
# Description: Allows snap-update-ns to construct the mount namespace specific
# to a particular snap (see the name below). This specifically includes the
# precise locations of the layout elements.

# vim:syntax=apparmor

#include <tunables/global>

#include if exists "/etc/apparmor.d/tunables/home.d"

profile snap-update-ns.canonical-livepatch (attach_disconnected) {
  # The next four rules mirror those above. We want to be able to read
  # and map snap-update-ns into memory but it may come from a variety of places.
  /usr/lib{,exec,64}/snapd/snap-update-ns mr,
  /var/lib/snapd/hostfs/usr/lib{,exec,64}/snapd/snap-update-ns mr,
  /{,var/lib/snapd/}snap/{core,snapd}/*/usr/lib/snapd/snap-update-ns mr,
  /var/lib/snapd/hostfs/{,var/lib/snapd/}snap/core/*/usr/lib/snapd/snap-update-ns mr,

  # Allow reading the dynamic linker cache.
  /etc/ld.so.cache r,
  # Allow reading, mapping and executing the dynamic linker.
  /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}ld-*.so mrix,
  # Allow reading and mapping various parts of the standard library and
  # dynamically loaded nss modules and what not.
  /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libc{,-[0-9]*}.so* mr,
  /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libpthread{,-[0-9]*}.so* mr,

  # Common devices accesses
  /dev/null rw,
  /dev/full rw,
  /dev/zero rw,
  /dev/random r,
  /dev/urandom r,

  # golang runtime variables
  /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
  # glibc 2.27+ may poke this file to find out the number of CPUs
  # available in the system when creating a new arena for malloc, see
  # Golang issue 25628
  /sys/devices/system/cpu/online r,

  # Allow reading the command line (snap-update-ns uses it in pre-Go bootstrap code).
  owner @{PROC}/@{pid}/cmdline r,

  # Allow reading of own maps (Go runtime)
  owner @{PROC}/@{pid}/maps r,

  # Allow reading file descriptor paths
  owner @{PROC}/@{pid}/fd/* r,

  # Allow reading /proc/version. For release.go WSL detection.
  @{PROC}/version r,

  # Allow reading own cgroups
  owner @{PROC}/@{pid}/cgroup r,

  # Allow reading own mountinfo (Go runtime 1.25+)
  owner @{PROC}/@{pid}/mountinfo r,

  # Allow reading the auxv, apparently Go does this on s390x
  # https://bugs.launchpad.net/snapd/+bug/2141461
  owner @{PROC}/@{pid}/auxv r,

  # Allow reading somaxconn, required in newer distro releases
  @{PROC}/sys/net/core/somaxconn r,
  # but silence the noisy denials of inet/inet6 network access
  deny network inet,
  deny network inet6,

  # Allow reading the os-release file (possibly a symlink to /usr/lib).
  /{etc/,usr/lib/}os-release r,

  # Allow creating/grabbing global and per-snap lock files.
  /run/snapd/lock/canonical-livepatch.lock rwk,
  /run/snapd/lock/.lock rwk,

  # While the base abstraction has rules for ecryptfs encrypted home and
  # private directories, it is missing rules for directory read on the top-level
  # directory of the mount (LP: #1848919)
  owner @{HOME}/.Private/ r,
  owner @{HOMEDIRS}/.ecryptfs/*/.Private/ r,

  # Allow reading stored mount namespaces.
  /run/snapd/ns/ r,
  /run/snapd/ns/canonical-livepatch.mnt r,

  # Allow reading per-snap desired mount profiles. Those are written by
  # snapd and represent the desired layout and content connections.
  /var/lib/snapd/mount/snap.canonical-livepatch.fstab r,
  /var/lib/snapd/mount/snap.canonical-livepatch.user-fstab r,

  # Allow reading and writing actual per-snap mount profiles. Note that
  # the wildcard in the rule allows an atomic write + rename strategy.
  # Those files are written by snap-update-ns and represent the actual
  # mount profile at a given moment.
  /run/snapd/ns/snap.canonical-livepatch.fstab{,.*} rw,

  # Allow writing to a log file for both per-snap and per-snap-and-user log files.
  /run/snapd/ns/snap.canonical-livepatch.log w,
  /run/snapd/ns/snap.canonical-livepatch.user.*.log w,

  # NOTE: at this stage the /snap directory is stable as we have called
  # pivot_root already.

  # Needed to perform mount/unmounts.
  capability sys_admin,
  # Needed for mimic construction.
  capability chown,
  # Needed for dropping privileges to the calling user when processing per-user mounts
  capability setuid,
  capability setgid,
  # Allow snap-update-ns to override file ownership and permission checks.
  # This is required because writable mimics now preserve the permissions
  # of the original and hence we may be asked to create a directory when the
  # parent is a tmpfs without DAC write access.
  capability dac_override,

  # Allow freezing and thawing the per-snap cgroup freezers
  # v1 hierarchy where we know the group name of all processes of
  # a given snap upfront
  /sys/fs/cgroup/freezer/snap.canonical-livepatch/freezer.state rw,
  # v2 hierarchy, where we need to walk the tree looking for the tracking
  # groups and act on each one
  /sys/fs/cgroup/ r,
  /sys/fs/cgroup/** r,
  /sys/fs/cgroup/**/snap.canonical-livepatch.*.scope/cgroup.freeze rw,
  /sys/fs/cgroup/**/snap.canonical-livepatch.*.service/cgroup.freeze rw,

