Configuring apparmor / seccomp for a snap to allow sendmsg and mkfifo?
Didier Roche
didrocks at ubuntu.com
Tue Oct 25 06:24:12 UTC 2016
On 24/10/2016 at 21:52, Dan Kegel wrote:
> I'm trying to snap a largish package; works fine in devmode,
> but as the app likes to use unix sockets and fifos, it fails in
> confined mode with
>
> $ sudo /snap/bin/snappy-debug.security scanlog
> = AppArmor =
> Time: Oct 24 11:41:09
> Log: apparmor="DENIED" operation="sendmsg" profile="snap.foo" pid=8536
> comm="foo" family="unix" sock_type="dgram" protocol=0
> requested_mask="send" denied_mask="send" addr=none
> peer_addr="@6E7669646961356165373434376600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
> peer="unconfined"
>
> = Seccomp =
> Time: Oct 24 11:41:09
> Log: auid=4294967295 uid=1001 gid=1001 ses=4294967295 pid=8536
> comm="foo" exe="/snap/foo/x7/bin/foo" sig=31 arch=c000003e 133(mknod)
> compat=0 ip=0x7f17f6fb542d code=0x0
> Syscall: mknod
>
> Any suggestions (other than 'don't do that')?
Unix sockets are definitively possible. I'm using sockets based on unix
files for some of my project and write them to $SNAP_DATA (for daemons,
the daemon creating the socket) and it works well. You may want to try this?
On mknod, I don't know if we have any plan for enabling this in some
ways. CCing Jamie for this.
> I imagine there's a way to configure both apparmor and seccomp for
> snaps, but haven't found it yet.
> https://wiki.ubuntu.com/SecurityTeam/Specifications/SnappyConfinement
> has some clues
> http://askubuntu.com/questions/796809/add-custom-apparmor-rules-to-snap
> seems on topic
> Should I be looking at the snapd source? (I see there's an apparmor
> interface, but maybe that's internal only...)
>
I don't think we want snaps to ship their own configuration. It's better
to collaborate on a snapd interface that can be reused between snaps,
rather than letting any snap define its own confinement rules (or said
differently, the confinement may be useless if we allow this).
Cheers,
Didier
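The AppArmor denial quoted above shows a peer address that AppArmor renders with a leading "@", i.e. an abstract-namespace unix socket, while the reply recommends sockets backed by a file under $SNAP_DATA. The snippet below is an added example (not code from either poster or from snapd) of the path-based approach: it binds an AF_UNIX datagram socket to a file in $SNAP_DATA, sends one datagram to it, and returns what was received. When $SNAP_DATA is unset (running outside a snap, an assumption made so the example runs stand-alone) it falls back to a private temporary directory; the socket file name `foo.sock` is also an assumption.

```python
import os
import socket
import tempfile


def socket_dir() -> str:
    """Directory for the socket file: $SNAP_DATA inside a snap (as the reply
    suggests), otherwise a private temp dir so the example runs anywhere."""
    snap_data = os.environ.get("SNAP_DATA")
    if snap_data and os.path.isdir(snap_data):
        return snap_data
    return tempfile.mkdtemp(prefix="snap-sock-")  # assumption: non-snap fallback


def unix_dgram_roundtrip(payload: bytes = b"hello") -> bytes:
    """Bind a path-based AF_UNIX datagram socket, send one datagram to it from a
    second socket and return the bytes the server side received."""
    path = os.path.join(socket_dir(), "foo.sock")  # assumed socket name
    if os.path.exists(path):
        os.unlink(path)  # remove a stale socket file from an earlier run

    server = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    client = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        # A filesystem path, not an abstract "\0..." name: the endpoint is a
        # file that the snap's own data directory policy governs.
        server.bind(path)
        os.chmod(path, 0o600)  # keep the endpoint private to this user
        server.settimeout(2)

        client.sendto(payload, path)
        data, _peer = server.recvfrom(4096)
        return data
    finally:
        client.close()
        server.close()
        if os.path.exists(path):
            os.unlink(path)


if __name__ == "__main__":
    print(unix_dgram_roundtrip(b"ping"))
```

The client here is in the same process only to keep the example self-contained; in the daemon case described in the reply, the daemon creates the socket file and other processes of the same snap connect to that path.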