File: /var/lib/snapd/apparmor/profiles/snap-update-ns.network-manager
# Description: Allows snap-update-ns to construct the mount namespace specific
# to a particular snap (see the name below). This specifically includes the
# precise locations of the layout elements.

# vim:syntax=apparmor

#include <tunables/global>

#include if exists "/etc/apparmor.d/tunables/home.d"

profile snap-update-ns.network-manager (attach_disconnected) {
  # attach_disconnected: while this helper is rearranging mounts, paths can be
  # disconnected from the namespace root (see the pivot_root note below); the
  # flag makes such paths match the rules instead of being denied outright.

  # Allow reading and mapping the snap-update-ns binary itself. It may be
  # shipped from several locations (host packaging, hostfs, or the core/snapd
  # snap), hence the four variants.
  /usr/lib{,exec,64}/snapd/snap-update-ns mr,
  /var/lib/snapd/hostfs/usr/lib{,exec,64}/snapd/snap-update-ns mr,
  /{,var/lib/snapd/}snap/{core,snapd}/*/usr/lib/snapd/snap-update-ns mr,
  /var/lib/snapd/hostfs/{,var/lib/snapd/}snap/core/*/usr/lib/snapd/snap-update-ns mr,

  # Allow reading the dynamic linker cache.
  /etc/ld.so.cache r,
  # Allow reading, mapping and executing the dynamic linker. "ix" means the
  # linker keeps running under this same profile (no domain transition).
  /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}ld-*.so mrix,
  # Allow reading and mapping various parts of the standard library and
  # dynamically loaded nss modules and what not. Only libc and libpthread are
  # listed; any other library the binary tried to load would hit default-deny.
  /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libc{,-[0-9]*}.so* mr,
  /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libpthread{,-[0-9]*}.so* mr,

  # Common devices accesses
  /dev/null rw,
  /dev/full rw,
  /dev/zero rw,
  /dev/random r,
  /dev/urandom r,

  # golang runtime variables
  /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
  # glibc 2.27+ may poke this file to find out the number of CPUs
  # available in the system when creating a new arena for malloc, see
  # Golang issue 25628
  /sys/devices/system/cpu/online r,

  # Allow reading the command line (snap-update-ns uses it in pre-Go bootstrap code).
  # "owner" restricts the rule to files whose owner matches the task's fsuid,
  # i.e. the process's own /proc entry.
  owner @{PROC}/@{pid}/cmdline r,

  # Allow reading of own maps (Go runtime)
  owner @{PROC}/@{pid}/maps r,

  # Allow reading file descriptor paths
  owner @{PROC}/@{pid}/fd/* r,

  # Allow reading /proc/version. For release.go WSL detection.
  @{PROC}/version r,

  # Allow reading own cgroups
  owner @{PROC}/@{pid}/cgroup r,

  # Allow reading own mountinfo (Go runtime 1.25+)
  owner @{PROC}/@{pid}/mountinfo r,

  # Allow reading somaxconn, required in newer distro releases
  @{PROC}/sys/net/core/somaxconn r,
  # but silence noisy denial of inet/inet6. Explicit deny rules take
  # precedence over allow rules, so no other rule in this profile can
  # accidentally give this helper network access.
  deny network inet,
  deny network inet6,

  # Allow reading the os-release file (possibly a symlink to /usr/lib).
  /{etc/,usr/lib/}os-release r,

  # Allow creating/grabbing global and per-snap lock files ("k" = file locking).
  /run/snapd/lock/network-manager.lock rwk,
  /run/snapd/lock/.lock rwk,

  # While the base abstraction has rules for encryptfs encrypted home and
  # private directories, it is missing rules for directory read on the toplevel
  # directory of the mount (LP: #1848919)
  owner @{HOME}/.Private/ r,
  owner @{HOMEDIRS}/.ecryptfs/*/.Private/ r,

  # Allow reading stored mount namespaces,
  /run/snapd/ns/ r,
  /run/snapd/ns/network-manager.mnt r,

  # Allow reading per-snap desired mount profiles. Those are written by
  # snapd and represent the desired layout and content connections.
  # Read-only here: this helper consumes the desired profile, it never edits it.
  /var/lib/snapd/mount/snap.network-manager.fstab r,
  /var/lib/snapd/mount/snap.network-manager.user-fstab r,

