"github.com/snapcore/snapd/release"
apparmor_sandbox "github.com/snapcore/snapd/sandbox/apparmor"
"github.com/snapcore/snapd/snap"
- "github.com/snapcore/snapd/strutil"
"github.com/snapcore/snapd/timings"
)
}
}
-func downgradeConfinement() bool {
- kver := osutil.KernelVersion()
- switch {
- case release.DistroLike("opensuse-tumbleweed"):
- if cmp, _ := strutil.VersionCompare(kver, "4.16"); cmp >= 0 {
- // As a special exception, for openSUSE Tumbleweed which ships Linux
- // 4.16, do not downgrade the confinement template.
- return false
- }
- case release.DistroLike("arch", "archlinux"):
- // The default kernel has AppArmor enabled since 4.18.8, the
- // hardened one since 4.17.4
- return false
- }
- return true
-}
-
func addContent(securityTag string, snapInfo *snap.Info, cmdName string, opts interfaces.ConfinementOptions, snippetForTag string, content map[string]osutil.FileState, spec *Specification) {
// If base is specified and it doesn't match the core snaps (not
// specifying a base should use the default core policy since in this
policy = classicTemplate
ignoreSnippets = true
}
- // When partial AppArmor is detected, use the classic template for now. We could
- // use devmode, but that could generate confusing log entries for users running
- // snaps on systems with partial AppArmor support.
- if apparmor_sandbox.ProbedLevel() == apparmor_sandbox.Partial {
- // By default, downgrade confinement to the classic template when
- // partial AppArmor support is detected. We don't want to use strict
- // in general yet because older versions of the kernel did not
- // provide backwards compatible interpretation of confinement
- // so the meaning of the template would change across kernel
- // versions and we have not validated that the current template
- // is operational on older kernels.
- if downgradeConfinement() {
- policy = classicTemplate
- ignoreSnippets = true
- }
- }
// If a snap is in devmode (or is using classic confinement) then make the
// profile non-enforcing where violations are logged but not denied.
// This is also done for classic so that no confinement applies. Just in
policy := "default"
if apparmor_sandbox.ProbedLevel() == apparmor_sandbox.Partial {
level = "partial"
-
- if downgradeConfinement() {
- policy = "downgraded"
- }
}
tags = append(tags, fmt.Sprintf("support-level:%s", level))
tags = append(tags, fmt.Sprintf("policy:%s", policy))
}
}
-// On openSUSE Tumbleweed partial apparmor support doesn't change apparmor template to classic.
-// Strict confinement template, along with snippets, are used.
-func (s *backendSuite) TestCombineSnippetsOpenSUSETumbleweed(c *C) {
- restore := mockPartalAppArmorOnDistro(c, "4.16-10-1-default", "opensuse-tumbleweed")
- defer restore()
- s.Iface.AppArmorPermanentSlotCallback = func(spec *apparmor.Specification, slot *snap.SlotInfo) error {
- spec.AddSnippet("snippet")
- return nil
- }
- s.InstallSnap(c, interfaces.ConfinementOptions{}, "", ifacetest.SambaYamlV1, 1)
- profile := filepath.Join(dirs.SnapAppArmorDir, "snap.samba.smbd")
- c.Check(profile, testutil.FileEquals, commonPrefix+"\nprofile \"snap.samba.smbd\" (attach_disconnected) {\nsnippet\n}\n")
-}
-
-// On openSUSE Tumbleweed running older kernel partial apparmor support changes
-// apparmor template to classic.
