1SNAP-CONFINE(8) snappy SNAP-CONFINE(8)
2
3
4
6 snap-confine - internal tool for confining snappy applications
7
9 snap-confine [--classic] [--base BASE] SECURITY_TAG COMMAND [...AR‐
10 GUMENTS]
11
13 The snap-confine is a program used internally by snapd to construct the
14 execution environment for snap applications.
15
17 The snap-confine program accepts two options:
18 --classic requests the so-called _classic_ _confinement_ in which
19 applications are not confined at all (like in classic systems, hence
20 the name). This disables the use of a dedicated, per-snap mount
21 namespace. The snapd service generates permissive apparmor and sec‐
22 comp profiles that allow everything.
23
24 --base BASE directs snap-confine to use the given base snap as the
25 root filesystem. If omitted it defaults to the core snap. This is
26 derived from snap meta-data by snapd when starting the application
27 process.
28
30 Apparmor profiles
31 snap-confine switches to the apparmor profile $SECURITY_TAG. The pro‐
32 file is mandatory and snap-confine will refuse to run without it.
33
34 The profile has to be loaded into the kernel prior to using snap-con‐
35 fine. Typically this is arranged for by snapd. The profile contains
36 rich description of what the application process is allowed to do, this
37 includes system calls, file paths, access patterns, linux capabilities,
38 etc. The apparmor profile can also do extensive dbus mediation. Refer
39 to apparmor documentation for more details.
40
41 Seccomp profiles
42 snap-confine looks for the /var/lib/snapd/seccomp/bpf/$SECURITY_TAG.bin
43 file. This file is mandatory and snap-confine will refuse to run with‐
44 out it. This file contains the seccomp bpf binary program that is
45 loaded into the kernel by snap-confine.
46
47 The file is generated with the /usr/lib/snapd/snap-seccomp compiler
48 from the $SECURITY_TAG.src file that uses a custom syntax that de‐
49 scribes the set of allowed system calls and optionally their arguments.
50 The profile is then used to confine the started application.
51
52 As a security precaution disallowed system calls cause the started ap‐
53 plication executable to be killed by the kernel. In the future this re‐
54 striction may be lifted to return EPERM instead.
55
56 Mount profiles
57 snap-confine uses a helper process, snap-update-ns, to apply the mount
58 namespace profile to freshly constructed mount namespace. That tool
59 looks for the /var/lib/snapd/mount/snap.$SNAP_NAME.fstab file. If
60 present it is read, parsed and treated like a mostly-typical fstab(5)
61 file. The mount directives listed there are executed in order. All di‐
62 rectives must succeed as any failure will abort execution.
63
64 By default all mount entries start with the following flags: bind, ro,
65 nodev, nosuid. Some of those flags can be reversed by an appropriate
66 option (e.g. rw can cause the mount point to be writable).
67
68 Certain additional features are enabled and conveyed through the use of
69 mount options prefixed with x-snapd-.
70
71 As a security precaution only bind mounts are supported at this time.
72
73 Sharing of the mount namespace
74 As of version 1.0.41 all the applications from the same snap will share
75 the same mount namespace. Applications from different snaps continue to
76 use separate mount namespaces.
77
79 snap-confine responds to the following environment variables
80
81 SNAP_CONFINE_DEBUG:
82 When defined the program will print additional diagnostic infor‐
83 mation about the actions being performed. All the output goes to
84 stderr.
85
86 The following variables are only used when snap-confine is not setuid
87 root. This is only applicable when testing the program itself.
88
89 SNAPPY_LAUNCHER_INSIDE_TESTS:
90 Internal variable that should not be relied upon.
91
92 SNAPPY_LAUNCHER_SECCOMP_PROFILE_DIR:
93 Internal variable that should not be relied upon.
94
95 SNAP_USER_DATA:
96 Full path to the directory like /home/$LOG‐
97 NAME/snap/$SNAP_NAME/$SNAP_REVISION.
98
99 This directory is created by snap-confine on startup. This is a
100 temporary feature that will be merged into snapd's snap-run com‐
101 mand. The set of directories that can be created is confined
102 with apparmor.
103
105 snap-confine and snap-update-ns use the following files:
106
107 /var/lib/snapd/mount/snap.*.fstab:
108 Description of the mount profile.
109
110 /var/lib/snapd/seccomp/bpf/*.src:
111 Input for the /usr/lib/snapd/snap-seccomp profile compiler.
112
113 /var/lib/snapd/seccomp/bpf/*.bin:
114 Compiled seccomp bpf profile programs.
115
116 /run/snapd/ns/:
117 Directory used to keep shared mount namespaces.
118
119 snap-confine internally converts this directory to a private bind
120 mount. Semantically the behavior is identical to the following
121 mount commands:
122
123 mount --bind /run/snapd/ns /run/snapd/ns mount --make-private
124 /run/snapd/ns
125
126 /run/snapd/ns/.lock:
127 A flock(2)-based lock file acquired to create and convert
128 /run/snapd/ns/ to a private bind mount.
129
130 /run/snapd/ns/$SNAP_NAME.lock:
131 A flock(2)-based lock file acquired to create or join the mount
132 namespace represented as /run/snaps/ns/$SNAP_NAME.mnt.
133
134 /run/snapd/ns/$SNAP_NAME.mnt:
135 This file can be either:
136
137 • An empty file that may be seen before the mount namespace is pre‐
138 served or when the mount namespace is unmounted.
139
140 • A file belonging to the nsfs file system, representing a fully
141 populated mount namespace of a given snap. The file is bind
142 mounted from /proc/self/ns/mnt from the first process in any snap.
143
144 /proc/self/mountinfo:
145 This file is read to decide if /run/snapd/ns/ needs to be created
146 and converted to a private bind mount, as described above.
147
148 Note that the apparmor profile is external to snap-confine and is
149 loaded directly into the kernel. The actual apparmor profile is managed
150 by snapd.
151
153 Please report all bugs with https://bugs.launchpad.net/snapd/+filebug
154
156 zygmunt.krynicki@canonical.com
157
159 Canonical Ltd.
160
161
162
163
1642.28 2017-09-18 SNAP-CONFINE(8)