# Description: Allows snap-update-ns to construct the mount namespace specific
# to a particular snap (see the name below). This specifically includes the
# precise locations of the layout elements.
# vim:syntax=apparmor
#include <tunables/global>
#include if exists "/etc/apparmor.d/tunables/home.d"
profile snap-update-ns.canonical-livepatch (attach_disconnected) {
# attach_disconnected: while the mount namespace is being rebuilt, paths that
# become disconnected from the namespace root are mediated as if they hung off
# / instead of being rejected outright.
# The next four rules mirror those above. We want to be able to read
# and map snap-update-ns into memory but it may come from a variety of places.
# 'mr' is read + mmap only; there is no 'x', so nothing in this group can be
# executed with a profile transition.
/usr/lib{,exec,64}/snapd/snap-update-ns mr,
/var/lib/snapd/hostfs/usr/lib{,exec,64}/snapd/snap-update-ns mr,
/{,var/lib/snapd/}snap/{core,snapd}/*/usr/lib/snapd/snap-update-ns mr,
/var/lib/snapd/hostfs/{,var/lib/snapd/}snap/core/*/usr/lib/snapd/snap-update-ns mr,
# Allow reading the dynamic linker cache.
/etc/ld.so.cache r,
# Allow reading, mapping and executing the dynamic linker.
# 'ix': the linker runs under this same profile (inherit), not an unconfined one.
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}ld-*.so mrix,
# Allow reading and mapping various parts of the standard library and
# dynamically loaded nss modules and what not.
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libc{,-[0-9]*}.so* mr,
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libpthread{,-[0-9]*}.so* mr,
