Snappy Confinement and AppArmor

Jamie Strandboge jamie at canonical.com
Mon Feb 23 15:31:36 UTC 2015


On 02/22/2015 02:17 PM, Víctor Mayoral Vilches wrote:
> Hi everyone,
> 
> Been playing a bit creating simple snappy apps, services and reading about
> AppArmor over the weekend. Here're some thoughts:
> 
>   * Creating snaps is super easy. This would encourage many users to jump over
>     snappy quickly. I quite like it.
>   * Hardware access in snaps is still not ready (please point out otherwise) but
>     can be bypassed manually by launching systemd services (root/sudo needed).
>     Example here <https://github.com/erlerobot/erle-apm-copter.erle>.

The work discussed in '[RFC] Improving hardware access for snaps' from is
actively being worked on and will be available soon.

>   * I have not been able to use AppArmor appropriately and some help might be
>     appreciated.
>     I started creating a simple snap
>     <https://github.com/erlerobot/erle-apparmor.erle> that writes the date in a
>     /home/ubuntu/date.txt file. This seems to require special permissions so
>     I tried using the unconfined template
>     <https://github.com/erlerobot/erle-apparmor.erle/blob/master/meta/package.yaml#L8> which
>     didn't allow me either:
> 
> ubuntu@localhost:~$ erle-apparmor.erle.script.sh
> /apps/erle-apparmor.erle/1.0/src/script.sh: line 3: /home/ubuntu/date.txt: Permission denied
> date: Thu Feb 19 17:32:45 UTC 2015 printed to file
> 
> I kept trying hand-modifying
> /var/lib/apparmor/profiles/click_erle-apparmor.erle_script.sh_1.0 and adding
> something like:
> 
>   # Writable area
>   owner /home/ubuntu/   w,
> 
As mentioned by Oliver, apps already have access to files as described in
https://developer.ubuntu.com/en/snappy/guides/filesystem-layout/

(that page should be updated to include the various SNAPP_* variables. I filed
https://bugs.launchpad.net/snappy-ubuntu/+bug/1424687 for this just now).

> Which didn't work either. Could anyone point out how I could re-write the snap
> so that it can write in /home/ubuntu directory? I presume accessing hardware
> abstractions/files (e.g.: GPIOs) would be pretty much the same, right?

Ping me on irc (jdstrand) and I can help you with this. The short answer is
'yes, you can do what you've been doing for this' but 1) I suspect there is a
bug there related to 'owner' match and 2) we should make sure everything is
working how it is supposed to so you don't need to fiddle with your security
policy in this manner at all.

> While going through AppArmor and the SnappyConfinement
> <https://wiki.ubuntu.com/SecurityTeam/Specifications/SnappyConfinement> articles
> I noted that the last 2 links of the Introduction point to somewhere they
> should not.
> 
> Jamie or whoever maintains the docs might like to modify it.
> 
Yes, things have evolved since I wrote that-- thanks for the reminder to clean
that up.


-- 
Jamie Strandboge                 http://www.ubuntu.com/
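
Added example, not part of the original message and not snappy or AppArmor code: a simplified Python model of how AppArmor matches file rules, showing which paths the quoted rule 'owner /home/ubuntu/ w,' covers. The alternative rules, the uid values and all function names are constructed for illustration; only the documented '*', '**' and '?' globs and the 'owner' qualifier are modelled, and ordinary Unix file permissions are not.

```python
import re

def glob_to_regex(glob):
    """Simplified model of AppArmor path globbing (see apparmor.d(5))."""
    out, i = [], 0
    while i < len(glob):
        after_slash = i > 0 and glob[i - 1] == "/"
        if glob.startswith("**", i):
            # '**' crosses '/'; right after a '/' it needs at least one char
            out.append("[^/].*" if after_slash else ".*")
            i += 2
        elif glob[i] == "*":
            whole = after_slash and (i + 1 == len(glob) or glob[i + 1] == "/")
            # '*' never crosses '/'; as a whole component it cannot be empty
            out.append("[^/]+" if whole else "[^/]*")
            i += 1
        elif glob[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(glob[i]))
            i += 1
    return re.compile("".join(out))

def parse_rule(line):
    """Split a file rule such as 'owner /home/ubuntu/   w,' into its parts."""
    tokens = line.strip().rstrip(",").split()
    owner_only = tokens[0] == "owner"
    if owner_only:
        tokens = tokens[1:]
    path_glob, perms = tokens
    return owner_only, glob_to_regex(path_glob), set(perms)

def allows(rule, path, perm, proc_uid, file_uid):
    """True if the rule grants `perm` on `path` to a process with proc_uid."""
    owner_only, regex, perms = parse_rule(rule)
    if owner_only and proc_uid != file_uid:
        return False  # 'owner' rules apply only when the uids match
    return perm in perms and regex.fullmatch(path) is not None

PAGE_RULE = "owner /home/ubuntu/   w,"         # rule quoted in the thread
FILE_RULE = "owner /home/ubuntu/date.txt w,"   # constructed alternative
GLOB_RULE = "owner /home/ubuntu/* w,"          # constructed alternative
TARGET = "/home/ubuntu/date.txt"

if __name__ == "__main__":
    for rule in (PAGE_RULE, FILE_RULE, GLOB_RULE):
        print(f"{rule!r:36} -> {allows(rule, TARGET, 'w', 1000, 1000)}")
```

A rule path ending in '/' names the directory itself, so in this model the quoted rule does not cover date.txt, while the two constructed rules do.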
