/snap-confine

Use apparmor-support module #189

Merged
merged 8 commits into from Nov 30, 2016
+24 −23

Conversation

Reviewers

@tyhicks tyhicks

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
2 participants
@zyga @tyhicks
@zyga
Collaborator

zyga commented Nov 23, 2016

This branch builds upon #188 to switch all of snap-confine over to the wrapped apparmor APIs.

The main commit describes why this is beneficial:

This patch changes snap-confine to call apparmor functions indirectly,
through apparmor-support APIs. Those APIs are always available, even if
apparmor is not enabled at compile time. This cuts the number of ifdefs
that have to be scattered around the code a little.

As an indirect improvement the sc_maybe_aa_change_hat() function relies
on an earlier call to sc_apparmor_init() which calls aa_getcon() to
determine if the snap-confine process is itself confined. If it is not,
the hat change is not attempted as it would always fail.

Signed-off-by: Zygmunt Krynicki zygmunt.krynicki@canonical.com

zyga added some commits Nov 23, 2016

@zyga
Use apparmor-support to interact with apparmor 
This patch changes snap-confine to call apparmor functions indirectly,
through apparmor-support APIs. Those APIs are always available, even if
apparmor is not enabled at compile time. This cuts the number of ifdefs
that have to be scattered around the code a little.

As an indirect improvement the sc_maybe_aa_change_hat() function relies
on an earlier call to sc_apparmor_init() which calls aa_getcon() to
determine if the snap-confine process is itself confined. If it is not,
the hat change is not attempted as it would always fail.

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
5da0029
@zyga
Merge remote-tracking branch 'origin/master' into use-aa-support
554667e
@zyga
Adjust apparmor profile to allow reading of the 'attr/current' 
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
bc59404
@zyga
Merge branch 'aa-support' into use-aa-support
bf659f2
@zyga
Merge branch 'aa-support' into use-aa-support
eb3cb4f
@zyga
Merge branch 'master' of github.com:snapcore/snap-confine into use-aa… 
…-support
6a51f46
@zyga
Allow additional things for aa_is_enabled() 
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
d010269
@tyhicks

tyhicks approved these changes Nov 30, 2016
View changes

Looks good.

src/snap-confine.apparmor.in
+ # Reading current profile
+ @{PROC}/[0-9]*/attr/current r,
+
+ # Probably to find where apparmor is mounted
@tyhicks

tyhicks Nov 30, 2016

Collaborator

You can drop the "probably" here. It is used to find where securityfs is mounted.

@zyga

zyga Nov 30, 2016

Collaborator

Thanks, I will

@zyga
Tweak comment 
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
5a3f6af

@zyga zyga merged commit 19a7ebe into master Nov 30, 2016
1 check was pending

1 check was pending

continuous-integration/travis-ci/pr The Travis CI build is in progress
Details

@zyga zyga deleted the use-aa-support branch Nov 30, 2016

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment