Add apparmor support module

[zyga]

This patch adds a new set of files, mimicking the xxx-support pattern
used for other changes, that so some extent abstracts the use of
apparmor in snap-confine.

Even when snap-confine is not compiled with apparmor support the same
APIs are available and gracefully degrade to no-ops.

As a small extension, snap confine can now know if it is confined (e.g.
a development version running in a random directory is not confined) and
will no longer crash when changing hats via aa_change_hat().

The patch doesn't yet change any of the tree to use the new functions.
This will be done in the next commit.

Signed-off-by: Zygmunt Krynicki zygmunt.krynicki@canonical.com

[tyhicks]

This looks good. I only have two small suggestions that I left inline.

[tyhicks]

This misses the situation where AppArmor support is compiled into snap-confine but AppArmor has been explicitly disabled by passing "apparmor=0" on the kernel command line. aa_getcon() will return -1 with errno set to EINVAL in this condition but that errno unfortunately overlaps with some other conditions.

The definitive way to see if AppArmor is enabled is aa_is_enabled(). You should call it first and, if it returns 1, proceed to calling aa_getcon() to check if snap-confine is confined. See the aa_is_enabled() man page for details.

[zyga]

+1 Thanks for this feedback. I'll do this.

[tyhicks]

You'll want to check for "mixed" mode here. I've left a more descriptive review comment in the accompanying header file.

[zyga]

Ack

[tyhicks]

There is a new'ish mode (as of the 16.04 kernel), called "mixed". It means that two or more AppArmor profiles are stacked together but not all of their enforcement modes are the same. The mode string returned from aa_getcon() is "mixed".

[zyga]

Thanks, I'll update the code to handle this as well.