📄
snap-confine.core.17210
28.62 KB
05/08/2025 11:44:45 PM
rw-r--r--
📄
snap-update-ns.certbot
15.1 KB
06/12/2025 09:50:09 PM
rw-r--r--
📄
snap-update-ns.certbot-dns-digitalocean
12.31 KB
06/12/2025 09:50:09 PM
rw-r--r--
📄
snap-update-ns.core
5.34 KB
05/09/2024 07:16:09 AM
rw-r--r--
📄
snap-update-ns.hello-world
5.42 KB
08/15/2024 06:40:18 AM
rw-r--r--
📄
snap.certbot-dns-digitalocean.hook.post-refresh
21.94 KB
06/12/2025 09:50:09 PM
rw-r--r--
📄
snap.certbot.certbot
719 bytes
06/12/2025 09:50:09 PM
rw-r--r--
📄
snap.certbot.hook.configure
742 bytes
06/12/2025 09:50:09 PM
rw-r--r--
📄
snap.certbot.hook.prepare-plug-plugin
776 bytes
06/12/2025 09:50:09 PM
rw-r--r--
📄
snap.certbot.renew
713 bytes
06/12/2025 09:50:09 PM
rw-r--r--
📄
snap.core.hook.configure
21.65 KB
05/08/2025 11:44:45 PM
rw-r--r--
📄
snap.hello-world.env
21.65 KB
08/15/2024 06:40:18 AM
rw-r--r--
📄
snap.hello-world.evil
21.65 KB
08/15/2024 06:40:18 AM
rw-r--r--
📄
snap.hello-world.hello-world
21.67 KB
08/15/2024 06:40:18 AM
rw-r--r--
📄
snap.hello-world.sh
21.64 KB
08/15/2024 06:40:18 AM
rw-r--r--
Editing: snap-update-ns.certbot
# Description: Allows snap-update-ns to construct the mount namespace specific
# to a particular snap (see the name below). This specifically includes the
# precise locations of the layout elements.
# vim:syntax=apparmor
#
# NOTE(review): this file lives under /var/lib/snapd/apparmor/profiles and its
# body hard-codes snap revisions (certbot 4737, certbot-dns-digitalocean 4356),
# so it looks like snapd-generated output that is rewritten on every refresh;
# confirm before hand-editing anything here.

#include <tunables/global>

profile snap-update-ns.certbot (attach_disconnected) {
    # The next four rules mirror those above. We want to be able to read
    # and map snap-update-ns into memory but it may come from a variety of places.
    /usr/lib{,exec,64}/snapd/snap-update-ns mr,
    /var/lib/snapd/hostfs/usr/lib{,exec,64}/snapd/snap-update-ns mr,
    /{,var/lib/snapd/}snap/{core,snapd}/*/usr/lib/snapd/snap-update-ns mr,
    /var/lib/snapd/hostfs/{,var/lib/snapd/}snap/core/*/usr/lib/snapd/snap-update-ns mr,

    # Allow reading the dynamic linker cache.
    /etc/ld.so.cache r,
    # Allow reading, mapping and executing the dynamic linker.
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}ld-*.so mrix,
    # Allow reading and mapping various parts of the standard library and
    # dynamically loaded nss modules and what not.
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libc{,-[0-9]*}.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libpthread{,-[0-9]*}.so* mr,

    # Common devices accesses
    /dev/null rw,
    /dev/full rw,
    /dev/zero rw,
    /dev/random r,
    /dev/urandom r,

    # golang runtime variables
    /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,

    # glibc 2.27+ may poke this file to find out the number of CPUs
    # available in the system when creating a new arena for malloc, see
    # Golang issue 25628
    /sys/devices/system/cpu/online r,

    # Allow reading the command line (snap-update-ns uses it in pre-Go bootstrap code).
    owner @{PROC}/@{pid}/cmdline r,

    # Allow reading of own maps (Go runtime)
    owner @{PROC}/@{pid}/maps r,

    # Allow reading file descriptor paths
    owner @{PROC}/@{pid}/fd/* r,

    # Allow reading /proc/version. For release.go WSL detection.
    @{PROC}/version r,

    # Allow reading own cgroups
    owner @{PROC}/@{pid}/cgroup r,

    # Allow reading somaxconn, required in newer distro releases
    @{PROC}/sys/net/core/somaxconn r,
    # but silence noisy denial of inet/inet6
    # (a plain `deny` is quiet; only `audit deny` would log these attempts)
    deny network inet,
    deny network inet6,

    # Allow reading the os-release file (possibly a symlink to /usr/lib).
    /{etc/,usr/lib/}os-release r,

    # Allow creating/grabbing global and per-snap lock files.
    /run/snapd/lock/certbot.lock rwk,
    /run/snapd/lock/.lock rwk,

    # Allow reading stored mount namespaces,
    /run/snapd/ns/ r,
    /run/snapd/ns/certbot.mnt r,

    # Allow reading per-snap desired mount profiles. Those are written by
    # snapd and represent the desired layout and content connections.
    /var/lib/snapd/mount/snap.certbot.fstab r,
    /var/lib/snapd/mount/snap.certbot.user-fstab r,

    # Allow reading and writing actual per-snap mount profiles. Note that
    # the wildcard in the rule to allow an atomic write + rename strategy.
    # Those files are written by snap-update-ns and represent the actual
    # mount profile at a given moment.
    /run/snapd/ns/snap.certbot.fstab{,.*} rw,

    # NOTE: at this stage the /snap directory is stable as we have called
    # pivot_root already.

    # NOTE(review): sys_admin together with the chown/setuid/setgid/dac_override
    # grants below makes this a highly privileged profile; the mount/umount
    # rules further down are what actually bound its reach, so review any
    # change to those most closely.
    # Needed to perform mount/unmounts.
    capability sys_admin,
    # Needed for mimic construction.
    capability chown,
    # Needed for dropping to calling user when processing per-user mounts
    capability setuid,
    capability setgid,
    # Allow snap-update-ns to override file ownership and permission checks.
    # This is required because writable mimics now preserve the permissions
    # of the original and hence we may be asked to create a directory when the
    # parent is a tmpfs without DAC write access.
    capability dac_override,

    # Allow freezing and thawing the per-snap cgroup freezers
    # v1 hierarchy where we know the group name of all processes of
    # a given snap upfront
    /sys/fs/cgroup/freezer/snap.certbot/freezer.state rw,
    # v2 hierarchy, where we need to walk the tree to looking for the tracking
    # groups and act on each one
    /sys/fs/cgroup/ r,
    /sys/fs/cgroup/** r,
    /sys/fs/cgroup/**/snap.certbot.*.scope/cgroup.freeze rw,
    /sys/fs/cgroup/**/snap.certbot.*.service/cgroup.freeze rw,

    # Allow the content interface to bind fonts from the host filesystem
    mount options=(ro bind) /var/lib/snapd/hostfs/usr/share/fonts/ -> /snap/certbot/*/**,
    mount options=(rw private) -> /snap/certbot/*/**,
    umount /snap/certbot/*/**,

    # set up user mount namespace
    mount options=(rslave) -> /,

    # Allow traversing from the root directory and several well-known places.
    # Specific directory permissions are added by snippets below.
    / r,
    /etc/ r,
    /snap/ r,
    /tmp/ r,
    /usr/ r,
    /var/ r,
    /var/snap/ r,

    # Allow reading timezone data.
    /usr/share/zoneinfo/** r,

    # Don't allow anyone to touch /snap/bin
    audit deny mount /snap/bin/** -> /**,
    audit deny mount /** -> /snap/bin/**,

    # Don't allow bind mounts to /media which has special
    # sharing and propagates mount events outside of the snap namespace.
    audit deny mount -> /media,

    # Allow receiving signals from unconfined (eg, systemd)
    signal (receive) peer=unconfined,

    # Allow sending and receiving signals from ourselves.
    signal peer=@{profile_name},

    # Commonly needed permissions for writable mimics.
    /tmp/ r,
    /tmp/.snap/{,**} rw,

    # snapd logger.go checks /proc/cmdline
    @{PROC}/cmdline r,

    # snap checks if vendored apparmor parser should be used at startup
    /usr/lib/snapd/info r,
    /lib/apparmor/functions r,

