interfaces: enable partial apparmor support

[zyga]

This branch is inspired by an idea from @jdstrand to allow working with
mainline apparmor support by using the classic template (which gives broad
permissions) on such systems.

This has three direct consequences:

First, snap-confine can now be built with apparmor support on Debian and
OpenSUSE and those systems will gracefully degrade to devmode before all
apparmor features are available but will work with strict confinement as soon
as a compatible kernel is available.

The second advantage is that we may expand this concept to allow specific
interfaces to offer specific snippets if a given apparmor feature is present.
This would allow to create a level of confinement above devmode. Where, for
example, file rules are enforced on a wide number of systems. Certain
interfaces (e.g. those controlling IPC) would necessarily be more open than we
would like but it would improve the effective level of the sandbox for many
people.

Lastly this change will allow us to enable re-exec support on openSUSE as
snap-confine built from the core snap will now be compatible.

All those improvements will be proposed separately for consideration.

Signed-off-by: Zygmunt Krynicki me@zygoon.pl

[codecov-io]

Codecov Report

Merging #3814 into master will increase coverage by 0.06%.
The diff coverage is 88.23%.

@@            Coverage Diff             @@
##           master    #3814      +/-   ##
==========================================
+ Coverage   75.86%   75.92%   +0.06%     
==========================================
  Files         403      417      +14     
  Lines       34835    36025    +1190     
==========================================
+ Hits        26427    27352     +925     
- Misses       6535     6755     +220     
- Partials     1873     1918      +45

Impacted Files	Coverage Δ
interfaces/backends/backends.go	100% <100%> (ø)
apparmor/probe.go	86.44% <100%> (ø)	⬆️
interfaces/apparmor/backend.go	72.04% <100%> (+0.53%)	⬆️
release/release.go	87.83% <63.63%> (-12.17%)	⬇️
httputil/logger.go	81.48% <0%> (-7.65%)	⬇️
overlord/configstate/config/transaction.go	80.4% <0%> (-4.78%)	⬇️
asserts/sysdb/generic.go	73.33% <0%> (-3.94%)	⬇️
corecfg/corecfg.go	50% <0%> (-1.62%)	⬇️
overlord/snapstate/check_snap.go	79.18% <0%> (-1.53%)	⬇️
interfaces/builtin/i2c.go	65.95% <0%> (-1.39%)	⬇️
... and 80 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 3aa2420...0face42. Read the comment docs.

[mvo5]

Why are we using aa.ProbeKernel().Evaluate()" instead of just "aa.Evaluate()" and hidding the "ProbeKernel()" as an implementation detail in aa ?

[zyga]

Because later on we'll get the result of ProbeKernel from the backend itself and specific interfaces will be able to get it from there.

[mwhudson]

This looks sane from my outside perspective. Didn't Jamie ask for loud logging when the wide open policy is being used? I don't see that.

Also, once this is done, I think snap-confine can lose the --disable-apparmor option entirely (in general, because we want snap-confine to be usable from the core snap on all systems, it can't really have compile time options!).

[jdstrand]

This looks fine-- looking forward to followup PRs since I'd prefer we not overuse the classic template for forced devmode. I do wonder why we just don't go to straight strict mode here-- IME, all partial is really important for in comparison with strict is logging that certain things aren't mediated.

[jdstrand]

This comment isn't quite right. Note that classicTemplate has bare rules for all the modern rules so an old parser will always choke on them. This means that partial confinement must have new tools, and those new tools know how to work with all kernels. As such, this should read as:

// When partial AppArmor is detected, use the classic template for now. We could
// use devmode, but that could generate confusing log entries for users running
// snaps on systems with partial AppArmor support.

[zyga]

+1, thank you.

[jdstrand]

Typo 'nowehre'

[zyga]

Thanks :-) I need to sync my vimrc and :set spell there :)

[jdstrand]

By printing directly, this means that it will end up in journalctl, which is important since we want syslog to show this as well. Please mention that here as part of your comment.

[zyga]

Will do!

[zyga]

@mwhudson the --disable-apparmor option must stay for some time since apparmor is not available as a library in Fedora (last time I checked). As for the "loud logging" that's the Printf there, in the future I will switch that to the warning framework where casual users will actually see it (not just the people that ... casually read their syslog).

[zyga]

Updated per review feedback. Would love to see this in 2.28 if we can pull it off @mvo5 :-)

[jdstrand]

Thanks for the updates!

When will you be implementing the change for using strict mode with logging instead of just using the classic template?

[zyga]

Soon, as time allows :)

[niemeyer]

This is going in a nice direction, thanks for bringing that up. That said, let's please talk through that API, and the logging also needs fixing.

