Security policy generation for 16.04 images

Jamie Strandboge jamie at canonical.com
Thu Nov 19 16:15:52 UTC 2015 

Hi,

Snappy has been using click compatibility hooks for security policy generation
for apparmor. It has long been understood that snappy would move away from click
compatibility so when seccomp was added, it did not use these hooks. As of
today, 16.04 images no longer use click compatibility hooks for apparmor. This
has many benefits:

 * no more reliance on python tools for policy generation
 * clean and consistent implementation for policy generation
 * update for the 'securite-override' mechanism (more on this later) to make it
   more useful and easier to use
 * hardware assignment now works for services and binaries that use
   'security-policy'
 * several bug fixes surrounding image upgrades and shipped system policy
 * enables transition to squashfs format (in progress)
 * enables removal of click compat code (branches pending)
 * review tools checks for snaps can be simplified since they don't have to
   worry about click compat (in progress)

This change does not take into account the evolving capabilities work that is
being discussed on snappy-devel@, but these policy generation changes are
essential to that work. It also does not make (significant) refinements to the
yaml format yet-- these will come once the yaml meta review is completed (see
snappy-devel@ thread and google doc).

The tools-proposed ppa has not been updated yet but AIUI will once the squashfs
changes are ready and the review tools are updated (both in progress).

= What this means for developers =

If you are an app developer, nothing has changed for you unless you used the
'security-override' yaml declaration (which you probably aren't because it was
awkward and hard to use). The new 'security-override' declaration will allow you
to work with confinement more easily by letting you declare overrides in the
yaml that are applied to whatever templated policy you specify. Eg, suppose you
have an app that works fine under default policy except you need one syscall
that isn't included anywhere else:

services:
 - name: foo
   security-override:
     syscalls: [ bar ]

This might be useful, for example, when developing your snap so that you can
test your app under confinement without having to change your code to not use
'foo' immediately. See
https://github.com/ubuntu-core/snappy/blob/master/docs/security.md for details.

If you are so inclined to look at the generated policy, 'snappy install' now
stores it in /var/lib/snappy/apparmor/profiles and all confusing paths in
/var/lib/apparmor are no longer used. The 'snappy policygen' tool can be used to
regenerate security policy from the app's meta/package.yaml (see 'snappy
policygen --help' for details).

snappy-debug snap will be updated accordingly for these changes soon.

Thanks to Michael Vogt for his many contributions to the branch and Gustavo and
John Lenton for their careful reviews.

Enjoy! :)

-- 
Jamie Strandboge                 http://www.ubuntu.com/


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/snappy-devel/attachments/20151119/efcfb088/attachment.pgp>

More information about the snappy-devel mailing list