  # Allow reading and writing actual per-snap mount profiles. Note that
  # the wildcard in the rule to allow an atomic write + rename strategy.
  # Those files are written by snap-update-ns and represent the actual
  # mount profile at a given moment.
  /run/snapd/ns/snap.network-manager.fstab{,.*} rw,

  # Allow writing to a log file for both per-snap and per-snap-and-user log files.
  /run/snapd/ns/snap.network-manager.log w,
  /run/snapd/ns/snap.network-manager.user.*.log w,

  # NOTE: at this stage the /snap directory is stable as we have called
  # pivot_root already.

  # Capabilities. Taken together, sys_admin + dac_override + setuid/setgid
  # make this helper effectively root inside the mount namespace, so the real
  # confinement boundary is the set of mount/umount rules in this profile:
  # every source and target listed there is a path this helper may bind over.
  # Widen those rules with care.
  # Needed to perform mount/unmounts.
  capability sys_admin,
  # Needed for mimic construction.
  capability chown,
  # Needed for dropping to calling user when processing per-user mounts
  capability setuid,
  capability setgid,
  # Allow snap-update-ns to override file ownership and permission checks.
  # This is required because writable mimics now preserve the permissions
  # of the original and hence we may be asked to create a directory when the
  # parent is a tmpfs without DAC write access.
  capability dac_override,

  # Allow freezing and thawing the per-snap cgroup freezers
  # v1 hierarchy where we know the group name of all processes of
  # a given snap upfront
  /sys/fs/cgroup/freezer/snap.network-manager/freezer.state rw,
  # v2 hierarchy, where we need to walk the tree to looking for the tracking
  # groups and act on each one. Read access is tree-wide, but write access
  # is limited to this snap's own .scope/.service cgroup.freeze files.
  /sys/fs/cgroup/ r,
  /sys/fs/cgroup/** r,
  /sys/fs/cgroup/**/snap.network-manager.*.scope/cgroup.freeze rw,
  /sys/fs/cgroup/**/snap.network-manager.*.service/cgroup.freeze rw,

  # Allow the content interface to bind fonts from the host filesystem.
  # The bind is read-only ("ro bind"); the "rw private" rule that follows is
  # there to change propagation of the resulting mount, not to remount fonts
  # writable.
  mount options=(ro bind) /var/lib/snapd/hostfs/usr/share/fonts/ -> /snap/network-manager/*/**,
  mount options=(rw private) -> /snap/network-manager/*/**,
  umount /snap/network-manager/*/**,

  # set up user mount namespace
  mount options=(rslave) -> /,

  # Allow traversing from the root directory and several well-known places.
  # Specific directory permissions are added by snippets below.
  # (Some of these reappear later in the file; duplicate rules are harmless
  # because the effective policy is the union of all rules.)
  / r,
  /etc/ r,
  /snap/ r,
  /tmp/ r,
  /usr/ r,
  /var/ r,
  /var/lib/ r,
  /var/lib/snapd/ r,
  /var/snap/ r,

  # Allow reading timezone data.
  /usr/share/zoneinfo/** r,

  # Don't allow anyone to touch /snap/bin. These are "audit deny" so an
  # attempt is both blocked and logged, and they override any of the broad
  # mount rules below that could otherwise match.
  audit deny mount /snap/bin/** -> /**,
  audit deny mount /** -> /snap/bin/**,

  # Don't allow bind mounts to /media which has special
  # sharing and propagates mount events outside of the snap namespace.
  audit deny mount -> /media,

  # Allow receiving signals from unconfined (eg, systemd)
  signal (receive) peer=unconfined,
  # Allow sending and receiving signals from ourselves.
  signal peer=@{profile_name},

  # Commonly needed permissions for writable mimics. /tmp/.snap/ is the
  # staging area where read-only directories are bound aside (see the
  # "Writable mimic" sections below).
  # NOTE(review): /tmp is world-writable on the host; this is presumably only
  # safe because the helper runs inside the snap's own mount namespace rather
  # than against the host's /tmp — confirm against snap-confine.
  /tmp/ r,
  /tmp/.snap/{,**} rw,