    # Read-only content sharing certbot:plugin -> certbot-dns-digitalocean:certbot (r#0)
    # NOTE(review): source and target pin revisions 4356 and 4737, so these
    # rules stop matching as soon as either snap is refreshed -- presumably
    # snapd regenerates this profile at that point; verify that assumption.
    mount options=(bind) "/snap/certbot-dns-digitalocean/4356/lib/python3.12/site-packages/" -> "/snap/certbot/4737/certbot-plugin{,-[0-9]*}/",
    remount options=(bind, ro) "/snap/certbot/4737/certbot-plugin{,-[0-9]*}/",
    mount options=(rprivate) -> "/snap/certbot/4737/certbot-plugin{,-[0-9]*}/",
    umount "/snap/certbot/4737/certbot-plugin{,-[0-9]*}/",
    # Writable mimic /snap/certbot-dns-digitalocean/4356/lib/python3.12
    # .. permissions for traversing the prefix that is assumed to exist
    # .. variant with mimic at /
    # NOTE(review): this variant allows an rbind of the whole root onto
    # /tmp/.snap/ and a tmpfs over "/"; it is generic mimic scaffolding emitted
    # for every prefix, and the LP: #1613403 TODO below already records that it
    # is looser than intended.
    # Allow reading the mimic directory, it must exist in the first place.
    "/" r,
    # Allow setting the read-only directory aside via a bind mount.
    "/tmp/.snap/" rw,
    mount options=(rbind, rw) "/" -> "/tmp/.snap/",
    # Allow mounting tmpfs over the read-only directory.
    mount fstype=tmpfs options=(rw) tmpfs -> "/",
    # Allow creating empty files and directories for bind mounting things
    # to reconstruct the now-writable parent directory.
    "/tmp/.snap/*/" rw,
    "/*/" rw,
    mount options=(rbind, rw) "/tmp/.snap/*/" -> "/*/",
    "/tmp/.snap/*" rw,
    "/*" rw,
    mount options=(bind, rw) "/tmp/.snap/*" -> "/*",
    # Allow unmounting the auxiliary directory.
    # TODO: use fstype=tmpfs here for more strictness (LP: #1613403)
    mount options=(rprivate) -> "/tmp/.snap/",
    umount "/tmp/.snap/",
    # Allow unmounting the destination directory as well as anything
    # inside. This lets us perform the undo plan in case the writable
    # mimic fails.
    mount options=(rprivate) -> "/",
    mount options=(rprivate) -> "/*",
    mount options=(rprivate) -> "/*/",
    umount "/",
    umount "/*",
    umount "/*/",
    # .. variant with mimic at /snap/
    # (same 18-rule pattern as the "/" variant above, for this prefix)
    "/snap/" r,
    "/tmp/.snap/snap/" rw,
    mount options=(rbind, rw) "/snap/" -> "/tmp/.snap/snap/",
    mount fstype=tmpfs options=(rw) tmpfs -> "/snap/",
    "/tmp/.snap/snap/*/" rw,
    "/snap/*/" rw,
    mount options=(rbind, rw) "/tmp/.snap/snap/*/" -> "/snap/*/",
    "/tmp/.snap/snap/*" rw,
    "/snap/*" rw,
    mount options=(bind, rw) "/tmp/.snap/snap/*" -> "/snap/*",
    mount options=(rprivate) -> "/tmp/.snap/snap/",
    umount "/tmp/.snap/snap/",
    mount options=(rprivate) -> "/snap/",
    mount options=(rprivate) -> "/snap/*",
    mount options=(rprivate) -> "/snap/*/",
    umount "/snap/",
    umount "/snap/*",
    umount "/snap/*/",
    # .. variant with mimic at /snap/certbot-dns-digitalocean/
    "/snap/certbot-dns-digitalocean/" r,
    "/tmp/.snap/snap/certbot-dns-digitalocean/" rw,
    mount options=(rbind, rw) "/snap/certbot-dns-digitalocean/" -> "/tmp/.snap/snap/certbot-dns-digitalocean/",
    mount fstype=tmpfs options=(rw) tmpfs -> "/snap/certbot-dns-digitalocean/",
    "/tmp/.snap/snap/certbot-dns-digitalocean/*/" rw,
    "/snap/certbot-dns-digitalocean/*/" rw,
    mount options=(rbind, rw) "/tmp/.snap/snap/certbot-dns-digitalocean/*/" -> "/snap/certbot-dns-digitalocean/*/",