# Common devices accesses
/dev/null rw,
/dev/full rw,
/dev/zero rw,
/dev/random r,
/dev/urandom r,
# golang runtime variables
/sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
# glibc 2.27+ may poke this file to find out the number of CPUs
# available in the system when creating a new arena for malloc, see
# Golang issue 25628
/sys/devices/system/cpu/online r,
# The 'owner' qualifier on the @{PROC}/@{pid} rules below limits them to
# entries owned by the same uid as the process, i.e. its own /proc tree.
# Allow reading the command line (snap-update-ns uses it in pre-Go bootstrap code).
owner @{PROC}/@{pid}/cmdline r,
# Allow reading of own maps (Go runtime)
owner @{PROC}/@{pid}/maps r,
# Allow reading file descriptor paths
owner @{PROC}/@{pid}/fd/* r,
# Allow reading /proc/version. For release.go WSL detection.
@{PROC}/version r,
# Allow reading own cgroups
owner @{PROC}/@{pid}/cgroup r,
# Allow reading own mountinfo (Go runtime 1.25+)
owner @{PROC}/@{pid}/mountinfo r,
# Allow reading the auxv, apparently Go does this on s390x
# https://bugs.launchpad.net/snapd/+bug/2141461
owner @{PROC}/@{pid}/auxv r,
# Allow reading somaxconn, required in newer distro releases
@{PROC}/sys/net/core/somaxconn r,
# but silence noisy denial of inet/inet6
# A plain 'deny' is quiet: the access is refused and no audit entry is
# written (contrast with the 'audit deny' mount rules further down).
deny network inet,
deny network inet6,
# Allow reading the os-release file (possibly a symlink to /usr/lib).
/{etc/,usr/lib/}os-release r,
# Allow creating/grabbing global and per-snap lock files.
# 'k' is the file-locking permission needed to take the lock.
/run/snapd/lock/canonical-livepatch.lock rwk,
/run/snapd/lock/.lock rwk,
# While the base abstraction has rules for ecryptfs encrypted home and
# private directories, it is missing rules for directory read on the toplevel
# directory of the mount (LP: #1848919)
owner @{HOME}/.Private/ r,
owner @{HOMEDIRS}/.ecryptfs/*/.Private/ r,
# Allow reading stored mount namespaces,
/run/snapd/ns/ r,
/run/snapd/ns/canonical-livepatch.mnt r,
# Allow reading per-snap desired mount profiles. Those are written by
# snapd and represent the desired layout and content connections.
/var/lib/snapd/mount/snap.canonical-livepatch.fstab r,
/var/lib/snapd/mount/snap.canonical-livepatch.user-fstab r,
# Allow reading and writing actual per-snap mount profiles. Note the
# wildcard in the rule; it allows an atomic write + rename strategy.
# Those files are written by snap-update-ns and represent the actual
# mount profile at a given moment.
/run/snapd/ns/snap.canonical-livepatch.fstab{,.*} rw,
# Allow writing to a log file for both per-snap and per-snap-and-user log files.
/run/snapd/ns/snap.canonical-livepatch.log w,
/run/snapd/ns/snap.canonical-livepatch.user.*.log w,
# NOTE: at this stage the /snap directory is stable as we have called
# pivot_root already.
# Needed to perform mount/unmounts.
# sys_admin is what mount(2)/umount(2) require; it is the mount, umount and
# remount rules in this profile that narrow which operations are permitted.
capability sys_admin,
# Needed for mimic construction.
capability chown,
# Needed for dropping to calling user when processing per-user mounts
capability setuid,
capability setgid,
# Allow snap-update-ns to override file ownership and permission checks.
# This is required because writable mimics now preserve the permissions
# of the original and hence we may be asked to create a directory when the
# parent is a tmpfs without DAC write access.
capability dac_override,
# Allow freezing and thawing the per-snap cgroup freezers
# v1 hierarchy where we know the group name of all processes of
# a given snap upfront
/sys/fs/cgroup/freezer/snap.canonical-livepatch/freezer.state rw,
# v2 hierarchy, where we need to walk the tree looking for the tracking
# groups and act on each one
# Read access is tree-wide ('**'), but write is limited to the cgroup.freeze
# knob of groups named after this snap.
/sys/fs/cgroup/ r,
/sys/fs/cgroup/** r,
/sys/fs/cgroup/**/snap.canonical-livepatch.*.scope/cgroup.freeze rw,
/sys/fs/cgroup/**/snap.canonical-livepatch.*.service/cgroup.freeze rw,
# Allow the content interface to bind fonts from the host filesystem
mount options=(ro bind) /var/lib/snapd/hostfs/usr/share/fonts/ -> /snap/canonical-livepatch/*/**,
mount options=(rw private) -> /snap/canonical-livepatch/*/**,
umount /snap/canonical-livepatch/*/**,
# set up user mount namespace
# rslave: mount events from the parent namespace propagate into this one,
# but nothing mounted here propagates back out.
mount options=(rslave) -> /,
# Allow traversing from the root directory and several well-known places.
# Specific directory permissions are added by snippets below.
/ r,
/etc/ r,
/snap/ r,
/tmp/ r,
/usr/ r,
/var/ r,
/var/lib/ r,
/var/lib/snapd/ r,
/var/snap/ r,
# Allow reading timezone data.
/usr/share/zoneinfo/** r,
# Don't allow anyone to touch /snap/bin
# 'audit deny' both refuses the mount and logs every attempt, unlike the
# quiet 'deny' used for the network rules above.
audit deny mount /snap/bin/** -> /**,
audit deny mount /** -> /snap/bin/**,
# Don't allow bind mounts to /media which has special
# sharing and propagates mount events outside of the snap namespace.
audit deny mount -> /media,
# Allow receiving signals from unconfined (eg, systemd)
signal (receive) peer=unconfined,
# Allow sending and receiving signals from ourselves.
signal peer=@{profile_name},
# Commonly needed permissions for writable mimics.
# (/tmp/ r repeats the traversal rule above; AppArmor rules accumulate, so
# the duplicate is harmless.)
/tmp/ r,
/tmp/.snap/{,**} rw,
# snapd logger.go checks /proc/cmdline
@{PROC}/cmdline r,
# snap checks if vendored apparmor parser should be used at startup
/usr/lib/snapd/info r,
/lib/apparmor/functions r,
# Allow snap-update-ns to open home directory
owner @{HOME}/ r,
# The next three rules duplicate the traversal rules above (see the note on /tmp/).
/var/ r,
/var/lib/ r,
/var/lib/snapd/ r,
/var/lib/snapd/hostfs/ r,
/var/lib/snapd/hostfs/var/ r,
/var/lib/snapd/hostfs/var/lib/ r,
/var/lib/snapd/hostfs/var/lib/dhcp/ r,
/var/lib/dhcp/ r,
# rw bind: a bind mount shares the underlying filesystem, so writes made
# under /var/lib/dhcp/ in this namespace land in the host's directory.
mount options=(rw bind) /var/lib/snapd/hostfs/var/lib/dhcp/ -> /var/lib/dhcp/,
umount /var/lib/dhcp/,
# Read-only access to /boot
# Two-step pattern: the bind is created rw, then remounted ro. /boot/ is
# only read-only in the namespace once the second rule has been applied.
mount options=(bind,rw) /var/lib/snapd/hostfs/boot/ -> /boot/,
mount options=(bind,remount,ro) -> /boot/,
umount /boot/,
# Mount documentation of system packages
# Same bind-then-remount-ro pattern as /boot/ for each documentation tree.
mount options=(bind) /var/lib/snapd/hostfs/usr/share/doc/ -> /usr/share/doc/,
remount options=(bind, ro) /usr/share/doc/,
umount /usr/share/doc/,
mount options=(bind) /var/lib/snapd/hostfs/usr/local/share/doc/ -> /usr/local/share/doc/,
remount options=(bind, ro) /usr/local/share/doc/,
umount /usr/local/share/doc/,
mount options=(bind) /var/lib/snapd/hostfs/usr/share/cups/doc-root/ -> /usr/share/cups/doc-root/,
remount options=(bind, ro) /usr/share/cups/doc-root/,
umount /usr/share/cups/doc-root/,
mount options=(bind) /var/lib/snapd/hostfs/usr/share/gimp/2.0/help/ -> /usr/share/gimp/2.0/help/,
remount options=(bind, ro) /usr/share/gimp/2.0/help/,
umount /usr/share/gimp/2.0/help/,
mount options=(bind) /var/lib/snapd/hostfs/usr/share/gtk-doc/ -> /usr/share/gtk-doc/,
remount options=(bind, ro) /usr/share/gtk-doc/,
umount /usr/share/gtk-doc/,
mount options=(bind) /var/lib/snapd/hostfs/usr/share/javascript/ -> /usr/share/javascript/,
remount options=(bind, ro) /usr/share/javascript/,
umount /usr/share/javascript/,
mount options=(bind) /var/lib/snapd/hostfs/usr/share/libreoffice/help/ -> /usr/share/libreoffice/help/,
remount options=(bind, ro) /usr/share/libreoffice/help/,
umount /usr/share/libreoffice/help/,
mount options=(bind) /var/lib/snapd/hostfs/usr/share/sphinx_rtd_theme/ -> /usr/share/sphinx_rtd_theme/,
remount options=(bind, ro) /usr/share/sphinx_rtd_theme/,
umount /usr/share/sphinx_rtd_theme/,
mount options=(bind) /var/lib/snapd/hostfs/usr/share/xubuntu-docs/ -> /usr/share/xubuntu-docs/,
remount options=(bind, ro) /usr/share/xubuntu-docs/,
umount /usr/share/xubuntu-docs/,
# Writable mimic /usr/share/cups
# Every "writable mimic" section below follows the same sequence, read from
# the rules themselves: (1) rbind the read-only directory aside under
# /tmp/.snap/, (2) mount a tmpfs over the original location, (3) bind each
# entry from the set-aside copy back into the tmpfs, (4) make the scratch
# copy rprivate and unmount it, and (5) rprivate + umount rules for the
# destination so the whole thing can be undone if a step fails. All of it
# happens in the mount namespace this profile constructs (see the
# description at the top), not in the host's.
# .. permissions for traversing the prefix that is assumed to exist
"/" r,
"/usr/" r,
# .. variant with mimic at /usr/share/
# Allow reading the mimic directory, it must exist in the first place.
"/usr/share/" r,
# Allow setting the read-only directory aside via a bind mount.
"/tmp/.snap/usr/share/" rw,
mount options=(rbind, rw) "/usr/share/" -> "/tmp/.snap/usr/share/",
# Allow mounting tmpfs over the read-only directory.
mount fstype=tmpfs options=(rw) tmpfs -> "/usr/share/",
# Allow creating empty files and directories for bind mounting things
# to reconstruct the now-writable parent directory.
# '*' matches a single path component and does not cross '/', so only the
# direct children of the mimic root are in scope for these rules.
"/tmp/.snap/usr/share/*/" rw,
"/usr/share/*/" rw,
mount options=(rbind, rw) "/tmp/.snap/usr/share/*/" -> "/usr/share/*/",
"/tmp/.snap/usr/share/*" rw,
"/usr/share/*" rw,
mount options=(bind, rw) "/tmp/.snap/usr/share/*" -> "/usr/share/*",
# Allow unmounting the auxiliary directory.
# TODO: use fstype=tmpfs here for more strictness (LP: #1613403)
mount options=(rprivate) -> "/tmp/.snap/usr/share/",
umount "/tmp/.snap/usr/share/",
# Allow unmounting the destination directory as well as anything
# inside. This lets us perform the undo plan in case the writable
# mimic fails.
mount options=(rprivate) -> "/usr/share/",
mount options=(rprivate) -> "/usr/share/*",
mount options=(rprivate) -> "/usr/share/*/",
umount "/usr/share/",
umount "/usr/share/*",
umount "/usr/share/*/",
# .. variant with mimic at /usr/share/cups/
"/usr/share/cups/" r,
"/tmp/.snap/usr/share/cups/" rw,
mount options=(rbind, rw) "/usr/share/cups/" -> "/tmp/.snap/usr/share/cups/",
mount fstype=tmpfs options=(rw) tmpfs -> "/usr/share/cups/",
"/tmp/.snap/usr/share/cups/*/" rw,
"/usr/share/cups/*/" rw,
mount options=(rbind, rw) "/tmp/.snap/usr/share/cups/*/" -> "/usr/share/cups/*/",
"/tmp/.snap/usr/share/cups/*" rw,
"/usr/share/cups/*" rw,
mount options=(bind, rw) "/tmp/.snap/usr/share/cups/*" -> "/usr/share/cups/*",
mount options=(rprivate) -> "/tmp/.snap/usr/share/cups/",
umount "/tmp/.snap/usr/share/cups/",
mount options=(rprivate) -> "/usr/share/cups/",
mount options=(rprivate) -> "/usr/share/cups/*",
mount options=(rprivate) -> "/usr/share/cups/*/",
umount "/usr/share/cups/",
umount "/usr/share/cups/*",
umount "/usr/share/cups/*/",
# Writable mimic /usr/share/gimp/2.0
# .. variant with mimic at /usr/share/gimp/
"/usr/share/gimp/" r,
"/tmp/.snap/usr/share/gimp/" rw,
mount options=(rbind, rw) "/usr/share/gimp/" -> "/tmp/.snap/usr/share/gimp/",
mount fstype=tmpfs options=(rw) tmpfs -> "/usr/share/gimp/",
"/tmp/.snap/usr/share/gimp/*/" rw,
"/usr/share/gimp/*/" rw,
mount options=(rbind, rw) "/tmp/.snap/usr/share/gimp/*/" -> "/usr/share/gimp/*/",
"/tmp/.snap/usr/share/gimp/*" rw,
"/usr/share/gimp/*" rw,
mount options=(bind, rw) "/tmp/.snap/usr/share/gimp/*" -> "/usr/share/gimp/*",
mount options=(rprivate) -> "/tmp/.snap/usr/share/gimp/",
umount "/tmp/.snap/usr/share/gimp/",
mount options=(rprivate) -> "/usr/share/gimp/",
mount options=(rprivate) -> "/usr/share/gimp/*",
mount options=(rprivate) -> "/usr/share/gimp/*/",
umount "/usr/share/gimp/",
umount "/usr/share/gimp/*",
umount "/usr/share/gimp/*/",
# .. variant with mimic at /usr/share/gimp/2.0/
"/usr/share/gimp/2.0/" r,
"/tmp/.snap/usr/share/gimp/2.0/" rw,
mount options=(rbind, rw) "/usr/share/gimp/2.0/" -> "/tmp/.snap/usr/share/gimp/2.0/",
mount fstype=tmpfs options=(rw) tmpfs -> "/usr/share/gimp/2.0/",
"/tmp/.snap/usr/share/gimp/2.0/*/" rw,
"/usr/share/gimp/2.0/*/" rw,
mount options=(rbind, rw) "/tmp/.snap/usr/share/gimp/2.0/*/" -> "/usr/share/gimp/2.0/*/",
"/tmp/.snap/usr/share/gimp/2.0/*" rw,
"/usr/share/gimp/2.0/*" rw,
mount options=(bind, rw) "/tmp/.snap/usr/share/gimp/2.0/*" -> "/usr/share/gimp/2.0/*",
mount options=(rprivate) -> "/tmp/.snap/usr/share/gimp/2.0/",
umount "/tmp/.snap/usr/share/gimp/2.0/",
mount options=(rprivate) -> "/usr/share/gimp/2.0/",
mount options=(rprivate) -> "/usr/share/gimp/2.0/*",
mount options=(rprivate) -> "/usr/share/gimp/2.0/*/",
umount "/usr/share/gimp/2.0/",
umount "/usr/share/gimp/2.0/*",
umount "/usr/share/gimp/2.0/*/",
# Writable mimic /usr/share/javascript
# .. variant with mimic at /usr/share/javascript/
"/usr/share/javascript/" r,
"/tmp/.snap/usr/share/javascript/" rw,
mount options=(rbind, rw) "/usr/share/javascript/" -> "/tmp/.snap/usr/share/javascript/",
mount fstype=tmpfs options=(rw) tmpfs -> "/usr/share/javascript/",
"/tmp/.snap/usr/share/javascript/*/" rw,
"/usr/share/javascript/*/" rw,
mount options=(rbind, rw) "/tmp/.snap/usr/share/javascript/*/" -> "/usr/share/javascript/*/",
"/tmp/.snap/usr/share/javascript/*" rw,
"/usr/share/javascript/*" rw,
mount options=(bind, rw) "/tmp/.snap/usr/share/javascript/*" -> "/usr/share/javascript/*",
mount options=(rprivate) -> "/tmp/.snap/usr/share/javascript/",
umount "/tmp/.snap/usr/share/javascript/",
mount options=(rprivate) -> "/usr/share/javascript/",
mount options=(rprivate) -> "/usr/share/javascript/*",
mount options=(rprivate) -> "/usr/share/javascript/*/",
umount "/usr/share/javascript/",
umount "/usr/share/javascript/*",
umount "/usr/share/javascript/*/",
# Writable mimic /usr/share/libreoffice
# .. variant with mimic at /usr/share/libreoffice/
"/usr/share/libreoffice/" r,
"/tmp/.snap/usr/share/libreoffice/" rw,
mount options=(rbind, rw) "/usr/share/libreoffice/" -> "/tmp/.snap/usr/share/libreoffice/",
mount fstype=tmpfs options=(rw) tmpfs -> "/usr/share/libreoffice/",
"/tmp/.snap/usr/share/libreoffice/*/" rw,
"/usr/share/libreoffice/*/" rw,
mount options=(rbind, rw) "/tmp/.snap/usr/share/libreoffice/*/" -> "/usr/share/libreoffice/*/",
"/tmp/.snap/usr/share/libreoffice/*" rw,
"/usr/share/libreoffice/*" rw,
mount options=(bind, rw) "/tmp/.snap/usr/share/libreoffice/*" -> "/usr/share/libreoffice/*",
mount options=(rprivate) -> "/tmp/.snap/usr/share/libreoffice/",
umount "/tmp/.snap/usr/share/libreoffice/",
mount options=(rprivate) -> "/usr/share/libreoffice/",
mount options=(rprivate) -> "/usr/share/libreoffice/*",
mount options=(rprivate) -> "/usr/share/libreoffice/*/",
umount "/usr/share/libreoffice/",
umount "/usr/share/libreoffice/*",
umount "/usr/share/libreoffice/*/",
# Writable mimic /usr/share/sphinx_rtd_theme
# .. variant with mimic at /usr/share/sphinx_rtd_theme/
"/usr/share/sphinx_rtd_theme/" r,
"/tmp/.snap/usr/share/sphinx_rtd_theme/" rw,
mount options=(rbind, rw) "/usr/share/sphinx_rtd_theme/" -> "/tmp/.snap/usr/share/sphinx_rtd_theme/",
mount fstype=tmpfs options=(rw) tmpfs -> "/usr/share/sphinx_rtd_theme/",
"/tmp/.snap/usr/share/sphinx_rtd_theme/*/" rw,
"/usr/share/sphinx_rtd_theme/*/" rw,
mount options=(rbind, rw) "/tmp/.snap/usr/share/sphinx_rtd_theme/*/" -> "/usr/share/sphinx_rtd_theme/*/",
"/tmp/.snap/usr/share/sphinx_rtd_theme/*" rw,
"/usr/share/sphinx_rtd_theme/*" rw,
mount options=(bind, rw) "/tmp/.snap/usr/share/sphinx_rtd_theme/*" -> "/usr/share/sphinx_rtd_theme/*",
mount options=(rprivate) -> "/tmp/.snap/usr/share/sphinx_rtd_theme/",
umount "/tmp/.snap/usr/share/sphinx_rtd_theme/",
mount options=(rprivate) -> "/usr/share/sphinx_rtd_theme/",
mount options=(rprivate) -> "/usr/share/sphinx_rtd_theme/*",
mount options=(rprivate) -> "/usr/share/sphinx_rtd_theme/*/",
umount "/usr/share/sphinx_rtd_theme/",
umount "/usr/share/sphinx_rtd_theme/*",
umount "/usr/share/sphinx_rtd_theme/*/",
# Writable mimic /usr/local/share/doc
# .. variant with mimic at /usr/local/
"/usr/local/" r,
"/tmp/.snap/usr/local/" rw,
mount options=(rbind, rw) "/usr/local/" -> "/tmp/.snap/usr/local/",
mount fstype=tmpfs options=(rw) tmpfs -> "/usr/local/",
"/tmp/.snap/usr/local/*/" rw,
"/usr/local/*/" rw,
mount options=(rbind, rw) "/tmp/.snap/usr/local/*/" -> "/usr/local/*/",
"/tmp/.snap/usr/local/*" rw,
"/usr/local/*" rw,
mount options=(bind, rw) "/tmp/.snap/usr/local/*" -> "/usr/local/*",
mount options=(rprivate) -> "/tmp/.snap/usr/local/",
umount "/tmp/.snap/usr/local/",
mount options=(rprivate) -> "/usr/local/",
mount options=(rprivate) -> "/usr/local/*",
mount options=(rprivate) -> "/usr/local/*/",
umount "/usr/local/",
umount "/usr/local/*",
umount "/usr/local/*/",
# .. variant with mimic at /usr/local/share/
"/usr/local/share/" r,
"/tmp/.snap/usr/local/share/" rw,
mount options=(rbind, rw) "/usr/local/share/" -> "/tmp/.snap/usr/local/share/",
mount fstype=tmpfs options=(rw) tmpfs -> "/usr/local/share/",
"/tmp/.snap/usr/local/share/*/" rw,
"/usr/local/share/*/" rw,
mount options=(rbind, rw) "/tmp/.snap/usr/local/share/*/" -> "/usr/local/share/*/",
"/tmp/.snap/usr/local/share/*" rw,
"/usr/local/share/*" rw,
mount options=(bind, rw) "/tmp/.snap/usr/local/share/*" -> "/usr/local/share/*",
mount options=(rprivate) -> "/tmp/.snap/usr/local/share/",
umount "/tmp/.snap/usr/local/share/",
mount options=(rprivate) -> "/usr/local/share/",
mount options=(rprivate) -> "/usr/local/share/*",
mount options=(rprivate) -> "/usr/local/share/*/",
umount "/usr/local/share/",
umount "/usr/local/share/*",
umount "/usr/local/share/*/",
# .. variant with mimic at /usr/local/share/doc/
"/usr/local/share/doc/" r,
"/tmp/.snap/usr/local/share/doc/" rw,
mount options=(rbind, rw) "/usr/local/share/doc/" -> "/tmp/.snap/usr/local/share/doc/",
mount fstype=tmpfs options=(rw) tmpfs -> "/usr/local/share/doc/",
"/tmp/.snap/usr/local/share/doc/*/" rw,
"/usr/local/share/doc/*/" rw,
mount options=(rbind, rw) "/tmp/.snap/usr/local/share/doc/*/" -> "/usr/local/share/doc/*/",
"/tmp/.snap/usr/local/share/doc/*" rw,
"/usr/local/share/doc/*" rw,
mount options=(bind, rw) "/tmp/.snap/usr/local/share/doc/*" -> "/usr/local/share/doc/*",
mount options=(rprivate) -> "/tmp/.snap/usr/local/share/doc/",
umount "/tmp/.snap/usr/local/share/doc/",
mount options=(rprivate) -> "/usr/local/share/doc/",
mount options=(rprivate) -> "/usr/local/share/doc/*",
mount options=(rprivate) -> "/usr/local/share/doc/*/",
umount "/usr/local/share/doc/",
umount "/usr/local/share/doc/*",
umount "/usr/local/share/doc/*/",
# Layout /etc/dpkg/dpkg.cfg: bind-file $SNAP/etc/dpkg/dpkg.cfg
# NOTE: $SNAP has been expanded with the snap revision (406) baked in, so the
# layout rules from here on only match that revision's paths.
mount options=(bind, rw) "/snap/canonical-livepatch/406/etc/dpkg/dpkg.cfg" -> "/etc/dpkg/dpkg.cfg",
mount options=(rprivate) -> "/etc/dpkg/dpkg.cfg",
umount "/etc/dpkg/dpkg.cfg",
# Writable mimic /etc/dpkg
# .. variant with mimic at /etc/
# This variant allows a tmpfs over /etc/ itself -- presumably for the case
# where /etc/dpkg/ does not yet exist and the mimic has to be built one level
# up. As with the other mimics this is scoped to the namespace being built.
"/etc/" r,
"/tmp/.snap/etc/" rw,
mount options=(rbind, rw) "/etc/" -> "/tmp/.snap/etc/",
mount fstype=tmpfs options=(rw) tmpfs -> "/etc/",
"/tmp/.snap/etc/*/" rw,
"/etc/*/" rw,
mount options=(rbind, rw) "/tmp/.snap/etc/*/" -> "/etc/*/",
"/tmp/.snap/etc/*" rw,
"/etc/*" rw,
mount options=(bind, rw) "/tmp/.snap/etc/*" -> "/etc/*",
mount options=(rprivate) -> "/tmp/.snap/etc/",
umount "/tmp/.snap/etc/",
mount options=(rprivate) -> "/etc/",
mount options=(rprivate) -> "/etc/*",
mount options=(rprivate) -> "/etc/*/",
umount "/etc/",
umount "/etc/*",
umount "/etc/*/",
# .. variant with mimic at /etc/dpkg/
"/etc/dpkg/" r,
"/tmp/.snap/etc/dpkg/" rw,
mount options=(rbind, rw) "/etc/dpkg/" -> "/tmp/.snap/etc/dpkg/",
mount fstype=tmpfs options=(rw) tmpfs -> "/etc/dpkg/",
"/tmp/.snap/etc/dpkg/*/" rw,
"/etc/dpkg/*/" rw,
mount options=(rbind, rw) "/tmp/.snap/etc/dpkg/*/" -> "/etc/dpkg/*/",
"/tmp/.snap/etc/dpkg/*" rw,
"/etc/dpkg/*" rw,
mount options=(bind, rw) "/tmp/.snap/etc/dpkg/*" -> "/etc/dpkg/*",
mount options=(rprivate) -> "/tmp/.snap/etc/dpkg/",
umount "/tmp/.snap/etc/dpkg/",
mount options=(rprivate) -> "/etc/dpkg/",
mount options=(rprivate) -> "/etc/dpkg/*",
mount options=(rprivate) -> "/etc/dpkg/*/",
umount "/etc/dpkg/",
umount "/etc/dpkg/*",
umount "/etc/dpkg/*/",
# Writable mimic /snap/canonical-livepatch/406/etc/dpkg
# The source side of the layout may need a mimic too, in case the snap's
# own tree lacks the directory being bound from.
"/snap/" r,
"/snap/canonical-livepatch/" r,
# .. variant with mimic at /snap/canonical-livepatch/406/
"/snap/canonical-livepatch/406/" r,
"/tmp/.snap/snap/canonical-livepatch/406/" rw,
mount options=(rbind, rw) "/snap/canonical-livepatch/406/" -> "/tmp/.snap/snap/canonical-livepatch/406/",
mount fstype=tmpfs options=(rw) tmpfs -> "/snap/canonical-livepatch/406/",
"/tmp/.snap/snap/canonical-livepatch/406/*/" rw,
"/snap/canonical-livepatch/406/*/" rw,
mount options=(rbind, rw) "/tmp/.snap/snap/canonical-livepatch/406/*/" -> "/snap/canonical-livepatch/406/*/",
"/tmp/.snap/snap/canonical-livepatch/406/*" rw,
"/snap/canonical-livepatch/406/*" rw,
mount options=(bind, rw) "/tmp/.snap/snap/canonical-livepatch/406/*" -> "/snap/canonical-livepatch/406/*",
mount options=(rprivate) -> "/tmp/.snap/snap/canonical-livepatch/406/",
umount "/tmp/.snap/snap/canonical-livepatch/406/",
mount options=(rprivate) -> "/snap/canonical-livepatch/406/",
mount options=(rprivate) -> "/snap/canonical-livepatch/406/*",
mount options=(rprivate) -> "/snap/canonical-livepatch/406/*/",
umount "/snap/canonical-livepatch/406/",
umount "/snap/canonical-livepatch/406/*",
umount "/snap/canonical-livepatch/406/*/",
# .. variant with mimic at /snap/canonical-livepatch/406/etc/
"/snap/canonical-livepatch/406/etc/" r,
"/tmp/.snap/snap/canonical-livepatch/406/etc/" rw,
mount options=(rbind, rw) "/snap/canonical-livepatch/406/etc/" -> "/tmp/.snap/snap/canonical-livepatch/406/etc/",
mount fstype=tmpfs options=(rw) tmpfs -> "/snap/canonical-livepatch/406/etc/",
"/tmp/.snap/snap/canonical-livepatch/406/etc/*/" rw,
"/snap/canonical-livepatch/406/etc/*/" rw,
mount options=(rbind, rw) "/tmp/.snap/snap/canonical-livepatch/406/etc/*/" -> "/snap/canonical-livepatch/406/etc/*/",
"/tmp/.snap/snap/canonical-livepatch/406/etc/*" rw,
"/snap/canonical-livepatch/406/etc/*" rw,
mount options=(bind, rw) "/tmp/.snap/snap/canonical-livepatch/406/etc/*" -> "/snap/canonical-livepatch/406/etc/*",
mount options=(rprivate) -> "/tmp/.snap/snap/canonical-livepatch/406/etc/",
umount "/tmp/.snap/snap/canonical-livepatch/406/etc/",
mount options=(rprivate) -> "/snap/canonical-livepatch/406/etc/",
mount options=(rprivate) -> "/snap/canonical-livepatch/406/etc/*",
mount options=(rprivate) -> "/snap/canonical-livepatch/406/etc/*/",
umount "/snap/canonical-livepatch/406/etc/",
umount "/snap/canonical-livepatch/406/etc/*",
umount "/snap/canonical-livepatch/406/etc/*/",
# .. variant with mimic at /snap/canonical-livepatch/406/etc/dpkg/
"/snap/canonical-livepatch/406/etc/dpkg/" r,
"/tmp/.snap/snap/canonical-livepatch/406/etc/dpkg/" rw,
mount options=(rbind, rw) "/snap/canonical-livepatch/406/etc/dpkg/" -> "/tmp/.snap/snap/canonical-livepatch/406/etc/dpkg/",
mount fstype=tmpfs options=(rw) tmpfs -> "/snap/canonical-livepatch/406/etc/dpkg/",
"/tmp/.snap/snap/canonical-livepatch/406/etc/dpkg/*/" rw,
"/snap/canonical-livepatch/406/etc/dpkg/*/" rw,
mount options=(rbind, rw) "/tmp/.snap/snap/canonical-livepatch/406/etc/dpkg/*/" -> "/snap/canonical-livepatch/406/etc/dpkg/*/",
"/tmp/.snap/snap/canonical-livepatch/406/etc/dpkg/*" rw,
"/snap/canonical-livepatch/406/etc/dpkg/*" rw,
mount options=(bind, rw) "/tmp/.snap/snap/canonical-livepatch/406/etc/dpkg/*" -> "/snap/canonical-livepatch/406/etc/dpkg/*",
mount options=(rprivate) -> "/tmp/.snap/snap/canonical-livepatch/406/etc/dpkg/",
umount "/tmp/.snap/snap/canonical-livepatch/406/etc/dpkg/",
mount options=(rprivate) -> "/snap/canonical-livepatch/406/etc/dpkg/",
mount options=(rprivate) -> "/snap/canonical-livepatch/406/etc/dpkg/*",
mount options=(rprivate) -> "/snap/canonical-livepatch/406/etc/dpkg/*/",
umount "/snap/canonical-livepatch/406/etc/dpkg/",
umount "/snap/canonical-livepatch/406/etc/dpkg/*",
umount "/snap/canonical-livepatch/406/etc/dpkg/*/",
# Layout /usr/bin/dpkg: bind-file $SNAP/usr/bin/dpkg
# A bind-file layout over /usr/bin/dpkg: inside the namespace the snap's own
# dpkg binary is what resolves at that path.
mount options=(bind, rw) "/snap/canonical-livepatch/406/usr/bin/dpkg" -> "/usr/bin/dpkg",
mount options=(rprivate) -> "/usr/bin/dpkg",
umount "/usr/bin/dpkg",
# Writable mimic /usr/bin
# .. variant with mimic at /usr/
# ("/usr/" r was already granted above, so only the scratch path is new here.)
"/tmp/.snap/usr/" rw,
mount options=(rbind, rw) "/usr/" -> "/tmp/.snap/usr/",
mount fstype=tmpfs options=(rw) tmpfs -> "/usr/",
"/tmp/.snap/usr/*/" rw,
"/usr/*/" rw,
mount options=(rbind, rw) "/tmp/.snap/usr/*/" -> "/usr/*/",
"/tmp/.snap/usr/*" rw,
"/usr/*" rw,
mount options=(bind, rw) "/tmp/.snap/usr/*" -> "/usr/*",
mount options=(rprivate) -> "/tmp/.snap/usr/",
umount "/tmp/.snap/usr/",
mount options=(rprivate) -> "/usr/",
mount options=(rprivate) -> "/usr/*",
mount options=(rprivate) -> "/usr/*/",
umount "/usr/",
umount "/usr/*",
umount "/usr/*/",
# .. variant with mimic at /usr/bin/
"/usr/bin/" r,
"/tmp/.snap/usr/bin/" rw,
mount options=(rbind, rw) "/usr/bin/" -> "/tmp/.snap/usr/bin/",
mount fstype=tmpfs options=(rw) tmpfs -> "/usr/bin/",
"/tmp/.snap/usr/bin/*/" rw,
"/usr/bin/*/" rw,
mount options=(rbind, rw) "/tmp/.snap/usr/bin/*/" -> "/usr/bin/*/",
"/tmp/.snap/usr/bin/*" rw,
"/usr/bin/*" rw,
mount options=(bind, rw) "/tmp/.snap/usr/bin/*" -> "/usr/bin/*",
mount options=(rprivate) -> "/tmp/.snap/usr/bin/",
umount "/tmp/.snap/usr/bin/",
mount options=(rprivate) -> "/usr/bin/",
mount options=(rprivate) -> "/usr/bin/*",
mount options=(rprivate) -> "/usr/bin/*/",
umount "/usr/bin/",
umount "/usr/bin/*",
umount "/usr/bin/*/",
# Writable mimic /snap/canonical-livepatch/406/usr/bin
# .. variant with mimic at /snap/canonical-livepatch/406/usr/
"/snap/canonical-livepatch/406/usr/" r,
"/tmp/.snap/snap/canonical-livepatch/406/usr/" rw,
mount options=(rbind, rw) "/snap/canonical-livepatch/406/usr/" -> "/tmp/.snap/snap/canonical-livepatch/406/usr/",
mount fstype=tmpfs options=(rw) tmpfs -> "/snap/canonical-livepatch/406/usr/",
"/tmp/.snap/snap/canonical-livepatch/406/usr/*/" rw,
"/snap/canonical-livepatch/406/usr/*/" rw,
mount options=(rbind, rw) "/tmp/.snap/snap/canonical-livepatch/406/usr/*/" -> "/snap/canonical-livepatch/406/usr/*/",
"/tmp/.snap/snap/canonical-livepatch/406/usr/*" rw,
"/snap/canonical-livepatch/406/usr/*" rw,
mount options=(bind, rw) "/tmp/.snap/snap/canonical-livepatch/406/usr/*" -> "/snap/canonical-livepatch/406/usr/*",
mount options=(rprivate) -> "/tmp/.snap/snap/canonical-livepatch/406/usr/",
umount "/tmp/.snap/snap/canonical-livepatch/406/usr/",
mount options=(rprivate) -> "/snap/canonical-livepatch/406/usr/",
mount options=(rprivate) -> "/snap/canonical-livepatch/406/usr/*",
mount options=(rprivate) -> "/snap/canonical-livepatch/406/usr/*/",
umount "/snap/canonical-livepatch/406/usr/",
umount "/snap/canonical-livepatch/406/usr/*",
umount "/snap/canonical-livepatch/406/usr/*/",
# .. variant with mimic at /snap/canonical-livepatch/406/usr/bin/
"/snap/canonical-livepatch/406/usr/bin/" r,
"/tmp/.snap/snap/canonical-livepatch/406/usr/bin/" rw,
mount options=(rbind, rw) "/snap/canonical-livepatch/406/usr/bin/" -> "/tmp/.snap/snap/canonical-livepatch/406/usr/bin/",
mount fstype=tmpfs options=(rw) tmpfs -> "/snap/canonical-livepatch/406/usr/bin/",
"/tmp/.snap/snap/canonical-livepatch/406/usr/bin/*/" rw,
"/snap/canonical-livepatch/406/usr/bin/*/" rw,
mount options=(rbind, rw) "/tmp/.snap/snap/canonical-livepatch/406/usr/bin/*/" -> "/snap/canonical-livepatch/406/usr/bin/*/",
"/tmp/.snap/snap/canonical-livepatch/406/usr/bin/*" rw,
"/snap/canonical-livepatch/406/usr/bin/*" rw,
mount options=(bind, rw) "/tmp/.snap/snap/canonical-livepatch/406/usr/bin/*" -> "/snap/canonical-livepatch/406/usr/bin/*",
mount options=(rprivate) -> "/tmp/.snap/snap/canonical-livepatch/406/usr/bin/",
umount "/tmp/.snap/snap/canonical-livepatch/406/usr/bin/",
mount options=(rprivate) -> "/snap/canonical-livepatch/406/usr/bin/",
mount options=(rprivate) -> "/snap/canonical-livepatch/406/usr/bin/*",
mount options=(rprivate) -> "/snap/canonical-livepatch/406/usr/bin/*/",
umount "/snap/canonical-livepatch/406/usr/bin/",
umount "/snap/canonical-livepatch/406/usr/bin/*",
umount "/snap/canonical-livepatch/406/usr/bin/*/",
# Layout /usr/share/dpkg: bind $SNAP/usr/share/dpkg
# Directory layout (rbind rather than bind-file): the whole snap-provided
# /usr/share/dpkg/ tree is what appears at that path in the namespace.
mount options=(rbind, rw) "/snap/canonical-livepatch/406/usr/share/dpkg/" -> "/usr/share/dpkg/",
mount options=(rprivate) -> "/usr/share/dpkg/",
umount "/usr/share/dpkg/",
# Writable mimic /usr/share
# (No rules follow this heading: the /usr/share/ mimic rules were already
# emitted in the /usr/share/cups section above and are not repeated.)
# Writable mimic /snap/canonical-livepatch/406/usr/share
# .. variant with mimic at /snap/canonical-livepatch/406/usr/share/
"/snap/canonical-livepatch/406/usr/share/" r,
"/tmp/.snap/snap/canonical-livepatch/406/usr/share/" rw,
mount options=(rbind, rw) "/snap/canonical-livepatch/406/usr/share/" -> "/tmp/.snap/snap/canonical-livepatch/406/usr/share/",
mount fstype=tmpfs options=(rw) tmpfs -> "/snap/canonical-livepatch/406/usr/share/",
"/tmp/.snap/snap/canonical-livepatch/406/usr/share/*/" rw,
"/snap/canonical-livepatch/406/usr/share/*/" rw,
mount options=(rbind, rw) "/tmp/.snap/snap/canonical-livepatch/406/usr/share/*/" -> "/snap/canonical-livepatch/406/usr/share/*/",
"/tmp/.snap/snap/canonical-livepatch/406/usr/share/*" rw,
"/snap/canonical-livepatch/406/usr/share/*" rw,
mount options=(bind, rw) "/tmp/.snap/snap/canonical-livepatch/406/usr/share/*" -> "/snap/canonical-livepatch/406/usr/share/*",
mount options=(rprivate) -> "/tmp/.snap/snap/canonical-livepatch/406/usr/share/",
umount "/tmp/.snap/snap/canonical-livepatch/406/usr/share/",
mount options=(rprivate) -> "/snap/canonical-livepatch/406/usr/share/",
mount options=(rprivate) -> "/snap/canonical-livepatch/406/usr/share/*",
mount options=(rprivate) -> "/snap/canonical-livepatch/406/usr/share/*/",
umount "/snap/canonical-livepatch/406/usr/share/",
umount "/snap/canonical-livepatch/406/usr/share/*",
umount "/snap/canonical-livepatch/406/usr/share/*/",
}