  # snapd logger.go checks /proc/cmdline
  @{PROC}/cmdline r,

  # snap checks if vendored apparmor parser should be used at startup
  /usr/lib/snapd/info r,
  /lib/apparmor/functions r,

  # Allow snap-update-ns to open home directory
  owner @{HOME}/ r,


# The unindented rules below look like an interface-provided snippet spliced
# in verbatim (presumably the network-manager interface); the traversal rules
# partly duplicate the ones above, which is harmless. Note the dhcp directory
# is bound read-write from the host filesystem, so whatever the snap is
# allowed (by its own profile) to write under /var/lib/dhcp lands on the
# host's /var/lib/dhcp.
/var/ r,
/var/lib/ r,
/var/lib/snapd/ r,
/var/lib/snapd/hostfs/ r,
/var/lib/snapd/hostfs/var/ r,
/var/lib/snapd/hostfs/var/lib/ r,
/var/lib/snapd/hostfs/var/lib/dhcp/ r,
/var/lib/dhcp/ r,
mount options=(rw bind) /var/lib/snapd/hostfs/var/lib/dhcp/ -> /var/lib/dhcp/,
umount /var/lib/dhcp/,

  # Layout /etc/NetworkManager: bind $SNAP_DATA/conf
  # The snap revision (981) is baked into every $SNAP/$SNAP_DATA path below;
  # presumably snapd regenerates this profile on each refresh.

  mount options=(rbind, rw) "/var/snap/network-manager/981/conf/" -> "/etc/NetworkManager/",

  mount options=(rprivate) -> "/etc/NetworkManager/",

  umount "/etc/NetworkManager/",

  # Writable mimic /etc
  #
  # A "writable mimic" makes a read-only directory appear writable so that a
  # layout entry can be created inside it. The rules below implement:
  #   1. bind the original directory aside to /tmp/.snap/<dir>/,
  #   2. mount a fresh tmpfs over <dir>/,
  #   3. recreate each entry of the original as an empty file/dir on the
  #      tmpfs and bind the set-aside original back over it,
  #   4. unmount the /tmp/.snap/<dir>/ staging mount,
  #   5. (undo path) make everything private and unmount it again.
  # The same sequence is repeated for every prefix level a layout may need
  # (e.g. /usr/ and /usr/lib/), hence the volume of near-identical rules.

  # .. permissions for traversing the prefix that is assumed to exist

  "/" r,

  # .. variant with mimic at /etc/

  # Allow reading the mimic directory, it must exist in the first place.

  "/etc/" r,

  # Allow setting the read-only directory aside via a bind mount.

  "/tmp/.snap/etc/" rw,

  mount options=(rbind, rw) "/etc/" -> "/tmp/.snap/etc/",

  # Allow mounting tmpfs over the read-only directory.

  mount fstype=tmpfs options=(rw) tmpfs -> "/etc/",

  # Allow creating empty files and directories for bind mounting things
  # to reconstruct the now-writable parent directory.

  "/tmp/.snap/etc/*/" rw,

  "/etc/*/" rw,

  mount options=(rbind, rw) "/tmp/.snap/etc/*/" -> "/etc/*/",

  "/tmp/.snap/etc/*" rw,

  "/etc/*" rw,

  mount options=(bind, rw) "/tmp/.snap/etc/*" -> "/etc/*",

  # Allow unmounting the auxiliary directory.
  # TODO: use fstype=tmpfs here for more strictness (LP: #1613403)

  mount options=(rprivate) -> "/tmp/.snap/etc/",

  umount "/tmp/.snap/etc/",

  # Allow unmounting the destination directory as well as anything
  # inside.  This lets us perform the undo plan in case the writable
  # mimic fails.

  mount options=(rprivate) -> "/etc/",

  mount options=(rprivate) -> "/etc/*",

  mount options=(rprivate) -> "/etc/*/",

  umount "/etc/",

  umount "/etc/*",

  umount "/etc/*/",

  # Writable directory /var/snap/network-manager/981/conf
  # rw on the whole directory chain, presumably so the bind source can be
  # created if it does not exist yet when the layout is first applied.