  # Allow the content interface to bind fonts from the host filesystem
  mount options=(ro bind) /var/lib/snapd/hostfs/usr/share/fonts/ -> /snap/canonical-livepatch/*/**,
  mount options=(rw private) -> /snap/canonical-livepatch/*/**,
  umount /snap/canonical-livepatch/*/**,

  # Set up the user mount namespace.
  mount options=(rslave) -> /,

  # Allow traversing from the root directory and several well-known places.
  # Specific directory permissions are added by snippets below.
  / r,
  /etc/ r,
  /snap/ r,
  /tmp/ r,
  /usr/ r,
  /var/ r,
  /var/lib/ r,
  /var/lib/snapd/ r,
  /var/snap/ r,

  # Allow reading timezone data.
  /usr/share/zoneinfo/** r,

  # Don't allow anyone to touch /snap/bin
  audit deny mount /snap/bin/** -> /**,
  audit deny mount /** -> /snap/bin/**,

  # Don't allow bind mounts to /media which has special
  # sharing and propagates mount events outside of the snap namespace.
  audit deny mount -> /media,

  # Allow receiving signals from unconfined (eg, systemd)
  signal (receive) peer=unconfined,
  # Allow sending and receiving signals from ourselves.
  signal peer=@{profile_name},

  # Commonly needed permissions for writable mimics.
  /tmp/ r,
  /tmp/.snap/{,**} rw,

  # snapd logger.go checks /proc/cmdline
  @{PROC}/cmdline r,

  # snap checks at startup whether the vendored apparmor parser should be used
  /usr/lib/snapd/info r,
  /lib/apparmor/functions r,

  # Allow snap-update-ns to open home directory
  owner @{HOME}/ r,


/var/ r,
/var/lib/ r,
/var/lib/snapd/ r,
/var/lib/snapd/hostfs/ r,
/var/lib/snapd/hostfs/var/ r,
/var/lib/snapd/hostfs/var/lib/ r,
/var/lib/snapd/hostfs/var/lib/dhcp/ r,
/var/lib/dhcp/ r,
mount options=(rw bind) /var/lib/snapd/hostfs/var/lib/dhcp/ -> /var/lib/dhcp/,
umount /var/lib/dhcp/,

  # Read-only access to /boot
  mount options=(bind,rw) /var/lib/snapd/hostfs/boot/ -> /boot/,
  mount options=(bind,remount,ro) -> /boot/,
  umount /boot/,

  # Mount documentation of system packages

  mount options=(bind) /var/lib/snapd/hostfs/usr/share/doc/ -> /usr/share/doc/,

  remount options=(bind, ro) /usr/share/doc/,

  umount /usr/share/doc/,

  mount options=(bind) /var/lib/snapd/hostfs/usr/local/share/doc/ -> /usr/local/share/doc/,

  remount options=(bind, ro) /usr/local/share/doc/,

  umount /usr/local/share/doc/,

  mount options=(bind) /var/lib/snapd/hostfs/usr/share/cups/doc-root/ -> /usr/share/cups/doc-root/,

  remount options=(bind, ro) /usr/share/cups/doc-root/,

  umount /usr/share/cups/doc-root/,

  mount options=(bind) /var/lib/snapd/hostfs/usr/share/gimp/2.0/help/ -> /usr/share/gimp/2.0/help/,

  remount options=(bind, ro) /usr/share/gimp/2.0/help/,

  umount /usr/share/gimp/2.0/help/,

  mount options=(bind) /var/lib/snapd/hostfs/usr/share/gtk-doc/ -> /usr/share/gtk-doc/,

  remount options=(bind, ro) /usr/share/gtk-doc/,

  umount /usr/share/gtk-doc/,

  mount options=(bind) /var/lib/snapd/hostfs/usr/share/javascript/ -> /usr/share/javascript/,

  remount options=(bind, ro) /usr/share/javascript/,

  umount /usr/share/javascript/,

  mount options=(bind) /var/lib/snapd/hostfs/usr/share/libreoffice/help/ -> /usr/share/libreoffice/help/,

  remount options=(bind, ro) /usr/share/libreoffice/help/,

  umount /usr/share/libreoffice/help/,

  mount options=(bind) /var/lib/snapd/hostfs/usr/share/sphinx_rtd_theme/ -> /usr/share/sphinx_rtd_theme/,

  remount options=(bind, ro) /usr/share/sphinx_rtd_theme/,

  umount /usr/share/sphinx_rtd_theme/,

  mount options=(bind) /var/lib/snapd/hostfs/usr/share/xubuntu-docs/ -> /usr/share/xubuntu-docs/,

  remount options=(bind, ro) /usr/share/xubuntu-docs/,

  umount /usr/share/xubuntu-docs/,

  # Writable mimic /usr/share/cups

  # .. permissions for traversing the prefix that is assumed to exist

  "/" r,

  "/usr/" r,

  # .. variant with mimic at /usr/share/

  # Allow reading the mimic directory, it must exist in the first place.

  "/usr/share/" r,

  # Allow setting the read-only directory aside via a bind mount.

  "/tmp/.snap/usr/share/" rw,

  mount options=(rbind, rw) "/usr/share/" -> "/tmp/.snap/usr/share/",

  # Allow mounting tmpfs over the read-only directory.

  mount fstype=tmpfs options=(rw) tmpfs -> "/usr/share/",

  # Allow creating empty files and directories for bind mounting things
  # to reconstruct the now-writable parent directory.

  "/tmp/.snap/usr/share/*/" rw,

  "/usr/share/*/" rw,

  mount options=(rbind, rw) "/tmp/.snap/usr/share/*/" -> "/usr/share/*/",

  "/tmp/.snap/usr/share/*" rw,

  "/usr/share/*" rw,

  mount options=(bind, rw) "/tmp/.snap/usr/share/*" -> "/usr/share/*",

  # Allow unmounting the auxiliary directory.
  # TODO: use fstype=tmpfs here for more strictness (LP: #1613403)

  mount options=(rprivate) -> "/tmp/.snap/usr/share/",

  umount "/tmp/.snap/usr/share/",

  # Allow unmounting the destination directory as well as anything
  # inside.  This lets us perform the undo plan in case the writable
  # mimic fails.

  mount options=(rprivate) -> "/usr/share/",

  mount options=(rprivate) -> "/usr/share/*",

  mount options=(rprivate) -> "/usr/share/*/",

  umount "/usr/share/",

  umount "/usr/share/*",

  umount "/usr/share/*/",

  # .. variant with mimic at /usr/share/cups/

  "/usr/share/cups/" r,

  "/tmp/.snap/usr/share/cups/" rw,

  mount options=(rbind, rw) "/usr/share/cups/" -> "/tmp/.snap/usr/share/cups/",

  mount fstype=tmpfs options=(rw) tmpfs -> "/usr/share/cups/",

  "/tmp/.snap/usr/share/cups/*/" rw,

  "/usr/share/cups/*/" rw,

  mount options=(rbind, rw) "/tmp/.snap/usr/share/cups/*/" -> "/usr/share/cups/*/",

  "/tmp/.snap/usr/share/cups/*" rw,

  "/usr/share/cups/*" rw,

  mount options=(bind, rw) "/tmp/.snap/usr/share/cups/*" -> "/usr/share/cups/*",

  mount options=(rprivate) -> "/tmp/.snap/usr/share/cups/",

  umount "/tmp/.snap/usr/share/cups/",

  mount options=(rprivate) -> "/usr/share/cups/",

  mount options=(rprivate) -> "/usr/share/cups/*",

  mount options=(rprivate) -> "/usr/share/cups/*/",

  umount "/usr/share/cups/",

  umount "/usr/share/cups/*",

  umount "/usr/share/cups/*/",

  # Writable mimic /usr/share/gimp/2.0

  # .. variant with mimic at /usr/share/gimp/

  "/usr/share/gimp/" r,

  "/tmp/.snap/usr/share/gimp/" rw,

  mount options=(rbind, rw) "/usr/share/gimp/" -> "/tmp/.snap/usr/share/gimp/",

  mount fstype=tmpfs options=(rw) tmpfs -> "/usr/share/gimp/",

  "/tmp/.snap/usr/share/gimp/*/" rw,

  "/usr/share/gimp/*/" rw,

  mount options=(rbind, rw) "/tmp/.snap/usr/share/gimp/*/" -> "/usr/share/gimp/*/",

  "/tmp/.snap/usr/share/gimp/*" rw,

  "/usr/share/gimp/*" rw,

  mount options=(bind, rw) "/tmp/.snap/usr/share/gimp/*" -> "/usr/share/gimp/*",

  mount options=(rprivate) -> "/tmp/.snap/usr/share/gimp/",

  umount "/tmp/.snap/usr/share/gimp/",

  mount options=(rprivate) -> "/usr/share/gimp/",

  mount options=(rprivate) -> "/usr/share/gimp/*",

  mount options=(rprivate) -> "/usr/share/gimp/*/",

  umount "/usr/share/gimp/",

  umount "/usr/share/gimp/*",

  umount "/usr/share/gimp/*/",

  # .. variant with mimic at /usr/share/gimp/2.0/

  "/usr/share/gimp/2.0/" r,

  "/tmp/.snap/usr/share/gimp/2.0/" rw,

  mount options=(rbind, rw) "/usr/share/gimp/2.0/" -> "/tmp/.snap/usr/share/gimp/2.0/",

  mount fstype=tmpfs options=(rw) tmpfs -> "/usr/share/gimp/2.0/",

  "/tmp/.snap/usr/share/gimp/2.0/*/" rw,

  "/usr/share/gimp/2.0/*/" rw,

  mount options=(rbind, rw) "/tmp/.snap/usr/share/gimp/2.0/*/" -> "/usr/share/gimp/2.0/*/",

