mirror of
https://github.com/token2/snapd.git
synced 2026-03-13 11:15:47 -07:00
= Overview =

The ubuntu-core-launcher launches snappy applications with restricted
access. It uses apparmor, seccomp and a devices cgroup to do this.

Run with:

$ ubuntu-core-launcher /path/to/rootdir security-profile /path/to/binary additional args

== Apparmor ==

The apparmor part is similar to aa-exec -p, i.e. it switches to the
given apparmor profile (which must already be loaded into the kernel)
before executing the application.

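As an added example (not code from the launcher or from this page), here is the pre-flight check a launcher would want before switching profiles the way aa-exec -p does: the switch fails if the profile is not loaded, and a profile loaded in complain mode only logs instead of confining. The check parses the kernel's profile listing in /sys/kernel/security/apparmor/profiles, where each line reads "<name> (<mode>)". The program name aa-check, the buffer size and the profile names used in the comments are assumptions.

```c
/* Added example, not the launcher's code: confirm an AppArmor profile is
 * loaded and enforcing by parsing /sys/kernel/security/apparmor/profiles,
 * whose lines look like "/usr/sbin/tcpdump (enforce)". */
#include <stdio.h>
#include <string.h>

#define AA_PROFILES "/sys/kernel/security/apparmor/profiles"

/* Look up `name` in `listing`; copy its mode ("enforce", "complain", ...)
 * into `mode`.  Returns 0 if found, -1 if absent or `mode` is too small. */
int apparmor_profile_mode(const char *listing, const char *name, char *mode, size_t n) {
    size_t nlen = strlen(name);
    for (const char *line = listing; *line;) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        /* exact name, then " (" mode ")"; a prefix such as "snap.foo" must not
         * match "snap.foobar (enforce)" or the hat "snap.foo//bar (enforce)" */
        if (len > nlen + 3 && strncmp(line, name, nlen) == 0 &&
            memcmp(line + nlen, " (", 2) == 0 && line[len - 1] == ')') {
            size_t mlen = len - nlen - 3;
            if (mlen >= n) return -1;
            memcpy(mode, line + nlen + 2, mlen);
            mode[mlen] = '\0';
            return 0;
        }
        line = nl ? nl + 1 : line + len;
    }
    return -1;
}

/* 1 only when the profile is loaded in enforce mode: a missing profile makes
 * the switch fail, a complain-mode profile confines nothing. */
int apparmor_profile_enforcing(const char *listing, const char *name) {
    char mode[32];
    return apparmor_profile_mode(listing, name, mode, sizeof mode) == 0 &&
           strcmp(mode, "enforce") == 0;
}

/* Usage: aa-check PROFILE-NAME   (reading the listing normally needs root) */
int main(int argc, char **argv) {
    static char listing[1 << 16];  /* sized for a typical listing (assumption) */
    if (argc != 2) { fprintf(stderr, "usage: %s PROFILE-NAME\n", argv[0]); return 2; }
    FILE *f = fopen(AA_PROFILES, "r");
    if (!f) { perror(AA_PROFILES); return 2; }
    listing[fread(listing, 1, sizeof listing - 1, f)] = '\0';
    fclose(f);
    if (!apparmor_profile_enforcing(listing, argv[1])) {
        fprintf(stderr, "%s: not loaded in enforce mode, refusing to launch\n", argv[1]);
        return 1;
    }
    printf("%s is loaded and enforcing\n", argv[1]);
    return 0;
}
```

A launcher that runs this check and only then calls into the profile switch fails closed: a typo in the profile name or a profile left in complain mode after debugging is caught before the application starts, instead of silently running unconfined.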
== Seccomp ==

The seccomp filter profile is expected to be located in
/var/lib/snappy/seccomp/profiles

The filter file contains lines with syscall names, comments that start
with "#" or special directives that start with a "@". Every syscall
named in the file is allowed; a syscall that is not named is not.

The supported special directives are:
@unrestricted

The unrestricted profile looks like this:
"""
# Unrestricted profile
@unrestricted
"""

A very strict profile might look like this:
"""
# Super strict profile
read
write
"""

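As an added example (not the launcher's own code), here is how a profile in the format above becomes a seccomp-BPF whitelist: a parser for the comment, directive and syscall-name lines, a builder that emits the raw BPF program including the architecture check, and a main that installs the filter with prctl(2) before exec. The syscall name table is a small constructed one, the profile path is taken from the command line rather than from /var/lib/snappy/seccomp/profiles, and rejecting unknown names and directives is this example's own fail-closed choice.

```c
/* Added example, not the launcher's code: parse a snappy seccomp profile and
 * compile it into a raw seccomp-BPF whitelist.  The syscall table is a small
 * constructed one (assumption); a real launcher resolves every name. */
#define _GNU_SOURCE
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* constant for this architecture"
#endif
#define MAX_SYS 128

struct profile {
    int unrestricted;        /* set by the @unrestricted directive */
    int nsys, sys[MAX_SYS];  /* allowed syscall numbers, in profile order */
};

static const struct { const char *name; int nr; } syscall_table[] = {
    {"read", SYS_read}, {"write", SYS_write}, {"close", SYS_close}, {"brk", SYS_brk},
    {"mmap", SYS_mmap}, {"munmap", SYS_munmap}, {"exit", SYS_exit},
    {"exit_group", SYS_exit_group}, {"rt_sigreturn", SYS_rt_sigreturn},
};

static int lookup_syscall(const char *name) {
    for (size_t i = 0; i < sizeof syscall_table / sizeof *syscall_table; i++)
        if (strcmp(syscall_table[i].name, name) == 0) return syscall_table[i].nr;
    return -1;
}

/* One syscall name per line; '#' lines are comments, '@' lines are directives
 * (only @unrestricted exists).  Unknown directives or names fail closed (-1). */
int parse_seccomp_profile(const char *text, struct profile *p) {
    memset(p, 0, sizeof *p);
    for (const char *line = text; *line;) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line), i = 0, j = 0;
        char tok[64];
        while (i < len && (line[i] == ' ' || line[i] == '\t')) i++;
        while (i < len && j < sizeof tok - 1 && !strchr(" \t\r", line[i])) tok[j++] = line[i++];
        tok[j] = '\0';
        line = nl ? nl + 1 : line + len;
        if (j == 0 || tok[0] == '#') continue;
        if (tok[0] == '@') {
            if (strcmp(tok, "@unrestricted") != 0) return -1;
            p->unrestricted = 1;
            continue;
        }
        int nr = lookup_syscall(tok);
        if (nr < 0 || p->nsys >= MAX_SYS) return -1;
        p->sys[p->nsys++] = nr;
    }
    return 0;
}

/* BPF program: wrong architecture -> kill (so 32-bit syscall numbers cannot
 * alias the 64-bit table), listed syscalls -> allow, anything else -> kill.
 * Returns the instruction count, 0 for @unrestricted (nothing to install),
 * or -1 if `cap` is too small. */
int build_seccomp_filter(const struct profile *p, struct sock_filter *out, size_t cap) {
    size_t n = 0;
    if (p->unrestricted) return 0;
    if (4 + 2 * (size_t)p->nsys + 1 > cap) return -1;
    out[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    out[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0);
    out[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    out[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (int i = 0; i < p->nsys; i++) {
        out[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)p->sys[i], 0, 1);
        out[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    }
    out[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    return (int)n;
}

int main(int argc, char **argv) {
    char text[8192];
    struct profile p;
    struct sock_filter code[4 + 2 * MAX_SYS + 1];
    FILE *f = argc >= 3 ? fopen(argv[1], "r") : NULL;
    if (!f) { fprintf(stderr, "usage: %s PROFILE-FILE BINARY [ARGS...]\n", argv[0]); return 2; }
    text[fread(text, 1, sizeof text - 1, f)] = '\0';
    fclose(f);
    if (parse_seccomp_profile(text, &p) != 0) { fprintf(stderr, "bad profile\n"); return 1; }
    int n = build_seccomp_filter(&p, code, sizeof code / sizeof *code);
    if (n < 0) { fprintf(stderr, "filter too large\n"); return 1; }
    struct sock_fprog prog = { .len = (unsigned short)n, .filter = code };
    /* NO_NEW_PRIVS lets an unprivileged process install the filter and stops
     * the confined program from regaining privilege through setuid binaries */
    if (n > 0 && (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0 ||
                  prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)) {
        perror("seccomp"); return 1;
    }
    execv(argv[2], argv + 2);  /* execve itself must be allowed by the profile */
    perror("execv"); return 1;
}
```

Two caveats follow from the code. Because the filter is installed before execv, the "super strict" read/write profile from above kills the process at the execve itself; a usable profile must also allow execve and whatever the dynamic loader needs (brk, mmap, close, ...). And SECCOMP_RET_KILL only kills the calling thread; kernels from 4.14 on offer SECCOMP_RET_KILL_PROCESS, which is the better default for a multithreaded application.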
== devices cgroup ==

The devices cgroup part works like this:

- on install of snaps with a special "hardware: assign" yaml, udev rules
  are generated that add tags and properties to the matching hardware
- this launcher creates a device cgroup that is deny-all by default, then
  adds itself to the group and also adds all devices that match the given
  snappy-assign tag and the appname property
- the app is executed and now the normal device permissions/apparmor rules
  apply
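The three steps above, as an added C example that is not the launcher's code: it uses the cgroup v1 devices controller (the hierarchy normally mounted at /sys/fs/cgroup/devices), takes the device nodes to allow from the command line instead of looking them up by udev tag and property, and writes the deny-all and allow rules before moving the pid in. The directory layout, the comma-separated node list and the program name devcg-demo are assumptions; running it against a real cgroup needs root.

```c
/* Added example, not the launcher's code: build a deny-all devices cgroup
 * (cgroup v1 "devices" controller), allow a caller-supplied list of device
 * nodes, and attach a pid.  The udev tag lookup that produces the node list
 * in the launcher is not reproduced here (assumption: the caller passes the
 * matching /dev nodes). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/sysmacros.h>

/* One write(2) per control-file update, which is what cgroupfs expects.
 * O_CREAT and O_APPEND only matter for a dry run against an ordinary
 * directory, where the test below checks what would have been written. */
static int write_ctl(const char *dir, const char *name, const char *data) {
    char path[PATH_MAX];
    if (snprintf(path, sizeof path, "%s/%s", dir, name) >= (int)sizeof path) return -1;
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND, 0644);
    if (fd < 0) return -1;
    ssize_t w = write(fd, data, strlen(data));
    close(fd);
    return w == (ssize_t)strlen(data) ? 0 : -1;
}

/* Read a control file back, e.g. devices.list, which shows the effective rules. */
int read_ctl(const char *dir, const char *name, char *buf, size_t n) {
    char path[PATH_MAX];
    if (snprintf(path, sizeof path, "%s/%s", dir, name) >= (int)sizeof path) return -1;
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t r = read(fd, buf, n - 1);
    close(fd);
    if (r < 0) return -1;
    buf[r] = '\0';
    return 0;
}

/* Turn a device node into a devices-cgroup rule, e.g. "c 1:3 rwm" for
 * /dev/null.  Only char and block devices are meaningful; anything else
 * (a directory, a symlink target that is a plain file) is rejected. */
int device_rule(const char *node, char *out, size_t n) {
    struct stat st;
    if (stat(node, &st) != 0) return -1;
    char type = S_ISCHR(st.st_mode) ? 'c' : S_ISBLK(st.st_mode) ? 'b' : 0;
    if (!type) return -1;
    int r = snprintf(out, n, "%c %u:%u rwm", type, major(st.st_rdev), minor(st.st_rdev));
    return r > 0 && (size_t)r < n ? 0 : -1;
}

/* Order matters: deny everything first, then allow the listed nodes, then
 * move the pid in; the caller exec()s only after this returns 0.  Any
 * failure leaves the pid outside the group, so treat non-zero as "do not
 * launch" rather than as "launch without the cgroup". */
int setup_devices_cgroup(const char *dir, const char *const *nodes, size_t nnodes, pid_t pid) {
    char rule[64], pidbuf[32];
    if (mkdir(dir, 0755) != 0 && errno != EEXIST) return -1;
    if (write_ctl(dir, "devices.deny", "a") != 0) return -1;
    for (size_t i = 0; i < nnodes; i++) {
        if (device_rule(nodes[i], rule, sizeof rule) != 0) return -1;
        if (write_ctl(dir, "devices.allow", rule) != 0) return -1;
    }
    snprintf(pidbuf, sizeof pidbuf, "%d", (int)pid);
    return write_ctl(dir, "cgroup.procs", pidbuf);
}

/* Usage: devcg-demo CGROUP-DIR NODE[,NODE...] BINARY [ARGS...]  ("-" = no nodes) */
int main(int argc, char **argv) {
    const char *nodes[64];
    size_t nnodes = 0;
    if (argc < 4) { fprintf(stderr, "usage: %s CGROUP-DIR NODES BINARY [ARGS...]\n", argv[0]); return 2; }
    if (strcmp(argv[2], "-") != 0)
        for (char *tok = strtok(argv[2], ","); tok && nnodes < 64; tok = strtok(NULL, ","))
            nodes[nnodes++] = tok;
    if (setup_devices_cgroup(argv[1], nodes, nnodes, getpid()) != 0) { perror("devices cgroup"); return 1; }
    execv(argv[3], argv + 3);
    perror("execv"); return 1;
}
```

On a real system, reading devices.list from the new group after setup is the check worth keeping: it shows exactly the rules the kernel will apply, which is what the application sees once the launcher has moved itself in and exec()ed it.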