1This is the default /var/lib/snapd/apparmor/profiles/snap.discord.discord file from a fresh install of Discord via snap (snap revision 101, as set in @{SNAP_REVISION} below), including comments.
2
3---
4
5# Description: Allows access to app-specific directories and basic runtime
6# Usage: common
7
8# vim:syntax=apparmor
9
10#include <tunables/global>
11
12# snapd supports the concept of 'parallel installs' where snaps with the same
13# name are differentiated by '_<instance>' such that foo, foo_bar and foo_baz
14# may all be installed on the system. To support this, SNAP_NAME is set to the
15# name (eg, 'foo') while SNAP_INSTANCE_NAME is set to the instance name (eg
16# 'foo_bar'). The profile name and most rules therefore reference
17# SNAP_INSTANCE_NAME. In some cases, snapd will adjust the snap's runtime
18# environment so the snap doesn't have to be aware of the distinction (eg,
19# SNAP, SNAP_DATA and SNAP_COMMON are all bind mounted onto a directory with
20# SNAP_NAME so the security policy will allow writing to both locations (since
21# they are equivalent).
22
23# This is a snap name without the instance key
24@{SNAP_NAME}="discord"
25# This is a snap name with instance key. It is identical to SNAP_NAME here, so
# the rules below that alternate between the two (see 'parallel installs',
# above) collapse to a single path for this install.
26@{SNAP_INSTANCE_NAME}="discord"
# Command (app) within the snap that this profile confines; it corresponds to
# the last component of the profile name "snap.discord.discord".
27@{SNAP_COMMAND_NAME}="discord"
# Revision this profile was generated for. Only this revision's directories
# under @{HOME}/snap/... and /var/snap/... are granted write access by the
# profile; the directories of other revisions are read-only.
28@{SNAP_REVISION}="101"
# Profile name with each '.' escaped as '_2e' (hex 0x2e), presumably for use
# in DBus mediation. Not referenced by any rule visible in this file.
29@{PROFILE_DBUS}="snap_2ediscord_2ediscord"
# Snap mount root; the alternation matches both /snap and /var/lib/snapd/snap.
30@{INSTALL_DIR}="/{,var/lib/snapd/}snap"
31
32profile "snap.discord.discord" (attach_disconnected,mediate_deleted) {
33 #include <abstractions/base>
34 #include <abstractions/consoles>
35 #include <abstractions/openssl>
36
37# While this is included in later versions of the base abstraction, include it
38# explicitly for series 16 and cross-distro
39 /etc/ld.so.preload r,
40
41 # The base abstraction doesn't yet have this
42 /etc/sysconfig/clock r,
43 /lib/terminfo/** rk,
44 /usr/share/terminfo/** k,
45 /usr/share/zoneinfo/** k,
46 owner @{PROC}/@{pid}/maps k,
47# While the base abstraction has rules for eCryptfs-encrypted home and
48# private directories, it is missing rules for directory read on the toplevel
49# directory of the mount (LP: #1848919)
50 owner @{HOME}/.Private/ r,
51 owner @{HOMEDIRS}/.ecryptfs/*/.Private/ r,
52
53 # for python apps/services
54 #include <abstractions/python>
55 /usr/bin/python{,2,2.[0-9]*,3,3.[0-9]*} ixr,
56 # additional accesses needed for newer pythons in later bases
57 /usr/lib{,32,64}/python3.[0-9]/**.{pyc,so} mr,
58 /usr/lib{,32,64}/python3.[0-9]/**.{egg,py,pth} r,
59 /usr/lib{,32,64}/python3.[0-9]/{site,dist}-packages/ r,
60 /usr/lib{,32,64}/python3.[0-9]/lib-dynload/*.so mr,
61 /etc/python3.[0-9]/** r,
62 /usr/include/python3.[0-9]*/pyconfig.h r,
63
64 # explicitly deny noisy denials to read-only filesystems (see LP: #1496895
65 # for details)
66 deny /usr/lib/python3*/{,**/}__pycache__/ w,
67 deny /usr/lib/python3*/{,**/}__pycache__/**.pyc.[0-9]* w,
68 # bind mount used here (see 'parallel installs', above)
69 deny @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/**/__pycache__/ w,
70 deny @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/**/__pycache__/*.pyc.[0-9]* w,
71
72 # for perl apps/services
73 #include <abstractions/perl>
74 /usr/bin/perl{,5*} ixr,
75 # AppArmor <2.12 doesn't have rules for perl-base, so add them here
76 /usr/lib/@{multiarch}/perl{,5,-base}/** r,
77 /usr/lib/@{multiarch}/perl{,5,-base}/[0-9]*/**.so* mr,
78
79# Note: the following dangerous accesses should not be allowed in most
80# policy, but we cannot explicitly deny since other trusted interfaces might
81# add them. The deny rules below are therefore left commented out: these
# accesses are still refused by the profile's default-deny, but nothing here
# overrides an interface that grants them.
82# Denying ptrace explicitly would be preferable since it can be abused to break
83# out of the seccomp sandbox. https://lkml.org/lkml/2015/3/18/823
84 #audit deny ptrace (trace),
85
86 # Explicitly deny capability mknod so apps can't create devices
87 #audit deny capability mknod,
88
89 # Explicitly deny mount, remount and umount so apps can't modify things in
90 # their namespace
91 #audit deny mount,
92 #audit deny remount,
93 #audit deny umount,
94
95 # End dangerous accesses
96
97 # Note: this potentially allows snaps to DoS other snaps via resource
98 # exhaustion but we can't sensibly mediate this today. In the future we may
99 # employ cgroup limits, AppArmor rlimit mlock rules or something else.
100 capability ipc_lock,
101
102 # for bash 'binaries' (do *not* use abstractions/bash)
103 # user-specific bash files
104 /{,usr/}bin/bash ixr,
105 /{,usr/}bin/dash ixr,
106 /etc/bash.bashrc r,
107
108 # user/group/seat lookups
109 /etc/{passwd,group,nsswitch.conf} r, # very common
110 /var/lib/extrausers/{passwd,group} r,
111 /run/systemd/users/[0-9]* r,
112 /etc/default/nss r,
113
114 /etc/libnl-3/{classid,pktloc} r, # apps that use libnl
115 /etc/profile r,
116 /etc/environment r,
117 /usr/share/terminfo/** r,
118 /etc/inputrc r,
119 # Common utilities for shell scripts
120 /{,usr/}bin/arch ixr,
121 /{,usr/}bin/{,g,m}awk ixr,
122 /{,usr/}bin/base32 ixr,
123 /{,usr/}bin/base64 ixr,
124 /{,usr/}bin/basename ixr,
125 /{,usr/}bin/bunzip2 ixr,
126 /{,usr/}bin/bzcat ixr,
127 /{,usr/}bin/bzdiff ixr,
128 /{,usr/}bin/bzgrep ixr,
129 /{,usr/}bin/bzip2 ixr,
130 /{,usr/}bin/cat ixr,
131 /{,usr/}bin/chgrp ixr,
132 /{,usr/}bin/chmod ixr,
133 /{,usr/}bin/chown ixr,
134 /{,usr/}bin/clear ixr,
135 /{,usr/}bin/cmp ixr,
136 /{,usr/}bin/cp ixr,
137 /{,usr/}bin/cpio ixr,
138 /{,usr/}bin/cut ixr,
139 /{,usr/}bin/date ixr,
140 /{,usr/}bin/dbus-daemon ixr,
141 /{,usr/}bin/dbus-run-session ixr,
142 /{,usr/}bin/dbus-send ixr,
143 /{,usr/}bin/dd ixr,
144 /{,usr/}bin/diff{,3} ixr,
145 /{,usr/}bin/dir ixr,
146 /{,usr/}bin/dirname ixr,
147 /{,usr/}bin/du ixr,
148 /{,usr/}bin/echo ixr,
149 /{,usr/}bin/{,e,f,r}grep ixr,
150 /{,usr/}bin/env ixr,
151 /{,usr/}bin/expr ixr,
152 /{,usr/}bin/false ixr,
153 /{,usr/}bin/find ixr,
154 /{,usr/}bin/flock ixr,
155 /{,usr/}bin/fmt ixr,
156 /{,usr/}bin/fold ixr,
157 /{,usr/}bin/getconf ixr,
158 /{,usr/}bin/getent ixr,
159 /{,usr/}bin/getopt ixr,
160 /{,usr/}bin/groups ixr,
161 /{,usr/}bin/gzip ixr,
162 /{,usr/}bin/head ixr,
163 /{,usr/}bin/hostname ixr,
164 /{,usr/}bin/id ixr,
165 /{,usr/}bin/igawk ixr,
166 /{,usr/}bin/infocmp ixr,
167 /{,usr/}bin/kill ixr,
168 /{,usr/}bin/ldd ixr,
169 /{usr/,}lib{,32,64}/ld{,32,64}-*.so ix,
170 /{usr/,}lib/@{multiarch}/ld{,32,64}-*.so ix,
171 /{,usr/}bin/less{,file,pipe} ixr,
172 /{,usr/}bin/ln ixr,
173 /{,usr/}bin/line ixr,
174 /{,usr/}bin/link ixr,
175 /{,usr/}bin/locale ixr,
176 /{,usr/}bin/logger ixr,
177 /{,usr/}bin/ls ixr,
178 /{,usr/}bin/md5sum ixr,
179 /{,usr/}bin/mkdir ixr,
180 /{,usr/}bin/mkfifo ixr,
181 /{,usr/}bin/mknod ixr,
182 /{,usr/}bin/mktemp ixr,
183 /{,usr/}bin/more ixr,
184 /{,usr/}bin/mv ixr,
185 /{,usr/}bin/nice ixr,
186 /{,usr/}bin/nohup ixr,
187 /{,usr/}bin/od ixr,
188 /{,usr/}bin/openssl ixr, # may cause harmless capability block_suspend denial
189 /{,usr/}bin/paste ixr,
190 /{,usr/}bin/pgrep ixr,
191 /{,usr/}bin/printenv ixr,
192 /{,usr/}bin/printf ixr,
193 /{,usr/}bin/ps ixr,
194 /{,usr/}bin/pwd ixr,
195 /{,usr/}bin/readlink ixr,
196 /{,usr/}bin/realpath ixr,
197 /{,usr/}bin/rev ixr,
198 /{,usr/}bin/rm ixr,
199 /{,usr/}bin/rmdir ixr,
200 /{,usr/}bin/run-parts ixr,
201 /{,usr/}bin/sed ixr,
202 /{,usr/}bin/seq ixr,
203 /{,usr/}bin/sha{1,224,256,384,512}sum ixr,
204 /{,usr/}bin/shuf ixr,
205 /{,usr/}bin/sleep ixr,
206 /{,usr/}bin/sort ixr,
207 /{,usr/}bin/stat ixr,
208 /{,usr/}bin/stdbuf ixr,
209 /{,usr/}bin/stty ixr,
210 /{,usr/}bin/sync ixr,
211 /{,usr/}bin/systemd-cat ixr,
212 /{,usr/}bin/tac ixr,
213 /{,usr/}bin/tail ixr,
214 /{,usr/}bin/tar ixr,
215 /{,usr/}bin/tee ixr,
216 /{,usr/}bin/test ixr,
217 /{,usr/}bin/tempfile ixr,
218 /{,usr/}bin/tset ixr,
219 /{,usr/}bin/touch ixr,
220 /{,usr/}bin/tput ixr,
221 /{,usr/}bin/tr ixr,
222 /{,usr/}bin/true ixr,
223 /{,usr/}bin/tty ixr,
224 /{,usr/}bin/uname ixr,
225 /{,usr/}bin/uniq ixr,
226 /{,usr/}bin/unlink ixr,
227 /{,usr/}bin/unxz ixr,
228 /{,usr/}bin/unzip ixr,
229 /{,usr/}bin/vdir ixr,
230 /{,usr/}bin/wc ixr,
231 /{,usr/}bin/which ixr,
232 /{,usr/}bin/xargs ixr,
233 /{,usr/}bin/xz ixr,
234 /{,usr/}bin/yes ixr,
235 /{,usr/}bin/zcat ixr,
236 /{,usr/}bin/z{,e,f}grep ixr,
237 /{,usr/}bin/zip ixr,
238 /{,usr/}bin/zipgrep ixr,
239
240 # For snappy reexec on 4.8+ kernels
241 /usr/lib/snapd/snap-exec m,
242
243 # For gdb support
244 /usr/lib/snapd/snap-gdb-shim ixr,
245
246 # For in-snap tab completion
247 /etc/bash_completion.d/{,*} r,
248 /usr/lib/snapd/etelpmoc.sh ixr, # marshaller (see complete.sh for out-of-snap unmarshal)
249 /usr/share/bash-completion/bash_completion r, # user-provided completions (run in-snap) may use functions from here
250
251 # For printing the cache (we don't allow updating the cache)
252 /{,usr/}sbin/ldconfig{,.real} ixr,
253
254 # uptime
255 /{,usr/}bin/uptime ixr,
256 @{PROC}/uptime r,
257 @{PROC}/loadavg r,
258
259 # lsb-release
260 /usr/bin/lsb_release ixr,
261 /usr/bin/ r,
262 /usr/share/distro-info/*.csv r,
263
264 # Allow reading /etc/os-release. On Ubuntu 16.04+ it is a symlink to /usr/lib
265 # which is allowed by the base abstraction, but on 14.04 it is an actual file
266 # so need to add it here. Also allow read locks on the file.
