- Oct 3, 2022
- 556
Apparmor profile for Chrome 124 for Ubuntu 24.04 LTS
Save the code as 'opt.google.chrome.chrome' . And place it into '/etc/apparmor.d/' . Then reboot machine.
Apparmor restricts a program to the absolute necessary libraries, and linux resources so that an exploit has less chance to succeed. Additionally, any exploit that successfully attacks the program will not be able to gain persistance because the places where it can save itself does not allow execution. But it depends on a correctly specified profile.
Save the code as 'opt.google.chrome.chrome' . And place it into '/etc/apparmor.d/' . Then reboot machine.
Apparmor restricts a program to the absolute necessary libraries, and linux resources so that an exploit has less chance to succeed. Additionally, any exploit that successfully attacks the program will not be able to gain persistance because the places where it can save itself does not allow execution. But it depends on a correctly specified profile.
#include <tunables/global>
profile /opt/google/chrome/chrome {
abi <abi/3.0>,
#include <abstractions/dbus-accessibility-strict>
#include <abstractions/fonts>
#include <abstractions/base>
# #include <abstractions/ubuntu-browsers.d/chromium-browser>
#include <abstractions/ubuntu-browsers.d/ubuntu-integration>
#include <abstractions/ubuntu-browsers.d/ubuntu-integration-xul>
#include <abstractions/ubuntu-browsers.d/multimedia>
#include <abstractions/ubuntu-browsers.d/productivity>
#include <abstractions/openssl>
#include <abstractions/gnome>
#include <abstractions/audio>
# #include <abstractions/cups-client>
#include <abstractions/dbus-strict>
#include <abstractions/dbus-session-strict>
#include <abstractions/dconf>
#include <abstractions/ibus>
#include <abstractions/nameservice>
#include <abstractions/openssl>
#include <abstractions/p11-kit>
#include <abstractions/ubuntu-unity7-base>
#include <abstractions/ubuntu-unity7-launcher>
@{HOME}/Downloads/ r,
@{HOME}/Downloads/** r,
owner @{HOME}/Downloads/** rw,
# Do not allow read and/or write to particularly sensitive/problematic files
include <abstractions/private-files>
audit deny @{HOME}/.ssh/{,**} mrwkl,
audit deny @{HOME}/.gnome2_private/{,**} mrwkl,
audit deny @{HOME}/.kde{,4}/{,share/,share/apps/} w,
audit deny @{HOME}/.kde{,4}/share/apps/kwallet/{,**} mrwkl,
audit deny @{HOME}/.local/share/kwalletd/{,**} mrwkl,
# Comment this out if using gpg plugin/addons
audit deny @{HOME}/.gnupg/{,**} mrwkl,
# Allow read to all files user has DAC access to and write for files the user
# owns on removable media and filesystems.
# /media/** r,
# /mnt/** r,
# /srv/** r,
# /net/** r,
# owner /media/** w,
# owner /mnt/** w,
# owner /srv/** w,
capability sys_admin ,
capability sys_chroot,
capability sys_ptrace,
network inet stream,
# network inet6 stream,
network inet dgram,
# network inet6 dgram,
network inet seqpacket,
# network inet6 seqpacket,
ptrace ,
# ptrace (trace) peer=@{profile_name},
###############
# Borrowed from snap firefox To make Yubikeys and Passkeys work.
##############
## #include <tunables/global>
## #include if exists "/etc/apparmor.d/tunables/home.d"
#include if exists "/var/lib/snapd/apparmor/snap-tuning"
# snapd supports the concept of 'parallel installs' where snaps with the same
# name are differentiated by '_<instance>' such that foo, foo_bar and foo_baz
# may all be installed on the system. To support this, SNAP_NAME is set to the
# name (eg, 'foo') while SNAP_INSTANCE_NAME is set to the instance name (eg
# 'foo_bar'). The profile name and most rules therefore reference
# SNAP_INSTANCE_NAME. In some cases, snapd will adjust the snap's runtime
# environment so the snap doesn't have to be aware of the distinction (eg,
# SNAP, SNAP_DATA and SNAP_COMMON are all bind mounted onto a directory with
# SNAP_NAME so the security policy will allow writing to both locations (since
# they are equivalent).
# This is a snap name without the instance key
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/openssl>
# While in later versions of the base abstraction, include this explicitly
# for series 16 and cross-distro
### MY CHANGE
# /etc/ld.so.preload r,
# The base abstraction doesn't yet have this
/etc/sysconfig/clock r,
owner @{PROC}/@{pid}/maps k,
# /proc/XXXX/map_files contains the same info than /proc/XXXX/maps, but
# in a format that is simpler to manage, because it doesn't require to
# parse the text data inside a file, but just reading the contents of
# a directory.
# Reading /proc/XXXX/maps is already allowed in the base template
# via <abstractions/base>. Also, only the owner can read it, and the
# kernel limits access to it by requiring 'ptrace' enabled, so allowing
# to access /proc/XXXX/map_files can be considered secure too.
owner @{PROC}/@{pid}/map_files/ r,
# While the base abstraction has rules for encryptfs encrypted home and
# private directories, it is missing rules for directory read on the toplevel
# directory of the mount (LP: #1848919)
owner @{HOME}/.Private/ r,
owner @{HOMEDIRS}/.ecryptfs/*/.Private/ r,
# for python apps/services
#include <abstractions/python>
/etc/python3.[0-9]*/** r,
# explicitly deny noisy denials to read-only filesystems (see LP: #1496895
# for details)
deny /usr/lib/python3*/{,**/}__pycache__/ w,
deny /usr/lib/python3*/{,**/}__pycache__/**.pyc.[0-9]* w,
# bind mount used here (see 'parallel installs', above)
# deny @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/**/__pycache__/ w,
# deny @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/**/__pycache__/*.pyc.[0-9]* w,
# for perl apps/services
#include <abstractions/perl>
# Missing from perl abstraction
/usr/lib/@{multiarch}/perl{,5,-base}/auto/**.so* mr,
# Note: the following dangerous accesses should not be allowed in most
# policy, but we cannot explicitly deny since other trusted interfaces might
# add them.
# Explicitly deny ptrace for now since it can be abused to break out of the
# seccomp sandbox. LKML: "Serge E. Hallyn": seccomp vs ptrace
#audit deny ptrace (trace),
# Explicitly deny capability mknod so apps can't create devices
#audit deny capability mknod,
# Explicitly deny mount, remount and umount so apps can't modify things in
# their namespace
#audit deny mount,
#audit deny remount,
#audit deny umount,
# End dangerous accesses
# Note: this potentially allows snaps to DoS other snaps via resource
# exhaustion but we can't sensibly mediate this today. In the future we may
# employ cgroup limits, AppArmor rlimit mlock rules or something else.
capability ipc_lock,
# for bash 'binaries' (do *not* use abstractions/bash)
# user-specific bash files
/etc/bash.bashrc r,
/etc/inputrc r,
/etc/environment r,
/etc/profile r,
# user/group/seat lookups
/etc/{passwd,group,nsswitch.conf} r, # very common
/var/lib/extrausers/{passwd,group} r,
/run/systemd/users/[0-9]* r,
/etc/default/nss r,
# libnss-systemd (subset from nameservice abstraction)
#
# User/Group Record Lookup API via Varlink
# JSON User Records
# nss-systemd
#
# Allow User/Group lookups via common VarLink socket APIs. Applications need
# to either consult all of them or the io.systemd.Multiplexer frontend.
/run/systemd/userdb/ r,
/run/systemd/userdb/io.systemd.Multiplexer rw,
/run/systemd/userdb/io.systemd.DynamicUser rw, # systemd-exec users
/run/systemd/userdb/io.systemd.Home rw, # systemd-home dirs
/run/systemd/userdb/io.systemd.NameServiceSwitch rw, # UNIX/glibc NSS
/run/systemd/userdb/io.systemd.Machine rw, # systemd-machined
/etc/libnl-3/{classid,pktloc} r, # apps that use libnl
# For snappy reexec on 4.8+ kernels
/usr/lib/snapd/snap-exec m,
# For gdb support
/usr/lib/snapd/snap-gdb-shim ixr,
/usr/lib/snapd/snap-gdbserver-shim ixr,
# For in-snap tab completion
/etc/bash_completion.d/{,*} r,
/usr/lib/snapd/etelpmoc.sh ixr, # marshaller (see complete.sh for out-of-snap unmarshal)
/usr/share/bash-completion/bash_completion r, # user-provided completions (run in-snap) may use functions from here
# uptime
@{PROC}/uptime r,
@{PROC}/loadavg r,
# Allow reading /etc/os-release. On Ubuntu 16.04+ it is a symlink to /usr/lib
# which is allowed by the base abstraction, but on 14.04 it is an actual file
# so need to add it here. Also allow read locks on the file.
/etc/os-release rk,
/usr/lib/os-release k,
# systemd native journal API (see sd_journal_print(4)). This should be in
# AppArmor's base abstraction, but until it is, include here. We include
# the base journal path as well as the journal namespace pattern path. Each
# journal namespace for quota groups will be prefixed with 'snap-'.
/run/systemd/journal{,.snap-*}/socket w,
/run/systemd/journal{,.snap-*}/stdout rw, # 'r' shouldn't be needed, but journald
# doesn't leak anything so allow
# snapctl and its requirements
### MY CHANGE
# /usr/bin/snapctl ixr,
# /usr/lib/snapd/snapctl ixr,
@{PROC}/sys/net/core/somaxconn r,
# /run/snapd-snap.socket rw,
# Note: for now, don't explicitly deny this noisy denial so --devmode isn't
# broken but eventually we may conditionally deny this since it is an
# information leak.
#deny /{,var/}run/utmp r,
# java
@{PROC}/@{pid}/ r,
@{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/auxv r,
@{PROC}/sys/vm/zone_reclaim_mode r,
/etc/lsb-release r,
/sys/devices/**/read_ahead_kb r,
/sys/devices/system/cpu/** r,
/sys/devices/system/node/node[0-9]*/* r,
/sys/kernel/mm/transparent_hugepage/enabled r,
/sys/kernel/mm/transparent_hugepage/defrag r,
# NOTE: this leaks running process but java seems to want it (even though it
# seems to operate ok without it) and SDL apps crash without it. Allow owner
# match until AppArmor kernel var is available to solve this properly (see
# LP: #1546825 for details). comm is a subset of cmdline, so allow it too.
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/comm r,
# Per man(5) proc, the kernel enforces that a thread may only modify its comm
# value or those in its thread group.
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
# Allow reading and writing to our file descriptors in /proc which, for
# example, allow access to /dev/std{in,out,err} which are all symlinks to
# /proc/self/fd/{0,1,2} respectively. To support the open(..., O_TMPFILE)
# linkat() temporary file technique, allow all fds. Importantly, access to
# another task's fd via this proc interface is mediated via 'ptrace (read)'
# (readonly) and 'ptrace (trace)' (read/write) which is denied by default, so
# this rule by itself doesn't allow opening another snap's fds via proc.
owner @{PROC}/@{pid}/{,task/@{tid}}fd/[0-9]* rw,
# Miscellaneous accesses
/dev/{,u}random w,
/etc/machine-id r,
/etc/mime.types r,
@{PROC}/ r,
@{PROC}/version r,
@{PROC}/version_signature r,
/etc/{,writable/}hostname r,
/etc/{,writable/}localtime r,
/etc/{,writable/}mailname r,
/etc/{,writable/}timezone r,
owner @{PROC}/@{pid}/cgroup rk,
@{PROC}/@{pid}/cpuset r,
@{PROC}/@{pid}/io r,
owner @{PROC}/@{pid}/limits r,
owner @{PROC}/@{pid}/loginuid r,
@{PROC}/@{pid}/smaps r,
@{PROC}/@{pid}/stat r,
@{PROC}/@{pid}/statm r,
@{PROC}/@{pid}/status r,
@{PROC}/@{pid}/task/ r,
@{PROC}/@{pid}/task/[0-9]*/smaps r,
@{PROC}/@{pid}/task/[0-9]*/stat r,
@{PROC}/@{pid}/task/[0-9]*/statm r,
@{PROC}/@{pid}/task/[0-9]*/status r,
@{PROC}/sys/fs/pipe-max-size r,
@{PROC}/sys/kernel/hostname r,
@{PROC}/sys/kernel/osrelease r,
@{PROC}/sys/kernel/ostype r,
@{PROC}/sys/kernel/pid_max r,
@{PROC}/sys/kernel/yama/ptrace_scope r,
@{PROC}/sys/kernel/shmmax r,
# Allow apps to introspect the level of dbus mediation AppArmor implements.
/sys/kernel/security/apparmor/features/dbus/mask r,
@{PROC}/sys/fs/file-max r,
@{PROC}/sys/fs/file-nr r,
@{PROC}/sys/fs/inotify/max_* r,
@{PROC}/sys/kernel/pid_max r,
@{PROC}/sys/kernel/random/boot_id r,
@{PROC}/sys/kernel/random/entropy_avail r,
@{PROC}/sys/kernel/random/uuid r,
@{PROC}/sys/kernel/cap_last_cap r,
# Allow access to the uuidd daemon (this daemon is a thin wrapper around
# time and getrandom()/{,u}random and, when available, runs under an
# unprivilged, dedicated user).
/run/uuidd/request rw,
/sys/devices/virtual/tty/{console,tty*}/active r,
/sys/fs/cgroup/memory/{,user.slice/}memory.limit_in_bytes r,
# /sys/fs/cgroup/memory/{,**/}snap.@{SNAP_INSTANCE_NAME}{,.*}/memory.limit_in_bytes r,
#/sys/fs/cgroup/memory/{,**/}snap.@{SNAP_INSTANCE_NAME}{,.*}/memory.stat r,
/sys/fs/cgroup/cpu,cpuacct/{,user.slice/}cpu.cfs_{period,quota}_us r,
#/sys/fs/cgroup/cpu,cpuacct/{,**/}snap.@{SNAP_INSTANCE_NAME}{,.*}/cpu.cfs_{period,quota}_us r,
/sys/fs/cgroup/cpu,cpuacct/{,user.slice/}cpu.shares r,
#/sys/fs/cgroup/cpu,cpuacct/{,**/}snap.@{SNAP_INSTANCE_NAME}{,.*}/cpu.shares r,
/sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
/sys/module/apparmor/parameters/enabled r,
/{,usr/}lib/ r,
# Reads of oom_adj and oom_score_adj are safe
owner @{PROC}/@{pid}/oom_{,score_}adj r,
# Note: for now, don't explicitly deny write access so --devmode isn't broken
# but eventually we may conditionally deny this since it allows the process
# to increase the oom heuristic of other processes (make them more likely to
# be killed). Once AppArmor kernel var is available to solve this properly,
# this can safely be allowed since non-root processes won't be able to
# decrease the value and root processes will only be able to with
# 'capability sys_resource,' which we deny be default.
# deny owner @{PROC}/@{pid}/oom_{,score_}adj w,
# Eases hardware assignment (doesn't give anything away)
/etc/udev/udev.conf r,
/sys/ r,
/sys/bus/ r,
/sys/class/ r,
# this leaks interface names and stats, but not in a way that is traceable
# to the user/device
@{PROC}/net/dev r,
@{PROC}/@{pid}/net/dev r,
# Read-only of this snap
# /var/lib/snapd/snaps/@{SNAP_NAME}_*.snap r,
# Read-only of snapd restart state for snapctl specifically
/var/lib/snapd/maintenance.json r,
# Read-only for the install directory
# bind mount used here (see 'parallel installs', above)
# @{INSTALL_DIR}/{ @{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/ r,
# @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}}/ r,
# @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}}/** mrklix,
# Read-only install directory for other revisions to help with bugs like
# LP: #1616650 and LP: #1655992
# @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/** mrkix,
# Read-only home area for other versions
# bind mount *not* used here (see 'parallel installs', above)
# owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/ r,
# owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/** mrkix,
# Experimental snap folder changes
# owner @{HOME}/.snap/data/@{SNAP_INSTANCE_NAME}/ r,
# owner @{HOME}/.snap/data/@{SNAP_INSTANCE_NAME}/** mrkix,
# owner @{HOME}/.snap/data/@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}/** wl,
# owner @{HOME}/.snap/data/@{SNAP_INSTANCE_NAME}/common/** wl,
# owner @{HOME}/Snap/@{SNAP_INSTANCE_NAME}/ r,
# owner @{HOME}/Snap/@{SNAP_INSTANCE_NAME}/** mrkixwl,
# Writable home area for this version.
# bind mount *not* used here (see 'parallel installs', above)
# owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}/** wl,
# owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/common/** wl,
# Read-only system area for other versions
# bind mount used here (see 'parallel installs', above)
# /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/ r,
# /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/** mrkix,
# Writable system area only for this version
# bind mount used here (see 'parallel installs', above)
# /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/@{SNAP_REVISION}/** wl,
# /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/common/** wl,
# The ubuntu-core-launcher creates an app-specific private restricted /tmp
# and will fail to launch the app if something goes wrong. As such, we can
# simply allow full access to /tmp.
/tmp/ r,
/tmp/** mrwlkix,
# App-specific access to files and directories in /dev/shm. We allow file
# access in /dev/shm for shm_open() and files in subdirectories for open()
# # bind mount *not* used here (see 'parallel installs', above)
# /{dev,run}/shm/snap.@{SNAP_INSTANCE_NAME}.** mrwlkix,
# Also allow app-specific access for sem_open()
# /{dev,run}/shm/sem.snap.@{SNAP_INSTANCE_NAME}.* mrwlk,
# Snap-specific XDG_RUNTIME_DIR that is based on the UID of the user
# bind mount *not* used here (see 'parallel installs', above)
# owner /run/user/[0-9]*/snap.@{SNAP_INSTANCE_NAME}/ rw,
# owner /run/user/[0-9]*/snap.@{SNAP_INSTANCE_NAME}/** mrwklix,
# Allow apps from the same package to communicate with each other via an
# abstract or anonymous socket
# unix (bind, listen) addr="@snap.@{SNAP_INSTANCE_NAME}.**",
# unix peer=(label=snap.@{SNAP_INSTANCE_NAME}.*),
# Allow apps from the same package to communicate with each other via DBus.
# Note: this does not grant access to the DBus sockets of well known buses
# (will still need to use an appropriate interface for that).
# dbus (receive, send) peer=(label=snap.@{SNAP_INSTANCE_NAME}.*),
# In addition to the above, dbus-run-session attempts reading these files
# from the snap base runtime.
/usr/share/dbus-1/services/{,*} r,
/usr/share/dbus-1/system-services/{,*} r,
# Allow apps to perform DBus introspection on org.freedesktop.DBus for both
# the system and session buses.
# Note: this does not grant access to the DBus sockets of these buses, but
# we grant it here since it is missing from the dbus abstractions
# (LP: #1866168)
dbus (send)