-func (s *backendSuite) TestCombineSnippetsOpenSUSETumbleweedOldKernel(c *C) {
- restore := mockPartalAppArmorOnDistro(c, "4.14", "opensuse-tumbleweed")
- defer restore()
- s.Iface.AppArmorPermanentSlotCallback = func(spec *apparmor.Specification, slot *snap.SlotInfo) error {
- spec.AddSnippet("snippet")
- return nil
- }
- s.InstallSnap(c, interfaces.ConfinementOptions{}, "", ifacetest.SambaYamlV1, 1)
- profile := filepath.Join(dirs.SnapAppArmorDir, "snap.samba.smbd")
- c.Check(profile, testutil.FileEquals, "\n#classic"+commonPrefix+"\nprofile \"snap.samba.smbd\" (attach_disconnected) {\n\n}\n")
-}
-
-func (s *backendSuite) TestCombineSnippetsArchOldIDSufficientHardened(c *C) {
- restore := mockPartalAppArmorOnDistro(c, "4.18.2.a-1-hardened", "arch", "archlinux")
- defer restore()
- s.Iface.AppArmorPermanentSlotCallback = func(spec *apparmor.Specification, slot *snap.SlotInfo) error {
- spec.AddSnippet("snippet")
- return nil
- }
- s.InstallSnap(c, interfaces.ConfinementOptions{}, "", ifacetest.SambaYamlV1, 1)
- profile := filepath.Join(dirs.SnapAppArmorDir, "snap.samba.smbd")
- c.Check(profile, testutil.FileEquals, commonPrefix+"\nprofile \"snap.samba.smbd\" (attach_disconnected) {\nsnippet\n}\n")
-}
-
-func (s *backendSuite) TestCombineSnippetsArchSufficientHardened(c *C) {
- restore := mockPartalAppArmorOnDistro(c, "4.18.2.a-1-hardened", "archlinux")
- defer restore()
- s.Iface.AppArmorPermanentSlotCallback = func(spec *apparmor.Specification, slot *snap.SlotInfo) error {
- spec.AddSnippet("snippet")
- return nil
- }
-
- s.InstallSnap(c, interfaces.ConfinementOptions{}, "", ifacetest.SambaYamlV1, 1)
- profile := filepath.Join(dirs.SnapAppArmorDir, "snap.samba.smbd")
- c.Check(profile, testutil.FileEquals, commonPrefix+"\nprofile \"snap.samba.smbd\" (attach_disconnected) {\nsnippet\n}\n")
-}
-
const coreYaml = `name: core
version: 1
type: os
restore = osutil.MockKernelVersion("4.14.1-default")
defer restore()
- c.Assert(s.Backend.SandboxFeatures(), DeepEquals, []string{"kernel:foo", "kernel:bar", "parser:baz", "parser:norf", "support-level:partial", "policy:downgraded"})
+ c.Assert(s.Backend.SandboxFeatures(), DeepEquals, []string{"kernel:foo", "kernel:bar", "parser:baz", "parser:norf", "support-level:partial", "policy:default"})
}
func (s *backendSuite) TestParallelInstanceSetupSnapUpdateNS(c *C) {
`)
}
-func (s *backendSuite) TestDowngradeConfinement(c *C) {
-
- restore := apparmor_sandbox.MockLevel(apparmor_sandbox.Partial)
- defer restore()
-
- for _, tc := range []struct {
- distro string
- kernel string
- expected bool
- }{
- {"opensuse-tumbleweed", "4.16.10-1-default", false},
- {"opensuse-tumbleweed", "4.14.1-default", true},
- {"arch", "4.18.2.a-1-hardened", false},
- {"arch", "4.18.8-arch1-1-ARCH", false},
- {"archlinux", "4.18.2.a-1-hardened", false},
- } {
- c.Logf("trying: %+v", tc)
- restore := release.MockReleaseInfo(&release.OS{ID: tc.distro})
- defer restore()
- restore = osutil.MockKernelVersion(tc.kernel)
- defer restore()
- c.Check(apparmor.DowngradeConfinement(), Equals, tc.expected, Commentf("unexpected result for %+v", tc))
- }
-}
-
func (s *backendSuite) TestPtraceTraceRule(c *C) {
restoreTemplate := apparmor.MockTemplate("template\n###SNIPPETS###\n")
defer restoreTemplate()
projects / snapd.git / commitdiff