snappy-hub

Merge lp:~mvo/snappy-hub/snappy-examples-snap-yaml into lp:~snappy-dev/snappy-hub/snappy-examples

snappy-examples-snap-yaml
Merge into snappy-examples

Proposed by Michael Vogt on 2016-01-26

Status:	Merged
Merged at revision:	88
Proposed branch:	lp:~mvo/snappy-hub/snappy-examples-snap-yaml
Merge into:	lp:~snappy-dev/snappy-hub/snappy-examples
Diff against target:	1726 lines (+139/-1415) 26 files modified config-example-bash/meta/readme.md (+0/-9) config-example-bash/meta/snap.yaml (+17/-5) config-example/meta/readme.md (+0/-9) config-example/meta/snap.yaml (+18/-5) framework-template/bin/cli (+0/-28) framework-template/bin/svc (+0/-23) framework-template/meta/framework-policy/apparmor/policygroups/client (+0/-18) framework-template/meta/framework-policy/seccomp/policygroups/client (+0/-16) framework-template/meta/package.yaml (+0/-18) framework-template/meta/readme.md (+0/-26) framework-template/meta/svc.apparmor (+0/-59) framework-template/meta/svc.apparmor.boilerplate (+0/-196) framework-template/meta/svc.apparmor.unconfined (+0/-32) framework-template/meta/svc.seccomp (+0/-459) framework-template/meta/svc.seccomp.boilerplate (+0/-435) framework-template/meta/svc.seccomp.unconfined (+0/-4) go-example-webserver/meta/readme.md (+0/-3) go-example-webserver/meta/snap.yaml (+16/-10) hello-dbus/package-dir-app/meta/readme.md (+0/-3) hello-dbus/package-dir-app/meta/snap.yaml (+14/-9) hello-dbus/package-dir-fwk/meta/snap.yaml (+17/-11) hello-world/meta/readme.md (+0/-3) hello-world/meta/snap.yaml (+27/-15) licensed/meta/readme.md (+0/-3) licensed/meta/snap.yaml (+13/-6) python-xkcd-webserver/meta/snap.yaml (+17/-10)
To merge this branch:	bzr merge lp:~mvo/snappy-hub/snappy-examples-snap-yaml
Related bugs:	Link a bug report

Reviewer	Review Type	Date Requested	Status
Snappy Developers		2016-01-26	Pending
Review via email: mp+283960@code.launchpad.net

Description of the change

Update for the new snap.yaml format.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Michael Vogt

