interfaces/apparmor: expand @{APP_PKGNAME} to just snap name

[zyga]

This patch drops the .developer suffix from APP_PKGNAME since this is
the current filesystem layout.

NOTE: this was tested with actual device. :-)

Signed-off-by: Zygmunt Krynicki zygmunt.krynicki@canonical.com

[mvo5]

👍 makes me wonder a bit why old-security did not break. but maybe we updated that already and I forgot :)

[zyga]

@mvo5 old-security is not a real interface and I suspect that we did change the old code at the time

[zyga]

Pinging @jdstrand for review

[niemeyer]

LGTM

[jdstrand]

This should be changed too.

[jdstrand]

ditto

[jdstrand]

APP_PKGNAME_DBUS and APP_ID_DBUS should be changed as well.

[jdstrand]

I see that snap/info.go has a modified SecurityTag() that does:
return fmt.Sprintf("snap.%s.%s", app.Snap.Name(), app.Name)

As such, PROFILEATTACH is going to be snap.%s.%s. That means that any apparmor rules that use the profile attach label (ie, signal, ptrace, unix, dbus) are now broken between that change and this change. Ie, in template.go:

unix peer=(label=@{APP_PKGNAME}_*),
signal peer=@{APP_PKGNAME}_*,

These need to be changed to:

unix peer=(label=snap.@{APP_PKGNAME}.*),
signal peer=snap.@{APP_PKGNAME}.*,

Note I both prepended 'snap.' and changed the '_' to '.'

The current builtins are all ok, but future policy like bluez will need to use similar rules.

[zyga]

@jdstrand thanks for pointing out the subtle tweak in apparmor rules. I'll keep an eye out for this in bluez reviews. I'll iterate with updates to variables but I'd like to actually drop existing variables and replace them with just SNAP_NAME SNAP_REVISION and not much else. Is that doable?

[jdstrand]

With modern variables use:

unix peer=(label=snap.@{SNAP_NAME}.*),
signal peer=snap.@{SNAP_NAME}.*,

[jdstrand]

In fact, with that change you can remove legacyVariables altogether.

[jdstrand]

Oh wait, I spoke too soon. Don't remove legacyVariables yet-- the file rules still need to be updated for modern variables.