~mvo/snappy/snappy-lp1460152-workaround-15.04 : revision 433

8

packages and builds upon the packaging declaration as defined in `meta.md`.

9

10

## How policy is applied

11

Application authors should not have to know about or understand the lowlevel

12

implementation details on how security policy is enforced. Instead, security

13

policy is typically defined by declaring a security template to use and any

14

additional security caps to extend the policy provided by the template. If

11

Security policy is typically defined by declaring a security template and any

12

additional security groups to extend the policy provided by the template. If

15

13

unspecified, default confinement allows the snap to run as a network client.

16

14

17

15

Applications are tracked by the system by using the concept of an

18

16

ApplicationId. The `APP_ID is` the composition of the package name, the app's

19

origin from the store if applicable -- only snaps of `type: app` (the

20

default) use an origin to compose the `APP_ID`), the

17

origin namespace from the store (if applicable-- only snaps of `type: app` (the

18

default) have an origin namespace as part of their `APP_ID`), the

21

19

service/binary name and package version. The `APP_ID` takes the form of

22

`<pkgname>.<origin>_<appname>_<version>`. For example, if this is in

20

`<pkgname>.<namespace>_<appname>_<version>`. For example, if this is in

23

21

`package.yaml`:

24

22

25

23

name: foo

29

27

- name: bar

30

28

start: bin/bar

31

29

32

and the app was uploaded to the `myorigin` origin in the store, then the

30

and the app was uploaded to the `myorigin` namespace in the store, then the

33

31

`APP_ID` for the `bar` service is `foo.myorigin_bar_0.1`. The `APP_ID` is used

34

32

throughout the system including in the enforcement of security policy by the

35

app launcher.

36

37

Under the hood, the launcher:

38

39

* sets up various environment variables (eg, `SNAP_APP_ARCH`,

33

app launcher. The launcher will:

34

35

* setup various environment variables (eg, `SNAP_APP_ARCH`,

40

36

`SNAP_APP_DATA_PATH`, `SNAP_APP_PATH`, `SNAP_APP_TMPDIR`,

41

37

`SNAP_APP_USER_DATA_PATH`, `SNAP_OLD_PWD`, `HOME` and `TMPDIR` (set to

42

38

`SNAP_APP_TMPDIR`). See the

43

39

[snappy FHS](https://developer.ubuntu.com/en/snappy/guides/filesystem-layout/) for details.

44

* changes directory to `SNAP_APP_PATH` (the install directory)

45

* sets up a device cgroup with default devices (eg, /dev/null, /dev/urandom,

46

etc) and any devices which are assigned to this app via OEM snaps or

47

`snappy hw-assign` (eg, `snappy hw-assign foo.myorigin /dev/bar`).

48

* sets up the seccomp filter

49

* executes the app under an AppArmor profile under a default nice value

50

51

The launcher is used when launching both services and CLI binaries. The

52

security policy and launcher enforce application isolation as per the snappy

53

FHS.

54

55

This combination of restrictive AppArmor profiles (which mediate file access,

56

application execution, Linux capabilities(7), mount, ptrace, IPC, signals,

57

coarse-grained networking), clearly defined application-specific filesystem

58

areas, whitelist syscall filtering via seccomp and device cgroups provides for

59

strong application confinement and isolation (see below for future work).

40

* chdir to `SNAP_APP_PATH` (the install directory)

41

* setup a device cgroup and add any devices which are assigned to this app

42

* setup the seccomp filter

43

* exec the app under AppArmor profile under a default nice value

44

45

The launcher will be used when launching both services and when using CLI

46

binaries. The launcher enforces application isolation as per the snappy FHS.

60

47

61

48

### AppArmor

62

49

Upon snap package install, `package.yaml` is examined and AppArmor profiles are

81

68

Specify `caps: []` to indicate no additional `caps`. When `caps` and

82

69

`security-template` are not specified, `caps` defaults to client networking.

83

70

Not compatible with `security-override` or `security-policy`.

84

* AppArmor access is deny by default and apps are restricted to

85

their app-specific directories, libraries, etc (enforcing ro,

86

rw, etc). Additional access beyond what is allowed by the

87

declared `security-template` is declared via this option

88

* seccomp is deny by default. Enough safe syscalls are allowed so

89

that apps using the declared `security-template` should

90

work. Additional access beyond what is allowed by the

91

`security-template` is declared via this option

71

* AppArmor access is deny by default and apps are restricted to their

72

app-specific directories, libraries, etc (enforcing ro, rw, etc).

