snapcore · zyga · Nov 30, 2016 · Nov 23, 2016 · Nov 23, 2016 · Nov 23, 2016
diff --git a/src/Makefile.am b/src/Makefile.am
@@ -12,6 +12,8 @@ decode_mount_opts_SOURCES = \
 snap_discard_ns_SOURCES = \
 	ns-support.c \
 	ns-support.h \
+	apparmor-support.c \
+	apparmor-support.h \
 	utils.c \
 	utils.h \
 	secure-getenv.c \
@@ -102,6 +104,8 @@ snap_confine_unit_tests_SOURCES = \
 	verify-executable-name-test.c \
 	mountinfo-test.c \
 	ns-support-test.c \
+	apparmor-support.c \
+	apparmor-support.h \
 	mount-opt-test.c
 snap_confine_unit_tests_CFLAGS = $(snap_confine_CFLAGS) $(GLIB_CFLAGS)
 snap_confine_unit_tests_LDADD = $(snap_confine_LDADD) $(GLIB_LIBS)
diff --git a/src/ns-support.c b/src/ns-support.c
@@ -36,9 +36,6 @@
 #include <sys/vfs.h>
 #include <sys/wait.h>
 #include <unistd.h>
-#ifdef HAVE_APPARMOR
-#include <sys/apparmor.h>
-#endif				// ifdef HAVE_APPARMOR
 
 #include "utils.h"
 #include "user-support.h"
@@ -322,7 +319,8 @@ void sc_unlock_ns_mutex(struct sc_ns_group *group)
 	debug("released lock for namespace group %s", group->name);
 }
 
-void sc_create_or_join_ns_group(struct sc_ns_group *group)
+void sc_create_or_join_ns_group(struct sc_ns_group *group,
+				struct sc_apparmor *apparmor)
 {
 	// Open the mount namespace file.
 	char mnt_fname[PATH_MAX];
@@ -414,15 +412,12 @@ void sc_create_or_join_ns_group(struct sc_ns_group *group)
 		// It will do so by bind-mounting the SC_NS_MNT_FILE after the parent
 		// process calls unshare() and finishes setting up the namespace
 		// completely.
-#ifdef HAVE_APPARMOR
 		// Change the hat to a sub-profile that has limited permissions
 		// necessary to accomplish the capture of the mount namespace.
 		debug
 		    ("changing apparmor hat of the support process for mount namespace capture");
-		if (aa_change_hat("mount-namespace-capture-helper", 0) < 0) {
-			die("cannot change apparmor hat of the support process for mount namespace capture");
-		}
-#endif
+		sc_maybe_aa_change_hat(apparmor,
+				       "mount-namespace-capture-helper", 0);
 		// Configure the child to die as soon as the parent dies. In an odd
 		// case where the parent is killed then we don't want to complete our
 		// task or wait for anything.
diff --git a/src/ns-support.h b/src/ns-support.h
@@ -20,6 +20,8 @@
 
 #include <stdbool.h>
 
+#include "apparmor-support.h"
+
 /**
  * Initialize namespace sharing.
  *
@@ -114,7 +116,8 @@ void sc_unlock_ns_mutex(struct sc_ns_group *group);
  *
  * @returns true if the mount namespace needs to be populated
  **/
-void sc_create_or_join_ns_group(struct sc_ns_group *group);
+void sc_create_or_join_ns_group(struct sc_ns_group *group,
+				struct sc_apparmor *apparmor);
 
 /**
  * Check if the namespace needs to be populated.
diff --git a/src/snap-confine.apparmor.in b/src/snap-confine.apparmor.in
@@ -54,6 +54,13 @@
 
     # changing profile
     @{PROC}/[0-9]*/attr/exec w,
+    # Reading current profile
+    @{PROC}/[0-9]*/attr/current r,
+
+    # To find where apparmor is mounted
+    @{PROC}/[0-9]*/mounts r,
+    # To find if apparmor is enabled
+    /sys/module/apparmor/parameters/enabled r,
 
     # Don't allow changing profile to unconfined or profiles that start with
     # '/'. Use 'unsafe' to support snap-exec on armhf and its reliance on
diff --git a/src/snap-confine.c b/src/snap-confine.c
@@ -22,9 +22,6 @@
 #include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
-#ifdef HAVE_APPARMOR
-#include <sys/apparmor.h>
-#endif				// ifdef HAVE_APPARMOR
 
 #include "classic.h"
 #include "mount-support.h"
@@ -39,6 +36,7 @@
 #include "ns-support.h"
 #include "quirks.h"
 #include "secure-getenv.h"
+#include "apparmor-support.h"
 
 int main(int argc, char **argv)
 {
@@ -79,6 +77,8 @@ int main(int argc, char **argv)
 		die("need to run as root or suid");
 	}
 #endif
+	struct sc_apparmor apparmor;
+	sc_init_apparmor_support(&apparmor);
 #ifdef HAVE_SECCOMP
 	scmp_filter_ctx seccomp_ctx
 	    __attribute__ ((cleanup(sc_cleanup_seccomp_release))) = NULL;
@@ -94,7 +94,7 @@ int main(int argc, char **argv)
 		struct sc_ns_group *group = NULL;
 		group = sc_open_ns_group(group_name, 0);
 		sc_lock_ns_mutex(group);
-		sc_create_or_join_ns_group(group);
+		sc_create_or_join_ns_group(group, &apparmor);
 		if (sc_should_populate_ns_group(group)) {
 			sc_populate_mount_ns(security_tag);
 			sc_preserve_populated_ns_group(group);
@@ -130,15 +130,7 @@ int main(int argc, char **argv)
 	setup_user_xdg_runtime_dir();
 
 	// https://wiki.ubuntu.com/SecurityTeam/Specifications/SnappyConfinement
-#ifdef HAVE_APPARMOR
-	int rc = 0;
-	// set apparmor rules
-	rc = aa_change_onexec(security_tag);
-	if (rc != 0) {
-		if (secure_getenv("SNAPPY_LAUNCHER_INSIDE_TESTS") == NULL)
-			die("aa_change_onexec failed with %i", rc);
-	}
-#endif				// ifdef HAVE_APPARMOR
+	sc_maybe_aa_change_onexec(&apparmor, security_tag);
 #ifdef HAVE_SECCOMP
 	sc_load_seccomp_context(seccomp_ctx);
 #endif				// ifdef HAVE_SECCOMP