[niemeyer]

Agree with Michael: this interface is too complicated for how trivial this is. What is the expected result of probing for a kernel and what does it mean to Evaluate it?

How about: aa.SupportLevel() == aa.PartialSupport?

The fact we need to compute and cache should remain inside the apparmor package itself. The release package may help with some ideas on that regard.

Also, what would "partial" mean in this case, and why do we expect what is inside classic to work while what is in strict won't? It would be better to be more clear about what is supported on not, and if possible have that gradient explicit in the terminology.

As a side note, Michael is extremely polite.. when he raises something on my code or ideas, I think three times before dismissing it.

[niemeyer]

In fact, that's all the apparmor package does right now. This would be better as release.ApparmorSupport instead, I think.

[zyga]

Please bare with me, the result of ProbeKernel will be stored in the apparmor backend. From there we will call Evaluate in one spot and access available features in several spots. I can bring this patch earlier. Partial means, as it is documented, that apparmor is enabled but some of the required features are missing. As discussed with jdstrand classic is used because it works on every release of apparmor and allows us to take the first step. The next step will be to switch to the actual strict template and teach specific interfaces about any extra deficiencies or incompatibilities that resulted from how apparmor enforcement works when a particular feature is present or absent. We already have the gradient you are talking about - we can ask, through SupportsFeature if a given feature is enabled or not.

[niemeyer]

@zyga I understood this proposal from your earlier comments. My points above already take it into account.

[niemeyer]

release.ApparmorSupports(feature) sounds nice, btw.

[niemeyer]

Code that prints on import seems pretty bad. Let's please drop this and the long apologetic comment. :)

We can easily log in the real log, and in a proper place, if we want to.

[zyga]

We cannot log the warning to the real log because of initialization order of our logger. This does the right thing because stdout is properly logged into the journal.

[niemeyer]

❤️

[zyga]

Hmm?

[zyga]

Ah :-)

[zyga]

I'll clean up this PR shortly.

[jdstrand]

I reviewed the new commits since my last review and have a few questions, so marking back to 'Request changes' for now.

[jdstrand]

It feels a little weird that this function is called SupportLevel() and it takes an argument of type SupportLevel. Should the function be called GetSupportLevel()?

[niemeyer]

Yes, this is all overcomplexity that should go away.

[jdstrand]

The mixture of 'aa.Foo' and 'apparmor.Foo' here and elsewhere in the PR seems weird to me. Is there a reason why you aren't consistently using one over the other?

[jdstrand]

I realize that you are returning the equivalent of before, but this (forcing devmode if not full support) seems inconsistent with interfaces/backends/backends.go init() where now add the apparmor backend if there is any level of support. Perhaps at least the comment needs to be adjusted?

[niemeyer]

Let's please not change this here. ForceDevMode as an idea should hopefully die altogether, but this PR is lingering for too long on issues which are related to its implementation. Let's keep unrelated fixes for follow ups please.

[jdstrand]

I agree it should be in a future PR, but felt the inconsistency should at least be pointed out (so we know to change it going forward! :) and that perhaps the comment should change.

[niemeyer]

Sorry, but it feels super strange to have such trivial helpers to our own trivial helpers (!) that are sitting across two different packages, and having one of those two packages consistently entirely of the trivial helpers.

Since this is taking a bit longer than it should for such a simple change, here is a more clear path for LGTM:

• The level function becomes release.AppArmorLevel
• The type becomes release.AppArmorLevelType
• The summary becomes release.AppArmorSummary
• All of that inside release/apparmor{,_test}.go
• KernelSupport dies. All of that functionality fits inside a tiny init function that runs once during execution and stores single two global variables: one level, one summary.
• apparmor package dies. Its whole point is that funcionality today.

[niemeyer]

Ah, and consts might be release.{No,Partial,Full}AppArmor.

[jdstrand]

Since @niemeyer addressed my questions, is driving the design and I agree with that design, I'll mark my bits as approved now.

[mvo5]

This should be ready for a re-review.

[niemeyer]

Thanks for sorting this out, @mvo5!

LGTM.. just re-running tests now.

[niemeyer]

The broken test looks unrelated, btw. Seems to be an unrelated Debian issue:

dpkg: error processing archive /tmp/apt-dpkg-install-HCzLFj/39-manpages-dev_4.13-2_all.deb (--unpack):
 trying to overwrite '/usr/share/man/man4/console_ioctl.4.gz', which is also in package manpages 4.10-2
Errors were encountered while processing:
 /tmp/apt-dpkg-install-HCzLFj/39-manpages-dev_4.13-2_all.deb
E: Sub-process /usr/bin/dpkg returned an error code (1)
quiet: end of output.