interfaces/apparmor: allow access to core snap #2413
Conversation
This patch changes the default apparmor template to allow read access to the core snap (at any revision). This is required to allow classic snaps that use the dynamic linker or libraries when they were forcibly confined with jailmode. Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
|
Based on conversations with @zyga, jailmode with --classic has been defined as strict mode plus read-only access to all of the core snap. As such, please:
This makes the intent of the default template clear that it is (still) a subset of core and makes policy audits clearer. |
|
Thanks for the review @jdstrand. I'll document the whole confinement story on the wiki. As for the extra core rule, I can do that via a fake snippet. I'll ping you for a second look. |
|
Thanks! I think it will also help us future-proof a bit-- I have a suspicion that we'll want to add another rule or two for classic that may not be appropriate for regular strict mode and this will facilitate that. |
This patch tweaks earlier code so that when both jailmode and classic confinement is used a special snippet is internally added. This snippet provides read only access to the core snap so that the dynamic linker and runtime libraries can be accessed. Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
There was a problem hiding this comment.
Per our discussion in the channel, LGTM as long as this is opened up only if --jailmode is actually used. We currently don't allow normal snaps to read all of core in its usual mount point, so it wouldn't make a lot of sense to allow them to read it only in an alternative path in general (either it's okay to read, or it's not).
|
Sorry, to be clear, --jailmode and --classic, not just --jailmode. |
| // Add a special internal snippet for snaps using classic confinement | ||
| // and jailmode together. This snippet provides access to the core snap | ||
| // so that the dynamic linker and shared libraries can be used. | ||
| tagSnippets = append(tagSnippets, classicJailmodeSnippet) |
There was a problem hiding this comment.
I think it'd make more sense to have this before the custom snippets.
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
| } else { | ||
| tagSnippets = snippets[securityTag] | ||
| } | ||
| return bytes.Join(tagSnippets, []byte("\n")) |
There was a problem hiding this comment.
Thank you for this addition. @niemeyer was right to point out that we only want to give read access to the core snap when using --classic with --jailmode (thanks for that!). With strict, we don't want this rule. With just --classic, we don't need this rule. With --devmode plus --jailmode, we don't want this rule. Only with --classic plus --jailmode do we need it.
LGTM but please add this comment above 'if opts.Classic && opts.JailMode {':
# Only add the classicJailmodeSnippet when using --classic plus --jailmode. Why?
# - normal strict mode shouldn't have it since we don't want to subvert the default
# template
# - --devmode with or without --jailmode shouldn't have it since it wouldn't
# accurately represent complain-mode strict
# - --classic without --jailmode doesn't need it since it uses different (non-strict)
# policy
# - --classic with --jailmode is defined as strict policy plus read-only access to the
# core snap
This patch changes the default apparmor template to allow read access to
the core snap (at any revision). This is required to allow classic snaps
that use the dynamic linker or libraries when they were forcibly
confined with jailmode.
Signed-off-by: Zygmunt Krynicki zygmunt.krynicki@canonical.com