← Back to branch summary

~snappy-dev/snappy-hub/snappy-examples 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85

# Description: default AppArmor template
# Usage: common

# vim:syntax=apparmor

#include <tunables/global>

# Specified profile variables
###VAR###

###PROFILEATTACH### (attach_disconnected) {
  #include <abstractions/base>
  #include <abstractions/openssl>
  #include <abstractions/dbus-strict>

  # LP: #1449625 workaround
  /{,usr/}bin/uname ixr,

  # Allow requesting a connection name and also releasing it
  dbus (send)
     bus=system
     path=/org/freedesktop/DBus
     interface=org.freedesktop.DBus
     member={Request,Release}Name
     peer=(name=org.freedesktop.DBus),

  # Allow binding the service to the requested connection name
  dbus (bind)
    bus=system
    name="com.canonical.hello-dbus-fwk",

  # Allow receiving traffic to our path and interface with any method
  dbus (receive)
    bus=system
    path=/com/canonical/HelloDbusFramework/DbusSrv
    interface=com.canonical.HelloDbusFramework.DbusSrv,

  # user-specific bash files
  /bin/bash ixr,
  /bin/dash ixr,
  /etc/bash.bashrc r,
  /usr/share/terminfo/** r,
  /etc/inputrc r,
  deny @{HOME}/.inputrc r,

  # Read-only for the install directory
  @{CLICK_DIR}/@{APP_PKGNAME}/                   r,
  @{CLICK_DIR}/@{APP_PKGNAME}/@{APP_VERSION}/    r,
  @{CLICK_DIR}/@{APP_PKGNAME}/@{APP_VERSION}/**  mrklix,

  # Read-only home area for other versions
  owner @{HOMEDIRS}/*/apps/@{APP_PKGNAME}/                  r,
  owner @{HOMEDIRS}/*/apps/@{APP_PKGNAME}/@{APP_VERSION}/   r,
  owner @{HOMEDIRS}/*/apps/@{APP_PKGNAME}/@{APP_VERSION}/** mrkix,

  # Writable home area for this version.
  owner @{HOMEDIRS}/*/apps/@{APP_PKGNAME}/@{APP_VERSION}/   w,
  owner @{HOMEDIRS}/*/apps/@{APP_PKGNAME}/@{APP_VERSION}/** wl,

  # Read-only system area for other versions
  /var/lib/apps/@{APP_PKGNAME}/   r,
  /var/lib/apps/@{APP_PKGNAME}/** mrkix,

  # TODO: the write on these is needed in case they doesn't exist, but means an
  # app could adjust inode data and affect rollbacks.
  owner @{HOMEDIRS}/*/apps/@{APP_PKGNAME}/         w,
  /var/lib/apps/@{APP_PKGNAME}/                  w,

  # Writable system area only for this version
  /var/lib/apps/@{APP_PKGNAME}/@{APP_VERSION}/   w,
  /var/lib/apps/@{APP_PKGNAME}/@{APP_VERSION}/** wl,

  # Writable temp area only for this version (launcher will create this
  # directory on our behalf so only allow readonly on parent).
  /tmp/snaps/@{APP_PKGNAME}/                  r,
  /tmp/snaps/@{APP_PKGNAME}/**                rk,
  /tmp/snaps/@{APP_PKGNAME}/@{APP_VERSION}/   rw,
  /tmp/snaps/@{APP_PKGNAME}/@{APP_VERSION}/** mrwlkix,

  # Also do the same for shm
  /{dev,run}/shm/snaps/@{APP_PKGNAME}/                  r,
  /{dev,run}/shm/snaps/@{APP_PKGNAME}/**                rk,
  /{dev,run}/shm/snaps/@{APP_PKGNAME}/@{APP_VERSION}/   r,
  /{dev,run}/shm/snaps/@{APP_PKGNAME}/@{APP_VERSION}/** mrwlkix,
}