snap-confine man page

snap-confine — internal tool for confining snappy applications

Synopsis

snap-confine SECURITY_TAG COMMAND [...ARGUMENTS]

Description

The snap-confine is a program used internally by snapd to construct a confined execution environment for snap applications.

Options

The snap-confine program does not support any options.

Features

Apparmor profiles

snap-confine switches to the apparmor profile $SECURITY_TAG. The profile is mandatory and snap-confine will refuse to run without it.

has to be loaded into the kernel prior to using snap-confine. Typically this is arranged for by snapd. The profile contains rich description of what the application process is allowed to do, this includes system calls, file paths, access patterns, linux capabilities, etc. The apparmor profile can also do extensive dbus mediation. Refer to apparmor documentation for more details.

Seccomp profiles

snap-confine looks for the /var/lib/snapd/seccomp/profiles/$SECURITY_TAG file. This file is mandatory and snap-confine will refuse to run without it.

The file is read and parsed using a custom syntax that describes the set of allowed system calls and optionally their arguments. The profile is then used to confine the started application.

As a security precaution disallowed system calls cause the started application executable to be killed by the kernel. In the future this restriction may be lifted to return EPERM instead.

Mount profiles

snap-confine looks for the /var/lib/snapd/mount/$SECURITY_TAG.fstab file. If present it is read, parsed and treated like a typical fstab(5) file. The mount directives listed there are executed in order. All directives must succeed as any failure will abort execution.

By default all mount entries start with the following flags: bind, ro, nodev, nosuid. Some of those flags can be reversed by an appropriate option (e.g. rw can cause the mount point to be writable).

As a security precaution only bind mounts are supported at this time.

Quirks

snap-confine contains a quirk system that emulates some or the behavior of the older versions of snap-confine that certain snaps (still in devmode but useful and important) have grown to rely on. This section documents the list of quirks:

·
The /var/lib/lxd directory, if it exists on the host, is made available in the execution environment. This allows various snaps, while running in devmode, to access the LXD socket. LP: #1613845

Sharing of the mount namespace

As of version 1.0.41 all the applications from the same snap will share the same mount namespace. Applications from different snaps continue to use separate mount namespaces.

Environment

snap-confine responds to the following environment variables

SNAP_CONFINE_DEBUG:
When defined the program will print additional diagnostic information about the actions being performed. All the output goes to stderr.

The following variables are only used when snap-confine is not setuid root. This is only applicable when testing the program itself.

SNAPPY_LAUNCHER_INSIDE_TESTS:
Internal variable that should not be relied upon.
SNAP_CONFINE_NO_ROOT:
Internal variable that should not be relied upon.
SNAPPY_LAUNCHER_SECCOMP_PROFILE_DIR:
Internal variable that should not be relied upon.
SNAP_USER_DATA:
Full path to the directory like /home/$LOGNAME/snap/$SNAP_NAME/$SNAP_REVISION.

This directory is created by snap-confine on startup. This is a temporary feature that will be merged into snapd's snap-run command. The set of directories that can be created is confined with apparmor.

Files

snap-confine uses the following files:

/var/lib/snapd/mount/*.fstab:

Description of the mount profile.

/var/lib/snapd/seccomp/profiles/*:

Description of the seccomp profile.

/run/snapd/ns/:

Directory used to keep shared mount namespaces.

snap-confine internally converts this directory to a private bind mount. Semantically the behavior is identical to the following mount commands:

mount --bind /run/snapd/ns /run/snapd/ns mount --make-private /run/snapd/ns

/run/snapd/ns/.lock:

A flock(2)-based lock file acquired to create and convert /run/snapd/ns/ to a private bind mount.

/run/snapd/ns/$SNAP_NAME.lock:

A flock(2)-based lock file acquired to create or join the mount namespace represented as /run/snaps/ns/$SNAP_NAME.mnt.

/run/snapd/ns/$SNAP_NAME.mnt:

This file can be either:

·
An empty file that may be seen before the mount namespace is preserved or when the mount namespace is unmounted.
·
A file belonging to the nsfs file system, representing a fully populated mount namespace of a given snap. The file is bind mounted from /proc/self/ns/mnt from the first process in any snap.

/proc/self/mountinfo:

This file is read to decide if /run/snapd/ns/ needs to be created and converted to a private bind mount, as described above.

Note that the apparmor profile is external to snap-confine and is loaded directly into the kernel. The actual apparmor profile is managed by snapd.

Bugs

Please report all bugs with https://bugs.launchpad.net/snap-confine…

Author

zygmunt.krynicki@canonical.com

Referenced By

ubuntu-core-launcher(1).

2016-10-05 1.0.43 snappy