# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

# Where the snapd tool binaries may live: the host library dirs (@{lib}), or
# the same layout inside a mounted snapd/core snap revision under /snap/.
# "{,x}@{int}" is the snap revision directory name; the optional "x" prefix is
# presumably the local/unasserted revision form -- confirm against snapd docs.
@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib}

# The confined binary. Note the profile header below carries this same path in
# fully expanded form (the @{int} glob spelled out), so both must be kept in sync.
@{exec_path} = @{lib_dirs}/snapd/snap-update-ns
# Attachment prefix used by other apparmor.d profiles; deliberately empty here
# and not referenced by any rule in this profile.
@{att} = ""
# snap-update-ns: snapd helper that rewrites a snap's mount namespace.
#
# SECURITY NOTE: flags=(complain) means every rule violation is only logged
# (audit/dmesg "ALLOWED" events), never blocked. Until this profile is switched
# to enforce mode it provides visibility, not confinement.
profile snap-update-ns /{{,usr/}lib{,exec,32,64}/snapd/snap-update-ns,snap/{snapd,core}/{,x}[0-9]{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}/{,usr/}lib{,exec,32,64}/snapd/snap-update-ns} flags=(complain) {
  include <abstractions/base-strict>

  # dac_override bypasses file-mode checks; sys_admin is required by the
  # kernel for mount(2)/umount(2) (the mount/umount rules below); sys_chroot
  # permits chroot(2). Together these are close to root-equivalent, so the
  # file rules below are what actually bound the blast radius once enforced.
  capability dac_override,
  capability sys_admin,
  capability sys_chroot,

  # NOTE(review): the reason for raw netlink access is not evident from this
  # profile -- confirm which netlink family snap-update-ns actually uses.
  network netlink raw,

  # Mount rules of the form "mount -> DEST" constrain only the mount point.
  # Source path, filesystem type and mount options are left unrestricted, so
  # "mount -> /usr/**" would, when enforced, still permit mounting anything
  # anywhere under /usr. NOTE(review): consider narrowing with explicit
  # options=(...) / fstype= once the real bind-mount patterns are confirmed
  # from the logs.
  mount -> @{efi}/,
  mount -> /snap/**,
  mount -> /tmp/.snap/**,
  mount -> /usr/**,
  mount -> /var/lib/dhcp/,

  # Unmount is limited to these specific mount points.
  umount @{lib}/@{multiarch}/webkit2gtk-@{version}/,
  umount /snap/**,
  umount /tmp/.snap/**,
  umount /usr/share/xml/iso-codes/,
  umount /var/lib/dhcp/,

  # Own binary and shared libraries, mmap-executable.
  @{exec_path} mr,
  @{lib_dirs}/**.so* mr,

  # Directory write access on a path that is also an umount target above;
  # presumably used to create the mount point before mounting -- confirm.
  @{lib}/@{multiarch}/webkit2gtk-@{version}/ w,

  /usr/share/xml/ r,
  /usr/share/xml/iso-codes/ rw,

  # Read-only access to snapd's mount configuration directory.
  /var/lib/snapd/mount/{,*} r,

  # Directory traversal and listing along the paths it mounts onto, plus a few
  # writable directories under /usr. These writes are on mount-point
  # candidates rather than regular files; presumably mount-point creation,
  # but confirm before tightening or widening.
  / r,
  /tmp/ r,
  @{lib}/ r,
  /usr/ r,
  /usr/local/ r,
  /usr/local/share/ r,
  /usr/local/share/doc/ rw,
  /usr/local/share/fonts/ rw,
  /usr/share/ r,
  /usr/share/drirc.d w,
  /usr/share/X11/ r,
  /usr/share/X11/XErrorDB w,

  # "owner" limits these rules to files whose owner matches the process fsuid.
  # snap-update-ns is expected to run as root, so in practice this only
  # excludes non-root-owned entries -- a weak constraint, not a strong one.
  owner /snap/{,**} rw,

  owner /var/ rw,
  owner /var/lib/ rw,
  owner /var/lib/snapd/ rw,
  owner /var/snap/ rw,
  owner /var/snap/**/ rw,

  # Scratch area that is also a mount/umount target above; "k" grants file locking.
  owner @{tmp}/.snap/{,**} rwk,

  # snapd lock files (locking) and the per-snap namespace state directory.
  @{run}/snapd/lock/*.lock rwk,
  @{run}/snapd/ns/{,**} rw,

  # cgroup v2: writing cgroup.freeze freezes/thaws every process in the cgroup.
  # Only snap-scoped units are writable (system services and per-user app
  # scopes/services); presumably used to pause the snap's processes while
  # its mount namespace is rewritten -- confirm.
  @{sys}/fs/cgroup/{,**/} r,
  @{sys}/fs/cgroup/system.slice/snap.*.service/cgroup.freeze rw,
  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/snap*.scope/cgroup.freeze rw,
  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/snap*.service/cgroup.freeze rw,

  # Read any process's cgroup membership (needed to find the cgroup.freeze
  # files above), plus kernel command line and version.
  @{PROC}/@{pids}/cgroup r,
  @{PROC}/cmdline r,
  @{PROC}/version r,

  # Site-local additions, if an admin provides them.
  include if exists <local/snap-update-ns>
}

# vim:syntax=apparmor