Snappy Developers

Zach Villers

 === renamed file 'config-example-bash/meta/hello.png' => 'config-example-bash/meta/icon.png'
 === removed file 'config-example-bash/meta/readme.md'
 --- config-example-bash/meta/readme.md	2015-05-29 08:24:53 +0000
 +++ config-example-bash/meta/readme.md	1970-01-01 00:00:00 +0000
@@ -1,9 +0,0 @@
--Configuration example
--
--This is a simple example to how how to write a configure hook with bash.
--
--Run:
--
-- config-example-bash.hello
--
--for usage instructions.
 === renamed file 'config-example-bash/meta/package.yaml' => 'config-example-bash/meta/snap.yaml'
 --- config-example-bash/meta/package.yaml	2016-01-14 07:36:50 +0000
 +++ config-example-bash/meta/snap.yaml	2016-01-26 14:09:34 +0000
@@ -1,7 +1,19 @@
  name: config-example-bash
--version: 2.0
--vendor: Michael Vogt <mvo@ubuntu.com>
--icon: meta/hello.png
--binaries:
-- - name: bin/hello
++version: 3.0
++summary: Configuration example
++description: |
++ This is a simple example to how how to write a configure hook with bash.
++
++ Run:
++
++   config-example-bash.hello
++
++ for usage instructions.
++apps:
++ hello:
++  command: bin/hello
++  uses: [hello]
++uses:
++ hello:
++  type: migration-skill
 === removed file 'config-example/meta/readme.md'
 --- config-example/meta/readme.md	2015-05-29 08:24:53 +0000
 +++ config-example/meta/readme.md	1970-01-01 00:00:00 +0000
@@ -1,9 +0,0 @@
--Configuration example
--
--This is a simple example to how how to write a configure hook.
--
--Run:
--
-- config-example.hello
--
--for usage instructions.
 === renamed file 'config-example/meta/package.yaml' => 'config-example/meta/snap.yaml'
 --- config-example/meta/package.yaml	2016-01-14 07:36:50 +0000
 +++ config-example/meta/snap.yaml	2016-01-26 14:09:34 +0000
@@ -1,7 +1,20 @@
  name: config-example
--version: 2.0
--vendor: Michael Vogt <mvo@ubuntu.com>
--icon: meta/hello.png
--binaries:
-- - name: bin/hello
++version: 3.0
++summary: Configuration example
++description: |
++ This is a simple example to how how to write a configure hook.
++
++ Run:
++
++   config-example.hello
++
++ for usage instructions.
++apps:
++ hello:
++  command: bin/hello
++  uses: [hello]
++uses:
++ hello:
++  type: migration-skill
++
 === removed directory 'framework-template'
 === removed directory 'framework-template/bin'
 === removed file 'framework-template/bin/cli'
 --- framework-template/bin/cli	2015-08-20 23:40:09 +0000
 +++ framework-template/bin/cli	1970-01-01 00:00:00 +0000
@@ -1,28 +0,0 @@
--#!/usr/bin/python3
--
--import sys
--import socket
--
--sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
--fn = "\0fwk-name.sock"
--try:
--    sock.connect(fn)
--except socket.error as e:
--    print(e)
--    sys.exit(1)
--
--try:
--    preamble = "Received: "
--    message = "hi there!"
--    sock.sendall(bytes(message, 'utf-8'))
--    amount_received = 0
--    amount_expected = len(preamble) + len(message)
--
--    s = ""
--    while amount_received < amount_expected:
--        data = sock.recv(16)
--        amount_received += len(data)
--        s += data.decode('ascii')
--    print(s)
--finally:
--    sock.close()
 === removed file 'framework-template/bin/svc'
 --- framework-template/bin/svc	2015-08-20 23:40:09 +0000
 +++ framework-template/bin/svc	1970-01-01 00:00:00 +0000
@@ -1,23 +0,0 @@
--#!/usr/bin/python3
--
--import socket
--import sys
--import os
--
--fn = "\0fwk-name.sock"
--
--sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
--sock.bind(fn)
--sock.listen(1)
--
--while True:
--    connection, client_address = sock.accept()
--    try:
--        data = connection.recv(16)
--        if data:
--            connection.sendall(bytes("Received: %s" % data.decode('ascii'),
--                                     'utf-8'))
--        else:
--            break
--    finally:
--        connection.close()
 === removed directory 'framework-template/meta'
 === removed directory 'framework-template/meta/framework-policy'
 === removed directory 'framework-template/meta/framework-policy/apparmor'
 === removed directory 'framework-template/meta/framework-policy/apparmor/policygroups'
 === removed file 'framework-template/meta/framework-policy/apparmor/policygroups/client'
 --- framework-template/meta/framework-policy/apparmor/policygroups/client	2015-08-20 23:48:09 +0000
 +++ framework-template/meta/framework-policy/apparmor/policygroups/client	1970-01-01 00:00:00 +0000
@@ -1,18 +0,0 @@
--# Description: allow using fwk-name
--# Usage: common
--
--# Add any AppArmor rules here needed to access your framework
--
--# Eg, dbus rule
--# dbus (send)
--#   bus=system
--#   path=/com/vendor/FwkName/Svc
--#   interface=com.vendor.FwkName.Svc
--#   member=Method
--#   peer=(label=fwk-name_src_*),
--
--# Eg, named socket/file rule
--# /var/lib/apps/fwk-name/*/svc.sock rw,
--
--# Eg, abstract socket rule (the below works with the example code)
--unix (connect, send, receive) peer=(label=fwk-name_svc_*),
 === removed directory 'framework-template/meta/framework-policy/seccomp'
 === removed directory 'framework-template/meta/framework-policy/seccomp/policygroups'
 === removed file 'framework-template/meta/framework-policy/seccomp/policygroups/client'
 --- framework-template/meta/framework-policy/seccomp/policygroups/client	2015-08-20 23:48:09 +0000
 +++ framework-template/meta/framework-policy/seccomp/policygroups/client	1970-01-01 00:00:00 +0000
@@ -1,16 +0,0 @@
--# Description: allow using fwk-name
--# Usage: common
--
--# Add any additional syscalls needed to access your framework
--