bus={session,system}
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(label=unconfined),
# Allow apps from the same package to signal each other via signals
# signal peer=snap.@{SNAP_INSTANCE_NAME}.*,
# Allow receiving signals from all snaps (and focus on mediating sending of
# signals)
signal (receive) peer=snap.*,
# Allow receiving signals from unconfined (eg, systemd)
signal (receive) peer=unconfined,
# for 'udevadm trigger --verbose --dry-run --tag-match=snappy-assign'
/{,usr/}{,s}bin/udevadm ixr,
/etc/udev/udev.conf r,
/{,var/}run/udev/tags/snappy-assign/ r,
@{PROC}/cmdline r,
/sys/devices/**/uevent r,
# LP: #1447237: adding '--property-match=SNAPPY_APP=<pkgname>' to the above
# requires:
# /run/udev/data/* r,
# but that reveals too much about the system and cannot be granted to apps
# by default at this time.
# For convenience, allow apps to see what is in /dev even though cgroups
# will block most access
/dev/ r,
/dev/**/ r,
# Allow setting up pseudoterminal via /dev/pts system. This is safe because
# the launcher uses a per-app devpts newinstance.
/dev/ptmx rw,
# Do the same with /sys/devices and /sys/class to help people using hw-assign
/sys/devices/ r,
/sys/devices/**/ r,
/sys/class/ r,
/sys/class/**/ r,
# Allow all snaps to chroot
capability sys_chroot,
# Lttng tracing is very noisy and should not be allowed by confined apps. Can
# safely deny for the normal case (LP: #1260491). If/when an lttng-trace
# interface is needed, we can rework this.
deny /{dev,run,var/run}/shm/lttng-ust-* rw,
# Allow read-access on /home/ for navigating to other parts of the
# filesystem. While this allows enumerating users, this is already allowed
# via /etc/passwd and getent.
@{HOMEDIRS}/ r,
# Allow read-access to / for navigating to other parts of the filesystem.
/ r,
# Snap-specific run directory. Bind mount *not* used here
# (see 'parallel installs', above)
# /run/snap.@{SNAP_INSTANCE_NAME}/ rw,
# /run/snap.@{SNAP_INSTANCE_NAME}/** mrwklix,
# Snap-specific lock directory and prerequisite navigation permissions.
/run/lock/ r,
# /run/lock/snap.@{SNAP_INSTANCE_NAME}/ rw,
# /run/lock/snap.@{SNAP_INSTANCE_NAME}/** mrwklix,
# Default rules for core base runtimes
# The base abstraction doesn't yet have this
/{,usr/}lib/terminfo/** rk,
/usr/share/terminfo/** k,
/usr/share/zoneinfo/** k,
# for python apps/services
### MY CHANGE
### /usr/bin/python{,2,2.[0-9]*,3,3.[0-9]*} ixr,
# additional accesses needed for newer pythons in later bases
### /usr/lib{,32,64}/python3.[0-9]*/**.{pyc,so} mr,
### /usr/lib{,32,64}/python3.[0-9]*/**.{egg,py,pth} r,
### /usr/lib{,32,64}/python3.[0-9]*/{site,dist}-packages/ r,
### /usr/lib{,32,64}/python3.[0-9]*/lib-dynload/*.so mr,
### /usr/include/python3.[0-9]*/pyconfig.h r,
# for perl apps/services
### MY CHANGE
### /usr/bin/perl{,5*} ixr,
# AppArmor <2.12 doesn't have rules for perl-base, so add them here
/usr/lib/@{multiarch}/perl{,5,-base}/** r,
/usr/lib/@{multiarch}/perl{,5,-base}/[0-9]*/**.so* mr,
# for bash 'binaries' (do *not* use abstractions/bash)
# user-specific bash files
### MY CHANGE
### /{,usr/}bin/bash ixr,
###/{,usr/}bin/dash ixr,
### /usr/share/terminfo/** r,
# Common utilities for shell scripts
###MY CHANGE
# lsb-release
/usr/bin/lsb_release ixr,
/usr/bin/ r,
/usr/share/distro-info/*.csv r,
# For printing the cache (we don't allow updating the cache)
/{,usr/}sbin/ldconfig{,.real} ixr,
# Allow all snaps to chroot
/{,usr/}sbin/chroot ixr,
# Rules added by the mount-control interface
capability sys_admin, # for mount
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/self/mountinfo r,
/{,usr/}bin/mount ixr,
/{,usr/}bin/umount ixr,
# mount/umount (via libmount) track some mount info in these files
/run/mount/utab* wrlk,
mount options=(ro,bind,noatime,noexec) "/usr/share/hunspell" -> "/var/snap/firefox/common/host-hunspell{,/}",
umount "/var/snap/firefox/common/host-hunspell{,/}",
# Access for communication with audio recording service done via
# audio-playback interface. The audio service will verify if the audio-record
# interface is connected.
# Allow access to the Wayland compositor server socket
owner /run/user/[0-9]*/wayland-[0-9]* rw,
# Needed when using QT_QPA_PLATFORM=wayland-egl (MESA dri config)
/etc/drirc r,
# Allow communicating with pulseaudio service
/{run,dev}/shm/pulse-shm-* mrwk,
owner /{,var/}run/pulse/ r,
owner /{,var/}run/pulse/native rwk,
owner /{,var/}run/pulse/pid r,
owner /{,var/}run/user/[0-9]*/ r,
owner /{,var/}run/user/[0-9]*/pulse/ r,
/run/udev/data/c116:[0-9]* r,
/run/udev/data/+sound:card[0-9]* r,
# Allow communicating with pulseaudio service on the desktop in classic distro.
# Only on desktop do we need access to /etc/pulse for any PulseAudio client
# to read available client side configuration settings. On an Ubuntu Core
# device those things will be stored inside the snap directory.
/etc/pulse/ r,
/etc/pulse/** r,
owner @{HOME}/.pulse-cookie rk,
owner @{HOME}/.config/pulse/cookie rk,
owner /{,var/}run/user/*/pulse/ r,
owner /{,var/}run/user/*/pulse/native rwk,
owner /{,var/}run/user/*/pulse/pid r,
# Allow communicating with the cups server for printing and configuration.
#include <abstractions/cups-client>
/{,var/}run/cups/printcap r,
# Allow receiving all DBus signal notifications from the daemon (see
# notifier/dbus.c in cups sources)
dbus (receive)
bus=system
path=/org/cups/cupsd/Notifier
interface=org.cups.cupsd.Notifier
peer=(label="{unconfined,/usr/sbin/cupsd,cupsd}"),
# Allow unconfined clients to interact with the player on classic
dbus (receive)
bus=session
path=/org/mpris/MediaPlayer2
peer=(label=unconfined),
dbus (receive)
bus=session
interface=org.freedesktop.DBus.Introspectable
peer=(label=unconfined),
# Description: Allow operating as an MPRIS player.
# DBus accesses
#include <abstractions/dbus-session-strict>
# MPRIS D-Bus Interface Specification — v2.2
# allow binding to the well-known DBus mpris interface based on the snap's name
# dbus (bind)
# bus=session,
# name="org.mpris.MediaPlayer2.@{SNAP_INSTANCE_NAME}{,.*}",
# register as a player
dbus (send)
bus=system
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member="{Request,Release}Name"
peer=(name=org.freedesktop.DBus, label=unconfined),
dbus (send)
bus=system
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member="GetConnectionUnix{ProcessID,User}"
peer=(name=org.freedesktop.DBus, label=unconfined),
dbus (send)
bus=session
path=/org/mpris/MediaPlayer2
interface=org.freedesktop.DBus.Properties
member="{GetAll,PropertiesChanged}"
peer=(name=org.freedesktop.DBus, label=unconfined),
dbus (send)
bus=session
path=/org/mpris/MediaPlayer2
interface="org.mpris.MediaPlayer2{,.Player}"
peer=(name=org.freedesktop.DBus, label=unconfined),
# we can always connect to ourselves
dbus (receive)
bus=session
path=/org/mpris/MediaPlayer2
peer=(label=@{profile_name}),
# Description: Allow owning a name on DBus public bus
#include <abstractions/dbus-session-strict>
# register on DBus
dbus (send)
bus=session
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member="{Request,Release}Name"
peer=(name=org.freedesktop.DBus, label=unconfined),
dbus (send)
bus=session
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member="GetConnectionUnix{ProcessID,User}"
peer=(name=org.freedesktop.DBus, label=unconfined),
dbus (send)
bus=session
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member="GetConnectionCredentials"
peer=(name=org.freedesktop.DBus, label=unconfined),
# bind to a well-known DBus name: org.mozilla.firefox
dbus (bind)
bus=session
name=org.mozilla.firefox,
# For KDE applications and some other cases, also support alternation for:
# - using org.kde.foo-PID as the 'well-known' name
# - using org.foo.cmd_<num>_<num> as the 'well-known' name
# Note, snapd does not allow declaring a 'well-known' name that ends with
# '-[0-9]+' or that contains '_'. Parallel installs of DBus services aren't
# supported at this time, but if they were, this could allow a parallel
# install'swell-known name to overlap with the normal install.
dbus (bind)
bus=session
name=org.mozilla.firefox{_,-}[1-9]{,[0-9_]}{,[0-9_]}{,[0-9_]}{,[0-9_]}{,[0-9_]}{,[0-9_]}{,[0-9_]}{,[0-9_]}{,[0-9]}{,_[1-9]{,[0-9_]}{,[0-9_]}{,[0-9_]}{,[0-9_]}{,[0-9_]}{,[0-9_]}{,[0-9_]}{,[0-9_]}{,[0-9]}},
# For Firefox, support using org.mozilla.firefox.<id> as the 'well-known' name
# where <id> is the base64-encoded profile name.
# See 1441894 - Snap apparmor denial binding to dbus for a discussion and details.
dbus (bind)
bus=session
name="org.mozilla.firefox.*",
# Allow us to talk to dbus-daemon
dbus (receive)
bus=session
path="/org/mozilla/firefox{,/**}"
peer=(name=org.freedesktop.DBus, label=unconfined),
dbus (send)
bus=session
path="/org/mozilla/firefox{,/**}"
interface=org.freedesktop.DBus.Properties
peer=(name=org.freedesktop.DBus, label=unconfined),
# Allow us to introspect org.freedesktop.DBus (needed by pydbus)
dbus (send)
bus=session
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(name=org.freedesktop.DBus, label=unconfined),
# Description: Allow reading and writing to joystick devices
#
# Old joystick interface
#
# Per linux/Documentation/admin-guide/devices.txt at master · torvalds/linux
# only js0-js31 is valid so limit the /dev and udev entries to those devices.
/dev/input/js{[0-9],[12][0-9],3[01]} rw,
/run/udev/data/c13:{[0-9],[12][0-9],3[01]} r,
#
# New evdev-joystick interface
#
# Per linux/Documentation/admin-guide/devices.txt at master · torvalds/linux
# the minor is 65 and up so limit udev to that.
/run/udev/data/c13:{6[5-9],[7-9][0-9],[1-9][0-9][0-9]*} r,
# /dev/input/event* is unfortunately not namespaced and includes all input
# devices, including keyboards and mice, which allows input sniffing and
# injection. Until we have inode tagging of devices, we use a glob rule here
# and rely on udev tagging to only add evdev devices to the snap's device
# cgroup that are marked with ENV{ID_INPUT_JOYSTICK}=="1". As such, even though
# AppArmor allows all evdev, the device cgroup does not.
/dev/input/event[0-9]* rw,
# Allow reading for supported event reports for all input devices. See
# https://www.kernel.org/doc/Documentation/input/event-codes.txt
# FIXME: this is a very minor information leak and snapd should instead query
# udev for the specific accesses associated with the above devices.
/sys/devices/**/input[0-9]*/capabilities/* r,
# Description: Allow write access to u2f hidraw devices.
# Use a glob rule and rely on device cgroup for mediation.
/dev/hidraw* rw,
# char 234-254 are used for dynamic assignment, which u2f devices are
/run/udev/data/c23[4-9]:* r,
/run/udev/data/c24[0-9]:* r,
/run/udev/data/c25[0-4]:* r,
# misc required accesses
/run/udev/data/+power_supply:hid* r,
/run/udev/data/c14:[0-9]* r,
/sys/devices/**/i2c*/**/report_descriptor r,
/sys/devices/**/usb*/**/report_descriptor r,
# Description: Can access Unity7. Note, Unity 7 runs on X and requires access
# to various DBus services and this environment does not prevent eavesdropping
# or apps interfering with one another.
#include <abstractions/dbus-strict>
#include <abstractions/dbus-session-strict>
# Allow finding the DBus session bus id (eg, via dbus_bus_get_id())
dbus (send)
bus=session
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member=GetId
peer=(name=org.freedesktop.DBus, label=unconfined),
#include <abstractions/X>
#include <abstractions/fonts>
owner @{HOME}/.local/share/fonts/{,**} r,
/var/cache/fontconfig/ r,
/var/cache/fontconfig/** mr,
# subset of gnome abstraction
/etc/gnome/defaults.list r,
/etc/gtk-*/* r,
# /usr/lib{,32,64}/gtk-*/** mr,
# /usr/lib{,32,64}/gdk-pixbuf-*/** mr,
# /usr/lib/@{multiarch}/gtk-*/** mr,
# /usr/lib/@{multiarch}/gdk-pixbuf-*/** mr,
/etc/pango/* r,
/usr/lib{,32,64}/pango/** mr,
/usr/lib/@{multiarch}/pango/** mr,
/usr/share/icons/ r,
/usr/share/icons/** r,
/usr/share/icons/*/index.theme rk,
/usr/share/pixmaps/ r,
/usr/share/pixmaps/** r,
# The snapcraft desktop part may look for schema files in various locations, so
# allow reading system installed schemas.
/usr/share/glib*/schemas/{,*} r,
# Snappy's 'xdg-open' talks to the snapd-xdg-open service which currently works
# only in environments supporting dbus-send (eg, X11). In the future once
# snappy's xdg-open supports all snaps images, this access may move to another
# interface. This is duplicated from desktop for compatibility with existing
# snaps.
/usr/bin/xdg-open ixr,
# While /usr/share/applications comes from the base runtime of the snap, it
# has some things that snaps actually need, so allow access to those and deny
# access to the others. This is duplicated from desktop for compatibility with
# existing snaps.
/usr/share/applications/ r,
/usr/share/applications/mimeapps.list r,
/usr/share/applications/xdg-open.desktop r,
# silence noisy denials from desktop files in core* snaps that aren't usable by
# snaps
deny /usr/share/applications/python*.desktop r,
deny /usr/share/applications/vim.desktop r,
deny /usr/share/applications/snap-handle-link.desktop r, # core16
# This allow access to the first version of the snapd-xdg-open
# version which was shipped outside of snapd
dbus (send)
bus=session
path=/
interface=com.canonical.SafeLauncher
member=OpenURL
peer=(label=unconfined),
# ... and this allows access to the new xdg-open service which
# is now part of snapd itself.
dbus (send)
bus=session
path=/io/snapcraft/Launcher
interface=io.snapcraft.Launcher
member={OpenURL,OpenFile}
peer=(label=unconfined),
# Allow use of snapd's internal 'xdg-settings'
/usr/bin/xdg-settings ixr,
dbus (send)
bus=session
path=/io/snapcraft/Settings
interface=io.snapcraft.Settings
member={Check,CheckSub,Get,GetSub,Set,SetSub}
peer=(label=unconfined),
# input methods (ibus)
# subset of ibus abstraction
/usr/lib/@{multiarch}/gtk-2.0/[0-9]*/immodules/im-ibus.so mr,
owner @{HOME}/.config/ibus/ r,
owner @{HOME}/.config/ibus/bus/ r,
owner @{HOME}/.config/ibus/bus/* r,
# allow communicating with ibus-daemon (this allows sniffing key events)
unix (connect, receive, send)
type=stream
peer=(addr="@/tmp/ibus/dbus-*"),
# abstract path in ibus >= 1.5.22 uses $XDG_CACHE_HOME (ie, @{HOME}/.cache)
# This should use this, but due to LP: #1856738 we cannot
#unix (connect, receive, send)
# type=stream
# peer=(addr="@@{HOME}/.cache/ibus/dbus-*"),
unix (connect, receive, send)
type=stream
peer=(addr="@/home/*/.cache/ibus/dbus-*"),
# input methods (mozc)
# allow communicating with mozc server (TODO: investigate if allows sniffing)
unix (connect, receive, send)
type=stream
peer=(addr="@tmp/.mozc.*"),
# input methods (fcitx)
# allow communicating with fcitx dbus service
dbus send
bus=fcitx
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
peer=(name=org.freedesktop.DBus),
owner @{HOME}/.config/fcitx/dbus/* r,
# allow creating an input context
dbus send
bus={fcitx,session}
path=/inputmethod
interface=org.fcitx.Fcitx.InputMethod
member=CreateIC*
peer=(label=unconfined),
# allow setting up and tearing down the input context
dbus send
bus={fcitx,session}
path=/inputcontext_[0-9]*
interface=org.fcitx.Fcitx.InputContext
member="{Close,Destroy,Enable}IC"
peer=(label=unconfined),
dbus send
bus={fcitx,session}
path=/inputcontext_[0-9]*
interface=org.fcitx.Fcitx.InputContext
member=Reset
peer=(label=unconfined),
# allow service to send us signals
dbus receive
bus=fcitx
peer=(label=unconfined),
dbus receive
bus=session
interface=org.fcitx.Fcitx.*
peer=(label=unconfined),
# use the input context
dbus send
bus={fcitx,session}
path=/inputcontext_[0-9]*
interface=org.fcitx.Fcitx.InputContext
member="Focus{In,Out}"
peer=(label=unconfined),
dbus send
bus={fcitx,session}
path=/inputcontext_[0-9]*
interface=org.fcitx.Fcitx.InputContext
member="{CommitPreedit,Set*}"
peer=(label=unconfined),
# this is an information leak and allows key and mouse sniffing. If the input
# context path were tied to the process' security label, this would not be an
# issue.
dbus send
bus={fcitx,session}
path=/inputcontext_[0-9]*
interface=org.fcitx.Fcitx.InputContext
member="{MouseEvent,ProcessKeyEvent}"
