Diffstat (limited to 'snappy/meta')
-rw-r--r-- | snappy/meta/package.yaml | 10 | ||||
-rw-r--r-- | snappy/meta/readme.md | 2 | ||||
-rw-r--r-- | snappy/meta/walinuxagent.apparmor | 85 | ||||
-rw-r--r-- | snappy/meta/walinuxagent.seccomp | 1 |
4 files changed, 98 insertions, 0 deletions
diff --git a/snappy/meta/package.yaml b/snappy/meta/package.yaml
new file mode 100644
index 0000000..85e4835
--- /dev/null
+++ b/snappy/meta/package.yaml
@@ -0,0 +1,10 @@
+name: walinuxagent
+version: 2.1.1
+vendor: Microsoft Corporation <lizzha@microsoft.com>
+type: framework
+services:
+ - name: walinuxagent
+ start: bin/waagent.start
+ security-policy:
+ apparmor: meta/walinuxagent.apparmor
+ seccomp: meta/walinuxagent.seccomp
diff --git a/snappy/meta/readme.md b/snappy/meta/readme.md
new file mode 100644
index 0000000..33a7768
--- /dev/null
+++ b/snappy/meta/readme.md
@@ -0,0 +1,2 @@
+Microsoft Azure Linux Agent Snap Framework
+
diff --git a/snappy/meta/walinuxagent.apparmor b/snappy/meta/walinuxagent.apparmor
new file mode 100644
index 0000000..8315713
--- /dev/null
+++ b/snappy/meta/walinuxagent.apparmor
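Review bot: The `security-policy` stanza replaces the snap's default confinement template with the hand-written `meta/walinuxagent.apparmor` and `meta/walinuxagent.seccomp`, but nothing in the manifest records why the default template is insufficient, which is the first thing a store reviewer or later maintainer will ask. A comment above `security-policy:` such as `# Custom policy: the agent needs mount, module and ptrace rights the default template does not grant` (wording adjusted to the actual reason) would carry that rationale with the manifest. Separately, `vendor:` names an individual's mailbox; a team alias would survive staff changes.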
@@ -0,0 +1,85 @@
+# AppArmor confinement for waagent
+
+#include <tunables/global>
+
+# Specified profile variables
+###VAR###
+
+###PROFILEATTACH### flags=(attach_disconnected) {
+ #include <abstractions/base>
+ #include <abstractions/ssl_certs>
+ #include <abstractions/openssl>
+ #include <abstractions/python>
+
+ # Executable binaries
+ /usr/{,s}bin/* ixr,
+ /{,s}bin/* ixr,
+
+ # Capabilities
+ capability net_bind_service,
+ capability net_raw,
+ capability net_admin,
+ capability dac_override,
+ capability sys_module,
+ capability sys_admin,
+ capability sys_ptrace,
+
+ ptrace (read),
+ ptrace (trace),
+
+ mount,
+ umount,
+ network,
+
+ # Log path
+ /var/log/waagent.log rw,
+ /var/log/azure/ rw,
+ /var/log/azure/** rw,
+
+ # Lib path
+ /var/lib/waagent/ rw,
+ /var/lib/waagent/** mrwlk,
+ # Enable VM extensions to execute unconfined
+ /var/lib/waagent/** PUx,
+ /{,usr/}lib/ r,
+ /{,usr/}lib/** r,
+
+ /etc/ r,
+ /etc/** r,
+ /etc/udev/rules.d/** w,
+
+ /usr/share/ r,
+ /usr/share/** r,
+ /usr/local/{,s}bin/ r,
+ /usr/{,s}bin/ r,
+ /{,s}bin/ r,
+
+ /dev/ r,
+ /dev/sr0 r,
+ /dev/null w,
+ /dev/console rw,
+ /dev/tty rw,
+
+ /run/ r,
+ /run/** r,
+ /run/mount/utab w,
+ /run/waagent.pid w,
+
+ @{PROC}/ r,
+ @{PROC}/** r,
+
+ /sys/module/ r,
+ /sys/module/** r,
+ /sys/firmware/acpi/tables/** r,
+ /sys/block/ r,
+ /sys/block/sd*/device/timeout rw,
+ /sys/devices/** rw,
+
+ /mnt/cdrom/ rw,
+ /mnt/cdrom/secure/ rw,
+
+ # Writable for the install directory
+ @{CLICK_DIR}/@{APP_PKGNAME}/ r,
+ @{CLICK_DIR}/@{APP_PKGNAME}/@{APP_VERSION}/ r,
+ @{CLICK_DIR}/@{APP_PKGNAME}/@{APP_VERSION}/** mrwklix,
+}
diff --git a/snappy/meta/walinuxagent.seccomp b/snappy/meta/walinuxagent.seccomp
new file mode 100644
index 0000000..90fbc81
--- /dev/null
+++ b/snappy/meta/walinuxagent.seccomp
@@ -0,0 +1 @@
+@unrestricted |
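Review bot: The pair `/var/lib/waagent/** mrwlk,` and `/var/lib/waagent/** PUx,` lets the confined agent write a file into its own state directory and then execute it with no confinement at all, so any compromise of the agent (or of whatever it places there at runtime, which presumably includes extension payloads) turns into an unconfined root process; together with `capability sys_admin,`, `capability sys_module,` and the unqualified `mount,` / `umount,` rules the profile is confinement in name only. The mount rules can be tied to what the profile itself points at, `/dev/sr0 r,` and `/mnt/cdrom/secure/ rw,`: `mount options=(ro) /dev/sr0 -> /mnt/cdrom/secure/,` and `umount /mnt/cdrom/secure/,`, assuming the provisioning media is the only thing the agent mounts. `capability sys_module` should be dropped unless module loading is actually exercised, and `ptrace (trace)` should name a `peer=`; where a right cannot be narrowed, the existing `# Enable VM extensions to execute unconfined` comment should be extended to state that this is a deliberate trust boundary and which path depends on it.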
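Review bot: `@unrestricted` disables syscall filtering entirely, so the seccomp half of the `security-policy` contributes nothing and every capability the AppArmor profile grants is reachable through any syscall. The one-line file gives no hint whether this is a stopgap or a requirement; an explicit allow-list derived from running the agent under the default template would be the real fix, and failing that a line such as `# @unrestricted: agent mounts the provisioning DVD and loads modules; replace with an allow-list once the required syscall set is known` (if the policy format accepts `#` comment lines) records the intent.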