# Description: Allows snap-update-ns to construct the mount namespace specific
# to a particular snap (see the name below). This specifically includes the
# precise locations of the layout elements.
# vim:syntax=apparmor
#include <tunables/global>
#include if exists "/etc/apparmor.d/tunables/home.d"
profile snap-update-ns.lxd (attach_disconnected) {
# Confines the snap-update-ns helper while it constructs and updates the
# mount namespace of the "lxd" snap. The attach_disconnected flag keeps path
# rules applicable to files whose path is disconnected from the namespace
# root, which matters here because pivot_root has already been called (see
# the note further down).
# The next four rules allow snap-update-ns itself to be read and mapped (mr)
# from each place it may be executed from: the host's snapd directories, the
# same directories reached through hostfs, and the core/snapd snaps.
/usr/lib{,exec,64}/snapd/snap-update-ns mr,
/var/lib/snapd/hostfs/usr/lib{,exec,64}/snapd/snap-update-ns mr,
/{,var/lib/snapd/}snap/{core,snapd}/*/usr/lib/snapd/snap-update-ns mr,
/var/lib/snapd/hostfs/{,var/lib/snapd/}snap/core/*/usr/lib/snapd/snap-update-ns mr,
# Allow reading the dynamic linker cache.
/etc/ld.so.cache r,
# Allow reading, mapping and executing the dynamic linker (ix: executed under
# this same profile, no transition).
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}ld-*.so mrix,
# Allow reading and mapping various parts of the standard library and
# dynamically loaded nss modules and what not.
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libc{,-[0-9]*}.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libpthread{,-[0-9]*}.so* mr,
# Commonly needed device nodes.
/dev/null rw,
/dev/full rw,
/dev/zero rw,
/dev/random r,
/dev/urandom r,
# golang runtime variables
/sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
# glibc 2.27+ may poke this file to find out the number of CPUs
# available in the system when creating a new arena for malloc, see
# Golang issue 25628
/sys/devices/system/cpu/online r,
# Allow reading the command line (snap-update-ns uses it in pre-Go bootstrap code).
# "owner" restricts these /proc rules to entries owned by the same uid.
owner @{PROC}/@{pid}/cmdline r,
# Allow reading of own maps (Go runtime)
owner @{PROC}/@{pid}/maps r,
# Allow reading file descriptor paths
owner @{PROC}/@{pid}/fd/* r,
# Allow reading /proc/version. For release.go WSL detection.
@{PROC}/version r,
# Allow reading own cgroups
owner @{PROC}/@{pid}/cgroup r,
# Allow reading somaxconn, required in newer distro releases
@{PROC}/sys/net/core/somaxconn r,
# snap-update-ns needs no network access. These are plain (non-audit) deny
# rules, so the rejection is not logged; this silences the otherwise noisy
# inet/inet6 denials.
deny network inet,
deny network inet6,
# Allow reading the os-release file (possibly a symlink to /usr/lib).
/{etc/,usr/lib/}os-release r,
# Allow creating/grabbing the per-snap (lxd.lock) and global (.lock) lock
# files; "k" grants file locking on them.
/run/snapd/lock/lxd.lock rwk,
/run/snapd/lock/.lock rwk,
# While the base abstraction has rules for ecryptfs encrypted home and
# private directories, it is missing rules for directory read on the toplevel
# directory of the mount (LP: #1848919)
owner @{HOME}/.Private/ r,
owner @{HOMEDIRS}/.ecryptfs/*/.Private/ r,
# Allow reading stored mount namespaces.
/run/snapd/ns/ r,
/run/snapd/ns/lxd.mnt r,
# Allow reading per-snap desired mount profiles. Those are written by
# snapd and represent the desired layout and content connections.
/var/lib/snapd/mount/snap.lxd.fstab r,
/var/lib/snapd/mount/snap.lxd.user-fstab r,
# Allow reading and writing the actual per-snap mount profile. The {,.*}
# wildcard also covers the temporary file used by the atomic write + rename
# strategy. Those files are written by snap-update-ns and represent the
# actual mount profile at a given moment.
/run/snapd/ns/snap.lxd.fstab{,.*} rw,
# NOTE: at this stage the /snap directory is stable as we have called
# pivot_root already.
# Needed to perform mount/unmounts.
capability sys_admin,
# Needed for mimic construction.
capability chown,
# Needed for dropping to calling user when processing per-user mounts
capability setuid,
capability setgid,
# Allow snap-update-ns to override file ownership and permission checks.
# This is required because writable mimics now preserve the permissions
# of the original and hence we may be asked to create a directory when the
# parent is a tmpfs without DAC write access.
capability dac_override,
# Allow freezing and thawing the per-snap cgroup freezers
# v1 hierarchy where we know the group name of all processes of
# a given snap upfront
/sys/fs/cgroup/freezer/snap.lxd/freezer.state rw,
# v2 hierarchy, where we need to walk the tree looking for the tracking
# groups and act on each one. Only the cgroup.freeze file of this snap's
# scope/service groups is writable; everything else stays read-only.
/sys/fs/cgroup/ r,
/sys/fs/cgroup/** r,
/sys/fs/cgroup/**/snap.lxd.*.scope/cgroup.freeze rw,
/sys/fs/cgroup/**/snap.lxd.*.service/cgroup.freeze rw,
# Allow the content interface to bind fonts from the host filesystem.
# The bind is read-only; the second rule only permits changing propagation
# (private) of mounts below the snap's own tree, and umount is likewise
# limited to that tree.
mount options=(ro bind) /var/lib/snapd/hostfs/usr/share/fonts/ -> /snap/lxd/*/**,
mount options=(rw private) -> /snap/lxd/*/**,
umount /snap/lxd/*/**,
# set up user mount namespace: make / recursively slave so mount events
# made in this namespace do not propagate back out.
mount options=(rslave) -> /,
# Allow traversing from the root directory and several well-known places.
# Specific directory permissions are added by snippets below.
/ r,
/etc/ r,
/snap/ r,
/tmp/ r,
/usr/ r,
/var/ r,
/var/lib/ r,
/var/lib/snapd/ r,
/var/snap/ r,
# Allow reading timezone data.
/usr/share/zoneinfo/** r,
# Don't allow anyone to touch /snap/bin. Unlike the quiet network deny
# rules above these are "audit deny": rejected and logged, so an attempt
# is visible in the audit log.
audit deny mount /snap/bin/** -> /**,
audit deny mount /** -> /snap/bin/**,
# Don't allow bind mounts to /media which has special
# sharing and propagates mount events outside of the snap namespace.
audit deny mount -> /media,
# Allow receiving signals from unconfined (eg, systemd)
signal (receive) peer=unconfined,
# Allow sending and receiving signals from ourselves.
signal peer=@{profile_name},
# Commonly needed permissions for writable mimics.
# (/tmp/ r is also granted by the traversal rules above; the repetition is
# harmless as AppArmor permissions accumulate.)
/tmp/ r,
/tmp/.snap/{,**} rw,
# snapd logger.go checks /proc/cmdline
@{PROC}/cmdline r,
# snap checks if vendored apparmor parser should be used at startup
/usr/lib/snapd/info r,
/lib/apparmor/functions r,
# Allow snap-update-ns to open home directory
owner @{HOME}/ r,
# Read-only view of the host's /boot: a bind mount is first created rw and
# then remounted read-only (the usual two-step way to get a ro bind mount);
# the umount rule allows tearing it down again.
mount options=(bind,rw) /var/lib/snapd/hostfs/boot/ -> /boot/,
mount options=(bind,remount,ro) -> /boot/,
umount /boot/,
}