peer=(label=unconfined),
# this method does not exist with the sunpinyin backend (at least), so allow
# it for other input methods. This may consitute an information leak (which,
# again, could be avoided if the path were tied to the process' security
# label).
dbus send
bus={fcitx,session}
path=/inputcontext_[0-9]*
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(label=unconfined),
# Needed by QtSystems on X to detect mouse and keyboard. Note, the 'netlink
# raw' rule is not finely mediated by apparmor so we mediate with seccomp arg
# filtering.
### MY CHANGE
### network netlink raw,
/run/udev/data/c13:[0-9]* r,
/run/udev/data/+input:* r,
# subset of freedesktop.org
/usr/share/mime/** r,
owner @{HOME}/.local/share/mime/** r,
owner @{HOME}/.config/user-dirs.* r,
/etc/xdg/user-dirs.conf r,
/etc/xdg/user-dirs.defaults r,
# gtk settings (subset of gnome abstraction)
owner @{HOME}/.config/gtk-2.0/gtkfilechooser.ini r,
owner @{HOME}/.config/gtk-3.0/settings.ini r,
# Note: this leaks directory names that wouldn't otherwise be known to the snap
owner @{HOME}/.config/gtk-3.0/bookmarks r,
# accessibility
#include <abstractions/dbus-accessibility-strict>
dbus (send)
bus=session
path=/org/a11y/bus
interface=org.a11y.Bus
member=GetAddress
peer=(label=unconfined),
dbus (send)
bus=session
path=/org/a11y/bus
interface=org.freedesktop.DBus.Properties
member=Get{,All}
peer=(label=unconfined),
# unfortunate, but org.a11y.atspi is not designed for separation
dbus (receive, send)
bus=accessibility
path=/org/a11y/atspi/**
peer=(label=unconfined),
# org.freedesktop.Accounts
dbus (send)
bus=system
path=/org/freedesktop/Accounts
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(label=unconfined),
dbus (send)
bus=system
path=/org/freedesktop/Accounts
interface=org.freedesktop.Accounts
member=FindUserById
peer=(label=unconfined),
# Get() is an information leak
# TODO: verify what it is leaking
dbus (receive, send)
bus=system
path=/org/freedesktop/Accounts/User[0-9]*
interface=org.freedesktop.DBus.Properties
member={Get,PropertiesChanged}
peer=(label=unconfined),
# gmenu
# Note: the gmenu DBus api was not designed for application isolation and apps
# may specify anything as their 'path'. For example, these work in the many
# cases:
# - /org/gtk/Application/anonymous{,/**}
# - /com/canonical/unity/gtk/window/[0-9]*
# but libreoffice does:
# - /org/libreoffice{,/**}
# As such, cannot mediate by DBus path so we'll be as strict as we can in the
# other mediated parts
dbus (send)
bus=session
interface=org.gtk.Actions
member=Changed
peer=(label=unconfined),
dbus (receive)
bus=session
interface=org.gtk.Actions
member={Activate,DescribeAll,SetState}
peer=(label=unconfined),
dbus (receive)
bus=session
interface=org.gtk.Menus
member={Start,End}
peer=(label=unconfined),
dbus (send)
bus=session
interface=org.gtk.Menus
member=Changed
peer=(label=unconfined),
# Ubuntu menus
dbus (send)
bus=session
path="/com/ubuntu/MenuRegistrar"
interface="com.ubuntu.MenuRegistrar"
member="{Register,Unregister}{App,Surface}Menu"
peer=(label=unconfined),
# url helper
dbus (send)
bus=session
interface=com.canonical.SafeLauncher.OpenURL
peer=(label=unconfined),
# new url helper (part of snap userd)
dbus (send)
bus=session
interface=io.snapcraft.Launcher.OpenURL
peer=(label=unconfined),
# dbusmenu
dbus (send)
bus=session
path=/{MenuBar{,/[0-9A-F]*},com/canonical/{menu/[0-9A-F]*,dbusmenu}}
interface=com.canonical.dbusmenu
member="{LayoutUpdated,ItemsPropertiesUpdated}"
peer=(label=unconfined),
dbus (receive)
bus=session
path=/{MenuBar{,/[0-9A-F]*},com/canonical/{menu/[0-9A-F]*,dbusmenu}}
interface="{com.canonical.dbusmenu,org.freedesktop.DBus.Properties}"
member=Get*
peer=(label=unconfined),
dbus (receive)
bus=session
path=/{MenuBar{,/[0-9A-F]*},com/canonical/{menu/[0-9A-F]*,dbusmenu}}
interface=com.canonical.dbusmenu
member="{AboutTo*,Event*}"
peer=(label=unconfined),
dbus (receive)
bus=session
path=/{MenuBar{,/[0-9A-F]*},com/canonical/{menu/[0-9A-F]*,dbusmenu}}
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(label=unconfined),
dbus (receive)
bus=session
path=/com/canonical/dbusmenu
interface=org.freedesktop.DBus.Properties
member=Get*
peer=(label=unconfined),
# app-indicators
dbus (send)
bus=session
path=/StatusNotifierWatcher
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(name=org.kde.StatusNotifierWatcher, label=unconfined),
dbus (send)
bus=session
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member="{GetConnectionUnixProcessID,RequestName,ReleaseName}"
peer=(name=org.freedesktop.DBus, label=unconfined),
dbus (bind)
bus=session
name=org.kde.StatusNotifierItem-[0-9]*,
dbus (send)
bus=session
path=/StatusNotifierWatcher
interface=org.freedesktop.DBus.Properties
member=Get
peer=(name=org.kde.StatusNotifierWatcher, label=unconfined),
dbus (send)
bus=session
path=/{StatusNotifierWatcher,org/ayatana/NotificationItem/*}
interface=org.kde.StatusNotifierWatcher
member=RegisterStatusNotifierItem
peer=(label=unconfined),
dbus (send)
bus=session
path=/{StatusNotifierItem,org/ayatana/NotificationItem/*}
interface=org.kde.StatusNotifierItem
member="New{AttentionIcon,Icon,IconThemePath,OverlayIcon,Status,Title,ToolTip}"
peer=(label=unconfined),
dbus (receive)
bus=session
path=/{StatusNotifierItem,org/ayatana/NotificationItem/*}
interface=org.kde.StatusNotifierItem
member={Activate,ContextMenu,Scroll,SecondaryActivate,ProvideXdgActivationToken,XAyatanaSecondaryActivate}
peer=(label=unconfined),
dbus (send)
bus=session
path=/{StatusNotifierItem/menu,org/ayatana/NotificationItem/*/Menu}
interface=com.canonical.dbusmenu
member="{LayoutUpdated,ItemsPropertiesUpdated}"
peer=(label=unconfined),
dbus (receive)
bus=session
path=/{StatusNotifierItem,StatusNotifierItem/menu,org/ayatana/NotificationItem/**}
interface={org.freedesktop.DBus.Properties,com.canonical.dbusmenu}
member={Get*,AboutTo*,Event*}
peer=(label=unconfined),
# notifications
dbus (send)
bus=session
path=/org/freedesktop/Notifications
interface=org.freedesktop.Notifications
member="{GetCapabilities,GetServerInformation,Notify,CloseNotification}"
peer=(label=unconfined),
dbus (receive)
bus=session
path=/org/freedesktop/Notifications
interface=org.freedesktop.Notifications
member={ActionInvoked,NotificationClosed,NotificationReplied}
peer=(label=unconfined),
# KDE Plasma's Inhibited property indicating "do not disturb" mode
# libnotificationmanager/dbus/org.freedesktop.Notifications.xml · master · Plasma / Plasma Workspace · GitLab
dbus (send)
bus=session
path=/org/freedesktop/Notifications
interface=org.freedesktop.DBus.Properties
member="Get{,All}"
peer=(label=unconfined),
dbus (receive)
bus=session
path=/org/freedesktop/Notifications
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(label=unconfined),
dbus (send)
bus=session
path=/org/ayatana/NotificationItem/*
interface=org.kde.StatusNotifierItem
member=XAyatanaNew*
peer=(label=unconfined),
# unity launcher
dbus (send)
bus=session
path=/com/canonical/unity/launcherentry/[0-9]*
interface=com.canonical.Unity.LauncherEntry
member=Update
peer=(label=unconfined),
dbus (send)
bus=session
path=/com/canonical/unity/launcherentry/[0-9]*
interface=com.canonical.dbusmenu
member="{LayoutUpdated,ItemsPropertiesUpdated}"
peer=(label=unconfined),
dbus (receive)
bus=session
path=/com/canonical/unity/launcherentry/[0-9]*
interface="{com.canonical.dbusmenu,org.freedesktop.DBus.Properties}"
member=Get*
peer=(label=unconfined),
# Support applications which use the unity messaging menu, xdg-mime, etc
# This leaks the names of snaps with desktop files
/var/lib/snapd/desktop/applications/ r,
# Allowing reading only our desktop files (required by (at least) the unity
# messaging menu).
# parallel-installs: this leaks read access to desktop files owned by keyed
# instances of @{SNAP_NAME} to @{SNAP_NAME} snap
# /var/lib/snapd/desktop/applications/@{SNAP_INSTANCE_DESKTOP}_*.desktop r,
# Explicitly deny access to other snap's desktop files
# deny /var/lib/snapd/desktop/applications/@{SNAP_INSTANCE_DESKTOP}[^_.]*.desktop r,
deny /var/lib/snapd/desktop/applications/[^f]* r,
deny /var/lib/snapd/desktop/applications/f[^i]* r,
deny /var/lib/snapd/desktop/applications/fi[^r]* r,
deny /var/lib/snapd/desktop/applications/fir[^e]* r,
deny /var/lib/snapd/desktop/applications/fire[^f]* r,
deny /var/lib/snapd/desktop/applications/firef[^o]* r,
deny /var/lib/snapd/desktop/applications/firefo[^x]* r,
# Snaps are unable to use the data in mimeinfo.cache (since they can't execute
# the returned desktop file themselves). unity messaging menu doesn't require
# mimeinfo.cache and xdg-mime will fallback to reading the desktop files
# directly to look for MimeType. Since reading the snap's own desktop files is
# allowed, we can safely deny access to this file (and xdg-mime will either
# return one of the snap's mimetypes, or none).
deny /var/lib/snapd/desktop/applications/mimeinfo.cache r,
# then allow talking to Unity DBus service
dbus (send)
bus=session
interface=org.freedesktop.DBus.Properties
path=/com/canonical/indicator/messages/service
member=GetAll
peer=(label=unconfined),
dbus (send)
bus=session
path=/com/canonical/indicator/messages/service
interface=com.canonical.indicator.messages.service
member={Register,Unregister}Application
peer=(label=unconfined),
# When @{SNAP_NAME} == @{SNAP_INSTANCE_NAME}, this rule
# allows the snap to access parallel installs of this snap.
dbus (receive)
bus=session
interface=org.freedesktop.DBus.Properties
path=/com/canonical/indicator/messages/firefox_*_desktop
member=GetAll
peer=(label=unconfined),
# When @{SNAP_NAME} == @{SNAP_INSTANCE_NAME}, this rule
# allows the snap to access parallel installs of this snap.
dbus (receive, send)
bus=session
interface=com.canonical.indicator.messages.application
path=/com/canonical/indicator/messages/firefox_*_desktop
peer=(label=unconfined),
# This rule is meant to be covered by abstractions/dbus-session-strict but
# the unity launcher code has a typo that uses /org/freedesktop/dbus as the
# path instead of /org/freedesktop/DBus, so we need to all it here.
dbus (send)
bus=session
path=/org/freedesktop/dbus
interface=org.freedesktop.DBus
member=NameHasOwner
peer=(name=org.freedesktop.DBus, label=unconfined),
# appmenu
dbus (send)
bus=session
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member=ListNames
peer=(name=org.freedesktop.DBus, label=unconfined),
dbus (send)
bus=session
path=/com/canonical/AppMenu/Registrar
interface=com.canonical.AppMenu.Registrar
member="{RegisterWindow,UnregisterWindow}"
peer=(label=unconfined),
dbus (send)
bus=session
path=/com/canonical/AppMenu/Registrar
interface=com.canonical.dbusmenu
member=UnregisterWindow
peer=(label=unconfined),
dbus (receive)
bus=session
path=/com/canonical/menu/[0-9]*
interface="{org.freedesktop.DBus.Properties,com.canonical.dbusmenu}"
member="{GetAll,GetLayout}"
peer=(label=unconfined),
# Allow requesting interest in receiving media key events. This tells Gnome
# settings that our application should be notified when key events we are
# interested in are pressed, and allows us to receive those events.
dbus (receive, send)
bus=session
interface=org.gnome.SettingsDaemon.MediaKeys
path=/org/gnome/SettingsDaemon/MediaKeys
peer=(label=unconfined),
dbus (send)
bus=session
interface=org.freedesktop.DBus.Properties
path=/org/gnome/SettingsDaemon/MediaKeys
member="Get{,All}"
peer=(label=unconfined),
# Allow checking status, activating and locking the screensaver
# mate
dbus (send)
bus=session
path="/{,org/mate/}ScreenSaver"
interface=org.mate.ScreenSaver
member="{GetActive,GetActiveTime,Lock,SetActive}"
peer=(label=unconfined),
dbus (receive)
bus=session
path="/{,org/mate/}ScreenSaver"
interface=org.mate.ScreenSaver
member=ActiveChanged
peer=(label=unconfined),
# Unity
dbus (send)
bus=session
interface=com.canonical.Unity.Session
path=/com/canonical/Unity/Session
member="{ActivateScreenSaver,IsLocked,Lock}"
peer=(label=unconfined),
# Allow unconfined to introspect us
dbus (receive)
bus=session
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(label=unconfined),
# gtk2/gvfs gtk_show_uri()
dbus (send)
bus=session
path=/org/gtk/vfs/mounttracker
interface=org.gtk.vfs.MountTracker
member=ListMountableInfo,
dbus (send)
bus=session
path=/org/gtk/vfs/mounttracker
interface=org.gtk.vfs.MountTracker
member=LookupMount,
# Description: Can access basic graphical desktop resources. To be used with
# other interfaces (eg, wayland).
#include <abstractions/dbus-strict>
#include <abstractions/dbus-session-strict>
# Allow finding the DBus session bus id (eg, via dbus_bus_get_id())
dbus (send)
bus=session
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member=GetId
peer=(name=org.freedesktop.DBus, label=unconfined),
#include <abstractions/fonts>
owner @{HOME}/.local/share/fonts/{,**} r,
/var/cache/fontconfig/ r,
/var/cache/fontconfig/** mr,
# some applications are known to mmap fonts
/usr/{,local/}share/fonts/** m,
# Allow access to xdg-document-portal file system. Access control is
# handled by bind mounting a snap-specific sub-tree to this location
# (ie, this is /run/user/<uid>/doc/by-app/snap.@{SNAP_INSTANCE_NAME}
# on the host).
owner /run/user/[0-9]*/doc/{,*/} r,
# Allow rw access without owner match to the documents themselves since
# the user guided the access and can specify anything DAC allows.
/run/user/[0-9]*/doc/*/** rw,
# Allow access to xdg-desktop-portal and xdg-document-portal
dbus (receive, send)
bus=session
interface=org.freedesktop.portal.*
path=/org/freedesktop/portal/{desktop,documents}{,/**}
peer=(label=unconfined),
dbus (receive, send)
bus=session
interface=org.freedesktop.DBus.Properties
path=/org/freedesktop/portal/{desktop,documents}{,/**}
peer=(label=unconfined),
# The portals service is normally running and newer versions of
# xdg-desktop-portal include AssumedAppArmor=unconfined. Since older
# systems don't have this and because gtkfilechoosernativeportal.c relies on
# service activation, allow sends to peer=(name=org.freedesktop.portal.{Desktop,Documents})
# for service activation.
dbus (send)
bus=session
interface=org.freedesktop.portal.*
path=/org/freedesktop/portal/desktop{,/**}
peer=(name=org.freedesktop.portal.Desktop),
dbus (send)
bus=session
interface=org.freedesktop.DBus.Properties
path=/org/freedesktop/portal/desktop{,/**}
peer=(name=org.freedesktop.portal.Desktop),
dbus (send)
bus=session
interface=org.freedesktop.portal.*
path=/org/freedesktop/portal/documents{,/**}
peer=(name=org.freedesktop.portal.Documents),
dbus (send)
bus=session
interface=org.freedesktop.DBus.Properties
path=/org/freedesktop/portal/documents{,/**}
peer=(name=org.freedesktop.portal.Documents),
# Allow to get the current idle time only from Mutter
dbus (send)
bus=session
path="/org/gnome/Mutter/IdleMonitor/Core"
interface="org.gnome.Mutter.IdleMonitor"
member="GetIdletime"
peer=(label=unconfined),
# Description: Can access common desktop legacy methods. This gives privileged
# access to the user's input.
# accessibility (a11y)
#include <abstractions/dbus-session-strict>
dbus (send)
bus=session
path=/org/a11y/bus
interface=org.a11y.Bus
member=GetAddress
peer=(label=unconfined),
#include <abstractions/dbus-accessibility-strict>
# Allow access to the non-abstract D-Bus socket used by at-spi > 2.42.0
# Snap confined applications cannot connect to a11y bus (#43) · Issues · GNOME / at-spi2-core · GitLab
owner /{,var/}run/user/[0-9]*/at-spi/bus* rw,
# Allow access to the socket used by speech-dispatcher
owner /{,var/}run/user/[0-9]*/speech-dispatcher/speechd.sock rw,
# Allow the accessibility services in the user session to send us any events
dbus (receive)
bus=accessibility
peer=(label=unconfined),
# Allow querying for capabilities and registering
dbus (send)
bus=accessibility
path="/org/a11y/atspi/accessible/root"
interface="org.a11y.atspi.Socket"
member="Embed"
peer=(name=org.a11y.atspi.Registry, label=unconfined),
dbus (send)
bus=accessibility
path="/org/a11y/atspi/registry"
interface="org.a11y.atspi.Registry"
member="GetRegisteredEvents"
peer=(name=org.a11y.atspi.Registry, label=unconfined),
dbus (send)
bus=accessibility
path="/org/a11y/atspi/registry/deviceeventcontroller"
interface="org.a11y.atspi.DeviceEventController"
member="Get{DeviceEvent,Keystroke}Listeners"
peer=(name=org.a11y.atspi.Registry, label=unconfined),
dbus (send)
bus=accessibility
path="/org/a11y/atspi/registry/deviceeventcontroller"
interface="org.a11y.atspi.DeviceEventController"
member="NotifyListenersSync"
peer=(name=org.a11y.atspi.Registry, label=unconfined),
# org.a11y.atspi is not designed for application isolation and these rules
# can be used to send change events for other processes.
dbus (send)
bus=accessibility
path="/org/a11y/atspi/accessible/root"
interface="org.a11y.atspi.Event.Object"
member="ChildrenChanged"
peer=(name=org.freedesktop.DBus, label=unconfined),
dbus (send)
bus=accessibility
path="/org/a11y/atspi/accessible/root"
interface="org.a11y.atspi.Accessible"
member="Get*"
peer=(label=unconfined),
dbus (send)
bus=accessibility
path="/org/a11y/atspi/accessible/[0-9]*"
interface="org.a11y.atspi.Event.Object"
member="{ChildrenChanged,PropertyChange,StateChanged,TextCaretMoved}"
peer=(name=org.freedesktop.DBus, label=unconfined),
dbus (send)
bus=accessibility
path="/org/a11y/atspi/accessible/[0-9]*"
interface="org.freedesktop.DBus.Properties"
member="Get{,All}"
peer=(label=unconfined),
dbus (send)
bus=accessibility
path="/org/a11y/atspi/cache"
interface="org.a11y.atspi.Cache"
member="{Add,Remove}Accessible"
peer=(name=org.freedesktop.DBus, label=unconfined),
# ibus
# subset of ibus abstraction
/usr/lib/@{multiarch}/gtk-2.0/[0-9]*/immodules/im-ibus.so mr,
owner @{HOME}/.config/ibus/ r,
owner @{HOME}/.config/ibus/bus/ r,
owner @{HOME}/.config/ibus/bus/* r,
# allow communicating with ibus-daemon (this allows sniffing key events)
unix (connect, receive, send)
type=stream
peer=(addr="@/tmp/ibus/dbus-*"),
# abstract path in ibus >= 1.5.22 uses $XDG_CACHE_HOME (ie, @{HOME}/.cache)
# This should use this, but due to LP: #1856738 we cannot
#unix (connect, receive, send)
# type=stream
# peer=(addr="@@{HOME}/.cache/ibus/dbus-*"),
unix (connect, receive, send)
type=stream
peer=(addr="@/home/*/.cache/ibus/dbus-*"),
# when running with glib >= 2.75.0, ibus uses a regular socket
owner @{HOME}/.cache/ibus/dbus-* rw,
# mozc
# allow communicating with mozc server
unix (connect, receive, send)
type=stream
peer=(addr="@tmp/.mozc.*"),
# fcitx
# allow communicating with fcitx dbus service
dbus send
bus=fcitx
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
peer=(name=org.freedesktop.DBus),
owner @{HOME}/.config/fcitx/dbus/* r,
# allow creating an input context
dbus send
bus={fcitx,session}
path=/inputmethod
interface=org.fcitx.Fcitx.InputMethod
member=CreateIC*
peer=(label=unconfined),
# allow setting up and tearing down the input context
dbus send
bus={fcitx,session}
path=/inputcontext_[0-9]*
interface=org.fcitx.Fcitx.InputContext
member="{Close,Destroy,Enable}IC"
peer=(label=unconfined),
dbus send
bus={fcitx,session}
path=/inputcontext_[0-9]*
interface=org.fcitx.Fcitx.InputContext
member=Reset
peer=(label=unconfined),
# allow service to send us signals
dbus receive
bus=fcitx
peer=(label=unconfined),
dbus receive
bus=session
interface=org.fcitx.Fcitx.*
peer=(label=unconfined),
# use the input context
dbus send
bus={fcitx,session}
path=/inputcontext_[0-9]*
interface=org.fcitx.Fcitx.InputContext
member="Focus{In,Out}"
peer=(label=unconfined),
dbus send
bus={fcitx,session}
path=/inputcontext_[0-9]*
interface=org.fcitx.Fcitx.InputContext
member="{CommitPreedit,Set*}"
peer=(label=unconfined),
# this is an information leak and allows key and mouse sniffing. If the input
# context path were tied to the process' security label, this would not be an
# issue.
dbus send
bus={fcitx,session}
path=/inputcontext_[0-9]*
interface=org.fcitx.Fcitx.InputContext
member="{MouseEvent,ProcessKeyEvent}"
peer=(label=unconfined),
# this method does not exist with the sunpinyin backend (at least), so allow
# it for other input methods. This may consitute an information leak (which,
# again, could be avoided if the path were tied to the process' security
# label).
dbus send
bus={fcitx,session}
path=/inputcontext_[0-9]*
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(label=unconfined),
# gtk2/gvfs gtk_show_uri()
dbus (send)
bus=session
path=/org/gtk/vfs/mounttracker
interface=org.gtk.vfs.MountTracker
member=ListMountableInfo,
dbus (send)
bus=session
path=/org/gtk/vfs/mounttracker
interface=org.gtk.vfs.MountTracker
member=LookupMount,
# Support applications which use the unity messaging menu, xdg-mime, etc
# This leaks the names of snaps with desktop files
/var/lib/snapd/desktop/applications/ r,
# Allowing reading only our desktop files (required by (at least) the unity
# messaging menu).
# parallel-installs: this leaks read access to desktop files owned by keyed
# instances of @{SNAP_NAME} to @{SNAP_NAME} snap
# /var/lib/snapd/desktop/applications/@{SNAP_INSTANCE_DESKTOP}_*.desktop r,
# Explicitly deny access to other snap's desktop files
# deny /var/lib/snapd/desktop/applications/@{SNAP_INSTANCE_DESKTOP}[^_.]*.desktop r,
deny /var/lib/snapd/desktop/applications/[^f]* r,
deny /var/lib/snapd/desktop/applications/f[^i]* r,
deny /var/lib/snapd/desktop/applications/fi[^r]* r,
deny /var/lib/snapd/desktop/applications/fir[^e]* r,
deny /var/lib/snapd/desktop/applications/fire[^f]* r,
deny /var/lib/snapd/desktop/applications/firef[^o]* r,
deny /var/lib/snapd/desktop/applications/firefo[^x]* r,
# Snaps are unable to use the data in mimeinfo.cache (since they can't execute
# the returned desktop file themselves). unity messaging menu doesn't require
# mimeinfo.cache and xdg-mime will fallback to reading the desktop files
# directly to look for MimeType. Since reading the snap's own desktop files is
# allowed, we can safely deny access to this file (and xdg-mime will either
# return one of the snap's mimetypes, or none).
deny /var/lib/snapd/desktop/applications/mimeinfo.cache r,
# glib-networking's GLib proxy (different than the portal's proxy service
# org.freedesktop.portal.ProxyResolver). The Lookup API allows specifying
# various URLs (eg, file://, http:// and https://) which will be given to the
# unconfined glib-pacrunner.
dbus (send)
bus=session
path=/org/gtk/GLib/PACRunner
interface=org.gtk.GLib.PACRunner
member=Lookup
peer=(label=unconfined),
# app-indicators
dbus (send)
bus=session
path=/StatusNotifierWatcher
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(name=org.kde.StatusNotifierWatcher, label=unconfined),
dbus (send)
bus=session
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member="{GetConnectionUnixProcessID,RequestName,ReleaseName}"
peer=(name=org.freedesktop.DBus, label=unconfined),
dbus (bind)
bus=session
name=org.kde.StatusNotifierItem-[0-9]*,
dbus (send)
bus=session
path=/StatusNotifierWatcher
interface=org.freedesktop.DBus.Properties
member=Get
peer=(name=org.kde.StatusNotifierWatcher, label=unconfined),
dbus (send)
bus=session
path=/{StatusNotifierWatcher,org/ayatana/NotificationItem/*}
interface=org.kde.StatusNotifierWatcher
member=RegisterStatusNotifierItem
peer=(label=unconfined),
dbus (send)
bus=session
path=/{StatusNotifierItem,org/ayatana/NotificationItem/*}
interface=org.kde.StatusNotifierItem
member="New{AttentionIcon,Icon,IconThemePath,OverlayIcon,Status,Title,ToolTip}"
peer=(name=org.freedesktop.DBus, label=unconfined),
dbus (receive)
bus=session
path=/{StatusNotifierItem,org/ayatana/NotificationItem/*}
interface=org.kde.StatusNotifierItem
member={Activate,ContextMenu,Scroll,SecondaryActivate,ProvideXdgActivationToken,XAyatanaSecondaryActivate}
peer=(label=unconfined),
dbus (send)
bus=session
path=/{StatusNotifierItem/menu,org/ayatana/NotificationItem/*/Menu}
interface=com.canonical.dbusmenu
member="{LayoutUpdated,ItemsPropertiesUpdated}"
peer=(name=org.freedesktop.DBus, label=unconfined),
dbus (receive)
bus=session
path=/{StatusNotifierItem,StatusNotifierItem/menu,org/ayatana/NotificationItem/**}
interface={org.freedesktop.DBus.Properties,com.canonical.dbusmenu}
member={Get*,AboutTo*,Event*}
peer=(label=unconfined),
# notifications
dbus (send)
bus=session
path=/org/freedesktop/Notifications
interface=org.freedesktop.Notifications
member="{GetCapabilities,GetServerInformation,Notify,CloseNotification}"
peer=(label=unconfined),
dbus (receive)
bus=session
path=/org/freedesktop/Notifications
interface=org.freedesktop.Notifications
member={ActionInvoked,NotificationClosed,NotificationReplied}
peer=(label=unconfined),
# KDE Plasma's Inhibited property indicating "do not disturb" mode
# libnotificationmanager/dbus/org.freedesktop.Notifications.xml · master · Plasma / Plasma Workspace · GitLab
dbus (send)
bus=session
path=/org/freedesktop/Notifications
interface=org.freedesktop.DBus.Properties
member="Get{,All}"
peer=(label=unconfined),
dbus (receive)
bus=session
path=/org/freedesktop/Notifications
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(label=unconfined),
dbus (send)
bus=session
path=/org/ayatana/NotificationItem/*
interface=org.kde.StatusNotifierItem
member=XAyatanaNew*
peer=(name=org.freedesktop.DBus, label=unconfined),
# Description: Can access global gsettings of the user's session. Restricted
# because this gives privileged access to sensitive information stored in
# gsettings and allows adjusting settings of other applications. Future GLib
# will not require plugging the interface and will instead probe if running
# under confinement and use a private data store in $SNAP_USER_DATA).
#include <abstractions/dbus-session-strict>
#include <abstractions/dconf>
owner /{,var/}run/user/*/dconf/user w,
owner @{HOME}/.config/dconf/user w,
dbus (receive, send)
bus=session
interface="ca.desrt.dconf.Writer"
peer=(label=unconfined),
# Description: Can access non-hidden files in user's $HOME. This is restricted
# because it gives file access to all of the user's $HOME.
# Note, @{HOME} is the user's $HOME, not the snap's $HOME
# Allow read access to toplevel $HOME for the user
owner @{HOME}/ r,
# Allow read/write access to all files in @{HOME}, except snap application
# data in @{HOME}/snap and toplevel hidden directories in @{HOME}.
owner @{HOME}/[^s.]** rwklix,
owner @{HOME}/s[^n]** rwklix,
owner @{HOME}/sn[^a]** rwklix,
owner @{HOME}/sna[^p]** rwklix,
owner @{HOME}/snap[^/]** rwklix,
# Allow creating a few files not caught above
owner @{HOME}/{s,sn,sna}{,/} rwklix,
# Allow access to @{HOME}/snap/ to allow directory traversals from
# @{HOME}/snap/@{SNAP_INSTANCE_NAME} through @{HOME}/snap to @{HOME}.
# While this leaks snap names, it fixes usability issues for snaps
# that require this transitional interface.
owner @{HOME}/snap/ r,
# Allow access to gvfs mounts for files owned by the user (including hidden
# files; only allow writes to files, not the mount point).
owner /run/user/[0-9]*/gvfs/{,**} r,
owner /run/user/[0-9]*/gvfs/*/** w,
# Disallow writes to the well-known directory included in
# the user's PATH on several distributions
audit deny @{HOME}/bin/{,**} wl,
# Description: Can access opengl.
# specific gl libs
/var/lib/snapd/lib/gl{,32}/ r,
/var/lib/snapd/lib/gl{,32}/** rm,
# libdrm data files
/usr/share/libdrm/amdgpu.ids r,
# Bi-arch distribution nvidia support
/var/lib/snapd/hostfs/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcuda*.so{,.*} rm,
/var/lib/snapd/hostfs/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnvidia*.so{,.*} rm,
/var/lib/snapd/hostfs/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnvoptix*.so{,.*} rm,
/var/lib/snapd/hostfs/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}tls/libnvidia*.so{,.*} rm,
/var/lib/snapd/hostfs/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnvcuvid.so{,.*} rm,
/var/lib/snapd/hostfs/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}lib{GL,GLESv1_CM,GLESv2,EGL}*nvidia.so{,.*} rm,
/var/lib/snapd/hostfs/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libGLdispatch.so{,.*} rm,
/var/lib/snapd/hostfs/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}vdpau/libvdpau_nvidia.so{,.*} rm,
/var/lib/snapd/hostfs/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnv{rm,dc,imp,os}*.so{,.*} rm,
# CUDA libs
/var/lib/snapd/hostfs/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnpp{c,ig,ial,icc,idei,ist,if,im,itc}*.so{,.*} rm,
/var/lib/snapd/hostfs/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcublas{,Lt}*.so{,.*} rm,
/var/lib/snapd/hostfs/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcufft.so{,.*} rm,
/var/lib/snapd/hostfs/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcusolver.so{,.*} rm,
/var/lib/snapd/hostfs/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcuparse.so{,.*} rm,
/var/lib/snapd/hostfs/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcurand.so{,.*} rm,
/var/lib/snapd/hostfs/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcudnn{,_adv_infer,_adv_train,_cnn_infer,_cnn_train,_ops_infer,_ops_train}*.so{,.*} rm,
/var/lib/snapd/hostfs/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnvrtc{,-builtins}*.so{,.*} rm,
/var/lib/snapd/hostfs/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnvToolsExt.so{,.*} rm,
/var/lib/snapd/hostfs/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}nvidia/wine/*.dll rm,
# Support reading the Vulkan ICD files
/var/lib/snapd/lib/vulkan/ r,
/var/lib/snapd/lib/vulkan/** r,
/var/lib/snapd/hostfs/usr/share/vulkan/icd.d/*nvidia*.json r,
# Support reading the GLVND EGL vendor files
/var/lib/snapd/lib/glvnd/ r,
/var/lib/snapd/lib/glvnd/** r,
/var/lib/snapd/hostfs/usr/share/glvnd/egl_vendor.d/ r,
/var/lib/snapd/hostfs/usr/share/glvnd/egl_vendor.d/*nvidia*.json r,
# Support Nvidia EGL external platform
/var/lib/snapd/hostfs/usr/share/egl/egl_external_platform.d/ r,
/var/lib/snapd/hostfs/usr/share/egl/egl_external_platform.d/*nvidia*.json r,
# Main bi-arch GL libraries
/var/lib/snapd/hostfs/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}{,nvidia*/}lib{OpenGL,GL,GLU,GLESv1_CM,GLESv2,EGL,GLX}.so{,.*} rm,
# Allow access to all cards since a) this is common on hybrid systems, b) ARM
# devices commonly have two devices (such as on the Raspberry Pi 4, one for KMS
# and another that does not) and c) there is nothing saying that /dev/dri/card0
# is the default card or the application is currently using.
/dev/dri/ r,
/dev/dri/card[0-9]* rw,
# nvidia
/etc/vdpau_wrapper.cfg r,
@{PROC}/driver/nvidia/params r,
@{PROC}/modules r,
/dev/nvidia* rw,
unix (send, receive) type=dgram peer=(addr="@nvidia[0-9a-f]*"),
# VideoCore/EGL (shared device with VideoCore camera)
/dev/vchiq rw,
# VideoCore Video decoding (required for accelerated MMAL video playback)
/dev/vcsm-cma rw,
# va-api
/dev/dri/renderD[0-9]* rw,
# intel
@{PROC}/sys/dev/i915/perf_stream_paranoid r,
# cuda
@{PROC}/sys/vm/mmap_min_addr r,
@{PROC}/devices r,
/sys/devices/system/memory/block_size_bytes r,
/sys/module/tegra_fuse/parameters/tegra_* r,
unix (bind,listen) type=seqpacket addr="@cuda-uvmfd-[0-9a-f]*",
/{dev,run}/shm/cuda.* rw,
/dev/nvhost-* rw,
/dev/nvmap rw,
# Tegra display driver
/dev/tegra_dc_ctrl rw,
/dev/tegra_dc_[0-9]* rw,
# Xilinx zocl DRM driver
# XRT/src/runtime_src/core/edge/drm at master · Xilinx/XRT
/sys/devices/platform/amba{,_pl@[0-9]*}/amba{,_pl@[0-9]*}:zyxclmm_drm/* r,
# Imagination PowerVR driver
/dev/pvr_sync rw,
# ARM Mali driver
/dev/mali[0-9]* rw,
/dev/dma_buf_te rw,
/dev/dma_heap/linux,cma rw,
/dev/dma_heap/system rw,
# NXP i.MX driver
# GitHub - Freescale/kernel-module-imx-gpu-viv: FSL Community fork of Vivante i.MX GPU Linux kernel driver
/dev/galcore rw,
# OpenCL ICD files
/etc/OpenCL/vendors/ r,
/etc/OpenCL/vendors/** r,
# Parallels guest tools 3D acceleration (video toolgate)
@{PROC}/driver/prl_vtg rw,
# /sys/devices
/sys/devices/{,*pcie-controller/,platform/{soc,scb}/*.pcie/}pci[0-9a-f]*/**/config r,
/sys/devices/{,*pcie-controller/,platform/{soc,scb}/*.pcie/}pci[0-9a-f]*/**/revision r,
/sys/devices/{,*pcie-controller/,platform/{soc,scb}/*.pcie/}pci[0-9a-f]*/**/resource r,
/sys/devices/{,*pcie-controller/,platform/{soc,scb}/*.pcie/}pci[0-9a-f]*/**/irq r,
/sys/devices/{,*pcie-controller/,platform/{soc,scb}/*.pcie/}pci[0-9a-f]*/**/boot_vga r,
/sys/devices/{,*pcie-controller/,platform/{soc,scb}/*.pcie/}pci[0-9a-f]*/**/{,subsystem_}class r,
/sys/devices/{,*pcie-controller/,platform/{soc,scb}/*.pcie/}pci[0-9a-f]*/**/{,subsystem_}device r,
/sys/devices/{,*pcie-controller/,platform/{soc,scb}/*.pcie/}pci[0-9a-f]*/**/{,subsystem_}vendor r,
/sys/devices/**/drm{,_dp_aux_dev}/** r,
# FIXME: this is an information leak and snapd should instead query udev for
# the specific accesses associated with the above devices.
/sys/bus/pci/devices/ r,
/sys/bus/platform/devices/soc:gpu/ r,
/run/udev/data/+drm:card* r,
/run/udev/data/+pci:[0-9a-f]* r,
/run/udev/data/+platform:soc:gpu* r,
# FIXME: for each device in /dev that this policy references, lookup the
# device type, major and minor and create rules of this form:
# /run/udev/data/<type><major>:<minor> r,
# For now, allow 'c'haracter devices and 'b'lock devices based on
# https://www.kernel.org/doc/Documentation/devices.txt
/run/udev/data/c226:[0-9]* r, # 226 drm
# From Bug #1862832 “snapd and Ubuntu 20.04 nvidia triggers apparmor de...” : Bugs : snapd
/run/nvidia-xdriver-* rw,
unix (send, receive) type=dgram peer=(addr="@var/run/nvidia-xdriver-*"),
# Description: Can access removable storage filesystems
# Allow read-access to /run/ for navigating to removable media.
/run/ r,
# Allow read on /run/media/ for navigating to the mount points. While this
# allows enumerating users, this is already allowed via /etc/passwd and getent.
/{,run/}media/ r,
# Mount points could be in /run/media/<user>/* or /media/<user>/*
/{,run/}media/*/ r,
/{,run/}media/*/** mrwklix,
# Allow read-only access to /mnt to enumerate items.
/mnt/ r,
# Allow write access to anything under /mnt
/mnt/** mrwklix,
# Description: Can access specific personal files or directories in the
# users's home directory.
# This is restricted because it gives file access to arbitrary locations.
owner "@{HOME}/.mozilla/firefox{,/,/**}" rk,
# Description: Can access specific system files or directories.
# This is restricted because it gives file access to arbitrary locations.
"/etc/firefox{,/,/**}" rk,
# Description: Can access the X server. Restricted because X does not prevent
# eavesdropping or apps interfering with one another.
# The X abstraction doesn't check the peer label, but in this case that's
# ok because x11ConnectedSlotAppArmor will limit which clients can connect
# to the slot implementation.
#include <abstractions/X>
#include <abstractions/fonts>
owner @{HOME}/.local/share/fonts/{,**} r,
/var/cache/fontconfig/ r,
/var/cache/fontconfig/** mr,
# Allow access to the user specific copy of the xauth file specified
# in the XAUTHORITY environment variable, that "snap run" creates on
# startup.
owner /run/user/[0-9]*/.Xauthority r,
# Allow reading an Xwayland Xauth file
# (see meta-xwayland: Generate a Xauth file and pass this to Xwayland when starting it (!626) · Merge requests · GNOME / mutter · GitLab)
owner /run/user/[0-9]*/.mutter-Xwaylandauth.* r,
owner /run/user/[0-9]*/mutter/Xauthority r,
# Allow reading KDE Plasma's Xwayland Xauth file
owner /run/user/[0-9]*/xauth_* r,
# Needed by QtSystems on X to detect mouse and keyboard. Note, the 'netlink
# raw' rule is not finely mediated by apparmor so we mediate with seccomp arg
# filtering.
### MY CHANGE
### network netlink raw,
/run/udev/data/c13:[0-9]* r,
/run/udev/data/+input:* r,
# Deny access to ICE granted by abstractions/X
# See: https://bugs.launchpad.net/snapd/+bug/1901489
deny owner @{HOME}/.ICEauthority r,
deny owner /run/user/*/ICEauthority r,
deny unix (connect, receive, send)
type=stream
peer=(addr="@/tmp/.ICE-unix/[0-9]*"),
# Description: Can access the network as a client.
#include <abstractions/nameservice>
/run/systemd/resolve/stub-resolv.conf rk,
/etc/mdns.allow r, # not yet included in the mdns abstraction
network netlink dgram, # not yet included in the nameservice abstraction
# systemd-resolved (not yet included in nameservice abstraction)
#
# Allow access to the safe members of the systemd-resolved D-Bus API:
#
# resolved
#
# This API may be used directly over the D-Bus system bus or it may be used
# indirectly via the nss-resolve plugin:
#
# nss-resolve
#
#include <abstractions/dbus-strict>
dbus send
bus=system
path="/org/freedesktop/resolve1"
interface="org.freedesktop.resolve1.Manager"
member="Resolve{Address,Hostname,Record,Service}"
peer=(name="org.freedesktop.resolve1"),
# libnss-systemd (D-Bus portion from nameservice abstraction)
# Also allow lookups for systemd-exec's DynamicUsers via D-Bus
# systemd.exec
dbus send
bus=system
path="/org/freedesktop/systemd1"
interface="org.freedesktop.systemd1.Manager"
member="{GetDynamicUsers,LookupDynamicUserByName,LookupDynamicUserByUID}"
