cmd/snap-confine: add support for classic confinement #2427

Merged
merged 6 commits into from Dec 7, 2016

zyga (Contributor) commented Dec 7, 2016

This branch adds support for classic confinement in snap-confine.

zyga added some commits Dec 2, 2016

Add support for classic confinement
This patch adds support for classic confinement in snap-confine.  The
main idea is that whenever --classic command line option is given the
mount namespace is not unshared. The application executes in the same
mount namespace as all classic applications would. While not strictly
related to the mount namespace, the devices cgroup is not used and PATH
is not reset.

On the snapd side the application will receive different apparmor and
seccomp profiles. The apparmor profile is wide open and the seccomp
profile uses the special "@unrestricted" command to essentially switch
apparmor off entirely.

NOTE: Using classic confinement is incompatible with nvidia driver
sharing as we cannot bind mount anything into /var/lib/snapd/lib/gl but
at the same time the application can just look at /usr/lib/nvidia for
that.

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
cmd/snap-confine: add support for classic confinement
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
cmd/snap-confine: add extra comment from jdstrand
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
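The commit message above lists what changes for a process launched with --classic: it keeps the host mount namespace, skips the devices cgroup, and gets relaxed AppArmor and seccomp profiles from snapd. The following is an added inspection helper, not snap-confine's code and not part of this PR, that reads the /proc indicators for those four properties so an operator can tell how a running process was confined; the "snap." devices-cgroup prefix it checks is an assumption about snap-confine's cgroup naming, not something this page states.

```python
import os
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class ConfinementIndicators:
    shares_init_mount_ns: Optional[bool]  # same mnt namespace as PID 1 (what --classic keeps)
    apparmor_label: Optional[str]         # /proc/<pid>/attr/current, e.g. "unconfined"
    seccomp_mode: Optional[int]           # Seccomp field of /proc/<pid>/status: 0 none, 2 filter
    devices_cgroup: Optional[str]         # cgroup v1 'devices' path, None if no such controller

def _read(path: str, link: bool = False) -> Optional[str]:
    try:  # /proc entries may be absent (non-Linux, cgroup v2) or unreadable (other users' pids)
        return os.readlink(path) if link else open(path).read()
    except OSError:
        return None

def parse_seccomp_mode(status_text: str) -> Optional[int]:
    m = re.search(r"^Seccomp:\s*(\d+)", status_text, re.MULTILINE)
    return int(m.group(1)) if m else None

def parse_devices_cgroup(cgroup_text: str) -> Optional[str]:
    # v1 lines are "<id>:<controllers>:<path>"; the unified v2 line "0::/..." names no controller
    for line in cgroup_text.splitlines():
        parts = line.split(":", 2)
        if len(parts) == 3 and "devices" in parts[1].split(","):
            return parts[2]
    return None

def inspect(pid: int) -> ConfinementIndicators:
    own, init = _read(f"/proc/{pid}/ns/mnt", link=True), _read("/proc/1/ns/mnt", link=True)
    label, status = _read(f"/proc/{pid}/attr/current"), _read(f"/proc/{pid}/status")
    cgroup = _read(f"/proc/{pid}/cgroup")
    return ConfinementIndicators(
        shares_init_mount_ns=(own == init) if own and init else None,
        apparmor_label=label.strip("\n\0") if label else None,
        seccomp_mode=parse_seccomp_mode(status) if status else None,
        devices_cgroup=parse_devices_cgroup(cgroup) if cgroup else None,
    )

def classify(ind: ConfinementIndicators) -> str:
    # Uses only the two things the commit message says snap-confine itself changes for --classic.
    # ASSUMPTION (not from the page): snap-confine names its devices cgroup "snap.<snap>.<app>".
    if ind.shares_init_mount_ns is None:
        return "unknown"
    if not ind.shares_init_mount_ns:
        return "strict-like"
    in_snap_cgroup = (ind.devices_cgroup or "").lstrip("/").startswith("snap.")
    return "inconclusive" if in_snap_cgroup else "classic-like"
```

The AppArmor label and seccomp mode are reported rather than judged, because a "wide open" profile is still a loaded profile and its label alone does not say how permissive it is.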

@zyga zyga added the Critical label Dec 7, 2016

cmd/snap-confine: fix inverted logic
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
cmd/snap-confine/snap-confine.c
- if (group_name == NULL) {
- die("SNAP_NAME is not set");
+ if (!classic_confinement) {
+ /* 'classic confinement' is designed to run without the sandbox
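Review bot: the `-` lines drop the `group_name == NULL` guard together with its `die("SNAP_NAME is not set")`, and the `+` lines replace it with a branch on `classic_confinement`; nothing in the visible hunk reinstates that check, so confirm it still runs on the non-classic path, where a missing SNAP_NAME would otherwise surface later as a less obvious failure instead of this clear message. The comment opened on the `+` line directly after the `if` also reads as describing whatever code follows rather than the condition it belongs to; placing it above the `if` makes the intent unambiguous.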
mvo5 (Collaborator) Dec 7, 2016

Can we move the comment above maybe? When I first saw the comment I assumed it was meant for the following code.

mvo5 approved these changes Dec 7, 2016

Looks good.

cmd/snap-confine: move comment around
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>

LGTM

LGTM with one very minor request

+ * - snap-confine skips using device cgroups
+ * - snapd sets up a lenient AppArmor profile for snap-confine to use
+ * - snapd sets up a lenient seccomp profile for snap-confine to use
+ */
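Review bot: the comment closes at `*/` with nothing recording at runtime that the relaxed mode was taken; a debug() call right after it, naming classic confinement, lets anyone reading snap-confine's debug output see which mode a process was launched in. These `+` lines also call the snapd-provided profiles "lenient" while the commit message calls the AppArmor profile "wide open"; using one wording in both places avoids readers wondering whether two different things are meant.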
jdstrand (Contributor) Dec 7, 2016

Perhaps add a debug() statement here?

cmd/snap-confine: announce classic confinement
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>

@zyga zyga merged commit 4af8fa9 into snapcore:master Dec 7, 2016

1 of 5 checks passed

xenial-amd64 autopkgtest: running
xenial-i386 autopkgtest: running
yakkety-amd64 autopkgtest: running
zesty-amd64 autopkgtest: running
continuous-integration/travis-ci/pr: The Travis CI build passed

@zyga zyga deleted the zyga:snap-confine-simple-classic branch Dec 7, 2016
