# Author: Jamie Strandboge <jamie@canonical.com>
#include <tunables/global>
/usr/bin/ubuntu-core-launcher {
# We run privileged, so be fanatical about what we include and don't use
/lib/@{multiarch}/libapparmor.so* mr,
/lib/@{multiarch}/libc-*.so* mr,
/lib/@{multiarch}/libpthread-*.so* mr,
/lib/@{multiarch}/libudev.so* mr,
/usr/lib/@{multiarch}/libseccomp.so* mr,
capability dac_override,
/sys/fs/cgroup/devices/snappy.*/ w,
/sys/fs/cgroup/devices/snappy.*/tasks w,
/sys/fs/cgroup/devices/snappy.*/devices.{allow,deny} w,
/etc/udev/udev.conf r,
/sys/devices/**/uevent r,
/lib/udev/snappy-app-dev ixr, # drop
@{PROC}/[0-9]*/attr/exec w,
change_profile -> [^u/]**,
change_profile -> [^u/][^n]**,
change_profile -> [^u/][^n][^c]**,
change_profile -> [^u/][^n][^c][^o]**,
change_profile -> [^u/][^n][^c][^o][^n]**,
change_profile -> [^u/][^n][^c][^o][^n][^f]**,
change_profile -> [^u/][^n][^c][^o][^n][^f][^i]**,
change_profile -> [^u/][^n][^c][^o][^n][^f][^i][^n]**,
change_profile -> [^u/][^n][^c][^o][^n][^f][^i][^n][^e]**,
change_profile -> [^u/][^n][^c][^o][^n][^f][^i][^n][^e][^d]**,
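# LP: #1446794 - the character-class rules above are a workaround for
# expressing "any profile except unconfined or a path-named (/...) one";
# when this bug is fixed, change the above to: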
# deny change_profile -> {unconfined,/**},
# change_profile -> **,
# reading seccomp filters
/var/lib/snappy/seccomp/profiles/* r,