Use apparmor-support module #189

Merged
merged 8 commits into from Nov 30, 2016

Conversation

Projects
None yet
2 participants
Collaborator

zyga commented Nov 23, 2016

This branch builds upon #188 to switch all of snap-confine over to the wrapped apparmor APIs.

The main commit describes why this is beneficial:

This patch changes snap-confine to call apparmor functions indirectly,
through apparmor-support APIs. Those APIs are always available, even if
apparmor is not enabled at compile time. This cuts the number of ifdefs
that have to be scattered around the code a little.

As an indirect improvement the sc_maybe_aa_change_hat() function relies
on an earlier call to sc_apparmor_init() which calls aa_getcon() to
determine if the snap-confine process is itself confined. If it is not,
the hat change is not attempted as it would always fail.

Signed-off-by: Zygmunt Krynicki zygmunt.krynicki@canonical.com

zyga added some commits Nov 23, 2016

Use apparmor-support to interact with apparmor
This patch changes snap-confine to call apparmor functions indirectly,
through apparmor-support APIs. Those APIs are always available, even if
apparmor is not enabled at compile time. This cuts the number of ifdefs
that have to be scattered around the code a little.

As an indirect improvement the sc_maybe_aa_change_hat() function relies
on an earlier call to sc_apparmor_init() which calls aa_getcon() to
determine if the snap-confine process is itself confined. If it is not,
the hat change is not attempted as it would always fail.

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
Adjust apparmor profile to allow reading of the 'attr/current'
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
Allow additional things for aa_is_enabled()
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>

Looks good.

src/snap-confine.apparmor.in
+ # Reading current profile
+ @{PROC}/[0-9]*/attr/current r,
+
+ # Probably to find where apparmor is mounted
@tyhicks

tyhicks Nov 30, 2016

Collaborator

You can drop the "probably" here. It is used to find where securityfs is mounted.

@zyga

zyga Nov 30, 2016

Collaborator

Thanks, I will

Tweak comment
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>

@zyga zyga merged commit 19a7ebe into master Nov 30, 2016

1 check was pending

continuous-integration/travis-ci/pr The Travis CI build is in progress
Details

@zyga zyga deleted the use-aa-support branch Nov 30, 2016

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment