Merge lp:~alexmurray/snappy-hub/update-for-snapd-2.51.6 into lp:~snappy-debug-developers/snappy-hub/snappy-debug

Proposed by Alex Murray
Status: Merged
Merged at revision: 206
Proposed branch: lp:~alexmurray/snappy-hub/update-for-snapd-2.51.6
Merge into: lp:~snappy-debug-developers/snappy-hub/snappy-debug
Diff against target: 645 lines (+197/-34)
28 files modified
data/policy/classic/16/apparmor/account-control (+1/-1)
data/policy/classic/16/apparmor/block-devices (+1/-0)
data/policy/classic/16/apparmor/camera (+1/-0)
data/policy/classic/16/apparmor/dm-crypt (+18/-0)
data/policy/classic/16/apparmor/docker-support (+10/-1)
data/policy/classic/16/apparmor/greengrass-support (+11/-11)
data/policy/classic/16/apparmor/hardware-observe (+1/-1)
data/policy/classic/16/apparmor/kernel-module-control (+1/-1)
data/policy/classic/16/apparmor/kernel-module-observe (+1/-1)
data/policy/classic/16/apparmor/kubernetes-support (+7/-6)
data/policy/classic/16/apparmor/modem-manager (+2/-2)
data/policy/classic/16/apparmor/multipass-support (+1/-1)
data/policy/classic/16/apparmor/network-control (+3/-3)
data/policy/classic/16/apparmor/network-setup-control (+13/-0)
data/policy/classic/16/apparmor/network-setup-observe (+14/-0)
data/policy/classic/16/apparmor/ofono (+2/-2)
data/policy/classic/16/apparmor/opengl (+4/-1)
data/policy/classic/16/apparmor/ppp (+1/-1)
data/policy/classic/16/apparmor/raw-input (+13/-0)
data/policy/classic/16/apparmor/sd-control (+6/-0)
data/policy/classic/16/apparmor/system-observe (+1/-0)
data/policy/classic/16/apparmor/tee (+9/-0)
data/policy/classic/16/apparmor/time-control (+1/-1)
data/policy/classic/16/seccomp/dm-crypt (+6/-0)
data/policy/classic/16/seccomp/greengrass-support (+1/-1)
data/policy/classic/16/seccomp/raw-input (+6/-0)
policy-app/test-snapd-policy-app-consumer/meta/snap.yaml (+54/-0)
policy-app/test-snapd-policy-app-provider-core/meta/snap.yaml (+8/-0)
To merge this branch: bzr merge lp:~alexmurray/snappy-hub/update-for-snapd-2.51.6
Reviewer Review Type Date Requested Status
The snappy-debug snap developers Pending
Review via email: mp+407651@code.launchpad.net
Seth Arnold (seth-arnold) wrote :

A comment inline in one place, but it applies to several similar segments. Thanks.

Preview Diff

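--- a/data/policy/classic/16/apparmor/account-control
+++ b/data/policy/classic/16/apparmor/account-control
@@ -14,7 +14,7 @@
 /etc/pam.d/{,*} r,
 
 # Needed by chpasswd
-/lib/@{multiarch}/security/* ixr,
+/{,usr/}lib/@{multiarch}/security/* ixr,
 
 # Useradd needs netlink
 network netlink raw,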
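--- a/data/policy/classic/16/apparmor/block-devices
+++ b/data/policy/classic/16/apparmor/block-devices
@@ -4,6 +4,7 @@
 /run/udev/data/b[0-9]*:[0-9]* r,
 /sys/block/ r,
 /sys/devices/**/block/** r,
+/sys/devices/platform/soc/**/mmc_host/** r,
 
 # Access to raw devices, not individual partitions
 /dev/hd[a-t] rw, # IDE, MFM, RLL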
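--- a/data/policy/classic/16/apparmor/camera
+++ b/data/policy/classic/16/apparmor/camera
@@ -17,4 +17,5 @@
 /run/udev/data/+usb:* r,
 /sys/class/video4linux/ r,
 /sys/devices/pci**/usb*/**/video4linux/** r,
+/sys/devices/platform/**/usb*/**/video4linux/** r,
 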
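--- a/data/policy/classic/16/apparmor/dm-crypt
+++ b/data/policy/classic/16/apparmor/dm-crypt
@@ -0,0 +1,18 @@
+# Allow mapper access
+/dev/mapper/control rw,
+/dev/dm-[0-9]* rw,
+# allow use of cryptsetup from core snap
+/{,usr/}sbin/cryptsetup ixr,
+# Mount points could be in /run/media/<user>/* or /media/<user>/*
+/run/systemd/seats/* r,
+/{,run/}media/{,**} rw,
+mount options=(ro,nosuid,nodev) /dev/dm-[0-9]* -> /{,run/}media/**,
+mount options=(rw,nosuid,nodev) /dev/dm-[0-9]* -> /{,run/}media/**,
+
+# exec mount/umount to do the actual operations
+/{,usr/}bin/mount ixr,
+/{,usr/}bin/umount ixr,
+
+# mount/umount (via libmount) track some mount info in these files
+/run/mount/utab* wrlk,
+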
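Review bot: The new profile grants `/dev/dm-[0-9]* rw,` and `/{,run/}media/{,**} rw,`, which cover every device-mapper node and everything under the removable-media mount points rather than only the mappings and mounts this snap created, and nothing in the file states that reach. Unlike the other profiles added in this merge (raw-input, sd-control, tee) it also has no `# Description:` header. I would open the file with a header such as `# Description: Can manage encrypted block devices through device-mapper and mount them under /media and /run/media; this gives raw read/write access to all dm devices, not only those created by the snap.` so that whoever grants the interface sees its scope.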
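--- a/data/policy/classic/16/apparmor/docker-support
+++ b/data/policy/classic/16/apparmor/docker-support
@@ -86,7 +86,7 @@
 
 # Docker needs to be able to create and load the profile it applies to
 # containers ("docker-default")
-/sbin/apparmor_parser ixr,
+/{,usr/}sbin/apparmor_parser ixr,
 /etc/apparmor.d/cache/ r, # apparmor 2.12 and below
 /etc/apparmor.d/cache/.features r,
 /etc/apparmor.d/{,cache/}docker* rw,
@@ -145,3 +145,12 @@
 # containerd to use this path for various account information for pods.
 /run/secrets/kubernetes.io/{,**} rk,
 
+# Allow using the 'autobind' feature of bind() (eg, for journald via go-systemd)
+# unix (bind) type=dgram addr=auto,
+# TODO: when snapd vendors in AppArmor userspace, then enable the new syntax
+# above which allows only "empty"/automatic addresses, for now we simply permit
+# all addresses with SOCK_DGRAM type, which leaks info for other addresses than
+# what docker tries to use
+# see https://bugs.launchpad.net/snapd/+bug/1867216
+unix (bind) type=dgram,
+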
=== modified file 'data/policy/classic/16/apparmor/greengrass-support'
--- data/policy/classic/16/apparmor/greengrass-support 2021-03-24 13:55:25 +0000
+++ data/policy/classic/16/apparmor/greengrass-support 2021-08-25 03:55:24 +0000
@@ -49,7 +49,7 @@
4949
50# cgroup accesses50# cgroup accesses
51# greengrassd extensively uses cgroups to confine it's containers (AKA lambdas)51# greengrassd extensively uses cgroups to confine it's containers (AKA lambdas)
52# and needs to read what cgroups are available; we allow reading any cgroup, 52# and needs to read what cgroups are available; we allow reading any cgroup,
53# but limit writes below53# but limit writes below
54# also note that currently greengrass is not implemented in such a way that it54# also note that currently greengrass is not implemented in such a way that it
55# can stack it's cgroups inside the cgroup that snapd would normally enforce55# can stack it's cgroups inside the cgroup that snapd would normally enforce
@@ -75,10 +75,10 @@
75# specific rule for cpuset files75# specific rule for cpuset files
76owner /old_rootfs/sys/fs/cgroup/cpuset/{,system.slice/}cpuset.{cpus,mems} rw,76owner /old_rootfs/sys/fs/cgroup/cpuset/{,system.slice/}cpuset.{cpus,mems} rw,
7777
78# the wrapper scripts need to use mount/umount and pivot_root from the 78# the wrapper scripts need to use mount/umount and pivot_root from the
79# core snap79# core snap
80/bin/{,u}mount ixr,80/{,usr/}bin/{,u}mount ixr,
81/sbin/pivot_root ixr,81/{,usr/}sbin/pivot_root ixr,
8282
83# allow pivot_root'ing into the rootfs prepared for the greengrass daemon83# allow pivot_root'ing into the rootfs prepared for the greengrass daemon
84# parallel-installs: SNAP_{DATA,COMMON} are remapped, need to use SNAP_NAME, for84# parallel-installs: SNAP_{DATA,COMMON} are remapped, need to use SNAP_NAME, for
@@ -119,9 +119,9 @@
119# completeness allow SNAP_INSTANCE_NAME too119# completeness allow SNAP_INSTANCE_NAME too
120mount options=(rw, bind) /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/** -> /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/** ,120mount options=(rw, bind) /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/** -> /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/** ,
121mount options=(rw, rbind) /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/** -> /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/** ,121mount options=(rw, rbind) /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/** -> /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/** ,
122# also allow mounting new files anywhere underneath the rootfs of the target 122# also allow mounting new files anywhere underneath the rootfs of the target
123# overlayfs directory, which is the rootfs of the container123# overlayfs directory, which is the rootfs of the container
124# this is for allowing local resource access which first makes a mount at 124# this is for allowing local resource access which first makes a mount at
125# the target destination and then a bind mount from the source to the destination125# the target destination and then a bind mount from the source to the destination
126# the source destination mount will be allowed under the above rule126# the source destination mount will be allowed under the above rule
127mount -> /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/*/ggc-writable/packages/*/rootfs/merged/**,127mount -> /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/*/ggc-writable/packages/*/rootfs/merged/**,
@@ -168,7 +168,7 @@
168mount options=(rw, bind) /run/ -> /run/,168mount options=(rw, bind) /run/ -> /run/,
169169
170# mounts for resolv.conf inside the container170# mounts for resolv.conf inside the container
171# we have to manually do this otherwise the go DNS resolver fails to work, because it isn't configured to 171# we have to manually do this otherwise the go DNS resolver fails to work, because it isn't configured to
172# use the system DNS server and attempts to do DNS resolution itself, manually inspecting /etc/resolv.conf172# use the system DNS server and attempts to do DNS resolution itself, manually inspecting /etc/resolv.conf
173mount options=(ro, bind) /run/systemd/resolve/stub-resolv.conf -> /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/*/rootfs/etc/resolv.conf,173mount options=(ro, bind) /run/systemd/resolve/stub-resolv.conf -> /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/*/rootfs/etc/resolv.conf,
174mount options=(ro, bind) /run/resolvconf/resolv.conf -> /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/*/rootfs/etc/resolv.conf,174mount options=(ro, bind) /run/resolvconf/resolv.conf -> /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/*/rootfs/etc/resolv.conf,
@@ -177,7 +177,7 @@
177# pivot_root for the container initialization into the rootfs177# pivot_root for the container initialization into the rootfs
178# note that the actual syscall is pivotroot(".",".")178# note that the actual syscall is pivotroot(".",".")
179# so the oldroot is the same as the new root179# so the oldroot is the same as the new root
180pivot_root 180pivot_root
181 oldroot=/var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/*/ggc-writable/packages/*/rootfs/merged/181 oldroot=/var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/*/ggc-writable/packages/*/rootfs/merged/
182 /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/*/ggc-writable/packages/*/rootfs/merged/,182 /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/*/ggc-writable/packages/*/rootfs/merged/,
183183
@@ -213,12 +213,12 @@
213# and /run is explicitly disallowed for use by layouts213# and /run is explicitly disallowed for use by layouts
214# also note that technically this access is post-pivot_root, but during the setup214# also note that technically this access is post-pivot_root, but during the setup
215# for the mount ns that the snap performs (not snapd), /var/run is bind mounted215# for the mount ns that the snap performs (not snapd), /var/run is bind mounted
216# from outside the pivot_root to inside the pivot_root, so this will always 216# from outside the pivot_root to inside the pivot_root, so this will always
217# access the same files inside or outside the pivot_root217# access the same files inside or outside the pivot_root
218owner /{var/,}run/greengrassd.pid rw,218owner /{var/,}run/greengrassd.pid rw,
219219
220# all of the rest of the accesses are made by child containers and as such are 220# all of the rest of the accesses are made by child containers and as such are
221# "post-pivot_root", meaning that they aren't accessing these files on the 221# "post-pivot_root", meaning that they aren't accessing these files on the
222# host root filesystem, but rather somewhere inside $SNAP_DATA/rootfs/222# host root filesystem, but rather somewhere inside $SNAP_DATA/rootfs/
223# Note: eventually greengrass will gain the ability to specify child profiles223# Note: eventually greengrass will gain the ability to specify child profiles
224# for it's containers and include these rules in that profile so they won't224# for it's containers and include these rules in that profile so they won't
225225
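--- a/data/policy/classic/16/apparmor/hardware-observe
+++ b/data/policy/classic/16/apparmor/hardware-observe
@@ -11,7 +11,7 @@
 # used by lspci
 capability sys_admin,
 /etc/modprobe.d/{,*} r,
-/lib/modprobe.d/{,*} r,
+/{,usr/}lib/modprobe.d/{,*} r,
 
 # files in /sys pertaining to hardware (eg, 'lspci -A linux-sysfs')
 /sys/{block,bus,class,devices,firmware}/{,**} r,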
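--- a/data/policy/classic/16/apparmor/kernel-module-control
+++ b/data/policy/classic/16/apparmor/kernel-module-control
@@ -18,5 +18,5 @@
 # Allow reading information about loaded kernel modules
 /sys/module/{,**} r,
 /etc/modprobe.d/{,**} r,
-/lib/modprobe.d/{,**} r,
+/{,usr/}lib/modprobe.d/{,**} r,
 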
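--- a/data/policy/classic/16/apparmor/kernel-module-observe
+++ b/data/policy/classic/16/apparmor/kernel-module-observe
@@ -12,5 +12,5 @@
 # Allow reading information about loaded kernel modules
 /sys/module/{,**} r,
 /etc/modprobe.d/{,**} r,
-/lib/modprobe.d/{,**} r,
+/{,usr/}lib/modprobe.d/{,**} r,
 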
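--- a/data/policy/classic/16/apparmor/kubernetes-support
+++ b/data/policy/classic/16/apparmor/kubernetes-support
@@ -169,11 +169,12 @@
 /sys/module/ip_vs_sh/initstate r,
 /sys/module/ip_vs_wrr/initstate r,
 
-# Allow using the 'autobind' feature of bind() (eg, for journald).
-#unix (bind) type=dgram addr=none,
-# Due to LP: 1867216, we cannot use the above rule and must instead use this
-# less specific rule that allows bind() to arbitrary SOCK_DGRAM abstract socket
-# names (separate send and receive rules are still required for communicating
-# over the socket).
+# Allow using the 'autobind' feature of bind() (eg, for journald via go-systemd)
+# unix (bind) type=dgram addr=auto,
+# TODO: when snapd vendors in AppArmor userspace, then enable the new syntax
+# above which allows only "empty"/automatic addresses, for now we simply permit
+# all addresses with SOCK_DGRAM type, which leaks info for other addresses than
+# what docker tries to use
+# see https://bugs.launchpad.net/snapd/+bug/1867216
 unix (bind) type=dgram,
 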
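Review bot: The rewritten comment above `unix (bind) type=dgram,` still says "what docker tries to use", which reads as copied from the docker-support profile and is wrong in kubernetes-support. It also drops the removed comment's statement that separate send and receive rules are still required to communicate over the socket, which is the detail that bounds what this broad bind rule exposes. I would end the comment with `# what kubernetes tries to use (separate send and receive rules are still required for communicating over the socket)`. The identical comment block added to docker-support would benefit from the same send/receive caveat.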
=== modified file 'data/policy/classic/16/apparmor/modem-manager'
--- data/policy/classic/16/apparmor/modem-manager 2021-03-24 13:55:25 +0000
+++ data/policy/classic/16/apparmor/modem-manager 2021-08-25 03:55:24 +0000
@@ -33,10 +33,10 @@
33 bus=system33 bus=system
34 path=/org/freedesktop/ModemManager1{,/**}34 path=/org/freedesktop/ModemManager1{,/**}
35 interface=org.freedesktop.ModemManager1*35 interface=org.freedesktop.ModemManager1*
36 peer=(label="snap.core."),36 peer=(label="snap.snapd.*"),
37dbus (receive, send)37dbus (receive, send)
38 bus=system38 bus=system
39 path=/org/freedesktop/ModemManager1{,/**}39 path=/org/freedesktop/ModemManager1{,/**}
40 interface=org.freedesktop.DBus.*40 interface=org.freedesktop.DBus.*
41 peer=(label="snap.core."),41 peer=(label="snap.snapd.*"),
4242
4343
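--- a/data/policy/classic/16/apparmor/multipass-support
+++ b/data/policy/classic/16/apparmor/multipass-support
@@ -1,6 +1,6 @@
 # Description: this policy intentionally allows the Multipass daemon to configure AppArmor
 # as Multipass generates AppArmor profiles for the utility processes it spawns.
-/sbin/apparmor_parser ixr,
+/{,usr/}sbin/apparmor_parser ixr,
 /etc/apparmor{,.d}/{,**} r,
 /sys/kernel/security/apparmor/{,**} r,
 /sys/kernel/security/apparmor/.remove w,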
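--- a/data/policy/classic/16/apparmor/network-control
+++ b/data/policy/classic/16/apparmor/network-control
@@ -128,13 +128,13 @@
 /etc/hosts w,
 
 # resolvconf
-/sbin/resolvconf ixr,
+/{,usr/}sbin/resolvconf ixr,
 /run/resolvconf/{,**} rk,
 /run/resolvconf/** w,
 /etc/resolvconf/{,**} r,
-/lib/resolvconf/* ix,
+/{,usr/}lib/resolvconf/* ix,
 # Required by resolvconf
-/bin/run-parts ixr,
+/{,usr/}bin/run-parts ixr,
 /etc/resolvconf/update.d/* ix,
 
 # wpa_suplicant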
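--- a/data/policy/classic/16/apparmor/network-setup-control
+++ b/data/policy/classic/16/apparmor/network-setup-control
@@ -1,5 +1,18 @@
 # Description: Can read/write netplan configuration files
 
+# Allow use of the netplan binary from the base snap. With this interface, this
+# is expected to be able to apply and generate new network configuration, as
+# well as get information about the current network configuration.
+/usr/sbin/netplan ixr,
+# core18+ has /usr/sbin/netplan as a symlink to this script
+/usr/share/netplan/netplan.script ixr,
+# netplan related files
+/usr/share/netplan/ r,
+/usr/share/netplan/** r,
+
+# Netplan uses busctl internally, so allow using that as well
+/usr/bin/busctl ixr,
+
 /etc/netplan/{,**} rw,
 /etc/network/{,**} rw,
 /etc/systemd/network/{,**} rw,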
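--- a/data/policy/classic/16/apparmor/network-setup-observe
+++ b/data/policy/classic/16/apparmor/network-setup-observe
@@ -1,5 +1,19 @@
 # Description: Can read netplan configuration files
 
+# Allow use of the netplan binary from the base snap. With this interface, this
+# is expected to be able to only get information about the current network
+# configuration and not generate or apply it like is allowed with
+# network-setup-control.
+/usr/sbin/netplan ixr,
+# core18+ has /usr/sbin/netplan as a symlink to this script
+/usr/share/netplan/netplan.script ixr,
+# netplan related files
+/usr/share/netplan/ r,
+/usr/share/netplan/** r,
+
+# Netplan uses busctl internally, so allow using that as well
+/usr/bin/busctl ixr,
+
 /etc/netplan/{,**} r,
 /etc/network/{,**} r,
 /etc/systemd/network/{,**} r,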
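Review bot: The added comment says this interface may only read the current network configuration, but the rules added here (`/usr/sbin/netplan ixr,`, `/usr/share/netplan/netplan.script ixr,`, `/usr/bin/busctl ixr,`) are the same execute rules that network-setup-control receives. Within this hunk the only difference between the two profiles is `r` versus `rw` on the /etc paths. Because `ix` runs netplan and busctl under the snap's own profile, the read-only property presumably depends on those file rules and on D-Bus rules that are not visible in this excerpt. A line such as `# netplan and busctl inherit this profile (ix); apply/generate is prevented by the read-only rules below, not by these exec rules` would make explicit where the restriction is enforced.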
=== modified file 'data/policy/classic/16/apparmor/ofono'
--- data/policy/classic/16/apparmor/ofono 2021-03-24 13:55:25 +0000
+++ data/policy/classic/16/apparmor/ofono 2021-08-25 03:55:24 +0000
@@ -25,7 +25,7 @@
25 bus=system25 bus=system
26 path=/{,**}26 path=/{,**}
27 interface=org.ofono.*27 interface=org.ofono.*
28 peer=(label="snap.core."),28 peer=(label="snap.snapd.*"),
2929
30# Allow clients to introspect the service on non-classic (due to the path,30# Allow clients to introspect the service on non-classic (due to the path,
31# allowing on classic would reveal too much for unconfined)31# allowing on classic would reveal too much for unconfined)
@@ -34,5 +34,5 @@
34 path=/34 path=/
35 interface=org.freedesktop.DBus.Introspectable35 interface=org.freedesktop.DBus.Introspectable
36 member=Introspect36 member=Introspect
37 peer=(label="snap.core."),37 peer=(label="snap.snapd.*"),
3838
3939
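--- a/data/policy/classic/16/apparmor/opengl
+++ b/data/policy/classic/16/apparmor/opengl
@@ -81,7 +81,10 @@
 
 # Xilinx zocl DRM driver
 # https://github.com/Xilinx/XRT/tree/master/src/runtime_src/core/edge/drm
-/sys/devices/platform/amba_pl@[0-9]*/amba_pl@[0-9]*:zyxclmm_drm/* r,
+/sys/devices/platform/amba{,_pl@[0-9]*}/amba{,_pl@[0-9]*}:zyxclmm_drm/* r,
+
+# Imagination PowerVR driver
+/dev/pvr_sync rw,
 
 # OpenCL ICD files
 /etc/OpenCL/vendors/ r,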
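--- a/data/policy/classic/16/apparmor/ppp
+++ b/data/policy/classic/16/apparmor/ppp
@@ -10,7 +10,7 @@
 /run/ppp* rwk,
 /var/run/ppp* rwk,
 /var/log/ppp* rw,
-/bin/run-parts ix,
+/{,usr/}bin/run-parts ix,
 @{PROC}/@{pid}/loginuid r,
 capability setgid,
 capability setuid,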
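--- a/data/policy/classic/16/apparmor/raw-input
+++ b/data/policy/classic/16/apparmor/raw-input
@@ -0,0 +1,13 @@
+# Description: Allow reading and writing to raw input devices
+
+/dev/input/* rw,
+
+# Allow reading for supported event reports for all input devices. See
+# https://www.kernel.org/doc/Documentation/input/event-codes.txt
+/sys/devices/**/input[0-9]*/capabilities/* r,
+
+# For using udev
+network netlink raw,
+/run/udev/data/c13:[0-9]* r,
+/run/udev/data/+input:input[0-9]* r,
+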
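Review bot: `/dev/input/* rw,` gives a connected snap read and write access to every node under /dev/input, so it can observe all keyboard and pointer input on the system and write events to those devices, yet the Description line says only "raw input devices". I would extend the header so the sensitivity is visible where the policy is reviewed, e.g. `# Description: Allow reading and writing to raw input devices. Privileged: exposes keystrokes and all other input events from every device under /dev/input.`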
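--- a/data/policy/classic/16/apparmor/sd-control
+++ b/data/policy/classic/16/apparmor/sd-control
@@ -0,0 +1,6 @@
+# Description: can manage and control the SD cards using the DualSD driver.
+
+# The main DualSD device node is used to control certain aspects of SD cards on
+# the system.
+/dev/DualSD rw,
+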
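--- a/data/policy/classic/16/apparmor/system-observe
+++ b/data/policy/classic/16/apparmor/system-observe
@@ -22,6 +22,7 @@
 @{PROC}/modules r,
 @{PROC}/stat r,
 @{PROC}/vmstat r,
+@{PROC}/zoneinfo r,
 @{PROC}/diskstats r,
 @{PROC}/kallsyms r,
 @{PROC}/partitions r,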
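--- a/data/policy/classic/16/apparmor/tee
+++ b/data/policy/classic/16/apparmor/tee
@@ -0,0 +1,9 @@
+# Description: for those who need to talk to the TEE subsystem over
+# /dev/tee[0-9]* and/or /dev/teepriv[0-0]*
+
+/dev/tee[0-9]* rw,
+/dev/teepriv[0-9]* rw,
+
+# Qualcomm equivalent qseecom (Qualcomm Secure Execution Environment Communicator)
+/dev/qseecom rw,
+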
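Review bot: The Description comment on line 2 of the new file has a typo in its glob: `/dev/teepriv[0-0]*` should read `/dev/teepriv[0-9]*` to match the rule `/dev/teepriv[0-9]* rw,` on line 5. As written the header documents a narrower pattern than the one the policy grants. If the teepriv nodes are the supplicant-side devices, as I believe they are in the kernel TEE subsystem, the header could also say that the interface covers both client and supplicant access.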
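--- a/data/policy/classic/16/apparmor/time-control
+++ b/data/policy/classic/16/apparmor/time-control
@@ -67,5 +67,5 @@
 # write to the audit subsystem. We omit 'capability audit_write'
 # and 'capability net_admin' here. Applications requiring audit
 # logging should plug 'netlink-audit'.
-/sbin/hwclock ixr,
+/{,usr/}sbin/hwclock ixr,
 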
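--- a/data/policy/classic/16/seccomp/dm-crypt
+++ b/data/policy/classic/16/seccomp/dm-crypt
@@ -0,0 +1,6 @@
+# Description: Allow kernel keyring manipulation
+add_key
+keyctl
+request_key
+
+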
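Review bot: `add_key`, `keyctl` and `request_key` are allowed with no argument filter, and the header says only "Allow kernel keyring manipulation" without naming what needs it. Other seccomp files on this page do constrain arguments (`socket AF_NETLINK - NETLINK_KOBJECT_UEVENT` in raw-input), so a reader cannot tell whether the unfiltered form here is deliberate. A comment such as `# Presumably needed by cryptsetup to pass volume keys through the kernel keyring; keyctl operations are intentionally not filtered.` would record the intent once the author confirms it. The file also ends with two blank lines where one would do.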
=== modified file 'data/policy/classic/16/seccomp/greengrass-support'
--- data/policy/classic/16/seccomp/greengrass-support 2019-11-26 19:16:08 +0000
+++ data/policy/classic/16/seccomp/greengrass-support 2021-08-25 03:55:24 +0000
@@ -32,7 +32,7 @@
32# by greengrassd.32# by greengrassd.
33keyctl33keyctl
3434
35# special character device creation is necessary for creating the overlayfs 35# special character device creation is necessary for creating the overlayfs
36# mounts36# mounts
37# Unfortunately this grants device ownership to the snap.37# Unfortunately this grants device ownership to the snap.
38mknod - |S_IFCHR -38mknod - |S_IFCHR -
3939
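--- a/data/policy/classic/16/seccomp/raw-input
+++ b/data/policy/classic/16/seccomp/raw-input
@@ -0,0 +1,6 @@
+# Description: Allow handling input devices.
+# for udev
+bind
+socket AF_NETLINK - NETLINK_KOBJECT_UEVENT
+
+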
=== modified file 'policy-app/test-snapd-policy-app-consumer/meta/snap.yaml'
--- policy-app/test-snapd-policy-app-consumer/meta/snap.yaml 2020-03-18 18:33:59 +0000
+++ policy-app/test-snapd-policy-app-consumer/meta/snap.yaml 2021-08-25 03:55:24 +0000
@@ -11,6 +11,9 @@
11 adb-support:11 adb-support:
12 command: bin/run12 command: bin/run
13 plugs: [ adb-support ]13 plugs: [ adb-support ]
14 allegro-vcu:
15 command: bin/run
16 plugs: [ allegro-vcu ]
14 alsa:17 alsa:
15 command: bin/run18 command: bin/run
16 plugs: [ alsa ]19 plugs: [ alsa ]
@@ -74,6 +77,9 @@
74 cpu-control:77 cpu-control:
75 command: bin/run78 command: bin/run
76 plugs: [ cpu-control ]79 plugs: [ cpu-control ]
80 cups:
81 command: bin/run
82 plugs: [ cups ]
77 cups-control:83 cups-control:
78 command: bin/run84 command: bin/run
79 plugs: [ cups-control ]85 plugs: [ cups-control ]
@@ -98,12 +104,21 @@
98 display-control:104 display-control:
99 command: bin/run105 command: bin/run
100 plugs: [ display-control ]106 plugs: [ display-control ]
107 dm-crypt:
108 command: bin/run
109 plugs: [ dm-crypt ]
101 docker:110 docker:
102 command: bin/run111 command: bin/run
103 plugs: [ docker ]112 plugs: [ docker ]
104 docker-support:113 docker-support:
105 command: bin/run114 command: bin/run
106 plugs: [ docker-support ]115 plugs: [ docker-support ]
116 dsp-control:
117 command: bin/run
118 plugs: [ dsp-control ]
119 fpga:
120 command: bin/run
121 plugs: [ fpga ]
107 system-files:122 system-files:
108 command: bin/run123 command: bin/run
109 plugs: [ system-files ]124 plugs: [ system-files ]
@@ -128,6 +143,9 @@
128 accounts-service:143 accounts-service:
129 command: bin/run144 command: bin/run
130 plugs: [ accounts-service ]145 plugs: [ accounts-service ]
146 gconf:
147 command: bin/run
148 plugs: [ gconf ]
131 gpg-keys:149 gpg-keys:
132 command: bin/run150 command: bin/run
133 plugs: [ gpg-keys ]151 plugs: [ gpg-keys ]
@@ -158,9 +176,18 @@
158 home:176 home:
159 command: bin/run177 command: bin/run
160 plugs: [ home ]178 plugs: [ home ]
179 system-packages-doc:
180 command: bin/run
181 plugs: [ system-packages-doc ]
182 system-source-code:
183 command: bin/run
184 plugs: [ system-source-code ]
161 hostname-control:185 hostname-control:
162 command: bin/run186 command: bin/run
163 plugs: [ hostname-control ]187 plugs: [ hostname-control ]
188 hugepages-control:
189 command: bin/run
190 plugs: [ hugepages-control ]
164 intel-mei:191 intel-mei:
165 command: bin/run192 command: bin/run
166 plugs: [ intel-mei ]193 plugs: [ intel-mei ]
@@ -176,6 +203,9 @@
176 juju-client-observe:203 juju-client-observe:
177 command: bin/run204 command: bin/run
178 plugs: [ juju-client-observe ]205 plugs: [ juju-client-observe ]
206 kernel-crypto-api:
207 command: bin/run
208 plugs: [ kernel-crypto-api ]
179 kernel-module-control:209 kernel-module-control:
180 command: bin/run210 command: bin/run
181 plugs: [ kernel-module-control ]211 plugs: [ kernel-module-control ]
@@ -218,6 +248,9 @@
218 maliit:248 maliit:
219 command: bin/run249 command: bin/run
220 plugs: [ maliit ]250 plugs: [ maliit ]
251 media-control:
252 command: bin/run
253 plugs: [ media-control ]
221 media-hub:254 media-hub:
222 command: bin/run255 command: bin/run
223 plugs: [ media-hub ]256 plugs: [ media-hub ]
@@ -308,9 +341,15 @@
308 process-control:341 process-control:
309 command: bin/run342 command: bin/run
310 plugs: [ process-control ]343 plugs: [ process-control ]
344 ptp:
345 command: bin/run
346 plugs: [ ptp ]
311 pulseaudio:347 pulseaudio:
312 command: bin/run348 command: bin/run
313 plugs: [ pulseaudio ]349 plugs: [ pulseaudio ]
350 raw-input:
351 command: bin/run
352 plugs: [ raw-input ]
314 raw-usb:353 raw-usb:
315 command: bin/run354 command: bin/run
316 plugs: [ raw-usb ]355 plugs: [ raw-usb ]
@@ -338,6 +377,9 @@
338 can-bus:377 can-bus:
339 command: bin/run378 command: bin/run
340 plugs: [ can-bus ]379 plugs: [ can-bus ]
380 sd-control:
381 command: bin/run
382 plugs: [ sd-control ]
341 ssh-keys:383 ssh-keys:
342 command: bin/run384 command: bin/run
343 plugs: [ ssh-keys ]385 plugs: [ ssh-keys ]
@@ -359,6 +401,9 @@
359 dummy:401 dummy:
360 command: bin/run402 command: bin/run
361 plugs: [ dummy ]403 plugs: [ dummy ]
404 tee:
405 command: bin/run
406 plugs: [ tee ]
362 thumbnailer-service:407 thumbnailer-service:
363 command: bin/run408 command: bin/run
364 plugs: [ thumbnailer-service ]409 plugs: [ thumbnailer-service ]
@@ -386,6 +431,9 @@
386 uhid:431 uhid:
387 command: bin/run432 command: bin/run
388 plugs: [ uhid ]433 plugs: [ uhid ]
434 uinput:
435 command: bin/run
436 plugs: [ uinput ]
389 uio:437 uio:
390 command: bin/run438 command: bin/run
391 plugs: [ uio ]439 plugs: [ uio ]
@@ -404,6 +452,9 @@
404 upower-observe:452 upower-observe:
405 command: bin/run453 command: bin/run
406 plugs: [ upower-observe ]454 plugs: [ upower-observe ]
455 vcio:
456 command: bin/run
457 plugs: [ vcio ]
407 wayland:458 wayland:
408 command: bin/run459 command: bin/run
409 plugs: [ wayland ]460 plugs: [ wayland ]
@@ -437,3 +488,6 @@
437 write: [$HOME/dir1]488 write: [$HOME/dir1]
438 dummy:489 dummy:
439 interface: dummy490 interface: dummy
491 sd-control:
492 interface: sd-control
493 flavor: dual-sd
440494
=== modified file 'policy-app/test-snapd-policy-app-provider-core/meta/snap.yaml'
--- policy-app/test-snapd-policy-app-provider-core/meta/snap.yaml 2020-03-18 18:33:59 +0000
+++ policy-app/test-snapd-policy-app-provider-core/meta/snap.yaml 2021-08-25 03:55:24 +0000
@@ -15,6 +15,8 @@
15 content: test-content15 content: test-content
16 read:16 read:
17 - $SNAP/content17 - $SNAP/content
18 cups: null
19 cups-control: null
18 dbus-session:20 dbus-session:
19 interface: dbus21 interface: dbus
20 bus: session22 bus: session
@@ -67,6 +69,12 @@
67 content-read:69 content-read:
68 command: bin/run70 command: bin/run
69 slots: [ content-read ]71 slots: [ content-read ]
72 cups:
73 command: bin/run
74 slots: [ cups ]
75 cups-control:
76 command: bin/run
77 slots: [ cups-control ]
70 dbus-session:78 dbus-session:
71 command: bin/run79 command: bin/run
72 slots: [ dbus-session ]80 slots: [ dbus-session ]
