfs/merged/**,
123
@@ -168,7 +168,7 @@
124
168
mount options=(rw, bind) /run/ -> /run/,
168
mount options=(rw, bind) /run/ -> /run/,
125
169
169
126
170
# mounts for resolv.conf inside the container
170
# mounts for resolv.conf inside the container
128
171
# we have to manually do this otherwise the go DNS resolver fails to work, because it isn't configured to 
171
# we have to manually do this otherwise the go DNS resolver fails to work, because it isn't configured to
129
172
# use the system DNS server and attempts to do DNS resolution itself, manually inspecting /etc/resolv.conf
172
# use the system DNS server and attempts to do DNS resolution itself, manually inspecting /etc/resolv.conf
130
173
mount options=(ro, bind) /run/systemd/resolve/stub-resolv.conf -> /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/*/rootfs/etc/resolv.conf,
173
mount options=(ro, bind) /run/systemd/resolve/stub-resolv.conf -> /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/*/rootfs/etc/resolv.conf,
131
174
mount options=(ro, bind) /run/resolvconf/resolv.conf -> /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/*/rootfs/etc/resolv.conf,
174
mount options=(ro, bind) /run/resolvconf/resolv.conf -> /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/*/rootfs/etc/resolv.conf,
132
@@ -177,7 +177,7 @@
133
177
# pivot_root for the container initialization into the rootfs
177
# pivot_root for the container initialization into the rootfs
134
178
# note that the actual syscall is pivotroot(".",".")
178
# note that the actual syscall is pivotroot(".",".")
135
179
# so the oldroot is the same as the new root
179
# so the oldroot is the same as the new root
137
180
pivot_root 
180
pivot_root
138
181
	oldroot=/var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/*/ggc-writable/packages/*/rootfs/merged/
181
	oldroot=/var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/*/ggc-writable/packages/*/rootfs/merged/
139
182
	/var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/*/ggc-writable/packages/*/rootfs/merged/,
182
	/var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/*/ggc-writable/packages/*/rootfs/merged/,
140
183
183
141
@@ -213,12 +213,12 @@
142
213
# and /run is explicitly disallowed for use by layouts
213
# and /run is explicitly disallowed for use by layouts
143
214
# also note that technically this access is post-pivot_root, but during the setup
214
# also note that technically this access is post-pivot_root, but during the setup
144
215
# for the mount ns that the snap performs (not snapd), /var/run is bind mounted
215
# for the mount ns that the snap performs (not snapd), /var/run is bind mounted
146
216
# from outside the pivot_root to inside the pivot_root, so this will always 
216
# from outside the pivot_root to inside the pivot_root, so this will always
147
217
# access the same files inside or outside the pivot_root
217
# access the same files inside or outside the pivot_root
148
218
owner /{var/,}run/greengrassd.pid rw,
218
owner /{var/,}run/greengrassd.pid rw,
149
219
219
152
220
# all of the rest of the accesses are made by child containers and as such are 
220
# all of the rest of the accesses are made by child containers and as such are
153
221
# "post-pivot_root", meaning that they aren't accessing these files on the 
221
# "post-pivot_root", meaning that they aren't accessing these files on the
154
222
# host root filesystem, but rather somewhere inside $SNAP_DATA/rootfs/
222
# host root filesystem, but rather somewhere inside $SNAP_DATA/rootfs/
155
223
# Note: eventually greengrass will gain the ability to specify child profiles
223
# Note: eventually greengrass will gain the ability to specify child profiles
156
224
# for it's containers and include these rules in that profile so they won't
224
# for it's containers and include these rules in that profile so they won't
157
225
225
158
=== modified file 'data/policy/classic/16/apparmor/hardware-observe'
159
--- data/policy/classic/16/apparmor/hardware-observe	2021-03-24 13:55:25 +0000
160
+++ data/policy/classic/16/apparmor/hardware-observe	2021-08-25 03:55:24 +0000
161
@@ -11,7 +11,7 @@
162
11
# used by lspci
11
# used by lspci
163
12
capability sys_admin,
12
capability sys_admin,
164
13
/etc/modprobe.d/{,*} r,
13
/etc/modprobe.d/{,*} r,
166
14
/lib/modprobe.d/{,*} r,
14
/{,usr/}lib/modprobe.d/{,*} r,
167
15
15
168
16
# files in /sys pertaining to hardware (eg, 'lspci -A linux-sysfs')
16
# files in /sys pertaining to hardware (eg, 'lspci -A linux-sysfs')
169
17
/sys/{block,bus,class,devices,firmware}/{,**} r,
17
/sys/{block,bus,class,devices,firmware}/{,**} r,
170
18
18
171
=== modified file 'data/policy/classic/16/apparmor/kernel-module-control'
172
--- data/policy/classic/16/apparmor/kernel-module-control	2021-03-24 13:55:25 +0000
173
+++ data/policy/classic/16/apparmor/kernel-module-control	2021-08-25 03:55:24 +0000
174
@@ -18,5 +18,5 @@
175
18
# Allow reading information about loaded kernel modules
18
# Allow reading information about loaded kernel modules
176
19
/sys/module/{,**} r,
19
/sys/module/{,**} r,
177
20
/etc/modprobe.d/{,**} r,
20
/etc/modprobe.d/{,**} r,
179
21
/lib/modprobe.d/{,**} r,
21
/{,usr/}lib/modprobe.d/{,**} r,
180
22
22
181
23
23
182
=== modified file 'data/policy/classic/16/apparmor/kernel-module-observe'
183
--- data/policy/classic/16/apparmor/kernel-module-observe	2021-03-24 13:55:25 +0000
184
+++ data/policy/classic/16/apparmor/kernel-module-observe	2021-08-25 03:55:24 +0000
185
@@ -12,5 +12,5 @@
186
12
# Allow reading information about loaded kernel modules
12
# Allow reading information about loaded kernel modules
187
13
/sys/module/{,**} r,
13
/sys/module/{,**} r,
188
14
/etc/modprobe.d/{,**} r,
14
/etc/modprobe.d/{,**} r,
190
15
/lib/modprobe.d/{,**} r,
15
/{,usr/}lib/modprobe.d/{,**} r,
191
16
16
192
17
17
193
=== modified file 'data/policy/classic/16/apparmor/kubernetes-support'
194
--- data/policy/classic/16/apparmor/kubernetes-support	2021-03-24 13:55:25 +0000
195
+++ data/policy/classic/16/apparmor/kubernetes-support	2021-08-25 03:55:24 +0000
196
@@ -169,11 +169,12 @@
197
169
/sys/module/ip_vs_sh/initstate r,
169
/sys/module/ip_vs_sh/initstate r,
198
170
/sys/module/ip_vs_wrr/initstate r,
170
/sys/module/ip_vs_wrr/initstate r,
199
171
171
206
172
# Allow using the 'autobind' feature of bind() (eg, for journald).
172
# Allow using the 'autobind' feature of bind() (eg, for journald via go-systemd)
207
173
#unix (bind) type=dgram addr=none,
173
# unix (bind) type=dgram addr=auto,
208
174
# Due to LP: 1867216, we cannot use the above rule and must instead use this
174
# TODO: when snapd vendors in AppArmor userspace, then enable the new syntax
209
175
# less specific rule that allows bind() to arbitrary SOCK_DGRAM abstract socket
175
# above which allows only "empty"/automatic addresses, for now we simply permit
210
176
# names (separate send and receive rules are still required for communicating
176
# all addresses with SOCK_DGRAM type, which leaks info for other addresses than
211
177
# over the socket).
177
# what docker tries to use
212
178
# see https://bugs.launchpad.net/snapd/+bug/1867216
213
178
unix (bind) type=dgram,
179
unix (bind) type=dgram,
214
179
180
215
180
181
216
=== modified file 'data/policy/classic/16/apparmor/modem-manager'
217
--- data/policy/classic/16/apparmor/modem-manager	2021-03-24 13:55:25 +0000
218
+++ data/policy/classic/16/apparmor/modem-manager	2021-08-25 03:55:24 +0000
219
@@ -33,10 +33,10 @@
220
33
    bus=system
33
    bus=system
221
34
    path=/org/freedesktop/ModemManager1{,/**}
34
    path=/org/freedesktop/ModemManager1{,/**}
222
35
    interface=org.freedesktop.ModemManager1*
35
    interface=org.freedesktop.ModemManager1*
224
36
    peer=(label="snap.core."),
36
    peer=(label="snap.snapd.*"),
225
37
dbus (receive, send)
37
dbus (receive, send)
226
38
    bus=system
38
    bus=system
227
39
    path=/org/freedesktop/ModemManager1{,/**}
39
    path=/org/freedesktop/ModemManager1{,/**}
228
40
    interface=org.freedesktop.DBus.*
40
    interface=org.freedesktop.DBus.*
230
41
    peer=(label="snap.core."),
41
    peer=(label="snap.snapd.*"),
231
42
42
232
43
43
233
=== modified file 'data/policy/classic/16/apparmor/multipass-support'
