interfaces/apparmor: allow access to core snap #2413
zyga added the Critical label on Dec 6, 2016
Based on conversations with @zyga, jailmode with --classic has been defined as strict mode plus read-only access to all of the core snap. As such, please:
This makes the intent of the default template clear that it is (still) a subset of core and makes policy audits clearer.
Thanks for the review @jdstrand. I'll document the whole confinement story on the wiki. As for the extra core rule, I can do that via a fake snippet. I'll ping you for a second look.
Thanks! I think it will also help us future-proof a bit. I have a suspicion that we'll want to add another rule or two for classic that may not be appropriate for regular strict mode, and this will facilitate that.
niemeyer approved these changes on Dec 12, 2016
Per our discussion in the channel, LGTM as long as this is opened up only if --jailmode is actually used. We currently don't allow normal snaps to read all of core in its usual mount point, so it wouldn't make a lot of sense to allow them to read it only in an alternative path in general (either it's okay to read, or it's not).
Sorry, to be clear, --jailmode and --classic, not just --jailmode.
| + // Add a special internal snippet for snaps using classic confinement | ||
| + // and jailmode together. This snippet provides access to the core snap | ||
| + // so that the dynamic linker and shared libraries can be used. | ||
| + tagSnippets = append(tagSnippets, classicJailmodeSnippet) |
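Review bot: the comment above this append says the snippet is for "classic confinement and jailmode together" but not why the other combinations (plain strict, --devmode with or without --jailmode, --classic alone) are deliberately excluded; a reader auditing the generated policy needs that rationale next to the gating condition, so state it here rather than only in the PR discussion. The append also places the internal snippet after whatever is already in tagSnippets, i.e. after the interface-supplied snippets; putting it first, e.g. `tagSnippets = append([][]byte{classicJailmodeSnippet}, tagSnippets...)`, keeps the profile readable as "default template, then core access, then per-interface rules".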
niemeyer (Contributor) commented on Dec 12, 2016:
I think it'd make more sense to have this before the custom snippets.
zyga added some commits on Dec 12, 2016
| + } else { | ||
| + tagSnippets = snippets[securityTag] | ||
| + } | ||
| + return bytes.Join(tagSnippets, []byte("\n")) |
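Review bot: the else branch assigns the map's own slice to tagSnippets; if the classic-plus-jailmode branch above starts from that same `snippets[securityTag]` slice and then appends classicJailmodeSnippet, the append can write into the map's backing array whenever it has spare capacity, so the core-access snippet would leak into later profiles generated for that tag. Build the list in a fresh slice, e.g. `tagSnippets = append([][]byte{classicJailmodeSnippet}, snippets[securityTag]...)`, which avoids aliasing and also puts the internal snippet before the custom ones. `bytes.Join` on a nil slice returns an empty result, so the else branch is fine for tags with no snippets.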
jdstrand (Contributor) commented on Dec 12, 2016:
Thank you for this addition. @niemeyer was right to point out that we only want to give read access to the core snap when using --classic with --jailmode (thanks for that!). With strict, we don't want this rule. With just --classic, we don't need this rule. With --devmode plus --jailmode, we don't want this rule. Only with --classic plus --jailmode do we need it.
LGTM but please add this comment above 'if opts.Classic && opts.JailMode {':
# Only add the classicJailmodeSnippet when using --classic plus --jailmode. Why?
# - normal strict mode shouldn't have it since we don't want to subvert the default
# template
# - --devmode with or without --jailmode shouldn't have it since it wouldn't
# accurately represent complain-mode strict
# - --classic without --jailmode doesn't need it since it uses different (non-strict)
# policy
# - --classic with --jailmode is defined as strict policy plus read-only access to the
# core snap
zyga commented on Dec 6, 2016
This patch changes the default apparmor template to allow read access to
the core snap (at any revision). This is required to allow classic snaps
that use the dynamic linker or libraries when they were forcibly
confined with jailmode.
Signed-off-by: Zygmunt Krynicki zygmunt.krynicki@canonical.com