peer=(name="org.freedesktop.systemd1"),
#include <abstractions/ssl_certs>
@{PROC}/sys/net/core/somaxconn r,
@{PROC}/sys/net/ipv4/tcp_fastopen r,
# Allow using netcat as client
/{,usr/}bin/nc{,.openbsd} ixr,
# Description: Can access various APIs needed by modern browsers (eg, Google
# Chrome/Chromium and Mozilla) and file paths they expect. This interface is
# transitional and is only in place while upstream's work to change their paths
# and snappy is updated to properly mediate the APIs.
# This allows raising the OOM score of other processes owned by the user.
owner @{PROC}/@{pid}/oom_score_adj rw,
# Chrome/Chromium should be fixed to honor TMPDIR or the snap packaging
# adjusted to use LD_PRELOAD technique from LP: #1577514
/var/tmp/ r,
owner /var/tmp/etilqs_* rw,
# Chrome/Chromium should be modified to use snap.$SNAP_INSTANCE_NAME.* or
# the snap packaging adjusted to use LD_PRELOAD technique from LP: #1577514
owner /{dev,run}/shm/{,.}org.chromium.* mrw,
owner /{dev,run}/shm/{,.}com.google.Chrome.* mrw,
owner /{dev,run}/shm/{,.}com.microsoft.Edge.* mrw,
owner /{dev,run}/shm/.io.nwjs.* mrw,
# Chrome's Singleton API sometimes causes an ouid/fsuid mismatch denial, so
# for now, allow non-owner read on the singleton socket (LP: #1731012). See
# Electron snap killed when using app.makeSingleInstance API
# parallel-installs: $XDG_RUNTIME_DIR is not remapped, need to use SNAP_INSTANCE_NAME
# /run/user/[0-9]*/snap.@{SNAP_INSTANCE_NAME}/{,.}org.chromium.*/SS r,
# /run/user/[0-9]*/snap.@{SNAP_INSTANCE_NAME}/{,.}com.google.Chrome.*/SS r,
# /run/user/[0-9]*/snap.@{SNAP_INSTANCE_NAME}/{,.}com.microsoft.Edge.*/SS r,
# Allow access to Jupyter notebooks.
# This is temporary and will be reverted once LP: #1959417 is fixed upstream.
owner @{HOME}/.local/share/jupyter/** rw,
# Allow reading platform files
/run/udev/data/+platform:* r,
# miscellaneous accesses
@{PROC}/vmstat r,
# Chromium content api sometimes queries about huge pages. Allow status of
# hugepages and transparent_hugepage, but not the pages themselves.
/sys/kernel/mm/{hugepages,transparent_hugepage}/{,**} r,
# Chromium content api in gnome-shell reads this
/etc/opt/chrome/{,**} r,
/etc/chromium/{,**} r,
# Chrome/Chromium should be adjusted to not use gconf. It is only used with
# legacy systems that don't have snapd
deny dbus (send)
bus=session
interface="org.gnome.GConf.Server",
# webbrowser-app/webapp-container tries to read this file to determine if it is
# confined or not, so explicitly deny to avoid noise in the logs.
deny @{PROC}/@{pid}/attr/{,apparmor/}current r,
# This is an information leak but disallowing it leads to developer confusion
# when using the chromium content api file chooser due to a (harmless) glib
# warning and the noisy AppArmor denial.
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/mountinfo r,
# Since snapd still uses SECCOMP_RET_KILL, we have added a workaround rule to
# allow mknod on character devices since chromium unconditionally performs
# a mknod() to create the /dev/nvidiactl device, regardless of if it exists or
# not or if the process has CAP_MKNOD or not. Since we don't want to actually
# grant the ability to create character devices, explicitly deny the
# capability. When snapd uses SECCOMP_RET_ERRNO, we can remove this rule.
# Call for testing: chromium 62.0.3202.62
deny capability mknod,
# Description: Can inhibit and uninhibit screen savers in desktop sessions.
#include <abstractions/dbus-session-strict>
#include <abstractions/dbus-strict>
# gnome-session
dbus (send)
bus=session
path=/org/gnome/SessionManager
interface=org.gnome.SessionManager
member={Inhibit,Uninhibit}
peer=(label=unconfined),
# unity screen API
dbus (send)
bus=system
interface="org.freedesktop.DBus.Introspectable"
path="/com/canonical/Unity/Screen"
member="Introspect"
peer=(label=unconfined),
dbus (send)
bus=system
interface="com.canonical.Unity.Screen"
path="/com/canonical/Unity/Screen"
member={keepDisplayOn,removeDisplayOnRequest}
peer=(label=unconfined),
# freedesktop.org ScreenSaver
# compatibility rule
dbus (send)
bus=session
path=/Screensaver
interface=org.freedesktop.ScreenSaver
member={Inhibit,UnInhibit,SimulateUserActivity}
peer=(label=unconfined),
# xfce4-power-manager -
# xfce4-power-manager/src/org.freedesktop.PowerManagement.Inhibit.xml at 0b3ad06ad4f51eae1aea3cdc26f434d8b5ce763e · xfce-mirror/xfce4-power-manager
dbus (send)
bus=session
path=/org/freedesktop/PowerManagement/Inhibit
interface=org.freedesktop.PowerManagement.Inhibit
member={Inhibit,UnInhibit}
peer=(label=unconfined),
# API rule
dbus (send)
bus=session
path=/{,org/freedesktop/,org/gnome/}ScreenSaver
interface=org.{freedesktop,gnome}.ScreenSaver
member={Inhibit,UnInhibit,SimulateUserActivity}
peer=(label=unconfined),
# gnome, kde and cinnamon screensaver
dbus (send)
bus=session
path=/{,ScreenSaver}
interface=org.{gnome.ScreenSaver,kde.screensaver,cinnamon.ScreenSaver}
member=SimulateUserActivity
peer=(label=unconfined),
# Description: Can query UPower for power devices, history and statistics.
#include <abstractions/dbus-strict>
# Find all devices monitored by UPower
dbus (send)
bus=system
path=/org/freedesktop/UPower
interface=org.freedesktop.UPower
member=EnumerateDevices
peer=(label=unconfined),
# Read all properties from UPower and devices
# do not use peer=(label=unconfined) here since this is DBus activated
dbus (send)
bus=system
path=/org/freedesktop/UPower{,/Wakeups,/devices/**}
interface=org.freedesktop.DBus.Properties
member=Get{,All},
dbus (send)
bus=system
path=/org/freedesktop/UPower
interface=org.freedesktop.UPower
member=GetCriticalAction
peer=(label=unconfined),
dbus (send)
bus=system
path=/org/freedesktop/UPower
interface=org.freedesktop.UPower
member=GetDisplayDevice
peer=(label=unconfined),
dbus (send)
bus=system
path=/org/freedesktop/UPower/devices/**
interface=org.freedesktop.UPower.Device
member=GetHistory
peer=(label=unconfined),
# Receive property changed events
dbus (receive)
bus=system
path=/org/freedesktop/UPower{,/devices/**}
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(label=unconfined),
# Allow clients to introspect the service
# do not use peer=(label=unconfined) here since this is DBus activated
dbus (send)
bus=system
interface=org.freedesktop.DBus.Introspectable
path=/org/freedesktop/UPower
member=Introspect,
# Description: This interface allows for getting hardware information
# from the system. This is reserved because it allows reading potentially
# sensitive information.
# used by lscpu and 'lspci -A intel-conf1/intel-conf2'
capability sys_rawio,
# see loaded kernel modules
@{PROC}/modules r,
# used by lspci
capability sys_admin,
/etc/modprobe.d/{,*} r,
/{,usr/}lib/modprobe.d/{,*} r,
# for reading the available input devices on the system
/proc/bus/input/devices r,
# files in /sys pertaining to hardware (eg, 'lspci -A linux-sysfs')
/sys/{block,bus,class,devices,firmware}/{,**} r,
# files in /proc/bus/pci (eg, 'lspci -A linux-proc')
@{PROC}/bus/pci/{,**} r,
# power information
/sys/power/{,**} r,
/run/udev/data/+power_supply:* r,
# interrupts
@{PROC}/interrupts r,
# libsensors
/etc/sensors3.conf r,
/etc/sensors.d/{,*} r,
# Needed for udevadm
/run/udev/data/** r,
### MY CHANGE
### network netlink raw,
# util-linux
/{,usr/}bin/lsblk ixr,
/{,usr/}bin/lscpu ixr,
/{,usr/}bin/lsmem ixr,
# lsusb
# Note: lsusb and its database have to be shipped in the snap if not on classic
/{,usr/}bin/lsusb ixr,
/var/lib/usbutils/usb.ids r,
/dev/ r,
/dev/bus/usb/{,**/} r,
/etc/udev/udev.conf r,
# lshw -quiet (note, lshw also tries to create /dev/fb-*, but fails gracefully)
@{PROC}/devices r,
@{PROC}/ide/{,**} r,
@{PROC}/scsi/{,**} r,
@{PROC}/device-tree/{,**} r,
/sys/kernel/debug/usb/devices r,
@{PROC}/sys/abi/{,*} r,
# hwinfo --short
@{PROC}/ioports r,
@{PROC}/dma r,
@{PROC}/tty/driver/{,*} r,
@{PROC}/sys/dev/cdrom/info r,
# status of hugepages and transparent_hugepage, but not the pages themselves
/sys/kernel/mm/{hugepages,transparent_hugepage}/{,**} r,
# systemd-detect-virt
/{,usr/}bin/systemd-detect-virt ixr,
# VMs
@{PROC}/cpuinfo r,
@{PROC}/sysinfo r, # Linux on z/VM
@{PROC}/xen/capabilities r,
/sys/hypervisor/properties/features r,
/sys/hypervisor/type r,
# containers
/run/systemd/container r,
# /proc/1/sched in a systemd-nspawn container with '-a' is supposed to show on
# its first line a pid that != 1 and systemd-detect-virt tries to detect this.
# This doesn't seem to be the case on (at least) systemd 240 on Ubuntu. This
# file is somewhat sensitive for arbitrary pids, but is not overly so for pid
# 1. For containers, systemd won't normally look at this file since it has
# access to /run/systemd/container and 'container' from the environment, and
# systemd fails gracefully when it doesn't have access to /proc/1/sched. For
# VMs, systemd requires access to /proc/1/sched in its detection algorithm.
# See src/basic/virt.c from systemd sources for details.
@{PROC}/1/sched r,
# systemd-detect-virt --private-users will look at these and the access is
# better added to system-observe. Since snaps typically only care about
# --container and --vm leave these commented out.
#@{PROC}/@{pid}/uid_map r,
#@{PROC}/@{pid}/gid_map r,
#@{PROC}/@{pid}/setgroups r,
# systemd-detect-virt --chroot requires 'ptrace (read)' on unconfined to
# determine if it is running in a chroot. Like above, this is best granted via
# system-observe.
#ptrace (read) peer=unconfined,
# Description: allows domain, record, service, and service type browsing
# as well as address, host and service resolving
/{,var/}run/avahi-daemon/socket rw,
#include <abstractions/dbus-strict>
dbus (send)
bus=system
path=/
interface=org.freedesktop.DBus.Peer
member=Ping
peer=(name=org.freedesktop.Avahi,label="{unconfined,/usr/sbin/avahi-daemon,avahi-daemon}"),
# Allow accessing DBus properties and resolving
dbus (send)
bus=system
path=/
interface=org.freedesktop.Avahi.Server
member={Get*,Resolve*,IsNSSSupportAvailable}
peer=(name=org.freedesktop.Avahi,label="{unconfined,/usr/sbin/avahi-daemon,avahi-daemon}"),
# Allow receiving anything from the slot server
dbus (receive)
bus=system
interface=org.freedesktop.Avahi.Server
peer=(label="{unconfined,/usr/sbin/avahi-daemon,avahi-daemon}"),
# Don't allow introspection since it reveals too much (path is not service
# specific for unconfined)
# do not use peer=(label=unconfined) here since this is DBus activated
#dbus (send)
# bus=system
# path=/
# interface=org.freedesktop.DBus.Introspectable
# member=Introspect,
# These allows tampering with other snap's browsers, so don't autoconnect for
# now.
# address resolving
dbus (send)
bus=system
path=/
interface=org.freedesktop.Avahi.Server
member=AddressResolverNew
peer=(name=org.freedesktop.Avahi, label="{unconfined,/usr/sbin/avahi-daemon,avahi-daemon}"),
dbus (send)
bus=system
path=/Client*/AddressResolver*
interface=org.freedesktop.Avahi.AddressResolver
member=Free
peer=(name=org.freedesktop.Avahi, label="{unconfined,/usr/sbin/avahi-daemon,avahi-daemon}"),
dbus (receive)
bus=system
interface=org.freedesktop.Avahi.AddressResolver
peer=(label="{unconfined,/usr/sbin/avahi-daemon,avahi-daemon}"),
# host name resolving
dbus (send)
bus=system
path=/
interface=org.freedesktop.Avahi.Server
member=HostNameResolverNew
peer=(name=org.freedesktop.Avahi, label="{unconfined,/usr/sbin/avahi-daemon,avahi-daemon}"),
dbus (send)
bus=system
path=/Client*/HostNameResolver*
interface=org.freedesktop.Avahi.HostNameResolver
member=Free
peer=(name=org.freedesktop.Avahi, label="{unconfined,/usr/sbin/avahi-daemon,avahi-daemon}"),
dbus (receive)
bus=system
interface=org.freedesktop.Avahi.HostNameResolver
peer=(label="{unconfined,/usr/sbin/avahi-daemon,avahi-daemon}"),
# service resolving
dbus (send)
bus=system
path=/
interface=org.freedesktop.Avahi.Server
member=ServiceResolverNew
peer=(name=org.freedesktop.Avahi, label="{unconfined,/usr/sbin/avahi-daemon,avahi-daemon}"),
dbus (send)
bus=system
path=/Client*/ServiceResolver*
interface=org.freedesktop.Avahi.ServiceResolver
member=Free
peer=(name=org.freedesktop.Avahi, label="{unconfined,/usr/sbin/avahi-daemon,avahi-daemon}"),
dbus (receive)
bus=system
interface=org.freedesktop.Avahi.ServiceResolver
peer=(label="{unconfined,/usr/sbin/avahi-daemon,avahi-daemon}"),
# domain browsing
dbus (send)
bus=system
path=/
interface=org.freedesktop.Avahi.Server
member=DomainBrowserNew
peer=(name=org.freedesktop.Avahi, label="{unconfined,/usr/sbin/avahi-daemon,avahi-daemon}"),
dbus (send)
bus=system
path=/Client*/DomainBrowser*
interface=org.freedesktop.Avahi.DomainBrowser
member=Free
peer=(name=org.freedesktop.Avahi, label="{unconfined,/usr/sbin/avahi-daemon,avahi-daemon}"),
dbus (receive)
bus=system
interface=org.freedesktop.Avahi.DomainBrowser
peer=(label="{unconfined,/usr/sbin/avahi-daemon,avahi-daemon}"),
# record browsing
dbus (send)
bus=system
path=/
interface=org.freedesktop.Avahi.Server
member=RecordBrowserNew
peer=(name=org.freedesktop.Avahi, label="{unconfined,/usr/sbin/avahi-daemon,avahi-daemon}"),
dbus (send)
bus=system
path=/Client*/RecordBrowser*
interface=org.freedesktop.Avahi.RecordBrowser
member=Free
peer=(name=org.freedesktop.Avahi, label="{unconfined,/usr/sbin/avahi-daemon,avahi-daemon}"),
dbus (receive)
bus=system
interface=org.freedesktop.Avahi.RecordBrowser
peer=(label="{unconfined,/usr/sbin/avahi-daemon,avahi-daemon}"),
# service browsing
dbus (send)
bus=system
path=/
interface=org.freedesktop.Avahi.Server
member=ServiceBrowserNew
peer=(name=org.freedesktop.Avahi, label="{unconfined,/usr/sbin/avahi-daemon,avahi-daemon}"),
dbus (send)
bus=system
path=/Client*/ServiceBrowser*
interface=org.freedesktop.Avahi.ServiceBrowser
member=Free
peer=(name=org.freedesktop.Avahi, label="{unconfined,/usr/sbin/avahi-daemon,avahi-daemon}"),
dbus (receive)
bus=system
interface=org.freedesktop.Avahi.ServiceBrowser
peer=(label="{unconfined,/usr/sbin/avahi-daemon,avahi-daemon}"),
# Service type browsing
dbus (send)
bus=system
path=/
interface=org.freedesktop.Avahi.Server
member=ServiceTypeBrowserNew
peer=(name=org.freedesktop.Avahi, label="{unconfined,/usr/sbin/avahi-daemon,avahi-daemon}"),
dbus (send)
bus=system
path=/Client*/ServiceTypeBrowser*
interface=org.freedesktop.Avahi.ServiceTypeBrowser
member=Free
peer=(name=org.freedesktop.Avahi, label="{unconfined,/usr/sbin/avahi-daemon,avahi-daemon}"),
dbus (receive)
