snap_browsers (1613B)
- profile snap_browsers {
- include if exists <abstractions/snap_browsers.d>
- include <abstractions/base>
- include <abstractions/dbus-session-strict>
- /etc/passwd r,
- /etc/nsswitch.conf r,
- /etc/fstab r,
- # noisy
- deny owner /run/user/[0-9]*/gdm/Xauthority r, # not needed on Ubuntu
- /{,snap/core/[0-9]*/,snap/snapd/[0-9]*/}usr/bin/snap mrix, # re-exec
- /{,snap/core/[0-9]*/,snap/snapd/[0-9]*/}usr/lib/snapd/info r,
- /{,snap/core/[0-9]*/,snap/snapd/[0-9]*/}usr/lib/snapd/snapd r,
- /{,snap/core/[0-9]*/,snap/snapd/[0-9]*/}usr/lib/snapd/snap-seccomp rPix,
- /{,snap/core/[0-9]*/,snap/snapd/[0-9]*/}usr/lib/snapd/snap-confine Pix,
- /var/lib/snapd/system-key r,
- /run/snapd.socket rw,
- @{PROC}/version r,
- @{PROC}/cmdline r,
- @{PROC}/sys/net/core/somaxconn r,
- @{PROC}/sys/kernel/seccomp/actions_avail r,
- @{PROC}/sys/kernel/random/uuid r,
- owner @{PROC}/@{pid}/cgroup r,
- owner @{PROC}/@{pid}/mountinfo r,
- owner @{HOME}/.snap/auth.json r, # if exists, required
- dbus send bus="session" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="StartTransientUnit" peer=(name="org.freedesktop.systemd1"),
- dbus receive bus="session" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="JobRemoved",
- /sys/kernel/security/apparmor/features/ r,
- # allow launching official browser snaps.
- /snap/chromium/[0-9]*/meta/{snap.yaml,hooks/} r,
- /snap/firefox/[0-9]*/meta/{snap.yaml,hooks/} r,
- /snap/opera/[0-9]*/meta/{snap.yaml,hooks/} r,
- /var/lib/snapd/sequence/{chromium,firefox,opera}.json r,
- # add other browsers here
- }