From 3af5cf54deb0f3d4431c810a071de6a7b7b3fea3 Mon Sep 17 00:00:00 2001 From: Michael Hudson-Doyle Date: Mon, 28 Nov 2022 10:37:00 +0000 Subject: [PATCH] cherry-pick-pr9936 commit 5c7c00e13285487a472e615d0e483e64b2cfad78 Author: Zygmunt Krynicki Date: Mon Feb 15 17:14:41 2021 +0000 Remove apparmor downgrade feature Apparmor downgrade was automatically enabled when the running kernel supported some, but not all of the features. Since the complete set was never upstreamed, this effectively meant that users had less features than they otherwise would have. Since apparmor is still reported as "partial", nothing changes from the point of view of not sending any misleading messages. For certain classes of snap packages, this improves the effective confinement on systems such as Debian or openSUSE Leap. Perfect confinement is still way off, this doesn't change that. Signed-off-by: Zygmunt Krynicki Gbp-Pq: Name 0013-cherry-pick-pr9936.patch --- interfaces/apparmor/backend.go | 38 -------------- interfaces/apparmor/backend_test.go | 80 +---------------------------- interfaces/apparmor/export_test.go | 1 - 3 files changed, 1 insertion(+), 118 deletions(-) diff --git a/interfaces/apparmor/backend.go b/interfaces/apparmor/backend.go index 1819525c..73b9c3ad 100644 --- a/interfaces/apparmor/backend.go +++ b/interfaces/apparmor/backend.go @@ -55,7 +55,6 @@ import ( "github.com/snapcore/snapd/release" apparmor_sandbox "github.com/snapcore/snapd/sandbox/apparmor" "github.com/snapcore/snapd/snap" - "github.com/snapcore/snapd/strutil" "github.com/snapcore/snapd/timings" ) @@ -611,23 +610,6 @@ func addUpdateNSProfile(snapInfo *snap.Info, opts interfaces.ConfinementOptions, } } -func downgradeConfinement() bool { - kver := osutil.KernelVersion() - switch { - case release.DistroLike("opensuse-tumbleweed"): - if cmp, _ := strutil.VersionCompare(kver, "4.16"); cmp >= 0 { - // As a special exception, for openSUSE Tumbleweed which ships Linux - // 4.16, do not downgrade the confinement template. - return false - } - case release.DistroLike("arch", "archlinux"): - // The default kernel has AppArmor enabled since 4.18.8, the - // hardened one since 4.17.4 - return false - } - return true -} - func addContent(securityTag string, snapInfo *snap.Info, cmdName string, opts interfaces.ConfinementOptions, snippetForTag string, content map[string]osutil.FileState, spec *Specification) { // If base is specified and it doesn't match the core snaps (not // specifying a base should use the default core policy since in this @@ -647,22 +629,6 @@ func addContent(securityTag string, snapInfo *snap.Info, cmdName string, opts in policy = classicTemplate ignoreSnippets = true } - // When partial AppArmor is detected, use the classic template for now. We could - // use devmode, but that could generate confusing log entries for users running - // snaps on systems with partial AppArmor support. - if apparmor_sandbox.ProbedLevel() == apparmor_sandbox.Partial { - // By default, downgrade confinement to the classic template when - // partial AppArmor support is detected. We don't want to use strict - // in general yet because older versions of the kernel did not - // provide backwards compatible interpretation of confinement - // so the meaning of the template would change across kernel - // versions and we have not validated that the current template - // is operational on older kernels. - if downgradeConfinement() { - policy = classicTemplate - ignoreSnippets = true - } - } // If a snap is in devmode (or is using classic confinement) then make the // profile non-enforcing where violations are logged but not denied. // This is also done for classic so that no confinement applies. Just in @@ -774,10 +740,6 @@ func (b *Backend) SandboxFeatures() []string { policy := "default" if apparmor_sandbox.ProbedLevel() == apparmor_sandbox.Partial { level = "partial" - - if downgradeConfinement() { - policy = "downgraded" - } } tags = append(tags, fmt.Sprintf("support-level:%s", level)) tags = append(tags, fmt.Sprintf("policy:%s", policy)) diff --git a/interfaces/apparmor/backend_test.go b/interfaces/apparmor/backend_test.go index 1188dff1..8414a4f2 100644 --- a/interfaces/apparmor/backend_test.go +++ b/interfaces/apparmor/backend_test.go @@ -1106,59 +1106,6 @@ func mockPartalAppArmorOnDistro(c *C, kernelVersion string, releaseID string, re } } -// On openSUSE Tumbleweed partial apparmor support doesn't change apparmor template to classic. -// Strict confinement template, along with snippets, are used. -func (s *backendSuite) TestCombineSnippetsOpenSUSETumbleweed(c *C) { - restore := mockPartalAppArmorOnDistro(c, "4.16-10-1-default", "opensuse-tumbleweed") - defer restore() - s.Iface.AppArmorPermanentSlotCallback = func(spec *apparmor.Specification, slot *snap.SlotInfo) error { - spec.AddSnippet("snippet") - return nil - } - s.InstallSnap(c, interfaces.ConfinementOptions{}, "", ifacetest.SambaYamlV1, 1) - profile := filepath.Join(dirs.SnapAppArmorDir, "snap.samba.smbd") - c.Check(profile, testutil.FileEquals, commonPrefix+"\nprofile \"snap.samba.smbd\" (attach_disconnected) {\nsnippet\n}\n") -} - -// On openSUSE Tumbleweed running older kernel partial apparmor support changes -// apparmor template to classic. -func (s *backendSuite) TestCombineSnippetsOpenSUSETumbleweedOldKernel(c *C) { - restore := mockPartalAppArmorOnDistro(c, "4.14", "opensuse-tumbleweed") - defer restore() - s.Iface.AppArmorPermanentSlotCallback = func(spec *apparmor.Specification, slot *snap.SlotInfo) error { - spec.AddSnippet("snippet") - return nil - } - s.InstallSnap(c, interfaces.ConfinementOptions{}, "", ifacetest.SambaYamlV1, 1) - profile := filepath.Join(dirs.SnapAppArmorDir, "snap.samba.smbd") - c.Check(profile, testutil.FileEquals, "\n#classic"+commonPrefix+"\nprofile \"snap.samba.smbd\" (attach_disconnected) {\n\n}\n") -} - -func (s *backendSuite) TestCombineSnippetsArchOldIDSufficientHardened(c *C) { - restore := mockPartalAppArmorOnDistro(c, "4.18.2.a-1-hardened", "arch", "archlinux") - defer restore() - s.Iface.AppArmorPermanentSlotCallback = func(spec *apparmor.Specification, slot *snap.SlotInfo) error { - spec.AddSnippet("snippet") - return nil - } - s.InstallSnap(c, interfaces.ConfinementOptions{}, "", ifacetest.SambaYamlV1, 1) - profile := filepath.Join(dirs.SnapAppArmorDir, "snap.samba.smbd") - c.Check(profile, testutil.FileEquals, commonPrefix+"\nprofile \"snap.samba.smbd\" (attach_disconnected) {\nsnippet\n}\n") -} - -func (s *backendSuite) TestCombineSnippetsArchSufficientHardened(c *C) { - restore := mockPartalAppArmorOnDistro(c, "4.18.2.a-1-hardened", "archlinux") - defer restore() - s.Iface.AppArmorPermanentSlotCallback = func(spec *apparmor.Specification, slot *snap.SlotInfo) error { - spec.AddSnippet("snippet") - return nil - } - - s.InstallSnap(c, interfaces.ConfinementOptions{}, "", ifacetest.SambaYamlV1, 1) - profile := filepath.Join(dirs.SnapAppArmorDir, "snap.samba.smbd") - c.Check(profile, testutil.FileEquals, commonPrefix+"\nprofile \"snap.samba.smbd\" (attach_disconnected) {\nsnippet\n}\n") -} - const coreYaml = `name: core version: 1 type: os @@ -1994,7 +1941,7 @@ func (s *backendSuite) TestSandboxFeaturesPartial(c *C) { restore = osutil.MockKernelVersion("4.14.1-default") defer restore() - c.Assert(s.Backend.SandboxFeatures(), DeepEquals, []string{"kernel:foo", "kernel:bar", "parser:baz", "parser:norf", "support-level:partial", "policy:downgraded"}) + c.Assert(s.Backend.SandboxFeatures(), DeepEquals, []string{"kernel:foo", "kernel:bar", "parser:baz", "parser:norf", "support-level:partial", "policy:default"}) } func (s *backendSuite) TestParallelInstanceSetupSnapUpdateNS(c *C) { @@ -2019,31 +1966,6 @@ apps: `) } -func (s *backendSuite) TestDowngradeConfinement(c *C) { - - restore := apparmor_sandbox.MockLevel(apparmor_sandbox.Partial) - defer restore() - - for _, tc := range []struct { - distro string - kernel string - expected bool - }{ - {"opensuse-tumbleweed", "4.16.10-1-default", false}, - {"opensuse-tumbleweed", "4.14.1-default", true}, - {"arch", "4.18.2.a-1-hardened", false}, - {"arch", "4.18.8-arch1-1-ARCH", false}, - {"archlinux", "4.18.2.a-1-hardened", false}, - } { - c.Logf("trying: %+v", tc) - restore := release.MockReleaseInfo(&release.OS{ID: tc.distro}) - defer restore() - restore = osutil.MockKernelVersion(tc.kernel) - defer restore() - c.Check(apparmor.DowngradeConfinement(), Equals, tc.expected, Commentf("unexpected result for %+v", tc)) - } -} - func (s *backendSuite) TestPtraceTraceRule(c *C) { restoreTemplate := apparmor.MockTemplate("template\n###SNIPPETS###\n") defer restoreTemplate() diff --git a/interfaces/apparmor/export_test.go b/interfaces/apparmor/export_test.go index b6bf4a10..cb77ae17 100644 --- a/interfaces/apparmor/export_test.go +++ b/interfaces/apparmor/export_test.go @@ -30,7 +30,6 @@ var ( NsProfile = nsProfile ProfileGlobs = profileGlobs SnapConfineFromSnapProfile = snapConfineFromSnapProfile - DowngradeConfinement = downgradeConfinement LoadProfiles = loadProfiles UnloadProfiles = unloadProfiles MaybeSetNumberOfJobs = maybeSetNumberOfJobs -- 2.30.2