  "/var/snap/network-manager/981/conf/" rw,

  "/var/snap/network-manager/981/" rw,

  "/var/snap/network-manager/" rw,

  # Layout /usr/lib/NetworkManager: bind $SNAP/usr/lib/NetworkManager

  mount options=(rbind, rw) "/snap/network-manager/981/usr/lib/NetworkManager/" -> "/usr/lib/NetworkManager/",

  mount options=(rprivate) -> "/usr/lib/NetworkManager/",

  umount "/usr/lib/NetworkManager/",

  # Writable mimic /usr/lib
  # Same sequence as the /etc mimic above, once for /usr/ and once for /usr/lib/.

  # .. variant with mimic at /usr/

  "/usr/" r,

  "/tmp/.snap/usr/" rw,

  mount options=(rbind, rw) "/usr/" -> "/tmp/.snap/usr/",

  mount fstype=tmpfs options=(rw) tmpfs -> "/usr/",

  "/tmp/.snap/usr/*/" rw,

  "/usr/*/" rw,

  mount options=(rbind, rw) "/tmp/.snap/usr/*/" -> "/usr/*/",

  "/tmp/.snap/usr/*" rw,

  "/usr/*" rw,

  mount options=(bind, rw) "/tmp/.snap/usr/*" -> "/usr/*",

  mount options=(rprivate) -> "/tmp/.snap/usr/",

  umount "/tmp/.snap/usr/",

  mount options=(rprivate) -> "/usr/",

  mount options=(rprivate) -> "/usr/*",

  mount options=(rprivate) -> "/usr/*/",

  umount "/usr/",

  umount "/usr/*",

  umount "/usr/*/",

  # .. variant with mimic at /usr/lib/

  "/usr/lib/" r,

  "/tmp/.snap/usr/lib/" rw,

  mount options=(rbind, rw) "/usr/lib/" -> "/tmp/.snap/usr/lib/",

  mount fstype=tmpfs options=(rw) tmpfs -> "/usr/lib/",

  "/tmp/.snap/usr/lib/*/" rw,

  "/usr/lib/*/" rw,

  mount options=(rbind, rw) "/tmp/.snap/usr/lib/*/" -> "/usr/lib/*/",

  "/tmp/.snap/usr/lib/*" rw,

  "/usr/lib/*" rw,

  mount options=(bind, rw) "/tmp/.snap/usr/lib/*" -> "/usr/lib/*",

  mount options=(rprivate) -> "/tmp/.snap/usr/lib/",

  umount "/tmp/.snap/usr/lib/",

  mount options=(rprivate) -> "/usr/lib/",

  mount options=(rprivate) -> "/usr/lib/*",

  mount options=(rprivate) -> "/usr/lib/*/",

  umount "/usr/lib/",

  umount "/usr/lib/*",

  umount "/usr/lib/*/",

  # Writable mimic /snap/network-manager/981/usr/lib
  # This mimics the snap's own (read-only) tree, presumably so the bind
  # source of the layout above can be created if the squashfs lacks it.
  # NOTE(review): these variants allow placing a tmpfs over the snap's root
  # directory itself; the audit-deny rules for /snap/bin above still apply.

  "/snap/" r,

  "/snap/network-manager/" r,

  # .. variant with mimic at /snap/network-manager/981/

  "/snap/network-manager/981/" r,

  "/tmp/.snap/snap/network-manager/981/" rw,

  mount options=(rbind, rw) "/snap/network-manager/981/" -> "/tmp/.snap/snap/network-manager/981/",

  mount fstype=tmpfs options=(rw) tmpfs -> "/snap/network-manager/981/",

  "/tmp/.snap/snap/network-manager/981/*/" rw,

  "/snap/network-manager/981/*/" rw,

  mount options=(rbind, rw) "/tmp/.snap/snap/network-manager/981/*/" -> "/snap/network-manager/981/*/",