--# Eg, can communicate with fwk-name_svc abstract socket (this works with the
--# example code)
--connect
--getsockname
--recv
--recvmsg
--send
--sendto
--sendmsg
--socket
--socketpair
 === removed file 'framework-template/meta/hello.png'
 Binary files framework-template/meta/hello.png	2015-08-20 22:51:29 +0000 and framework-template/meta/hello.png	1970-01-01 00:00:00 +0000 differ
 === removed file 'framework-template/meta/package.yaml'
 --- framework-template/meta/package.yaml	2015-08-20 23:40:09 +0000
 +++ framework-template/meta/package.yaml	1970-01-01 00:00:00 +0000
@@ -1,18 +0,0 @@
--name: fwk-name
--version: 0.0.1
--vendor: Your Name <your.name@vendor.com>
--icon: meta/hello.png
--type: framework
--services:
-- - name: svc
--   start: bin/svc
--   description: "Example service"
--   security-policy:
--     apparmor: meta/svc.apparmor
--     seccomp: meta/svc.seccomp
--binaries:
-- - name: cli
--   exec: bin/cli
--   description: "Example command that uses the above service"
--   caps:
--    - fwk-name_client
 === removed file 'framework-template/meta/readme.md'
 --- framework-template/meta/readme.md	2015-08-20 23:48:09 +0000
 +++ framework-template/meta/readme.md	1970-01-01 00:00:00 +0000
@@ -1,26 +0,0 @@
--fwk-name test service and framework-policy
--
--This packaging can be used as boilerplate. The example code provides a simple
--UNIX abstract socket server and a cli command to access it.
--
--For strict confinement that works with the example code, use:
--  security-policy:
--    apparmor: meta/svc.apparmor
--    seccomp: meta/svc.seccomp
--
--For strict confinement for new projeccts, use (adjusting as necessary):
--  security-policy:
--    apparmor: meta/svc.apparmor.boilerplate
--    seccomp: meta/svc.seccomp.boilerplate
--
--To use permissive confinement (for testing purposes only):
--  security-policy:
--    apparmor: meta/svc.apparmor.unconfined
--    seccomp: meta/svc.seccomp.unconfined
--
--For more information, see:
-- * https://developer.ubuntu.com/en/snappy/guides/security-policy/
-- * https://developer.ubuntu.com/en/snappy/guides/filesystem-layout/
-- * https://developer.ubuntu.com/en/snappy/guides/frameworks/
-- * https://wiki.ubuntu.com/SecurityTeam/Specifications/SnappyConfinement
-- * https://wiki.ubuntu.com/SecurityTeam/Specifications/SnappyConfinement/DevelopingFrameworkPolicy
 === removed file 'framework-template/meta/svc.apparmor'
 --- framework-template/meta/svc.apparmor	2015-08-20 23:40:09 +0000
 +++ framework-template/meta/svc.apparmor	1970-01-01 00:00:00 +0000
@@ -1,59 +0,0 @@
--#
--# AppArmor confinement for fwk-name_svc
--#
--
--#include <tunables/global>
--
--# Specified profile variables
--###VAR###
--
--###PROFILEATTACH### (attach_disconnected) {
--  #include <abstractions/base>
--  #include <abstractions/openssl>
--
--  # Explicitly deny ptrace for now since it can be abused to break out of the
--  # seccomp sandbox. https://lkml.org/lkml/2015/3/18/823
--  audit deny ptrace (trace),
--
--  # Explicitly deny mount, remount and umount
--  audit deny mount,
--  audit deny remount,
--  audit deny umount,
--
--  # Read-only for the install directory
--  @{CLICK_DIR}/@{APP_PKGNAME}/                   r,
--  @{CLICK_DIR}/@{APP_PKGNAME}/@{APP_VERSION}/    r,
--  @{CLICK_DIR}/@{APP_PKGNAME}/@{APP_VERSION}/**  mrklix,
--
--  # Read-only home area for other versions
--  owner @{HOMEDIRS}/*/apps/@{APP_PKGNAME}/                  r,
--  owner @{HOMEDIRS}/*/apps/@{APP_PKGNAME}/@{APP_VERSION}/   r,
--  owner @{HOMEDIRS}/*/apps/@{APP_PKGNAME}/@{APP_VERSION}/** mrkix,
--
--  # Writable home area for this version.
--  owner @{HOMEDIRS}/*/apps/@{APP_PKGNAME}/@{APP_VERSION}/   w,
--  owner @{HOMEDIRS}/*/apps/@{APP_PKGNAME}/@{APP_VERSION}/** wl,
--
--  # Read-only system area for other versions
--  /var/lib/apps/@{APP_PKGNAME}/   r,
--  /var/lib/apps/@{APP_PKGNAME}/** mrkix,
--
--  # Writable system area only for this version
--  /var/lib/apps/@{APP_PKGNAME}/@{APP_VERSION}/   w,
--  /var/lib/apps/@{APP_PKGNAME}/@{APP_VERSION}/** wl,
--
--  # The ubuntu-core-launcher creates an app-specific private restricted /tmp
--  # and will fail to launch the app if something goes wrong. As such, we can
--  # simply allow full access to /tmp.
--  /tmp/   r,
--  /tmp/** mrwlkix,
--
--  # Framework service/binary specific rules below this line
--  #include <abstractions/python>
--  /usr/bin/python3* ixr,
--  /etc/passwd r,
--  /etc/group r,
--  /etc/nsswitch.conf r,
--  unix type=stream addr="@fwk-name.sock",
--
--}
 === removed file 'framework-template/meta/svc.apparmor.boilerplate'
 --- framework-template/meta/svc.apparmor.boilerplate	2015-09-25 14:40:25 +0000
 +++ framework-template/meta/svc.apparmor.boilerplate	1970-01-01 00:00:00 +0000
@@ -1,196 +0,0 @@
--#
--# AppArmor confinement for fwk-name_svc
--#
--
--#include <tunables/global>
--
--# Specified profile variables
--###VAR###
--
--###PROFILEATTACH### (attach_disconnected) {
--  #include <abstractions/base>
--  #include <abstractions/openssl>
--
--  # Explicitly deny ptrace for now since it can be abused to break out of the
--  # seccomp sandbox. https://lkml.org/lkml/2015/3/18/823
--  audit deny ptrace (trace),
--
--  # Explicitly deny mount, remount and umount
--  audit deny mount,
--  audit deny remount,
--  audit deny umount,
--
--  # Read-only for the install directory
--  @{CLICK_DIR}/@{APP_PKGNAME}/                   r,
--  @{CLICK_DIR}/@{APP_PKGNAME}/@{APP_VERSION}/    r,
--  @{CLICK_DIR}/@{APP_PKGNAME}/@{APP_VERSION}/**  mrklix,
--
--  # Read-only home area for other versions
--  owner @{HOMEDIRS}/*/apps/@{APP_PKGNAME}/                  r,
--  owner @{HOMEDIRS}/*/apps/@{APP_PKGNAME}/@{APP_VERSION}/   r,
--  owner @{HOMEDIRS}/*/apps/@{APP_PKGNAME}/@{APP_VERSION}/** mrkix,
--
--  # Writable home area for this version.
--  owner @{HOMEDIRS}/*/apps/@{APP_PKGNAME}/@{APP_VERSION}/   w,
--  owner @{HOMEDIRS}/*/apps/@{APP_PKGNAME}/@{APP_VERSION}/** wl,
--
--  # Read-only system area for other versions
--  /var/lib/apps/@{APP_PKGNAME}/   r,
--  /var/lib/apps/@{APP_PKGNAME}/** mrkix,
--
--  # Writable system area only for this version
--  /var/lib/apps/@{APP_PKGNAME}/@{APP_VERSION}/   w,
--  /var/lib/apps/@{APP_PKGNAME}/@{APP_VERSION}/** wl,
--
--  # The ubuntu-core-launcher creates an app-specific private restricted /tmp
--  # and will fail to launch the app if something goes wrong. As such, we can
--  # simply allow full access to /tmp.
--  /tmp/   r,
--  /tmp/** mrwlkix,
--
--  # Miscellaneous accesses
--  /etc/mime.types r,
--  @{PROC}/ r,
--  /etc/{,writable/}hostname r,
--  /etc/{,writable/}localtime r,
--  /etc/{,writable/}timezone r,
--  @{PROC}/sys/kernel/hostname r,
--  @{PROC}/sys/kernel/osrelease r,
--  @{PROC}/sys/fs/file-max r,
--  @{PROC}/sys/kernel/pid_max r,
--  # this leaks interface names and stats, but not in a way that is traceable
--  # to the user/device
--  @{PROC}/net/dev r,
--
--  #
--  # Various accesses that may or may not be required for your framework.
--  # Adjust as necessary for your services.
--  #
--
--  # Python
--  #include <abstractions/python>
--  /usr/bin/python{,2,2.[0-9]*,3,3.[0-9]*} ixr,
--  deny /usr/lib/python3*/{,**/}__pycache__/ w,              # noisy
--  deny /usr/lib/python3*/{,**/}__pycache__/**.pyc.[0-9]* w,
--
--  # Perl
--  #include <abstractions/perl>
--  /usr/bin/perl{,5*} ixr,
--
--  # Shell (do not usually need abstractions/bash)
--  #include <abstractions/consoles>
--  /bin/bash ixr,
--  /bin/dash ixr,
--  /etc/bash.bashrc r,
--  /usr/share/terminfo/** r,
--  /etc/inputrc r,
--  deny @{HOME}/.inputrc r,
--  # Common utilities for shell scripts
--  /{,usr/}bin/{,g,m}awk ixr,
--  /{,usr/}bin/basename ixr,
--  /{,usr/}bin/bunzip2 ixr,
--  /{,usr/}bin/bzcat ixr,
--  /{,usr/}bin/bzdiff ixr,
--  /{,usr/}bin/bzgrep ixr,
--  /{,usr/}bin/bzip2 ixr,
--  /{,usr/}bin/cat ixr,
--  /{,usr/}bin/chmod ixr,
--  /{,usr/}bin/cmp ixr,
--  /{,usr/}bin/cp ixr,
--  /{,usr/}bin/cpio ixr,
--  /{,usr/}bin/cut ixr,
--  /{,usr/}bin/date ixr,
--  /{,usr/}bin/dd ixr,
--  /{,usr/}bin/diff{,3} ixr,
--  /{,usr/}bin/dir ixr,
--  /{,usr/}bin/dirname ixr,
--  /{,usr/}bin/echo ixr,
--  /{,usr/}bin/{,e,f,r}grep ixr,
--  /{,usr/}bin/env ixr,
--  /{,usr/}bin/expr ixr,
--  /{,usr/}bin/false ixr,
--  /{,usr/}bin/find ixr,
--  /{,usr/}bin/fmt ixr,
--  /{,usr/}bin/getopt ixr,
--  /{,usr/}bin/head ixr,
--  /{,usr/}bin/hostname ixr,
--  /{,usr/}bin/id ixr,
--  /{,usr/}bin/igawk ixr,
--  /{,usr/}bin/kill ixr,
--  /{,usr/}bin/ldd ixr,
--  /{,usr/}bin/ln ixr,
--  /{,usr/}bin/line ixr,
--  /{,usr/}bin/link ixr,
--  /{,usr/}bin/logger ixr,
--  /{,usr/}bin/ls ixr,
--  /{,usr/}bin/md5sum ixr,
--  /{,usr/}bin/mkdir ixr,
--  /{,usr/}bin/mktemp ixr,
--  /{,usr/}bin/mv ixr,
--  /{,usr/}bin/openssl ixr, # may cause harmless capability block_suspend denial
--  /{,usr/}bin/pgrep ixr,
--  /{,usr/}bin/printenv ixr,
--  /{,usr/}bin/printf ixr,
--  /{,usr/}bin/ps ixr,
--  /{,usr/}bin/pwd ixr,
--  /{,usr/}bin/readlink ixr,
--  /{,usr/}bin/realpath ixr,
--  /{,usr/}bin/rev ixr,
--  /{,usr/}bin/rm ixr,
--  /{,usr/}bin/rmdir ixr,
--  /{,usr/}bin/sed ixr,
--  /{,usr/}bin/seq ixr,
--  /{,usr/}bin/sleep ixr,
--  /{,usr/}bin/sort ixr,
--  /{,usr/}bin/stat ixr,
--  /{,usr/}bin/tac ixr,
--  /{,usr/}bin/tail ixr,
--  /{,usr/}bin/tar ixr,
--  /{,usr/}bin/tee ixr,
--  /{,usr/}bin/test ixr,
--  /{,usr/}bin/tempfile ixr,
--  /{,usr/}bin/touch ixr,
--  /{,usr/}bin/tr ixr,
--  /{,usr/}bin/true ixr,
--  /{,usr/}bin/uname ixr,
--  /{,usr/}bin/uniq ixr,
--  /{,usr/}bin/unlink ixr,
--  /{,usr/}bin/unxz ixr,
--  /{,usr/}bin/unzip ixr,
--  /{,usr/}bin/vdir ixr,
--  /{,usr/}bin/wc ixr,
--  /{,usr/}bin/which ixr,
--  /{,usr/}bin/xargs ixr,
--  /{,usr/}bin/xz ixr,
--  /{,usr/}bin/yes ixr,
--  /{,usr/}bin/zcat ixr,
--  /{,usr/}bin/z{,e,f}grep ixr,
--  /{,usr/}bin/zip ixr,
--  /{,usr/}bin/zipgrep ixr,
--  /{,usr/}bin/uptime ixr,
--  @{PROC}/uptime r,
--  @{PROC}/loadavg r,
--  #deny /{,var/}run/utmp r, # information leak
--
--  # Java
--  @{PROC}/@{pid}/ r,
--  @{PROC}/@{pid}/fd/ r,
--  owner @{PROC}/@{pid}/auxv r,
--  @{PROC}/@{pid}/version_signature r,
--  @{PROC}/@{pid}/version r,
--  @{PROC}/sys/vm/zone_reclaim_mode r,
--  /etc/lsb-release r,
--  /sys/devices/**/read_ahead_kb r,
--  /sys/devices/system/cpu/** r,
--  /sys/kernel/mm/transparent_hugepage/enabled r,
--  /sys/kernel/mm/transparent_hugepage/defrag r,
--  # NOTE: this leaks running process and java seems to want it, but operates
--  # ok without it. Deny for now to silence the denial but we could allow
--  # owner match until AppArmor kernel var is available to solve this properly.
--  deny @{PROC}/@{pid}/cmdline r,
--  #owner @{PROC}/@{pid}/cmdline r,
--
--  #
--  # Framework service/binary specific rules below here
--  #
--}
 === removed file 'framework-template/meta/svc.apparmor.unconfined'
 --- framework-template/meta/svc.apparmor.unconfined	2015-09-30 17:23:06 +0000
 +++ framework-template/meta/svc.apparmor.unconfined	1970-01-01 00:00:00 +0000
@@ -1,32 +0,0 @@
--#
--# Unrestricted AppArmor policy for fwk-name_svc
--#
--
--#include <tunables/global>
--
--# Specified profile variables
--###VAR###
--
--# This profile offers no protection at all and is provided to ease initial
--# framework packaging until something based on svc.apparmor can be used
--# instead.
--###PROFILEATTACH### (attach_disconnected) {
--  capability,
--  network,
--  / rwkl,
--  /** rwlkm,
--  # Ubuntu Core is a minimal system so don't use 'pix' here. There are few
--  # profiles to transition to, and those that exist either won't work right
--  # anyway (eg, ubuntu-core-launcher) or would need to be modified to work
--  # with snaps (dhclient).
--  /** ix,
--
--  mount,
--  remount,
--  umount,
--  pivot_root,
--  dbus,
--  signal,
--  ptrace,
--  unix,
--}
 === removed file 'framework-template/meta/svc.seccomp'
 --- framework-template/meta/svc.seccomp	2015-09-29 20:07:00 +0000
 +++ framework-template/meta/svc.seccomp	1970-01-01 00:00:00 +0000
@@ -1,459 +0,0 @@
--#
--# Seccomp policy for fwk-name_svc
--#
--
--# Dangerous syscalls that we don't ever want to allow
--
--# kexec
--deny kexec_load
--
--# kernel modules
--deny create_module
--deny init_module
--deny finit_module
--deny delete_module
--
--# these have a history of vulnerabilities, are not widely used, and
--# open_by_handle_at has been used to break out of docker containers by brute
--# forcing the handle value: http://stealth.openwall.net/xSports/shocker.c
--deny name_to_handle_at
--deny open_by_handle_at
--
--# Explicitly deny ptrace since it can be abused to break out of the seccomp
--# sandbox
--deny ptrace
--
--# Explicitly deny capability mknod so apps can't create devices
--deny mknod
--deny mknodat
--
--# Explicitly deny (u)mount so apps can't change mounts in their namespace
--deny mount
--deny umount
--deny umount2
--
--# Explicitly deny kernel keyring access
--deny add_key
--deny keyctl
--deny request_key
--
--# end dangerous syscalls
--
--access
--faccessat
--
--alarm
--brk
--
--# ARM private syscalls
--breakpoint
--cacheflush
--set_tls
--usr26
--usr32
--
--capget
--
--chdir
--fchdir
--
--# We can't effectively block file perms due to open() with O_CREAT, so allow
--# chmod until we have syscall arg filtering (LP: #1446748)
--chmod
--fchmod
--fchmodat
--
--# snappy doesn't currently support per-app UID/GIDs so don't allow chown. To
--# properly support chown, we need to have syscall arg filtering (LP: #1446748)
--# and per-app UID/GIDs.
--#chown
--#chown32
--#fchown
--#fchown32
--#fchownat
--#lchown
--#lchown32
--
--clock_getres
--clock_gettime
--clock_nanosleep
--clone
--close
--creat
--dup
--dup2
--dup3
--epoll_create
--epoll_create1
--epoll_ctl
--epoll_ctl_old
--epoll_pwait
--epoll_wait
--epoll_wait_old
--eventfd
--eventfd2
--execve
--execveat
--_exit
--exit
--exit_group
--fallocate
--
--# requires CAP_SYS_ADMIN
--#fanotify_init
--#fanotify_mark
--
--fcntl
--fcntl64
--flock
--fork
--ftime
--futex
--get_mempolicy
--get_robust_list
--get_thread_area
--getcpu
--getcwd
--getdents
--getdents64
--getegid
--getegid32
--geteuid
--geteuid32
--getgid
--getgid32
--getgroups
--getgroups32
--getitimer
--getpgid
--getpgrp
--getpid
--getppid
--getpriority
--getrandom
--getresgid
--getresgid32
--getresuid
--getresuid32
--
--getrlimit
--ugetrlimit
--
--getrusage
--getsid
--gettid
--gettimeofday
--getuid
--getuid32
--
--getxattr
--fgetxattr
--lgetxattr
--
--inotify_add_watch
--inotify_init
--inotify_init1
--inotify_rm_watch
--
--# Needed by shell
--ioctl
--
--io_cancel
--io_destroy
--io_getevents
--io_setup
--io_submit
--ioprio_get
--# affects other processes, requires CAP_SYS_ADMIN. Potentially allow with
--# syscall filtering of (at least) IOPRIO_WHO_USER (LP: #1446748)
--#ioprio_set
--
--ipc
--kill
--link
--linkat
--
--listxattr
--llistxattr
--flistxattr
--
--lseek
--llseek
--_llseek
--lstat
--lstat64
--
--madvise
--fadvise64
--fadvise64_64
--arm_fadvise64_64
--
--mbind
--mincore
--mkdir
--mkdirat
--mlock
--mlockall
--mmap
--mmap2
--mprotect
--
--# LP: #1448184 - these aren't currently mediated by AppArmor. Deny for now
--#mq_getsetattr
--#mq_notify
--#mq_open
--#mq_timedreceive
--#mq_timedsend
--#mq_unlink
--
--mremap
--msgctl
--msgget
--msgrcv
--msgsnd
--msync
--munlock
--munlockall
--munmap
--
--nanosleep
--
--# LP: #1446748 - deny until we have syscall arg filtering. Alternatively, set
--# RLIMIT_NICE hard limit for apps, launch them under an appropriate nice value
--# and allow this call
--#nice
--
--# LP: #1446748 - support syscall arg filtering for mode_t with O_CREAT
--open
--
--openat
--pause
--pipe
--pipe2
--poll
--ppoll
--
--# LP: #1446748 - support syscall arg filtering
--prctl
--arch_prctl
--
--read
--pread
--pread64
--preadv
--readv
--
--readahead
--readdir
--readlink
--readlinkat
--remap_file_pages
--
--removexattr
--fremovexattr
--lremovexattr
--
--rename
--renameat
--renameat2
--
--# The man page says this shouldn't be needed, but we've seen denials for it
--# in the wild
--restart_syscall
--
--rmdir
--rt_sigaction
--rt_sigpending
--rt_sigprocmask
--rt_sigqueueinfo
--rt_sigreturn
--rt_sigsuspend
--rt_sigtimedwait
--rt_tgsigqueueinfo
--sched_getaffinity
--sched_getattr
--sched_getparam
--sched_get_priority_max
--sched_get_priority_min
--sched_getscheduler
--sched_rr_get_interval
--# LP: #1446748 - when support syscall arg filtering, enforce pid_t is 0 so the
--# app may only change its own scheduler
--sched_setscheduler
--
--sched_yield
--
--select
--_newselect
--pselect
--pselect6
--
--semctl
--semget
--semop
--semtimedop
--sendfile
--sendfile64
--
--# snappy doesn't currently support per-app UID/GIDs so don't allow this family