267 /etc/os-release rk,
268 /usr/lib/os-release k,
269
270 # systemd native journal API (see sd_journal_print(4)). This should be in
271 # AppArmor's base abstraction, but until it is, include here.
272 /run/systemd/journal/socket w,
273 /run/systemd/journal/stdout rw, # 'r' shouldn't be needed, but journald
274 # doesn't leak anything so allow
275
276 # snapctl and its requirements
277 /usr/bin/snapctl ixr,
278 /usr/lib/snapd/snapctl ixr,
279 @{PROC}/sys/net/core/somaxconn r,
280 /run/snapd-snap.socket rw,
281
282 # Note: for now, don't explicitly deny this noisy denial so --devmode isn't
283 # broken but eventually we may conditionally deny this since it is an
284 # information leak.
285 #deny /{,var/}run/utmp r,
286
287 # java
288 @{PROC}/@{pid}/ r,
289 @{PROC}/@{pid}/fd/ r,
290 owner @{PROC}/@{pid}/auxv r,
291 @{PROC}/sys/vm/zone_reclaim_mode r,
292 /etc/lsb-release r,
293 /sys/devices/**/read_ahead_kb r,
294 /sys/devices/system/cpu/** r,
295 /sys/devices/system/node/node[0-9]*/* r,
296 /sys/kernel/mm/transparent_hugepage/enabled r,
297 /sys/kernel/mm/transparent_hugepage/defrag r,
298# NOTE: this leaks the command lines of other processes (limited by 'owner' to
299# those running as the same user; command lines can carry secrets passed as
300# arguments), but java seems to want it (even though it seems to operate ok
301# without it) and SDL apps crash without it. Allow the owner match until an
# AppArmor kernel var is available to solve this properly (see LP: #1546825
# for details). comm is a subset of cmdline, so allow it too.
302 owner @{PROC}/@{pid}/cmdline r,
303 owner @{PROC}/@{pid}/comm r,
304
305# Per proc(5), the kernel enforces that a thread may only modify its comm
306# value or those in its thread group.
307 owner @{PROC}/@{pid}/task/@{tid}/comm rw,
308
309 # Allow reading and writing to our file descriptors in /proc which, for
310 # example, allow access to /dev/std{in,out,err} which are all symlinks to
311 # /proc/self/fd/{0,1,2} respectively. To support the open(..., O_TMPFILE)
312# linkat() temporary file technique, allow all fds. Importantly, access to
313# another task's fd via this proc interface is mediated via 'ptrace (read)'
314 # (readonly) and 'ptrace (trace)' (read/write) which is denied by default, so
315 # this rule by itself doesn't allow opening another snap's fds via proc.
316 owner @{PROC}/@{pid}/{,task/@{tid}}fd/[0-9]* rw,
317
318 # Miscellaneous accesses
319 /dev/{,u}random w,
320 /etc/machine-id r,
321 /etc/mime.types r,
322 @{PROC}/ r,
323 @{PROC}/version r,
324 @{PROC}/version_signature r,
325 /etc/{,writable/}hostname r,
326 /etc/{,writable/}localtime r,
327 /etc/{,writable/}mailname r,
328 /etc/{,writable/}timezone r,
329 owner @{PROC}/@{pid}/cgroup r,
330 @{PROC}/@{pid}/io r,
331 owner @{PROC}/@{pid}/limits r,
332 owner @{PROC}/@{pid}/loginuid r,
333 @{PROC}/@{pid}/smaps r,
334 @{PROC}/@{pid}/stat r,
335 @{PROC}/@{pid}/statm r,
336 @{PROC}/@{pid}/status r,
337 @{PROC}/@{pid}/task/ r,
338 @{PROC}/@{pid}/task/[0-9]*/smaps r,
339 @{PROC}/@{pid}/task/[0-9]*/stat r,
340 @{PROC}/@{pid}/task/[0-9]*/statm r,
341 @{PROC}/@{pid}/task/[0-9]*/status r,
342 @{PROC}/sys/fs/pipe-max-size r,
343 @{PROC}/sys/kernel/hostname r,
344 @{PROC}/sys/kernel/osrelease r,
345 @{PROC}/sys/kernel/ostype r,
346 @{PROC}/sys/kernel/yama/ptrace_scope r,
347 @{PROC}/sys/kernel/shmmax r,
348 @{PROC}/sys/fs/file-max r,
349 @{PROC}/sys/fs/inotify/max_* r,
350 @{PROC}/sys/kernel/pid_max r,
351 @{PROC}/sys/kernel/random/uuid r,
352 @{PROC}/sys/kernel/random/boot_id r,
353 /sys/devices/virtual/tty/{console,tty*}/active r,
354 /sys/fs/cgroup/memory/memory.limit_in_bytes r,
355 /sys/fs/cgroup/memory/snap.@{SNAP_INSTANCE_NAME}{,.*}/memory.limit_in_bytes r,
356 /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
357 /sys/module/apparmor/parameters/enabled r,
358 /{,usr/}lib/ r,
359
360 # Reads of oom_adj and oom_score_adj are safe
361 owner @{PROC}/@{pid}/oom_{,score_}adj r,
362
363 # Note: for now, don't explicitly deny write access so --devmode isn't broken
364 # but eventually we may conditionally deny this since it allows the process
365 # to increase the oom heuristic of other processes (make them more likely to
366 # be killed). Once AppArmor kernel var is available to solve this properly,
367 # this can safely be allowed since non-root processes won't be able to
368 # decrease the value and root processes will only be able to with
369# 'capability sys_resource,' which we deny by default.
370 # deny owner @{PROC}/@{pid}/oom_{,score_}adj w,
371
372 # Eases hardware assignment (doesn't give anything away)
373 /etc/udev/udev.conf r,
374 /sys/ r,
375 /sys/bus/ r,
376 /sys/class/ r,
377
378 # this leaks interface names and stats, but not in a way that is traceable
379 # to the user/device
380 @{PROC}/net/dev r,
381 @{PROC}/@{pid}/net/dev r,
382
383 # Read-only of this snap
384 /var/lib/snapd/snaps/@{SNAP_NAME}_*.snap r,
385
386 # Read-only for the install directory
387 # bind mount used here (see 'parallel installs', above)
388 @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/ r,
389 @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}}/ r,
390 @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}}/** mrklix,
391
392 # Read-only install directory for other revisions to help with bugs like
393 # LP: #1616650 and LP: #1655992
394 @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/** mrkix,
395
396 # Read-only home area for other versions
397 # bind mount *not* used here (see 'parallel installs', above)
398 owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/ r,
399 owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/** mrkix,
400
401 # Writable home area for this version.