  "/tmp/.snap/snap/network-manager/981/*" rw,

  "/snap/network-manager/981/*" rw,

  mount options=(bind, rw) "/tmp/.snap/snap/network-manager/981/*" -> "/snap/network-manager/981/*",

  mount options=(rprivate) -> "/tmp/.snap/snap/network-manager/981/",

  umount "/tmp/.snap/snap/network-manager/981/",

  mount options=(rprivate) -> "/snap/network-manager/981/",

  mount options=(rprivate) -> "/snap/network-manager/981/*",

  mount options=(rprivate) -> "/snap/network-manager/981/*/",

  umount "/snap/network-manager/981/",

  umount "/snap/network-manager/981/*",

  umount "/snap/network-manager/981/*/",

  # .. variant with mimic at /snap/network-manager/981/usr/

  "/snap/network-manager/981/usr/" r,

  "/tmp/.snap/snap/network-manager/981/usr/" rw,

  mount options=(rbind, rw) "/snap/network-manager/981/usr/" -> "/tmp/.snap/snap/network-manager/981/usr/",

  mount fstype=tmpfs options=(rw) tmpfs -> "/snap/network-manager/981/usr/",

  "/tmp/.snap/snap/network-manager/981/usr/*/" rw,

  "/snap/network-manager/981/usr/*/" rw,

  mount options=(rbind, rw) "/tmp/.snap/snap/network-manager/981/usr/*/" -> "/snap/network-manager/981/usr/*/",

  "/tmp/.snap/snap/network-manager/981/usr/*" rw,

  "/snap/network-manager/981/usr/*" rw,

  mount options=(bind, rw) "/tmp/.snap/snap/network-manager/981/usr/*" -> "/snap/network-manager/981/usr/*",

  mount options=(rprivate) -> "/tmp/.snap/snap/network-manager/981/usr/",

  umount "/tmp/.snap/snap/network-manager/981/usr/",

  mount options=(rprivate) -> "/snap/network-manager/981/usr/",

  mount options=(rprivate) -> "/snap/network-manager/981/usr/*",

  mount options=(rprivate) -> "/snap/network-manager/981/usr/*/",

  umount "/snap/network-manager/981/usr/",

  umount "/snap/network-manager/981/usr/*",

  umount "/snap/network-manager/981/usr/*/",

  # .. variant with mimic at /snap/network-manager/981/usr/lib/

  "/snap/network-manager/981/usr/lib/" r,

  "/tmp/.snap/snap/network-manager/981/usr/lib/" rw,

  mount options=(rbind, rw) "/snap/network-manager/981/usr/lib/" -> "/tmp/.snap/snap/network-manager/981/usr/lib/",

  mount fstype=tmpfs options=(rw) tmpfs -> "/snap/network-manager/981/usr/lib/",

  "/tmp/.snap/snap/network-manager/981/usr/lib/*/" rw,

  "/snap/network-manager/981/usr/lib/*/" rw,

  mount options=(rbind, rw) "/tmp/.snap/snap/network-manager/981/usr/lib/*/" -> "/snap/network-manager/981/usr/lib/*/",

  "/tmp/.snap/snap/network-manager/981/usr/lib/*" rw,

  "/snap/network-manager/981/usr/lib/*" rw,

  mount options=(bind, rw) "/tmp/.snap/snap/network-manager/981/usr/lib/*" -> "/snap/network-manager/981/usr/lib/*",

  mount options=(rprivate) -> "/tmp/.snap/snap/network-manager/981/usr/lib/",

  umount "/tmp/.snap/snap/network-manager/981/usr/lib/",

  mount options=(rprivate) -> "/snap/network-manager/981/usr/lib/",

  mount options=(rprivate) -> "/snap/network-manager/981/usr/lib/*",

  mount options=(rprivate) -> "/snap/network-manager/981/usr/lib/*/",

  umount "/snap/network-manager/981/usr/lib/",

  umount "/snap/network-manager/981/usr/lib/*",

  umount "/snap/network-manager/981/usr/lib/*/",

  # Layout /usr/lib/libnm.so.0: symlink $SNAP/usr/lib/libnm.so.0
  # "rw" on the target path is what lets snap-update-ns create the symlink
  # inside the /usr/lib mimic. It grants nothing to the snap's own processes,
  # which are confined separately; this profile only covers snap-update-ns.

  "/usr/lib/libnm.so.0" rw,

  # Layout /usr/sbin/openvpn: symlink $SNAP/usr/sbin/openvpn
  # Same as above: the symlink is created inside the /usr/sbin mimic below.

