Use apparmor-support module #189

Merged
merged 8 commits into from Nov 30, 2016
@@ -12,6 +12,8 @@ decode_mount_opts_SOURCES = \
snap_discard_ns_SOURCES = \
ns-support.c \
ns-support.h \
+ apparmor-support.c \
+ apparmor-support.h \
utils.c \
utils.h \
secure-getenv.c \
@@ -102,6 +104,8 @@ snap_confine_unit_tests_SOURCES = \
verify-executable-name-test.c \
mountinfo-test.c \
ns-support-test.c \
+ apparmor-support.c \
+ apparmor-support.h \
mount-opt-test.c
snap_confine_unit_tests_CFLAGS = $(snap_confine_CFLAGS) $(GLIB_CFLAGS)
snap_confine_unit_tests_LDADD = $(snap_confine_LDADD) $(GLIB_LIBS)
@@ -36,9 +36,6 @@
#include <sys/vfs.h>
#include <sys/wait.h>
#include <unistd.h>
-#ifdef HAVE_APPARMOR
-#include <sys/apparmor.h>
-#endif // ifdef HAVE_APPARMOR
#include "utils.h"
#include "user-support.h"
@@ -322,7 +319,8 @@ void sc_unlock_ns_mutex(struct sc_ns_group *group)
debug("released lock for namespace group %s", group->name);
}
-void sc_create_or_join_ns_group(struct sc_ns_group *group)
+void sc_create_or_join_ns_group(struct sc_ns_group *group,
+ struct sc_apparmor *apparmor)
{
// Open the mount namespace file.
char mnt_fname[PATH_MAX];
@@ -414,15 +412,12 @@ void sc_create_or_join_ns_group(struct sc_ns_group *group)
// It will do so by bind-mounting the SC_NS_MNT_FILE after the parent
// process calls unshare() and finishes setting up the namespace
// completely.
-#ifdef HAVE_APPARMOR
// Change the hat to a sub-profile that has limited permissions
// necessary to accomplish the capture of the mount namespace.
debug
("changing apparmor hat of the support process for mount namespace capture");
- if (aa_change_hat("mount-namespace-capture-helper", 0) < 0) {
- die("cannot change apparmor hat of the support process for mount namespace capture");
- }
-#endif
+ sc_maybe_aa_change_hat(apparmor,
+ "mount-namespace-capture-helper", 0);
// Configure the child to die as soon as the parent dies. In an odd
// case where the parent is killed then we don't want to complete our
// task or wait for anything.
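Review bot: The result of `sc_maybe_aa_change_hat(apparmor, "mount-namespace-capture-helper", 0)` is not checked here, whereas the removed code called die() when aa_change_hat() failed; the same applies to `sc_maybe_aa_change_onexec(&apparmor, security_tag)` in the main() hunk, which replaces the check that stopped the launch when the profile transition failed. The helpers are not shown on this page, so confirm that they die on a failed transition and skip only when AppArmor is really unavailable, and document that at the call, e.g. `// dies on failure; no-op only when apparmor is disabled or unsupported`. The debug line above the call now sits outside the old #ifdef, so it is logged even on builds or systems where no hat change happens. The function body starts and ends outside this hunk.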
@@ -20,6 +20,8 @@
#include <stdbool.h>
+#include "apparmor-support.h"
+
/**
* Initialize namespace sharing.
*
@@ -114,7 +116,8 @@ void sc_unlock_ns_mutex(struct sc_ns_group *group);
*
* @returns true if the mount namespace needs to be populated
**/
-void sc_create_or_join_ns_group(struct sc_ns_group *group);
+void sc_create_or_join_ns_group(struct sc_ns_group *group,
+ struct sc_apparmor *apparmor);
/**
* Check if the namespace needs to be populated.
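Review bot: The doc comment above the prototype does not describe the new `apparmor` parameter, and it still ends with `@returns true if the mount namespace needs to be populated` although the function returns void. Add a sentence such as `The apparmor argument must point to a structure prepared by sc_init_apparmor_support(); it is used to change hat in the support process.` and drop the stale `@returns` line. The comment begins outside this hunk.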
@@ -54,6 +54,13 @@
# changing profile
@{PROC}/[0-9]*/attr/exec w,
+ # Reading current profile
+ @{PROC}/[0-9]*/attr/current r,
+
+ # To find where apparmor is mounted
+ @{PROC}/[0-9]*/mounts r,
+ # To find if apparmor is enabled
+ /sys/module/apparmor/parameters/enabled r,
# Don't allow changing profile to unconfined or profiles that start with
# '/'. Use 'unsafe' to support snap-exec on armhf and its reliance on
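Review bot: The two new /proc rules use the `[0-9]*` glob, so they permit reading `attr/current` and `mounts` of any process rather than only snap-confine's own entries, and the comments do not say which code needs them. If these reads come from the new apparmor-support module probing its own confinement (that module is not shown on this page), say so in the profile, e.g. `# Reading our own current profile (apparmor-support.c)`, so a later audit can tell whether the wider match is intentional or can be narrowed. The profile continues outside this hunk.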
@@ -22,9 +22,6 @@
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
-#ifdef HAVE_APPARMOR
-#include <sys/apparmor.h>
-#endif // ifdef HAVE_APPARMOR
#include "classic.h"
#include "mount-support.h"
@@ -39,6 +36,7 @@
#include "ns-support.h"
#include "quirks.h"
#include "secure-getenv.h"
+#include "apparmor-support.h"
int main(int argc, char **argv)
{
@@ -79,6 +77,8 @@ int main(int argc, char **argv)
die("need to run as root or suid");
}
#endif
+ struct sc_apparmor apparmor;
+ sc_init_apparmor_support(&apparmor);
#ifdef HAVE_SECCOMP
scmp_filter_ctx seccomp_ctx
__attribute__ ((cleanup(sc_cleanup_seccomp_release))) = NULL;
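Review bot: `struct sc_apparmor apparmor;` holds indeterminate values until `sc_init_apparmor_support(&apparmor)` fills it, and it is later passed to the sc_maybe_aa_* helpers, which presumably use it to decide whether the hat change and the on-exec profile transition are applied. Unless the init function is guaranteed to write every field (its body is not on this page), zero-initialise at the declaration: `struct sc_apparmor apparmor = { 0 };`. main() starts and ends outside this hunk.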
@@ -94,7 +94,7 @@ int main(int argc, char **argv)
struct sc_ns_group *group = NULL;
group = sc_open_ns_group(group_name, 0);
sc_lock_ns_mutex(group);
- sc_create_or_join_ns_group(group);
+ sc_create_or_join_ns_group(group, &apparmor);
if (sc_should_populate_ns_group(group)) {
sc_populate_mount_ns(security_tag);
sc_preserve_populated_ns_group(group);
@@ -130,15 +130,7 @@ int main(int argc, char **argv)
setup_user_xdg_runtime_dir();
// https://wiki.ubuntu.com/SecurityTeam/Specifications/SnappyConfinement
-#ifdef HAVE_APPARMOR
- int rc = 0;
- // set apparmor rules
- rc = aa_change_onexec(security_tag);
- if (rc != 0) {
- if (secure_getenv("SNAPPY_LAUNCHER_INSIDE_TESTS") == NULL)
- die("aa_change_onexec failed with %i", rc);
- }
-#endif // ifdef HAVE_APPARMOR
+ sc_maybe_aa_change_onexec(&apparmor, security_tag);
#ifdef HAVE_SECCOMP
sc_load_seccomp_context(seccomp_ctx);
#endif // ifdef HAVE_SECCOMP