snap install
manpage
執行
$ man snap可以找到一段說明
COMMANDS
...略...
install
Install a snap to the system
The install command installs and activates the named snap in the system.
Usage: snap install [install-OPTIONS]
--channel
Install from this channel instead of the device's default
--devmode
Install the snap with non-enforcing securityhelp
執行
$ snap -h可以找到一段說明
Usage:
snap [OPTIONS] <command>
Help Options:
-h, --help Show this help message
Available commands:
...略...
install Install a snap to the system執行
$ snap install -h或是執行
$ snap install --help則會顯示
Usage:
snap [OPTIONS] install [install-OPTIONS] <snap>
The install command installs and activates the named snap in the system.
Help Options:
-h, --help Show this help message
[install command options]
--channel= Install from this channel instead of the device's default
--devmode Install the snap with non-enforcing security指令範例
執行
$ snap install顯示
error: the required argument `<snap>` was not provided執行
$ sudo snap install hello-world會有安裝的動態
執行
$ snap list顯示
Name Version Developer
hello-world 6.0 canonical
ubuntu-core 16.04+20160419.20-55 canonical在一次執行
$ sudo snap install hello-world顯示
error: can't install "hello-world": snap "hello-world" already installed探索
執行
$ whereis hello-world顯示
hello-world: /snap/bin/hello-world.sh /snap/bin/hello-world.usehw /snap/bin/hello-world.env /snap/bin/hello-world.echo /snap/bin/hello-world.showdev /snap/bin/hello-world.evil探索 /snap/
執行
ls /snap/ -1顯示
bin
hello-world
ubuntu-core探索 /snap/bin
執行
$ tree /snap/bin顯示
/snap/bin
├── hello-world.echo
├── hello-world.env
├── hello-world.evil
├── hello-world.sh
├── hello-world.showdev
└── hello-world.usehw
0 directories, 6 files執行
$ hello-world.echo顯示
Hello World!探索 /etc/profile.d/apps-bin-path.sh
執行
$ cat /etc/profile.d/apps-bin-path.sh顯示
# Expand the $PATH to include /snaps/bin which is what snappy applications
# use
PATH=$PATH:/snap/bin探索 /snap/hello-world
執行
$ tree /snap/hello-world/顯示
/snap/hello-world/
├── 25
│ ├── bin
│ │ ├── echo
│ │ ├── env
│ │ ├── evil
│ │ ├── sh
│ │ ├── showdev
│ │ └── usehw
│ └── meta
│ ├── icon.png
│ └── snap.yaml
└── current -> 25
4 directories, 8 files探索 /snap/hello-world/current/meta/snap.yaml
執行
$ cat /snap/hello-world/current/meta/snap.yaml顯示
name: hello-world
version: 6.0
architectures: [ all ]
summary: The hello-world of snappy apps
description: This is a simple hello world example that includes a
interesting apps to play with snappy and the sandboxing in snappy
hello-world.echo - simply output text
hello-world.env - dump the env of commands run inside app sandbox
hello-world.evil - show how snappy prevents apps to do stuff outside their sandbox
hello-world.showdev - depreated - will be replaced with skills
hello-world.usehw - depreated - will be replaced with skills example
hello-world.sh - enter interactive shell that runs in app sandbox
apps:
echo:
command: bin/echo
env:
command: bin/env
evil:
command: bin/evil
showdev:
command: bin/showdev
usehw:
command: bin/usehw
sh:
command: bin/sh探索 /snap/hello-world/current/bin/echo
執行
$ cat /snap/hello-world/current/bin/echo顯示
#!/bin/sh
echo "Hello World!"探索 /snap/hello-world/current/bin/env
執行
$ cat /snap/hello-world/current/bin/env顯示
#!/bin/bash
/usr/bin/env探索 /snap/hello-world/current/bin/evil
執行
$ cat /snap/hello-world/current/bin/evil顯示
#!/bin/sh
set -e
echo "Hello Evil World!"