  "/usr/sbin/openvpn" rw,

  # Writable mimic /usr/sbin
  # Same sequence as the /etc mimic above, for /usr/sbin/.

  # .. variant with mimic at /usr/sbin/

  "/usr/sbin/" r,

  "/tmp/.snap/usr/sbin/" rw,

  mount options=(rbind, rw) "/usr/sbin/" -> "/tmp/.snap/usr/sbin/",

  mount fstype=tmpfs options=(rw) tmpfs -> "/usr/sbin/",

  "/tmp/.snap/usr/sbin/*/" rw,

  "/usr/sbin/*/" rw,

  mount options=(rbind, rw) "/tmp/.snap/usr/sbin/*/" -> "/usr/sbin/*/",

  "/tmp/.snap/usr/sbin/*" rw,

  "/usr/sbin/*" rw,

  mount options=(bind, rw) "/tmp/.snap/usr/sbin/*" -> "/usr/sbin/*",

  mount options=(rprivate) -> "/tmp/.snap/usr/sbin/",

  umount "/tmp/.snap/usr/sbin/",

  mount options=(rprivate) -> "/usr/sbin/",

  mount options=(rprivate) -> "/usr/sbin/*",

  mount options=(rprivate) -> "/usr/sbin/*/",

  umount "/usr/sbin/",

  umount "/usr/sbin/*",

  umount "/usr/sbin/*/",

  # Layout /var/lib/NetworkManager: bind $SNAP_DATA/var/lib/NetworkManager

  mount options=(rbind, rw) "/var/snap/network-manager/981/var/lib/NetworkManager/" -> "/var/lib/NetworkManager/",

  mount options=(rprivate) -> "/var/lib/NetworkManager/",

  umount "/var/lib/NetworkManager/",

  # Writable mimic /var/lib
  # Same sequence as the /etc mimic above, once for /var/ and once for /var/lib/.

  # .. variant with mimic at /var/

  "/var/" r,

  "/tmp/.snap/var/" rw,

  mount options=(rbind, rw) "/var/" -> "/tmp/.snap/var/",

  mount fstype=tmpfs options=(rw) tmpfs -> "/var/",

  "/tmp/.snap/var/*/" rw,

  "/var/*/" rw,

  mount options=(rbind, rw) "/tmp/.snap/var/*/" -> "/var/*/",

  "/tmp/.snap/var/*" rw,

  "/var/*" rw,

  mount options=(bind, rw) "/tmp/.snap/var/*" -> "/var/*",

  mount options=(rprivate) -> "/tmp/.snap/var/",

  umount "/tmp/.snap/var/",

  mount options=(rprivate) -> "/var/",

  mount options=(rprivate) -> "/var/*",

  mount options=(rprivate) -> "/var/*/",

  umount "/var/",

  umount "/var/*",

  umount "/var/*/",

  # .. variant with mimic at /var/lib/

  "/var/lib/" r,

  "/tmp/.snap/var/lib/" rw,

  mount options=(rbind, rw) "/var/lib/" -> "/tmp/.snap/var/lib/",

  mount fstype=tmpfs options=(rw) tmpfs -> "/var/lib/",

  "/tmp/.snap/var/lib/*/" rw,

  "/var/lib/*/" rw,

  mount options=(rbind, rw) "/tmp/.snap/var/lib/*/" -> "/var/lib/*/",

  "/tmp/.snap/var/lib/*" rw,

  "/var/lib/*" rw,

  mount options=(bind, rw) "/tmp/.snap/var/lib/*" -> "/var/lib/*",

  mount options=(rprivate) -> "/tmp/.snap/var/lib/",

  umount "/tmp/.snap/var/lib/",

  mount options=(rprivate) -> "/var/lib/",

  mount options=(rprivate) -> "/var/lib/*",

  mount options=(rprivate) -> "/var/lib/*/",

  umount "/var/lib/",

  umount "/var/lib/*",

  umount "/var/lib/*/",

  # Writable directory /var/snap/network-manager/981/var/lib/NetworkManager
  # As with $SNAP_DATA/conf above: rw on the chain so the bind source can be
  # created if it is missing.

  "/var/snap/network-manager/981/var/lib/NetworkManager/" rw,

  "/var/snap/network-manager/981/var/lib/" rw,

  "/var/snap/network-manager/981/var/" rw,

}