apparmor

package
v2.42.5-go-mod+incompa...
Published: Mar 9, 2020 License: GPL-3.0 Imports: 20 Imported by: 0

Documentation

Overview

Package apparmor contains primitives for working with apparmor.

References:

Package apparmor implements integration between snappy and ubuntu-core-launcher around apparmor.

Snappy creates apparmor profiles for each application (for each snap) present in the system. Upon each execution of ubuntu-core-launcher, the application process is launched under the profile. Prior to that the profile must be parsed, compiled and loaded into the kernel using the support tool "apparmor_parser".

Each apparmor profile contains a simple <header><content><footer> structure. The header specifies the profile name that the launcher will use to launch a process under this profile. Snappy uses "abstract identifiers" as profile names.

The actual profiles are stored in /var/lib/snappy/apparmor/profiles.

NOTE: A systemd job (apparmor.service) loads all snappy-specific apparmor profiles into the kernel during the boot process.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func GenWritableFileProfile

func GenWritableFileProfile(emit func(f string, args ...interface{}), path string, assumedPrefixDepth int)

GenWritableFileProfile writes a profile for snap-update-ns for making the given file writable.

func GenWritableMimicProfile

func GenWritableMimicProfile(emit func(f string, args ...interface{}), path string, assumedPrefixDepth int)

GenWritableMimicProfile generates apparmor rules for a writable mimic at the given path.

func GenWritableProfile

func GenWritableProfile(emit func(f string, args ...interface{}), path string, assumedPrefixDepth int)

GenWritableProfile generates a profile for snap-update-ns for making the given directory writable.

func LoadedProfiles

func LoadedProfiles() ([]string, error)

LoadedProfiles interrogates the kernel and returns a list of loaded apparmor profiles.

Snappy manages apparmor profiles named "snap.*". Other profiles might exist on the system (via snappy dimension) and those are filtered out.
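As an added example (not snapd's own code), the following stand-alone Go program parses a listing in the format of the kernel's /sys/kernel/security/apparmor/profiles file, applies the "snap.*" filter LoadedProfiles describes, and additionally reports which snap profiles are loaded in complain mode (the state snapd's developer mode produces, where violations are logged rather than denied). The listing is a constructed sample embedded in the program; the function and type names are this example's own.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"regexp"
	"strings"
)

// Profile is one entry of the kernel's profile listing
// (/sys/kernel/security/apparmor/profiles), which prints one
// "<name> (<mode>)" line per loaded profile.
type Profile struct {
	Name string
	Mode string // typically "enforce" or "complain"
}

// profileLineRE matches "<name> (<mode>)"; the name group is greedy so
// that profile names containing spaces are still captured whole.
var profileLineRE = regexp.MustCompile(`^(.+) \(([a-z]+)\)$`)

// ParseProfileListing parses the listing read from r. It fails on any
// line that does not follow the expected shape rather than guessing.
func ParseProfileListing(r io.Reader) ([]Profile, error) {
	var profiles []Profile
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		m := profileLineRE.FindStringSubmatch(line)
		if m == nil {
			return nil, fmt.Errorf("unexpected profile line %q", line)
		}
		profiles = append(profiles, Profile{Name: m[1], Mode: m[2]})
	}
	if err := sc.Err(); err != nil {
		return nil, err
	}
	return profiles, nil
}

// SnapProfiles keeps only the snapd-managed "snap.*" profiles; everything
// else on the system (distribution-shipped profiles etc.) is dropped,
// which is the filtering LoadedProfiles describes.
func SnapProfiles(profiles []Profile) []Profile {
	var out []Profile
	for _, p := range profiles {
		if strings.HasPrefix(p.Name, "snap.") {
			out = append(out, p)
		}
	}
	return out
}

// ComplainModeSnaps returns the names of snap profiles loaded in complain
// mode, i.e. confinement is logged but not enforced. An auditor of a
// production host usually wants this list to be empty.
func ComplainModeSnaps(profiles []Profile) []string {
	var names []string
	for _, p := range SnapProfiles(profiles) {
		if p.Mode == "complain" {
			names = append(names, p.Name)
		}
	}
	return names
}

// sampleListing is a constructed listing in the kernel's format; on a real
// host you would open /sys/kernel/security/apparmor/profiles instead.
const sampleListing = `/usr/sbin/cupsd (enforce)
/usr/bin/man (enforce)
man_filter (enforce)
snap.core.hook.configure (enforce)
snap.hello-world.hello-world (enforce)
snap.devsnap.app (complain)
`

func main() {
	profiles, err := ParseProfileListing(strings.NewReader(sampleListing))
	if err != nil {
		panic(err)
	}
	for _, p := range SnapProfiles(profiles) {
		fmt.Printf("%-40s %s\n", p.Name, p.Mode)
	}
	fmt.Println("complain-mode snaps:", ComplainModeSnaps(profiles))
}
```

Reading the real file requires root or CAP_MAC_ADMIN on most systems; the parser refuses malformed lines instead of skipping them so that a truncated or unexpected listing is noticed rather than silently reported as "no snap profiles loaded".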

func MockIsHomeUsingNFS

func MockIsHomeUsingNFS(new func() (bool, error)) (restore func())

MockIsHomeUsingNFS mocks the real implementation of osutil.IsHomeUsingNFS. This is exported so that other packages that indirectly interact with the AppArmor backend can mock isHomeUsingNFS.

func ValidateNoAppArmorRegexp

func ValidateNoAppArmorRegexp(s string) error

ValidateNoAppArmorRegexp will check that the given string does not contain AppArmor regular expressions (AARE), double quotes or the NUL byte (\0).
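Why such a check matters: a path that is interpolated into a profile rule and contains AARE metacharacters no longer names one file but a pattern, so "/home/*/x" would grant access under every home directory. The stand-alone Go program below is an added example, not snapd's implementation: it re-creates the check from the doc comment's description (the reserved set `?*[]{}^`, the double quote and NUL are this example's reading of that description), reports the offending character, and shows a hypothetical rule builder refusing such input before a rule is formed.

```go
package main

import (
	"fmt"
	"strings"
)

// aareReserved lists the characters that AppArmor interprets inside a
// path rule: the AARE globbing metacharacters ? * [ ] { } ^, the double
// quote that delimits quoted paths, and NUL, which would terminate the
// string early in a C parser. The set is this example's assumption,
// derived from the ValidateNoAppArmorRegexp doc comment.
const aareReserved = "?*[]{}^\"\x00"

// ValidateNoAARE rejects s if it contains any reserved character and
// says which one, so an untrusted path can be refused before it is
// interpolated into a profile rule.
func ValidateNoAARE(s string) error {
	if i := strings.IndexAny(s, aareReserved); i >= 0 {
		return fmt.Errorf("%q contains reserved apparmor character %q at offset %d", s, s[i], i)
	}
	return nil
}

// RuleForPath builds a rule of the general shape a generated profile
// carries for a writable directory (the rule text is illustrative, not
// snapd's template), refusing input that would widen the rule via
// globbing.
func RuleForPath(path string) (string, error) {
	if err := ValidateNoAARE(path); err != nil {
		return "", err
	}
	return fmt.Sprintf("owner %s/** rw,", path), nil
}

func main() {
	// Constructed inputs: one clean path and several that must be refused.
	for _, p := range []string{
		"/home/user/snap/foo/current",
		"/home/*/snap/foo/current",
		"/etc/app/{conf,secret}",
		"/tmp/a\"b",
		"/tmp/x\x00y",
	} {
		rule, err := RuleForPath(p)
		if err != nil {
			fmt.Println("reject:", err)
			continue
		}
		fmt.Println("rule:  ", rule)
	}
}
```

The check is deliberately a reject-list on raw bytes rather than an attempt to escape or quote: AppArmor's quoting rules are easy to get subtly wrong, and a path that needs escaping is almost never a legitimate snap path in the first place.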

Types

type Backend

type Backend struct{}

Backend is responsible for maintaining apparmor profiles for snaps and parts of snapd.

func (*Backend) Initialize

func (b *Backend) Initialize() error

Initialize prepares customized apparmor policy for snap-confine.

func (*Backend) Name

func (b *Backend) Name() interfaces.SecuritySystem

Name returns the name of the backend.

func (*Backend) NewSpecification

func (b *Backend) NewSpecification() interfaces.Specification

NewSpecification returns a new, empty apparmor specification.

func (*Backend) Remove

func (b *Backend) Remove(snapName string) error

Remove removes and unloads apparmor profiles of a given snap.

func (*Backend) SandboxFeatures

func (b *Backend) SandboxFeatures() []string

SandboxFeatures returns the list of apparmor features supported by the kernel.

func (*Backend) Setup

Setup creates and loads apparmor profiles specific to a given snap. The snap can be in developer mode to make security violations non-fatal to the offending application process.

This method should be called after changing plugs, slots, the connections between them, or the applications present in the snap.

type Specification

type Specification struct {
	// contains filtered or unexported fields
}

Specification assists in collecting apparmor entries associated with an interface.

func (*Specification) AddConnectedPlug

func (spec *Specification) AddConnectedPlug(iface interfaces.Interface, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error

AddConnectedPlug records apparmor-specific side-effects of having a connected plug.

func (*Specification) AddConnectedSlot

func (spec *Specification) AddConnectedSlot(iface interfaces.Interface, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error

AddConnectedSlot records mount-specific side-effects of having a connected slot.

func (*Specification) AddLayout

func (spec *Specification) AddLayout(si *snap.Info)

AddLayout adds apparmor snippets based on the layout of the snap.

The per-snap snap-update-ns profiles are composed via a template and snippets for the snap. The snippets may allow (depending on the snippet):

  • mount profiles via the content interface
  • creating missing mount point directories under $SNAP* (the 'tree' of permissions is needed for SecureMkDirAll that uses open(..., O_NOFOLLOW) and mkdirat() using the resulting file descriptor)
  • creating a placeholder directory in /tmp/.snap/ in the per-snap mount namespace to support writable mimic which uses tmpfs and bind mount to poke holes in arbitrary read-only locations
  • mounting/unmounting any part of $SNAP into placeholder directory
  • mounting/unmounting tmpfs over the original $SNAP/** location
  • mounting/unmounting from placeholder back to $SNAP/** (for reconstructing the data)

Importantly, the above mount operations are happening within the per-snap mount namespace.

func (*Specification) AddOvername

func (spec *Specification) AddOvername(si *snap.Info)

AddOvername adds AppArmor snippets allowing remapping of snap directories for parallel installed snaps.

Specifically, snap-update-ns will apply the following bind mounts:

  • /snap/foo_bar -> /snap/foo
  • /var/snap/foo_bar -> /var/snap/foo
  • /home/joe/snap/foo_bar -> /home/joe/snap/foo

func (*Specification) AddPermanentPlug

func (spec *Specification) AddPermanentPlug(iface interfaces.Interface, plug *snap.PlugInfo) error

AddPermanentPlug records mount-specific side-effects of having a plug.

func (*Specification) AddPermanentSlot

func (spec *Specification) AddPermanentSlot(iface interfaces.Interface, slot *snap.SlotInfo) error

AddPermanentSlot records mount-specific side-effects of having a slot.

func (*Specification) AddSnippet

func (spec *Specification) AddSnippet(snippet string)

AddSnippet adds a new apparmor snippet to all applications and hooks using the interface.

func (*Specification) AddUpdateNS

func (spec *Specification) AddUpdateNS(snippet string)

AddUpdateNS adds a new apparmor snippet for the snap-update-ns program.

func (*Specification) EmitUpdateNSFunc

func (spec *Specification) EmitUpdateNSFunc() func(f string, args ...interface{})

EmitUpdateNSFunc returns a function for emitting update-ns snippets.

func (*Specification) SecurityTags

func (spec *Specification) SecurityTags() []string

SecurityTags returns a list of security tags which have a snippet.

func (*Specification) SetSuppressHomeIx

func (spec *Specification) SetSuppressHomeIx()

SetSuppressHomeIx records a request to suppress the home ix rules (see SuppressHomeIx).

func (*Specification) SetSuppressPtraceTrace

func (spec *Specification) SetSuppressPtraceTrace()

SetSuppressPtraceTrace records a request for explicit ptrace deny rules.

func (*Specification) SetUsesPtraceTrace

func (spec *Specification) SetUsesPtraceTrace()

SetUsesPtraceTrace records that the snap uses ptrace trace, in which case the explicit ptrace deny rules are omitted.

func (*Specification) SnippetForTag

func (spec *Specification) SnippetForTag(tag string) string

SnippetForTag returns a combined snippet for the given security tag, with the individual snippets joined by a newline character. An empty string is returned for a non-existing security tag.

func (*Specification) Snippets

func (spec *Specification) Snippets() map[string][]string

Snippets returns a deep copy of all the added application snippets.

func (*Specification) SuppressHomeIx

func (spec *Specification) SuppressHomeIx() bool

func (*Specification) SuppressPtraceTrace

func (spec *Specification) SuppressPtraceTrace() bool

func (*Specification) UpdateNS

func (spec *Specification) UpdateNS() []string

UpdateNS returns a deep copy of all the added snap-update-ns snippets.

func (*Specification) UpdateNSIndexOf

func (spec *Specification) UpdateNSIndexOf(snippet string) (idx int, ok bool)

UpdateNSIndexOf returns the index of a previously added snippet.

func (*Specification) UsesPtraceTrace

func (spec *Specification) UsesPtraceTrace() bool
