On Fri, 2017-02-03 at 19:59 +0800, James Henstridge wrote:
> On 1 February 2017 at 22:46, Jamie Strandboge <ja...@canonical.com> wrote:
> >
> > On Wed, 2017-02-01 at 20:33 +0800, James Henstridge wrote:
> > >
> > > 2. Use of the libapparmor aa_is_enabled and aa_query_label APIs
> > >
> > > When deciding whether to do work on behalf of a client,
> > > thumbnailer-service uses a couple libapparmor API calls to determine
> > > whether the client has access to a file. Neither of these are working
> > > under snappy confinement.
> > >
> > > The first call we use is aa_is_enabled(), but it seems the policy is
> > > too strict to let us determine whether AppArmor is enabled or not.
> > >
> > > Next we use aa_query_label() to perform the file access check. This
> > > fails when trying to read /proc/$pid/mounts to determine where
> > > securityfs is mounted. If that is fixed, it will likely fail when
> > > trying to access the "/sys/kernel/security/apparmor/.access" file
> > > within.
> > >
> > > I've filed a bug for this one here:
> > >
> > > https://bugs.launchpad.net/snappy/+bug/1660957
> > This needs some more thought since only "trusted helpers" that are doing
> > some form of mediation themselves need this access. Adding it to the dbus
> > interface by default isn't correct since, for example, ktuberling
> > shouldn't be asking about the security contexts of other snaps (not to
> > mention, this doesn't really have anything to do with the dbus
> > interface). I've assigned it to me and will think about it and will
> > comment in the bug/propose a PR where we can discuss further.
> Since it looked like we'd need a specialised snappy interface for
> thumbnailer, I had a go adding the rules necessary to enable
> aa_query_label() there. If thumbnailer turns out to be the only snap
> needing this API, or the other snaps needing it also require custom
> interfaces, then perhaps this is a reasonable place to put the rules.
>
> Of course, once I got my interface up and running, I ran into
> https://bugs.launchpad.net/apparmor/+bug/1620635 again. I've put my
> in-progress branch up for review here:
>
> https://github.com/snapcore/snapd/pull/2783

Thumbnailer isn't the only one that needs this, but I suspect putting the
rules in a specialized interface like you did in this PR will be the way to
do this. There is an effort to refactor the way interface policy is put
together and when doing that we'll do something like 'give me all the
seccomp rules needed for connecting to a dbus service'. We can do something
similar for the libapparmor access such that each interface that needs
libapparmor in this manner can say 'give me all the apparmor rules needed
for using libapparmor as a trusted helper'.

Thanks for the PR! :)

--
Jamie Strandboge | http://www.canonical.com

--
Snapcraft mailing list
Snapcraft@lists.snapcraft.io
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/snapcraft
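
As an added example (not part of the thread, and not libapparmor's or snapd's code), the two file accesses described above for aa_query_label() can be repeated from inside a confined process: locate securityfs in /proc/self/mounts, then test the apparmor/.access file beneath it. The name apparmor_access_path and the sample mounts text are assumptions made for this example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Constructed sample in /proc/<pid>/mounts format, not captured from a real system. */
const char SAMPLE_MOUNTS[] =
    "proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0\n"
    "securityfs /sys/kernel/security securityfs rw,nosuid,nodev,noexec,relatime 0 0\n";

/* Find the securityfs entry in mounts-format text and write
 * "<mountpoint>/apparmor/.access" to out. Returns 0, or -1 if not found. */
int apparmor_access_path(const char *mounts, char *out, size_t outlen)
{
    while (*mounts) {
        size_t len = strcspn(mounts, "\n");
        char line[1024], mnt[512], fstype[64];
        if (len < sizeof line) {            /* skip over-long lines */
            memcpy(line, mounts, len);
            line[len] = '\0';
            if (sscanf(line, "%*s %511s %63s", mnt, fstype) == 2 &&
                strcmp(fstype, "securityfs") == 0) {
                int n = snprintf(out, outlen, "%s/apparmor/.access", mnt);
                return (n > 0 && (size_t)n < outlen) ? 0 : -1;
            }
        }
        mounts += len + (mounts[len] == '\n');
    }
    return -1;
}

/* Diagnostic: repeat both file accesses from inside the confined process. */
int main(void)
{
    static char buf[65536];
    char path[600];
    FILE *f = fopen("/proc/self/mounts", "r");
    if (!f) {
        printf("/proc/self/mounts: %s\n", strerror(errno));
        return 1;
    }
    buf[fread(buf, 1, sizeof buf - 1, f)] = '\0';
    fclose(f);
    if (apparmor_access_path(buf, path, sizeof path) != 0)
        return puts("securityfs not found in mounts"), 1;
    /* Assumption: the query file must be both readable and writable. */
    int denied = access(path, R_OK | W_OK) != 0;
    printf("%s: %s\n", path, denied ? strerror(errno) : "accessible");
    return denied;
}
```

A "Permission denied" on either line shows which of the two accesses the snap's AppArmor policy still blocks.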