echo "This example demonstrates the app confinement"
echo "You should see a permission denied error next"
echo "Haha" > /var/tmp/myevil.txt
echo "If you see this line the confinement is not working correctly, please file a bug"探索 /snap/hello-world/current/bin/sh
執行
$ cat /snap/hello-world/current/bin/sh顯示
#!/bin/bash
cat <<EOM
Launching a shell inside the default app confinement. Navigate to your
app-specific directories with:
$ cd \$SNAP
$ cd \$SNAP_DATA
$ cd \$SNAP_USER_DATA
EOM
/bin/bash --norc -i探索 /snap/hello-world/current/bin/showdev
執行
$ cat /snap/hello-world/current/bin/showdev顯示
#!/bin/sh
# show the view on the /dev/ system of an app
args=$@
test -z "$args" && findargs=/dev/
test -n "$args" && findargs=$args
echo "Hello /dev World: Here is what I can see with 'find $findargs'"
find $findargs
APPNAME=`echo $SNAP | cut -f 3 -d '/'`
echo ""
echo "Here is hardware that has been assigned to me ($APPNAME):"
udevadm trigger --verbose --dry-run --tag-match=snappy-assign --property-match=SNAPPY_APP="$APPNAME"探索 /snap/hello-world/current/bin/showdev
執行
$ cat /snap/hello-world/current/bin/showdev顯示
#!/bin/sh
set -e
echo "Hello hw-assign world!"
echo "This example demonstrates the app confinement for assigned hardware"
echo ""
APPNAME=`echo $SNAP | cut -f 3 -d '/'`
if [ -z "$APPNAME" ]; then
echo "Could not determine application name."
exit 1
fi
hw=`udevadm trigger --verbose --dry-run --tag-match=snappy-assign --property-match=SNAPPY_APP="$APPNAME" | grep kmsg || true`
if [ -z "$hw" ]; then
echo "No hardware is assigned for this device. Try adding /dev/kmsg with:"
echo " $ sudo snappy hw-assign $APPNAME /dev/kmsg"
else
echo "Good, '$hw' is assigned to us."
echo "Now try to read a line from /dev/kmsg:"
head -1 /dev/kmsg
echo ""
echo "It worked!"
fi探索 /var/snap
執行
$ tree /var/snap顯示
/var/snap
├── hello-world
│ ├── 25
│ └── current -> 25
└── ubuntu-core
├── 109
└── current -> 109
6 directories, 0 files探索 /var/lib/snapd/
執行
$ tree /var/lib/snapd/顯示
/var/lib/snapd/
├── apparmor
│ ├── additional
│ └── profiles
│ ├── snap.hello-world.echo
│ ├── snap.hello-world.env
│ ├── snap.hello-world.evil
│ ├── snap.hello-world.sh
│ ├── snap.hello-world.showdev
│ └── snap.hello-world.usehw
├── assertions
│ ├── asserts-v0
│ └── private-keys-v0
├── desktop
│ └── applications
├── lib
│ └── gl
├── seccomp
│ └── profiles
│ ├── snap.hello-world.echo
│ ├── snap.hello-world.env
│ ├── snap.hello-world.evil
│ ├── snap.hello-world.sh
│ ├── snap.hello-world.showdev
│ └── snap.hello-world.usehw
├── snaps
│ ├── hello-world_25.snap
│ └── ubuntu-core_109.snap
└── state.json
13 directories, 15 files探索 /var/lib/snapd/state.json
執行
$ sudo less /var/lib/snapd/state.json探索 /var/lib/snapd/apparmor/profiles/snap.hello-world.echo
執行
$ less /var/lib/snapd/apparmor/profiles/snap.hello-world.echo顯示
# Description: Allows access to app-specific directories and basic runtime
# Usage: common
# vim:syntax=apparmor
#include <tunables/global>
@{APP_NAME}="echo"
@{SNAP_NAME}="hello-world"
@{SNAP_REVISION}="25"
@{INSTALL_DIR}="/snap"
profile "snap.hello-world.echo" (attach_disconnected) {
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/openssl>
# for python apps/services
#include <abstractions/python>
/usr/bin/python{,2,2.[0-9]*,3,3.[0-9]*} ixr,
deny /usr/lib/python3*/{,**/}__pycache__/ w, # noisy
deny /usr/lib/python3*/{,**/}__pycache__/**.pyc.[0-9]* w,
# for perl apps/services
#include <abstractions/perl>
/usr/bin/perl{,5*} ixr,
# TODO: we must remove these since things like 'container-management' will be
# broken if we have explicit denies. However, the development tools need to be
# clear that these can't be allowed.
# Explicitly deny ptrace for now since it can be abused to break out of the
# seccomp sandbox. https://lkml.org/lkml/2015/3/18/823
# audit deny ptrace (trace),
# Explicitly deny capability mknod so apps can't create devices
# audit deny capability mknod,
# Explicitly deny mount, remount and umount so apps can't modify things in
# their namespace
# audit deny mount,
# audit deny remount,
# audit deny umount,
# for bash 'binaries' (do *not* use abstractions/bash)
# user-specific bash files
/bin/bash ixr,
/bin/dash ixr,
/etc/bash.bashrc r,
/etc/{passwd,group,nsswitch.conf} r, # very common
/etc/libnl-3/{classid,pktloc} r, # apps that use libnl
/var/lib/extrausers/{passwd,group} r,
/etc/profile r,
/usr/share/terminfo/** r,
/etc/inputrc r,
deny @{HOME}/.inputrc r,
# Common utilities for shell scripts
/{,usr/}bin/{,g,m}awk ixr,
/{,usr/}bin/basename ixr,
/{,usr/}bin/bunzip2 ixr,
/{,usr/}bin/bzcat ixr,
/{,usr/}bin/bzdiff ixr,
/{,usr/}bin/bzgrep ixr,
/{,usr/}bin/bzip2 ixr,
/{,usr/}bin/cat ixr,
/{,usr/}bin/chmod ixr,
/{,usr/}bin/cmp ixr,
/{,usr/}bin/cp ixr,
/{,usr/}bin/cpio ixr,
/{,usr/}bin/cut ixr,
/{,usr/}bin/date ixr,
/{,usr/}bin/dd ixr,
/{,usr/}bin/diff{,3} ixr,
/{,usr/}bin/dir ixr,
/{,usr/}bin/dirname ixr,
/{,usr/}bin/echo ixr,
/{,usr/}bin/{,e,f,r}grep ixr,
/{,usr/}bin/env ixr,
/{,usr/}bin/expr ixr,
/{,usr/}bin/false ixr,
/{,usr/}bin/find ixr,
/{,usr/}bin/fmt ixr,
/{,usr/}bin/getopt ixr,
/{,usr/}bin/groups ixr,
/{,usr/}bin/gzip ixr,
/{,usr/}bin/head ixr,
/{,usr/}bin/hostname ixr,
/{,usr/}bin/id ixr,
/{,usr/}bin/igawk ixr,
/{,usr/}bin/kill ixr,
/{,usr/}bin/ldd ixr,
/{,usr/}bin/less{,file,pipe} ixr,
/{,usr/}bin/ln ixr,
/{,usr/}bin/line ixr,
/{,usr/}bin/link ixr,
/{,usr/}bin/logger ixr,
/{,usr/}bin/ls ixr,
/{,usr/}bin/md5sum ixr,
/{,usr/}bin/mkdir ixr,
/{,usr/}bin/mktemp ixr,
/{,usr/}bin/more ixr,
/{,usr/}bin/mv ixr,
/{,usr/}bin/openssl ixr, # may cause harmless capability block_suspend denial
/{,usr/}bin/pgrep ixr,
/{,usr/}bin/printenv ixr,
/{,usr/}bin/printf ixr,
/{,usr/}bin/ps ixr,
/{,usr/}bin/pwd ixr,
/{,usr/}bin/readlink ixr,
/{,usr/}bin/realpath ixr,
/{,usr/}bin/rev ixr,
/{,usr/}bin/rm ixr,
/{,usr/}bin/rmdir ixr,
/{,usr/}bin/sed ixr,
/{,usr/}bin/seq ixr,
/{,usr/}bin/sleep ixr,
/{,usr/}bin/sort ixr,
/{,usr/}bin/stat ixr,
/{,usr/}bin/tac ixr,
/{,usr/}bin/tail ixr,
/{,usr/}bin/tar ixr,
/{,usr/}bin/tee ixr,
/{,usr/}bin/test ixr,
/{,usr/}bin/tempfile ixr,
/{,usr/}bin/tset ixr,
/{,usr/}bin/touch ixr,
/{,usr/}bin/tr ixr,
/{,usr/}bin/true ixr,
/{,usr/}bin/uname ixr,
/{,usr/}bin/uniq ixr,
/{,usr/}bin/unlink ixr,
/{,usr/}bin/unxz ixr,
/{,usr/}bin/unzip ixr,
/{,usr/}bin/vdir ixr,
/{,usr/}bin/wc ixr,
/{,usr/}bin/which ixr,
/{,usr/}bin/xargs ixr,
/{,usr/}bin/xz ixr,
/{,usr/}bin/yes ixr,
/{,usr/}bin/zcat ixr,
/{,usr/}bin/z{,e,f}grep ixr,
/{,usr/}bin/zip ixr,
/{,usr/}bin/zipgrep ixr,
# uptime
/{,usr/}bin/uptime ixr,
@{PROC}/uptime r,
@{PROC}/loadavg r,
# this is an information leak
deny /{,var/}run/utmp r,
# java
@{PROC}/@{pid}/ r,
@{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/auxv r,
@{PROC}/@{pid}/version_signature r,
@{PROC}/@{pid}/version r,
@{PROC}/sys/vm/zone_reclaim_mode r,
/etc/lsb-release r,
/sys/devices/**/read_ahead_kb r,
/sys/devices/system/cpu/** r,
/sys/kernel/mm/transparent_hugepage/enabled r,
/sys/kernel/mm/transparent_hugepage/defrag r,
# NOTE: this leaks running process and java seems to want it, but operates
# ok without it. Deny for now to silence the denial but we could allow
# owner match until AppArmor kernel var is available to solve this properly.
deny @{PROC}/@{pid}/cmdline r,
#owner @{PROC}/@{pid}/cmdline r,
# Miscellaneous accesses
/etc/mime.types r,
@{PROC}/ r,
/etc/{,writable/}hostname r,
/etc/{,writable/}localtime r,
/etc/{,writable/}timezone r,
@{PROC}/@{pid}/stat r,
@{PROC}/@{pid}/statm r,
@{PROC}/@{pid}/status r,
@{PROC}/sys/kernel/hostname r,
@{PROC}/sys/kernel/osrelease r,
@{PROC}/sys/fs/file-max r,
@{PROC}/sys/kernel/pid_max r,
@{PROC}/sys/kernel/random/uuid r,
# Eases hardware assignment (doesn't give anything away)
/etc/udev/udev.conf r,
/sys/ r,
/sys/bus/ r,
/sys/class/ r,
# this leaks interface names and stats, but not in a way that is traceable
# to the user/device
@{PROC}/net/dev r,
# Read-only for the install directory
@{INSTALL_DIR}/@{SNAP_NAME}/ r,
@{INSTALL_DIR}/@{SNAP_NAME}/@{SNAP_REVISION}/ r,
@{INSTALL_DIR}/@{SNAP_NAME}/@{SNAP_REVISION}/** mrklix,
# Don't log noisy python denials (see LP: #1496895 for more details)
deny @{INSTALL_DIR}/@{SNAP_NAME}/**/__pycache__/ w,
deny @{INSTALL_DIR}/@{SNAP_NAME}/**/__pycache__/*.pyc.[0-9]* w,
# Read-only home area for other versions
owner @{HOME}/snap/@{SNAP_NAME}/ r,
owner @{HOME}/snap/@{SNAP_NAME}/** mrkix,
# Writable home area for this version.
owner @{HOME}/snap/@{SNAP_NAME}/@{SNAP_REVISION}/** wl,
# Read-only system area for other versions
/var/snap/@{SNAP_NAME}/ r,
/var/snap/@{SNAP_NAME}/** mrkix,
# Writable system area only for this version
/var/snap/@{SNAP_NAME}/@{SNAP_REVISION}/** wl,
# The ubuntu-core-launcher creates an app-specific private restricted /tmp
# and will fail to launch the app if something goes wrong. As such, we can
# simply allow full access to /tmp.
/tmp/ r,
/tmp/** mrwlkix,
# Also do the same for shm
/{dev,run}/shm/snap/@{SNAP_NAME}/ r,
/{dev,run}/shm/snap/@{SNAP_NAME}/** rk,
/{dev,run}/shm/snap/@{SNAP_NAME}/@{SNAP_REVISION}/ r,
/{dev,run}/shm/snap/@{SNAP_NAME}/@{SNAP_REVISION}/** mrwlkix,
# Allow apps from the same package to communicate with each other via an
# abstract or anonymous socket
unix peer=(label=snap.@{SNAP_NAME}.*),
# Allow apps from the same package to signal each other via signals
signal peer=snap.@{SNAP_NAME}.*,
# for 'udevadm trigger --verbose --dry-run --tag-match=snappy-assign'
/{,s}bin/udevadm ixr,
/etc/udev/udev.conf r,
/{,var/}run/udev/tags/snappy-assign/ r,
@{PROC}/cmdline r,
/sys/devices/**/uevent r,
# LP: #1447237: adding '--property-match=SNAPPY_APP=<pkgname>' to the above
# requires:
# /run/udev/data/* r,
# but that reveals too much about the system and cannot be granted to apps
# by default at this time.
# For convenience, allow apps to see what is in /dev even though cgroups
# will block most access
/dev/ r,
/dev/**/ r,
# Do the same with /sys/devices and /sys/class to help people using hw-assign
/sys/devices/ r,
/sys/devices/**/ r,
/sys/class/ r,
/sys/class/**/ r,
}探索 /var/lib/snapd/seccomp/profiles/snap.hello-world.echo
執行
$ less /var/lib/snapd/seccomp/profiles/snap.hello-world.echo顯示
# Description: Allows access to app-specific directories and basic runtime
# Usage: common
#
# Dangerous syscalls that we don't ever want to allow
# kexec
deny kexec_load
# kernel modules
deny create_module
deny init_module
deny finit_module
deny delete_module
# these have a history of vulnerabilities, are not widely used, and
# open_by_handle_at has been used to break out of docker containers by brute
# forcing the handle value: http://stealth.openwall.net/xSports/shocker.c
deny name_to_handle_at
deny open_by_handle_at
# Explicitly deny ptrace since it can be abused to break out of the seccomp
# sandbox
deny ptrace
# Explicitly deny capability mknod so apps can't create devices
deny mknod
deny mknodat
# Explicitly deny (u)mount so apps can't change mounts in their namespace
deny mount
deny umount
deny umount2
# Explicitly deny kernel keyring access
deny add_key
deny keyctl
deny request_key
# end dangerous syscalls
access
faccessat
alarm
brk
# ARM private syscalls
breakpoint
cacheflush
set_tls
usr26
usr32
capget
# AppArmor mediates capabilities, so allow capset (useful for apps that for
# example want to drop capabilities)
capset
chdir
fchdir
# We can't effectively block file perms due to open() with O_CREAT, so allow
# chmod until we have syscall arg filtering (LP: #1446748)
chmod
fchmod
fchmodat
# snappy doesn't currently support per-app UID/GIDs so don't allow chown. To
# properly support chown, we need to have syscall arg filtering (LP: #1446748)
# and per-app UID/GIDs.
#chown
#chown32
#fchown
#fchown32
#fchownat
#lchown
#lchown32
clock_getres
clock_gettime
clock_nanosleep
clone
close
creat
dup
dup2
dup3
epoll_create
epoll_create1
epoll_ctl
epoll_ctl_old
epoll_pwait
epoll_wait
epoll_wait_old
eventfd
eventfd2
execve
execveat
_exit
exit
exit_group
fallocate
# requires CAP_SYS_ADMIN
#fanotify_init
#fanotify_mark
fcntl
fcntl64
flock
fork
ftime
futex
get_mempolicy
get_robust_list
get_thread_area
getcpu
getcwd
getdents
getdents64
getegid
getegid32
geteuid
geteuid32
getgid
getgid32
getgroups
getgroups32
getitimer
getpgid
getpgrp
getpid
getppid
getpriority
getrandom
getresgid
getresgid32
getresuid
getresuid32
getrlimit
ugetrlimit
getrusage
getsid
gettid
gettimeofday
getuid
getuid32
getxattr
fgetxattr
lgetxattr
inotify_add_watch
inotify_init
inotify_init1
inotify_rm_watch
# Needed by shell
ioctl
io_cancel
io_destroy
io_getevents
io_setup
io_submit
ioprio_get
# affects other processes, requires CAP_SYS_ADMIN. Potentially allow with
# syscall filtering of (at least) IOPRIO_WHO_USER (LP: #1446748)
#ioprio_set
ipc
kill
link
linkat
listxattr
llistxattr
flistxattr
lseek
llseek
_llseek
lstat
lstat64
madvise
fadvise64
fadvise64_64
arm_fadvise64_64
mbarrier
mbind
mincore
mkdir
mkdirat
mlock
mlockall
mmap
mmap2
mprotect
# LP: #1448184 - these aren't currently mediated by AppArmor. Deny for now
#mq_getsetattr
#mq_notify
#mq_open
#mq_timedreceive
#mq_timedsend
#mq_unlink
mremap
msgctl
msgget
msgrcv
msgsnd
msync
munlock
munlockall
munmap
nanosleep
# LP: #1446748 - deny until we have syscall arg filtering. Alternatively, set
# RLIMIT_NICE hard limit for apps, launch them under an appropriate nice value
# and allow this call
#nice
# LP: #1446748 - support syscall arg filtering for mode_t with O_CREAT
open
openat
pause
pipe
pipe2
poll
ppoll
# LP: #1446748 - support syscall arg filtering
prctl
arch_prctl
read
pread
pread64
preadv
readv
readahead
readdir
readlink
readlinkat
remap_file_pages
removexattr
fremovexattr
lremovexattr
rename
renameat
renameat2
# The man page says this shouldn't be needed, but we've seen denials for it
# in the wild
restart_syscall
rmdir
rt_sigaction
rt_sigpending
rt_sigprocmask
rt_sigqueueinfo
rt_sigreturn
rt_sigsuspend
rt_sigtimedwait
rt_tgsigqueueinfo
sched_getaffinity
sched_getattr
sched_getparam
sched_get_priority_max
sched_get_priority_min
sched_getscheduler
sched_rr_get_interval
# LP: #1446748 - when support syscall arg filtering, enforce pid_t is 0 so the
# app may only change its own scheduler
sched_setscheduler
sched_yield
select
_newselect
pselect
pselect6
semctl
semget
semop
semtimedop
sendfile
sendfile64
# While we don't yet have seccomp arg filtering (LP: #1446748), we must allow
# these because the launcher drops privileges after seccomp_load(). Eventually
# we will only allow dropping to particular UIDs. For now, we mediate this with
# AppArmor
setgid
setgid32
setregid
setregid32
setresgid
setresgid32
setresuid
setresuid32
setreuid
setreuid32
setuid
setuid32
#setgroups
#setgroups32
# These break isolation but are common and can't be mediated at the seccomp
# level with arg filtering
setpgid
setpgrp
set_thread_area
setitimer
# apps don't have CAP_SYS_RESOURCE so these can't be abused to raise the hard
# limits
setrlimit
prlimit64
set_mempolicy
set_robust_list
setsid
set_tid_address
setxattr
fsetxattr
lsetxattr
shmat
shmctl
shmdt
shmget
signal
sigaction
signalfd
signalfd4
sigaltstack
sigpending
sigprocmask
sigreturn
sigsuspend
sigtimedwait
sigwaitinfo
# needed by ls -l
socket
connect
# Per man page, on Linux this is limited to only AF_UNIX so it is ok to have
# in the default template
socketpair
splice
stat
stat64
fstat
fstat64
fstatat64
lstat
newfstatat
oldfstat
oldlstat
oldstat
statfs
statfs64
fstatfs
fstatfs64
statvfs
fstatvfs
ustat
symlink
symlinkat
sync
sync_file_range
sync_file_range2
arm_sync_file_range
fdatasync
fsync
syncfs
sysinfo
syslog
tee
tgkill
time
timer_create
timer_delete
timer_getoverrun
timer_gettime
timer_settime
timerfd
timerfd_create
timerfd_gettime
timerfd_settime
times
tkill
truncate
truncate64
ftruncate
ftruncate64
umask
uname
olduname
oldolduname
unlink
unlinkat
utime
utimensat
utimes
futimesat
vfork
vmsplice
wait4
oldwait4
waitpid
waitid
write
writev
pwrite
pwrite64
pwritev