    "/tmp/.snap/snap/certbot-dns-digitalocean/*" rw,
    "/snap/certbot-dns-digitalocean/*" rw,
    mount options=(bind, rw) "/tmp/.snap/snap/certbot-dns-digitalocean/*" -> "/snap/certbot-dns-digitalocean/*",
    mount options=(rprivate) -> "/tmp/.snap/snap/certbot-dns-digitalocean/",
    umount "/tmp/.snap/snap/certbot-dns-digitalocean/",
    mount options=(rprivate) -> "/snap/certbot-dns-digitalocean/",
    mount options=(rprivate) -> "/snap/certbot-dns-digitalocean/*",
    mount options=(rprivate) -> "/snap/certbot-dns-digitalocean/*/",
    umount "/snap/certbot-dns-digitalocean/",
    umount "/snap/certbot-dns-digitalocean/*",
    umount "/snap/certbot-dns-digitalocean/*/",
    # .. variant with mimic at /snap/certbot-dns-digitalocean/4356/
    "/snap/certbot-dns-digitalocean/4356/" r,
    "/tmp/.snap/snap/certbot-dns-digitalocean/4356/" rw,
    mount options=(rbind, rw) "/snap/certbot-dns-digitalocean/4356/" -> "/tmp/.snap/snap/certbot-dns-digitalocean/4356/",
    mount fstype=tmpfs options=(rw) tmpfs -> "/snap/certbot-dns-digitalocean/4356/",
    "/tmp/.snap/snap/certbot-dns-digitalocean/4356/*/" rw,
    "/snap/certbot-dns-digitalocean/4356/*/" rw,
    mount options=(rbind, rw) "/tmp/.snap/snap/certbot-dns-digitalocean/4356/*/" -> "/snap/certbot-dns-digitalocean/4356/*/",
    "/tmp/.snap/snap/certbot-dns-digitalocean/4356/*" rw,
    "/snap/certbot-dns-digitalocean/4356/*" rw,
    mount options=(bind, rw) "/tmp/.snap/snap/certbot-dns-digitalocean/4356/*" -> "/snap/certbot-dns-digitalocean/4356/*",
    mount options=(rprivate) -> "/tmp/.snap/snap/certbot-dns-digitalocean/4356/",
    umount "/tmp/.snap/snap/certbot-dns-digitalocean/4356/",
    mount options=(rprivate) -> "/snap/certbot-dns-digitalocean/4356/",
    mount options=(rprivate) -> "/snap/certbot-dns-digitalocean/4356/*",
    mount options=(rprivate) -> "/snap/certbot-dns-digitalocean/4356/*/",
    umount "/snap/certbot-dns-digitalocean/4356/",
    umount "/snap/certbot-dns-digitalocean/4356/*",
    umount "/snap/certbot-dns-digitalocean/4356/*/",
    # .. variant with mimic at /snap/certbot-dns-digitalocean/4356/lib/
    "/snap/certbot-dns-digitalocean/4356/lib/" r,
    "/tmp/.snap/snap/certbot-dns-digitalocean/4356/lib/" rw,
    mount options=(rbind, rw) "/snap/certbot-dns-digitalocean/4356/lib/" -> "/tmp/.snap/snap/certbot-dns-digitalocean/4356/lib/",
    mount fstype=tmpfs options=(rw) tmpfs -> "/snap/certbot-dns-digitalocean/4356/lib/",
    "/tmp/.snap/snap/certbot-dns-digitalocean/4356/lib/*/" rw,
    "/snap/certbot-dns-digitalocean/4356/lib/*/" rw,
    mount options=(rbind, rw) "/tmp/.snap/snap/certbot-dns-digitalocean/4356/lib/*/" -> "/snap/certbot-dns-digitalocean/4356/lib/*/",
    "/tmp/.snap/snap/certbot-dns-digitalocean/4356/lib/*" rw,
    "/snap/certbot-dns-digitalocean/4356/lib/*" rw,
    mount options=(bind, rw) "/tmp/.snap/snap/certbot-dns-digitalocean/4356/lib/*" -> "/snap/certbot-dns-digitalocean/4356/lib/*",
    mount options=(rprivate) -> "/tmp/.snap/snap/certbot-dns-digitalocean/4356/lib/",
    umount "/tmp/.snap/snap/certbot-dns-digitalocean/4356/lib/",
    mount options=(rprivate) -> "/snap/certbot-dns-digitalocean/4356/lib/",
    mount options=(rprivate) -> "/snap/certbot-dns-digitalocean/4356/lib/*",
    mount options=(rprivate) -> "/snap/certbot-dns-digitalocean/4356/lib/*/",
    umount "/snap/certbot-dns-digitalocean/4356/lib/",
    umount "/snap/certbot-dns-digitalocean/4356/lib/*",
    umount "/snap/certbot-dns-digitalocean/4356/lib/*/",
    # .. variant with mimic at /snap/certbot-dns-digitalocean/4356/lib/python3.12/
