Merge pull request #3814 from zyga/feature/partial-apparmor

interfaces: enable partial apparmor support
canonical · Sep 19, 2017 · 702d1f4 · 702d1f4
2 parents 4876a2a + fce9c0e
commit 702d1f4
Show file tree

Hide file tree

Showing 11 changed files with 333 additions and 270 deletions.
diff --git a/apparmor/probe.go b/apparmor/probe.go
diff --git a/apparmor/probe_test.go b/apparmor/probe_test.go
diff --git a/interfaces/apparmor/backend.go b/interfaces/apparmor/backend.go
@@ -216,7 +216,11 @@ func (b *Backend) deriveContent(spec *Specification, snapInfo *snap.Info, opts i
 
 func addContent(securityTag string, snapInfo *snap.Info, opts interfaces.ConfinementOptions, snippetForTag string, content map[string]*osutil.FileState) {
 	var policy string
-	if opts.Classic && !opts.JailMode {
+	// When partial AppArmor is detected, use the classic template for now. We could
+	// use devmode, but that could generate confusing log entries for users running
+	// snaps on systems with partial AppArmor support.
+	level := release.AppArmorLevel()
+	if level == release.PartialAppArmor || (opts.Classic && !opts.JailMode) {
 		policy = classicTemplate
 	} else {
 		policy = defaultTemplate
@@ -232,13 +236,12 @@ func addContent(securityTag string, snapInfo *snap.Info, opts interfaces.Confine
 			return fmt.Sprintf("profile \"%s\"", securityTag)
 		case "###SNIPPETS###":
 			var tagSnippets string
-
 			if opts.Classic && opts.JailMode {
 				// Add a special internal snippet for snaps using classic confinement
 				// and jailmode together. This snippet provides access to the core snap
 				// so that the dynamic linker and shared libraries can be used.
 				tagSnippets = classicJailmodeSnippet + "\n" + snippetForTag
-			} else if opts.Classic && !opts.JailMode {
+			} else if level == release.PartialAppArmor || (opts.Classic && !opts.JailMode) {
 				// When classic confinement (without jailmode) is in effect we
 				// are ignoring all apparmor snippets as they may conflict with
 				// the super-broad template we are starting with.

diff --git a/interfaces/apparmor/backend_test.go b/interfaces/apparmor/backend_test.go
@@ -293,6 +293,9 @@ func (s *backendSuite) TestUpdatingSnapToOneWithFewerHooks(c *C) {
 }
 
 func (s *backendSuite) TestRealDefaultTemplateIsNormallyUsed(c *C) {
+	restore := release.MockAppArmorLevel(release.FullAppArmor)
+	defer restore()
+
 	snapInfo := snaptest.MockInfo(c, ifacetest.SambaYamlV1, nil)
 	// NOTE: we don't call apparmor.MockTemplate()
 	err := s.Backend.Setup(snapInfo, interfaces.ConfinementOptions{}, s.Repo)
@@ -366,6 +369,9 @@ snippet
 }}
 
 func (s *backendSuite) TestCombineSnippets(c *C) {
+	restore := release.MockAppArmorLevel(release.FullAppArmor)
+	defer restore()
+
 	// NOTE: replace the real template with a shorter variant
 	restoreTemplate := apparmor.MockTemplate("\n" +
 		"###VAR###\n" +

diff --git a/interfaces/backends/backends.go b/interfaces/backends/backends.go
@@ -1,7 +1,7 @@
 // -*- Mode: Go; indent-tabs-mode: t -*-
 
 /*
- * Copyright (C) 2016 Canonical Ltd
+ * Copyright (C) 2016-2017 Canonical Ltd
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
@@ -20,6 +20,8 @@
 package backends
 
 import (
+	"fmt"
+
 	"github.com/snapcore/snapd/interfaces"
 	"github.com/snapcore/snapd/interfaces/apparmor"
 	"github.com/snapcore/snapd/interfaces/dbus"
@@ -31,18 +33,40 @@ import (
 	"github.com/snapcore/snapd/release"
 )
 
-// append when a new security backend is added
-var All = []interfaces.SecurityBackend{
-	&systemd.Backend{},
-	&seccomp.Backend{},
-	&dbus.Backend{},
-	&udev.Backend{},
-	&mount.Backend{},
-	&kmod.Backend{},
-}
+var All []interfaces.SecurityBackend = backends()
+
+func backends() []interfaces.SecurityBackend {
+	all := []interfaces.SecurityBackend{
+		&systemd.Backend{},
+		&seccomp.Backend{},
+		&dbus.Backend{},
+		&udev.Backend{},
+		&mount.Backend{},
+		&kmod.Backend{},
+	}
+
+	// This should be logger.Noticef but due to ordering of initialization
+	// calls, the logger is not ready at this point yet and the message goes
+	// nowhere. Per advice from other snapd developers, we just print it
+	// directly.
+	//
+	// TODO: on this should become a user-visible message via the user-warning
+	// framework, so that users are aware that we have non-strict confinement.
+	// By printing this directly we ensure it will end up the journal for the
+	// snapd.service. This aspect should be retained even after the switch to
+	// user-warning.
+	fmt.Printf("AppArmor status: %s\n", release.AppArmorSummary())
 
-func init() {
-	if !release.ReleaseInfo.ForceDevMode() {
-		All = append(All, &apparmor.Backend{})
+	// Enable apparmor backend if there is any level of apparmor support,
+	// including partial feature set. This will allow snap-confine to always
+	// link to apparmor and check if it is enabled on boot, knowing that there
+	// is always *some* profile to apply to each snap process.
+	//
+	// When some features are missing the backend will generate more permissive
+	// profiles that keep applications operational, in forced-devmode.
+	switch release.AppArmorLevel() {
+	case release.FullAppArmor, release.PartialAppArmor:
+		all = append(all, &apparmor.Backend{})
 	}
+	return all
 }