73

Additional access beyond what is allowed by the declared `security-template`

74

is declared via this option

75

* seccomp is deny by default. Enough safe syscalls are allowed so that apps

76

using the declared `security-template` should work. Additional access

77

beyond what is allowed by the `security-template` is declared via this

78

option

92

79

* `security-template`: (optional) alternate security template to use instead of

93

80

`default`. When specified without `caps`, `caps` defaults to being empty. Not

94

81

compatible with `security-override` or `security-policy`.

97

84

[advanced usage](https://wiki.ubuntu.com/SecurityTeam/Specifications/SnappyConfinement)

98

85

for details. Not compatible with `caps`, `security-template` or

99

86

`security-policy`

100

* `apparmor: path/to/security.override`

101

* `seccomp: path/to/filter.override`

87

* `apparmor: path/to/security.override`

88

* `seccomp: path/to/filter.override`

102

89

* `security-policy`: (optional) hand-crafted low-level raw security policy to

103

90

use instead of using default template-based security policy. Not compatible

104

91

with `caps`, `security-template` or `security-override`.

105

* `apparmor: path/to/profile`

106

* `seccomp: path/to/filter`

92

* `apparmor: path/to/profile`

93

* `seccomp: path/to/filter`

107

94

108

95

Eg, consider the following:

109

96

129

116

- name: cli-exe

130

117

caps: []

131

118

132

If this package is uploaded to the store in the `myorigin` origin, then:

119

If this package is uploaded to the store in the `myorigin` namespace, then:

133

120

134

121

* `APP_ID` for `bar` is `foo.myorigin_bar_1.0`. It uses the `default` template

135

122

and `network-client` (default) cap

170

157

The available templates and policy groups of the target system can be seen by

171

158

running `snappy-security list` on the target system.

172

159

173

## Debugging

174

To check to see if you have any denials:

175

176

$ sudo grep audit /var/log/syslog

177

178

An AppArmor denial will look something like:

179

180

audit: type=1400 audit(1431384420.408:319): apparmor="DENIED" operation="mkdir" profile="foo_bar_0.1" name="/var/lib/foo" pid=637 comm="bar" requested_mask="c" denied_mask="c" fsuid=0 ouid=0

181

182

If there are no AppArmor denials, AppArmor isn't blocking the app.

183

184

A seccomp denial will look something like:

185

186

audit: type=1326 audit(1430766107.122:16): auid=1000 uid=1000 gid=1000 ses=15 pid=1491 comm="env" exe="/bin/bash" sig=31 arch=40000028 syscall=983045 compat=0 ip=0xb6fb0bd6 code=0x0

187

188

The `syscall=983045` can be resolved with the `scmp_sys_resolver` command:

189

190

$ scmp_sys_resolver 983045

191

set_tls

192

193

If there are no seccomp denials, seccomp isn't blocking the app.

194

195

For more information, please see

196

[debugging](https://wiki.ubuntu.com/SecurityTeam/Specifications/SnappyConfinement#Debugging).

197

198

160

## Future

199

161

The following is planned:

200

162

201

163

* launcher:

202

* utilize syscall argument filtering

203

* setup additional cgroups (tag network traffic, memory)

204

* setup iptables using cgroup tags (for internal app access)

205

* drop privileges to uid of service

206

* fine-grained network mediation via AppArmor

164

* setup additional cgroups (tag network traffic, memory)

165

* setup iptables using cgroup tags (for internal app access)

166

* drop privileges to uid of service

207

167

* `sockets`: (optional) `AF_UNIX` abstract socket definition for coordinated

208

168

snap communications. Abstract sockets will be namespaced and yaml is such

209

169

that (client) apps wanting to use the socket don't have to declare anything

210

170

extra, but they don't have access unless the (server) binary declaring the

211

171

socket says that app is ok).

212

* `names`: (optional) list of abstract socket names

213

(`<name>_<binaryname>` is prepended)

214

* `allowed-clients`: `<name>.<origin>` or

215

`<name>.<origin>_<binaryname>` (ie, omit version and

216

`binaryname` to allow all from snap `<name>.<origin>` or omit

217

version to allow only `binaryname` from snap `<name>`)

172

* `names`: (optional) list of abstract socket names (`<name>_<binaryname>` is

173

prepended)

174

* `allowed-clients`: `<name>.<namespace>` or `<name>.<namespace>_<binaryname>`

175

(ie, omit version and `binaryname` to allow all from snap

176

`<name>.<namespace>` or omit version to allow only `binaryname` from snap

177

`<name>`)

218

178

219

179

Eg:

220

180