Merge profiles: add /run/snapd.socket rule for curl

This ideally is a temporary fix because we do not want to allow all users of curl to be able to access the snapd socket. However, this will work for now until we can mediate the accesses better. Fixes: LP: #2120669 Signed-off-by: Ryan Lee <ryan.lee@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1774 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>
2025-08-22 01:57:43 +00:00 · 2025-08-18 23:54:40 +00:00 · 2025-08-18 23:54:40 +00:00 · db74dda3c6
commit db74dda3c6
parent e7daccedc6 0e58e3d7fb
1 changed files with 4 additions and 0 deletions
--- a/profiles/apparmor.d/curl
+++ b/profiles/apparmor.d/curl
@ -42,6 +42,10 @@ profile curl /usr/bin/curl {
  network inet6 stream,
  network inet6 dgram,

+  # Allow access to the snap socket until we can revisit it with delegation
+  # or profile refactoring
+  file rw @{run}/snapd.socket,
+
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/curl>
 }