234
--- data/policy/classic/16/apparmor/multipass-support	2021-03-24 13:55:25 +0000
235
+++ data/policy/classic/16/apparmor/multipass-support	2021-08-25 03:55:24 +0000
236
@@ -1,6 +1,6 @@
237
1
# Description: this policy intentionally allows the Multipass daemon to configure AppArmor
1
# Description: this policy intentionally allows the Multipass daemon to configure AppArmor
238
2
# as Multipass generates AppArmor profiles for the utility processes it spawns.
2
# as Multipass generates AppArmor profiles for the utility processes it spawns.
240
3
/sbin/apparmor_parser ixr,
3
/{,usr/}sbin/apparmor_parser ixr,
241
4
/etc/apparmor{,.d}/{,**} r,
4
/etc/apparmor{,.d}/{,**} r,
242
5
/sys/kernel/security/apparmor/{,**} r,
5
/sys/kernel/security/apparmor/{,**} r,
243
6
/sys/kernel/security/apparmor/.remove w,
6
/sys/kernel/security/apparmor/.remove w,
244
7
7
245
=== modified file 'data/policy/classic/16/apparmor/network-control'
246
--- data/policy/classic/16/apparmor/network-control	2021-03-24 13:55:25 +0000
247
+++ data/policy/classic/16/apparmor/network-control	2021-08-25 03:55:24 +0000
248
@@ -128,13 +128,13 @@
249
128
/etc/hosts w,
128
/etc/hosts w,
250
129
129
251
130
# resolvconf
130
# resolvconf
253
131
/sbin/resolvconf ixr,
131
/{,usr/}sbin/resolvconf ixr,
254
132
/run/resolvconf/{,**} rk,
132
/run/resolvconf/{,**} rk,
255
133
/run/resolvconf/** w,
133
/run/resolvconf/** w,
256
134
/etc/resolvconf/{,**} r,
134
/etc/resolvconf/{,**} r,
258
135
/lib/resolvconf/* ix,
135
/{,usr/}lib/resolvconf/* ix,
259
136
# Required by resolvconf
136
# Required by resolvconf
261
137
/bin/run-parts ixr,
137
/{,usr/}bin/run-parts ixr,
262
138
/etc/resolvconf/update.d/* ix,
138
/etc/resolvconf/update.d/* ix,
263
139
139
264
140
# wpa_suplicant
140
# wpa_suplicant
265
141
141
266
=== modified file 'data/policy/classic/16/apparmor/network-setup-control'
267
--- data/policy/classic/16/apparmor/network-setup-control	2021-03-24 13:55:25 +0000
268
+++ data/policy/classic/16/apparmor/network-setup-control	2021-08-25 03:55:24 +0000
269
@@ -1,5 +1,18 @@
270
1
# Description: Can read/write netplan configuration files
1
# Description: Can read/write netplan configuration files
271
2
2
272
3
# Allow use of the netplan binary from the base snap. With this interface, this 
273
4
# is expected to be able to apply and generate new network configuration, as 
274
5
# well as get information about the current network configuration.
275
6
/usr/sbin/netplan ixr,
276
7
# core18+ has /usr/sbin/netplan as a symlink to this script
277
8
/usr/share/netplan/netplan.script ixr,
278
9
# netplan related files
279
10
/usr/share/netplan/ r,
280
11
/usr/share/netplan/** r,
281
12
282
13
# Netplan uses busctl internally, so allow using that as well
283
14
/usr/bin/busctl ixr,
284
15
285
3
/etc/netplan/{,**} rw,
16
/etc/netplan/{,**} rw,
286
4
/etc/network/{,**} rw,
17
/etc/network/{,**} rw,
287
5
/etc/systemd/network/{,**} rw,
18
/etc/systemd/network/{,**} rw,
288
6
19
289
=== modified file 'data/policy/classic/16/apparmor/network-setup-observe'
290
--- data/policy/classic/16/apparmor/network-setup-observe	2021-03-24 13:55:25 +0000
291
+++ data/policy/classic/16/apparmor/network-setup-observe	2021-08-25 03:55:24 +0000
