mirror of
https://github.com/token2/snapd.git
synced 2026-03-13 11:15:47 -07:00
41 lines
819 B
Plaintext
41 lines
819 B
Plaintext
= Overview =
|
|
|
|
The ubuntu-core-launcher launches snappy applications to restrict
|
|
access. It uses apparmor and seccomp to do this.
|
|
|
|
Run with:
|
|
$ ubuntu-core-launcher /path/to/rootdir security-profile /path/to/binary additional args
|
|
|
|
== Apparmor ==
|
|
|
|
The apparmor part is similar to aa-exec -p, i.e. it will load the
|
|
given apparmor profile for the application.
|
|
|
|
|
|
== Seccomp ==
|
|
|
|
The seccomp filter profile in expected to be located in
|
|
/var/lib/snappy/seccomp/profiles
|
|
|
|
The filter file contains lines with syscall names, comments that start
|
|
with "#" or special directives that start with a "@".
|
|
|
|
The supported special directives are:
|
|
@unrestricted
|
|
|
|
The unrestricted profile looks like this:
|
|
"""
|
|
# Unrestricted profile
|
|
@unrestricted
|
|
"""
|
|
|
|
A very strict profile might look like this:
|
|
"""
|
|
# Super strict profile
|
|
read
|
|
write
|
|
"""
|
|
|
|
|
|
|