interfaces: apparmor support for classic confinement #2366

Merged
merged 3 commits into snapcore:master from zyga:classic-confinement-apparmor on Nov 29, 2016

4 participants
Contributor

zyga commented Nov 28, 2016

This simple branch adds apparmor support for classic confinement. In classic confinement (when interfaces.ConfinementOptions{Classic: true}) apparmor is in non-enforcing mode. As with devmode, using the JailMode flag forces enforcing confinement.

zyga added some commits Nov 28, 2016

interfaces/apparmor: shorten test data
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
interfaces/apparmor: classic confinement is non-enforcing
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
interfaces/apparmor: add tests for classic confinement
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>

@mvo5 mvo5 merged commit 4a53918 into snapcore:master Nov 29, 2016

5 checks passed:

continuous-integration/travis-ci/pr: The Travis CI build passed
xenial-amd64 autopkgtest finished (success)
xenial-i386 autopkgtest finished (success)
yakkety-amd64 autopkgtest finished (success)
zesty-amd64 autopkgtest finished (success)

@zyga zyga deleted the zyga:classic-confinement-apparmor branch Nov 29, 2016

@@ -145,7 +145,7 @@ func (b *Backend) combineSnippets(snapInfo *snap.Info, opts interfaces.Confineme
func addContent(securityTag string, snapInfo *snap.Info, opts interfaces.ConfinementOptions, snippets map[string][][]byte, content map[string]*osutil.FileState) {
policy := defaultTemplate
- if opts.DevMode && !opts.JailMode {
+ if (opts.DevMode || opts.Classic) && !opts.JailMode {
policy = attachPattern.ReplaceAll(policy, attachComplain)
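Review bot: folding `opts.Classic` into the devmode branch means a classic snap runs under the full strict `defaultTemplate` flipped to complain mode by `attachPattern`/`attachComplain`, so every access the strict rules would have denied is logged (not blocked) for a snap that is meant to be unconfined anyway; that is a large volume of audit noise with no policy benefit. Consider selecting a separate permissive template when `opts.Classic` is set rather than rewriting `defaultTemplate`, while keeping the `!opts.JailMode` override. A one-line comment stating that `JailMode` forces the enforcing strict profile even for classic snaps would also help, since the single condition now carries two different meanings.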
jdstrand Nov 29, 2016

Contributor

classic shouldn't complain; you'll get a ton of syslog entries when the snap is legitimately running in classic. Instead please generate a different profile, e.g.:

$ cat /var/lib/snapd/apparmor/profiles/snap.iam.classic
#include <tunables/global>

@{SNAP_NAME}="iam"
@{SNAP_REVISION}="x1"
@{INSTALL_DIR}="/snap"

# use complain to future-proof if we missed something
profile "snap.iam.classic" (attach_disconnected,complain) {
  # set file rules so that exec() inherit our profile unless there is
  # already a profile for it (eg, snap-confine)
  / rwkl,
  /** rwlkm,
  /** pix,

  capability,
  change_profile,
  dbus,
  network,
  mount,
  remount,
  umount,
  pivot_root,
  ptrace,
  signal,
  unix,
}
jdstrand Nov 29, 2016

Contributor

Alternatively, keep the template but add interfaces/builtin/classic.go with the above rules (and keep ',complain'). classic.go could also use '@unrestricted' for seccomp. The potential downside is this approach makes 'classic' show up in 'snap interfaces'.
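
The two approaches under discussion side by side, as an added example that is not snapd's code: the merged hunk's selection logic (strict template rewritten into complain mode for devmode and classic alike) next to the alternative raised in review (a dedicated permissive profile for classic, with ",complain" kept only as a safety net). The ConfinementOptions type, the template strings and the ###TAG### placeholder are constructed stand-ins that follow the shape of the names in the hunk; they are not the real snapd types or templates.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// ConfinementOptions is a stand-in for the snapd type named in the pull
// request; the field names follow the discussion, the type itself is assumed.
type ConfinementOptions struct {
	DevMode  bool
	JailMode bool
	Classic  bool
}

// Constructed, deliberately small profile templates. ###TAG### is replaced by
// the security tag (for example "snap.iam.classic").
const strictTemplate = `#include <tunables/global>
profile "###TAG###" (attach_disconnected) {
  # strict rules derived from the snap's connected interfaces would go here
}
`

// classicTemplate carries the broad rules proposed in review and keeps
// ",complain" as a safety net. Because the rules already permit everything,
// the kernel has nothing to log, unlike a strict profile in complain mode.
const classicTemplate = `#include <tunables/global>
profile "###TAG###" (attach_disconnected,complain) {
  / rwkl,
  /** rwlkm,
  /** pix,
  capability,
  change_profile,
  dbus,
  network,
  mount,
  remount,
  umount,
  pivot_root,
  ptrace,
  signal,
  unix,
}
`

// attachPattern and attachComplain mimic the hunk's rewrite of the flags.
var attachPattern = regexp.MustCompile(`\(attach_disconnected\)`)

const attachComplain = "(attach_disconnected,complain)"

// PolicyAsMerged reproduces the merged hunk: devmode and classic both take
// the strict template and flip it into complain mode unless jailmode is set.
func PolicyAsMerged(tag string, opts ConfinementOptions) string {
	policy := strictTemplate
	if (opts.DevMode || opts.Classic) && !opts.JailMode {
		policy = attachPattern.ReplaceAllString(policy, attachComplain)
	}
	return strings.ReplaceAll(policy, "###TAG###", tag)
}

// PolicyWithClassicTemplate is the alternative from review: classic gets its
// own permissive profile, devmode still rewrites the strict template, and
// jailmode always forces the enforcing strict profile (as the PR describes).
func PolicyWithClassicTemplate(tag string, opts ConfinementOptions) string {
	var policy string
	switch {
	case opts.Classic && !opts.JailMode:
		policy = classicTemplate
	case opts.DevMode && !opts.JailMode:
		policy = attachPattern.ReplaceAllString(strictTemplate, attachComplain)
	default:
		policy = strictTemplate
	}
	return strings.ReplaceAll(policy, "###TAG###", tag)
}

// Enforcing reports whether a generated profile denies (rather than only
// logs) accesses that its rules do not allow.
func Enforcing(profile string) bool {
	return !strings.Contains(profile, ",complain)")
}

func main() {
	cases := []ConfinementOptions{{}, {DevMode: true}, {Classic: true}, {Classic: true, JailMode: true}}
	for _, opts := range cases {
		p := PolicyWithClassicTemplate("snap.iam.classic", opts)
		fmt.Printf("%+v enforcing=%v rules=%d\n", opts, Enforcing(p), strings.Count(p, ",\n"))
	}
}
```

The point the functions make concrete: with PolicyAsMerged a classic snap is still governed by the strict rule set, only in complain mode, so each access outside those rules produces an audit entry; with PolicyWithClassicTemplate the classic profile's own rules allow the access, so nothing is logged, and ",complain" only catches a rule the template forgot.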

zyga Nov 29, 2016

Contributor

+1, I'll do that early tomorrow.