  "/tmp/.snap/usr/share/gimp/2.0/*" rw,

  "/usr/share/gimp/2.0/*" rw,

  mount options=(bind, rw) "/tmp/.snap/usr/share/gimp/2.0/*" -> "/usr/share/gimp/2.0/*",

  mount options=(rprivate) -> "/tmp/.snap/usr/share/gimp/2.0/",

  umount "/tmp/.snap/usr/share/gimp/2.0/",

  mount options=(rprivate) -> "/usr/share/gimp/2.0/",

  mount options=(rprivate) -> "/usr/share/gimp/2.0/*",

  mount options=(rprivate) -> "/usr/share/gimp/2.0/*/",

  umount "/usr/share/gimp/2.0/",

  umount "/usr/share/gimp/2.0/*",

  umount "/usr/share/gimp/2.0/*/",

  # Writable mimic /usr/share/javascript

  # .. variant with mimic at /usr/share/javascript/

  "/usr/share/javascript/" r,

  "/tmp/.snap/usr/share/javascript/" rw,

  mount options=(rbind, rw) "/usr/share/javascript/" -> "/tmp/.snap/usr/share/javascript/",

  mount fstype=tmpfs options=(rw) tmpfs -> "/usr/share/javascript/",

  "/tmp/.snap/usr/share/javascript/*/" rw,

  "/usr/share/javascript/*/" rw,

  mount options=(rbind, rw) "/tmp/.snap/usr/share/javascript/*/" -> "/usr/share/javascript/*/",

  "/tmp/.snap/usr/share/javascript/*" rw,

  "/usr/share/javascript/*" rw,

  mount options=(bind, rw) "/tmp/.snap/usr/share/javascript/*" -> "/usr/share/javascript/*",

  mount options=(rprivate) -> "/tmp/.snap/usr/share/javascript/",

  umount "/tmp/.snap/usr/share/javascript/",

  mount options=(rprivate) -> "/usr/share/javascript/",

  mount options=(rprivate) -> "/usr/share/javascript/*",

  mount options=(rprivate) -> "/usr/share/javascript/*/",

  umount "/usr/share/javascript/",

  umount "/usr/share/javascript/*",

  umount "/usr/share/javascript/*/",

  # Writable mimic /usr/share/libreoffice

  # .. variant with mimic at /usr/share/libreoffice/

  "/usr/share/libreoffice/" r,

  "/tmp/.snap/usr/share/libreoffice/" rw,

  mount options=(rbind, rw) "/usr/share/libreoffice/" -> "/tmp/.snap/usr/share/libreoffice/",

  mount fstype=tmpfs options=(rw) tmpfs -> "/usr/share/libreoffice/",

  "/tmp/.snap/usr/share/libreoffice/*/" rw,

  "/usr/share/libreoffice/*/" rw,

  mount options=(rbind, rw) "/tmp/.snap/usr/share/libreoffice/*/" -> "/usr/share/libreoffice/*/",

  "/tmp/.snap/usr/share/libreoffice/*" rw,

  "/usr/share/libreoffice/*" rw,

  mount options=(bind, rw) "/tmp/.snap/usr/share/libreoffice/*" -> "/usr/share/libreoffice/*",

  mount options=(rprivate) -> "/tmp/.snap/usr/share/libreoffice/",

  umount "/tmp/.snap/usr/share/libreoffice/",

  mount options=(rprivate) -> "/usr/share/libreoffice/",

  mount options=(rprivate) -> "/usr/share/libreoffice/*",

  mount options=(rprivate) -> "/usr/share/libreoffice/*/",

  umount "/usr/share/libreoffice/",

  umount "/usr/share/libreoffice/*",

  umount "/usr/share/libreoffice/*/",

  # Writable mimic /usr/share/sphinx_rtd_theme

  # .. variant with mimic at /usr/share/sphinx_rtd_theme/

  "/usr/share/sphinx_rtd_theme/" r,

  "/tmp/.snap/usr/share/sphinx_rtd_theme/" rw,

  mount options=(rbind, rw) "/usr/share/sphinx_rtd_theme/" -> "/tmp/.snap/usr/share/sphinx_rtd_theme/",

  mount fstype=tmpfs options=(rw) tmpfs -> "/usr/share/sphinx_rtd_theme/",

  "/tmp/.snap/usr/share/sphinx_rtd_theme/*/" rw,

  "/usr/share/sphinx_rtd_theme/*/" rw,

  mount options=(rbind, rw) "/tmp/.snap/usr/share/sphinx_rtd_theme/*/" -> "/usr/share/sphinx_rtd_theme/*/",

  "/tmp/.snap/usr/share/sphinx_rtd_theme/*" rw,

  "/usr/share/sphinx_rtd_theme/*" rw,

  mount options=(bind, rw) "/tmp/.snap/usr/share/sphinx_rtd_theme/*" -> "/usr/share/sphinx_rtd_theme/*",

  mount options=(rprivate) -> "/tmp/.snap/usr/share/sphinx_rtd_theme/",

  umount "/tmp/.snap/usr/share/sphinx_rtd_theme/",

  mount options=(rprivate) -> "/usr/share/sphinx_rtd_theme/",

  mount options=(rprivate) -> "/usr/share/sphinx_rtd_theme/*",

  mount options=(rprivate) -> "/usr/share/sphinx_rtd_theme/*/",

  umount "/usr/share/sphinx_rtd_theme/",

  umount "/usr/share/sphinx_rtd_theme/*",

  umount "/usr/share/sphinx_rtd_theme/*/",

  # Writable mimic /usr/local/share/doc

  # .. variant with mimic at /usr/local/

  "/usr/local/" r,

  "/tmp/.snap/usr/local/" rw,

  mount options=(rbind, rw) "/usr/local/" -> "/tmp/.snap/usr/local/",

  mount fstype=tmpfs options=(rw) tmpfs -> "/usr/local/",

  "/tmp/.snap/usr/local/*/" rw,

  "/usr/local/*/" rw,

  mount options=(rbind, rw) "/tmp/.snap/usr/local/*/" -> "/usr/local/*/",

  "/tmp/.snap/usr/local/*" rw,

  "/usr/local/*" rw,

  mount options=(bind, rw) "/tmp/.snap/usr/local/*" -> "/usr/local/*",

  mount options=(rprivate) -> "/tmp/.snap/usr/local/",

  umount "/tmp/.snap/usr/local/",

  mount options=(rprivate) -> "/usr/local/",

  mount options=(rprivate) -> "/usr/local/*",

  mount options=(rprivate) -> "/usr/local/*/",

  umount "/usr/local/",

  umount "/usr/local/*",

  umount "/usr/local/*/",

  # .. variant with mimic at /usr/local/share/

  "/usr/local/share/" r,

  "/tmp/.snap/usr/local/share/" rw,

  mount options=(rbind, rw) "/usr/local/share/" -> "/tmp/.snap/usr/local/share/",

  mount fstype=tmpfs options=(rw) tmpfs -> "/usr/local/share/",

  "/tmp/.snap/usr/local/share/*/" rw,

  "/usr/local/share/*/" rw,

  mount options=(rbind, rw) "/tmp/.snap/usr/local/share/*/" -> "/usr/local/share/*/",

  "/tmp/.snap/usr/local/share/*" rw,

  "/usr/local/share/*" rw,

  mount options=(bind, rw) "/tmp/.snap/usr/local/share/*" -> "/usr/local/share/*",

  mount options=(rprivate) -> "/tmp/.snap/usr/local/share/",

  umount "/tmp/.snap/usr/local/share/",

  mount options=(rprivate) -> "/usr/local/share/",

  mount options=(rprivate) -> "/usr/local/share/*",

  mount options=(rprivate) -> "/usr/local/share/*/",

  umount "/usr/local/share/",

  umount "/usr/local/share/*",

  umount "/usr/local/share/*/",

  # .. variant with mimic at /usr/local/share/doc/

  "/usr/local/share/doc/" r,

  "/tmp/.snap/usr/local/share/doc/" rw,

  mount options=(rbind, rw) "/usr/local/share/doc/" -> "/tmp/.snap/usr/local/share/doc/",

  mount fstype=tmpfs options=(rw) tmpfs -> "/usr/local/share/doc/",

  "/tmp/.snap/usr/local/share/doc/*/" rw,

  "/usr/local/share/doc/*/" rw,

  mount options=(rbind, rw) "/tmp/.snap/usr/local/share/doc/*/" -> "/usr/local/share/doc/*/",

  "/tmp/.snap/usr/local/share/doc/*" rw,

  "/usr/local/share/doc/*" rw,

  mount options=(bind, rw) "/tmp/.snap/usr/local/share/doc/*" -> "/usr/local/share/doc/*",

  mount options=(rprivate) -> "/tmp/.snap/usr/local/share/doc/",

  umount "/tmp/.snap/usr/local/share/doc/",

  mount options=(rprivate) -> "/usr/local/share/doc/",

  mount options=(rprivate) -> "/usr/local/share/doc/*",

  mount options=(rprivate) -> "/usr/local/share/doc/*/",

  umount "/usr/local/share/doc/",

  umount "/usr/local/share/doc/*",

  umount "/usr/local/share/doc/*/",

  # Layout /etc/dpkg/dpkg.cfg: bind-file $SNAP/etc/dpkg/dpkg.cfg

  mount options=(bind, rw) "/snap/canonical-livepatch/406/etc/dpkg/dpkg.cfg" -> "/etc/dpkg/dpkg.cfg",

