* interfaces/docker-support: make generic rules not conflict with snap-confine
The rules we inject into the profile to account for allowing devmode snaps to
execute other snaps are in conflict with these, meaning that the docker snap
(and the strictly confined microk8s snap) cannot be installed with devmode
confinement which sometimes needs to be done. So make these generic rules allow
anything except very specifically the transition rules which we inject that
have regular expression wildcards in them to get the policy to compile
properly.
Also adjust the spread test to ensure we are testing that the docker snap can
be installed with devmode, at least to the point where apparmor profiles are
compiled correctly.
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
* interfaces/docker-support: re-word comments for clarity
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
* interfaces/docker-support: add additional missing exclusion rules
Thanks to Alex for spotting these being missing.
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
Allow more calls to systemd-resolved D-Bus interface from the
interfaces that can control network resources. These new calls are
being used now by NetworkManager in jammy. Also, point to more
up-to-date documentation for the interface.
/proc/sys/dev/i915/perf_stream_paranoid is used to allow toggling Intel
Graphics metrics collection to non-root users. The firefox snap (at
least) reads this during startup (but doesn't try to write to it) which
causes log noise but otherwise seems to work ok. Since the contents are
a simple integer value, there is nothing sensitive in the file, so allow
snaps that plug opengl to read the file.
References:
- https://github.com/intel/pti-gpu#prerequisites
In jammy, the full path for the dynamic linker has changed to
/usr/lib/{arch}-linux-gnu/ld-linux-{arch}.so.{1,2}
Change the related rule so things like ldd can work confined.
The base apparmor template already includes the various VarLink sockets but
is missing the one from systemd-machined. Support was recently added
upstream in https://gitlab.com/apparmor/apparmor/-/merge_requests/861 so
this change ensures we keep the base template up to date in this regard
too.
Signed-off-by: Alex Murray <alex.murray@canonical.com>
Currently the only place these rules are exposed is in the network-manager
slot, which is only intended to be slotted by network-manager itself, but there
are valid use cases to be able to call these D-Bus endpoints for a snap
managing the network that is not network-manager too, so add them here.
Fixes: https://bugs.launchpad.net/snapd/+bug/1962501
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
Useradd can reach out to pam_tally2 to reset the login counter, in which case it
gets blocked by AppArmor with:
apparmor="DENIED" operation="exec" profile="snap.test.test"
name="/usr/sbin/pam_tally2" pid=5056 comm="useradd" requested_mask="x"
denied_mask="x" fsuid=0 ouid=0
Fixes: https://bugs.launchpad.net/snapd/+bug/1958640
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
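The denial quoted above is the usual starting point for a profile fix. The following is an added example (not snapd code) that parses an AppArmor audit record into its fields and derives the file rule a reviewer would add; the record itself is the one from the commit message, rejoined onto one line.

```python
import re
from typing import Dict, Optional

# Constructed sample: the denial quoted in the commit message above, rejoined
# onto one line as it appears in the kernel/audit log.
SAMPLE_DENIAL = (
    'apparmor="DENIED" operation="exec" profile="snap.test.test" '
    'name="/usr/sbin/pam_tally2" pid=5056 comm="useradd" requested_mask="x" '
    'denied_mask="x" fsuid=0 ouid=0'
)

# key=value pairs: values are either double-quoted strings or bare tokens
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_apparmor_line(line: str) -> Optional[Dict[str, str]]:
    """Return the key=value fields of an AppArmor audit record, or None
    if the line is not an AppArmor record at all."""
    fields = {k: (quoted or bare) for k, quoted, bare in _KV_RE.findall(line)}
    if "apparmor" not in fields:
        return None
    return fields


def suggest_rule(fields: Dict[str, str]) -> Optional[str]:
    """Derive the profile rule that would cover a file-access record.

    DENIED comes from enforce mode; ALLOWED is the same event logged in
    complain mode (what a devmode snap produces). Only exec and open are
    handled; anything else returns None so a human looks at it.
    """
    if fields.get("apparmor") not in ("DENIED", "ALLOWED") or "name" not in fields:
        return None
    operation = fields.get("operation")
    if operation == "exec":
        # 'ix' runs the child under the caller's own profile (no transition),
        # which is what a confined useradd calling pam_tally2 needs.
        return f'{fields["name"]} ix,'
    mask = fields.get("denied_mask") or fields.get("requested_mask", "")
    if operation == "open" and mask:
        return f'{fields["name"]} {mask},'
    return None


if __name__ == "__main__":
    parsed = parse_apparmor_line(SAMPLE_DENIAL)
    print(parsed["profile"], "->", suggest_rule(parsed))
```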
This is needed for some kernels with the mentioned patch where individual
monitoring of CPUs can be achieved by these files.
See also ticket 00329266 and LP bug 1962447
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>