402 # bind mount *not* used here (see 'parallel installs', above)
403 owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}/** wl,
404 owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/common/** wl,
405
406 # Read-only system area for other versions
407 # bind mount used here (see 'parallel installs', above)
408 /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/ r,
409 /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/** mrkix,
410
411 # Writable system area only for this version
412 # bind mount used here (see 'parallel installs', above)
413 /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/@{SNAP_REVISION}/** wl,
414 /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/common/** wl,
415
416# The ubuntu-core-launcher creates an app-specific private restricted /tmp
417# and will fail to launch the app if something goes wrong. As such, we can
418# simply allow full access to /tmp. Note that this grants write and execute
# ('w' and 'ix') on the same paths, so the app can stage and run binaries in
# its private /tmp; anything executed this way inherits this profile.
419 /tmp/ r,
420 /tmp/** mrwlkix,
421
422 # App-specific access to files and directories in /dev/shm. We allow file
423 # access in /dev/shm for shm_open() and files in subdirectories for open()
424 # bind mount *not* used here (see 'parallel installs', above)
425 /{dev,run}/shm/snap.@{SNAP_INSTANCE_NAME}.** mrwlkix,
426 # Also allow app-specific access for sem_open()
427 /{dev,run}/shm/sem.snap.@{SNAP_INSTANCE_NAME}.* mrwlk,
428
429 # Snap-specific XDG_RUNTIME_DIR that is based on the UID of the user
430 # bind mount *not* used here (see 'parallel installs', above)
431 owner /run/user/[0-9]*/snap.@{SNAP_INSTANCE_NAME}/ rw,
432 owner /run/user/[0-9]*/snap.@{SNAP_INSTANCE_NAME}/** mrwklix,
433
434 # Allow apps from the same package to communicate with each other via an
435 # abstract or anonymous socket
436 unix (bind, listen) addr="@snap.@{SNAP_INSTANCE_NAME}.**",
437 unix peer=(label=snap.@{SNAP_INSTANCE_NAME}.*),
438
439 # Allow apps from the same package to communicate with each other via DBus.
440 # Note: this does not grant access to the DBus sockets of well known buses
441 # (will still need to use an appropriate interface for that).
442 dbus (receive, send) peer=(label=snap.@{SNAP_INSTANCE_NAME}.*),
443 # In addition to the above, dbus-run-session attempts reading these files
444 # from the snap base runtime.
445 /usr/share/dbus-1/services/{,*} r,
446 /usr/share/dbus-1/system-services/{,*} r,
447
448 # Allow apps from the same package to signal each other via signals
449 signal peer=snap.@{SNAP_INSTANCE_NAME}.*,
450
451 # Allow receiving signals from all snaps (and focus on mediating sending of
452 # signals)
453 signal (receive) peer=snap.*,
454
455 # Allow receiving signals from unconfined (eg, systemd)
456 signal (receive) peer=unconfined,
457
458 # for 'udevadm trigger --verbose --dry-run --tag-match=snappy-assign'
459 /{,s}bin/udevadm ixr,
460 /etc/udev/udev.conf r,
461 /{,var/}run/udev/tags/snappy-assign/ r,
462 @{PROC}/cmdline r,
463 /sys/devices/**/uevent r,
464
465 # LP: #1447237: adding '--property-match=SNAPPY_APP=<pkgname>' to the above
466 # requires:
467 # /run/udev/data/* r,
468 # but that reveals too much about the system and cannot be granted to apps
469 # by default at this time.
470
471 # For convenience, allow apps to see what is in /dev even though cgroups
472 # will block most access
473 /dev/ r,
474 /dev/**/ r,
475
476 # Allow setting up pseudoterminal via /dev/pts system. This is safe because
477 # the launcher uses a per-app devpts newinstance.
478 /dev/ptmx rw,
479
480 # Do the same with /sys/devices and /sys/class to help people using hw-assign
481 /sys/devices/ r,
482 /sys/devices/**/ r,
483 /sys/class/ r,
484 /sys/class/**/ r,
485
486 # Allow all snaps to chroot
487 capability sys_chroot,
488 /{,usr/}sbin/chroot ixr,
489
490 # Lttng tracing is very noisy and should not be allowed by confined apps. Can
491 # safely deny for the normal case (LP: #1260491). If/when an lttng-trace
492 # interface is needed, we can rework this.
493 deny /{dev,run,var/run}/shm/lttng-ust-* rw,
494
495 # Allow read-access on /home/ for navigating to other parts of the
496 # filesystem. While this allows enumerating users, this is already allowed
497 # via /etc/passwd and getent.
498 @{HOMEDIRS}/ r,
499
500 # Allow read-access to / for navigating to other parts of the filesystem.
501 / r,
502
503 # Snap-specific run directory. Bind mount *not* used here
504 # (see 'parallel installs', above)
505 /run/snap.@{SNAP_INSTANCE_NAME}/ rw,
506 /run/snap.@{SNAP_INSTANCE_NAME}/** mrwklix,
507
508
509# Allow access to the Wayland compositor server socket
510owner /run/user/[0-9]*/wayland-[0-9]* rw,
511
512# Needed when using QT_QPA_PLATFORM=wayland-egl (MESA dri config)
513/etc/drirc r,
514
515
516# Allow communicating with pulseaudio service for playback and, on some
517# distributions, recording.
518/{run,dev}/shm/pulse-shm-* mrwk,
519
520owner /{,var/}run/pulse/ r,
521owner /{,var/}run/pulse/native rwk,
522owner /run/user/[0-9]*/ r,
523owner /run/user/[0-9]*/pulse/ rw,
524
525/run/udev/data/c116:[0-9]* r,
526/run/udev/data/+sound:card[0-9]* r,
527
528
529# Description: Can access Unity7. Note, Unity 7 runs on X and requires access
530# to various DBus services and this environment does not prevent eavesdropping
531# or apps interfering with one another.
532
533#include <abstractions/dbus-strict>
534#include <abstractions/dbus-session-strict>
535
536# Allow finding the DBus session bus id (eg, via dbus_bus_get_id())
537dbus (send)
538 bus=session
539 path=/org/freedesktop/DBus
540 interface=org.freedesktop.DBus
541 member=GetId
542 peer=(name=org.freedesktop.DBus, label=unconfined),
543
544#include <abstractions/X>
545
546#include <abstractions/fonts>
547owner @{HOME}/.local/share/fonts/{,**} r,
548/var/cache/fontconfig/ r,
549/var/cache/fontconfig/** mr,
550
551# subset of gnome abstraction
552/etc/gnome/defaults.list r,
553/usr/share/gnome/applications/ r,
554/usr/share/applications/mimeinfo.cache r,
555
556/etc/gtk-*/* r,
557/usr/lib{,32,64}/gtk-*/** mr,
558/usr/lib{,32,64}/gdk-pixbuf-*/** mr,
559/usr/lib/@{multiarch}/gtk-*/** mr,
560/usr/lib/@{multiarch}/gdk-pixbuf-*/** mr,
561
562/etc/pango/* r,
563/usr/lib{,32,64}/pango/** mr,
564/usr/lib/@{multiarch}/pango/** mr,
565
566/usr/share/icons/ r,
567/usr/share/icons/** r,
568/usr/share/icons/*/index.theme rk,
569/usr/share/pixmaps/ r,
570/usr/share/pixmaps/** r,
571/usr/share/unity/icons/** r,
572/usr/share/thumbnailer/icons/** r,
573/usr/share/themes/** r,
574
575# The snapcraft desktop part may look for schema files in various locations, so
576# allow reading system installed schemas.
577/usr/share/glib*/schemas/{,*} r,
578/usr/share/gnome/glib*/schemas/{,*} r,
579/usr/share/ubuntu/glib*/schemas/{,*} r,
580
581# Snappy's 'xdg-open' talks to the snapd-xdg-open service which currently works
582# only in environments supporting dbus-send (eg, X11). In the future once
583# snappy's xdg-open supports all snaps images, this access may move to another
584# interface.
585/usr/bin/xdg-open ixr,
586/usr/share/applications/{,*} r,
587
588# This allows access to the first version of snapd-xdg-open, which was
589# shipped outside of snapd
590dbus (send)
591 bus=session
592 path=/
593 interface=com.canonical.SafeLauncher
594 member=OpenURL
595 peer=(label=unconfined),
596# ... and this allows access to the new xdg-open service which
597# is now part of snapd itself.
598dbus (send)
599 bus=session
600 path=/io/snapcraft/Launcher
601 interface=io.snapcraft.Launcher
602 member={OpenURL,OpenFile}
603 peer=(label=unconfined),
604
605# Allow use of snapd's internal 'xdg-settings'
606/usr/bin/xdg-settings ixr,
607dbus (send)
608 bus=session
609 path=/io/snapcraft/Settings
610 interface=io.snapcraft.Settings
611 member={Check,Get,Set}
612 peer=(label=unconfined),
613
614# input methods (ibus)
615# subset of ibus abstraction
616/usr/lib/@{multiarch}/gtk-2.0/[0-9]*/immodules/im-ibus.so mr,
617owner @{HOME}/.config/ibus/ r,
618owner @{HOME}/.config/ibus/bus/ r,
619owner @{HOME}/.config/ibus/bus/* r,
620
621# allow communicating with ibus-daemon (this allows sniffing key events)
622unix (connect, receive, send)
623 type=stream
624 peer=(addr="@/tmp/ibus/dbus-*"),
625
626
627# input methods (mozc)
628# allow communicating with mozc server (TODO: investigate whether this allows
# key-event sniffing, as the ibus rule above does)
629unix (connect, receive, send)
630 type=stream
631 peer=(addr="@tmp/.mozc.*"),
632
633
634# input methods (fcitx)
635# allow communicating with fcitx dbus service
636dbus send
637 bus=fcitx
638 path=/org/freedesktop/DBus
639 interface=org.freedesktop.DBus
640 member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
641 peer=(name=org.freedesktop.DBus),
642
643owner @{HOME}/.config/fcitx/dbus/* r,
644
645# allow creating an input context
646dbus send
647 bus={fcitx,session}
648 path=/inputmethod
649 interface=org.fcitx.Fcitx.InputMethod
650 member=CreateIC*
651 peer=(label=unconfined),
652
653# allow setting up and tearing down the input context
654dbus send
655 bus={fcitx,session}
656 path=/inputcontext_[0-9]*
657 interface=org.fcitx.Fcitx.InputContext
658 member="{Close,Destroy,Enable}IC"
659 peer=(label=unconfined),
660
661dbus send
662 bus={fcitx,session}
663 path=/inputcontext_[0-9]*
664 interface=org.fcitx.Fcitx.InputContext
665 member=Reset
666 peer=(label=unconfined),
667
668# allow service to send us signals
669dbus receive
670 bus=fcitx
671 peer=(label=unconfined),
672
673dbus receive
674 bus=session
675 interface=org.fcitx.Fcitx.*
676 peer=(label=unconfined),
677
678# use the input context
679dbus send
680 bus={fcitx,session}
681 path=/inputcontext_[0-9]*
682 interface=org.fcitx.Fcitx.InputContext
683 member="Focus{In,Out}"
684 peer=(label=unconfined),
685
686dbus send
687 bus={fcitx,session}
688 path=/inputcontext_[0-9]*
689 interface=org.fcitx.Fcitx.InputContext
690 member="{CommitPreedit,Set*}"
691 peer=(label=unconfined),
692
693# this is an information leak and allows key and mouse sniffing. If the input
694# context path were tied to the process' security label, this would not be an
695# issue.