292
@@ -1,5 +1,19 @@
293
1
# Description: Can read netplan configuration files
1
# Description: Can read netplan configuration files
294
2
2
295
3
# Allow use of the netplan binary from the base snap. With this interface, this 
296
4
# is expected to be able to only get information about the current network 
297
5
# configuration and not generate or apply it like is allowed with 
298
6
# network-setup-control.
299
7
/usr/sbin/netplan ixr,
300
8
# core18+ has /usr/sbin/netplan as a symlink to this script
301
9
/usr/share/netplan/netplan.script ixr,
302
10
# netplan related files
303
11
/usr/share/netplan/ r,
304
12
/usr/share/netplan/** r,
305
13
306
14
# Netplan uses busctl internally, so allow using that as well
307
15
/usr/bin/busctl ixr,
308
16
309
3
/etc/netplan/{,**} r,
17
/etc/netplan/{,**} r,
310
4
/etc/network/{,**} r,
18
/etc/network/{,**} r,
311
5
/etc/systemd/network/{,**} r,
19
/etc/systemd/network/{,**} r,
312
6
20
313
=== modified file 'data/policy/classic/16/apparmor/ofono'
314
--- data/policy/classic/16/apparmor/ofono	2021-03-24 13:55:25 +0000
315
+++ data/policy/classic/16/apparmor/ofono	2021-08-25 03:55:24 +0000
316
@@ -25,7 +25,7 @@
317
25
    bus=system
25
    bus=system
318
26
    path=/{,**}
26
    path=/{,**}
319
27
    interface=org.ofono.*
27
    interface=org.ofono.*
321
28
    peer=(label="snap.core."),
28
    peer=(label="snap.snapd.*"),
322
29
29
323
30
# Allow clients to introspect the service on non-classic (due to the path,
30
# Allow clients to introspect the service on non-classic (due to the path,
324
31
# allowing on classic would reveal too much for unconfined)
31
# allowing on classic would reveal too much for unconfined)
325
@@ -34,5 +34,5 @@
326
34
    path=/
34
    path=/
327
35
    interface=org.freedesktop.DBus.Introspectable
35
    interface=org.freedesktop.DBus.Introspectable
328
36
    member=Introspect
36
    member=Introspect
330
37
    peer=(label="snap.core."),
37
    peer=(label="snap.snapd.*"),
331
38
38
332
39
39
333
=== modified file 'data/policy/classic/16/apparmor/opengl'
334
--- data/policy/classic/16/apparmor/opengl	2021-03-24 13:55:25 +0000
335
+++ data/policy/classic/16/apparmor/opengl	2021-08-25 03:55:24 +0000
336
@@ -81,7 +81,10 @@
337
81
81
338
82
# Xilinx zocl DRM driver
82
# Xilinx zocl DRM driver
339
83
# https://github.com/Xilinx/XRT/tree/master/src/runtime_src/core/edge/drm
83
# https://github.com/Xilinx/XRT/tree/master/src/runtime_src/core/edge/drm
341
84
/sys/devices/platform/amba_pl@[0-9]*/amba_pl@[0-9]*:zyxclmm_drm/* r,
84
/sys/devices/platform/amba{,_pl@[0-9]*}/amba{,_pl@[0-9]*}:zyxclmm_drm/* r,
342
85
343
86
# Imagination PowerVR driver
344
87
/dev/pvr_sync rw,
345
85
88
346
86
# OpenCL ICD files
89
# OpenCL ICD files
347
87
/etc/OpenCL/vendors/ r,
90
/etc/OpenCL/vendors/ r,
348
88
91
349
=== modified file 'data/policy/classic/16/apparmor/ppp'
350
--- data/policy/classic/16/apparmor/ppp	2021-03-24 13:55:25 +0000
351
+++ data/policy/classic/16/apparmor/ppp	2021-08-25 03:55:24 +0000
352
@@ -10,7 +10,7 @@
353
10
/run/ppp* rwk,
10
/run/ppp* rwk,
354
11
/var/run/ppp* rwk,
11
/var/run/ppp* rwk,
355
12
/var/log/ppp* rw,
12
/var/log/ppp* rw,
357
13
/bin/run-parts ix,
13
/{,usr/}bin/run-parts ix,
358
14
@{PROC}/@{pid}/loginuid r,
14
@{PROC}/@{pid}/loginuid r,
359
15
capability setgid,
15
capability setgid,
360
16
capability setuid,
16
capability setuid,
361
17
17
362
=== added file 'data/policy/classic/16/apparmor/raw-input'
363
--- data/policy/classic/16/apparmor/raw-input	1970-01-01 00:00:00 +0000
364
+++ data/policy/classic/16/apparmor/raw-input	2021-08-25 03:55:24 +0000
365
@@ -0,0 +1,13 @@
366
1
# Description: Allow reading and writing to raw input devices
367
2
368
3
/dev/input/* rw,
369
4
370
5
# Allow reading for supported event reports for all input devices. See
371
6
# https://www.kernel.org/doc/Documentation/input/event-codes.txt
372
7
/sys/devices/**/input[0-9]*/capabilities/* r,
373
8
374
9
# For using udev
375
10
network netlink raw,
376
11
/run/udev/data/c13:[0-9]* r,
377
12
/run/udev/data/+input:input[0-9]* r,
378
13
379
0
14
380
=== added file 'data/policy/classic/16/apparmor/sd-control'
