mirror of
https://github.com/token2/snapd.git
synced 2026-03-13 11:15:47 -07:00
1.0.2
= Overview =

The ubuntu-core-launcher launches snappy applications to restrict
access. It uses apparmor and seccomp to do this.

Run with:

    $ ubuntu-core-launcher /path/to/rootdir security-profile /path/to/binary additional args

== Apparmor ==

The apparmor part is similar to aa-exec -p, i.e. it will load the given
apparmor profile for the application.

== Seccomp ==

The seccomp filter profile is expected to be located in
/var/lib/snappy/seccomp/profiles

The filter file contains lines with syscall names, comments that start
with "#" or special directives that start with a "@".

The supported special directives are:
@unrestricted

The unrestricted profile looks like this:
"""
# Unrestricted profile
@unrestricted
"""

A very strict profile might look like this:
"""
# Super strict profile
read
write
"""

== devices cgroup ==

It works like this:
- on install of snaps with a special hardware:\n assign yaml udev rules
  are generated that add tags and properties to the matching hardware
- this launcher creates a device cgroup that is deny-all by default,
  then adds itself to the group and also adds all devices that match
  the given snappy-assign tag and the appname property
- the app is executed and now the normal device permissions/apparmor
  rules apply
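
The following C example is added here and is not the launcher's own code: it parses the filter-file format described in the Seccomp section (syscall names, "#" comments, the @unrestricted directive) into an allow-list. The name parse_profile, the size limits, rejecting unknown "@" directives and restricting syscall names to letters, digits and "_" are assumptions of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define MAX_SYSCALLS 64   /* limits are assumptions of this example */
#define MAX_NAME 32

struct profile {
    int unrestricted;                 /* set by the @unrestricted directive */
    int count;                        /* number of allow-listed syscall names */
    char names[MAX_SYSCALLS][MAX_NAME];
};

/* Returns 0 on success. Assumption (not stated by the README): any unknown
 * directive or malformed syscall name rejects the whole profile (-1). */
int parse_profile(const char *text, struct profile *p)
{
    memset(p, 0, sizeof(*p));
    while (*text) {
        size_t len = strcspn(text, "\n");
        const char *s = text, *e = text + len;
        text += len + (text[len] == '\n');        /* advance to next line */
        while (s < e && isspace((unsigned char)*s)) s++;
        while (e > s && isspace((unsigned char)e[-1])) e--;
        size_t n = (size_t)(e - s);
        if (n == 0 || *s == '#')
            continue;                 /* blank line or comment */
        if (*s == '@') {
            if (n != strlen("@unrestricted") || strncmp(s, "@unrestricted", n) != 0)
                return -1;            /* unknown directive: fail closed */
            p->unrestricted = 1;
            continue;
        }
        if (n >= MAX_NAME || p->count == MAX_SYSCALLS)
            return -1;
        for (size_t i = 0; i < n; i++)
            if (!isalnum((unsigned char)s[i]) && s[i] != '_')
                return -1;            /* not a syscall-name token */
        memcpy(p->names[p->count], s, n);
        p->names[p->count++][n] = '\0';
    }
    return 0;
}

int main(void)
{
    struct profile p;   /* input below: constructed copy of the strict profile */
    int rc = parse_profile("# Super strict profile\nread\nwrite\n", &p);
    printf("rc=%d unrestricted=%d syscalls=%d\n", rc, p.unrestricted, p.count);
    return rc != 0;
}
```

A caller would treat a -1 result as a reason not to start the application, so a typo in a directive cannot silently produce a looser filter than intended.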