696dbus send
697 bus={fcitx,session}
698 path=/inputcontext_[0-9]*
699 interface=org.fcitx.Fcitx.InputContext
700 member="{MouseEvent,ProcessKeyEvent}"
701 peer=(label=unconfined),
702
703# this method does not exist with the sunpinyin backend (at least), so allow
704# it for other input methods. This may constitute an information leak (which,
705# again, could be avoided if the path were tied to the process' security
706# label).
707dbus send
708 bus={fcitx,session}
709 path=/inputcontext_[0-9]*
710 interface=org.freedesktop.DBus.Properties
711 member=GetAll
712 peer=(label=unconfined),
713
714# Needed by QtSystems on X to detect mouse and keyboard. Note, the 'netlink
715# raw' rule is not finely mediated by apparmor so we mediate with seccomp arg
716# filtering.
717network netlink raw,
718/run/udev/data/c13:[0-9]* r,
719/run/udev/data/+input:* r,
720
721# subset of freedesktop.org
722/usr/share/mime/** r,
723owner @{HOME}/.local/share/mime/** r,
724owner @{HOME}/.config/user-dirs.* r,
725
726/etc/xdg/user-dirs.conf r,
727/etc/xdg/user-dirs.defaults r,
728
729# gtk settings (subset of gnome abstraction)
730owner @{HOME}/.config/gtk-2.0/gtkfilechooser.ini r,
731owner @{HOME}/.config/gtk-3.0/settings.ini r,
732# Note: this leaks directory names that wouldn't otherwise be known to the snap
733owner @{HOME}/.config/gtk-3.0/bookmarks r,
734
735# accessibility
736#include <abstractions/dbus-accessibility-strict>
737dbus (send)
738 bus=session
739 path=/org/a11y/bus
740 interface=org.a11y.Bus
741 member=GetAddress
742 peer=(label=unconfined),
743dbus (send)
744 bus=session
745 path=/org/a11y/bus
746 interface=org.freedesktop.DBus.Properties
747 member=Get{,All}
748 peer=(label=unconfined),
749
750# unfortunate, but org.a11y.atspi is not designed for separation
751dbus (receive, send)
752 bus=accessibility
753 path=/org/a11y/atspi/**
754 peer=(label=unconfined),
755
756# org.freedesktop.Accounts
757dbus (send)
758 bus=system
759 path=/org/freedesktop/Accounts
760 interface=org.freedesktop.DBus.Introspectable
761 member=Introspect
762 peer=(label=unconfined),
763
764dbus (send)
765 bus=system
766 path=/org/freedesktop/Accounts
767 interface=org.freedesktop.Accounts
768 member=FindUserById
769 peer=(label=unconfined),
770
771# Get() is an information leak
772# TODO: verify what it is leaking
773dbus (receive, send)
774 bus=system
775 path=/org/freedesktop/Accounts/User[0-9]*
776 interface=org.freedesktop.DBus.Properties
777 member={Get,PropertiesChanged}
778 peer=(label=unconfined),
779
780# gmenu
781# Note: the gmenu DBus api was not designed for application isolation and apps
782# may specify anything as their 'path'. For example, these work in many
783# cases:
784# - /org/gtk/Application/anonymous{,/**}
785# - /com/canonical/unity/gtk/window/[0-9]*
786# but libreoffice does:
787# - /org/libreoffice{,/**}
788# As such, cannot mediate by DBus path so we'll be as strict as we can in the
789# other mediated parts
790dbus (send)
791 bus=session
792 interface=org.gtk.Actions
793 member=Changed
794 peer=(name=org.freedesktop.DBus, label=unconfined),
795
796dbus (receive)
797 bus=session
798 interface=org.gtk.Actions
799 member={Activate,DescribeAll,SetState}
800 peer=(label=unconfined),
801
802dbus (receive)
803 bus=session
804 interface=org.gtk.Menus
805 member={Start,End}
806 peer=(label=unconfined),
807
808dbus (send)
809 bus=session
810 interface=org.gtk.Menus
811 member=Changed
812 peer=(name=org.freedesktop.DBus, label=unconfined),
813
814# Ubuntu menus
815dbus (send)
816 bus=session
817 path="/com/ubuntu/MenuRegistrar"
818 interface="com.ubuntu.MenuRegistrar"
819 member="{Register,Unregister}{App,Surface}Menu"
820 peer=(label=unconfined),
821
822# url helper
823dbus (send)
824 bus=session
825 interface=com.canonical.SafeLauncher.OpenURL
826 peer=(label=unconfined),
827# new url helper (part of snap userd)
828dbus (send)
829 bus=session
830 interface=io.snapcraft.Launcher.OpenURL
831 peer=(label=unconfined),
832
833# dbusmenu
834dbus (send)
835 bus=session
836 path=/{MenuBar{,/[0-9A-F]*},com/canonical/menu/[0-9A-F]*}
837 interface=com.canonical.dbusmenu
838 member="{LayoutUpdated,ItemsPropertiesUpdated}"
839 peer=(name=org.freedesktop.DBus, label=unconfined),
840
841dbus (receive)
842 bus=session
843 path=/{MenuBar{,/[0-9A-F]*},com/canonical/menu/[0-9A-F]*}
844 interface="{com.canonical.dbusmenu,org.freedesktop.DBus.Properties}"
845 member=Get*
846 peer=(label=unconfined),
847
848dbus (receive)
849 bus=session
850 path=/{MenuBar{,/[0-9A-F]*},com/canonical/menu/[0-9A-F]*}
851 interface=com.canonical.dbusmenu
852 member="{AboutTo*,Event*}"
853 peer=(label=unconfined),
854
855dbus (receive)
856 bus=session
857 path=/{MenuBar{,/[0-9A-F]*},com/canonical/menu/[0-9A-F]*}
858 interface=org.freedesktop.DBus.Introspectable
859 member=Introspect
860 peer=(label=unconfined),
861
862# app-indicators
863dbus (send)
864 bus=session
865 path=/StatusNotifierWatcher
866 interface=org.freedesktop.DBus.Introspectable
867 member=Introspect
868 peer=(name=org.kde.StatusNotifierWatcher, label=unconfined),
869
870dbus (send)
871 bus=session
872 path=/org/freedesktop/DBus
873 interface=org.freedesktop.DBus
874 member="{GetConnectionUnixProcessID,RequestName,ReleaseName}"
875 peer=(name=org.freedesktop.DBus, label=unconfined),
876
877dbus (bind)
878 bus=session
879 name=org.kde.StatusNotifierItem-[0-9]*,
880
881dbus (send)
882 bus=session
883 path=/StatusNotifierWatcher
884 interface=org.freedesktop.DBus.Properties
885 member=Get
886 peer=(name=org.kde.StatusNotifierWatcher, label=unconfined),
887
888dbus (send)
889 bus=session
890 path=/{StatusNotifierWatcher,org/ayatana/NotificationItem/*}
891 interface=org.kde.StatusNotifierWatcher
892 member=RegisterStatusNotifierItem
893 peer=(label=unconfined),
894
895dbus (send)
896 bus=session
897 path=/{StatusNotifierItem,org/ayatana/NotificationItem/*}
898 interface=org.kde.StatusNotifierItem
899 member="New{AttentionIcon,Icon,IconThemePath,OverlayIcon,Status,Title,ToolTip}"
900 peer=(name=org.freedesktop.DBus, label=unconfined),
901
902dbus (receive)
903 bus=session
904 path=/{StatusNotifierItem,org/ayatana/NotificationItem/*}
905 interface=org.kde.StatusNotifierItem
906 member={Activate,ContextMenu,Scroll,SecondaryActivate,XAyatanaSecondaryActivate}
907 peer=(label=unconfined),
908
909dbus (send)
910 bus=session
911 path=/{StatusNotifierItem/menu,org/ayatana/NotificationItem/*/Menu}
912 interface=com.canonical.dbusmenu
913 member="{LayoutUpdated,ItemsPropertiesUpdated}"
914 peer=(name=org.freedesktop.DBus, label=unconfined),
915
916dbus (receive)
917 bus=session
918 path=/{StatusNotifierItem,StatusNotifierItem/menu,org/ayatana/NotificationItem/**}
919 interface={org.freedesktop.DBus.Properties,com.canonical.dbusmenu}
920 member={Get*,AboutTo*,Event*}
921 peer=(label=unconfined),
922
923# notifications
924dbus (send)
925 bus=session
926 path=/org/freedesktop/Notifications
927 interface=org.freedesktop.Notifications
928 member="{GetCapabilities,GetServerInformation,Notify,CloseNotification}"
929 peer=(label=unconfined),
930
931dbus (receive)
932 bus=session
933 path=/org/freedesktop/Notifications
934 interface=org.freedesktop.Notifications
935 member={ActionInvoked,NotificationClosed}
936 peer=(label=unconfined),
937
938dbus (send)
939 bus=session
940 path=/org/ayatana/NotificationItem/*
941 interface=org.kde.StatusNotifierItem
942 member=XAyatanaNew*
943 peer=(name=org.freedesktop.DBus, label=unconfined),
944
945# unity launcher
946dbus (send)
947 bus=session
948 path=/com/canonical/unity/launcherentry/[0-9]*
949 interface=com.canonical.Unity.LauncherEntry
950 member=Update
951 peer=(name=org.freedesktop.DBus, label=unconfined),
952
953dbus (send)
954 bus=session
955 path=/com/canonical/unity/launcherentry/[0-9]*
956 interface=com.canonical.dbusmenu
957 member="{LayoutUpdated,ItemsPropertiesUpdated}"
958 peer=(name=org.freedesktop.DBus, label=unconfined),
959
960dbus (receive)
961 bus=session
962 path=/com/canonical/unity/launcherentry/[0-9]*
963 interface="{com.canonical.dbusmenu,org.freedesktop.DBus.Properties}"
964 member=Get*
965 peer=(label=unconfined),
966
967# unity messaging menu
968# first, allow finding the desktop file
969/usr/share/applications/ r,
970# this leaks the names of snaps with desktop files
971/var/lib/snapd/desktop/applications/ r,
972/var/lib/snapd/desktop/applications/mimeinfo.cache r,
973# Support BAMF_DESKTOP_FILE_HINT by allowing reading our desktop files
974# parallel-installs: when @{SNAP_INSTANCE_NAME} == @{SNAP_NAME},
975# this leaks read access to desktop files of parallel installs of the snap
976/var/lib/snapd/desktop/applications/@{SNAP_INSTANCE_NAME}_*.desktop r,
977
978# then allow talking to Unity DBus service
979dbus (send)
980 bus=session
981 interface=org.freedesktop.DBus.Properties
982 path=/com/canonical/indicator/messages/service
983 member=GetAll
984 peer=(label=unconfined),
985
986dbus (send)
987 bus=session
988 path=/com/canonical/indicator/messages/service
989 interface=com.canonical.indicator.messages.service
990 member={Register,Unregister}Application
991 peer=(label=unconfined),
992
993# When @{SNAP_NAME} == @{SNAP_INSTANCE_NAME}, this rule
994# allows the snap to access parallel installs of this snap.
995dbus (receive)
996 bus=session
997 interface=org.freedesktop.DBus.Properties
998 path=/com/canonical/indicator/messages/discord_*_desktop
999 member=GetAll
1000 peer=(label=unconfined),
1001
1002# When @{SNAP_NAME} == @{SNAP_INSTANCE_NAME}, this rule
1003# allows the snap to access parallel installs of this snap.
1004dbus (receive, send)
1005 bus=session
1006 interface=com.canonical.indicator.messages.application
1007 path=/com/canonical/indicator/messages/discord_*_desktop
1008 peer=(label=unconfined),
1009
1010# This rule is meant to be covered by abstractions/dbus-session-strict but
1011# the unity launcher code has a typo that uses /org/freedesktop/dbus as the
1012# path instead of /org/freedesktop/DBus, so we need to allow it here.
1013dbus (send)
1014 bus=session
1015 path=/org/freedesktop/dbus
1016 interface=org.freedesktop.DBus
1017 member=NameHasOwner
1018 peer=(name=org.freedesktop.DBus, label=unconfined),
1019
1020# appmenu
1021dbus (send)
1022 bus=session
1023 path=/org/freedesktop/DBus
1024 interface=org.freedesktop.DBus
1025 member=ListNames
1026 peer=(name=org.freedesktop.DBus, label=unconfined),
1027
1028dbus (send)
1029 bus=session
1030 path=/com/canonical/AppMenu/Registrar
1031 interface=com.canonical.AppMenu.Registrar
1032 member="{RegisterWindow,UnregisterWindow}"
1033 peer=(label=unconfined),
1034
1035dbus (send)
1036 bus=session
1037 path=/com/canonical/AppMenu/Registrar
1038 interface=com.canonical.dbusmenu
1039 member=UnregisterWindow
1040 peer=(label=unconfined),
1041
1042dbus (receive)
1043 bus=session
1044 path=/com/canonical/menu/[0-9]*
1045 interface="{org.freedesktop.DBus.Properties,com.canonical.dbusmenu}"
1046 member="{GetAll,GetLayout}"
1047 peer=(label=unconfined),
1048
1049# Allow requesting interest in receiving media key events. This tells Gnome
1050# settings that our application should be notified when key events we are
1051# interested in are pressed, and allows us to receive those events.
1052dbus (receive, send)
1053 bus=session
1054 interface=org.gnome.SettingsDaemon.MediaKeys
1055 path=/org/gnome/SettingsDaemon/MediaKeys
1056 peer=(label=unconfined),
1057dbus (send)
1058 bus=session
1059 interface=org.freedesktop.DBus.Properties
1060 path=/org/gnome/SettingsDaemon/MediaKeys
1061 member="Get{,All}"
1062 peer=(label=unconfined),
1063
1064# Allow checking status, activating and locking the screensaver
1065# mate
1066dbus (send)
1067 bus=session
1068 path="/{,org/mate/}ScreenSaver"
1069 interface=org.mate.ScreenSaver
1070 member="{GetActive,GetActiveTime,Lock,SetActive}"
1071 peer=(label=unconfined),
1072
1073dbus (receive)
1074 bus=session
1075 path="/{,org/mate/}ScreenSaver"
1076 interface=org.mate.ScreenSaver
1077 member=ActiveChanged
1078 peer=(label=unconfined),
1079
1080# Unity
1081dbus (send)
1082 bus=session
1083 interface=com.canonical.Unity.Session
1084 path=/com/canonical/Unity/Session
1085 member="{ActivateScreenSaver,IsLocked,Lock}"
1086 peer=(label=unconfined),
1087
1088# Allow unconfined to introspect us
1089dbus (receive)
1090 bus=session
1091 interface=org.freedesktop.DBus.Introspectable
1092 member=Introspect
1093 peer=(label=unconfined),
1094
1095# gtk2/gvfs gtk_show_uri()
1096dbus (send)
1097 bus=session
1098 path=/org/gtk/vfs/mounttracker
1099 interface=org.gtk.vfs.MountTracker
1100 member=ListMountableInfo,
1101dbus (send)
1102 bus=session
1103 path=/org/gtk/vfs/mounttracker
1104 interface=org.gtk.vfs.MountTracker
1105 member=LookupMount,
1106
1107
1108# Description: Can access basic graphical desktop resources. To be used with
1109# other interfaces (eg, wayland).
1110
1111#include <abstractions/dbus-strict>
1112#include <abstractions/dbus-session-strict>
1113
1114# Allow finding the DBus session bus id (eg, via dbus_bus_get_id())
1115dbus (send)
1116 bus=session
1117 path=/org/freedesktop/DBus
1118 interface=org.freedesktop.DBus
1119 member=GetId
1120 peer=(name=org.freedesktop.DBus, label=unconfined),
1121
1122#include <abstractions/fonts>
1123owner @{HOME}/.local/share/fonts/{,**} r,
1124/var/cache/fontconfig/ r,
1125/var/cache/fontconfig/** mr,
1126
1127# subset of gnome abstraction
1128/etc/gtk-3.0/settings.ini r,
1129owner @{HOME}/.config/gtk-3.0/settings.ini r,
1130# Note: this leaks directory names that wouldn't otherwise be known to the snap
1131owner @{HOME}/.config/gtk-3.0/bookmarks r,
1132
1133/usr/share/icons/ r,
1134/usr/share/icons/** r,
1135/usr/share/icons/*/index.theme rk,
1136/usr/share/pixmaps/ r,
1137/usr/share/pixmaps/** r,
1138/usr/share/unity/icons/** r,
1139/usr/share/thumbnailer/icons/** r,
1140/usr/share/themes/** r,
1141
1142# The snapcraft desktop part may look for schema files in various locations, so
1143# allow reading system installed schemas.
1144/usr/share/glib*/schemas/{,*} r,
1145/usr/share/gnome/glib*/schemas/{,*} r,
1146/usr/share/ubuntu/glib*/schemas/{,*} r,
1147
1148# subset of freedesktop.org
1149owner @{HOME}/.local/share/mime/** r,
1150owner @{HOME}/.config/user-dirs.* r,
1151
1152/etc/xdg/user-dirs.conf r,
1153/etc/xdg/user-dirs.defaults r,
1154
1155# gmenu
1156dbus (send)
1157 bus=session
1158 interface=org.gtk.Actions
1159 member=Changed
1160 peer=(name=org.freedesktop.DBus, label=unconfined),
1161
1162# notifications
1163dbus (send)
1164 bus=session
1165 path=/org/freedesktop/Notifications
1166 interface=org.freedesktop.Notifications
1167 member="{GetCapabilities,GetServerInformation,Notify,CloseNotification}"
1168 peer=(label=unconfined),
1169
1170dbus (receive)
1171 bus=session
1172 path=/org/freedesktop/Notifications
1173 interface=org.freedesktop.Notifications
1174 member={ActionInvoked,NotificationClosed}
1175 peer=(label=unconfined),
1176
1177# DesktopAppInfo Launched
1178dbus (send)
1179 bus=session
1180 path=/org/gtk/gio/DesktopAppInfo
1181 interface=org.gtk.gio.DesktopAppInfo
1182 member=Launched
1183 peer=(label=unconfined),
1184
1185# Allow requesting interest in receiving media key events. This tells Gnome
1186# settings that our application should be notified when key events we are
1187# interested in are pressed, and allows us to receive those events.
1188dbus (receive, send)
1189 bus=session
1190 interface=org.gnome.SettingsDaemon.MediaKeys
1191 path=/org/gnome/SettingsDaemon/MediaKeys
1192 peer=(label=unconfined),
1193dbus (send)
1194 bus=session
1195 interface=org.freedesktop.DBus.Properties
1196 path=/org/gnome/SettingsDaemon/MediaKeys
1197 member="Get{,All}"
1198 peer=(label=unconfined),
1199
1200# Allow use of snapd's internal 'xdg-open'
1201/usr/bin/xdg-open ixr,
1202/usr/share/applications/{,*} r,
1203dbus (send)
1204 bus=session
1205 path=/
1206 interface=com.canonical.SafeLauncher
1207 member=OpenURL
1208 peer=(label=unconfined),
1209# ... and this allows access to the new xdg-open service which
1210# is now part of snapd itself.
1211dbus (send)
1212 bus=session
1213 path=/io/snapcraft/Launcher
1214 interface=io.snapcraft.Launcher
1215 member={OpenURL,OpenFile}
1216 peer=(label=unconfined),
1217
1218# Allow checking status, activating and locking the screensaver
1219# gnome/kde/freedesktop.org
1220dbus (send)
1221 bus=session
1222 path="/{,org/freedesktop/,org/gnome/}ScreenSaver"
1223 interface="org.{freedesktop,gnome}.ScreenSaver"
1224 member="{GetActive,GetActiveTime,Lock,SetActive}"
1225 peer=(label=unconfined),
1226
1227dbus (receive)
1228 bus=session
1229 path="/{,org/freedesktop/,org/gnome/}ScreenSaver"
1230 interface="org.{freedesktop,gnome}.ScreenSaver"
1231 member=ActiveChanged
1232 peer=(label=unconfined),
1233
1234# Allow unconfined to introspect us
1235dbus (receive)
1236 bus=session
1237 interface=org.freedesktop.DBus.Introspectable
1238 member=Introspect
1239 peer=(label=unconfined),
1240
1241# Allow use of snapd's internal 'xdg-settings'
1242/usr/bin/xdg-settings ixr,
1243dbus (send)
1244 bus=session
1245 path=/io/snapcraft/Settings
1246 interface=io.snapcraft.Settings
1247 member={Check,Get,Set}
1248 peer=(label=unconfined),
1249
1250## Allow access to xdg-document-portal file system. Access control is
1251## handled by bind mounting a snap-specific sub-tree to this location.