381
--- data/policy/classic/16/apparmor/sd-control	1970-01-01 00:00:00 +0000
382
+++ data/policy/classic/16/apparmor/sd-control	2021-08-25 03:55:24 +0000
383
@@ -0,0 +1,6 @@
384
1
# Description: can manage and control the SD cards using the DualSD driver.
385
2
386
3
# The main DualSD device node is used to control certain aspects of SD cards on
387
4
# the system.
388
5
/dev/DualSD rw,
389
6
390
0
7
391
=== modified file 'data/policy/classic/16/apparmor/system-observe'
392
--- data/policy/classic/16/apparmor/system-observe	2021-03-24 13:55:25 +0000
393
+++ data/policy/classic/16/apparmor/system-observe	2021-08-25 03:55:24 +0000
394
@@ -22,6 +22,7 @@
395
22
@{PROC}/modules r,
22
@{PROC}/modules r,
396
23
@{PROC}/stat r,
23
@{PROC}/stat r,
397
24
@{PROC}/vmstat r,
24
@{PROC}/vmstat r,
398
25
@{PROC}/zoneinfo r,
399
25
@{PROC}/diskstats r,
26
@{PROC}/diskstats r,
400
26
@{PROC}/kallsyms r,
27
@{PROC}/kallsyms r,
401
27
@{PROC}/partitions r,
28
@{PROC}/partitions r,
402
28
29
403
=== added file 'data/policy/classic/16/apparmor/tee'
404
--- data/policy/classic/16/apparmor/tee	1970-01-01 00:00:00 +0000
405
+++ data/policy/classic/16/apparmor/tee	2021-08-25 03:55:24 +0000
406
@@ -0,0 +1,9 @@
407
1
# Description: for those who need to talk to the TEE subsystem over
408
2
# /dev/tee[0-9]* and/or /dev/teepriv[0-0]*
409
3
410
4
/dev/tee[0-9]* rw,
411
5
/dev/teepriv[0-9]* rw,
412
6
413
7
# Qualcomm equivalent qseecom (Qualcomm Secure Execution Environment Communicator)
414
8
/dev/qseecom rw,
415
9
416
0
10
417
=== modified file 'data/policy/classic/16/apparmor/time-control'
418
--- data/policy/classic/16/apparmor/time-control	2021-03-24 13:55:25 +0000
419
+++ data/policy/classic/16/apparmor/time-control	2021-08-25 03:55:24 +0000
420
@@ -67,5 +67,5 @@
421
67
# write to the audit subsystem. We omit 'capability audit_write'
67
# write to the audit subsystem. We omit 'capability audit_write'
422
68
# and 'capability net_admin' here. Applications requiring audit
68
# and 'capability net_admin' here. Applications requiring audit
423
69
# logging should plug 'netlink-audit'.
69
# logging should plug 'netlink-audit'.
425
70
/sbin/hwclock ixr,
70
/{,usr/}sbin/hwclock ixr,
426
71
71
427
72
72
428
=== added file 'data/policy/classic/16/seccomp/dm-crypt'
429
--- data/policy/classic/16/seccomp/dm-crypt	1970-01-01 00:00:00 +0000
430
+++ data/policy/classic/16/seccomp/dm-crypt	2021-08-25 03:55:24 +0000
431
@@ -0,0 +1,6 @@
432
1
# Description: Allow kernel keyring manipulation
433
2
add_key
434
3
keyctl
435
4
request_key
436
5
437
6
438
0
7
439
=== modified file 'data/policy/classic/16/seccomp/greengrass-support'