--# of syscalls. To properly support these, we need to have syscall arg filtering
--# (LP: #1446748) and per-app UID/GIDs.
--#setgid
--#setgid32
--#setgroups
--#setgroups32
--#setregid
--#setregid32
--#setresgid
--#setresgid32
--#setresuid
--#setresuid32
--#setreuid
--#setreuid32
--#setuid
--#setuid32
--
--# These break isolation but are common and can't be mediated at the seccomp
--# level with arg filtering
--setpgid
--setpgrp
--
--set_thread_area
--setitimer
--
--# apps don't have CAP_SYS_RESOURCE so these can't be abused to raise the hard
--# limits
--setrlimit
--prlimit64
--
--set_mempolicy
--set_robust_list
--setsid
--set_tid_address
--
--setxattr
--fsetxattr
--lsetxattr
--
--shmat
--shmctl
--shmdt
--shmget
--signal
--sigaction
--signalfd
--signalfd4
--sigaltstack
--sigpending
--sigprocmask
--sigreturn
--sigsuspend
--sigtimedwait
--sigwaitinfo
--
--# Per man page, on Linux this is limited to only AF_UNIX so it is ok to have
--# in the default template
--socketpair
--
--splice
--
--stat
--stat64
--fstat
--fstat64
--fstatat64
--lstat
--newfstatat
--oldfstat
--oldlstat
--oldstat
--
--statfs
--statfs64
--fstatfs
--fstatfs64
--statvfs
--fstatvfs
--ustat
--
--symlink
--symlinkat
--
--sync
--sync_file_range
--sync_file_range2
--arm_sync_file_range
--fdatasync
--fsync
--syncfs
--sysinfo
--syslog
--tee
--tgkill
--time
--timer_create
--timer_delete
--timer_getoverrun
--timer_gettime
--timer_settime
--timerfd_create
--timerfd_gettime
--timerfd_settime
--times
--tkill
--
--truncate
--truncate64
--ftruncate
--ftruncate64
--
--umask
--
--uname
--olduname
--oldolduname
--
--unlink
--unlinkat
--
--utime
--utimensat
--utimes
--futimesat
--
--vfork
--vmsplice
--wait4
--oldwait4
--waitpid
--waitid
--
--write
--writev
--pwrite
--pwrite64
--pwritev
--
--# Can create and listen on UNIX abstract sockets
--accept
--accept4
--bind
--connect
--getpeername
--getsockname
--getsockopt
--listen
--recv
--recvfrom
--recvmmsg
--recvmsg
--send
--sendmmsg
--sendmsg
--sendto
--setsockopt
--shutdown
--
--# LP: #1446748 - limit this to AF_INET/AF_INET6 and possibly others not
--# included in network-client
--socket
 === removed file 'framework-template/meta/svc.seccomp.boilerplate'
 --- framework-template/meta/svc.seccomp.boilerplate	2015-09-29 20:07:00 +0000
 +++ framework-template/meta/svc.seccomp.boilerplate	1970-01-01 00:00:00 +0000
@@ -1,435 +0,0 @@
--#
--# Seccomp policy for fwk-name_svc
--#
--
--# Dangerous syscalls that we don't ever want to allow
--
--# kexec
--deny kexec_load
--
--# kernel modules
--deny create_module
--deny init_module
--deny finit_module
--deny delete_module
--
--# these have a history of vulnerabilities, are not widely used, and
--# open_by_handle_at has been used to break out of docker containers by brute
--# forcing the handle value: http://stealth.openwall.net/xSports/shocker.c
--deny name_to_handle_at
--deny open_by_handle_at
--
--# Explicitly deny ptrace since it can be abused to break out of the seccomp
--# sandbox
--deny ptrace
--
--# Explicitly deny capability mknod so apps can't create devices
--deny mknod
--deny mknodat
--
--# Explicitly deny (u)mount so apps can't change mounts in their namespace
--deny mount
--deny umount
--deny umount2
--
--# Explicitly deny kernel keyring access
--deny add_key
--deny keyctl
--deny request_key
--
--# end dangerous syscalls
--
--access
--faccessat
--
--alarm
--brk
--
--# ARM private syscalls
--breakpoint
--cacheflush
--set_tls
--usr26
--usr32
--
--capget
--
--chdir
--fchdir
--
--# We can't effectively block file perms due to open() with O_CREAT, so allow
--# chmod until we have syscall arg filtering (LP: #1446748)
--chmod
--fchmod
--fchmodat
--
--# snappy doesn't currently support per-app UID/GIDs so don't allow chown. To
--# properly support chown, we need to have syscall arg filtering (LP: #1446748)
--# and per-app UID/GIDs.
--#chown
--#chown32
--#fchown
--#fchown32
--#fchownat
--#lchown
--#lchown32
--
--clock_getres
--clock_gettime
--clock_nanosleep
--clone
--close
--creat
--dup
--dup2
--dup3
--epoll_create
--epoll_create1
--epoll_ctl
--epoll_ctl_old
--epoll_pwait
--epoll_wait
--epoll_wait_old
--eventfd
--eventfd2
--execve
--execveat
--_exit
--exit
--exit_group
--fallocate
--
--# requires CAP_SYS_ADMIN
--#fanotify_init
--#fanotify_mark
--
--fcntl
--fcntl64
--flock
--fork
--ftime
--futex
--get_mempolicy
--get_robust_list
--get_thread_area
--getcpu
--getcwd
--getdents
--getdents64
--getegid
--getegid32
--geteuid
--geteuid32
--getgid
--getgid32
--getgroups
--getgroups32
--getitimer
--getpgid
--getpgrp
--getpid
--getppid
--getpriority
--getrandom
--getresgid
--getresgid32
--getresuid
--getresuid32
--
--getrlimit
--ugetrlimit
--
--getrusage
--getsid
--gettid
--gettimeofday
--getuid
--getuid32
--
--getxattr
--fgetxattr
--lgetxattr
--
--inotify_add_watch
--inotify_init
--inotify_init1
--inotify_rm_watch
--
--# Needed by shell
--ioctl
--
--io_cancel
--io_destroy
--io_getevents
--io_setup
--io_submit
--ioprio_get
--# affects other processes, requires CAP_SYS_ADMIN. Potentially allow with
--# syscall filtering of (at least) IOPRIO_WHO_USER (LP: #1446748)
--#ioprio_set
--
--ipc
--kill
--link
--linkat
--
--listxattr
--llistxattr
--flistxattr
--
--lseek
--llseek
--_llseek
--lstat
--lstat64
--
--madvise
--fadvise64
--fadvise64_64
--arm_fadvise64_64
--
--mbind
--mincore
--mkdir
--mkdirat
--mlock
--mlockall
--mmap
--mmap2
--mprotect
--
--# LP: #1448184 - these aren't currently mediated by AppArmor. Deny for now
--#mq_getsetattr
--#mq_notify
--#mq_open
--#mq_timedreceive
--#mq_timedsend
--#mq_unlink
--
--mremap
--msgctl
--msgget
--msgrcv
--msgsnd
