#0x2525
Linux debian-2gb-nbg1 6.1.0-37-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.140-1 (2025-05-22) x86_64
  SOFT : Apache/2.4.62 (Debian) PHP : 8.2.28
/etc/apparmor.d/
162.55.61.15

 
abi dir drwxr-xr-x 2025-05-30 16:01 R D
abstractions dir drwxr-xr-x 2025-05-30 16:01 R D
disable dir drwxr-xr-x 2023-02-14 11:49 R D
force-complain dir drwxr-xr-x 2023-02-14 11:49 R D
local dir drwxr-xr-x 2025-07-01 17:07 R D
tunables dir drwxr-xr-x 2025-05-30 16:01 R D
lsb_release 1.347 KB -rw-r--r-- 2023-02-14 11:49 R E G D
nvidia_modprobe 1.161 KB -rw-r--r-- 2023-02-14 11:49 R E G D
sbin.dhclient 3.38 KB -rw-r--r-- 2023-03-30 09:02 R E G D
usr.bin.freshclam 1.112 KB -rw-r--r-- 2024-10-03 09:22 R E G D
usr.bin.man 3.367 KB -rw-r--r-- 2023-03-12 22:23 R E G D
usr.lib.snapd.snap-confine.real 27.818 KB -rw-r--r-- 2023-05-18 09:00 R E G D
usr.sbin.mariadbd 0.713 KB -rw-r--r-- 2025-02-19 00:56 R E G D
# Author: Jamie Strandboge #include /usr/lib/snapd/snap-confine (attach_disconnected) { # Include any additional files that snapd chose to generate. # - for $HOME on NFS # - for $HOME on encrypted media # # Those are discussed on https://forum.snapcraft.io/t/snapd-vs-upstream-kernel-vs-apparmor # and https://forum.snapcraft.io/t/snaps-and-nfs-home/ #include "/var/lib/snapd/apparmor/snap-confine" # We run privileged, so be fanatical about what we include and don't use # any abstractions /etc/ld.so.cache r, /etc/ld.so.preload r, # Do not assume that the interpreter is always named like # ld-linux-x86_64.so, as on some architectures there can be a version after # the .so suffix, eg. ld-linux-aarch64.so.1 /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}ld{-*,64}.so* mrix, # libc, you are funny /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libc{,-[0-9]*}.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libpthread{,-[0-9]*}.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libreadline{,-[0-9]*}.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}librt{,-[0-9]*}.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libgcc_s.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libncursesw{,-[0-9]*}.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libresolv{,-[0-9]*}.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libselinux.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libpcre{,2}{,-[0-9]*}.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libmount.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libblkid.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libuuid.so* mr, # normal libs in order /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libapparmor.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcgmanager.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libdl{,-[0-9]*}.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnih.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnih-dbus.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libdbus-1.so* mr, 
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libudev.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libseccomp.so* mr, /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcap.so* mr, /usr/lib/snapd/snap-confine mr, # This rule is needed when executing from a "base: core" devmode snap on # UC18 and newer where the /usr/lib/snapd/snap-confine inside the # "base: core" mount namespace always comes from the snapd snap, and thus # we will execute snap-confine via this path, and thus need to be able to # read this path when executing. It's also necessary on classic where both # the snapd and the core snap are installed at the same time. # TODO: remove this rule when we stop supporting executing other snaps from # inside devmode snaps, ideally even in the short term we would only include # this rule on core only, and specifically uc18 and newer where we need it #@VERBATIM_LIBEXECDIR_SNAP_CONFINE@ mr, /dev/null rw, /dev/full rw, /dev/zero rw, /dev/random r, /dev/urandom r, /dev/pts/[0-9]* rw, /dev/tty rw, # cgroup: devices capability sys_admin, capability dac_read_search, capability dac_override, /sys/fs/cgroup/ r, /sys/fs/cgroup/devices/ r, /sys/fs/cgroup/devices/snap.*/ rw, /sys/fs/cgroup/devices/snap.*/cgroup.procs w, /sys/fs/cgroup/devices/snap.*/devices.{allow,deny} w, # cgroup: freezer # Allow creating per-snap cgroup freezers and adding snap command (task) # invocations to the freezer. This allows for reliably enumerating all # running processes for the snap. In addition, allow enumerating processes # in the cgroup to determine if it is occupied. 