    "/snap/certbot-dns-digitalocean/4356/lib/python3.12/" r,
    "/tmp/.snap/snap/certbot-dns-digitalocean/4356/lib/python3.12/" rw,
    mount options=(rbind, rw) "/snap/certbot-dns-digitalocean/4356/lib/python3.12/" -> "/tmp/.snap/snap/certbot-dns-digitalocean/4356/lib/python3.12/",
    mount fstype=tmpfs options=(rw) tmpfs -> "/snap/certbot-dns-digitalocean/4356/lib/python3.12/",
    "/tmp/.snap/snap/certbot-dns-digitalocean/4356/lib/python3.12/*/" rw,
    "/snap/certbot-dns-digitalocean/4356/lib/python3.12/*/" rw,
    mount options=(rbind, rw) "/tmp/.snap/snap/certbot-dns-digitalocean/4356/lib/python3.12/*/" -> "/snap/certbot-dns-digitalocean/4356/lib/python3.12/*/",
    "/tmp/.snap/snap/certbot-dns-digitalocean/4356/lib/python3.12/*" rw,
    "/snap/certbot-dns-digitalocean/4356/lib/python3.12/*" rw,
    mount options=(bind, rw) "/tmp/.snap/snap/certbot-dns-digitalocean/4356/lib/python3.12/*" -> "/snap/certbot-dns-digitalocean/4356/lib/python3.12/*",
    mount options=(rprivate) -> "/tmp/.snap/snap/certbot-dns-digitalocean/4356/lib/python3.12/",
    umount "/tmp/.snap/snap/certbot-dns-digitalocean/4356/lib/python3.12/",
    mount options=(rprivate) -> "/snap/certbot-dns-digitalocean/4356/lib/python3.12/",
    mount options=(rprivate) -> "/snap/certbot-dns-digitalocean/4356/lib/python3.12/*",
    mount options=(rprivate) -> "/snap/certbot-dns-digitalocean/4356/lib/python3.12/*/",
    umount "/snap/certbot-dns-digitalocean/4356/lib/python3.12/",
    umount "/snap/certbot-dns-digitalocean/4356/lib/python3.12/*",
    umount "/snap/certbot-dns-digitalocean/4356/lib/python3.12/*/",
    # Writable mimic /snap/certbot/4737
    # (the "/" and "/snap/" variants were already emitted above and are not
    # repeated for this prefix)
    # .. variant with mimic at /snap/certbot/
    "/snap/certbot/" r,
    "/tmp/.snap/snap/certbot/" rw,
    mount options=(rbind, rw) "/snap/certbot/" -> "/tmp/.snap/snap/certbot/",
    mount fstype=tmpfs options=(rw) tmpfs -> "/snap/certbot/",
    "/tmp/.snap/snap/certbot/*/" rw,
    "/snap/certbot/*/" rw,
    mount options=(rbind, rw) "/tmp/.snap/snap/certbot/*/" -> "/snap/certbot/*/",
    "/tmp/.snap/snap/certbot/*" rw,
    "/snap/certbot/*" rw,
    mount options=(bind, rw) "/tmp/.snap/snap/certbot/*" -> "/snap/certbot/*",
    mount options=(rprivate) -> "/tmp/.snap/snap/certbot/",
    umount "/tmp/.snap/snap/certbot/",
    mount options=(rprivate) -> "/snap/certbot/",
    mount options=(rprivate) -> "/snap/certbot/*",
    mount options=(rprivate) -> "/snap/certbot/*/",
    umount "/snap/certbot/",
    umount "/snap/certbot/*",
    umount "/snap/certbot/*/",
    # .. variant with mimic at /snap/certbot/4737/
    "/snap/certbot/4737/" r,
    "/tmp/.snap/snap/certbot/4737/" rw,
    mount options=(rbind, rw) "/snap/certbot/4737/" -> "/tmp/.snap/snap/certbot/4737/",
    mount fstype=tmpfs options=(rw) tmpfs -> "/snap/certbot/4737/",
    "/tmp/.snap/snap/certbot/4737/*/" rw,
    "/snap/certbot/4737/*/" rw,
    mount options=(rbind, rw) "/tmp/.snap/snap/certbot/4737/*/" -> "/snap/certbot/4737/*/",
    "/tmp/.snap/snap/certbot/4737/*" rw,
    "/snap/certbot/4737/*" rw,
    mount options=(bind, rw) "/tmp/.snap/snap/certbot/4737/*" -> "/snap/certbot/4737/*",
    mount options=(rprivate) -> "/tmp/.snap/snap/certbot/4737/",
    umount "/tmp/.snap/snap/certbot/4737/",
    mount options=(rprivate) -> "/snap/certbot/4737/",
    mount options=(rprivate) -> "/snap/certbot/4737/*",
    mount options=(rprivate) -> "/snap/certbot/4737/*/",
    umount "/snap/certbot/4737/",
    umount "/snap/certbot/4737/*",
    umount "/snap/certbot/4737/*/",
}