--msync
--munlock
--munlockall
--munmap
--
--nanosleep
--
--# LP: #1446748 - deny until we have syscall arg filtering. Alternatively, set
--# RLIMIT_NICE hard limit for apps, launch them under an appropriate nice value
--# and allow this call
--#nice
--
--# LP: #1446748 - support syscall arg filtering for mode_t with O_CREAT
--open
--
--openat
--pause
--pipe
--pipe2
--poll
--ppoll
--
--# LP: #1446748 - support syscall arg filtering
--prctl
--arch_prctl
--
--read
--pread
--pread64
--preadv
--readv
--
--readahead
--readdir
--readlink
--readlinkat
--remap_file_pages
--
--removexattr
--fremovexattr
--lremovexattr
--
--rename
--renameat
--renameat2
--
--# The man page says this shouldn't be needed, but we've seen denials for it
--# in the wild
--restart_syscall
--
--rmdir
--rt_sigaction
--rt_sigpending
--rt_sigprocmask
--rt_sigqueueinfo
--rt_sigreturn
--rt_sigsuspend
--rt_sigtimedwait
--rt_tgsigqueueinfo
--sched_getaffinity
--sched_getattr
--sched_getparam
--sched_get_priority_max
--sched_get_priority_min
--sched_getscheduler
--sched_rr_get_interval
--# LP: #1446748 - when support syscall arg filtering, enforce pid_t is 0 so the
--# app may only change its own scheduler
--sched_setscheduler
--
--sched_yield
--
--select
--_newselect
--pselect
--pselect6
--
--semctl
--semget
--semop
--semtimedop
--sendfile
--sendfile64
--
--# snappy doesn't currently support per-app UID/GIDs so don't allow this family
--# of syscalls. To properly support these, we need to have syscall arg filtering
--# (LP: #1446748) and per-app UID/GIDs.
--#setgid
--#setgid32
--#setgroups
--#setgroups32
--#setregid
--#setregid32
--#setresgid
--#setresgid32
--#setresuid
--#setresuid32
--#setreuid
--#setreuid32
--#setuid
--#setuid32
--
--# These break isolation but are common and can't be mediated at the seccomp
--# level with arg filtering
--setpgid
--setpgrp
--
--set_thread_area
--setitimer
--
--# apps don't have CAP_SYS_RESOURCE so these can't be abused to raise the hard
--# limits
--setrlimit
--prlimit64
--
--set_mempolicy
--set_robust_list
--setsid
--set_tid_address
--
--setxattr
--fsetxattr
--lsetxattr
--
--shmat
--shmctl
--shmdt
--shmget
--signal
--sigaction
--signalfd
--signalfd4
--sigaltstack
--sigpending
--sigprocmask
--sigreturn
--sigsuspend
--sigtimedwait
--sigwaitinfo
--
--# Per man page, on Linux this is limited to only AF_UNIX so it is ok to have
--# in the default template
--socketpair
--
--splice
--
--stat
--stat64
--fstat
--fstat64
--fstatat64
--lstat
--newfstatat
--oldfstat
--oldlstat
--oldstat
--
--statfs
--statfs64
--fstatfs
--fstatfs64
--statvfs
--fstatvfs
--ustat
--
--symlink
--symlinkat
--
--sync
--sync_file_range
--sync_file_range2
--arm_sync_file_range
--fdatasync
--fsync
--syncfs
--sysinfo
--syslog
--tee
--tgkill
--time
--timer_create
--timer_delete
--timer_getoverrun
--timer_gettime
--timer_settime
--timerfd_create
--timerfd_gettime
--timerfd_settime
--times
--tkill
--
--truncate
--truncate64
--ftruncate
--ftruncate64
--
--umask
--
--uname
--olduname
--oldolduname
--
--unlink
--unlinkat
--
--utime
--utimensat
--utimes
--futimesat
--
--vfork
--vmsplice
--wait4
--oldwait4
--waitpid
--waitid
--
--write
--writev
--pwrite
--pwrite64
--pwritev
 === removed file 'framework-template/meta/svc.seccomp.unconfined'
 --- framework-template/meta/svc.seccomp.unconfined	2015-08-20 22:51:29 +0000
 +++ framework-template/meta/svc.seccomp.unconfined	1970-01-01 00:00:00 +0000
@@ -1,4 +0,0 @@
--#
--# Unrestricted seccomp policy for fwk-name_svc
--#
--@unrestricted
 === renamed file 'go-example-webserver/meta/go.png' => 'go-example-webserver/meta/icon.png'
 === removed file 'go-example-webserver/meta/readme.md'
 --- go-example-webserver/meta/readme.md	2015-03-27 10:00:35 +0000
 +++ go-example-webserver/meta/readme.md	1970-01-01 00:00:00 +0000
@@ -1,3 +0,0 @@
--Minimal Golang webserver for snappy
--
--Mostly a example to show how to build a binary webserver for snappy.
 \ No newline at end of file
 === renamed file 'go-example-webserver/meta/package.yaml' => 'go-example-webserver/meta/snap.yaml'
 --- go-example-webserver/meta/package.yaml	2016-01-14 07:36:50 +0000
 +++ go-example-webserver/meta/snap.yaml	2016-01-26 14:09:34 +0000
@@ -1,13 +1,19 @@
  name: go-example-webserver
--vendor: Alexander Sack <asac@canonical.com>
++version: 3.0
++summary: Minimal Golang webserver for snappy
++description: |
++ Mostly a example to show how to build a binary webserver for snappy.
  architectures: [amd64, armhf]
--icon: meta/go.png
--version: 2.0
--services:
-- - name: webserver
++apps:
++ webserver:
++   command: ./magic-bin/go-example-webserver
++   daemon: simple
     description: "snappy example: golang mini webserver"
--   start: ./magic-bin/go-example-webserver
--   caps:
--    - network-client
--    - network-service
--
++   uses: [webserver]
++uses:
++ webserver:
++  type: migration-skill
++  caps:
++   - network-client
++   - network-service
++
 === renamed file 'hello-dbus/package-dir-app/meta/hello.png' => 'hello-dbus/package-dir-app/meta/icon.png'
 === removed file 'hello-dbus/package-dir-app/meta/readme.md'
 --- hello-dbus/package-dir-app/meta/readme.md	2015-04-28 20:53:10 +0000
 +++ hello-dbus/package-dir-app/meta/readme.md	1970-01-01 00:00:00 +0000
@@ -1,3 +0,0 @@
--hello-dbus-app test client
--
--This is a simple dbus framework app example.
 === renamed file 'hello-dbus/package-dir-app/meta/package.yaml' => 'hello-dbus/package-dir-app/meta/snap.yaml'
 --- hello-dbus/package-dir-app/meta/package.yaml	2016-01-14 07:36:50 +0000
 +++ hello-dbus/package-dir-app/meta/snap.yaml	2016-01-26 14:09:34 +0000
