Merge pull request #827 from morphis/snap-confinement-phase1

Initial support for full snap confinement

Merge pull request #827 from morphis/snap-confinement-phase1
Initial support for full snap confinement
baedea8d · Simon Fels · GitHub · bc2cf304 · 2b83d922 · baedea8d
4 changed file
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -119,6 +119,12 @@ if (NOT "${HOST_CMAKE_C_COMPILER}" STREQUAL "")
  message(STATUS "Host C compiler: ${HOST_CMAKE_CXX_COMPILER}")
 endif()

+option(SNAP_CONFINEMENT "Enable snap confinement support" OFF)
+if (SNAP_CONFINEMENT)
+  message(STATUS "Building with support for snap confinement")
+  set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -DENABLE_SNAP_CONFINEMENT")
+endif()
+
 install(FILES data/ui/loading-screen.png DESTINATION ${ANBOX_RESOURCE_DIR}/ui)

 # uninstall target

--- a/scripts/container-manager.sh
+++ b/scripts/container-manager.sh
@@ -53,11 +53,6 @@ start() {
 	# lib directory as explicit search target here.
 	export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:$SNAP/usr/lib/$ARCH"

-	if [ -d /sys/kernel/security/apparmor ] ; then
-		# Load the profile for our Android container
-		"$SNAP"/sbin/apparmor_parser -r "$SNAP"/apparmor/anbox-container.aa
-	fi
-
 	enable_debug="$(snapctl get debug.enable)"
 	if [ "$enable_debug" = true ]; then
 		export ANBOX_LOG_LEVEL=debug

--- a/snap/snapcraft.yaml
+++ b/snap/snapcraft.yaml
@@ -16,25 +16,44 @@ grade: devel
 architectures: [amd64]

 slots:
-  # Depending on in which environment we're running we either need
-  # to use the system or session DBus so we also need to have one
-  # slot for each.
-  dbus-session:
+  dbus-session-slot:
    interface: dbus
-    bus: system
+    bus: session
    name: org.anbox
-  dbus-system:
+
+plugs:
+  dbus-session-plug:
    interface: dbus
-    bus: system
+    bus: session
    name: org.anbox

 apps:
  anbox:
    command: desktop-launch $SNAP/bin/anbox-wrapper.sh
+    slots:
+      - dbus-session-slot
+    plugs:
+      - x11
+      - unity7
+      - network
+      - opengl
+      - wayland
+      - pulseaudio
+      - home
+      - process-control
+      - desktop
+
  container-manager:
    command: bin/container-manager.sh start
    stop-command: bin/container-manager.sh stop
    daemon: simple
+    plugs:
+      - firewall-control
+      - kernel-module-control
+      - mount-observe
+      - network-control
+      - network-bind
+
  collect-bug-info:
    command: bin/collect-bug-info.sh
  shell:
@@ -42,9 +61,36 @@ apps:
  android-settings:
    command: desktop-launch $SNAP/bin/app-android-settings.sh
    desktop: desktop/android-settings.desktop
+    slots:
+      - dbus-session-slot
+    plugs:
+      - dbus-session-plug
+      - x11
+      - unity7
+      - network
+      - opengl
+      - wayland
+      - pulseaudio
+      - home
+      - process-control
+      - desktop
+
  appmgr:
    command: desktop-launch $SNAP/bin/app-appmgr.sh
    desktop: desktop/appmgr.desktop
+    slots:
+      - dbus-session-slot
+    plugs:
+      - dbus-session-plug
+      - x11
+      - unity7
+      - network
+      - opengl
+      - wayland
+      - pulseaudio
+      - home
+      - process-control
+      - desktop

 parts:
  android:
@@ -102,7 +148,7 @@ parts:
  lxc:
    source: https://github.com/lxc/lxc
    source-type: git
-    source-tag: lxc-3.0.0
+    source-tag: lxc-3.0.1
    build-packages:
      - libapparmor-dev
      - libcap-dev
@@ -125,6 +171,16 @@ parts:
      - --enable-capabilities
      - --with-rootfs-path=/var/snap/anbox/common/lxc/
      - --libexecdir=/snap/anbox/current/libexec/
+    override-build: |
+      set -ex
+      git config user.email "buildbot@anbox.io"
+      git config user.name "Anbox Buildbot"
+      git remote add anbox https://github.com/anbox/lxc
+      git fetch anbox
+      # apparmor: don't require a transition for Anbox child profiles
+      git cherry-pick 2f81fb7c91560b32e506bb874f8cd63e37985906
+      set +ex
+      snapcraftctl build
    organize:
      snap/anbox/current/libexec: libexec
    prime:
@@ -195,6 +251,9 @@ parts:
      # that is fixed we can avoid using a prefix here.
      - -DCMAKE_INSTALL_PREFIX:PATH=/usr
      - -DANBOX_VERSION=$SNAPCRAFT_PROJECT_VERSION
+      # FIXME: Once we have everything in place for full snap confinement we
+      # can securely enable this.
+      # - -DSNAP_CONFINEMENT=ON
    build-packages:
      - build-essential
      - cmake

--- a/src/anbox/container/lxc_container.cpp
+++ b/src/anbox/container/lxc_container.cpp
@@ -266,6 +266,13 @@ void LxcContainer::start(const Configuration &configuration) {

  set_config_item("lxc.init.cmd", "/anbox-init.sh");

+#if ENABLE_SNAP_CONFINEMENT
+  // If we're running inside the snap environment snap-confine already created a
+  // cgroup for us we need to use as otherwise presevering a namespace wont help.
+  if (utils::is_env_set("SNAP"))
+    set_config_item("lxc.namespace.keep", "cgroup");
+#endif
+
  auto rootfs_path = SystemConfiguration::instance().rootfs_dir();
  if (rootfs_overlay_)
    rootfs_path = SystemConfiguration::instance().combined_rootfs_dir();
@@ -283,11 +290,11 @@ void LxcContainer::start(const Configuration &configuration) {

  setup_network();

-#if 0
-  set_config_item("lxc.apparmor.profile", "anbox-container");
-
-  const auto seccomp_profile_path = fs::path(utils::get_env_value("SNAP", "/etc/anbox")) / "seccomp" / "anbox.sc";
-  set_config_item("lxc.seccomp.profile", seccomp_profile_path.string().c_str());
+#if ENABLE_SNAP_CONFINEMENT
+  // We take the AppArmor profile snapd has defined for us as part of the
+  // anbox-support interface. The container manager itself runs within a
+  // child profile snap.anbox.container-manager//lxc too.
+  set_config_item("lxc.apparmor.profile", "snap.anbox.container-manager//container");
 #else
  set_config_item("lxc.apparmor.profile", "unconfined");
 #endif