SNAP-CONFINE(8)                     snappy                     SNAP-CONFINE(8)

NAME

       snap-confine - internal tool for confining snappy applications


SYNOPSIS

          snap-confine [--classic] [--base BASE] SECURITY_TAG COMMAND
          [...ARGUMENTS]


DESCRIPTION

       snap-confine is a program used internally by snapd to construct the
       execution environment for snap applications.


OPTIONS

       The snap-confine program accepts two options:

          --classic requests the so-called classic confinement, in which
          applications are not confined at all (as on classic systems, hence
          the name). This disables the use of a dedicated, per-snap mount
          namespace. The snapd service generates permissive apparmor and
          seccomp profiles that allow everything.

          --base BASE directs snap-confine to use the given base snap as the
          root filesystem. If omitted it defaults to the core snap. This is
          derived from snap meta-data by snapd when starting the application
          process.


FEATURES

   Apparmor profiles
       snap-confine switches to the apparmor profile $SECURITY_TAG. The
       profile is mandatory and snap-confine will refuse to run without it.

       The profile has to be loaded into the kernel prior to using
       snap-confine. Typically this is arranged for by snapd. The profile
       contains a rich description of what the application process is allowed
       to do, including system calls, file paths, access patterns, Linux
       capabilities, etc. The apparmor profile can also do extensive dbus
       mediation. Refer to the apparmor documentation for more details.

   Seccomp profiles
       snap-confine looks for the /var/lib/snapd/seccomp/bpf/$SECURITY_TAG.bin
       file. This file is mandatory and snap-confine will refuse to run
       without it. It contains the seccomp BPF program that snap-confine
       loads into the kernel.

       The file is generated by the /usr/lib/snapd/snap-seccomp compiler from
       the $SECURITY_TAG.src file, which uses a custom syntax describing the
       set of allowed system calls and, optionally, their arguments. The
       compiled profile is then used to confine the started application.

       As a security precaution, a disallowed system call causes the kernel
       to kill the application process (with SIGSYS) rather than return an
       error. In the future this restriction may be lifted so that
       disallowed calls return EPERM instead.

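       The two kernel behaviours described above, shown side by side. This
       is an added example and not code from snap-confine or snapd: it
       hand-assembles a tiny filter (the real ones are compiled by
       snap-seccomp from $SECURITY_TAG.src), denies only getppid(2), and
       reports whether the confined child was killed by SIGSYS or got EPERM.
       The choice of getppid(2), the DEMO_AUDIT_ARCH macro and the outcome
       codes are this example's own.

```c
/* Added example (not snap-confine's own code): a disallowed syscall under
 * seccomp either kills the process (SECCOMP_RET_KILL, the behaviour the man
 * page describes) or fails with EPERM (SECCOMP_RET_ERRNO, the possible
 * future behaviour). The filter denies only getppid(2); everything else is
 * allowed. Build with: cc -Wall -o seccomp_demo seccomp_demo.c */
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Syscall numbers are per-ABI, so a real filter must pin the architecture
 * or it can be bypassed by entering the kernel through another ABI. */
#if defined(__x86_64__)
#define DEMO_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__i386__)
#define DEMO_AUDIT_ARCH AUDIT_ARCH_I386
#elif defined(__aarch64__)
#define DEMO_AUDIT_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* constant for this architecture"
#endif

enum outcome {
    OUT_UNSUPPORTED = -1,  /* the kernel or an outer sandbox refused the filter */
    OUT_ALLOWED = 0,       /* getppid(2) went through */
    OUT_KILLED_SIGSYS = 1, /* the child was killed by SIGSYS */
    OUT_EPERM = 2          /* getppid(2) returned -1 with errno == EPERM */
};

/* Install an allow-everything filter with one exception: getppid(2) gets
 * deny_action. */
static int install_filter(uint32_t deny_action)
{
    struct sock_filter filter[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_AUDIT_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL), /* wrong ABI: kill */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_getppid, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, deny_action),      /* nr == getppid */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW), /* everything else */
    };
    struct sock_fprog prog = { .len = sizeof filter / sizeof filter[0],
                               .filter = filter };

    /* Without no_new_privs only CAP_SYS_ADMIN may install a filter; it also
     * stops a later execve of a setuid binary from shedding the filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Fork, confine the child, make it call the denied syscall, and report what
 * the kernel did to it. */
int run_confined(uint32_t deny_action)
{
    pid_t pid = fork();
    if (pid < 0)
        return OUT_UNSUPPORTED;
    if (pid == 0) {
        if (install_filter(deny_action) != 0)
            _exit(100);
        long r = syscall(SYS_getppid);
        _exit(r == -1 && errno == EPERM ? OUT_EPERM : OUT_ALLOWED);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) != pid)
        return OUT_UNSUPPORTED;
    if (WIFSIGNALED(status))
        return WTERMSIG(status) == SIGSYS ? OUT_KILLED_SIGSYS : OUT_UNSUPPORTED;
    if (!WIFEXITED(status) || WEXITSTATUS(status) == 100)
        return OUT_UNSUPPORTED;
    return WEXITSTATUS(status);
}

int main(void)
{
    printf("SECCOMP_RET_KILL  -> %d (1 = killed by SIGSYS)\n",
           run_confined(SECCOMP_RET_KILL));
    printf("SECCOMP_RET_ERRNO -> %d (2 = got EPERM)\n",
           run_confined(SECCOMP_RET_ERRNO | EPERM));
    return 0;
}
```

       The child is forked because the kill outcome ends the process that
       made the call; the parent reads the result from the wait status. When
       the filter cannot be installed at all (no seccomp support, or an outer
       sandbox that forbids it) the function returns OUT_UNSUPPORTED instead
       of guessing.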
   Mount profiles
       snap-confine uses a helper process, snap-update-ns, to apply the mount
       namespace profile to the freshly constructed mount namespace. That
       tool looks for the /var/lib/snapd/mount/snap.$SNAP_NAME.fstab file. If
       present it is read, parsed and treated like a mostly-typical fstab(5)
       file. The mount directives listed there are executed in order. All
       directives must succeed, as any failure aborts execution.

       By default all mount entries start with the following flags: bind, ro,
       nodev, nosuid. Some of those flags can be reversed by an appropriate
       option (e.g. rw makes the mount point writable).

       Certain additional features are enabled and conveyed through the use
       of mount options prefixed with x-snapd-.

       As a security precaution only bind mounts are supported at this time.

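       A parser for a mount profile of the shape described above. This is an
       added example, not snap-update-ns's own code: the default flags, the
       rw reversal, the x-snapd- prefix and the bind-only rule come from this
       page; the struct layout, the decision to reject (rather than ignore)
       any other option, and the sample profile are this example's own
       assumptions.

```c
/* Added example (not snap-update-ns's own code): parse a per-snap mount
 * profile in the fstab(5)-like format described above into mount(2) flags.
 * Build with: cc -Wall -o mount_profile mount_profile.c */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>

#define MAX_OPTS 8

struct mount_entry {
    char source[256];
    char target[256];
    unsigned long flags;              /* MS_* flags to hand to mount(2) */
    char snapd_opts[MAX_OPTS][64];    /* x-snapd-* options, for the caller */
    int n_snapd_opts;
};

/* Every entry starts out as a read-only, nodev, nosuid bind mount. */
static const unsigned long DEFAULT_FLAGS = MS_BIND | MS_RDONLY | MS_NODEV | MS_NOSUID;

/* Parse one line: fs_spec fs_file fs_vfstype fs_mntops [fs_freq fs_passno].
 * Returns 0 on success, -1 on any error. Anything that is not a plain bind
 * mount, or any option this parser does not know, is rejected rather than
 * ignored: an unrecognised option could silently widen what is granted. */
int parse_mount_line(const char *line, struct mount_entry *e)
{
    char buf[1024], *save = NULL, *osave = NULL;
    int saw_bind = 0;

    memset(e, 0, sizeof *e);
    e->flags = DEFAULT_FLAGS;
    if (strlen(line) >= sizeof buf)
        return -1;
    strcpy(buf, line);

    char *source = strtok_r(buf, " \t", &save);
    char *target = strtok_r(NULL, " \t", &save);
    char *fstype = strtok_r(NULL, " \t", &save);
    char *opts   = strtok_r(NULL, " \t", &save);
    if (!source || !target || !fstype || !opts)
        return -1;
    /* Absolute paths only; a bind mount has no real filesystem type. */
    if (source[0] != '/' || target[0] != '/' || strcmp(fstype, "none") != 0)
        return -1;
    snprintf(e->source, sizeof e->source, "%s", source);
    snprintf(e->target, sizeof e->target, "%s", target);

    for (char *o = strtok_r(opts, ",", &osave); o; o = strtok_r(NULL, ",", &osave)) {
        if (strcmp(o, "bind") == 0)        saw_bind = 1;
        else if (strcmp(o, "ro") == 0)     e->flags |= MS_RDONLY;
        else if (strcmp(o, "rw") == 0)     e->flags &= ~MS_RDONLY; /* the documented reversal */
        else if (strcmp(o, "nodev") == 0)  e->flags |= MS_NODEV;
        else if (strcmp(o, "nosuid") == 0) e->flags |= MS_NOSUID;
        else if (strncmp(o, "x-snapd-", 8) == 0) {
            if (e->n_snapd_opts >= MAX_OPTS)
                return -1;
            snprintf(e->snapd_opts[e->n_snapd_opts++], 64, "%s", o);
        } else
            return -1; /* dev, suid, exec, remount, ... are all refused */
    }
    return saw_bind ? 0 : -1; /* only bind mounts are supported */
}

/* Parse a whole profile. Stops at the first bad line, mirroring the
 * all-or-nothing policy described above; returns the entry count or -1. */
int parse_mount_profile(const char *text, struct mount_entry *out, int max)
{
    char *copy = strdup(text), *save = NULL;
    int n = 0;
    if (!copy)
        return -1;
    for (char *line = strtok_r(copy, "\n", &save); line; line = strtok_r(NULL, "\n", &save)) {
        if (line[0] == '#' || line[strspn(line, " \t")] == '\0')
            continue; /* comment or blank line */
        if (n >= max || parse_mount_line(line, &out[n]) != 0) {
            free(copy);
            return -1;
        }
        n++;
    }
    free(copy);
    return n;
}

/* Constructed sample profile for this example; not taken from any real snap. */
static const char SAMPLE_PROFILE[] =
    "# constructed sample, not a real snap's profile\n"
    "/snap/core/1234/usr/share/demo /usr/share/demo none bind,ro 0 0\n"
    "/var/lib/snapd/hostfs/var/tmp /var/tmp none bind,rw,x-snapd-example 0 0\n";

int main(void)
{
    struct mount_entry entries[8];
    int n = parse_mount_profile(SAMPLE_PROFILE, entries, 8);
    if (n < 0) {
        fputs("profile rejected\n", stderr);
        return 1;
    }
    for (int i = 0; i < n; i++)
        printf("%s -> %s (%s, %d x-snapd- option(s))\n", entries[i].source,
               entries[i].target, entries[i].flags & MS_RDONLY ? "ro" : "rw",
               entries[i].n_snapd_opts);
    return 0;
}
```

       The sample's second line shows the one reversal the page documents:
       rw clears MS_RDONLY while bind, nodev and nosuid stay set. A line
       with a real filesystem type, without bind, or with an option such as
       suid is refused outright.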
   Sharing of the mount namespace
       As of version 1.0.41 all the applications from the same snap share the
       same mount namespace. Applications from different snaps continue to
       use separate mount namespaces.


ENVIRONMENT

       snap-confine responds to the following environment variables:

       SNAP_CONFINE_DEBUG:
              When defined the program prints additional diagnostic
              information about the actions being performed. All the output
              goes to stderr.

       The following variables are only used when snap-confine is not setuid
       root. This is only applicable when testing the program itself.

       SNAPPY_LAUNCHER_INSIDE_TESTS:
              Internal variable that should not be relied upon.

       SNAP_CONFINE_NO_ROOT:
              Internal variable that should not be relied upon.

       SNAPPY_LAUNCHER_SECCOMP_PROFILE_DIR:
              Internal variable that should not be relied upon.

       SNAP_USER_DATA:
              Full path to a directory such as
              /home/$LOGNAME/snap/$SNAP_NAME/$SNAP_REVISION.

              This directory is created by snap-confine on startup. This is a
              temporary feature that will be merged into snapd's snap-run
              command. The set of directories that can be created is confined
              with apparmor.


FILES

       snap-confine and snap-update-ns use the following files:

       /var/lib/snapd/mount/snap.*.fstab:
          Description of the mount profile.

       /var/lib/snapd/seccomp/bpf/*.src:
          Input for the /usr/lib/snapd/snap-seccomp profile compiler.

       /var/lib/snapd/seccomp/bpf/*.bin:
          Compiled seccomp bpf profile programs.

       /run/snapd/ns/:
          Directory used to keep shared mount namespaces.

          snap-confine internally converts this directory to a private bind
          mount. Semantically the behavior is identical to the following
          mount commands:

              mount --bind /run/snapd/ns /run/snapd/ns
              mount --make-private /run/snapd/ns

       /run/snapd/ns/.lock:
          A flock(2)-based lock file acquired to create and convert
          /run/snapd/ns/ to a private bind mount.

       /run/snapd/ns/$SNAP_NAME.lock:
          A flock(2)-based lock file acquired to create or join the mount
          namespace represented as /run/snapd/ns/$SNAP_NAME.mnt.

       /run/snapd/ns/$SNAP_NAME.mnt:
          This file can be either:

          · An empty file that may be seen before the mount namespace is
            preserved or when the mount namespace is unmounted.

          · A file belonging to the nsfs file system, representing a fully
            populated mount namespace of a given snap. The file is bind
            mounted from /proc/self/ns/mnt of the first process of that snap.

       /proc/self/mountinfo:
          This file is read to decide if /run/snapd/ns/ needs to be created
          and converted to a private bind mount, as described above.

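       The create-or-join sequence behind $SNAP_NAME.lock and $SNAP_NAME.mnt,
       written out as an added example; this is not snap-confine's own code.
       The paths and lock names follow the FILES section above; the function
       names, the nsfs classification via fstatfs(2), the pipe handshake with
       a helper child and the error handling are this example's own. The
       join_or_create_mount_ns() step needs CAP_SYS_ADMIN; ns_file_state()
       does not.

```c
/* Added example (not snap-confine's own code): join a preserved per-snap
 * mount namespace, or create one and preserve it, under the per-snap flock.
 * Build with: cc -Wall -o ns_join ns_join.c */
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <linux/magic.h>
#include <sched.h>
#include <stdio.h>
#include <sys/file.h>
#include <sys/mount.h>
#include <sys/vfs.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef NSFS_MAGIC
#define NSFS_MAGIC 0x6e736673 /* "nsfs"; older linux/magic.h lacks it */
#endif

enum ns_state { NS_ERROR = -1, NS_NOT_PRESERVED = 0, NS_PRESERVED = 1 };

/* A plain (empty) $SNAP_NAME.mnt means no namespace has been preserved yet;
 * an nsfs inode means a namespace is bind-mounted over it. */
enum ns_state ns_file_state(int fd)
{
    struct statfs sfs;
    if (fstatfs(fd, &sfs) != 0)
        return NS_ERROR;
    return sfs.f_type == NSFS_MAGIC ? NS_PRESERVED : NS_NOT_PRESERVED;
}

enum ns_state ns_file_state_path(const char *path)
{
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return NS_ERROR;
    enum ns_state s = ns_file_state(fd);
    close(fd);
    return s;
}

/* Under the per-snap flock, either join the preserved namespace or create a
 * new one and preserve it. The lock turns the check-then-act sequence into
 * one step with respect to a second process of the same snap starting at
 * the same time. Returns 0 on success, -1 on failure. */
int join_or_create_mount_ns(const char *ns_dir, const char *snap_name)
{
    char lock_path[PATH_MAX], mnt_path[PATH_MAX];
    int lock_fd = -1, mnt_fd = -1, rc = -1, status, sync_pipe[2];
    pid_t helper;

    snprintf(lock_path, sizeof lock_path, "%s/%s.lock", ns_dir, snap_name);
    snprintf(mnt_path, sizeof mnt_path, "%s/%s.mnt", ns_dir, snap_name);

    lock_fd = open(lock_path, O_RDWR | O_CREAT | O_CLOEXEC, 0600);
    if (lock_fd < 0 || flock(lock_fd, LOCK_EX) != 0)
        goto out;
    mnt_fd = open(mnt_path, O_RDONLY | O_CREAT | O_CLOEXEC, 0600);
    if (mnt_fd < 0)
        goto out;

    if (ns_file_state(mnt_fd) == NS_PRESERVED) {
        /* An earlier process of this snap left a populated namespace: join it. */
        rc = setns(mnt_fd, CLONE_NEWNS);
        goto out;
    }

    /* First process of this snap. The bind mount that pins the new namespace
     * must be made by a process still in the original namespace: the
     * directory is private, so a mount made after unshare() would stay in
     * the new namespace and the next process would find an empty file. A
     * helper child does it once told through a pipe that we have unshared. */
    if (pipe2(sync_pipe, O_CLOEXEC) != 0)
        goto out;
    helper = fork();
    if (helper < 0) {
        close(sync_pipe[0]);
        close(sync_pipe[1]);
        goto out;
    }
    if (helper == 0) {
        char go, ns_path[64];
        close(sync_pipe[1]);
        if (read(sync_pipe[0], &go, 1) != 1)
            _exit(1); /* EOF: the parent failed before unsharing */
        snprintf(ns_path, sizeof ns_path, "/proc/%d/ns/mnt", (int)getppid());
        _exit(mount(ns_path, mnt_path, NULL, MS_BIND, NULL) == 0 ? 0 : 1);
    }
    close(sync_pipe[0]);
    rc = unshare(CLONE_NEWNS);
    if (rc == 0 && write(sync_pipe[1], "", 1) != 1)
        rc = -1;
    close(sync_pipe[1]);
    if (waitpid(helper, &status, 0) != helper || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        rc = -1;
out:
    if (mnt_fd >= 0)
        close(mnt_fd);
    if (lock_fd >= 0)
        close(lock_fd); /* closing the descriptor releases the flock */
    return rc;
}

int main(int argc, char **argv)
{
    const char *snap = argc > 1 ? argv[1] : "example-snap";
    printf("/proc/self/ns/mnt is %s\n",
           ns_file_state_path("/proc/self/ns/mnt") == NS_PRESERVED ? "an nsfs inode" : "not nsfs");
    if (geteuid() != 0) {
        puts("not root: skipping join_or_create_mount_ns()");
        return 0;
    }
    return join_or_create_mount_ns("/run/snapd/ns", snap) == 0 ? 0 : 1;
}
```

       Two details matter for security here. The flock is held across both
       the classification of the .mnt file and the mount or setns that acts
       on it, so two instances of the same snap cannot both decide to create
       a namespace. And the bind mount of /proc/$PID/ns/mnt is made from a
       process that never left the original namespace; because /run/snapd/ns
       is private, a mount made from inside the new namespace would not be
       visible to the next process of the snap.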
       Note that the apparmor profile is external to snap-confine and is
       loaded directly into the kernel. The actual apparmor profile is managed
       by snapd.


BUGS

       Please report all bugs at
       https://bugs.launchpad.net/snap-confine/+filebug


AUTHOR

       zygmunt.krynicki@canonical.com

       Canonical Ltd.



2.28                              2017-09-18                   SNAP-CONFINE(8)