[PATCH 12/36] cmd/libsnap-confine-private: Don't fail open on apparmor confinement
author: Alex Murray <alex.murray@canonical.com>
Wed, 17 Nov 2021 04:02:09 +0000 (14:32 +1030)
committer: Michael Vogt <mvo@debian.org>
Thu, 17 Feb 2022 15:29:46 +0000 (15:29 +0000)
aa_is_enabled() can be made to fail by setting low open file limits or
similar - in this case, snap-confine would continue executing as though it
were unconfined. However, this can be detected by checking errno more
closely - so only fail open when we know AppArmor either is not supported
or has been explicitly disabled at boot and otherwise fail closed.

Signed-off-by: Alex Murray <alex.murray@canonical.com>
Gbp-Pq: Topic cve202144730
Gbp-Pq: Name 0012-cmd-libsnap-confine-private-Don-t-fail-open-on-appar.patch

cmd/libsnap-confine-private/apparmor-support.c

index eac0912d3e64992a2a23afd1fb155f2ba3e71613..9930e4216888b11274617f86356be37bda25a7b3 100644 (file)
@@ -53,18 +53,24 @@ void sc_init_apparmor_support(struct sc_apparmor *apparmor)
                        debug
                            ("apparmor is available on the system but has been disabled at boot");
                        break;
-               case ENOENT:
-                       debug
-                           ("apparmor is available but the interface but the interface is not available");
-                       break;
                case EPERM:
                        // NOTE: fall-through
                case EACCES:
                        debug
                            ("insufficient permissions to determine if apparmor is enabled");
-                       break;
+                       // since snap-confine is setuid root this should
+                       // never happen so likely someone is trying to
+                       // manipulate our execution environment - fail hard
+
+                       // fall-through
+               case ENOENT:
+               case ENOMEM:
                default:
-                       debug("apparmor is not enabled: %s", strerror(errno));
+                       // this shouldn't happen under normal usage so it
+                       // is possible someone is trying to manipulate our
+                       // execution environment - fail hard
+                       die("aa_is_enabled() failed unexpectedly (%s)",
+                           strerror(errno));
                        break;
                }
                apparmor->is_confined = false;
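Review bot: The fail-closed behaviour in the `default:` arm depends entirely on `die()` never returning; the trailing `break;` after `die(...)` and the unchanged `apparmor->is_confined = false;` immediately after the switch mean that if `die()` were ever to return (or is not declared `noreturn`), execution would fall straight back into the unconfined path this patch is meant to close. Please confirm `die()` is annotated `__attribute__((noreturn))` and drop the now-unreachable `break;`, so the compiler flags any future change that lets the arm fall out of the switch. Two smaller points: the EPERM/EACCES arm keeps its `debug()` call and then falls through to a second, generic `die()` message, so the log will carry both lines for that case, which is fine but worth a one-line mention in the commit message; and the new comment block between `debug(...)` and `// fall-through` has an empty line in the middle that splits the explanation from the fall-through marker, so merging them into one comment keeps the intent next to the case labels it applies to.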