  mount options=(rprivate) -> "/etc/dpkg/dpkg.cfg",

  umount "/etc/dpkg/dpkg.cfg",

  # Writable mimic /etc/dpkg

  # .. variant with mimic at /etc/

  "/etc/" r,

  "/tmp/.snap/etc/" rw,

  mount options=(rbind, rw) "/etc/" -> "/tmp/.snap/etc/",

  mount fstype=tmpfs options=(rw) tmpfs -> "/etc/",

  "/tmp/.snap/etc/*/" rw,

  "/etc/*/" rw,

  mount options=(rbind, rw) "/tmp/.snap/etc/*/" -> "/etc/*/",

  "/tmp/.snap/etc/*" rw,

  "/etc/*" rw,

  mount options=(bind, rw) "/tmp/.snap/etc/*" -> "/etc/*",

  mount options=(rprivate) -> "/tmp/.snap/etc/",

  umount "/tmp/.snap/etc/",

  mount options=(rprivate) -> "/etc/",

  mount options=(rprivate) -> "/etc/*",

  mount options=(rprivate) -> "/etc/*/",

  umount "/etc/",

  umount "/etc/*",

  umount "/etc/*/",

  # .. variant with mimic at /etc/dpkg/

  "/etc/dpkg/" r,

  "/tmp/.snap/etc/dpkg/" rw,

  mount options=(rbind, rw) "/etc/dpkg/" -> "/tmp/.snap/etc/dpkg/",

  mount fstype=tmpfs options=(rw) tmpfs -> "/etc/dpkg/",

  "/tmp/.snap/etc/dpkg/*/" rw,

  "/etc/dpkg/*/" rw,

  mount options=(rbind, rw) "/tmp/.snap/etc/dpkg/*/" -> "/etc/dpkg/*/",

  "/tmp/.snap/etc/dpkg/*" rw,

  "/etc/dpkg/*" rw,

  mount options=(bind, rw) "/tmp/.snap/etc/dpkg/*" -> "/etc/dpkg/*",

  mount options=(rprivate) -> "/tmp/.snap/etc/dpkg/",

  umount "/tmp/.snap/etc/dpkg/",

  mount options=(rprivate) -> "/etc/dpkg/",

  mount options=(rprivate) -> "/etc/dpkg/*",

  mount options=(rprivate) -> "/etc/dpkg/*/",

  umount "/etc/dpkg/",

  umount "/etc/dpkg/*",

  umount "/etc/dpkg/*/",

  # Writable mimic /snap/canonical-livepatch/406/etc/dpkg

  "/snap/" r,

  "/snap/canonical-livepatch/" r,

  # .. variant with mimic at /snap/canonical-livepatch/406/

  "/snap/canonical-livepatch/406/" r,

  "/tmp/.snap/snap/canonical-livepatch/406/" rw,

  mount options=(rbind, rw) "/snap/canonical-livepatch/406/" -> "/tmp/.snap/snap/canonical-livepatch/406/",

  mount fstype=tmpfs options=(rw) tmpfs -> "/snap/canonical-livepatch/406/",

  "/tmp/.snap/snap/canonical-livepatch/406/*/" rw,

  "/snap/canonical-livepatch/406/*/" rw,

  mount options=(rbind, rw) "/tmp/.snap/snap/canonical-livepatch/406/*/" -> "/snap/canonical-livepatch/406/*/",

  "/tmp/.snap/snap/canonical-livepatch/406/*" rw,

  "/snap/canonical-livepatch/406/*" rw,

  mount options=(bind, rw) "/tmp/.snap/snap/canonical-livepatch/406/*" -> "/snap/canonical-livepatch/406/*",

  mount options=(rprivate) -> "/tmp/.snap/snap/canonical-livepatch/406/",

  umount "/tmp/.snap/snap/canonical-livepatch/406/",

  mount options=(rprivate) -> "/snap/canonical-livepatch/406/",

  mount options=(rprivate) -> "/snap/canonical-livepatch/406/*",

  mount options=(rprivate) -> "/snap/canonical-livepatch/406/*/",

  umount "/snap/canonical-livepatch/406/",

  umount "/snap/canonical-livepatch/406/*",

  umount "/snap/canonical-livepatch/406/*/",

  # .. variant with mimic at /snap/canonical-livepatch/406/etc/

  "/snap/canonical-livepatch/406/etc/" r,

  "/tmp/.snap/snap/canonical-livepatch/406/etc/" rw,

  mount options=(rbind, rw) "/snap/canonical-livepatch/406/etc/" -> "/tmp/.snap/snap/canonical-livepatch/406/etc/",

  mount fstype=tmpfs options=(rw) tmpfs -> "/snap/canonical-livepatch/406/etc/",

  "/tmp/.snap/snap/canonical-livepatch/406/etc/*/" rw,

  "/snap/canonical-livepatch/406/etc/*/" rw,

  mount options=(rbind, rw) "/tmp/.snap/snap/canonical-livepatch/406/etc/*/" -> "/snap/canonical-livepatch/406/etc/*/",

  "/tmp/.snap/snap/canonical-livepatch/406/etc/*" rw,

  "/snap/canonical-livepatch/406/etc/*" rw,

  mount options=(bind, rw) "/tmp/.snap/snap/canonical-livepatch/406/etc/*" -> "/snap/canonical-livepatch/406/etc/*",

  mount options=(rprivate) -> "/tmp/.snap/snap/canonical-livepatch/406/etc/",

  umount "/tmp/.snap/snap/canonical-livepatch/406/etc/",

  mount options=(rprivate) -> "/snap/canonical-livepatch/406/etc/",

  mount options=(rprivate) -> "/snap/canonical-livepatch/406/etc/*",

  mount options=(rprivate) -> "/snap/canonical-livepatch/406/etc/*/",

  umount "/snap/canonical-livepatch/406/etc/",

  umount "/snap/canonical-livepatch/406/etc/*",

  umount "/snap/canonical-livepatch/406/etc/*/",

  # .. variant with mimic at /snap/canonical-livepatch/406/etc/dpkg/

  "/snap/canonical-livepatch/406/etc/dpkg/" r,

  "/tmp/.snap/snap/canonical-livepatch/406/etc/dpkg/" rw,

  mount options=(rbind, rw) "/snap/canonical-livepatch/406/etc/dpkg/" -> "/tmp/.snap/snap/canonical-livepatch/406/etc/dpkg/",

  mount fstype=tmpfs options=(rw) tmpfs -> "/snap/canonical-livepatch/406/etc/dpkg/",