1252owner /run/user/[0-9]*/doc/ r,
1253owner /run/user/[0-9]*/doc/** rw,
1254
1255# Allow access to xdg-desktop-portal and xdg-document-portal
1256dbus (receive, send)
1257 bus=session
1258 interface=org.freedesktop.portal.*
1259 path=/org/freedesktop/portal/{desktop,documents}{,/**}
1260 peer=(label=unconfined),
1261
1262dbus (receive, send)
1263 bus=session
1264 interface=org.freedesktop.DBus.Properties
1265 path=/org/freedesktop/portal/{desktop,documents}{,/**}
1266 peer=(label=unconfined),
1267
1268# These accesses are noisy and applications can't do anything with the found
1269# icon files, so explicitly deny to silence the denials
1270deny /var/lib/snapd/desktop/icons/ r,
1271
1272
1273# Description: Can access common desktop legacy methods. This gives privileged
1274# access to the user's input.
1275
1276# accessibility (a11y)
1277#include <abstractions/dbus-session-strict>
1278dbus (send)
1279 bus=session
1280 path=/org/a11y/bus
1281 interface=org.a11y.Bus
1282 member=GetAddress
1283 peer=(label=unconfined),
1284
1285#include <abstractions/dbus-accessibility-strict>
1286
1287# Allow the accessibility services in the user session to send us any events
1288dbus (receive)
1289 bus=accessibility
1290 peer=(label=unconfined),
1291
1292# Allow querying for capabilities and registering
1293dbus (send)
1294 bus=accessibility
1295 path="/org/a11y/atspi/accessible/root"
1296 interface="org.a11y.atspi.Socket"
1297 member="Embed"
1298 peer=(name=org.a11y.atspi.Registry, label=unconfined),
1299dbus (send)
1300 bus=accessibility
1301 path="/org/a11y/atspi/registry"
1302 interface="org.a11y.atspi.Registry"
1303 member="GetRegisteredEvents"
1304 peer=(name=org.a11y.atspi.Registry, label=unconfined),
1305dbus (send)
1306 bus=accessibility
1307 path="/org/a11y/atspi/registry/deviceeventcontroller"
1308 interface="org.a11y.atspi.DeviceEventController"
1309 member="Get{DeviceEvent,Keystroke}Listeners"
1310 peer=(name=org.a11y.atspi.Registry, label=unconfined),
1311dbus (send)
1312 bus=accessibility
1313 path="/org/a11y/atspi/registry/deviceeventcontroller"
1314 interface="org.a11y.atspi.DeviceEventController"
1315 member="NotifyListenersSync"
1316 peer=(name=org.a11y.atspi.Registry, label=unconfined),
1317
1318# org.a11y.atspi is not designed for application isolation and these rules
1319# can be used to send change events for other processes.
1320dbus (send)
1321 bus=accessibility
1322 path="/org/a11y/atspi/accessible/root"
1323 interface="org.a11y.atspi.Event.Object"
1324 member="ChildrenChanged"
1325 peer=(name=org.freedesktop.DBus, label=unconfined),
1326dbus (send)
1327 bus=accessibility
1328 path="/org/a11y/atspi/accessible/root"
1329 interface="org.a11y.atspi.Accessible"
1330 member="Get*"
1331 peer=(label=unconfined),
1332dbus (send)
1333 bus=accessibility
1334 path="/org/a11y/atspi/accessible/[0-9]*"
1335 interface="org.a11y.atspi.Event.Object"
1336 member="{ChildrenChanged,PropertyChange,StateChanged,TextCaretMoved}"
1337 peer=(name=org.freedesktop.DBus, label=unconfined),
1338dbus (send)
1339 bus=accessibility
1340 path="/org/a11y/atspi/accessible/[0-9]*"
1341 interface="org.freedesktop.DBus.Properties"
1342 member="Get{,All}"
1343 peer=(label=unconfined),
1344
1345dbus (send)
1346 bus=accessibility
1347 path="/org/a11y/atspi/cache"
1348 interface="org.a11y.atspi.Cache"
1349 member="{Add,Remove}Accessible"
1350 peer=(name=org.freedesktop.DBus, label=unconfined),
1351
1352
1353# ibus
1354# subset of ibus abstraction
1355/usr/lib/@{multiarch}/gtk-2.0/[0-9]*/immodules/im-ibus.so mr,
1356owner @{HOME}/.config/ibus/ r,
1357owner @{HOME}/.config/ibus/bus/ r,
1358owner @{HOME}/.config/ibus/bus/* r,
1359
1360# allow communicating with ibus-daemon (this allows sniffing key events)
1361unix (connect, receive, send)
1362 type=stream
1363 peer=(addr="@/tmp/ibus/dbus-*"),
1364
1365
1366# mozc
1367# allow communicating with mozc server
1368unix (connect, receive, send)
1369 type=stream
1370 peer=(addr="@tmp/.mozc.*"),
1371
1372
1373# fcitx
1374# allow communicating with fcitx dbus service
1375dbus send
1376 bus=fcitx
1377 path=/org/freedesktop/DBus
1378 interface=org.freedesktop.DBus
1379 member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
1380 peer=(name=org.freedesktop.DBus),
1381
1382owner @{HOME}/.config/fcitx/dbus/* r,
1383
1384# allow creating an input context
1385dbus send
1386 bus={fcitx,session}
1387 path=/inputmethod
1388 interface=org.fcitx.Fcitx.InputMethod
1389 member=CreateIC*
1390 peer=(label=unconfined),
1391
1392# allow setting up and tearing down the input context
1393dbus send
1394 bus={fcitx,session}
1395 path=/inputcontext_[0-9]*
1396 interface=org.fcitx.Fcitx.InputContext
1397 member="{Close,Destroy,Enable}IC"
1398 peer=(label=unconfined),
1399
1400dbus send
1401 bus={fcitx,session}
1402 path=/inputcontext_[0-9]*
1403 interface=org.fcitx.Fcitx.InputContext
1404 member=Reset
1405 peer=(label=unconfined),
1406
1407# allow service to send us signals
1408dbus receive
1409 bus=fcitx
1410 peer=(label=unconfined),
1411
1412dbus receive
1413 bus=session
1414 interface=org.fcitx.Fcitx.*
1415 peer=(label=unconfined),
1416
1417# use the input context
1418dbus send
1419 bus={fcitx,session}
1420 path=/inputcontext_[0-9]*
1421 interface=org.fcitx.Fcitx.InputContext
1422 member="Focus{In,Out}"
1423 peer=(label=unconfined),
1424
1425dbus send
1426 bus={fcitx,session}
1427 path=/inputcontext_[0-9]*
1428 interface=org.fcitx.Fcitx.InputContext
1429 member="{CommitPreedit,Set*}"
1430 peer=(label=unconfined),
1431
1432# this is an information leak and allows key and mouse sniffing. If the input
1433# context path were tied to the process' security label, this would not be an
1434# issue.
1435dbus send
1436 bus={fcitx,session}
1437 path=/inputcontext_[0-9]*
1438 interface=org.fcitx.Fcitx.InputContext
1439 member="{MouseEvent,ProcessKeyEvent}"
1440 peer=(label=unconfined),
1441
1442# this method does not exist with the sunpinyin backend (at least), so allow
1443# it for other input methods. This may constitute an information leak (which,
1444# again, could be avoided if the path were tied to the process' security
1445# label).
1446dbus send
1447 bus={fcitx,session}
1448 path=/inputcontext_[0-9]*
1449 interface=org.freedesktop.DBus.Properties
1450 member=GetAll
1451 peer=(label=unconfined),
1452
1453# gtk2/gvfs gtk_show_uri()
1454dbus (send)
1455 bus=session
1456 path=/org/gtk/vfs/mounttracker
1457 interface=org.gtk.vfs.MountTracker
1458 member=ListMountableInfo,
1459dbus (send)
1460 bus=session
1461 path=/org/gtk/vfs/mounttracker
1462 interface=org.gtk.vfs.MountTracker
1463 member=LookupMount,
1464
1465# This leaks the names of snaps with desktop files
1466/var/lib/snapd/desktop/applications/ r,
1467/var/lib/snapd/desktop/applications/mimeinfo.cache r,
1468# Support BAMF_DESKTOP_FILE_HINT by allowing reading our desktop files
1469# parallel-installs: this leaks read access to the desktop files of keyed
1470# instances of @{SNAP_NAME} to the unkeyed @{SNAP_NAME} snap
1471/var/lib/snapd/desktop/applications/@{SNAP_INSTANCE_NAME}_*.desktop r,
1472
1473
1474# Description: Can access global gsettings of the user's session. Restricted
1475# because this gives privileged access to sensitive information stored in
1476# gsettings and allows adjusting settings of other applications.
1477
1478#include <abstractions/dbus-session-strict>
1479
1480#include <abstractions/dconf>
1481owner /{,var/}run/user/*/dconf/user w,
1482owner @{HOME}/.config/dconf/user w,
1483dbus (receive, send)
1484 bus=session
1485 interface="ca.desrt.dconf.Writer"
1486 peer=(label=unconfined),
1487
1488
1489# Description: Can access non-hidden files in user's $HOME. This is restricted
1490# because it gives file access to all of the user's $HOME.
1491
1492# Note, @{HOME} is the user's $HOME, not the snap's $HOME
1493
1494# Allow read access to toplevel $HOME for the user
1495owner @{HOME}/ r,
1496
1497# Allow read/write access to all files in @{HOME}, except snap application
1498# data in @{HOME}/snap and toplevel hidden directories in @{HOME}.
1499owner @{HOME}/[^s.]** rwklix,
1500owner @{HOME}/s[^n]** rwklix,
1501owner @{HOME}/sn[^a]** rwklix,
1502owner @{HOME}/sna[^p]** rwklix,
1503owner @{HOME}/snap[^/]** rwklix,
1504
1505# Allow creating a few files not caught above
1506owner @{HOME}/{s,sn,sna}{,/} rwklix,
1507
1508# Allow access to @{HOME}/snap/ to allow directory traversals from
1509# @{HOME}/snap/@{SNAP_INSTANCE_NAME} through @{HOME}/snap to @{HOME}.
1510# While this leaks snap names, it fixes usability issues for snaps
1511# that require this transitional interface.
1512owner @{HOME}/snap/ r,
1513
1514# Allow access to gvfs mounts for files owned by the user (including hidden
1515# files; only allow writes to files, not the mount point).