/sys/fs/cgroup/freezer/ r, /sys/fs/cgroup/freezer/snap.*/ w, /sys/fs/cgroup/freezer/snap.*/cgroup.procs rw, /sys/fs/cgroup/ r, /sys/fs/cgroup/** r, # cgroup: reading own cgroup @{PROC}/@{pid}/cgroup r, # cgroup: manage bpf map for device cgroup /sys/fs/bpf/ r, /sys/fs/bpf/snap/ rw, /sys/fs/bpf/snap/* rw, # s-c may need to raise the memlock limit capability sys_resource, # querying udev /etc/udev/udev.conf r, /sys/**/uevent r, /run/udev/** rw, /{,usr/}bin/tr ixr, /usr/lib/locale/** r, /usr/lib/@{multiarch}/gconv/gconv-modules r, /usr/lib/@{multiarch}/gconv/gconv-modules.cache r, # priv dropping capability setuid, capability setgid, # changing profile @{PROC}/[0-9]*/attr/{,apparmor/}exec w, # Reading current profile @{PROC}/[0-9]*/attr/{,apparmor/}current r, # Reading available filesystems @{PROC}/filesystems r, # To find where apparmor is mounted @{PROC}/[0-9]*/mounts r, # To find if apparmor is enabled /sys/module/apparmor/parameters/enabled r, # Don't allow changing profile to unconfined or profiles that start with # '/'. Use 'unsafe' to support snap-exec on armhf and its reliance on # the environment for determining the capabilities of the architecture. # 'unsafe' is ok here because the kernel will have already cleared the # environment as part of launching snap-confine with CAP_SYS_ADMIN. This # does leave directories as configured by ld.so.preload as well as # LD_PRELOAD to be set to a library which is in a directory configured by # ld.so.conf, but access to those locations is mediated by this profile # (which requires rules for specific locations). 
change_profile unsafe /** -> [^u/]**, change_profile unsafe /** -> u[^n]**, change_profile unsafe /** -> un[^c]**, change_profile unsafe /** -> unc[^o]**, change_profile unsafe /** -> unco[^n]**, change_profile unsafe /** -> uncon[^f]**, change_profile unsafe /** -> unconf[^i]**, change_profile unsafe /** -> unconfi[^n]**, change_profile unsafe /** -> unconfin[^e]**, change_profile unsafe /** -> unconfine[^d]**, change_profile unsafe /** -> unconfined?**, # allow changing to a few not caught above change_profile unsafe /** -> {u,un,unc,unco,uncon,unconf,unconfi,unconfin,unconfine}, # LP: #1446794 - when this bug is fixed, change the above to: # deny change_profile unsafe /** -> {unconfined,/**}, # change_profile unsafe /** -> **, # reading seccomp filters /{tmp/snap.rootfs_*/,}var/lib/snapd/seccomp/bpf/*.bin r, # adding a missing bpf mount mount fstype=bpf options=(rw) bpf -> /sys/fs/bpf/, # LP: #1668659 and parallel instaces of classic snaps mount options=(rw rbind) /snap/ -> /snap/, mount options=(rw rshared) -> /snap/, mount options=(rw rbind) /var/lib/snapd/snap/ -> /var/lib/snapd/snap/, mount options=(rw rshared) -> /var/lib/snapd/snap/, # boostrapping the mount namespace /tmp/snap.rootfs_*/ rw, mount options=(rw rshared) -> /, mount options=(rw bind) /tmp/snap.rootfs_*/ -> /tmp/snap.rootfs_*/, mount options=(rw unbindable) -> /tmp/snap.rootfs_*/, # the next line is for classic system mount options=(rw rbind) /snap/*/*/ -> /tmp/snap.rootfs_*/, # the next line is for core system mount options=(rw rbind) / -> /tmp/snap.rootfs_*/, # all of the constructed rootfs is a rslave mount options=(rw rslave) -> /tmp/snap.rootfs_*/, # bidirectional mounts (for both classic and core) # NOTE: this doesn't capture the MERGED_USR configuration option so that # when a distro with merged /usr and / that uses apparmor shows up it # should be handled here. 