  "/tmp/.snap/snap/canonical-livepatch/406/etc/dpkg/*/" rw,

  "/snap/canonical-livepatch/406/etc/dpkg/*/" rw,

  mount options=(rbind, rw) "/tmp/.snap/snap/canonical-livepatch/406/etc/dpkg/*/" -> "/snap/canonical-livepatch/406/etc/dpkg/*/",

  "/tmp/.snap/snap/canonical-livepatch/406/etc/dpkg/*" rw,

  "/snap/canonical-livepatch/406/etc/dpkg/*" rw,

  mount options=(bind, rw) "/tmp/.snap/snap/canonical-livepatch/406/etc/dpkg/*" -> "/snap/canonical-livepatch/406/etc/dpkg/*",

  mount options=(rprivate) -> "/tmp/.snap/snap/canonical-livepatch/406/etc/dpkg/",

  umount "/tmp/.snap/snap/canonical-livepatch/406/etc/dpkg/",

  mount options=(rprivate) -> "/snap/canonical-livepatch/406/etc/dpkg/",

  mount options=(rprivate) -> "/snap/canonical-livepatch/406/etc/dpkg/*",

  mount options=(rprivate) -> "/snap/canonical-livepatch/406/etc/dpkg/*/",

  umount "/snap/canonical-livepatch/406/etc/dpkg/",

  umount "/snap/canonical-livepatch/406/etc/dpkg/*",

  umount "/snap/canonical-livepatch/406/etc/dpkg/*/",

  # Layout /usr/bin/dpkg: bind-file $SNAP/usr/bin/dpkg

  mount options=(bind, rw) "/snap/canonical-livepatch/406/usr/bin/dpkg" -> "/usr/bin/dpkg",

  mount options=(rprivate) -> "/usr/bin/dpkg",

  umount "/usr/bin/dpkg",

  # Writable mimic /usr/bin

  # .. variant with mimic at /usr/

  "/tmp/.snap/usr/" rw,

  mount options=(rbind, rw) "/usr/" -> "/tmp/.snap/usr/",

  mount fstype=tmpfs options=(rw) tmpfs -> "/usr/",

  "/tmp/.snap/usr/*/" rw,

  "/usr/*/" rw,

  mount options=(rbind, rw) "/tmp/.snap/usr/*/" -> "/usr/*/",

  "/tmp/.snap/usr/*" rw,

  "/usr/*" rw,

  mount options=(bind, rw) "/tmp/.snap/usr/*" -> "/usr/*",

  mount options=(rprivate) -> "/tmp/.snap/usr/",

  umount "/tmp/.snap/usr/",

  mount options=(rprivate) -> "/usr/",

  mount options=(rprivate) -> "/usr/*",

  mount options=(rprivate) -> "/usr/*/",

  umount "/usr/",

  umount "/usr/*",

  umount "/usr/*/",

  # .. variant with mimic at /usr/bin/

  "/usr/bin/" r,

  "/tmp/.snap/usr/bin/" rw,

  mount options=(rbind, rw) "/usr/bin/" -> "/tmp/.snap/usr/bin/",

  mount fstype=tmpfs options=(rw) tmpfs -> "/usr/bin/",

  "/tmp/.snap/usr/bin/*/" rw,

  "/usr/bin/*/" rw,

  mount options=(rbind, rw) "/tmp/.snap/usr/bin/*/" -> "/usr/bin/*/",

  "/tmp/.snap/usr/bin/*" rw,

  "/usr/bin/*" rw,

  mount options=(bind, rw) "/tmp/.snap/usr/bin/*" -> "/usr/bin/*",

  mount options=(rprivate) -> "/tmp/.snap/usr/bin/",

  umount "/tmp/.snap/usr/bin/",

  mount options=(rprivate) -> "/usr/bin/",

  mount options=(rprivate) -> "/usr/bin/*",

  mount options=(rprivate) -> "/usr/bin/*/",

  umount "/usr/bin/",

  umount "/usr/bin/*",

  umount "/usr/bin/*/",

  # Writable mimic /snap/canonical-livepatch/406/usr/bin

  # .. variant with mimic at /snap/canonical-livepatch/406/usr/

  "/snap/canonical-livepatch/406/usr/" r,

  "/tmp/.snap/snap/canonical-livepatch/406/usr/" rw,

  mount options=(rbind, rw) "/snap/canonical-livepatch/406/usr/" -> "/tmp/.snap/snap/canonical-livepatch/406/usr/",

  mount fstype=tmpfs options=(rw) tmpfs -> "/snap/canonical-livepatch/406/usr/",

  "/tmp/.snap/snap/canonical-livepatch/406/usr/*/" rw,

  "/snap/canonical-livepatch/406/usr/*/" rw,

  mount options=(rbind, rw) "/tmp/.snap/snap/canonical-livepatch/406/usr/*/" -> "/snap/canonical-livepatch/406/usr/*/",

  "/tmp/.snap/snap/canonical-livepatch/406/usr/*" rw,

  "/snap/canonical-livepatch/406/usr/*" rw,

  mount options=(bind, rw) "/tmp/.snap/snap/canonical-livepatch/406/usr/*" -> "/snap/canonical-livepatch/406/usr/*",

  mount options=(rprivate) -> "/tmp/.snap/snap/canonical-livepatch/406/usr/",

  umount "/tmp/.snap/snap/canonical-livepatch/406/usr/",

  mount options=(rprivate) -> "/snap/canonical-livepatch/406/usr/",

  mount options=(rprivate) -> "/snap/canonical-livepatch/406/usr/*",

  mount options=(rprivate) -> "/snap/canonical-livepatch/406/usr/*/",

  umount "/snap/canonical-livepatch/406/usr/",

  umount "/snap/canonical-livepatch/406/usr/*",

  umount "/snap/canonical-livepatch/406/usr/*/",

  # .. variant with mimic at /snap/canonical-livepatch/406/usr/bin/

  "/snap/canonical-livepatch/406/usr/bin/" r,

  "/tmp/.snap/snap/canonical-livepatch/406/usr/bin/" rw,

  mount options=(rbind, rw) "/snap/canonical-livepatch/406/usr/bin/" -> "/tmp/.snap/snap/canonical-livepatch/406/usr/bin/",

  mount fstype=tmpfs options=(rw) tmpfs -> "/snap/canonical-livepatch/406/usr/bin/",

  "/tmp/.snap/snap/canonical-livepatch/406/usr/bin/*/" rw,

  "/snap/canonical-livepatch/406/usr/bin/*/" rw,

  mount options=(rbind, rw) "/tmp/.snap/snap/canonical-livepatch/406/usr/bin/*/" -> "/snap/canonical-livepatch/406/usr/bin/*/",

  "/tmp/.snap/snap/canonical-livepatch/406/usr/bin/*" rw,

  "/snap/canonical-livepatch/406/usr/bin/*" rw,

  mount options=(bind, rw) "/tmp/.snap/snap/canonical-livepatch/406/usr/bin/*" -> "/snap/canonical-livepatch/406/usr/bin/*",

  mount options=(rprivate) -> "/tmp/.snap/snap/canonical-livepatch/406/usr/bin/",

  umount "/tmp/.snap/snap/canonical-livepatch/406/usr/bin/",

  mount options=(rprivate) -> "/snap/canonical-livepatch/406/usr/bin/",

  mount options=(rprivate) -> "/snap/canonical-livepatch/406/usr/bin/*",

  mount options=(rprivate) -> "/snap/canonical-livepatch/406/usr/bin/*/",

  umount "/snap/canonical-livepatch/406/usr/bin/",

  umount "/snap/canonical-livepatch/406/usr/bin/*",

  umount "/snap/canonical-livepatch/406/usr/bin/*/",

  # Layout /usr/share/dpkg: bind $SNAP/usr/share/dpkg

  mount options=(rbind, rw) "/snap/canonical-livepatch/406/usr/share/dpkg/" -> "/usr/share/dpkg/",

  mount options=(rprivate) -> "/usr/share/dpkg/",

  umount "/usr/share/dpkg/",

  # Writable mimic /usr/share (the /usr/share/ variant rules appear above, under the /usr/share/cups mimic)

  # Writable mimic /snap/canonical-livepatch/406/usr/share

  # .. variant with mimic at /snap/canonical-livepatch/406/usr/share/

  "/snap/canonical-livepatch/406/usr/share/" r,

  "/tmp/.snap/snap/canonical-livepatch/406/usr/share/" rw,

  mount options=(rbind, rw) "/snap/canonical-livepatch/406/usr/share/" -> "/tmp/.snap/snap/canonical-livepatch/406/usr/share/",

  mount fstype=tmpfs options=(rw) tmpfs -> "/snap/canonical-livepatch/406/usr/share/",

  "/tmp/.snap/snap/canonical-livepatch/406/usr/share/*/" rw,

  "/snap/canonical-livepatch/406/usr/share/*/" rw,

  mount options=(rbind, rw) "/tmp/.snap/snap/canonical-livepatch/406/usr/share/*/" -> "/snap/canonical-livepatch/406/usr/share/*/",

  "/tmp/.snap/snap/canonical-livepatch/406/usr/share/*" rw,

  "/snap/canonical-livepatch/406/usr/share/*" rw,

  mount options=(bind, rw) "/tmp/.snap/snap/canonical-livepatch/406/usr/share/*" -> "/snap/canonical-livepatch/406/usr/share/*",

  mount options=(rprivate) -> "/tmp/.snap/snap/canonical-livepatch/406/usr/share/",

  umount "/tmp/.snap/snap/canonical-livepatch/406/usr/share/",

  mount options=(rprivate) -> "/snap/canonical-livepatch/406/usr/share/",

  mount options=(rprivate) -> "/snap/canonical-livepatch/406/usr/share/*",

  mount options=(rprivate) -> "/snap/canonical-livepatch/406/usr/share/*/",

  umount "/snap/canonical-livepatch/406/usr/share/",

  umount "/snap/canonical-livepatch/406/usr/share/*",

  umount "/snap/canonical-livepatch/406/usr/share/*/",

}