bus=system
interface=org.freedesktop.Avahi.ServiceTypeBrowser
peer=(label="{unconfined,/usr/sbin/avahi-daemon,avahi-daemon}"),
# Description: can access documentation of system packages.
# /usr/{,local/}share/doc/{,**} r,
# /usr/share/cups/doc-root/{,**} r,
# /usr/share/gimp/2.0/help/{,**} r,
# /usr/share/gtk-doc/{,**} r,
# /usr/share/libreoffice/help/{,**} r,
# /usr/share/xubuntu-docs/{,**} r,
# In addition to the bind mount, add any AppArmor rules so that
# snaps may directly access the slot implementation's files
# read-only.
"/snap/gnome-42-2204/141/**" mrkix,
# In addition to the bind mount, add any AppArmor rules so that
# snaps may directly access the slot implementation's files
# read-only.
"/snap/gtk-common-themes/1535/share/icons/default/**" mrkix,
"/snap/gtk-common-themes/1535/share/icons/Adwaita/**" mrkix,
"/snap/gtk-common-themes/1535/share/icons/hicolor/**" mrkix,
"/snap/gtk-common-themes/1535/share/icons/HighContrast/**" mrkix,
"/snap/gtk-common-themes/1535/share/icons/Humanity/**" mrkix,
"/snap/gtk-common-themes/1535/share/icons/Humanity-Dark/**" mrkix,
"/snap/gtk-common-themes/1535/share/icons/ubuntu-mono-dark/**" mrkix,
"/snap/gtk-common-themes/1535/share/icons/ubuntu-mono-light/**" mrkix,
"/snap/gtk-common-themes/1535/share/icons/DMZ-Black/**" mrkix,
"/snap/gtk-common-themes/1535/share/icons/DMZ-White/**" mrkix,
"/snap/gtk-common-themes/1535/share/icons/Yaru/**" mrkix,
"/snap/gtk-common-themes/1535/share/icons/Yaru-bark/**" mrkix,
"/snap/gtk-common-themes/1535/share/icons/Yaru-blue/**" mrkix,
"/snap/gtk-common-themes/1535/share/icons/Yaru-magenta/**" mrkix,
"/snap/gtk-common-themes/1535/share/icons/Yaru-olive/**" mrkix,
"/snap/gtk-common-themes/1535/share/icons/Yaru-prussiangreen/**" mrkix,
"/snap/gtk-common-themes/1535/share/icons/Yaru-purple/**" mrkix,
"/snap/gtk-common-themes/1535/share/icons/Yaru-red/**" mrkix,
"/snap/gtk-common-themes/1535/share/icons/Yaru-sage/**" mrkix,
"/snap/gtk-common-themes/1535/share/icons/Yaru-viridian/**" mrkix,
"/snap/gtk-common-themes/1535/share/icons/Yaru-dark/**" mrkix,
"/snap/gtk-common-themes/1535/share/icons/Yaru-bark-dark/**" mrkix,
"/snap/gtk-common-themes/1535/share/icons/Yaru-blue-dark/**" mrkix,
"/snap/gtk-common-themes/1535/share/icons/Yaru-magenta-dark/**" mrkix,
"/snap/gtk-common-themes/1535/share/icons/Yaru-olive-dark/**" mrkix,
"/snap/gtk-common-themes/1535/share/icons/Yaru-prussiangreen-dark/**" mrkix,
"/snap/gtk-common-themes/1535/share/icons/Yaru-purple-dark/**" mrkix,
"/snap/gtk-common-themes/1535/share/icons/Yaru-red-dark/**" mrkix,
"/snap/gtk-common-themes/1535/share/icons/Yaru-sage-dark/**" mrkix,
"/snap/gtk-common-themes/1535/share/icons/Yaru-viridian-dark/**" mrkix,
"/snap/gtk-common-themes/1535/share/icons/elementary/**" mrkix,
"/snap/gtk-common-themes/1535/share/icons/Ambiant-MATE/**" mrkix,
"/snap/gtk-common-themes/1535/share/icons/Radiant-MATE/**" mrkix,
"/snap/gtk-common-themes/1535/share/icons/Yaru-MATE-light/**" mrkix,
"/snap/gtk-common-themes/1535/share/icons/Yaru-MATE-dark/**" mrkix,
"/snap/gtk-common-themes/1535/share/icons/Yaru-mate/**" mrkix,
"/snap/gtk-common-themes/1535/share/icons/Yaru-mate-dark/**" mrkix,
"/snap/gtk-common-themes/1535/share/icons/Papirus-Adapta-Maia/**" mrkix,
"/snap/gtk-common-themes/1535/share/icons/Papirus-Adapta-Nokto-Maia/**" mrkix,
"/snap/gtk-common-themes/1535/share/icons/Papirus-Dark-Maia/**" mrkix,
"/snap/gtk-common-themes/1535/share/icons/Papirus-Light-Maia/**" mrkix,
"/snap/gtk-common-themes/1535/share/icons/Papirus-Maia/**" mrkix,
"/snap/gtk-common-themes/1535/share/icons/breeze_cursors/**" mrkix,
"/snap/gtk-common-themes/1535/share/icons/Breeze_Snow/**" mrkix,
"/snap/gtk-common-themes/1535/share/icons/elementary-xfce/**" mrkix,
"/snap/gtk-common-themes/1535/share/icons/elementary-xfce-dark/**" mrkix,
"/snap/gtk-common-themes/1535/share/icons/elementary-xfce-darker/**" mrkix,
"/snap/gtk-common-themes/1535/share/icons/elementary-xfce-darkest/**" mrkix,
"/snap/gtk-common-themes/1535/share/icons/handhelds/**" mrkix,
"/snap/gtk-common-themes/1535/share/icons/redglass/**" mrkix,
"/snap/gtk-common-themes/1535/share/icons/whiteglass/**" mrkix,
# In addition to the bind mount, add any AppArmor rules so that
# snaps may directly access the slot implementation's files
# read-only.
"/snap/gtk-common-themes/1535/share/sounds/Yaru/**" mrkix,
"/snap/gtk-common-themes/1535/share/sounds/freedesktop/**" mrkix,
# In addition to the bind mount, add any AppArmor rules so that
# snaps may directly access the slot implementation's files
# read-only.
"/snap/gtk-common-themes/1535/share/themes/Adwaita/**" mrkix,
"/snap/gtk-common-themes/1535/share/themes/Adwaita-dark/**" mrkix,
"/snap/gtk-common-themes/1535/share/themes/HighContrast/**" mrkix,
"/snap/gtk-common-themes/1535/share/themes/Ambiance/**" mrkix,
"/snap/gtk-common-themes/1535/share/themes/Radiance/**" mrkix,
"/snap/gtk-common-themes/1535/share/themes/Arc/**" mrkix,
"/snap/gtk-common-themes/1535/share/themes/Arc-Dark/**" mrkix,
"/snap/gtk-common-themes/1535/share/themes/Arc-Darker/**" mrkix,
"/snap/gtk-common-themes/1535/share/themes/Breeze/**" mrkix,
"/snap/gtk-common-themes/1535/share/themes/Breeze-Dark/**" mrkix,
"/snap/gtk-common-themes/1535/share/themes/Yaru-light/**" mrkix,
"/snap/gtk-common-themes/1535/share/themes/Yaru/**" mrkix,
"/snap/gtk-common-themes/1535/share/themes/Yaru-bark/**" mrkix,
"/snap/gtk-common-themes/1535/share/themes/Yaru-blue/**" mrkix,
"/snap/gtk-common-themes/1535/share/themes/Yaru-magenta/**" mrkix,
"/snap/gtk-common-themes/1535/share/themes/Yaru-olive/**" mrkix,
"/snap/gtk-common-themes/1535/share/themes/Yaru-prussiangreen/**" mrkix,
"/snap/gtk-common-themes/1535/share/themes/Yaru-purple/**" mrkix,
"/snap/gtk-common-themes/1535/share/themes/Yaru-red/**" mrkix,
"/snap/gtk-common-themes/1535/share/themes/Yaru-sage/**" mrkix,
"/snap/gtk-common-themes/1535/share/themes/Yaru-viridian/**" mrkix,
"/snap/gtk-common-themes/1535/share/themes/Yaru-dark/**" mrkix,
"/snap/gtk-common-themes/1535/share/themes/Yaru-bark-dark/**" mrkix,
"/snap/gtk-common-themes/1535/share/themes/Yaru-blue-dark/**" mrkix,
"/snap/gtk-common-themes/1535/share/themes/Yaru-magenta-dark/**" mrkix,
"/snap/gtk-common-themes/1535/share/themes/Yaru-olive-dark/**" mrkix,
"/snap/gtk-common-themes/1535/share/themes/Yaru-prussiangreen-dark/**" mrkix,
"/snap/gtk-common-themes/1535/share/themes/Yaru-purple-dark/**" mrkix,
"/snap/gtk-common-themes/1535/share/themes/Yaru-red-dark/**" mrkix,
"/snap/gtk-common-themes/1535/share/themes/Yaru-sage-dark/**" mrkix,
"/snap/gtk-common-themes/1535/share/themes/Yaru-viridian-dark/**" mrkix,
"/snap/gtk-common-themes/1535/share/themes/elementary/**" mrkix,
"/snap/gtk-common-themes/1535/share/themes/Ambiant-MATE/**" mrkix,
"/snap/gtk-common-themes/1535/share/themes/Ambiant-MATE-Dark/**" mrkix,
"/snap/gtk-common-themes/1535/share/themes/Radiant-MATE/**" mrkix,
"/snap/gtk-common-themes/1535/share/themes/Yaru-MATE-light/**" mrkix,
"/snap/gtk-common-themes/1535/share/themes/Yaru-MATE-dark/**" mrkix,
"/snap/gtk-common-themes/1535/share/themes/Yaru-mate/**" mrkix,
"/snap/gtk-common-themes/1535/share/themes/Yaru-mate-dark/**" mrkix,
"/snap/gtk-common-themes/1535/share/themes/Matcha-aliz/**" mrkix,
"/snap/gtk-common-themes/1535/share/themes/Matcha-azul/**" mrkix,
"/snap/gtk-common-themes/1535/share/themes/Matcha-dark-aliz/**" mrkix,
"/snap/gtk-common-themes/1535/share/themes/Matcha-dark-azul/**" mrkix,
"/snap/gtk-common-themes/1535/share/themes/Matcha-dark-sea/**" mrkix,
"/snap/gtk-common-themes/1535/share/themes/Matcha-sea/**" mrkix,
"/snap/gtk-common-themes/1535/share/themes/Greybird/**" mrkix,
"/snap/gtk-common-themes/1535/share/themes/Greybird-dark/**" mrkix,
"/snap/gtk-common-themes/1535/share/themes/Materia/**" mrkix,
"/snap/gtk-common-themes/1535/share/themes/Materia-compact/**" mrkix,
"/snap/gtk-common-themes/1535/share/themes/Materia-dark/**" mrkix,
"/snap/gtk-common-themes/1535/share/themes/Materia-dark-compact/**" mrkix,
"/snap/gtk-common-themes/1535/share/themes/Materia-light/**" mrkix,
"/snap/gtk-common-themes/1535/share/themes/Materia-light-compact/**" mrkix,
# TODO: should this be somewhere else?
/etc/mailcap r,
# While /usr/share/applications comes from the base runtime of the snap, it
# has some things that snaps actually need, so allow access to those and deny
# access to the others. This is duplicated from desktop for compatibility with
# existing snaps.
/usr/share/applications/ r,
/usr/share/applications/mimeapps.list r,
/usr/share/applications/xdg-open.desktop r,
# silence noisy denials from desktop files in core* snaps that aren't usable by
# snaps
deny /usr/share/applications/python*.desktop r,
deny /usr/share/applications/vim.desktop r,
deny /usr/share/applications/snap-handle-link.desktop r, # core16
# Chromium content api unfortunately needs these for normal operation
owner @{PROC}/@{pid}/fd/[0-9]* w,
# Various files in /run/udev/data needed by Chrome Settings. Leaks device
# information.
# input
/run/udev/data/c1:[0-9]* r, # /dev/psaux
/run/udev/data/c10:[0-9]* r, # /dev/adbmouse
/run/udev/data/c13:[0-9]* r, # /dev/input/*
/run/udev/data/c180:[0-9]* r, # /dev/vrbuttons
/run/udev/data/c4:[0-9]* r, # /dev/tty*, /dev/ttyS*
/run/udev/data/c5:[0-9]* r, # /dev/tty, /dev/console, etc
/run/udev/data/c7:[0-9]* r, # /dev/vcs*
/run/udev/data/+hid:* r,
/run/udev/data/+input:input[0-9]* r,
# screen
/run/udev/data/c29:[0-9]* r, # /dev/fb*
/run/udev/data/+backlight:* r,
/run/udev/data/+leds:* r,
# sound
/run/udev/data/c116:[0-9]* r, # alsa
/run/udev/data/+sound:card[0-9]* r,
# miscellaneous
/run/udev/data/c108:[0-9]* r, # /dev/ppp
/run/udev/data/c189:[0-9]* r, # USB serial converters
/run/udev/data/c89:[0-9]* r, # /dev/i2c-*
/run/udev/data/c81:[0-9]* r, # video4linux (/dev/video*, etc)
/run/udev/data/c202:[0-9]* r, # /dev/cpu/*/msr
/run/udev/data/c203:[0-9]* r, # /dev/cuse
/run/udev/data/+acpi:* r,
/run/udev/data/+hwmon:hwmon[0-9]* r,
/run/udev/data/+i2c:* r,
/sys/devices/**/bConfigurationValue r,
/sys/devices/**/descriptors r,
/sys/devices/**/manufacturer r,
/sys/devices/**/product r,
/sys/devices/**/revision r,
/sys/devices/**/serial r,
/sys/devices/**/vendor r,
/sys/devices/system/node/node[0-9]*/meminfo r,
# Allow getting the manufacturer and model of the
# computer where Chrome/chromium is currently running.
# This is going to be used by the upcoming Hardware Platform
# extension API.
# 84618eee98fdf7548905e883e63e4f693800fcfa - chromium/src.git - Git at Google
/sys/devices/virtual/dmi/id/product_name r,
/sys/devices/virtual/dmi/id/sys_vendor r,
# Chromium content api tries to read these. It is an information disclosure
# since these contain the names of snaps. Chromium operates fine without the
# access so just block it.
deny /sys/devices/virtual/block/loop[0-9]*/loop/backing_file r,
deny /sys/devices/virtual/block/dm-[0-9]*/dm/name r,
# networking
/run/udev/data/n[0-9]* r,
/run/udev/data/+bluetooth:hci[0-9]* r,
/run/udev/data/+rfkill:rfkill[0-9]* r,
/run/udev/data/c241:[0-9]* r, # /dev/vhost-vsock
# storage
/run/udev/data/b1:[0-9]* r, # /dev/ram*
/run/udev/data/b7:[0-9]* r, # /dev/loop*
/run/udev/data/b8:[0-9]* r, # /dev/sd*
/run/udev/data/b11:[0-9]* r, # /dev/scd* and sr*
/run/udev/data/b230:[0-9]* r, # /dev/zvol*
/run/udev/data/c21:[0-9]* r, # /dev/sg*
/run/udev/data/+usb:[0-9]* r,
# experimental
/run/udev/data/b252:[0-9]* r,
/run/udev/data/b253:[0-9]* r,
/run/udev/data/b259:[0-9]* r,
/run/udev/data/c24[0-9]:[0-9]* r,
/run/udev/data/c25[0-4]:[0-9]* r,
/sys/bus/**/devices/ r,
# Google Cloud Print
unix (bind)
type=stream
addr="@[0-9A-F]*._service_*",
# Policy needed only when using the chrome/chromium setuid sandbox
capability sys_ptrace,
# ptrace (trace) peer=snap.@{SNAP_INSTANCE_NAME}.**,
# unix (receive, send) peer=(label=snap.@{SNAP_INSTANCE_NAME}.**),
# If this were going to be allowed to all snaps, then for all the following
# rules we would want to wrap in a 'browser_sandbox' profile, but a limitation
# in AppArmor profile transitions prevents this.
#
# @{INSTALL_DIR}/@{SNAP_NAME}/@{SNAP_REVISION}/opt/google/chrome{,-beta,-unstable}/chrome-sandbox cx -> browser_sandbox,
# profile browser_sandbox {
# ...
# # This rule needs to work but generates a parser error
# @{INSTALL_DIR}/@{SNAP_NAME}/@{SNAP_REVISION}/opt/google/chrome/chrome px -> snap.@{SNAP_INSTANCE_NAME}.@{SNAP_APP},
# @{INSTALL_DIR}/@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}/opt/google/chrome/chrome px -> snap.@{SNAP_INSTANCE_NAME}.@{SNAP_APP},
# ...
# }
# Required for dropping into PID namespace. Keep in mind that until the
# process drops this capability it can escape confinement, but once it
# drops CAP_SYS_ADMIN we are ok.
capability sys_admin,
# All of these are for sanely dropping from root and chrooting
capability chown,
capability fsetid,
capability setgid,
capability setuid,
capability sys_chroot,
# User namespace sandbox
owner @{PROC}/@{pid}/setgroups rw,
owner @{PROC}/@{pid}/uid_map rw,
owner @{PROC}/@{pid}/gid_map rw,
# Webkit uses a particular SHM names # LP: 1578217
owner /{dev,run}/shm/WK2SharedMemory.* mrw,
# Chromium content api on (at least) later versions of Ubuntu just use this
owner /{dev,run}/shm/shmfd-* mrw,
# Clearing the PG_Referenced and ACCESSED/YOUNG bits provides a method to
# measure approximately how much memory a process is using via /proc/self/smaps
# (man 5 proc). This access allows the snap to clear references for pids from
# other snaps and the system, so it is limited to snaps that specify:
# allow-sandbox: true.
owner @{PROC}/@{pid}/clear_refs w,
# Allow setting realtime priorities. Clients require RLIMIT_RTTIME in the first
# place and client authorization is done via PolicyKit. Note that setrlimit()
# is allowed by default seccomp policy but requires 'capability sys_resource',
# which we deny be default.
# README - rtkit.git - RealtimeKit
dbus (send)
bus=system
path=/org/freedesktop/RealtimeKit1
interface=org.freedesktop.DBus.Properties
member=Get
peer=(name=org.freedesktop.RealtimeKit1, label=unconfined),
dbus (send)
bus=system
path=/org/freedesktop/RealtimeKit1
interface=org.freedesktop.RealtimeKit1
member=MakeThread{HighPriority,Realtime,RealtimeWithPID}
peer=(name=org.freedesktop.RealtimeKit1, label=unconfined),
# Until we have proper device assignment, allow access to all cameras
/dev/video[0-9]* rw,
# VideoCore cameras (shared device with VideoCore/EGL)
/dev/vchiq rw,
# Allow detection of cameras. Leaks plugged in USB device info
/sys/bus/usb/devices/ r,
/sys/devices/pci**/usb*/**/busnum r,
/sys/devices/pci**/usb*/**/devnum r,
/sys/devices/pci**/usb*/**/idVendor r,
/sys/devices/pci**/usb*/**/idProduct r,
/sys/devices/pci**/usb*/**/interface r,
/sys/devices/pci**/usb*/**/modalias r,
/sys/devices/pci**/usb*/**/speed r,
/run/udev/data/c81:[0-9]* r, # video4linux (/dev/video*, etc)
/run/udev/data/+usb:* r,
/sys/class/video4linux/ r,
/sys/devices/pci**/usb*/**/video4linux/** r,
/sys/devices/platform/**/usb*/**/video4linux/** r,
# allow unconfined clients to introspect us on classic
dbus (receive)
bus=session
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(label=unconfined),
# allow us to respond to unconfined clients via "org.mozilla.firefox{,.*}"
# on classic (send should be handled via another snappy interface).
dbus (receive)
bus=session
interface="org.mozilla.firefox{,.*}"
peer=(label=unconfined),
# allow us to respond to unconfined clients via "/org/mozilla/firefox{,/**}" (eg,
# org.freedesktop.*, org.gtk.Application, etc) on classic (send should be
# handled via another snappy interface).
dbus (receive)
bus=session
path="/org/mozilla/firefox{,/**}"
