Add --disable-confinement configure option #18

Merged
merged 4 commits into from Jun 2, 2016
15 PORTING
@@ -0,0 +1,15 @@
+Welcome brave porters!
+
+This file is intended to guide you towards porting snappy (comprised of snapd
+and this project, snap-confine) to work on a new kernel. The confinement setup by
+snap-confine has several requirements on the kernel.
+
+TODO: list required patches (apparmor, seccomp)
+TODO: list required kernel configufation
+TODO: list minimum supported kernel version
@jdstrand

jdstrand Jun 2, 2016

Contributor

It looks like this is the link: https://developer.ubuntu.com/en/snappy/guides/porting/ but it still hasn't been updated yet.

+
+While you are working on porting those patches to your kernel of choice, you
+may configure snap-confine with --disable-security. This switch drops
+requirement on apparmor, seccomp and udev and reduces snap-confine to arrange
@jdstrand

jdstrand Jun 2, 2016

Contributor

Minor nit: the path actually drops apparmor, seccomp, udev, private mount and devpts newinstance.

+the filesystem in a correct way for snaps to operate without really confining
+them in any way.
@@ -32,10 +32,34 @@ AC_FUNC_FORK
AC_FUNC_STRNLEN
AC_CHECK_FUNCS([mkdir regcomp setenv strdup strerror])
-# Check for required external libraries
-PKG_CHECK_MODULES([UDEV], [libudev])
-PKG_CHECK_MODULES([SECCOMP], [libseccomp])
-PKG_CHECK_MODULES([APPARMOR], [libapparmor])
+# Allow to build without confinement by calling:
+# ./configure --disable-confinement
+# This makes it possible to run snaps in devmode on almost any host,
+# regardless of the kernel version.
+AC_ARG_ENABLE([confinement],
+ AS_HELP_STRING([--disable-confinement], [Disable strict confinement]),
+ [case "${enableval}" in
+ yes) enable_confinement=yes ;;
+ no) enable_confinement=no ;;
+ *) AC_MSG_ERROR([bad value ${enableval} for --disable-confinement])
+ esac], [enable_confinement=yes])
+AM_CONDITIONAL([STRICT_CONFINEMENT], [test "x$enable_confinement" = "xyes"])
+
+# Check for required external libraries when confinement is enabled.
+AS_IF([test "x$enable_confinement" = "xyes"], [
+ PKG_CHECK_MODULES([APPARMOR], [libapparmor])
+ PKG_CHECK_MODULES([SECCOMP], [libseccomp])
+ PKG_CHECK_MODULES([UDEV], [libudev])
+ AC_DEFINE([STRICT_CONFINEMENT], [1],
+ [Define if strict apparmor confinement is available])
+], [
+ AC_MSG_WARN([
+ XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+ X X
+ X Confinement disabled, all snaps will run in devmode X
+ X X
+ XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX])
+])
AC_CONFIG_FILES([Makefile src/Makefile tests/Makefile])
AC_OUTPUT
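Review bot: The AC_DEFINE description on L66, `Define if strict apparmor confinement is available`, understates what the symbol gates: in the src/main.c hunks the same STRICT_CONFINEMENT macro also switches seccomp loading, the udev/devices cgroup setup and the private mount and devpts setup, so a reader of config.h gets a narrower picture than the build actually encodes. Suggest `[Define to build with apparmor, seccomp and udev based confinement; when undefined snaps run unconfined (devmode)]`. The AC_MSG_ERROR text on L56 names `--disable-confinement` whichever spelling the user passed; since autoconf reports the option as `--enable-confinement`, `bad value ${enableval} for --enable-confinement` is the usual wording.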
@@ -1,15 +1,13 @@
bin_PROGRAMS = snap-confine
-snap_confine_SOURCES = main.c seccomp_utils.c utils.c
-snap_confine_CFLAGS = \
- -Wall -Werror \
- $(AM_CFLAGS) \
- $(SECCOMP_CFLAGS) \
- $(APPARMOR_CFLAGS) \
- $(UDEV_CFLAGS)
-snap_confine_LDADD = \
- $(SECCOMP_LIBS) \
- $(APPARMOR_LIBS) \
- $(UDEV_LIBS)
+snap_confine_SOURCES = main.c utils.c
+snap_confine_CFLAGS = -Wall -Werror
+snap_confine_LDADD =
+
+if STRICT_CONFINEMENT
+snap_confine_SOURCES += seccomp_utils.c
+snap_confine_CFLAGS += $(APPARMOR_CFLAGS) $(SECCOMP_CFLAGS) $(UDEV_CFLAGS)
+snap_confine_LDADD += $(APPARMOR_LIBS) $(SECCOMP_LIBS) $(UDEV_LIBS)
+endif
# Force particular coding style on all source and header files.
.PHONY: check-syntax
@@ -34,6 +32,7 @@ fmt:
indent -linux "$$f"; \
done;
+if STRICT_CONFINEMENT
# Install udev rules
install-data-local:
install -d -m 755 $(DESTDIR)/lib/udev/rules.d
@@ -43,6 +42,7 @@ install-data-local:
install-exec-local:
install -d -m 755 $(DESTDIR)/lib/udev
install -m 755 snappy-app-dev $(DESTDIR)/lib/udev/
+endif
# Ensure that snap-confine is +s (setuid)
install-exec-hook:
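Review bot: The rewritten `snap_confine_CFLAGS = -Wall -Werror` on L92 drops `$(AM_CFLAGS)`, which the removed block on L83 carried, so whatever the top-level build passes through AM_CFLAGS no longer reaches the snap-confine compile. Keep it as `snap_confine_CFLAGS = -Wall -Werror $(AM_CFLAGS)` and let the `+=` on L97 append to that. Separately, the `install-exec-hook` that makes the binary setuid (L114-L115) stays outside the `if STRICT_CONFINEMENT` block, so a --disable-confinement build still installs a setuid-root snap-confine; that is presumably still needed for the mount setup that remains compiled in, but a one-line comment such as `# setuid is still required without STRICT_CONFINEMENT: the mount setup runs as root` would stop a reader from assuming the hook was overlooked.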
@@ -18,13 +18,17 @@
#define _GNU_SOURCE
#endif
+#include "config.h"
+
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <limits.h>
#include <linux/sched.h>
#include <sys/mount.h>
+#ifdef STRICT_CONFINEMENT
#include <sys/apparmor.h>
+#endif // ifdef STRICT_CONFINEMENT
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
@@ -39,20 +43,23 @@
#include <ctype.h>
-#include "libudev.h"
-
#include "utils.h"
+#ifdef STRICT_CONFINEMENT
+#include "libudev.h"
#include "seccomp_utils.h"
+#endif // ifdef STRICT_CONFINEMENT
#define MAX_BUF 1000
+#ifdef STRICT_CONFINEMENT
struct snappy_udev {
struct udev *udev;
struct udev_enumerate *devices;
struct udev_list_entry *assigned;
char tagname[MAX_BUF];
size_t tagname_len;
};
+#endif // ifdef STRICT_CONFINEMENT
bool verify_appname(const char *appname)
{
@@ -72,6 +79,7 @@ bool verify_appname(const char *appname)
return (status == 0);
}
+#ifdef STRICT_CONFINEMENT
void run_snappy_app_dev_add(struct snappy_udev *udev_s, const char *path)
{
if (udev_s == NULL)
@@ -250,11 +258,14 @@ void setup_devices_cgroup(const char *appname, struct snappy_udev *udev_s)
}
}
+#endif // ifdef STRICT_CONFINEMENT
+
bool is_running_on_classic_distribution()
{
return (access("/var/lib/dpkg/status", F_OK) == 0);
}
+#ifdef STRICT_CONFINEMENT
void setup_private_mount(const char *appname)
{
uid_t uid = getuid();
@@ -341,6 +352,7 @@ void setup_private_pts()
die("unable to mount '/dev/pts/ptmx'->'/dev/ptmx'");
}
}
+#endif // ifdef STRICT_CONFINEMENT
void setup_snappy_os_mounts()
{
@@ -483,7 +495,9 @@ int main(int argc, char **argv)
die("Usage: %s <security-tag> <binary>", argv[0]);
const char *appname = argv[1];
+#ifdef STRICT_CONFINEMENT
const char *aa_profile = argv[1];
+#endif // ifdef STRICT_CONFINEMENT
const char *binary = argv[2];
uid_t real_uid = getuid();
gid_t real_gid = getgid();
@@ -516,6 +530,7 @@ int main(int argc, char **argv)
if (is_running_on_classic_distribution()) {
setup_snappy_os_mounts();
}
+#ifdef STRICT_CONFINEMENT
// set up private mounts
setup_private_mount(appname);
@@ -527,6 +542,7 @@ int main(int argc, char **argv)
if (snappy_udev_init(appname, &udev_s) == 0)
setup_devices_cgroup(appname, &udev_s);
snappy_udev_cleanup(&udev_s);
+#endif // ifdef STRICT_CONFINEMENT
// the rest does not so temporarily drop privs back to calling
// user (we'll permanently drop after loading seccomp)
@@ -545,6 +561,7 @@ int main(int argc, char **argv)
// https://wiki.ubuntu.com/SecurityTeam/Specifications/SnappyConfinement
+#ifdef STRICT_CONFINEMENT
int rc = 0;
// set apparmor rules
rc = aa_change_onexec(aa_profile);
@@ -554,6 +571,7 @@ int main(int argc, char **argv)
}
// set seccomp (note: seccomp_load_filters die()s on all failures)
seccomp_load_filters(aa_profile);
+#endif // ifdef STRICT_CONFINEMENT
// Permanently drop if not root
if (geteuid() == 0) {
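Review bot: The `#endif` on L215 closes the apparmor/seccomp block with no `#else`, so a --disable-confinement build reaches the privilege drop on L216 with no apparmor profile applied and no seccomp filter loaded, and nothing in the binary itself records that; the only notice is the configure-time AC_MSG_WARN. The comment on L203-L204, `(we'll permanently drop after loading seccomp)`, is also stale in that configuration, since seccomp_load_filters is now compiled out. Suggest an `#else` branch before L215 carrying a two-line comment stating that without STRICT_CONFINEMENT the process continues unconfined and the uid/gid drop below is the only boundary, and rewording L204 to `(we'll permanently drop after the confinement setup, if any)`. If a runtime signal is wanted so operators can tell an unconfined build apart, a single `fprintf(stderr, ...)` in that `#else` branch would do it. main() begins and ends outside these hunks.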