/{,run/}media/ w, mount options=(rw rbind) /{,run/}media/ -> /tmp/snap.rootfs_*/{,run/}media/, /run/netns/ w, mount options=(rw rbind) /run/netns/ -> /tmp/snap.rootfs_*/run/netns/, # unidirectional mounts (only for classic system) mount options=(rw rbind) /dev/ -> /tmp/snap.rootfs_*/dev/, mount options=(rw rslave) -> /tmp/snap.rootfs_*/dev/, mount options=(rw rbind) /etc/ -> /tmp/snap.rootfs_*/etc/, mount options=(rw rslave) -> /tmp/snap.rootfs_*/etc/, mount options=(rw rbind) /home/ -> /tmp/snap.rootfs_*/home/, mount options=(rw rslave) -> /tmp/snap.rootfs_*/home/, mount options=(rw rbind) /root/ -> /tmp/snap.rootfs_*/root/, mount options=(rw rslave) -> /tmp/snap.rootfs_*/root/, mount options=(rw rbind) /proc/ -> /tmp/snap.rootfs_*/proc/, mount options=(rw rslave) -> /tmp/snap.rootfs_*/proc/, mount options=(rw rbind) /sys/ -> /tmp/snap.rootfs_*/sys/, mount options=(rw rslave) -> /tmp/snap.rootfs_*/sys/, mount options=(rw rbind) /tmp/ -> /tmp/snap.rootfs_*/tmp/, mount options=(rw rslave) -> /tmp/snap.rootfs_*/tmp/, mount options=(rw rbind) /var/lib/dhcp/ -> /tmp/snap.rootfs_*/var/lib/dhcp/, mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/lib/dhcp/, mount options=(rw rbind) /var/lib/snapd/ -> /tmp/snap.rootfs_*/var/lib/snapd/, mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/lib/snapd/, mount options=(rw rbind) /var/snap/ -> /tmp/snap.rootfs_*/var/snap/, mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/snap/, mount options=(rw rbind) /var/tmp/ -> /tmp/snap.rootfs_*/var/tmp/, # /var/volatile is the default volatile location on Yocto/Poky, typically used with read-only rootfs setups mount options=(rw rbind) /var/volatile/tmp/ -> /tmp/snap.rootfs_*/var/tmp/, mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/tmp/, mount options=(rw rbind) /run/ -> /tmp/snap.rootfs_*/run/, mount options=(rw rslave) -> /tmp/snap.rootfs_*/run/, mount options=(rw rbind) /var/lib/extrausers/ -> /tmp/snap.rootfs_*/var/lib/extrausers/, mount options=(rw rslave) -> 
/tmp/snap.rootfs_*/var/lib/extrausers/, mount options=(rw rbind) {,/usr}/lib{,32,64,x32}/modules/ -> /tmp/snap.rootfs_*{,/usr}/lib/modules/, mount options=(rw rslave) -> /tmp/snap.rootfs_*{,/usr}/lib/modules/, mount options=(rw rbind) {,/usr}/lib{,32,64,x32}/firmware/ -> /tmp/snap.rootfs_*{,/usr}/lib/firmware/, mount options=(rw rslave) -> /tmp/snap.rootfs_*{,/usr}/lib/firmware/, mount options=(rw rbind) /var/log/ -> /tmp/snap.rootfs_*/var/log/, # /var/volatile is the default volatile location on Yocto/Poky, typically used with read-only rootfs setups mount options=(rw rbind) /var/volatile/log/ -> /tmp/snap.rootfs_*/var/log/, mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/log/, mount options=(rw rbind) /usr/src/ -> /tmp/snap.rootfs_*/usr/src/, mount options=(rw rslave) -> /tmp/snap.rootfs_*/usr/src/, mount options=(rw rbind) /mnt/ -> /tmp/snap.rootfs_*/mnt/, mount options=(rw rslave) -> /tmp/snap.rootfs_*/mnt/, # allow making host snap-exec available inside base snaps mount options=(rw bind) /usr/lib/snapd/ -> /tmp/snap.rootfs_*/usr/lib/snapd/, mount options=(rw slave) -> /tmp/snap.rootfs_*/usr/lib/snapd/, # allow making re-execed host snap-exec available inside base snaps mount options=(ro bind) /snap/core/*/usr/lib/snapd/ -> /tmp/snap.rootfs_*/usr/lib/snapd/, # allow making snapd snap tools available inside base snaps mount options=(ro bind) /snap/snapd/*/usr/lib/snapd/ -> /tmp/snap.rootfs_*/usr/lib/snapd/, mount options=(rw bind) /usr/bin/snapctl -> /tmp/snap.rootfs_*/usr/bin/snapctl, mount options=(rw slave) -> /tmp/snap.rootfs_*/usr/bin/snapctl, # /etc/alternatives (classic and normal mode) mount options=(rw bind) /snap/*/*/etc/alternatives/ -> /tmp/snap.rootfs_*/etc/alternatives/, mount options=(rw bind) /snap/*/*/etc/ssl/ -> /tmp/snap.rootfs_*/etc/ssl/, mount options=(rw bind) /snap/*/*/etc/nsswitch.conf -> /tmp/snap.rootfs_*/etc/nsswitch.conf, mount options=(rw bind) /snap/*/*/etc/apparmor/ -> /tmp/snap.rootfs_*/etc/apparmor/, mount options=(rw bind) 
/snap/*/*/etc/apparmor.d/ -> /tmp/snap.rootfs_*/etc/apparmor.d/, # /etc/alternatives (core/legacy mode) mount options=(rw bind) /etc/alternatives/ -> /tmp/snap.rootfs_*/etc/alternatives/, # making all those directories slave shared. mount options=(rw slave) -> /tmp/snap.rootfs_*/etc/alternatives/, mount options=(rw slave) -> /tmp/snap.rootfs_*/etc/ssl/, mount options=(rw slave) -> /tmp/snap.rootfs_*/etc/nsswitch.conf, mount options=(rw slave) -> /tmp/snap.rootfs_*/etc/apparmor/, mount options=(rw slave) -> /tmp/snap.rootfs_*/etc/apparmor.d/, # the /snap directory mount options=(rw rbind) /snap/ -> /tmp/snap.rootfs_*/snap/, mount options=(rw rslave) -> /tmp/snap.rootfs_*/snap/, # pivot_root preparation and execution mount options=(rw bind) /tmp/snap.rootfs_*/var/lib/snapd/hostfs/ -> /tmp/snap.rootfs_*/var/lib/snapd/hostfs/, mount options=(rw private) -> /tmp/snap.rootfs_*/var/lib/snapd/hostfs/, # pivot_root mediation in AppArmor is not complete. See LP: #1791711. # However, we can mediate the new_root and put_old to be what we expect, # and then deny directory creation within old_root to prevent trivial # pivoting into a whitelisted path. pivot_root oldroot=/tmp/snap.rootfs_*/var/lib/snapd/hostfs/ /tmp/snap.rootfs_*/, # Explicitly deny creating the old_root directory in case it is # inadvertently added somewhere else. While this doesn't resolve # LP: #1791711, it provides some hardening. audit deny /tmp/snap.rootfs_*/{var/,var/lib/,var/lib/snapd/,var/lib/snapd/hostfs/} w, # cleanup umount /var/lib/snapd/hostfs/tmp/snap.rootfs_*/, umount /var/lib/snapd/hostfs/sys/, umount /var/lib/snapd/hostfs/dev/, umount /var/lib/snapd/hostfs/proc/, mount options=(rw rsla