authorMichael Vogt <mvo@ubuntu.com>2017-03-01 12:08:50 +0100
committerMichael Vogt <mvo@ubuntu.com>2017-03-01 12:08:50 +0100
commitd2c9fe5186a8f656dd08c17342c11ca685eb94b0 (patch)
treef7abd353e719e443a8f08daa18e858a56dd38060
parent188d67132363d93728d4672eafb413d197a4b2bb (diff)
parentd9ba6343fe273eab977e080f8b588aa9d13422b2 (diff)
Merge remote-tracking branch 'upstream/master' into zygas-suse-autogenzygas-suse-autogen
-rw-r--r--interfaces/builtin/bluez.go26
-rw-r--r--interfaces/builtin/browser_support.go12
-rw-r--r--interfaces/builtin/fwupd.go38
-rw-r--r--interfaces/builtin/iio.go8
-rw-r--r--interfaces/builtin/location_control.go32
-rw-r--r--interfaces/builtin/location_observe.go32
-rw-r--r--interfaces/builtin/mir.go36
-rw-r--r--interfaces/builtin/modem_manager.go44
-rw-r--r--interfaces/builtin/mpris.go24
-rw-r--r--interfaces/builtin/network_manager.go26
-rw-r--r--interfaces/builtin/ppp.go8
-rw-r--r--interfaces/builtin/ubuntu_download_manager.go20
-rw-r--r--interfaces/builtin/udisks2.go17
-rw-r--r--interfaces/builtin/unity7.go2
-rw-r--r--snap/implicit.go2
-rw-r--r--tests/main/docker/task.yaml4
16 files changed, 176 insertions, 155 deletions
diff --git a/interfaces/builtin/bluez.go b/interfaces/builtin/bluez.go
index 07339933e3..519f28a28c 100644
--- a/interfaces/builtin/bluez.go
+++ b/interfaces/builtin/bluez.go
@@ -1,7 +1,7 @@
// -*- Mode: Go; indent-tabs-mode: t -*-
/*
- * Copyright (C) 2016 Canonical Ltd
+ * Copyright (C) 2016-2017 Canonical Ltd
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 3 as
@@ -25,7 +25,7 @@ import (
"github.com/snapcore/snapd/interfaces"
)
-var bluezPermanentSlotAppArmor = []byte(`
+const bluezPermanentSlotAppArmor = `
# Description: Allow operating as the bluez service. This gives privileged
# access to the system.
@@ -92,9 +92,9 @@ var bluezPermanentSlotAppArmor = []byte(`
path=/org/freedesktop/hostname1
interface=org.freedesktop.DBus.Properties
peer=(label=unconfined),
-`)
+`
-var bluezConnectedPlugAppArmor = []byte(`
+const bluezConnectedPlugAppArmor = `
# Description: Allow using bluez service. This gives privileged access to the
# bluez service.
@@ -124,9 +124,9 @@ dbus (receive)
path=/org/bluez{,/**}
interface=org.freedesktop.DBus.*
peer=(label=unconfined),
-`)
+`
-var bluezPermanentSlotSecComp = []byte(`
+const bluezPermanentSlotSecComp = `
# Description: Allow operating as the bluez service. This gives privileged
# access to the system.
accept
@@ -134,9 +134,9 @@ accept4
bind
listen
shutdown
-`)
+`
-var bluezPermanentSlotDBus = []byte(`
+const bluezPermanentSlotDBus = `
<policy user="root">
<allow own="org.bluez"/>
<allow own="org.bluez.obex"/>
@@ -156,7 +156,7 @@ var bluezPermanentSlotDBus = []byte(`
<policy context="default">
<deny send_destination="org.bluez"/>
</policy>
-`)
+`
type BluezInterface struct{}
@@ -173,7 +173,7 @@ func (iface *BluezInterface) ConnectedPlugSnippet(plug *interfaces.Plug, slot *i
case interfaces.SecurityAppArmor:
old := []byte("###SLOT_SECURITY_TAGS###")
new := slotAppLabelExpr(slot)
- snippet := bytes.Replace(bluezConnectedPlugAppArmor, old, new, -1)
+ snippet := bytes.Replace([]byte(bluezConnectedPlugAppArmor), old, new, -1)
return snippet, nil
}
return nil, nil
@@ -182,11 +182,11 @@ func (iface *BluezInterface) ConnectedPlugSnippet(plug *interfaces.Plug, slot *i
func (iface *BluezInterface) PermanentSlotSnippet(slot *interfaces.Slot, securitySystem interfaces.SecuritySystem) ([]byte, error) {
switch securitySystem {
case interfaces.SecurityAppArmor:
- return bluezPermanentSlotAppArmor, nil
+ return []byte(bluezPermanentSlotAppArmor), nil
case interfaces.SecuritySecComp:
- return bluezPermanentSlotSecComp, nil
+ return []byte(bluezPermanentSlotSecComp), nil
case interfaces.SecurityDBus:
- return bluezPermanentSlotDBus, nil
+ return []byte(bluezPermanentSlotDBus), nil
}
return nil, nil
}
diff --git a/interfaces/builtin/browser_support.go b/interfaces/builtin/browser_support.go
index ae6cc100dd..b07b3cfc32 100644
--- a/interfaces/builtin/browser_support.go
+++ b/interfaces/builtin/browser_support.go
@@ -45,11 +45,22 @@ owner /var/tmp/etilqs_* rw,
owner /{dev,run}/shm/{,.}org.chromium.Chromium.* rw,
owner /{dev,run}/shm/{,.}com.google.Chrome.* rw,
+# Allow reading platform files
+/run/udev/data/+platform:* r,
+
# Chrome/Chromium should be adjusted to not use gconf. It is only used with
# legacy systems that don't have snapd
deny dbus (send)
bus=session
interface="org.gnome.GConf.Server",
+
+# Lttng tracing is very noisy and should not be allowed by confined apps. Can
+# safely deny. LP: #1260491
+deny /{dev,run,var/run}/shm/lttng-ust-* r,
+
+# webbrowser-app/webapp-container tries to read this file to determine if it is
+# confined or not, so explicitly deny to avoid noise in the logs.
+deny @{PROC}/@{pid}/attr/current r,
`
const browserSupportConnectedPlugAppArmorWithoutSandbox = `
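Review bot: The added `deny @{PROC}/@{pid}/attr/current r,` and `deny /{dev,run,var/run}/shm/lttng-ust-* r,` rules are explicit denies, and in AppArmor an explicit deny overrides any allow rule in the same profile and is not logged. A snap that plugs this interface together with one that grants either read would lose that access with nothing in the denial log to explain it, so the comments should say this, e.g. `# NOTE: explicit deny; also overrides allow rules from other connected interfaces and is not audited.` Separately, `/run/udev/data/+platform:* r,` is removed from a later snippet in this file and added to the one that ends just before `browserSupportConnectedPlugAppArmorWithoutSandbox`, which presumably grants it to every plug of the interface rather than only the no-sandbox case. `# Allow reading platform files` should name what needs the read so the wider grant can be reviewed.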
@@ -103,7 +114,6 @@ owner @{PROC}/@{pid}/fd/[0-9]* w,
/run/udev/data/+acpi:* r,
/run/udev/data/+hwmon:hwmon[0-9]* r,
/run/udev/data/+i2c:* r,
-/run/udev/data/+platform:* r,
/sys/devices/**/bConfigurationValue r,
/sys/devices/**/descriptors r,
/sys/devices/**/manufacturer r,
diff --git a/interfaces/builtin/fwupd.go b/interfaces/builtin/fwupd.go
index ff5ae18df8..cfecb6ade7 100644
--- a/interfaces/builtin/fwupd.go
+++ b/interfaces/builtin/fwupd.go
@@ -1,7 +1,7 @@
// -*- Mode: Go; indent-tabs-mode: t -*-
/*
- * Copyright (C) 2016 Canonical Ltd
+ * Copyright (C) 2016-2017 Canonical Ltd
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 3 as
@@ -25,7 +25,7 @@ import (
"github.com/snapcore/snapd/interfaces"
)
-var fwupdPermanentSlotAppArmor = []byte(`
+const fwupdPermanentSlotAppArmor = `
# Description: Allow operating as the fwupd service. This gives privileged
# access to the system.
@@ -83,9 +83,9 @@ var fwupdPermanentSlotAppArmor = []byte(`
dbus (bind)
bus=system
name="org.freedesktop.fwupd",
-`)
+`
-var fwupdConnectedPlugAppArmor = []byte(`
+const fwupdConnectedPlugAppArmor = `
# Description: Allow using fwupd service. This gives # privileged access to the
# fwupd service.
@@ -108,9 +108,9 @@ var fwupdConnectedPlugAppArmor = []byte(`
path=/
interface=org.freedesktop.DBus.Properties
peer=(label=###SLOT_SECURITY_TAGS###),
-`)
+`
-var fwupdConnectedSlotAppArmor = []byte(`
+const fwupdConnectedSlotAppArmor = `
# Description: Allow firmware update using fwupd service. This gives privileged
# access to the fwupd service.
@@ -139,9 +139,9 @@ var fwupdConnectedSlotAppArmor = []byte(`
path=/org/freedesktop/fwupd{,/**}
interface=org.freedesktop.fwupd
peer=(label=###PLUG_SECURITY_TAGS###),
-`)
+`
-var fwupdPermanentSlotDBus = []byte(`
+const fwupdPermanentSlotDBus = `
<policy user="root">
<allow own="org.freedesktop.fwupd"/>
<allow send_destination="org.freedesktop.fwupd" send_interface="org.freedesktop.fwupd"/>
@@ -153,20 +153,20 @@ var fwupdPermanentSlotDBus = []byte(`
<deny own="org.freedesktop.fwupd"/>
<deny send_destination="org.freedesktop.fwupd" send_interface="org.freedesktop.fwupd"/>
</policy>
-`)
+`
-var fwupdPermanentSlotSecComp = []byte(`
+const fwupdPermanentSlotSecComp = `
# Description: Allow operating as the fwupd service. This gives privileged
# access to the system.
# Can communicate with DBus system service
bind
-`)
+`
-var fwupdConnectedPlugSecComp = []byte(`
+const fwupdConnectedPlugSecComp = `
# Description: Allow using fwupd service. Reserved because this gives
# privileged access to the fwupd service.
bind
-`)
+`
// FwupdInterface type
type FwupdInterface struct{}
@@ -187,10 +187,10 @@ func (iface *FwupdInterface) ConnectedPlugSnippet(plug *interfaces.Plug, slot *i
case interfaces.SecurityAppArmor:
old := []byte("###SLOT_SECURITY_TAGS###")
new := slotAppLabelExpr(slot)
- snippet := bytes.Replace(fwupdConnectedPlugAppArmor, old, new, -1)
+ snippet := bytes.Replace([]byte(fwupdConnectedPlugAppArmor), old, new, -1)
return snippet, nil
case interfaces.SecuritySecComp:
- return fwupdConnectedPlugSecComp, nil
+ return []byte(fwupdConnectedPlugSecComp), nil
}
return nil, nil
}
@@ -199,11 +199,11 @@ func (iface *FwupdInterface) ConnectedPlugSnippet(plug *interfaces.Plug, slot *i
func (iface *FwupdInterface) PermanentSlotSnippet(slot *interfaces.Slot, securitySystem interfaces.SecuritySystem) ([]byte, error) {
switch securitySystem {
case interfaces.SecurityAppArmor:
- return fwupdPermanentSlotAppArmor, nil
+ return []byte(fwupdPermanentSlotAppArmor), nil
case interfaces.SecurityDBus:
- return fwupdPermanentSlotDBus, nil
+ return []byte(fwupdPermanentSlotDBus), nil
case interfaces.SecuritySecComp:
- return fwupdPermanentSlotSecComp, nil
+ return []byte(fwupdPermanentSlotSecComp), nil
}
return nil, nil
}
@@ -214,7 +214,7 @@ func (iface *FwupdInterface) ConnectedSlotSnippet(plug *interfaces.Plug, slot *i
case interfaces.SecurityAppArmor:
old := []byte("###PLUG_SECURITY_TAGS###")
new := plugAppLabelExpr(plug)
- snippet := bytes.Replace(fwupdConnectedSlotAppArmor, old, new, -1)
+ snippet := bytes.Replace([]byte(fwupdConnectedSlotAppArmor), old, new, -1)
return snippet, nil
}
return nil, nil
diff --git a/interfaces/builtin/iio.go b/interfaces/builtin/iio.go
index 745ab0f6f3..c7a9281377 100644
--- a/interfaces/builtin/iio.go
+++ b/interfaces/builtin/iio.go
@@ -1,7 +1,7 @@
// -*- Mode: Go; indent-tabs-mode: t -*-
/*
- * Copyright (C) 2016 Canonical Ltd
+ * Copyright (C) 2016-2017 Canonical Ltd
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 3 as
@@ -29,13 +29,13 @@ import (
"github.com/snapcore/snapd/interfaces"
)
-var iioConnectedPlugAppArmor = []byte(`
+const iioConnectedPlugAppArmor = `
# Description: Give access to a specific IIO device on the system.
###IIO_DEVICE_PATH### rw,
/sys/bus/iio/devices/###IIO_DEVICE_NAME###/ r,
/sys/bus/iio/devices/###IIO_DEVICE_NAME###/** rwk,
-`)
+`
// The type for iio interface
type IioInterface struct{}
@@ -105,7 +105,7 @@ func (iface *IioInterface) ConnectedPlugSnippet(plug *interfaces.Plug, slot *int
switch securitySystem {
case interfaces.SecurityAppArmor:
cleanedPath := filepath.Clean(path)
- snippet := bytes.Replace(iioConnectedPlugAppArmor, []byte("###IIO_DEVICE_PATH###"), []byte(cleanedPath), -1)
+ snippet := bytes.Replace([]byte(iioConnectedPlugAppArmor), []byte("###IIO_DEVICE_PATH###"), []byte(cleanedPath), -1)
// The path is already verified against a regular expression
// in SanitizeSlot so we can rely on its structure here and
diff --git a/interfaces/builtin/location_control.go b/interfaces/builtin/location_control.go
index e1f030d8e5..8646332591 100644
--- a/interfaces/builtin/location_control.go
+++ b/interfaces/builtin/location_control.go
@@ -1,7 +1,7 @@
// -*- Mode: Go; indent-tabs-mode: t -*-
/*
- * Copyright (C) 2016 Canonical Ltd
+ * Copyright (C) 2016-2017 Canonical Ltd
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 3 as
@@ -25,7 +25,7 @@ import (
"github.com/snapcore/snapd/interfaces"
)
-var locationControlPermanentSlotAppArmor = []byte(`
+const locationControlPermanentSlotAppArmor = `
# Description: Allow operating as the location service. This gives privileged
# access to the system.
@@ -55,9 +55,9 @@ dbus (receive, send)
path=/com/ubuntu/location/Service{,/**}
interface=org.freedesktop.DBus**
peer=(label=unconfined),
-`)
+`
-var locationControlConnectedSlotAppArmor = []byte(`
+const locationControlConnectedSlotAppArmor = `
# Allow connected clients to interact with the service
# Allow clients to register providers
@@ -82,9 +82,9 @@ dbus (send)
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(label=###PLUG_SECURITY_TAGS###),
-`)
+`
-var locationControlConnectedPlugAppArmor = []byte(`
+const locationControlConnectedPlugAppArmor = `
# Description: Allow using location service. This gives privileged access to
# the service.
@@ -118,23 +118,23 @@ dbus (receive)
path=/
interface=org.freedesktop.DBus.ObjectManager
peer=(label=unconfined),
-`)
+`
-var locationControlPermanentSlotDBus = []byte(`
+const locationControlPermanentSlotDBus = `
<policy user="root">
<allow own="com.ubuntu.location.Service"/>
<allow send_destination="com.ubuntu.location.Service"/>
<allow send_interface="com.ubuntu.location.Service"/>
</policy>
-`)
+`
-var locationControlConnectedPlugDBus = []byte(`
+const locationControlConnectedPlugDBus = `
<policy context="default">
<deny own="com.ubuntu.location.Service"/>
<allow send_destination="com.ubuntu.location.Service"/>
<allow send_interface="com.ubuntu.location.Service"/>
</policy>
-`)
+`
type LocationControlInterface struct{}
@@ -151,10 +151,10 @@ func (iface *LocationControlInterface) ConnectedPlugSnippet(plug *interfaces.Plu
case interfaces.SecurityAppArmor:
old := []byte("###SLOT_SECURITY_TAGS###")
new := slotAppLabelExpr(slot)
- snippet := bytes.Replace(locationControlConnectedPlugAppArmor, old, new, -1)
+ snippet := bytes.Replace([]byte(locationControlConnectedPlugAppArmor), old, new, -1)
return snippet, nil
case interfaces.SecurityDBus:
- return locationControlConnectedPlugDBus, nil
+ return []byte(locationControlConnectedPlugDBus), nil
}
return nil, nil
}
@@ -162,9 +162,9 @@ func (iface *LocationControlInterface) ConnectedPlugSnippet(plug *interfaces.Plu
func (iface *LocationControlInterface) PermanentSlotSnippet(slot *interfaces.Slot, securitySystem interfaces.SecuritySystem) ([]byte, error) {
switch securitySystem {
case interfaces.SecurityAppArmor:
- return locationControlPermanentSlotAppArmor, nil
+ return []byte(locationControlPermanentSlotAppArmor), nil
case interfaces.SecurityDBus:
- return locationControlPermanentSlotDBus, nil
+ return []byte(locationControlPermanentSlotDBus), nil
}
return nil, nil
}
@@ -174,7 +174,7 @@ func (iface *LocationControlInterface) ConnectedSlotSnippet(plug *interfaces.Plu
case interfaces.SecurityAppArmor:
old := []byte("###PLUG_SECURITY_TAGS###")
new := plugAppLabelExpr(plug)
- snippet := bytes.Replace(locationControlConnectedSlotAppArmor, old, new, -1)
+ snippet := bytes.Replace([]byte(locationControlConnectedSlotAppArmor), old, new, -1)
return snippet, nil
}
return nil, nil
diff --git a/interfaces/builtin/location_observe.go b/interfaces/builtin/location_observe.go
index 5ba0514490..95a2c01e23 100644
--- a/interfaces/builtin/location_observe.go
+++ b/interfaces/builtin/location_observe.go
@@ -1,7 +1,7 @@
// -*- Mode: Go; indent-tabs-mode: t -*-
/*
- * Copyright (C) 2016 Canonical Ltd
+ * Copyright (C) 2016-2017 Canonical Ltd
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 3 as
@@ -25,7 +25,7 @@ import (
"github.com/snapcore/snapd/interfaces"
)
-var locationObservePermanentSlotAppArmor = []byte(`
+const locationObservePermanentSlotAppArmor = `
# Description: Allow operating as the location service. This gives privileged
# access to the system.
@@ -55,9 +55,9 @@ dbus (receive, send)
path=/com/ubuntu/location/Service{,/**}
interface=org.freedesktop.DBus**
peer=(label=unconfined),
-`)
+`
-var locationObserveConnectedSlotAppArmor = []byte(`
+const locationObserveConnectedSlotAppArmor = `
# Allow connected clients to interact with the service
# Allow the service to host sessions
@@ -117,9 +117,9 @@ dbus (send)
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(label=###PLUG_SECURITY_TAGS###),
-`)
+`
-var locationObserveConnectedPlugAppArmor = []byte(`
+const locationObserveConnectedPlugAppArmor = `
# Description: Allow using location service. This gives privileged access to
# the service.
@@ -183,9 +183,9 @@ dbus (receive)
path=/
interface=org.freedesktop.DBus.ObjectManager
peer=(label=unconfined),
-`)
+`
-var locationObservePermanentSlotDBus = []byte(`
+const locationObservePermanentSlotDBus = `
<policy user="root">
<allow own="com.ubuntu.location.Service"/>
<allow own="com.ubuntu.location.Service.Session"/>
@@ -194,9 +194,9 @@ var locationObservePermanentSlotDBus = []byte(`
<allow send_interface="com.ubuntu.location.Service"/>
<allow send_interface="com.ubuntu.location.Service.Session"/>
</policy>
-`)
+`
-var locationObserveConnectedPlugDBus = []byte(`
+const locationObserveConnectedPlugDBus = `
<policy context="default">
<deny own="com.ubuntu.location.Service"/>
<allow send_destination="com.ubuntu.location.Service"/>
@@ -204,7 +204,7 @@ var locationObserveConnectedPlugDBus = []byte(`
<allow send_interface="com.ubuntu.location.Service"/>
<allow send_interface="com.ubuntu.location.Service.Session"/>
</policy>
-`)
+`
type LocationObserveInterface struct{}
@@ -221,10 +221,10 @@ func (iface *LocationObserveInterface) ConnectedPlugSnippet(plug *interfaces.Plu
case interfaces.SecurityAppArmor:
old := []byte("###SLOT_SECURITY_TAGS###")
new := slotAppLabelExpr(slot)
- snippet := bytes.Replace(locationObserveConnectedPlugAppArmor, old, new, -1)
+ snippet := bytes.Replace([]byte(locationObserveConnectedPlugAppArmor), old, new, -1)
return snippet, nil
case interfaces.SecurityDBus:
- return locationObserveConnectedPlugDBus, nil
+ return []byte(locationObserveConnectedPlugDBus), nil
default:
return nil, nil
}
@@ -233,9 +233,9 @@ func (iface *LocationObserveInterface) ConnectedPlugSnippet(plug *interfaces.Plu
func (iface *LocationObserveInterface) PermanentSlotSnippet(slot *interfaces.Slot, securitySystem interfaces.SecuritySystem) ([]byte, error) {
switch securitySystem {
case interfaces.SecurityAppArmor:
- return locationObservePermanentSlotAppArmor, nil
+ return []byte(locationObservePermanentSlotAppArmor), nil
case interfaces.SecurityDBus:
- return locationObservePermanentSlotDBus, nil
+ return []byte(locationObservePermanentSlotDBus), nil
default:
return nil, nil
}
@@ -246,7 +246,7 @@ func (iface *LocationObserveInterface) ConnectedSlotSnippet(plug *interfaces.Plu
case interfaces.SecurityAppArmor:
old := []byte("###PLUG_SECURITY_TAGS###")
new := plugAppLabelExpr(plug)
- snippet := bytes.Replace(locationObserveConnectedSlotAppArmor, old, new, -1)
+ snippet := bytes.Replace([]byte(locationObserveConnectedSlotAppArmor), old, new, -1)
return snippet, nil
default:
return nil, nil
diff --git a/interfaces/builtin/mir.go b/interfaces/builtin/mir.go
index d84a719c46..932e83afae 100644
--- a/interfaces/builtin/mir.go
+++ b/interfaces/builtin/mir.go
@@ -1,7 +1,7 @@
// -*- Mode: Go; indent-tabs-mode: t -*-
/*
- * Copyright (c) 2016 Canonical Ltd
+ * Copyright (c) 2016-2017 Canonical Ltd
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 3 as
@@ -25,23 +25,27 @@ import (
"github.com/snapcore/snapd/interfaces"
)
-var mirPermanentSlotAppArmor = []byte(`
+const mirPermanentSlotAppArmor = `
# Description: Allow operating as the Mir server. This gives privileged access
# to the system.
# needed since Mir is the display server, to configure tty devices
capability sys_tty_config,
-/{dev,run}/shm/\#* rw,
/dev/tty[0-9]* rw,
-network netlink raw,
+
+/{dev,run}/shm/\#* rw,
/run/mir_socket rw,
-#NOTE: this allows reading and inserting all input events
+
+# NOTE: this allows reading and inserting all input events
/dev/input/* rw,
+
+# For using udev
+network netlink raw,
/run/udev/data/c13:[0-9]* r,
/run/udev/data/+input:input[0-9]* r,
-`)
+`
-var mirPermanentSlotSecComp = []byte(`
+const mirPermanentSlotSecComp = `
# Description: Allow operating as the mir server. This gives privileged access
# to the system.
# Needed for server launch
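Review bot: The new `# For using udev` heading in `mirPermanentSlotAppArmor` sits over `network netlink raw,`, but that rule is not limited to udev. As far as I know, AppArmor network rules match on address family and socket type only, so it permits raw netlink sockets for any netlink protocol. The comment should state the real scope, e.g. `# For using udev. NOTE: AppArmor does not mediate the netlink protocol, so this allows all raw netlink sockets.` The existing note on `/dev/input/* rw,` already documents its breadth in the same way.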
@@ -51,19 +55,19 @@ listen
accept
accept4
shmctl
-`)
+`
-var mirConnectedSlotAppArmor = []byte(`
+const mirConnectedSlotAppArmor = `
# Description: Permit clients to use Mir
unix (receive, send) type=seqpacket addr=none peer=(label=###PLUG_SECURITY_TAGS###),
-`)
+`
-var mirConnectedPlugAppArmor = []byte(`
+const mirConnectedPlugAppArmor = `
# Description: Permit clients to use Mir
unix (receive, send) type=seqpacket addr=none peer=(label=###SLOT_SECURITY_TAGS###),
/run/mir_socket rw,
/run/user/[0-9]*/mir_socket rw,
-`)
+`
type MirInterface struct{}
@@ -80,7 +84,7 @@ func (iface *MirInterface) ConnectedPlugSnippet(plug *interfaces.Plug, slot *int
case interfaces.SecurityAppArmor:
old := []byte("###SLOT_SECURITY_TAGS###")
new := slotAppLabelExpr(slot)
- snippet := bytes.Replace(mirConnectedPlugAppArmor, old, new, -1)
+ snippet := bytes.Replace([]byte(mirConnectedPlugAppArmor), old, new, -1)
return snippet, nil
}
return nil, nil
@@ -91,9 +95,9 @@ func (iface *MirInterface) PermanentSlotSnippet(
securitySystem interfaces.SecuritySystem) ([]byte, error) {
switch securitySystem {
case interfaces.SecurityAppArmor:
- return mirPermanentSlotAppArmor, nil
+ return []byte(mirPermanentSlotAppArmor), nil
case interfaces.SecuritySecComp:
- return mirPermanentSlotSecComp, nil
+ return []byte(mirPermanentSlotSecComp), nil
}
return nil, nil
}
@@ -103,7 +107,7 @@ func (iface *MirInterface) ConnectedSlotSnippet(plug *interfaces.Plug, slot *int
case interfaces.SecurityAppArmor:
old := []byte("###PLUG_SECURITY_TAGS###")
new := plugAppLabelExpr(plug)
- snippet := bytes.Replace(mirConnectedSlotAppArmor, old, new, -1)
+ snippet := bytes.Replace([]byte(mirConnectedSlotAppArmor), old, new, -1)
return snippet, nil
}
return nil, nil
diff --git a/interfaces/builtin/modem_manager.go b/interfaces/builtin/modem_manager.go
index 0b5ceafdd8..601be692f7 100644
--- a/interfaces/builtin/modem_manager.go
+++ b/interfaces/builtin/modem_manager.go
@@ -1,7 +1,7 @@
// -*- Mode: Go; indent-tabs-mode: t -*-
/*
- * Copyright (C) 2016 Canonical Ltd
+ * Copyright (C) 2016-2017 Canonical Ltd
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 3 as
@@ -26,7 +26,7 @@ import (
"github.com/snapcore/snapd/release"
)
-var modemManagerPermanentSlotAppArmor = []byte(`
+const modemManagerPermanentSlotAppArmor = `
# Description: Allow operating as the ModemManager service. This gives
# privileged access to the system.
@@ -79,9 +79,9 @@ dbus (receive, send)
path=/org/freedesktop/ModemManager1{,/**}
interface=org.freedesktop.DBus.*
peer=(label=unconfined),
-`)
+`
-var modemManagerConnectedSlotAppArmor = []byte(`
+const modemManagerConnectedSlotAppArmor = `
# Allow connected clients to interact with the service
# Allow traffic to/from our path and interface with any method
@@ -97,9 +97,9 @@ dbus (receive, send)
path=/org/freedesktop/ModemManager1{,/**}
interface=org.freedesktop.DBus.*
peer=(label=###PLUG_SECURITY_TAGS###),
-`)
+`
-var modemManagerConnectedPlugAppArmor = []byte(`
+const modemManagerConnectedPlugAppArmor = `
# Description: Allow using ModemManager service. This gives privileged access
# to the ModemManager service.
@@ -116,9 +116,9 @@ dbus (receive, send)
path=/org/freedesktop/ModemManager1{,/**}
interface=org.freedesktop.DBus.*
peer=(label=###SLOT_SECURITY_TAGS###),
-`)
+`
-var modemManagerConnectedPlugAppArmorClassic = []byte(`
+const modemManagerConnectedPlugAppArmorClassic = `
# Allow access to the unconfined ModemManager service on classic.
dbus (receive, send)
bus=system
@@ -130,9 +130,9 @@ dbus (receive, send)
path=/org/freedesktop/ModemManager1{,/**}
interface=org.freedesktop.DBus.*
peer=(label=unconfined),
-`)
+`
-var modemManagerPermanentSlotSecComp = []byte(`
+const modemManagerPermanentSlotSecComp = `
# Description: Allow operating as the ModemManager service. This gives
# privileged access to the system.
@@ -142,23 +142,23 @@ accept4
bind
listen
shutdown
-`)
+`
-var modemManagerPermanentSlotDBus = []byte(`
+const modemManagerPermanentSlotDBus = `
<policy user="root">
<allow own="org.freedesktop.ModemManager1"/>
<allow send_destination="org.freedesktop.ModemManager1"/>
</policy>
-`)
+`
-var modemManagerConnectedPlugDBus = []byte(`
+const modemManagerConnectedPlugDBus = `
<policy context="default">
<deny own="org.freedesktop.ModemManager1"/>
<deny send_destination="org.freedesktop.ModemManager1"/>
</policy>
-`)
+`
-var modemManagerPermanentSlotUdev = []byte(`
+const modemManagerPermanentSlotUdev = `
# Concatenation of all ModemManager udev rules
# do not edit this file, it will be overwritten on update
@@ -1147,7 +1147,7 @@ KERNEL=="cdc-wdm*", SUBSYSTEM=="usb", ENV{ID_MM_CANDIDATE}="1"
KERNEL=="cdc-wdm*", SUBSYSTEM=="usbmisc", ENV{ID_MM_CANDIDATE}="1"
LABEL="mm_candidate_end"
-`)
+`
type ModemManagerInterface struct{}
@@ -1179,13 +1179,13 @@ func (iface *ModemManagerInterface) ConnectedPlugSnippet(plug *interfaces.Plug,
func (iface *ModemManagerInterface) PermanentSlotSnippet(slot *interfaces.Slot, securitySystem interfaces.SecuritySystem) ([]byte, error) {
switch securitySystem {
case interfaces.SecurityAppArmor:
- return modemManagerPermanentSlotAppArmor, nil
+ return []byte(modemManagerPermanentSlotAppArmor), nil
case interfaces.SecuritySecComp:
- return modemManagerPermanentSlotSecComp, nil
+ return []byte(modemManagerPermanentSlotSecComp), nil
case interfaces.SecurityUDev:
- return modemManagerPermanentSlotUdev, nil
+ return []byte(modemManagerPermanentSlotUdev), nil
case interfaces.SecurityDBus:
- return modemManagerPermanentSlotDBus, nil
+ return []byte(modemManagerPermanentSlotDBus), nil
}
return nil, nil
}
@@ -1195,7 +1195,7 @@ func (iface *ModemManagerInterface) ConnectedSlotSnippet(plug *interfaces.Plug,
case interfaces.SecurityAppArmor:
old := []byte("###PLUG_SECURITY_TAGS###")
new := plugAppLabelExpr(plug)
- snippet := bytes.Replace(modemManagerConnectedSlotAppArmor, old, new, -1)
+ snippet := bytes.Replace([]byte(modemManagerConnectedSlotAppArmor), old, new, -1)
return snippet, nil
}
return nil, nil
diff --git a/interfaces/builtin/mpris.go b/interfaces/builtin/mpris.go
index b2907b157d..4a7ca045f7 100644
--- a/interfaces/builtin/mpris.go
+++ b/interfaces/builtin/mpris.go
@@ -1,7 +1,7 @@
// -*- Mode: Go; indent-tabs-mode: t -*-
/*
- * Copyright (C) 2016 Canonical Ltd
+ * Copyright (C) 2016-2017 Canonical Ltd
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 3 as
@@ -28,7 +28,7 @@ import (
"github.com/snapcore/snapd/release"
)
-var mprisPermanentSlotAppArmor = []byte(`
+const mprisPermanentSlotAppArmor = `
# Description: Allow operating as an MPRIS player.
# DBus accesses
@@ -73,9 +73,9 @@ dbus (receive)
bus=session
path=/org/mpris/MediaPlayer2
peer=(label=@{profile_name}),
-`)
+`
-var mprisConnectedSlotAppArmor = []byte(`
+const mprisConnectedSlotAppArmor = `
# Allow connected clients to interact with the player
dbus (receive)
bus=session
@@ -92,9 +92,9 @@ dbus (receive)
interface="org.mpris.MediaPlayer2{,.*}"
path=/org/mpris/MediaPlayer2
peer=(label=###PLUG_SECURITY_TAGS###),
-`)
+`
-var mprisConnectedSlotAppArmorClassic = []byte(`
+const mprisConnectedSlotAppArmorClassic = `
# Allow unconfined clients to interact with the player on classic
dbus (receive)
bus=session
@@ -104,9 +104,9 @@ dbus (receive)
bus=session
interface=org.freedesktop.DBus.Introspectable
peer=(label=unconfined),
-`)
+`
-var mprisConnectedPlugAppArmor = []byte(`
+const mprisConnectedPlugAppArmor = `
# Description: Allow connecting to an MPRIS player.
#include <abstractions/dbus-session-strict>
@@ -135,7 +135,7 @@ dbus (send)
bus=session
path=/org/mpris/MediaPlayer2
peer=(label=###SLOT_SECURITY_TAGS###),
-`)
+`
type MprisInterface struct{}
@@ -152,7 +152,7 @@ func (iface *MprisInterface) ConnectedPlugSnippet(plug *interfaces.Plug, slot *i
case interfaces.SecurityAppArmor:
old := []byte("###SLOT_SECURITY_TAGS###")
new := slotAppLabelExpr(slot)
- snippet := bytes.Replace(mprisConnectedPlugAppArmor, old, new, -1)
+ snippet := bytes.Replace([]byte(mprisConnectedPlugAppArmor), old, new, -1)
return snippet, nil
}
return nil, nil
@@ -168,7 +168,7 @@ func (iface *MprisInterface) PermanentSlotSnippet(slot *interfaces.Slot, securit
old := []byte("###MPRIS_NAME###")
new := []byte(name)
- snippet := bytes.Replace(mprisPermanentSlotAppArmor, old, new, -1)
+ snippet := bytes.Replace([]byte(mprisPermanentSlotAppArmor), old, new, -1)
// on classic, allow unconfined remotes to control the player
// (eg, indicator-sound)
if release.OnClassic {
@@ -184,7 +184,7 @@ func (iface *MprisInterface) ConnectedSlotSnippet(plug *interfaces.Plug, slot *i
case interfaces.SecurityAppArmor:
old := []byte("###PLUG_SECURITY_TAGS###")
new := plugAppLabelExpr(plug)
- snippet := bytes.Replace(mprisConnectedSlotAppArmor, old, new, -1)
+ snippet := bytes.Replace([]byte(mprisConnectedSlotAppArmor), old, new, -1)
return snippet, nil
}
return nil, nil
diff --git a/interfaces/builtin/network_manager.go b/interfaces/builtin/network_manager.go
index 39f9af0c0f..3b4f0c4cc5 100644
--- a/interfaces/builtin/network_manager.go
+++ b/interfaces/builtin/network_manager.go
@@ -1,7 +1,7 @@
// -*- Mode: Go; indent-tabs-mode: t -*-
/*
- * Copyright (C) 2016 Canonical Ltd
+ * Copyright (C) 2016-2017 Canonical Ltd
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 3 as
@@ -26,7 +26,7 @@ import (
"github.com/snapcore/snapd/release"
)
-var networkManagerPermanentSlotAppArmor = []byte(`
+const networkManagerPermanentSlotAppArmor = `
# Description: Allow operating as the NetworkManager service. This gives
# privileged access to the system.
@@ -179,9 +179,9 @@ dbus (receive, send)
path=/fi/w1/wpa_supplicant1{,/**}
interface=org.freedesktop.DBus.*
peer=(label=unconfined),
-`)
+`
-var networkManagerConnectedPlugAppArmor = []byte(`
+const networkManagerConnectedPlugAppArmor = `
# Description: Allow using NetworkManager service. This gives privileged access
# to the NetworkManager service.
@@ -192,9 +192,9 @@ dbus (receive, send)
bus=system
path=/org/freedesktop/NetworkManager{,/**}
peer=(label=###SLOT_SECURITY_TAGS###),
-`)
+`
-var networkManagerPermanentSlotSecComp = []byte(`
+const networkManagerPermanentSlotSecComp = `
# Description: Allow operating as the NetworkManager service. This gives
# privileged access to the system.
accept
@@ -219,9 +219,9 @@ fchown32
fchownat
lchown
lchown32
-`)
+`
-var networkManagerPermanentSlotDBus = []byte(`
+const networkManagerPermanentSlotDBus = `
<!-- DBus policy for NetworkManager (upstream version 1.2.2) -->
<policy user="root">
<allow own="org.freedesktop.NetworkManager"/>
@@ -363,7 +363,7 @@ var networkManagerPermanentSlotDBus = []byte(`
<limit name="max_replies_per_connection">1024</limit>
<limit name="max_match_rules_per_connection">2048</limit>
-`)
+`
type NetworkManagerInterface struct{}
@@ -389,7 +389,7 @@ func (iface *NetworkManagerInterface) ConnectedPlugSnippet(plug *interfaces.Plug
} else {
new = slotAppLabelExpr(slot)
}
- snippet := bytes.Replace(networkManagerConnectedPlugAppArmor, old, new, -1)
+ snippet := bytes.Replace([]byte(networkManagerConnectedPlugAppArmor), old, new, -1)
return snippet, nil
}
return nil, nil
@@ -398,11 +398,11 @@ func (iface *NetworkManagerInterface) ConnectedPlugSnippet(plug *interfaces.Plug
func (iface *NetworkManagerInterface) PermanentSlotSnippet(slot *interfaces.Slot, securitySystem interfaces.SecuritySystem) ([]byte, error) {
switch securitySystem {
case interfaces.SecurityAppArmor:
- return networkManagerPermanentSlotAppArmor, nil
+ return []byte(networkManagerPermanentSlotAppArmor), nil
case interfaces.SecuritySecComp:
- return networkManagerPermanentSlotSecComp, nil
+ return []byte(networkManagerPermanentSlotSecComp), nil
case interfaces.SecurityDBus:
- return networkManagerPermanentSlotDBus, nil
+ return []byte(networkManagerPermanentSlotDBus), nil
}
return nil, nil
}
diff --git a/interfaces/builtin/ppp.go b/interfaces/builtin/ppp.go
index 53ba4e75c6..76cf4ddd24 100644
--- a/interfaces/builtin/ppp.go
+++ b/interfaces/builtin/ppp.go
@@ -1,7 +1,7 @@
// -*- Mode: Go; indent-tabs-mode: t -*-
/*
- * Copyright (C) 2016 Canonical Ltd
+ * Copyright (C) 2016-2017 Canonical Ltd
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 3 as
@@ -23,7 +23,7 @@ import (
"github.com/snapcore/snapd/interfaces"
)
-var pppConnectedPlugAppArmor = []byte(`
+const pppConnectedPlugAppArmor = `
# Description: Allow operating ppp daemon. This gives privileged access to the
# ppp daemon.
@@ -40,7 +40,7 @@ var pppConnectedPlugAppArmor = []byte(`
@{PROC}/@{pid}/loginuid r,
capability setgid,
capability setuid,
-`)
+`
// ppp_generic creates /dev/ppp. Other ppp modules will be automatically loaded
// by the kernel on different ioctl calls for this device. Note also that
@@ -62,7 +62,7 @@ func (iface *PppInterface) PermanentPlugSnippet(plug *interfaces.Plug, securityS
func (iface *PppInterface) ConnectedPlugSnippet(plug *interfaces.Plug, slot *interfaces.Slot, securitySystem interfaces.SecuritySystem) ([]byte, error) {
switch securitySystem {
case interfaces.SecurityAppArmor:
- return pppConnectedPlugAppArmor, nil
+ return []byte(pppConnectedPlugAppArmor), nil
case interfaces.SecurityKMod:
return pppConnectedPlugKmod, nil
}
diff --git a/interfaces/builtin/ubuntu_download_manager.go b/interfaces/builtin/ubuntu_download_manager.go
index f26fe38865..418dcc5e4f 100644
--- a/interfaces/builtin/ubuntu_download_manager.go
+++ b/interfaces/builtin/ubuntu_download_manager.go
@@ -1,7 +1,7 @@
// -*- Mode: Go; indent-tabs-mode: t -*-
/*
- * Copyright (C) 2016 Canonical Ltd
+ * Copyright (C) 2016-2017 Canonical Ltd
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 3 as
@@ -28,7 +28,7 @@ import (
/* The methods: allowGSMDownload, createMmsDownload, exit and setDefaultThrottle
are deliberately left out of this profile due to their privileged nature. */
-var downloadConnectedPlugAppArmor = []byte(`
+const downloadConnectedPlugAppArmor = `
# Description: Can access the download manager.
#include <abstractions/dbus-session-strict>
@@ -103,9 +103,9 @@ dbus (send)
interface=com.canonical.applications.DownloadManager
member=isGSMDownloadAllowed
peer=(label=###SLOT_SECURITY_TAGS###),
-`)
+`
-var downloadPermanentSlotAppArmor = []byte(`
+const downloadPermanentSlotAppArmor = `
# Description: Allow operating as a download manager.
# DBus accesses
@@ -137,9 +137,9 @@ dbus (send)
interface=org.freedesktop.DBus
member="GetConnectionAppArmorSecurityContext"
peer=(name=org.freedesktop.DBus, label=unconfined),
-`)
+`
-var downloadConnectedSlotAppArmor = []byte(`
+const downloadConnectedSlotAppArmor = `
# Allow connected clients to interact with the download manager
dbus (receive)
bus=session
@@ -182,7 +182,7 @@ dbus (send)
# Allow writing to app download directories
owner @{HOME}/snap/###PLUG_NAME###/common/Downloads/ rw,
owner @{HOME}/snap/###PLUG_NAME###/common/Downloads/** rwk,
-`)
+`
type UbuntuDownloadManagerInterface struct{}
@@ -203,7 +203,7 @@ func (iface *UbuntuDownloadManagerInterface) ConnectedPlugSnippet(plug *interfac
case interfaces.SecurityAppArmor:
old := []byte("###SLOT_SECURITY_TAGS###")
new := slotAppLabelExpr(slot)
- snippet := bytes.Replace(downloadConnectedPlugAppArmor, old, new, -1)
+ snippet := bytes.Replace([]byte(downloadConnectedPlugAppArmor), old, new, -1)
return snippet, nil
}
return nil, nil
@@ -212,7 +212,7 @@ func (iface *UbuntuDownloadManagerInterface) ConnectedPlugSnippet(plug *interfac
func (iface *UbuntuDownloadManagerInterface) PermanentSlotSnippet(slot *interfaces.Slot, securitySystem interfaces.SecuritySystem) ([]byte, error) {
switch securitySystem {
case interfaces.SecurityAppArmor:
- return downloadPermanentSlotAppArmor, nil
+ return []byte(downloadPermanentSlotAppArmor), nil
}
return nil, nil
}
@@ -222,7 +222,7 @@ func (iface *UbuntuDownloadManagerInterface) ConnectedSlotSnippet(plug *interfac
case interfaces.SecurityAppArmor:
old := []byte("###PLUG_SECURITY_TAGS###")
new := plugAppLabelExpr(plug)
- snippet := bytes.Replace(downloadConnectedSlotAppArmor, old, new, -1)
+ snippet := bytes.Replace([]byte(downloadConnectedSlotAppArmor), old, new, -1)
old = []byte("###PLUG_NAME###")
new = []byte(plug.Snap.Name())
snippet = bytes.Replace(snippet, old, new, -1)
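Review bot: The `###PLUG_NAME###` substitution in this hunk writes `plug.Snap.Name()` straight into the AppArmor path rules `owner @{HOME}/snap/###PLUG_NAME###/common/Downloads/ rw,`, and nothing here documents what makes that safe. Now that the template is an immutable `const`, the substituted values are the only variable part of the generated policy. A comment should record the assumption, for example `// plug.Snap.Name() is validated at snap install time and cannot contain AppArmor glob or rule syntax`. Whether that validation covers every path into this function is not visible from here and should be confirmed. ConnectedSlotSnippet starts and ends outside the hunk.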
diff --git a/interfaces/builtin/udisks2.go b/interfaces/builtin/udisks2.go
index 1cb28f8187..774df2beff 100644
--- a/interfaces/builtin/udisks2.go
+++ b/interfaces/builtin/udisks2.go
@@ -1,7 +1,7 @@
// -*- Mode: Go; indent-tabs-mode: t -*-
/*
- * Copyright (C) 2016 Canonical Ltd
+ * Copyright (C) 2016-2017 Canonical Ltd
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 3 as
@@ -87,9 +87,12 @@ umount /{,run/}media/**,
# give raw read access to the system disks and therefore the entire system.
/dev/sd* r,
/dev/mmcblk* r,
+
+# Needed for probing raw devices
+capability sys_rawio,
`
-var udisks2ConnectedSlotAppArmor = []byte(`
+const udisks2ConnectedSlotAppArmor = `
# Allow connected clients to interact with the service. This gives privileged
# access to the system.
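Review bot: The added `capability sys_rawio,` rule is documented only by `# Needed for probing raw devices`, which understates the grant. CAP_SYS_RAWIO is not specific to disks; it also covers raw I/O port access and a range of privileged device operations, so it widens the profile well beyond the `/dev/sd* r` and `/dev/mmcblk* r` reads just above it. The comment should name the udisks operation that is denied without it and say the capability is broader than that, for example `# Needed for probing raw devices (<operation denied without it>); note sys_rawio is not limited to block devices.` The policy constant this rule belongs to starts outside the hunk, so confirm which snippet (and therefore which side of the connection) receives the capability.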
@@ -112,9 +115,9 @@ dbus (receive, send)
path=/org/freedesktop/UDisks2/**
interface=org.freedesktop.UDisks2.*
peer=(label=###PLUG_SECURITY_TAGS###),
-`)
+`
-var udisks2ConnectedPlugAppArmor = []byte(`
+const udisks2ConnectedPlugAppArmor = `
# Description: Allow using udisks service. This gives privileged access to the
# service.
@@ -139,7 +142,7 @@ dbus (receive, send)
path=/org/freedesktop/UDisks2/**
interface=org.freedesktop.UDisks2.*
peer=(label=###SLOT_SECURITY_TAGS###),
-`)
+`
const udisks2PermanentSlotSecComp = `
bind
@@ -341,7 +344,7 @@ func (iface *UDisks2Interface) ConnectedPlugSnippet(plug *interfaces.Plug, slot
case interfaces.SecurityAppArmor:
old := []byte("###SLOT_SECURITY_TAGS###")
new := slotAppLabelExpr(slot)
- snippet := bytes.Replace(udisks2ConnectedPlugAppArmor, old, new, -1)
+ snippet := bytes.Replace([]byte(udisks2ConnectedPlugAppArmor), old, new, -1)
return snippet, nil
case interfaces.SecurityDBus:
return []byte(udisks2ConnectedPlugDBus), nil
@@ -368,7 +371,7 @@ func (iface *UDisks2Interface) ConnectedSlotSnippet(plug *interfaces.Plug, slot
case interfaces.SecurityAppArmor:
old := []byte("###PLUG_SECURITY_TAGS###")
new := plugAppLabelExpr(plug)
- snippet := bytes.Replace(udisks2ConnectedSlotAppArmor, old, new, -1)
+ snippet := bytes.Replace([]byte(udisks2ConnectedSlotAppArmor), old, new, -1)
return snippet, nil
}
return nil, nil
diff --git a/interfaces/builtin/unity7.go b/interfaces/builtin/unity7.go
index 4aad6fa134..ab5ce4c3b6 100644
--- a/interfaces/builtin/unity7.go
+++ b/interfaces/builtin/unity7.go
@@ -457,7 +457,7 @@ dbus (send)
# Lttng tracing is very noisy and should not be allowed by confined apps. Can
# safely deny. LP: #1260491
-deny /{,var/}{dev,run}/shm/lttng-ust-* r,
+deny /{dev,run,var/run}/shm/lttng-ust-* r,
`
// http://bazaar.launchpad.net/~ubuntu-security/ubuntu-core-security/trunk/view/head:/data/seccomp/policygroups/ubuntu-core/16.04/unity7
diff --git a/snap/implicit.go b/snap/implicit.go
index f83c995e44..127ea55c97 100644
--- a/snap/implicit.go
+++ b/snap/implicit.go
@@ -31,6 +31,7 @@ var implicitSlots = []string{
"account-control",
"alsa",
"bluetooth-control",
+ "browser-support",
"camera",
"classic-support",
"core-support",
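Review bot: Moving `"browser-support"` out of `implicitClassicSlots` (second hunk) and into `implicitSlots` offers the slot on every system instead of classic only, and neither slice explains its membership criteria. Because this widens where a security-relevant interface can be connected, the entry deserves a short comment recording the reason, for example `// browser-support: needed on all-snap systems too (<reason>)`. The diffstat shows no test file changed alongside snap/implicit.go, so any test that pins the number of implicit slots on a non-classic system presumably needs updating. Both slices begin and end outside these hunks.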
@@ -73,7 +74,6 @@ var implicitSlots = []string{
var implicitClassicSlots = []string{
"avahi-observe",
- "browser-support",
"cups-control",
"gsettings",
"libvirt",
diff --git a/tests/main/docker/task.yaml b/tests/main/docker/task.yaml
index 5bc70632e4..8b22a109fe 100644
--- a/tests/main/docker/task.yaml
+++ b/tests/main/docker/task.yaml
@@ -12,6 +12,10 @@ prepare: |
# not count this.
snap install docker
+ # FIXME: this should not be needed but snap declaration is currently
+ # broken
+ snap connect docker:docker-cli docker:docker-daemon
+
restore: |
apt remove -y linux-image-extra-$(uname -r)-generic || true