440
--- data/policy/classic/16/seccomp/greengrass-support	2019-11-26 19:16:08 +0000
441
+++ data/policy/classic/16/seccomp/greengrass-support	2021-08-25 03:55:24 +0000
442
@@ -32,7 +32,7 @@
443
32
# by greengrassd.
32
# by greengrassd.
444
33
keyctl
33
keyctl
445
34
34
447
35
# special character device creation is necessary for creating the overlayfs 
35
# special character device creation is necessary for creating the overlayfs
448
36
# mounts
36
# mounts
449
37
# Unfortunately this grants device ownership to the snap.
37
# Unfortunately this grants device ownership to the snap.
450
38
mknod - |S_IFCHR -
38
mknod - |S_IFCHR -
451
39
39
452
=== added file 'data/policy/classic/16/seccomp/raw-input'
453
--- data/policy/classic/16/seccomp/raw-input	1970-01-01 00:00:00 +0000
454
+++ data/policy/classic/16/seccomp/raw-input	2021-08-25 03:55:24 +0000
455
@@ -0,0 +1,6 @@
456
1
# Description: Allow handling input devices.
457
2
# for udev
458
3
bind
459
4
socket AF_NETLINK - NETLINK_KOBJECT_UEVENT
460
5
461
6
462
0
7
463
=== modified file 'policy-app/test-snapd-policy-app-consumer/meta/snap.yaml'
464
--- policy-app/test-snapd-policy-app-consumer/meta/snap.yaml	2020-03-18 18:33:59 +0000
465
+++ policy-app/test-snapd-policy-app-consumer/meta/snap.yaml	2021-08-25 03:55:24 +0000
466
@@ -11,6 +11,9 @@
467
11
  adb-support:
11
  adb-support:
468
12
    command: bin/run
12
    command: bin/run
469
13
    plugs: [ adb-support ]
13
    plugs: [ adb-support ]
470
14
  allegro-vcu:
471
15
    command: bin/run
472
16
    plugs: [ allegro-vcu ]
473
14
  alsa:
17
  alsa:
474
15
    command: bin/run
18
    command: bin/run
475
16
    plugs: [ alsa ]
19
    plugs: [ alsa ]
476
@@ -74,6 +77,9 @@
477
74
  cpu-control:
77
  cpu-control:
478
75
    command: bin/run
78
    command: bin/run
479
76
    plugs: [ cpu-control ]
79
    plugs: [ cpu-control ]
480
80
  cups:
481
81
    command: bin/run
482
82
    plugs: [ cups ]
483
77
  cups-control:
83
  cups-control:
484
78
    command: bin/run
84
    command: bin/run
485
79
    plugs: [ cups-control ]
85
    plugs: [ cups-control ]
486
@@ -98,12 +104,21 @@
487
98
  display-control:
104
  display-control:
488
99
    command: bin/run
105
    command: bin/run
489
100
    plugs: [ display-control ]
106
    plugs: [ display-control ]
490
107
  dm-crypt:
491
108
    command: bin/run
492
109
    plugs: [ dm-crypt ]
493
101
  docker:
110
  docker:
494
102
    command: bin/run
111
    command: bin/run
495
103
    plugs: [ docker ]
112
    plugs: [ docker ]
496
104
  docker-support:
113
  docker-support:
497
105
    command: bin/run
114
    command: bin/run
498
106
    plugs: [ docker-support ]
115
    plugs: [ docker-support ]
499
116
  dsp-control:
500
117
    command: bin/run
501
118
    plugs: [ dsp-control ]
502
119
  fpga:
503
120
    command: bin/run
504
121
    plugs: [ fpga ]
505
107
  system-files:
122
  system-files:
506
108
    command: bin/run
123
    command: bin/run
507
109
    plugs: [ system-files ]
124
    plugs: [ system-files ]
508
@@ -128,6 +143,9 @@
509
128
  accounts-service:
143
  accounts-service:
510
129
    command: bin/run
144
    command: bin/run
511
130
    plugs: [ accounts-service ]
145
    plugs: [ accounts-service ]
512
146
  gconf:
513
147
    command: bin/run
514
148
    plugs: [ gconf ]
515
131
  gpg-keys:
149
  gpg-keys:
516
132
    command: bin/run
150
    command: bin/run
517
133
    plugs: [ gpg-keys ]
151
    plugs: [ gpg-keys ]
518
@@ -158,9 +176,18 @@
519
158
  home:
176
  home:
520
159
    command: bin/run
177
    command: bin/run
521
160
    plugs: [ home ]
178
    plugs: [ home ]
522
179
  system-packages-doc:
523
180
    command: bin/run
524
181
    plugs: [ system-packages-doc ]
525
182
  system-source-code:
526
183
    command: bin/run
527
184
    plugs: [ system-source-code ]
528
161
  hostname-control:
185
  hostname-control:
529
162
    command: bin/run
186
    command: bin/run
530
163
    plugs: [ hostname-control ]
187
    plugs: [ hostname-control ]
531
188
  hugepages-control:
532
189
    command: bin/run
533
190
    plugs: [ hugepages-control ]
534
164
  intel-mei:
191
  intel-mei:
535
165
    command: bin/run
192
    command: bin/run
536
166
    plugs: [ intel-mei ]
193
    plugs: [ intel-mei ]
537
@@ -176,6 +203,9 @@
538
176
  juju-client-observe:
203
  juju-client-observe:
539
177
    command: bin/run
204
    command: bin/run
540
178
    plugs: [ juju-client-observe ]
205
    plugs: [ juju-client-observe ]
541
206
  kernel-crypto-api:
542
207
    command: bin/run
543
208
    plugs: [ kernel-crypto-api ]
544
179
  kernel-module-control:
209
  kernel-module-control:
545
180
    command: bin/run
210
    command: bin/run
546
181
    plugs: [ kernel-module-control ]
211
    plugs: [ kernel-module-control ]
547
@@ -218,6 +248,9 @@
548
218
  maliit:
248
  maliit:
549
219
    command: bin/run
249
    command: bin/run
550
220
    plugs: [ maliit ]
250
    plugs: [ maliit ]
551
251
  media-control:
552
252
    command: bin/run
553
253
    plugs: [ media-control ]
554
221
  media-hub:
254
  media-hub:
555
222
    command: bin/run
255
    command: bin/run
556
223
    plugs: [ media-hub ]
256
    plugs: [ media-hub ]
557
@@ -308,9 +341,15 @@
558
308
  process-control:
341
  process-control:
559
309
    command: bin/run
342
    command: bin/run
560
310
    plugs: [ process-control ]
343
    plugs: [ process-control ]
561
344
  ptp:
562
345
    command: bin/run
563
346
    plugs: [ ptp ]
564
311
  pulseaudio:
347
  pulseaudio:
565
312
    command: bin/run
348
    command: bin/run
566
313
    plugs: [ pulseaudio ]
349
    plugs: [ pulseaudio ]
567
350
  raw-input:
568
351
    command: bin/run
569
352
    plugs: [ raw-input ]
570
314
  raw-usb:
353
  raw-usb:
571
315
    command: bin/run
354
    command: bin/run
572
316
    plugs: [ raw-usb ]
355
    plugs: [ raw-usb ]
573
@@ -338,6 +377,9 @@
574
338
  can-bus:
377
  can-bus:
575
339
    command: bin/run
378
    command: bin/run
576
340
    plugs: [ can-bus ]
379
    plugs: [ can-bus ]
577
380
  sd-control:
578
381
    command: bin/run
579
382
    plugs: [ sd-control ]
580
341
  ssh-keys:
383
  ssh-keys:
581
342
    command: bin/run
384
    command: bin/run
582
343
    plugs: [ ssh-keys ]
385
    plugs: [ ssh-keys ]
583
@@ -359,6 +401,9 @@
584
359
  dummy:
401
  dummy:
585
360
    command: bin/run
402
    command: bin/run
586
361
    plugs: [ dummy ]
403
    plugs: [ dummy ]
587
404
  tee:
588
405
    command: bin/run
589
406
    plugs: [ tee ]
590
362
  thumbnailer-service:
407
  thumbnailer-service:
591
363
    command: bin/run
408
    command: bin/run
592
364
    plugs: [ thumbnailer-service ]
409
    plugs: [ thumbnailer-service ]
593
@@ -386,6 +431,9 @@
594
386
  uhid:
431
  uhid:
595
387
    command: bin/run
432
    command: bin/run
596
388
    plugs: [ uhid ]
433
    plugs: [ uhid ]
597
434
  uinput:
598
435
    command: bin/run
599
436
    plugs: [ uinput ]
600
389
  uio:
437
  uio:
601
390
    command: bin/run
438
    command: bin/run
602
391
    plugs: [ uio ]
439
    plugs: [ uio ]
603
@@ -404,6 +452,9 @@
604
404
  upower-observe:
452
  upower-observe:
605
405
    command: bin/run
453
    command: bin/run
606
406
    plugs: [ upower-observe ]
454
    plugs: [ upower-observe ]
607
455
  vcio:
608
456
    command: bin/run
609
457
    plugs: [ vcio ]
610
407
  wayland:
458
  wayland:
611
408
    command: bin/run
459
    command: bin/run
612
409
    plugs: [ wayland ]
460
    plugs: [ wayland ]
613
@@ -437,3 +488,6 @@
614
437
    write: [$HOME/dir1]
488
    write: [$HOME/dir1]
615
438
  dummy:
489
  dummy:
616
439
    interface: dummy
490
    interface: dummy
617
491
  sd-control:
618
492
    interface: sd-control
619
493
    flavor: dual-sd
620
440
494
621
=== modified file 'policy-app/test-snapd-policy-app-provider-core/meta/snap.yaml'
622
--- policy-app/test-snapd-policy-app-provider-core/meta/snap.yaml	2020-03-18 18:33:59 +0000
623
+++ policy-app/test-snapd-policy-app-provider-core/meta/snap.yaml	2021-08-25 03:55:24 +0000
624
@@ -15,6 +15,8 @@
625
15
    content: test-content
15
    content: test-content
626
16
    read:
16
    read:
627
17
    - $SNAP/content
17
    - $SNAP/content
628
18
  cups: null
629
19
  cups-control: null
630
18
  dbus-session:
20
  dbus-session:
631
19
    interface: dbus
21
    interface: dbus
632
20
    bus: session
22
    bus: session
633
@@ -67,6 +69,12 @@
634
67
  content-read:
69
  content-read:
635
68
    command: bin/run
70
    command: bin/run
636
69
    slots: [ content-read ]
71
    slots: [ content-read ]
637
72
  cups:
638
73
    command: bin/run
639
74
    slots: [ cups ]
640
75
  cups-control:
641
76
    command: bin/run
642
77
    slots: [ cups-control ]
643
70
  dbus-session:
78
  dbus-session:
644
71
    command: bin/run
79
    command: bin/run
645
72
    slots: [ dbus-session ]
80
    slots: [ dbus-session ]
Status:	Merged
Merged at revision:	206
Proposed branch:	lp:~alexmurray/snappy-hub/update-for-snapd-2.51.6
Merge into:	lp:~snappy-debug-developers/snappy-hub/snappy-debug
Diff against target:	645 lines (+197/-34) 28 files modified data/policy/classic/16/apparmor/account-control (+1/-1) data/policy/classic/16/apparmor/block-devices (+1/-0) data/policy/classic/16/apparmor/camera (+1/-0) data/policy/classic/16/apparmor/dm-crypt (+18/-0) data/policy/classic/16/apparmor/docker-support (+10/-1) data/policy/classic/16/apparmor/greengrass-support (+11/-11) data/policy/classic/16/apparmor/hardware-observe (+1/-1) data/policy/classic/16/apparmor/kernel-module-control (+1/-1) data/policy/classic/16/apparmor/kernel-module-observe (+1/-1) data/policy/classic/16/apparmor/kubernetes-support (+7/-6) data/policy/classic/16/apparmor/modem-manager (+2/-2) data/policy/classic/16/apparmor/multipass-support (+1/-1) data/policy/classic/16/apparmor/network-control (+3/-3) data/policy/classic/16/apparmor/network-setup-control (+13/-0) data/policy/classic/16/apparmor/network-setup-observe (+14/-0) data/policy/classic/16/apparmor/ofono (+2/-2) data/policy/classic/16/apparmor/opengl (+4/-1) data/policy/classic/16/apparmor/ppp (+1/-1) data/policy/classic/16/apparmor/raw-input (+13/-0) data/policy/classic/16/apparmor/sd-control (+6/-0) data/policy/classic/16/apparmor/system-observe (+1/-0) data/policy/classic/16/apparmor/tee (+9/-0) data/policy/classic/16/apparmor/time-control (+1/-1) data/policy/classic/16/seccomp/dm-crypt (+6/-0) data/policy/classic/16/seccomp/greengrass-support (+1/-1) data/policy/classic/16/seccomp/raw-input (+6/-0) policy-app/test-snapd-policy-app-consumer/meta/snap.yaml (+54/-0) policy-app/test-snapd-policy-app-provider-core/meta/snap.yaml (+8/-0)
To merge this branch:	bzr merge lp:~alexmurray/snappy-hub/update-for-snapd-2.51.6
Related bugs:	Link a bug report
Reviewer	Review Type	Date Requested	Status
The snappy-debug snap developers		2021-08-25	Pending
Review via email: mp+407651@code.launchpad.net