1516owner /run/user/[0-9]*/gvfs/{,**} r,
1517owner /run/user/[0-9]*/gvfs/*/** w,
1518
1519# Disallow writes (and links) to the well-known directory included in
1520# the user's PATH on several distributions. Hidden toplevel directories
# (e.g. ~/.local) are already excluded by the [^s.]** rules above.
1521audit deny @{HOME}/bin/{,**} wl,
1522
1523
1524# Description: Can access opengl.
1525
1526# specific gl libs
1527/var/lib/snapd/lib/gl{,32}/ r,
1528/var/lib/snapd/lib/gl{,32}/** rm,
1529
1530# Bi-arch distribution nvidia support
1531/var/lib/snapd/hostfs/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcuda*.so{,.*} rm,
1532/var/lib/snapd/hostfs/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnvidia*.so{,.*} rm,
1533/var/lib/snapd/hostfs/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}tls/libnvidia*.so{,.*} rm,
1534/var/lib/snapd/hostfs/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnvcuvid.so{,.*} rm,
1535/var/lib/snapd/hostfs/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}lib{GL,GLESv1_CM,GLESv2,EGL}*nvidia.so{,.*} rm,
1536/var/lib/snapd/hostfs/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libGLdispatch.so{,.*} rm,
1537/var/lib/snapd/hostfs/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}vdpau/libvdpau_nvidia.so{,.*} rm,
1538
1539# Support reading the Vulkan ICD files
1540/var/lib/snapd/lib/vulkan/ r,
1541/var/lib/snapd/lib/vulkan/** r,
1542/var/lib/snapd/hostfs/usr/share/vulkan/icd.d/*nvidia*.json r,
1543
1544# Support reading the GLVND EGL vendor files
1545/var/lib/snapd/lib/glvnd/ r,
1546/var/lib/snapd/lib/glvnd/** r,
1547/var/lib/snapd/hostfs/usr/share/glvnd/egl_vendor.d/*nvidia*.json r,
1548
1549# Main bi-arch GL libraries
1550/var/lib/snapd/hostfs/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}{,nvidia*/}lib{GL,GLU,GLESv1_CM,GLESv2,EGL,GLX}.so{,.*} rm,
1551
1552/dev/dri/ r,
1553/dev/dri/card0 rw,
1554
1555# nvidia
1556/etc/vdpau_wrapper.cfg r,
1557@{PROC}/driver/nvidia/params r,
1558@{PROC}/modules r,
1559/dev/nvidia* rw,
1560unix (send, receive) type=dgram peer=(addr="@nvidia[0-9a-f]*"),
1561
1562# VideoCore/EGL (shared device with VideoCore camera)
1563/dev/vchiq rw,
1564
1565# va-api
1566/dev/dri/renderD[0-9]* rw,
1567
1568# cuda
1569@{PROC}/sys/vm/mmap_min_addr r,
1570@{PROC}/devices r,
1571/sys/devices/system/memory/block_size_bytes r,
1572/sys/module/tegra_fuse/parameters/tegra_* r,
1573unix (bind,listen) type=seqpacket addr="@cuda-uvmfd-[0-9a-f]*",
1574/{dev,run}/shm/cuda.* rw,
1575/dev/nvhost-* rw,
1576/dev/nvmap rw,
1577
1578# Tegra display driver
1579/dev/tegra_dc_ctrl rw,
1580/dev/tegra_dc_[0-9]* rw,
1581
1582# OpenCL ICD files
1583/etc/OpenCL/vendors/ r,
1584/etc/OpenCL/vendors/** r,
1585
1586# Parallels guest tools 3D acceleration (video toolgate)
1587@{PROC}/driver/prl_vtg rw,
1588
1589# /sys/devices
1590/sys/devices/{,*pcie-controller/}pci[0-9a-f]*/**/config r,
1591/sys/devices/{,*pcie-controller/}pci[0-9a-f]*/**/revision r,
1592/sys/devices/{,*pcie-controller/}pci[0-9a-f]*/**/{,subsystem_}class r,
1593/sys/devices/{,*pcie-controller/}pci[0-9a-f]*/**/{,subsystem_}device r,
1594/sys/devices/{,*pcie-controller/}pci[0-9a-f]*/**/{,subsystem_}vendor r,
1595/sys/devices/**/drm{,_dp_aux_dev}/** r,
1596
1597# FIXME: this is an information leak and snapd should instead query udev for
1598# the specific accesses associated with the above devices.
1599/sys/bus/pci/devices/ r,
1600/sys/bus/platform/devices/soc:gpu/ r,
1601/run/udev/data/+drm:card* r,
1602/run/udev/data/+pci:[0-9a-f]* r,
1603/run/udev/data/+platform:soc:gpu* r,
1604
1605# FIXME: for each device in /dev that this policy references, lookup the
1606# device type, major and minor and create rules of this form:
1607# /run/udev/data/<type><major>:<minor> r,
1608# For now, allow 'c'haracter devices and 'b'lock devices based on
1609# https://www.kernel.org/doc/Documentation/devices.txt
1610/run/udev/data/c226:[0-9]* r, # 226 drm
1611
1612
1613# Description: Can access the X server. Restricted because X does not prevent
1614# eavesdropping or apps interfering with one another.
1615
1616# The X abstraction doesn't check the peer label, but in this case that's
1617# ok because x11ConnectedSlotAppArmor will limit which clients can connect
1618# to the slot implementation.
1619#include <abstractions/X>
1620#include <abstractions/fonts>
1621owner @{HOME}/.local/share/fonts/{,**} r,
1622/var/cache/fontconfig/ r,
1623/var/cache/fontconfig/** mr,
1624
1625# Allow access to the user specific copy of the xauth file specified
1626# in the XAUTHORITY environment variable, that "snap run" creates on
1627# startup.
1628owner /run/user/[0-9]*/.Xauthority r,
1629
1630# Allow reading an Xwayland Xauth file
1631# (see https://gitlab.gnome.org/GNOME/mutter/merge_requests/626)
1632owner /run/user/[0-9]*/.mutter-Xwaylandauth.* r,
1633owner /run/user/[0-9]*/mutter/Xauthority r,
1634
1635
1636# Needed by QtSystems on X to detect mouse and keyboard. Note, the 'netlink
1637# raw' rule is not finely mediated by apparmor so we mediate with seccomp arg
1638# filtering.
1639network netlink raw,
1640/run/udev/data/c13:[0-9]* r,
1641/run/udev/data/+input:* r,
1642
1643
1644# Description: Can access the network as a client.
1645#include <abstractions/nameservice>
1646/run/systemd/resolve/stub-resolv.conf r,
1647
1648# systemd-resolved (not yet included in nameservice abstraction)
1649#
1650# Allow access to the safe members of the systemd-resolved D-Bus API:
1651#
1652# https://www.freedesktop.org/wiki/Software/systemd/resolved/
1653#
1654# This API may be used directly over the D-Bus system bus or it may be used
1655# indirectly via the nss-resolve plugin:
1656#
1657# https://www.freedesktop.org/software/systemd/man/nss-resolve.html
1658#
1659#include <abstractions/dbus-strict>
1660dbus send
1661 bus=system
1662 path="/org/freedesktop/resolve1"
1663 interface="org.freedesktop.resolve1.Manager"
1664 member="Resolve{Address,Hostname,Record,Service}"
1665 peer=(name="org.freedesktop.resolve1"),
1666
1667#include <abstractions/ssl_certs>
1668
1669@{PROC}/sys/net/core/somaxconn r,
1670@{PROC}/sys/net/ipv4/tcp_fastopen r,
1671
1672# Allow using netcat as client
1673/{,usr/}bin/nc{,.openbsd} ixr,
1674
1675
1676# Description: Can access various APIs needed by modern browsers (eg, Google
1677# Chrome/Chromium and Mozilla) and file paths they expect. This interface is
1678# transitional and is only in place while upstream's work to change their paths
1679# and snappy is updated to properly mediate the APIs.
1680
1681# This allows raising the OOM score of other processes owned by the user:
# @{pid} is a glob, and 'owner' only narrows it to same-uid processes.
1682owner @{PROC}/@{pid}/oom_score_adj rw,
1683
1684# Chrome/Chromium should be fixed to honor TMPDIR or the snap packaging
1685# adjusted to use LD_PRELOAD technique from LP: #1577514
1686/var/tmp/ r,
1687owner /var/tmp/etilqs_* rw,
1688
1689# Chrome/Chromium should be modified to use snap.$SNAP_INSTANCE_NAME.* or
1690# the snap packaging adjusted to use LD_PRELOAD technique from LP: #1577514
1691owner /{dev,run}/shm/{,.}org.chromium.* mrw,
1692owner /{dev,run}/shm/{,.}com.google.Chrome.* mrw,
1693owner /{dev,run}/shm/.io.nwjs.* mrw,
1694
1695# Chrome's Singleton API sometimes causes an ouid/fsuid mismatch denial, so
1696# for now, allow non-owner read on the singleton socket (LP: #1731012). See
1697# https://forum.snapcraft.io/t/electron-snap-killed-when-using-app-makesingleinstance-api/2667/20
1698# parallel-installs: $XDG_RUNTIME_DIR is not remapped, need to use SNAP_INSTANCE_NAME
1699/run/user/[0-9]*/snap.@{SNAP_INSTANCE_NAME}/{,.}org.chromium.*/SS r,
1700/run/user/[0-9]*/snap.@{SNAP_INSTANCE_NAME}/{,.}com.google.Chrome.*/SS r,
1701
1702# Allow reading platform files
1703/run/udev/data/+platform:* r,
1704
1705# miscellaneous accesses
1706@{PROC}/vmstat r,
1707
1708# Chromium content api sometimes queries about huge pages. Allow status of
1709# hugepages and transparent_hugepage, but not the pages themselves.
1710/sys/kernel/mm/{hugepages,transparent_hugepage}/{,**} r,
1711
1712# Chromium content api in gnome-shell reads this
1713/etc/opt/chrome/{,**} r,
1714/etc/chromium/{,**} r,
1715
1716# Chrome/Chromium should be adjusted to not use gconf. It is only used with
1717# legacy systems that don't have snapd
1718deny dbus (send)
1719 bus=session
1720 interface="org.gnome.GConf.Server",
1721
1722# webbrowser-app/webapp-container tries to read this file to determine if it is
1723# confined or not, so explicitly deny to avoid noise in the logs.
1724deny @{PROC}/@{pid}/attr/current r,
1725
1726# This is an information leak but disallowing it leads to developer confusion
1727# when using the chromium content api file chooser due to a (harmless) glib
1728# warning and the noisy AppArmor denial.
1729owner @{PROC}/@{pid}/mounts r,
1730owner @{PROC}/@{pid}/mountinfo r,
1731
1732# Since snapd still uses SECCOMP_RET_KILL, we have added a workaround rule to
1733# allow mknod on character devices since chromium unconditionally performs
1734# a mknod() to create the /dev/nvidiactl device, regardless of whether it
1735# exists or whether the process has CAP_MKNOD. Since we don't want to actually
1736# grant the ability to create character devices, explicitly deny the
1737# capability. When snapd uses SECCOMP_RET_ERRNO, we can remove this rule.
1738# https://forum.snapcraft.io/t/call-for-testing-chromium-62-0-3202-62/2569/46
1739deny capability mknod,
1740
1741
1742# Description: Can inhibit and uninhibit screen savers in desktop sessions.
1743#include <abstractions/dbus-session-strict>
1744#include <abstractions/dbus-strict>
1745
1746# gnome-session
1747dbus (send)
1748 bus=session
1749 path=/org/gnome/SessionManager
1750 interface=org.gnome.SessionManager
1751 member={Inhibit,Uninhibit}
1752 peer=(label=unconfined),
1753
1754# unity screen API
1755dbus (send)
1756 bus=system
1757 interface="org.freedesktop.DBus.Introspectable"
1758 path="/com/canonical/Unity/Screen"
1759 member="Introspect"
1760 peer=(label=unconfined),
1761dbus (send)
1762 bus=system
1763 interface="com.canonical.Unity.Screen"
1764 path="/com/canonical/Unity/Screen"
1765 member={keepDisplayOn,removeDisplayOnRequest}
1766 peer=(label=unconfined),
1767
1768# freedesktop.org ScreenSaver
1769# compatibility rule
1770dbus (send)
1771 bus=session
1772 path=/Screensaver
1773 interface=org.freedesktop.ScreenSaver
1774 member={Inhibit,UnInhibit,SimulateUserActivity}
1775 peer=(label=unconfined),
1776
1777# API rule
1778dbus (send)
1779 bus=session
1780 path=/{,org/freedesktop/,org/gnome/}ScreenSaver
1781 interface=org.{freedesktop,gnome}.ScreenSaver
1782 member={Inhibit,UnInhibit,SimulateUserActivity}
1783 peer=(label=unconfined),
1784
1785# gnome, kde and cinnamon screensaver
1786dbus (send)
1787 bus=session
1788 path=/{,ScreenSaver}
1789 interface=org.{gnome.ScreenSaver,kde.screensaver,cinnamon.ScreenSaver}
1790 member=SimulateUserActivity
1791 peer=(label=unconfined),
1792
1793
1794# In addition to the bind mount, add any AppArmor rules so that
1795# snaps may directly access the slot implementation's files
1796# read-only ('mrkix': map, read, lock and inherit-execute; no write).
1797/snap/gnome-3-26-1604/98/** mrkix,
1798
1799
1800# In addition to the bind mount, add any AppArmor rules so that
1801# snaps may directly access the slot implementation's files
1802# read-only.
1803/snap/gtk-common-themes/1440/share/icons/Adwaita/** mrkix,
1804/snap/gtk-common-themes/1440/share/icons/hicolor/** mrkix,
1805/snap/gtk-common-themes/1440/share/icons/HighContrast/** mrkix,
1806/snap/gtk-common-themes/1440/share/icons/Humanity/** mrkix,
1807/snap/gtk-common-themes/1440/share/icons/Humanity-Dark/** mrkix,
1808/snap/gtk-common-themes/1440/share/icons/ubuntu-mono-dark/** mrkix,
1809/snap/gtk-common-themes/1440/share/icons/ubuntu-mono-light/** mrkix,
1810/snap/gtk-common-themes/1440/share/icons/DMZ-Black/** mrkix,
1811/snap/gtk-common-themes/1440/share/icons/DMZ-White/** mrkix,
1812/snap/gtk-common-themes/1440/share/icons/communitheme/** mrkix,
1813/snap/gtk-common-themes/1440/share/icons/Suru/** mrkix,
1814/snap/gtk-common-themes/1440/share/icons/Yaru/** mrkix,
1815/snap/gtk-common-themes/1440/share/icons/elementary/** mrkix,
1816/snap/gtk-common-themes/1440/share/icons/Ambiant-MATE/** mrkix,
1817/snap/gtk-common-themes/1440/share/icons/Radiant-MATE/** mrkix,
1818/snap/gtk-common-themes/1440/share/icons/Papirus-Adapta-Maia/** mrkix,
1819/snap/gtk-common-themes/1440/share/icons/Papirus-Adapta-Nokto-Maia/** mrkix,
1820/snap/gtk-common-themes/1440/share/icons/Papirus-Dark-Maia/** mrkix,
1821/snap/gtk-common-themes/1440/share/icons/Papirus-Light-Maia/** mrkix,
1822/snap/gtk-common-themes/1440/share/icons/Papirus-Maia/** mrkix,
1823/snap/gtk-common-themes/1440/share/icons/breeze_cursors/** mrkix,
1824/snap/gtk-common-themes/1440/share/icons/Breeze_Snow/** mrkix,
1825
1826
1827# In addition to the bind mount, add any AppArmor rules so that
1828# snaps may directly access the slot implementation's files
1829# read-only.
1830/snap/gtk-common-themes/1440/share/sounds/communitheme/** mrkix,
1831/snap/gtk-common-themes/1440/share/sounds/Yaru/** mrkix,
1832
1833
1834# In addition to the bind mount, add any AppArmor rules so that
1835# snaps may directly access the slot implementation's files
1836# read-only.
1837/snap/gtk-common-themes/1440/share/themes/Adwaita/** mrkix,
1838/snap/gtk-common-themes/1440/share/themes/Adwaita-dark/** mrkix,
1839/snap/gtk-common-themes/1440/share/themes/HighContrast/** mrkix,
1840/snap/gtk-common-themes/1440/share/themes/Ambiance/** mrkix,
1841/snap/gtk-common-themes/1440/share/themes/Radiance/** mrkix,
1842/snap/gtk-common-themes/1440/share/themes/Arc/** mrkix,
1843/snap/gtk-common-themes/1440/share/themes/Arc-Dark/** mrkix,
1844/snap/gtk-common-themes/1440/share/themes/Arc-Darker/** mrkix,
1845/snap/gtk-common-themes/1440/share/themes/Breeze/** mrkix,
1846/snap/gtk-common-themes/1440/share/themes/Breeze-Dark/** mrkix,
1847/snap/gtk-common-themes/1440/share/themes/Communitheme/** mrkix,
1848/snap/gtk-common-themes/1440/share/themes/Communitheme-dark/** mrkix,
1849/snap/gtk-common-themes/1440/share/themes/Communitheme-light/** mrkix,
1850/snap/gtk-common-themes/1440/share/themes/Yaru/** mrkix,
1851/snap/gtk-common-themes/1440/share/themes/Yaru-dark/** mrkix,
1852/snap/gtk-common-themes/1440/share/themes/Yaru-light/** mrkix,
1853/snap/gtk-common-themes/1440/share/themes/elementary/** mrkix,
1854/snap/gtk-common-themes/1440/share/themes/Ambiant-MATE/** mrkix,
1855/snap/gtk-common-themes/1440/share/themes/Ambiant-MATE-Dark/** mrkix,
1856/snap/gtk-common-themes/1440/share/themes/Radiant-MATE/** mrkix,
1857/snap/gtk-common-themes/1440/share/themes/Matcha-aliz/** mrkix,
1858/snap/gtk-common-themes/1440/share/themes/Matcha-azul/** mrkix,
1859/snap/gtk-common-themes/1440/share/themes/Matcha-dark-aliz/** mrkix,
1860/snap/gtk-common-themes/1440/share/themes/Matcha-dark-azul/** mrkix,
1861/snap/gtk-common-themes/1440/share/themes/Matcha-dark-sea/** mrkix,
1862/snap/gtk-common-themes/1440/share/themes/Matcha-sea/** mrkix,
1863
1864
1865# Only on desktop do we need access to /etc/pulse, so that any PulseAudio
1866# client can read the available client-side configuration settings. On an
1867# Ubuntu Core device those settings are stored inside the snap directory.
1868/etc/pulse/ r,
1869/etc/pulse/** r,
1870owner @{HOME}/.pulse-cookie rk,
1871owner @{HOME}/.config/pulse/cookie rk,
1872owner /{,var/}run/user/*/pulse/ rwk,
1873owner /{,var/}run/user/*/pulse/native rwk,
1874
1875
1876# Until we have proper device assignment, allow access to all cameras
1877/dev/video[0-9]* rw,
1878
1879# VideoCore cameras (shared device with VideoCore/EGL)
1880/dev/vchiq rw,
1881
1882# Allow detection of cameras. Note that this leaks information about all plugged-in USB devices (vendor/product ids, etc.), not only cameras
1883/sys/bus/usb/devices/ r,
1884/sys/devices/pci**/usb*/**/busnum r,
1885/sys/devices/pci**/usb*/**/devnum r,
1886/sys/devices/pci**/usb*/**/idVendor r,
1887/sys/devices/pci**/usb*/**/idProduct r,
1888/sys/devices/pci**/usb*/**/interface r,
1889/sys/devices/pci**/usb*/**/modalias r,
1890/sys/devices/pci**/usb*/**/speed r,
1891/run/udev/data/c81:[0-9]* r, # video4linux (/dev/video*, etc)
1892/run/udev/data/+usb:* r,
1893/sys/class/video4linux/ r,
1894/sys/devices/pci**/usb*/**/video4linux/** r,
1895
1896# While commands like 'ps', 'ip netns identify <pid>', 'ip netns pids foo', etc
1897# trigger a 'ptrace (trace)' denial, they aren't actually tracing other
1898# processes. Unfortunately, the kernel overloads trace such that the LSMs are
1899# unable to distinguish between tracing other processes and other accesses.
1900# ptrace (trace) can be used to break out of the seccomp sandbox unless the
1901# kernel has 93e35efb8de45393cf61ed07f7b407629bf698ea (in 4.8+). Until snapd
1902# has full ptrace support conditional on kernel support, explicitly deny it to
1903# silence noisy denials, avoid confusion, and avoid accidentally granting this
1904# dangerous access.
1905deny ptrace (trace),
1906deny capability sys_ptrace,
1907
1908}