Update apparmor profile for snap-confine #73

Merged
merged 10 commits into from Jul 8, 2016

Ensure that /snap/bin cannot be used for bind mounts

commit 9b09f3a2e574bb7782b5be5beaefa4e6cc74ddd6 @zyga zyga committed Jul 7, 2016
@@ -120,8 +120,8 @@
mount options=(rw bind) /snap/*/** -> /snap/*/**,
mount options=(ro bind) /snap/*/** -> /snap/*/**,
@jdstrand

jdstrand Jul 7, 2016

Contributor

From IRC discussion (thanks @zyga for remembering the deny rules):

# but don't share /snap/bin
audit deny mount /snap/bin/** -> /**,
audit deny mount /** -> /snap/bin/**,
@zyga

zyga Jul 8, 2016

Collaborator

Done

# But we don't want anyone to touch /snap/bin
- deny audit mount /snap/bin/** -> /**,
- deny audit mount /** -> /snap/bin/**,
+ audit deny mount /snap/bin/** -> /**,
+ audit deny mount /** -> /snap/bin/**,
# nvidia handling, glob needs /usr/** and the launcher must be
# able to bind mount the nvidia dir
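Review bot: the qualifier order in the "+" lines is the correct one; apparmor.d(5) spells it "audit deny", so the old "deny audit" form in the "-" lines would not have been accepted by the parser rather than behaving as a different rule. Because deny rules take precedence over allow rules regardless of where they appear in the profile, these two lines also override the broader "/snap/*/** -> /snap/*/**" bind rules above them, which is the intent; the comment "# But we don't want anyone to touch /snap/bin" would be clearer if it said so, e.g. "# deny rules take precedence over the /snap/*/** bind rules above".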
@@ -0,0 +1,23 @@
+summary: Check that apparmor profiles prevents bind mounting /snap/bin anywhere
+# This is blacklisted on debian because it relies on apparmor mount mediation
+systems: [-debian-8]
+prepare: |
+ echo "Having installed the snapd-hacker-toolbelt snap"
+ snap install snapd-hacker-toolbelt
+ echo "We can change its mount profile externally to create bind mount /snap/bin somewhere"
+ echo "/snap/bin -> /snap/snapd-hacker-toolbelt/mnt"
+ mkdir -p /var/lib/snapd/mount
+ echo "/snap/bin /snap/snapd-hacker-toolbelt/current/mnt none bind,ro 0 0" > /var/lib/snapd/mount/snap.snapd-hacker-toolbelt.busybox.fstab
+ sysctl -w kernel.printk_ratelimit=0
+execute: |
+ cd /
+ echo "Let's clear the kernel ring buffer"
+ dmesg -c
+ echo "We can now run busybox true and expect it to fail"
+ ! /snap/bin/snapd-hacker-toolbelt.busybox true
+ echo "Not only the command failed because snap-confine failed, we see why!"
+ dmesg | grep 'apparmor="DENIED" operation="mount" info="failed srcname match" error=-13 profile="/usr/lib/snapd/snap-confine" name="/snap/snapd-hacker-toolbelt/[0-9]\+/mnt/" pid=[0-9]\+ comm="ubuntu-core-lau" srcname="/snap/bin/" flags="rw, bind"'
@jdstrand

jdstrand Jul 7, 2016

Contributor

This grep will be brittle in the long run since the kernel audit subsystem changes its output periodically; I suggest something like grep 'apparmor="DENIED" .* srcname="/snap/bin/"' and leave it at that.

+restore: |
+ snap remove snapd-hacker-toolbelt
+ rm -rf /var/snap/snapd-hacker-toolbelt
+ rm -f /var/lib/snapd/mount/snap.snapd-hacker-toolbelt.busybox.fstab
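Review bot: the prepare step runs "sysctl -w kernel.printk_ratelimit=0" but the restore step never puts the previous value back, so the machine is left with printk rate limiting disabled after this test; save the old value in prepare (e.g. "sysctl -n kernel.printk_ratelimit > /tmp/printk_ratelimit.orig") and restore it from that file in restore. Two smaller points in the same hunk: the echo line announces the bind mount as "/snap/bin -> /snap/snapd-hacker-toolbelt/mnt" while the fstab entry written on the next line uses "/snap/snapd-hacker-toolbelt/current/mnt", so the message should match the entry; and the grep pins comm="ubuntu-core-lau" even though the profile name is already "/usr/lib/snapd/snap-confine", so dropping the pid, comm and name fields as suggested above also keeps the check from breaking when the launcher's process name changes.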