@@ -1,16 +1,21 @@
  name: hello-dbus-app
--version: 2.0
++version: 3.0
  architectures:
    - amd64
    - armhf
    - i386
--vendor: Snappy Developers <snappy-devel@lists.ubuntu.com>
--icon: meta/hello.png
++summary: hello-dbus-app test client
++description: |
++ This is a simple dbus framework app example.
  frameworks:
    - hello-dbus-fwk
--binaries:
--  - name: client
--    exec: bin/dbus_message.client
--    description: "hello-dbus-fwk test client"
--    caps:
--      - hello-dbus-fwk_client
++apps:
++ client:
++  command: bin/dbus_message.client
++  description: "hello-dbus-fwk test client"
++  uses: [client]
++uses:
++ client:
++  type: migration-skill
++  caps:
++   - hello-dbus-fwk_client
 === renamed file 'hello-dbus/package-dir-fwk/meta/hello.png' => 'hello-dbus/package-dir-fwk/meta/icon.png'
 === renamed file 'hello-dbus/package-dir-fwk/meta/package.yaml' => 'hello-dbus/package-dir-fwk/meta/snap.yaml'
 --- hello-dbus/package-dir-fwk/meta/package.yaml	2016-01-14 07:36:50 +0000
 +++ hello-dbus/package-dir-fwk/meta/snap.yaml	2016-01-26 14:09:34 +0000
@@ -1,17 +1,23 @@
  name: hello-dbus-fwk
--version: 2.0
++version: 3.0
++summary: hello-dbus-fwk test service and framework-policy
++description: |
++ This is a simple dbus framework example.
  architectures:
    - amd64
    - armhf
    - i386
--vendor: Snappy Developers <snappy-devel@lists.ubuntu.com>
--icon: meta/hello.png
  type: framework
--services:
-- - name: srv
--   start: bin/dbus_service.start
--   description: "hello-dbus-fwk test service"
--   bus-name: "com.canonical.hello-dbus-fwk"
--   security-policy:
--     apparmor: meta/svc.apparmor
--     seccomp: meta/svc.seccomp
++apps:
++ srv:
++  command: bin/dbus_service.start
++  daemon: simple
++  description: "hello-dbus-fwk test service"
++  bus-name: "com.canonical.hello-dbus-fwk"
++  uses: [srv]
++uses:
++ srv:
++  type: migration-skill
++  security-policy:
++   apparmor: meta/svc.apparmor
++   seccomp: meta/svc.seccomp
 === renamed file 'hello-world/meta/hello.png' => 'hello-world/meta/icon.png'
 === removed file 'hello-world/meta/readme.md'
 --- hello-world/meta/readme.md	2014-12-02 13:55:30 +0000
 +++ hello-world/meta/readme.md	1970-01-01 00:00:00 +0000
@@ -1,3 +0,0 @@
--Hello world example
--
--This is a simple hello world example.
 \ No newline at end of file
 === renamed file 'hello-world/meta/package.yaml' => 'hello-world/meta/snap.yaml'
 --- hello-world/meta/package.yaml	2016-01-14 07:36:50 +0000
 +++ hello-world/meta/snap.yaml	2016-01-26 14:09:34 +0000
@@ -1,17 +1,29 @@
  name: hello-world
--version: 2.0
--vendor: Snappy Developers <snappy-devel@lists.ubuntu.com>
++version: 3.0
++summary: Hello world example
++description: |
++ This is a simple hello world example.
  icon: meta/hello.png
--binaries:
-- - name: bin/echo
--   caps: []
-- - name: bin/env
--   caps: []
-- - name: bin/evil
--   caps: []
-- - name: bin/showdev
--   caps: []
-- - name: bin/usehw
--   caps: []
-- - name: bin/sh
--   caps: []
++apps:
++ echo:
++  command: bin/echo
++  uses: [nothing]
++ env:
++  command: bin/env
++  uses: [nothing]
++ evil:
++  command: bin/evil
++  uses: [nothing]
++ showdev:
++  command: bin/showdev
++  uses: [nothing]
++ usehw:
++  command: bin/usehw
++  uses: [nothing]
++ sh:
++  command: bin/sh
++  uses: [nothing]
++uses:
++ nothing:
++  type: migration-skill
++  caps: []
 === removed file 'licensed/meta/readme.md'
 --- licensed/meta/readme.md	2015-04-08 11:10:42 +0000
 +++ licensed/meta/readme.md	1970-01-01 00:00:00 +0000
@@ -1,3 +0,0 @@
--Licensed example
--
--This is a simple example with a license that needs accepting.
 === renamed file 'licensed/meta/package.yaml' => 'licensed/meta/snap.yaml'
 --- licensed/meta/package.yaml	2016-01-14 07:36:50 +0000
 +++ licensed/meta/snap.yaml	2016-01-26 14:09:34 +0000
@@ -1,8 +1,15 @@
  name: licensed
--icon: meta/icon.png
--version: 2.0
--vendor: John R. Lenton <john.lenton@canonical.com>
--binaries:
-- - name: bin/printenv
--explicit-license-agreement: Y
++version: 3.0
++summary: Licensed example
++description: |
++ This is a simple example with a license that needs accepting.
++license-agreement: explicit
++apps:
++ printenv:
++  command: bin/printenv
++  uses: [printenv]
++uses:
++ printenv:
++  type: migration-skill
++
 === renamed file 'python-xkcd-webserver/meta/xkcd.png' => 'python-xkcd-webserver/meta/icon.png'
 === renamed file 'python-xkcd-webserver/meta/package.yaml' => 'python-xkcd-webserver/meta/snap.yaml'
 --- python-xkcd-webserver/meta/package.yaml	2016-01-14 07:36:50 +0000
 +++ python-xkcd-webserver/meta/snap.yaml	2016-01-26 14:09:34 +0000
@@ -1,11 +1,18 @@
  name: xkcd-webserver
--version: 2.0
--vendor: Snappy Developers <snappy-devel@lists.ubuntu.com>
--icon: meta/xkcd.png
--services:
-- - name: xkcd-webserver
--   start: ./bin/xkcd-webserver
--   description: A fun webserver
--   caps:
--    - network-client
--    - network-service
++version: 3.0
++summary: Python based example webserver
++description: |
++ Show random XKCD comic via a build-in webserver
++ This is meant as a fun example for a snappy package.
++apps:
++ xkcd-webserver:
++  command: ./bin/xkcd-webserver
++  daemon: simple
++  description: A fun webserver
++  uses: [xkcd-webserver]
++uses:
++ xkcd-webserver:
++  type: migration-skill
++  caps:
++   - network-client
++   - network-service

snappy-hub

Merge lp:~mvo/snappy-hub/snappy-examples-snap-yaml into lp:~snappy-dev/snappy-hub/snappy-examples

Commit message

Description of the change

Preview Diff

Subscribers