CasperSecurity
# Description: Allows snap-update-ns to construct the mount namespace specific
# to a particular snap (see the name below). This specifically includes the
# precise locations of the layout elements.
# vim:syntax=apparmor
#include <tunables/global>
#include if exists "/etc/apparmor.d/tunables/home.d"
profile snap-update-ns.certbot (attach_disconnected) {
# The next four rules mirror those above. We want to be able to read
# and map snap-update-ns into memory but it may come from a variety of places.
/usr/lib{,exec,64}/snapd/snap-update-ns mr,
/var/lib/snapd/hostfs/usr/lib{,exec,64}/snapd/snap-update-ns mr,
/{,var/lib/snapd/}snap/{core,snapd}/*/usr/lib/snapd/snap-update-ns mr,
/var/lib/snapd/hostfs/{,var/lib/snapd/}snap/core/*/usr/lib/snapd/snap-update-ns mr,
# Allow reading the dynamic linker cache.
/etc/ld.so.cache r,
# Allow reading, mapping and executing the dynamic linker.
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}ld-*.so mrix,
# Allow reading and mapping various parts of the standard library and
# dynamically loaded nss modules and what not.
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libc{,-[0-9]*}.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libpthread{,-[0-9]*}.so* mr,
# Common devices accesses
/dev/null rw,
/dev/full rw,
/dev/zero rw,
/dev/random r,
/dev/urandom r,
# golang runtime variables
/sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
# glibc 2.27+ may poke this file to find out the number of CPUs
# available in the system when creating a new arena for malloc, see
# Golang issue 25628
/sys/devices/system/cpu/online r,
# Allow reading the command line (snap-update-ns uses it in pre-Go bootstrap code).
owner @{PROC}/@{pid}/cmdline r,
# Allow reading of own maps (Go runtime)
owner @{PROC}/@{pid}/maps r,
# Allow reading file descriptor paths
owner @{PROC}/@{pid}/fd/* r,
# Allow reading /proc/version. For release.go WSL detection.
@{PROC}/version r,
# Allow reading own cgroups
owner @{PROC}/@{pid}/cgroup r,
# Allow reading own mountinfo (Go runtime 1.25+)
owner @{PROC}/@{pid}/mountinfo r,
# Allow reading somaxconn, required in newer distro releases
@{PROC}/sys/net/core/somaxconn r,
# but silence noisy denial of inet/inet6
deny network inet,
deny network inet6,
# Allow reading the os-release file (possibly a symlink to /usr/lib).
/{etc/,usr/lib/}os-release r,
# Allow creating/grabbing global and per-snap lock files.
/run/snapd/lock/certbot.lock rwk,
/run/snapd/lock/.lock rwk,
# While the base abstraction has rules for encryptfs encrypted home and
# private directories, it is missing rules for directory read on the toplevel
# directory of the mount (LP: #1848919)
owner @{HOME}/.Private/ r,
owner @{HOMEDIRS}/.ecryptfs/*/.Private/ r,
# Allow reading stored mount namespaces,
/run/snapd/ns/ r,
/run/snapd/ns/certbot.mnt r,
# Allow reading per-snap desired mount profiles. Those are written by
# snapd and represent the desired layout and content connections.
/var/lib/snapd/mount/snap.certbot.fstab r,
/var/lib/snapd/mount/snap.certbot.user-fstab r,
# Allow reading and writing actual per-snap mount profiles. Note that
# the wildcard in the rule to allow an atomic write + rename strategy.
# Those files are written by snap-update-ns and represent the actual
# mount profile at a given moment.
/run/snapd/ns/snap.certbot.fstab{,.*} rw,
# Allow writing to a log file for both per-snap and per-snap-and-user log files.
/run/snapd/ns/snap.certbot.log w,
/run/snapd/ns/snap.certbot.user.*.log w,
# NOTE: at this stage the /snap directory is stable as we have called
# pivot_root already.
# Needed to perform mount/unmounts.
capability sys_admin,
# Needed for mimic construction.
capability chown,
# Needed for dropping to calling user when processing per-user mounts
capability setuid,
capability setgid,
# Allow snap-update-ns to override file ownership and permission checks.
# This is required because writable mimics now preserve the permissions
# of the original and hence we may be asked to create a directory when the
# parent is a tmpfs without DAC write access.
capability dac_override,
# Allow freezing and thawing the per-snap cgroup freezers
# v1 hierarchy where we know the group name of all processes of
# a given snap upfront
/sys/fs/cgroup/freezer/snap.certbot/freezer.state rw,
# v2 hierarchy, where we need to walk the tree to looking for the tracking
# groups and act on each one
/sys/fs/cgroup/ r,
/sys/fs/cgroup/** r,
/sys/fs/cgroup/**/snap.certbot.*.scope/cgroup.freeze rw,
/sys/fs/cgroup/**/snap.certbot.*.service/cgroup.freeze rw,
# Allow the content interface to bind fonts from the host filesystem
mount options=(ro bind) /var/lib/snapd/hostfs/usr/share/fonts/ -> /snap/certbot/*/**,
mount options=(rw private) -> /snap/certbot/*/**,
umount /snap/certbot/*/**,
# set up user mount namespace
mount options=(rslave) -> /,
# Allow traversing from the root directory and several well-known places.
# Specific directory permissions are added by snippets below.
/ r,
/etc/ r,
/snap/ r,
/tmp/ r,
/usr/ r,
/var/ r,
/var/lib/ r,
/var/lib/snapd/ r,
/var/snap/ r,
# Allow reading timezone data.
/usr/share/zoneinfo/** r,
# Don't allow anyone to touch /snap/bin
audit deny mount /snap/bin/** -> /**,
audit deny mount /** -> /snap/bin/**,
# Don't allow bind mounts to /media which has special
# sharing and propagates mount events outside of the snap namespace.
audit deny mount -> /media,
# Allow receiving signals from unconfined (eg, systemd)
signal (receive) peer=unconfined,
# Allow sending and receiving signals from ourselves.
signal peer=@{profile_name},
# Commonly needed permissions for writable mimics.
/tmp/ r,
/tmp/.snap/{,**} rw,
# snapd logger.go checks /proc/cmdline
@{PROC}/cmdline r,
# snap checks if vendored apparmor parser should be used at startup
/usr/lib/snapd/info r,
/lib/apparmor/functions r,
# Allow snap-update-ns to open home directory
owner @{HOME}/ r,
}