peer=(label=unconfined),
# allow use of user namespaces
# userns,
# subset of gnome abstraction
/etc/gtk-3.0/settings.ini r,
owner @{HOME}/.config/gtk-3.0/settings.ini r,
owner @{HOME}/.config/gtk-3.0/*.css r,
# Note: this leaks directory names that wouldn't otherwise be known to the snap
owner @{HOME}/.config/gtk-3.0/bookmarks r,
/usr/share/icons/ r,
/usr/share/icons/** r,
/usr/share/icons/*/index.theme rk,
/usr/share/pixmaps/ r,
/usr/share/pixmaps/** r,
/usr/share/unity/icons/** r,
/usr/share/thumbnailer/icons/** r,
/usr/share/themes/** r,
# The snapcraft desktop part may look for schema files in various locations, so
# allow reading system installed schemas.
/usr/share/glib*/schemas/{,*} r,
/usr/share/gnome/glib*/schemas/{,*} r,
/usr/share/ubuntu/glib*/schemas/{,*} r,
# subset of freedesktop.org
owner @{HOME}/.local/share/mime/** r,
owner @{HOME}/.config/user-dirs.* r,
/etc/xdg/user-dirs.conf r,
/etc/xdg/user-dirs.defaults r,
# gmenu
dbus (send)
bus=session
interface=org.gtk.Actions
member=Changed
peer=(label=unconfined),
# notifications
dbus (send)
bus=session
path=/org/freedesktop/Notifications
interface=org.freedesktop.Notifications
member="{GetCapabilities,GetServerInformation,Notify,CloseNotification}"
peer=(label=unconfined),
dbus (receive)
bus=session
path=/org/freedesktop/Notifications
interface=org.freedesktop.Notifications
member={ActionInvoked,NotificationClosed,NotificationReplied}
peer=(label=unconfined),
# KDE Plasma's Inhibited property indicating "do not disturb" mode
# libnotificationmanager/dbus/org.freedesktop.Notifications.xml · master · Plasma / Plasma Workspace · GitLab
dbus (send)
bus=session
path=/org/freedesktop/Notifications
interface=org.freedesktop.DBus.Properties
member="Get{,All}"
peer=(label=unconfined),
dbus (receive)
bus=session
path=/org/freedesktop/Notifications
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(label=unconfined),
# DesktopAppInfo Launched
dbus (send)
bus=session
path=/org/gtk/gio/DesktopAppInfo
interface=org.gtk.gio.DesktopAppInfo
member=Launched
peer=(label=unconfined),
# Allow requesting interest in receiving media key events. This tells Gnome
# settings that our application should be notified when key events we are
# interested in are pressed, and allows us to receive those events.
dbus (receive, send)
bus=session
interface=org.gnome.SettingsDaemon.MediaKeys
path=/org/gnome/SettingsDaemon/MediaKeys
peer=(label=unconfined),
dbus (send)
bus=session
interface=org.freedesktop.DBus.Properties
path=/org/gnome/SettingsDaemon/MediaKeys
member="Get{,All}"
peer=(label=unconfined),
# Allow accessing the GNOME crypto services prompt APIs as used by
# applications using libgcr (such as pinentry-gnome3) for secure pin
# entry to unlock GPG keys etc. See:
# https://developer.gnome.org/gcr/unstable/GcrPrompt.html
# https://developer.gnome.org/gcr/unstable/GcrSecretExchange.html
dbus (send)
bus=session
path=/org/gnome/keyring/Prompter
interface=org.gnome.keyring.internal.Prompter
member="{BeginPrompting,PerformPrompt,StopPrompting}"
peer=(label=unconfined),
# While the DBus path is not snap-specific, by the time an application
# registers the prompt path via DBus, Gcr will check that it isn't
# already in use and send the client an error if it is. See:
# interfaces/desktop: allow access to system prompter interface by alexmurray · Pull Request #7673 · snapcore/snapd
dbus (receive)
bus=session
path=/org/gnome/keyring/Prompt/p[0-9]*
interface=org.gnome.keyring.internal.Prompter.Callback
member="{PromptReady,PromptDone}"
peer=(label=unconfined),
# Allow use of snapd's internal 'xdg-open'
/usr/bin/xdg-open ixr,
# While /usr/share/applications comes from the base runtime of the snap, it
# has some things that snaps actually need, so allow access to those and deny
# access to the others
/usr/share/applications/ r,
/usr/share/applications/mimeapps.list r,
/usr/share/applications/xdg-open.desktop r,
# silence noisy denials from desktop files in core* snaps that aren't usable by
# snaps
deny /usr/share/applications/python*.desktop r,
deny /usr/share/applications/vim.desktop r,
deny /usr/share/applications/snap-handle-link.desktop r, # core16
dbus (send)
bus=session
path=/
interface=com.canonical.SafeLauncher
member=OpenURL
peer=(label=unconfined),
# ... and this allows access to the new xdg-open service which
# is now part of snapd itself.
dbus (send)
bus=session
path=/io/snapcraft/Launcher
interface=io.snapcraft.Launcher
member={OpenURL,OpenFile}
peer=(label=unconfined),
# Allow checking status, activating and locking the screensaver
# gnome/kde/freedesktop.org
dbus (send)
bus=session
path="/{,org/freedesktop/,org/gnome/}ScreenSaver"
interface="org.{freedesktop,gnome}.ScreenSaver"
member="{GetActive,GetActiveTime,Lock,SetActive}"
peer=(label=unconfined),
dbus (receive)
bus=session
path="/{,org/freedesktop/,org/gnome/}ScreenSaver"
interface="org.{freedesktop,gnome}.ScreenSaver"
member=ActiveChanged
peer=(label=unconfined),
# Allow unconfined to introspect us
dbus (receive)
bus=session
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(label=unconfined),
# Allow use of snapd's internal 'xdg-settings'
/usr/bin/xdg-settings ixr,
dbus (send)
bus=session
path=/io/snapcraft/Settings
interface=io.snapcraft.Settings
member={Check,CheckSub,Get,GetSub,Set,SetSub}
peer=(label=unconfined),
# These accesses are noisy and applications can't do anything with the found
# icon files, so explicitly deny to silence the denials
deny /var/lib/snapd/desktop/icons/{,**/} r,
# These accesses occur when flatpaks are on the system since it updates
# XDG_DATA_DIRS to contain $HOME/.local/share/flatpak/exports/share. Until
# we have better XDG_DATA_DIRS handling, silence these noisy denials.
# AppArmor denial cluttering systemd logs · Issue #23 · snapcrafters/discord
deny @{HOME}/.local/share/flatpak/exports/share/** r,
# Allow access to the IBus portal (IBUS_USE_PORTAL=1)
dbus (send)
bus=session
path=/org/freedesktop/IBus
interface=org.freedesktop.IBus.Portal
member=CreateInputContext
peer=(name=org.freedesktop.portal.IBus),
dbus (send, receive)
bus=session
path=/org/freedesktop/IBus/InputContext_[0-9]*
interface=org.freedesktop.IBus.InputContext
peer=(label=unconfined),
# Allow access to the Fcitx portal, supported by fcitx/fcitx5
dbus (send)
bus=session
path=/{,org/freedesktop/portal/}inputmethod
interface=org.fcitx.Fcitx.InputMethod1
member={CreateInputContext,Version}
peer=(name=org.freedesktop.portal.Fcitx),
dbus (send, receive)
bus=session
path=/{,org/freedesktop/portal/}inputcontext/**
interface=org.fcitx.Fcitx.InputContext1
peer=(label=unconfined),
# Layout path: /usr/lib/x86_64-linux-gnu/webkit2gtk-4.0
"/usr/lib/x86_64-linux-gnu/webkit2gtk-4.0{,/**}" mrwklix,
# Layout path: /usr/share/alsa
"/usr/share/alsa{,/**}" mrwklix,
# Layout path: /usr/share/libdrm
"/usr/share/libdrm{,/**}" mrwklix,
# Layout path: /usr/share/xml/iso-codes
"/usr/share/xml/iso-codes{,/**}" mrwklix,
###############
# end firefox
##############
/etc/udev/udev.conf r,
/etc/localtime r,
/etc/machine-id r,
/etc/os-release r,
/etc/fonts/** r,
/etc/gtk-3.0/settings.ini r,
/etc/opt/chrome/** r,
/etc/gcrypt/hwf.deny r,
/etc/gcrypt/random.conf r,
/etc/sysconfig/clock r,
owner @{PROC}/@{pid}/maps k,
owner @{PROC}/@{pid}/map_files/ r,
### MY CHANGE
### /opt/google/chrome/chrome_crashpad_handler ux,
### /opt/google/chrome/chrome-sandbox ux,
### /opt/google/chrome/chrome_crashpad_handler ux,
### /opt/google/chrome/chrome-sandbox ux,
/opt/google/chrome/chrome_crashpad_handler ix,
/opt/google/chrome/chrome-sandbox ix,
/opt/google/chrome/** mrixlk,
/opt/google/chrome/chrome mrixlk,
/usr/bin/google-chrome mrixlk,
owner /run/user/[0-9]*/dconf/user r,
/usr/share/locale/** r,
/usr/share/zoneinfo/** r,
/usr/share/fontconfig/** r,
/usr/share/fonts/** r,
/usr/share/icons/** r,
/usr/share/locale-langpack/** r,
/usr/share/pixmaps/** r,
# /usr/share/ubuntu/** r,
/usr/share/themes/** r,
/usr/share/X11/locale/** r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/dconf/** r,
/usr/share/mime.** r,
/usr/share//mime//mime.cache r,
/usr/local/share/** r,
/usr/local/share/fonts/** r,
/usr/lib/locale/locale-archive r,
/sys/devices/system/cpu/** r,
/sys/devices/virtual/dmi/id/board_vendor r,
/sys/devices/virtual/dmi/id/board_name r,
/sys/devices/virtual/dmi/id/bios_vendor r,
/sys/devices/virtual/dmi/id/bios_version r,
/dev/shm/.com.google* rw,
/dev/urandom r,
/dev/tty r,
/dev/null rw,
/dev/fd/** rw,
/proc/ r,
/proc/[0-9]*/cmdline r,
/proc/[0-9]*/fd/ r,
/proc/[0-9]*/stat r,
/proc/[0-9]*/statm r,
/proc/[0-9]*/status r,
/proc/[0-9]*/task rw,
/proc/cpuinfo r,
# /proc/filesystems r,
/proc/stat r,
/proc/sys/kernel/yama/ptrace_scope r,
/proc/self/stat r,
/proc/self/exe r,
/proc/self/cmdline r,
/proc/sys/fs/inotify/max_user_watches r,
# /var/tmp/ r,
# /var/tmp/* rw,
/var/cache/fontconfig/** r,
/var/lib/dbus/machine-id r,
### MY CHANGE
### over doing writes
owner @{HOME}/Downloads/** rwk,
owner @{HOME}/.config/ r,
owner @{HOME}/.config/** r,
owner @{HOME}/.config/** rwk,
owner @{HOME}/.local/ r,
owner @{HOME}/.local/** r,
### owner @{HOME}/.local/** rwk,
owner @{HOME}/.cache/ r,
owner @{HOME}/.cache/** r,
### owner @{HOME}/.cache/** rwk,
owner @{HOME}/.local/share/mime/** r,
owner @{HOME}/.config/user-dirs.* r,
/etc/xdg/user-dirs.conf r,
/etc/xdg/user-dirs.defaults r,
# /etc/ld.so.cache mr,
/lib/x86_64-linux-gnu/libdl.so.2 mr,
/lib/x86_64-linux-gnu/libpthread.so.0 mr,
/lib/x86_64-linux-gnu/libgobject-2.0.so.0 mr,
/lib/x86_64-linux-gnu/libglib-2.0.so.0 mr,
/lib/x86_64-linux-gnu/libnss3.so mr,
/lib/x86_64-linux-gnu/libnssutil3.so mr,
/lib/x86_64-linux-gnu/libsmime3.so mr,
/lib/x86_64-linux-gnu/libnspr4.so mr,
/lib/x86_64-linux-gnu/libdbus-1.so.3 mr,
/lib/x86_64-linux-gnu/libatk-1.0.so.0 mr,
/lib/x86_64-linux-gnu/libatk-bridge-2.0.so.0 mr,
/lib/x86_64-linux-gnu/libcups.so.2 mr,
/lib/x86_64-linux-gnu/libgio-2.0.so.0 mr,
/lib/x86_64-linux-gnu/libdrm.so.2 mr,
/lib/x86_64-linux-gnu/libatspi.so.0 mr,
/lib/x86_64-linux-gnu/libexpat.so.1 mr,
/lib/x86_64-linux-gnu/libm.so.6 mr,
/lib/x86_64-linux-gnu/libX11.so.6 mr,
/lib/x86_64-linux-gnu/libXcomposite.so.1 mr,
/lib/x86_64-linux-gnu/libXdamage.so.1 mr,
/lib/x86_64-linux-gnu/libXext.so.6 mr,
/lib/x86_64-linux-gnu/libXfixes.so.3 mr,
/lib/x86_64-linux-gnu/libXrandr.so.2 mr,
/lib/x86_64-linux-gnu/libgbm.so.1 mr,
/lib/x86_64-linux-gnu/libxcb.so.1 mr,
/lib/x86_64-linux-gnu/libxkbcommon.so.0 mr,
/lib/x86_64-linux-gnu/libpango-1.0.so.0 mr,
/lib/x86_64-linux-gnu/libcairo.so.2 mr,
/lib/x86_64-linux-gnu/libasound.so.2 mr,
/lib/x86_64-linux-gnu/libgcc_s.so.1 mr,
/lib/x86_64-linux-gnu/libc.so.6 mr,
/lib/x86_64-linux-gnu/libffi.so.8 mr,
/lib/x86_64-linux-gnu/libpcre.so.3 mr,
/lib/x86_64-linux-gnu/libplc4.so mr,
/lib/x86_64-linux-gnu/libplds4.so mr,
/lib/x86_64-linux-gnu/libsystemd.so.0 mr,
/lib/x86_64-linux-gnu/libgssapi_krb5.so.2 mr,
/lib/x86_64-linux-gnu/libavahi-common.so.3 mr,
/lib/x86_64-linux-gnu/libavahi-client.so.3 mr,
/lib/x86_64-linux-gnu/libgnutls.so.30 mr,
/lib/x86_64-linux-gnu/libz.so.1 mr,
/lib/x86_64-linux-gnu/libgmodule-2.0.so.0 mr,
/lib/x86_64-linux-gnu/libmount.so.1 mr,
/lib/x86_64-linux-gnu/libselinux.so.1 mr,
/lib/x86_64-linux-gnu/libXi.so.6 mr,
/lib/x86_64-linux-gnu/libXrender.so.1 mr,
/lib/x86_64-linux-gnu/libwayland-server.so.0 mr,
/lib/x86_64-linux-gnu/libxcb-randr.so.0 mr,
/lib/x86_64-linux-gnu/libXau.so.6 mr,
/lib/x86_64-linux-gnu/libXdmcp.so.6 mr,
/lib/x86_64-linux-gnu/libfribidi.so.0 mr,
/lib/x86_64-linux-gnu/libthai.so.0 mr,
/lib/x86_64-linux-gnu/libharfbuzz.so.0 mr,
/lib/x86_64-linux-gnu/libpixman-1.so.0 mr,
/lib/x86_64-linux-gnu/libfontconfig.so.1 mr,
/lib/x86_64-linux-gnu/libfreetype.so.6 mr,
/lib/x86_64-linux-gnu/libpng16.so.16 mr,
/lib/x86_64-linux-gnu/libxcb-shm.so.0 mr,
/lib/x86_64-linux-gnu/libxcb-render.so.0 mr,
/lib/x86_64-linux-gnu/liblzma.so.5 mr,
/lib/x86_64-linux-gnu/libzstd.so.1 mr,
/lib/x86_64-linux-gnu/liblz4.so.1 mr,
/lib/x86_64-linux-gnu/libcap.so.2 mr,
/lib/x86_64-linux-gnu/libgcrypt.so.20 mr,
/lib/x86_64-linux-gnu/libkrb5.so.3 mr,
/lib/x86_64-linux-gnu/libk5crypto.so.3 mr,
/lib/x86_64-linux-gnu/libcom_err.so.2 mr,
/lib/x86_64-linux-gnu/libkrb5support.so.0 mr,
/lib/x86_64-linux-gnu/libp11-kit.so.0 mr,
/lib/x86_64-linux-gnu/libidn2.so.0 mr,
/lib/x86_64-linux-gnu/libunistring.so.2 mr,
/lib/x86_64-linux-gnu/libtasn1.so.6 mr,
/lib/x86_64-linux-gnu/libnettle.so.8 mr,
/lib/x86_64-linux-gnu/libhogweed.so.6 mr,
/lib/x86_64-linux-gnu/libgmp.so.10 mr,
/lib/x86_64-linux-gnu/libblkid.so.1 mr,
/lib/x86_64-linux-gnu/libpcre2-8.so.0 mr,
/lib/x86_64-linux-gnu/libbsd.so.0 mr,
/lib/x86_64-linux-gnu/libdatrie.so.1 mr,
/lib/x86_64-linux-gnu/libgraphite2.so.3 mr,
/lib/x86_64-linux-gnu/libuuid.so.1 mr,
/lib/x86_64-linux-gnu/libbrotlidec.so.1 mr,
/lib/x86_64-linux-gnu/libgpg-error.so.0 mr,
/lib/x86_64-linux-gnu/libkeyutils.so.1 mr,
/lib/x86_64-linux-gnu/libresolv.so.2 mr,
/lib/x86_64-linux-gnu/libmd.so.0 mr,
/lib/x86_64-linux-gnu/libbrotlicommon.so.1 mr,
/proc/filesystems r,
/opt/google/chrome/CHROME_VERSION_EXTRA r,
/etc/localtime r,
/proc/self/stat r,
/proc/stat r,
/usr/lib/locale/locale-archive r,
/opt/google/chrome/icudtl.dat r,
/etc/os-release r,
/proc/24406/stat r,
/proc/self/stat r,
/run/user/1000/.mutter-Xwaylandauth.10SPM2 r,
/proc/self/stat r,
/proc/stat r,
/etc/opt/chrome/policies/managed r,
/etc/opt/chrome/policies/managed r,
/etc/opt/chrome/policies/managed/disable_mediarouter.json r,
/etc/machine-id r,
/usr/share/locale/locale.alias r,
/opt/google/chrome/chrome_100_percent.pak r,
/opt/google/chrome/chrome_200_percent.pak r,
/opt/google/chrome/locales/en-GB.pak r,
/opt/google/chrome/resources.pak r,
/sys/devices/system/cpu r,
/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq r,
/proc/self/cmdline r,
# /etc/ld.so.cache mr,
/lib/x86_64-linux-gnu/libgtk-3.so.0 mr,
/lib/x86_64-linux-gnu/libgdk-3.so.0 mr,
/lib/x86_64-linux-gnu/libpangocairo-1.0.so.0 mr,
/lib/x86_64-linux-gnu/libcairo-gobject.so.2 mr,
/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0 mr,
/lib/x86_64-linux-gnu/libepoxy.so.0 mr,
/lib/x86_64-linux-gnu/libpangoft2-1.0.so.0 mr,
/lib/x86_64-linux-gnu/libXinerama.so.1 mr,
/lib/x86_64-linux-gnu/libXcursor.so.1 mr,
/lib/x86_64-linux-gnu/libwayland-cursor.so.0 mr,
/lib/x86_64-linux-gnu/libwayland-egl.so.1 mr,
/lib/x86_64-linux-gnu/libwayland-client.so.0 mr,
/lib/x86_64-linux-gnu/libjpeg.so.8 mr,
/usr/share/locale/locale.alias r,
# /etc/ld.so.cache mr,
/lib/x86_64-linux-gnu/libX11-xcb.so.1 mr,
/usr/share/locale-langpack/en_CA/LC_MESSAGES/gtk30.mo r,
/usr/share/locale-langpack/en/LC_MESSAGES/gtk30.mo r,
/usr/share/locale-langpack/en_CA/LC_MESSAGES/gtk30-properties.mo r,
# /etc/ld.so.cache mr,
# /etc/ld.so.cache mr,
/run/user/1000/.mutter-Xwaylandauth.10SPM2 r,
# /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache r,
/usr/share/locale-langpack/en_CA/LC_MESSAGES/atk10.mo r,
/etc/gtk-3.0/settings.ini r,
/usr/share/locale-langpack/en_CA/LC_MESSAGES/glib20.mo r,
/usr/share/themes/Yaru/gtk-3.0/gtk.gresource r,
/usr/lib/x86_64-linux-gnu/gio/modules r,
# /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache r,
/usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so mr,
/usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so mr,
/usr/share/themes/Yaru/gtk-3.0/gtk.css r,
# /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache r,
/usr/share/themes/Default/gtk-3.0/gtk-keys.css r,
/usr/lib/x86_64-linux-gnu/gtk-3.0/modules/libcanberra-gtk-module.so mr,
# /etc/ld.so.cache mr,
/lib/x86_64-linux-gnu/libcanberra-gtk3.so.0 mr,
/lib/x86_64-linux-gnu/libcanberra.so.0 mr,
/lib/x86_64-linux-gnu/libvorbisfile.so.3 mr,
/lib/x86_64-linux-gnu/libtdb.so.1 mr,
/lib/x86_64-linux-gnu/libltdl.so.7 mr,
/lib/x86_64-linux-gnu/libvorbis.so.0 mr,
/lib/x86_64-linux-gnu/libogg.so.0 mr,
/usr/share/X11/locale/locale.alias r,
/usr/share/X11/locale/locale.alias r,
/usr/share/X11/locale/locale.dir r,
/usr/share/X11/locale/en_US.UTF-8/XLC_LOCALE r,
/proc/24394/stat r,
/proc/24394/status r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so mr,
/run/user/1000/dconf/user r,
/opt/google/chrome/WidevineCdm/manifest.json r,
/opt/google/chrome/WidevineCdm/manifest.json r,
/dev/shm/.com.google.Chrome.8LmHuw r,
/dev/shm/.com.google.Chrome.VnpBBj r,
/dev/shm/.com.google.Chrome.6BomkU r,
# /etc/ld.so.cache mr,
/lib/x86_64-linux-gnu/libsecret-1.so.0 mr,
/dev/urandom r,
/dev/shm/.com.google.Chrome.ev2Vno r,
/dev/shm/.com.google.Chrome.71a7Gx r,
/dev/shm/.com.google.Chrome.71a7Gx r,
/usr/share/fonts/truetype/ubuntu/Ubuntu-R.ttf r,
/usr/share/fonts/truetype/ubuntu/Ubuntu-M.ttf r,
/usr/share/icons/Yaru/index.theme r,
/usr/share/icons/Yaru/icon-theme.cache r,
/usr/share/icons/Yaru/icon-theme.cache r,
/usr/share/icons/Humanity/index.theme r,
/usr/share/icons/Humanity/icon-theme.cache r,
/usr/share/icons/Humanity/icon-theme.cache r,
/usr/share/icons/Adwaita/index.theme r,
/usr/share/icons/Adwaita/icon-theme.cache r,
/usr/share/icons/Adwaita/icon-theme.cache r,
/usr/share/icons/hicolor/index.theme r,
/usr/share/icons/hicolor/icon-theme.cache r,
/usr/share/icons/hicolor/icon-theme.cache r,
/usr/share/icons r,
/var/lib/snapd/desktop/icons r,
/usr/share/pixmaps r,
/usr/share/icons/Yaru/scalable/ui/window-minimize-symbolic.svg r,
/usr/share/icons/Yaru/scalable/ui/window-minimize-symbolic.svg r,
/usr/share//mime//mime.cache r,
/usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so mr,
# /etc/ld.so.cache mr,
/lib/x86_64-linux-gnu/librsvg-2.so.2 mr,
/lib/x86_64-linux-gnu/libxml2.so.2 mr,
/lib/x86_64-linux-gnu/libicuuc.so.70 mr,
/lib/x86_64-linux-gnu/libicudata.so.70 mr,
/lib/x86_64-linux-gnu/libstdc++.so.6 mr,
/usr/share/locale-langpack/en_CA/LC_MESSAGES/gdk-pixbuf.mo r,
/usr/share/icons/Yaru/scalable/ui/window-maximize-symbolic.svg r,
/usr/share/icons/Yaru/scalable/ui/window-maximize-symbolic.svg r,
/usr/share/icons/Yaru/scalable/ui/window-close-symbolic.svg r,
/usr/share/icons/Yaru/scalable/ui/window-close-symbolic.svg r,
/dev/shm/.com.google.Chrome.n5fnEP r,
/dev/shm/.com.google.Chrome.Xxc0Ww r,
/usr/share/themes/Yaru/gtk-3.0/gtk.gresource r,
/usr/share/themes/Yaru/gtk-3.0/gtk.css r,
/proc/24435/stat r,
/proc/24435/status r,
/proc/24445/stat r,
/proc/24445/status r,
# /usr/lib/x86_64-linux-gnu/gtk-3.0/3.0.0/immodules.cache r,
/proc/24431/stat r,
/proc/24431/status r,
/dev/shm/.com.google.Chrome.YkkcJL r,
/dev/shm/.com.google.Chrome.hxTqvz r,
/dev/shm/.com.google.Chrome.GfH2x2 r,
/dev/shm/.com.google.Chrome.D6DXe2 r,
/dev/shm/.com.google.Chrome.clK2as r,
/dev/shm/.com.google.Chrome.3sa3pj r,
/proc/24481/stat r,
/proc/24481/status r,
/proc/24481/status r,
/proc/24481/statm r,
/proc/24482/stat r,
/proc/24482/status r,
/proc/24482/status r,
/proc/24482/statm r,
/dev/shm/.com.google.Chrome.6ZtBCC r,
/dev/shm/.com.google.Chrome.BJZBAq r,
/proc/24556/stat r,
/proc/24556/status r,
/proc/24556/status r,
/proc/24556/statm r,
/dev/shm/.com.google.Chrome.N4UlIT r,
/proc/24567/stat r,
/proc/24567/status r,
/proc/24567/stat r,
/dev/shm/.com.google.Chrome.0VFZ4Q r,
/proc/24573/stat r,
/proc/24573/status r,
/proc/24573/stat r,
/dev/shm/.com.google.Chrome.WW93fa r,
/proc/24579/stat r,
/proc/24579/status r,
/proc/24579/stat r,
/proc/self/stat r,
/proc/stat r,
/usr/share/fonts/truetype/liberation2/LiberationSans-Regular.ttf r,
/dev/shm/.com.google.Chrome.hi8EeO r,
/dev/shm/.com.google.Chrome.hi8EeO r,
/sys/devices/system/cpu/kernel_max r,
/sys/devices/system/cpu/possible r,
/sys/devices/system/cpu/present r,
/sys/devices/system/cpu/possible r,
/sys/devices/system/cpu/present r,
/proc/cpuinfo r,
/usr/share/fonts/truetype/ubuntu/Ubuntu-B.ttf r,
/dev/shm/.com.google.Chrome.RDBu0j r,
/proc/24587/stat r,
/proc/24587/status r,
/dev/urandom r,
/usr/share/fonts/truetype/ubuntu/Ubuntu-R.ttf r,
/usr/share/fonts/truetype/ubuntu/Ubuntu-R.ttf r,
/dev/shm/.com.google.Chrome.GLbmX4 r,
/proc/24595/stat r,
/proc/24595/status r,
/proc/24595/status r,
/proc/24595/statm r,
/dev/shm/.com.google.Chrome.eFyebM r,
/proc/24481/stat r,
/proc/24482/stat r,
/dev/shm/.com.google.Chrome.8poeUK r,
/proc/24611/stat r,
/proc/24611/status r,
/proc/24611/status r,
/proc/24611/statm r,
/dev/shm/.com.google.Chrome.988UDb r,
/proc/24625/stat r,
/proc/24625/status r,
/proc/24625/status r,
/proc/24625/statm r,
/dev/shm/.com.google.Chrome.hqVSp6 r,
/proc/24636/stat r,
/proc/24636/status r,
/dev/shm/.com.google.Chrome.ne7QX7 r,
/proc/24637/stat r,
/proc/24637/status r,
/proc/24637/stat r,
/dev/shm/.com.google.Chrome.tcBC1d r,
/proc/24659/stat r,
/proc/24659/status r,
/proc/24659/status r,
/proc/24659/statm r,
/proc/24611/stat r,
/dev/shm/.com.google.Chrome.6W3jFC r,
/proc/24668/stat r,
/proc/24668/status r,
/proc/24668/stat r,
/dev/shm/.com.google.Chrome.du8ECU r,
/proc/24674/stat r,
/proc/24674/status r,
/proc/24674/stat r,
/proc/24595/stat r,
/dev/shm/.com.google.Chrome.foJVbR r,
/proc/24680/stat r,
/proc/24680/status r,
/proc/24680/status r,
/proc/24680/statm r,
/proc/24625/stat r,
/dev/shm/.com.google.Chrome.TSjBXe r,
/proc/24703/stat r,
/proc/24703/status r,
/proc/24703/status r,
/proc/24703/statm r,
/dev/shm/.com.google.Chrome.MAxHoJ r,
/proc/24724/stat r,
/proc/24724/status r,
/dev/shm/.com.google.Chrome.aYns1f r,
/proc/24734/stat r,
/proc/24734/status r,
/proc/24734/status r,
/proc/24734/statm r,
/dev/shm/.com.google.Chrome.5ZabYe r,
/proc/24743/stat r,
/proc/24743/status r,
/proc/24743/status r,
/proc/24743/statm r,
/dev/shm/.com.google.Chrome.aMxM8a r,
/dev/shm/.com.google.Chrome.cL8mgx r,
/proc/24754/stat r,
/proc/24754/status r,
/proc/24755/stat r,
/proc/24755/status r,
/proc/24754/stat r,
/proc/24755/stat r,
/proc/24724/stat r,
/dev/shm/.com.google.Chrome.ojMwCb r,
/proc/24767/stat r,
/proc/24767/status r,
/proc/24767/status r,
/proc/24767/statm r,
/proc/24743/stat r,
/dev/shm/.com.google.Chrome.WJqnA1 r,
/proc/24776/stat r,
/proc/24776/status r,
/proc/24776/status r,
/proc/24776/statm r,
/proc/24734/stat r,
/proc/24703/stat r,
/dev/shm/.com.google.Chrome.uQha5v r,
/proc/24799/stat r,
/proc/24799/status r,
/dev/shm/.com.google.Chrome.CTczBs r,
/proc/24805/stat r,
/proc/24805/status r,
/proc/24805/status r,
/proc/24805/statm r,
/dev/shm/.com.google.Chrome.oljb6l r,
/proc/24815/stat r,
/proc/24815/status r,
/proc/24815/status r,
/proc/24815/statm r,
/proc/24799/stat r,
/dev/shm/.com.google.Chrome.ZLA7Jv r,
/dev/shm/.com.google.Chrome.C52HDi r,
/dev/shm/.com.google.Chrome.C52HDi r,
/dev/shm/.com.google.Chrome.lkWy1c r,
/proc/24834/stat r,
/proc/24834/status r,
/proc/24834/stat r,
/dev/shm/.com.google.Chrome.NBMUhX r,
/proc/24846/stat r,
/proc/24846/status r,
/proc/24846/status r,
/proc/24846/statm r,
/dev/shm/.com.google.Chrome.kSgUf6 r,
/proc/24855/stat r,
/proc/24855/status r,
/proc/24855/status r,
/proc/24855/statm r,
/dev/shm/.com.google.Chrome.ChqH3o r,
/proc/24865/stat r,
/proc/24865/status r,
/proc/24865/stat r,
/proc/24805/stat r,
/dev/shm/.com.google.Chrome.snVCC6 r,
/proc/24880/stat r,
/proc/24880/status r,
/proc/24846/stat r,
/proc/24880/stat r,
/proc/24815/stat r,
/dev/shm/.com.google.Chrome.UDFU9n r,
/proc/24895/stat r,
/proc/24895/status r,
/dev/shm/.com.google.Chrome.jMUYYX r,
/proc/24901/stat r,
/proc/24901/status r,
/proc/24901/status r,
/proc/24901/statm r,
/dev/shm/.com.google.Chrome.xMpwXE r,
/proc/24910/stat r,
/proc/24910/status r,
/proc/24910/status r,
/proc/24910/statm r,
/dev/shm/.com.google.Chrome.4UqO5u r,
/proc/24922/stat r,
/proc/24922/status r,
/proc/24922/stat r,
/dev/shm/.com.google.Chrome.5mrkOz r,
/proc/24928/stat r,
/proc/24928/status r,
/proc/24928/stat r,
/proc/24895/stat r,
/proc/24855/stat r,
/proc/24901/stat r,
/dev/shm/.com.google.Chrome.4UD2oc r,
/proc/24935/stat r,
/proc/24935/status r,
/proc/24935/status r,
/proc/24935/statm r,
/dev/shm/.com.google.Chrome.UiW1Nl r,
/proc/24944/stat r,
/proc/24944/status r,
/proc/24944/status r,
/proc/24944/statm r,
/dev/shm/.com.google.Chrome.Z3hXI7 r,
/dev/shm/.com.google.Chrome.U4B0y0 r,
/proc/24956/stat r,
/proc/24956/status r,
/proc/24960/stat r,
/proc/24960/status r,
/proc/24956/stat r,
/proc/24960/stat r,
/dev/shm/.com.google.Chrome.kKCyTR r,
/dev/shm/.com.google.Chrome.op8452 r,
/proc/24970/stat r,
/proc/24970/status r,
/proc/24970/status r,
/proc/24970/statm r,
/dev/shm/.com.google.Chrome.YA6luT r,
/proc/24979/stat r,
/proc/24979/status r,
/proc/24979/status r,
/proc/24979/statm r,
/proc/24944/stat r,
/dev/shm/.com.google.Chrome.Isly3q r,
/proc/24988/stat r,
/proc/24988/status r,
/proc/24988/status r,
/proc/24988/statm r,
/proc/24979/stat r,
/proc/24935/stat r,
/proc/24910/stat r,
/proc/meminfo r,
/proc/24394/stat r,
/proc/24394/status r,
/proc/24680/stat r,
/proc/24680/status r,
/proc/24556/stat r,
/proc/24556/status r,
/proc/24659/stat r,
/proc/24659/status r,
/proc/24776/stat r,
/proc/24776/status r,
/proc/24767/stat r,
/proc/24767/status r,
/proc/24970/stat r,
/proc/24970/status r,
/proc/24988/stat r,
/proc/24988/status r,
/proc/24431/stat r,
/proc/24431/status r,
/proc/24435/stat r,
/proc/24435/status r,
/proc/24445/stat r,
/proc/24445/status r,
/proc/24587/stat r,
/proc/24587/status r,
/proc/24636/stat r,
/proc/24636/status r,
/dev/shm/.com.google.Chrome.TtNybf r,
/proc/25009/stat r,
/proc/25009/status r,
/proc/25009/status r,
/proc/25009/statm r,
/dev/shm/.com.google.Chrome.5S2KSO r,
/proc/25027/stat r,
/proc/25027/status r,
/proc/25027/stat r,
/dev/shm/.com.google.Chrome.7xUzsC r,
/proc/25033/stat r,
/proc/25033/status r,
/proc/25033/stat r,
/dev/shm/.com.google.Chrome.YW28rN r,
/proc/25040/stat r,
/proc/25040/status r,
/proc/25040/status r,
/proc/25040/statm r,
/proc/24988/stat r,
/dev/shm/.com.google.Chrome.Pgf7hD r,
/proc/25058/stat r,
/proc/25058/status r,
/dev/shm/.com.google.Chrome.YfPMw6 r,
/proc/25064/stat r,
/proc/25064/status r,
/proc/25064/status r,
/proc/25064/statm r,
/dev/shm/.com.google.Chrome.FW3RIc r,
/proc/25074/stat r,
/proc/25074/status r,
/proc/25074/status r,
/proc/25074/statm r,
/dev/shm/.com.google.Chrome.0cf1fI r,
/proc/25085/stat r,
/proc/25085/status r,
/proc/25085/stat r,
/dev/shm/.com.google.Chrome.guzIBc r,
/proc/25091/stat r,
/proc/25091/status r,
/proc/25091/stat r,
/proc/25058/stat r,
/dev/shm/.com.google.Chrome.NATEoy r,
/dev/shm/.com.google.Chrome.9dKIo2 r,
/proc/25098/stat r,
/proc/25098/status r,
/proc/25098/status r,
/proc/25098/statm r,
/proc/25098/stat r,
/dev/shm/.com.google.Chrome.tYOVDv r,
/proc/25107/stat r,
/proc/25107/status r,
/proc/25107/status r,
/proc/25107/statm r,
/proc/25064/stat r,
/proc/25040/stat r,
/dev/shm/.com.google.Chrome.93umEf r,
/dev/shm/.com.google.Chrome.3ok6E0 r,
/proc/25125/stat r,
/proc/25125/status r,
/proc/25126/stat r,
/proc/25126/status r,
/proc/25125/stat r,
/proc/25126/stat r,
/dev/shm/.com.google.Chrome.dzbUM2 r,
/proc/25137/stat r,
/proc/25137/status r,
/proc/25137/stat r,
/dev/shm/.com.google.Chrome.2GKEsc r,
/proc/25143/stat r,
/proc/25143/status r,
/proc/25143/stat r,
/dev/shm/.com.google.Chrome.2KHrIw r,
/proc/25153/stat r,
/proc/25153/status r,
/dev/shm/.com.google.Chrome.8yHxWy r,
/proc/25159/stat r,
/proc/25159/status r,
/proc/25153/stat r,
/dev/shm/.com.google.Chrome.KXWVp9 r,
/proc/25159/stat r,
/proc/25165/stat r,
/proc/25165/status r,
/dev/shm/.com.google.Chrome.2WNzLP r,
/proc/25165/stat r,
/proc/25171/stat r,
/proc/25171/status r,
/proc/25171/stat r,
/dev/shm/.com.google.Chrome.d7Gdmc r,
/proc/25177/stat r,
/proc/25177/status r,
/proc/25177/status r,
/proc/25177/statm r,
/dev/shm/.com.google.Chrome.1CIThh r,
/dev/shm/.com.google.Chrome.gsytpz r,
/proc/25186/stat r,
/proc/25186/status r,
/proc/25187/stat r,
/proc/25187/status r,
/proc/25186/stat r,
/proc/25187/stat r,
/proc/25177/stat r,
/dev/shm/.com.google.Chrome.u4LrWH r,
/proc/25208/stat r,
/proc/25208/status r,
/proc/25208/status r,
/proc/25208/statm r,
/proc/25074/stat r,
/proc/24970/stat r,
/dev/shm/.com.google.Chrome.aZB5vS r,
/proc/25227/stat r,
/proc/25227/status r,
/proc/25227/status r,
/proc/25227/statm r,
/dev/shm/.com.google.Chrome.d3dH0G r,
/proc/25236/stat r,
/proc/25236/status r,
/proc/25236/status r,
/proc/25236/statm r,
/dev/shm/.com.google.Chrome.50bMsa r,
/proc/25248/stat r,
/proc/25248/status r,
/proc/25248/stat r,
/dev/shm/.com.google.Chrome.H92Iyk r,
/proc/25254/stat r,
/proc/25254/status r,
/proc/25254/stat r,
/dev/shm/.com.google.Chrome.n5cb1k r,
/proc/25262/stat r,
/proc/25262/status r,
/proc/25262/status r,
/proc/25262/statm r,
/proc/25227/stat r,
/proc/25107/stat r,
/dev/shm/.com.google.Chrome.PczcO8 r,
/proc/25275/stat r,
/proc/25275/status r,
/proc/25275/stat r,
/dev/shm/.com.google.Chrome.og2x1u r,
/proc/25262/stat r,
/proc/25208/stat r,
/proc/24776/stat r,
/proc/25009/stat r,
/proc/24767/stat r,
/proc/24680/stat r,
/proc/24659/stat r,
/proc/25236/stat r,
/proc/24556/stat r,
/proc/24435/stat r,
/proc/24431/stat r,
/proc/24431/stat r,
/proc/24431/stat r,
/proc/24445/stat r,
/proc/24445/stat r,
/proc/24587/stat r,
/proc/24636/stat r,
/proc/24636/stat r,
/tmp/.com.google.Chrome.BkFJwB r,
###MY CHANGES
deny / rx,
# deny @{PROC}/ r,
# deny /dev/ r,
# deny /dev/**/ r,
deny @{HOMEDIRS}/ rx,
### ETC is where cron lives, and cron can startup a persisted hack-app
deny /etc/ rwx,
deny /etc/** rwx,
### udev creates devices upon whatever and runs jobs
deny /lib/udev/ rwx,
deny /lib/udev/** rwx,
### systemd starts up services at boot, which are scripts,
deny /usr/lib/systemd/ rwx,
deny /usr/lib/systemd/** rwx,
### deny changing everything in Home
deny @{HOME}/ wx,
deny @{HOME}/Documents/ rwx,
deny @{HOME}/Documents/** rwx,
### .config starts up things for the user
# needs @{HOME}/.config/dconf/user w , as per above
# so deny everything else in @{HOME}/.config
deny @{HOME}/.config/ wx,
deny @{HOME}/.config/enchant/** rwx,
deny @{HOME}/.config/evolution/** rwx,
deny @{HOME}/.config/gnome-session/** rwx,
deny @{HOME}/.config/goa-1.0/** rwx,
deny @{HOME}/.config/gtk-3.0/** rwx,
deny @{HOME}/.config/gtk-4.0/** rwx,
deny @{HOME}/.config/ibus/** rwx,
deny @{HOME}/.config/nautilus/** rwx,
@{HOME}/.config/pulse/cookie rw,
deny @{HOME}/.config/pulse/** x,
deny @{HOME}/.config/tiling-assistant/** rwx,
deny @{HOME}/.config/update-notifier/** rwx,
deny @{HOME}/Desktop/** rwx,
deny @{HOME}/.local/** rwx,
deny @{HOME}/Music/** rwx,
deny @{HOME}/Pictures/** rwx,
deny @{HOME}/Public/** rwx,
deny @{HOME}/snap/** rwx,
deny @{HOME}/.ssh/** rwx,
deny @{HOME}/Templates/** rwx,
deny @{HOME}/Videos/** rwx,
deny @{HOME}/Downloads/** x,
deny @{HOME}/Uploads/** wx,
### and only allow updating cache
### and only allow updating its own dir
### but deny all executes from them
@{HOME}/.config/google-chrome/ rw,
@{HOME}/.config/google-chrome/** rw,
@{HOME}/.cache/google-chrome/ rw,
@{HOME}/.cache/google-chrome/** rw,
deny @{HOME}/.config/google-chrome/ x,
deny @{HOME}/.config/google-chrome/** x,
deny @{HOME}/.cache/google-chrome/ x,
deny @{HOME}/.cache/google-chrome/** x,
### allow access only to Downloads
### forbid reading from Documents, all uploads must be copied to @{HOME}/Uploads
owner @{HOME}/Downloads/** rw,
owner @{HOME}/Uploads/** r,
}
Last edited: