Adding custom apparmor rules
Jamie Strandboge
jamie at canonical.com
Thu Nov 12 15:26:55 UTC 2015
On 11/12/2015 07:54 AM, Darren Landoll wrote:
> I'm trying to add some apparmor rules to my snap for accessing
> additional /sys/... entries. The snap also has default rules from the
> mir_client capability, but seems to lose all of those default rules
> when I add my custom apparmor profile.
>
> Is there a good reference somewhere that I missed for how to do
> something like this?
>
On 15.04, you can add /sys/devices and /sys/class/gpio (along with /dev) via the
'snappy hw-assign' command if you are using templated policy. If you are using
custom policy you can add what you want but cannot use 'caps' with it so you'll
have to add the rules from mir_client to your custom policy.

On 16.04 this will be simplified and more useful. Notably, it will be easier to
add simple rules to templated policy and capabilities assignment will work
properly with custom policy. There is an active branch that implements this that
should land soon. Further refinements may be made to the snap.yaml as per
Gustavo's recent emails to the snappy-devel list.

Daniel, when is the 15.04 developer manual supposed to go online? It would be
really useful to reference for cases like this.

--
Jamie Strandboge http://www.ubuntu.com/