Snappy Confinement and AppArmor
Víctor Mayoral Vilches
victor at erlerobot.com
Sun Feb 22 20:17:28 UTC 2015
Hi everyone,
Been playing a bit creating simple snappy apps, services and reading about
AppArmor over the weekend. Here're some thoughts:
- Creating snaps is super easy. This would encourage many users to jump
over snappy quickly. I quite like it.
- Hardware access in snaps is still not ready (please point out
otherwise) but can be bypassed manually by launching systemd services
(root/sudo needed). Example here
<https://github.com/erlerobot/erle-apm-copter.erle>.
- I have not been able to use AppArmor appropriately and some help might
be appreciated.
I started creating a simple snap
<https://github.com/erlerobot/erle-apparmor.erle> that writes the date in a
/home/ubuntu/date.txt file. This seems to require special permissions,
so I tried using the unconfined template
<https://github.com/erlerobot/erle-apparmor.erle/blob/master/meta/package.yaml#L8>
which didn't allow me either:

    ubuntu@localhost:~$ erle-apparmor.erle.script.sh
    /apps/erle-apparmor.erle/1.0/src/script.sh: line 3: /home/ubuntu/date.txt: Permission denied
    date: Thu Feb 19 17:32:45 UTC 2015 printed to file
I kept trying, hand-modifying
/var/lib/apparmor/profiles/click_erle-apparmor.erle_script.sh_1.0 and
adding something like:

    # Writable area
    owner /home/ubuntu/ w,

which didn't work either. Could anyone point out how I could rewrite the
snap so that it can write in the /home/ubuntu directory? I presume accessing
hardware abstractions/files (e.g. GPIOs) would be pretty much the same,
right?
While going through the AppArmor and SnappyConfinement
<https://wiki.ubuntu.com/SecurityTeam/Specifications/SnappyConfinement>
articles, I noted that the last 2 links of the Introduction point to
somewhere they should not.
Jamie or whoever maintains the docs might like to fix that.
Cheers,
Víctor Mayoral Vilches
CTO & Co-Founder
Erle Robotics
erlerobotics.com | victor at erlerobot.com
+34 616151561
skype: v.mayoral
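Why the hand-added rule above does not help: an AppArmor file rule whose path ends in `/` matches only the directory entry itself, so `owner /home/ubuntu/ w,` never covers `/home/ubuntu/date.txt`; the file needs its own match (exact path, `*` for files directly in the directory, or `**` for the whole tree). The following Python is an added illustration, not code from the message or from snappy/AppArmor: a simplified matcher for the relevant subset of AppArmor path globbing, evaluated against the rule from the mail and its corrected forms (uid 1000 for the `ubuntu` user is an assumption).

```python
import re

# Simplified AppArmor file-rule matcher (added example, not AppArmor's code).
# Models only the subset needed for the rule in the mail:
#   *   matches any run of characters except '/'
#   **  matches any run of characters including '/'
#   a rule path ending in '/' matches the directory itself, nothing below it
#   'owner' requires the file's owner uid to equal the task's fsuid
# Not modelled: {a,b} alternation, [] classes, '?', exec/link permissions.
def glob_to_regex(rule_path: str) -> str:
    out, i = [], 0
    while i < len(rule_path):
        if rule_path.startswith("**", i):
            out.append(".*"); i += 2
        elif rule_path[i] == "*":
            out.append("[^/]*"); i += 1
        else:
            out.append(re.escape(rule_path[i])); i += 1
    return "^" + "".join(out) + "$"

def parse_rule(rule: str) -> dict:
    """Parse one file rule such as 'owner /home/ubuntu/** rw,'."""
    parts = rule.strip().rstrip(",").split()
    owner = parts[0] == "owner"
    if owner:
        parts = parts[1:]
    return {"owner": owner, "path": parts[0], "perms": set(parts[1])}

def rule_allows(rule: str, path: str, perm: str, file_uid: int, fsuid: int) -> bool:
    r = parse_rule(rule)
    if perm not in r["perms"]:
        return False
    if r["owner"] and file_uid != fsuid:
        return False
    return re.match(glob_to_regex(r["path"]), path) is not None

def allowed_by_profile(rules, path, perm, file_uid, fsuid) -> bool:
    return any(rule_allows(r, path, perm, file_uid, fsuid) for r in rules)

# Constructed scenario from the mail: user ubuntu (assumed uid 1000) runs the
# script, which redirects its output into /home/ubuntu/date.txt.
TARGET = "/home/ubuntu/date.txt"
UBUNTU_UID = 1000

def check(rules) -> bool:
    return allowed_by_profile(rules, TARGET, "w", UBUNTU_UID, UBUNTU_UID)

if __name__ == "__main__":
    print("rule from the mail    :", check(["owner /home/ubuntu/ w,"]))         # False
    print("exact file            :", check(["owner /home/ubuntu/date.txt rw,"]))  # True
    print("files in the directory:", check(["owner /home/ubuntu/* rw,"]))        # True
    print("whole home tree       :", check(["owner /home/ubuntu/** rw,"]))       # True
```

Independently of the rule text, an edited profile under /var/lib/apparmor/profiles only takes effect once it is reloaded into the kernel (apparmor_parser -r), and snappy regenerates those files on package install, so hand edits are lost on the next install.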