1SNAP-CONFINE(8)                     snappy                     SNAP-CONFINE(8)
2
3
4

NAME

6       snap-confine - internal tool for confining snappy applications
7

SYNOPSIS

9          snap-confine  [--classic] [--base BASE] SECURITY_TAG COMMAND [...AR‐
10          GUMENTS]
11

DESCRIPTION

13       The snap-confine is a program used internally by snapd to construct the
14       execution environment for snap applications.
15

OPTIONS

17       The snap-confine program accepts two options:
18          --classic  requests  the  so-called _classic_ _confinement_ in which
19          applications are not confined at all (like in classic systems, hence
20          the  name).  This  disables  the  use of a dedicated, per-snap mount
21          namespace. The snapd service generates permissive apparmor and  sec‐
22          comp profiles that allow everything.
23
24          --base  BASE  directs snap-confine to use the given base snap as the
25          root filesystem. If omitted it defaults to the core  snap.  This  is
26          derived  from  snap meta-data by snapd when starting the application
27          process.
28

FEATURES

30   Apparmor profiles
31       snap-confine switches to the apparmor profile $SECURITY_TAG.  The  pro‐
32       file is mandatory and snap-confine will refuse to run without it.
33
34       The  profile  has to be loaded into the kernel prior to using snap-con‐
35       fine.  Typically this is arranged for by snapd.  The  profile  contains
36       rich description of what the application process is allowed to do, this
37       includes system calls, file paths, access patterns, linux capabilities,
38       etc.  The  apparmor profile can also do extensive dbus mediation. Refer
39       to apparmor documentation for more details.
40
41   Seccomp profiles
42       snap-confine looks for the /var/lib/snapd/seccomp/bpf/$SECURITY_TAG.bin
43       file.  This file is mandatory and snap-confine will refuse to run with‐
44       out it. This file contains the  seccomp  bpf  binary  program  that  is
45       loaded into the kernel by snap-confine.
46
47       The  file  is  generated  with the /usr/lib/snapd/snap-seccomp compiler
48       from the $SECURITY_TAG.src file that uses  a  custom  syntax  that  de‐
49       scribes the set of allowed system calls and optionally their arguments.
50       The profile is then used to confine the started application.
51
52       As a security precaution disallowed system calls cause the started  ap‐
53       plication executable to be killed by the kernel. In the future this re‐
54       striction may be lifted to return EPERM instead.
55
56   Mount profiles
57       snap-confine uses a helper process, snap-update-ns, to apply the  mount
58       namespace  profile  to  freshly  constructed mount namespace. That tool
59       looks  for  the  /var/lib/snapd/mount/snap.$SNAP_NAME.fstab  file.   If
60       present  it  is read, parsed and treated like a mostly-typical fstab(5)
61       file.  The mount directives listed there are executed in order. All di‐
62       rectives must succeed as any failure will abort execution.
63
64       By  default all mount entries start with the following flags: bind, ro,
65       nodev, nosuid.  Some of those flags can be reversed by  an  appropriate
66       option (e.g. rw can cause the mount point to be writable).
67
68       Certain additional features are enabled and conveyed through the use of
69       mount options prefixed with x-snapd-.
70
71       As a security precaution only bind mounts are supported at this time.
72
73   Sharing of the mount namespace
74       As of version 1.0.41 all the applications from the same snap will share
75       the same mount namespace. Applications from different snaps continue to
76       use separate mount namespaces.
77

ENVIRONMENT

79       snap-confine responds to the following environment variables
80
81       SNAP_CONFINE_DEBUG:
82              When defined the program will print additional diagnostic infor‐
83              mation about the actions being performed. All the output goes to
84              stderr.
85
86       The following variables are only used when snap-confine is  not  setuid
87       root.  This is only applicable when testing the program itself.
88
89       SNAPPY_LAUNCHER_INSIDE_TESTS:
90              Internal variable that should not be relied upon.
91
92       SNAPPY_LAUNCHER_SECCOMP_PROFILE_DIR:
93              Internal variable that should not be relied upon.
94
95       SNAP_USER_DATA:
96              Full     path     to     the    directory    like    /home/$LOG‐
97              NAME/snap/$SNAP_NAME/$SNAP_REVISION.
98
99              This directory is created by snap-confine on startup. This is  a
100              temporary feature that will be merged into snapd's snap-run com‐
101              mand. The set of directories that can  be  created  is  confined
102              with apparmor.
103

FILES

105       snap-confine and snap-update-ns use the following files:
106
107       /var/lib/snapd/mount/snap.*.fstab:
108          Description of the mount profile.
109
110       /var/lib/snapd/seccomp/bpf/*.src:
111          Input for the /usr/lib/snapd/snap-seccomp profile compiler.
112
113       /var/lib/snapd/seccomp/bpf/*.bin:
114          Compiled seccomp bpf profile programs.
115
116       /run/snapd/ns/:
117          Directory used to keep shared mount namespaces.
118
119          snap-confine  internally  converts  this directory to a private bind
120          mount.  Semantically the behavior  is  identical  to  the  following
121          mount commands:
122
123          mount   --bind   /run/snapd/ns  /run/snapd/ns  mount  --make-private
124          /run/snapd/ns
125
126       /run/snapd/ns/.lock:
127          A  flock(2)-based  lock  file  acquired  to   create   and   convert
128          /run/snapd/ns/ to a private bind mount.
129
130       /run/snapd/ns/$SNAP_NAME.lock:
131          A  flock(2)-based  lock  file  acquired  to create or join the mount
132          namespace represented as /run/snaps/ns/$SNAP_NAME.mnt.
133
134       /run/snapd/ns/$SNAP_NAME.mnt:
135          This file can be either:
136
137          • An empty file that may be seen before the mount namespace is  pre‐
138            served or when the mount namespace is unmounted.
139
140          • A  file  belonging  to  the nsfs file system, representing a fully
141            populated mount namespace of  a  given  snap.  The  file  is  bind
142            mounted from /proc/self/ns/mnt from the first process in any snap.
143
144       /proc/self/mountinfo:
145          This  file  is  read to decide if /run/snapd/ns/ needs to be created
146          and converted to a private bind mount, as described above.
147
148       Note that the apparmor profile  is  external  to  snap-confine  and  is
149       loaded directly into the kernel. The actual apparmor profile is managed
150       by snapd.
151

BUGS

153       Please report all bugs with https://bugs.launchpad.net/snapd/+filebug
154

AUTHOR

156       zygmunt.krynicki@canonical.com
157
159       Canonical Ltd.
160
161
162
163
1642.28                              2017-09-18                   SNAP-CONFINE(8)
Impressum