8
8
packages and builds upon the packaging declaration as defined in `meta.md`.
10
10
## How policy is applied
11
Application authors should not have to know about or understand the lowlevel
12
implementation details on how security policy is enforced. Instead, security
13
policy is typically defined by declaring a security template to use and any
14
additional security caps to extend the policy provided by the template. If
11
Security policy is typically defined by declaring a security template and any
12
additional security groups to extend the policy provided by the template. If
15
13
unspecified, default confinement allows the snap to run as a network client.
17
15
Applications are tracked by the system by using the concept of an
18
16
ApplicationId. The `APP_ID is` the composition of the package name, the app's
19
origin from the store if applicable -- only snaps of `type: app` (the
20
default) use an origin to compose the `APP_ID`), the
17
origin namespace from the store (if applicable-- only snaps of `type: app` (the
18
default) have an origin namespace as part of their `APP_ID`), the
21
19
service/binary name and package version. The `APP_ID` takes the form of
22
`<pkgname>.<origin>_<appname>_<version>`. For example, if this is in
20
`<pkgname>.<namespace>_<appname>_<version>`. For example, if this is in
32
and the app was uploaded to the `myorigin` origin in the store, then the
30
and the app was uploaded to the `myorigin` namespace in the store, then the
33
31
`APP_ID` for the `bar` service is `foo.myorigin_bar_0.1`. The `APP_ID` is used
34
32
throughout the system including in the enforcement of security policy by the
37
Under the hood, the launcher:
39
* sets up various environment variables (eg, `SNAP_APP_ARCH`,
33
app launcher. The launcher will:
35
* setup various environment variables (eg, `SNAP_APP_ARCH`,
40
36
`SNAP_APP_DATA_PATH`, `SNAP_APP_PATH`, `SNAP_APP_TMPDIR`,
41
37
`SNAP_APP_USER_DATA_PATH`, `SNAP_OLD_PWD`, `HOME` and `TMPDIR` (set to
42
38
`SNAP_APP_TMPDIR`). See the
43
39
[snappy FHS](https://developer.ubuntu.com/en/snappy/guides/filesystem-layout/) for details.
44
* changes directory to `SNAP_APP_PATH` (the install directory)
45
* sets up a device cgroup with default devices (eg, /dev/null, /dev/urandom,
46
etc) and any devices which are assigned to this app via OEM snaps or
47
`snappy hw-assign` (eg, `snappy hw-assign foo.myorigin /dev/bar`).
48
* sets up the seccomp filter
49
* executes the app under an AppArmor profile under a default nice value
51
The launcher is used when launching both services and CLI binaries. The
52
security policy and launcher enforce application isolation as per the snappy
55
This combination of restrictive AppArmor profiles (which mediate file access,
56
application execution, Linux capabilities(7), mount, ptrace, IPC, signals,
57
coarse-grained networking), clearly defined application-specific filesystem
58
areas, whitelist syscall filtering via seccomp and device cgroups provides for
59
strong application confinement and isolation (see below for future work).
40
* chdir to `SNAP_APP_PATH` (the install directory)
41
* setup a device cgroup and add any devices which are assigned to this app
42
* setup the seccomp filter
43
* exec the app under AppArmor profile under a default nice value
45
The launcher will be used when launching both services and when using CLI
46
binaries. The launcher enforces application isolation as per the snappy FHS.
62
49
Upon snap package install, `package.yaml` is examined and AppArmor profiles are
81
68
Specify `caps: []` to indicate no additional `caps`. When `caps` and
82
69
`security-template` are not specified, `caps` defaults to client networking.
83
70
Not compatible with `security-override` or `security-policy`.
84
* AppArmor access is deny by default and apps are restricted to
85
their app-specific directories, libraries, etc (enforcing ro,
86
rw, etc). Additional access beyond what is allowed by the
87
declared `security-template` is declared via this option
88
* seccomp is deny by default. Enough safe syscalls are allowed so
89
that apps using the declared `security-template` should
90
work. Additional access beyond what is allowed by the
91
`security-template` is declared via this option
71
* AppArmor access is deny by default and apps are restricted to their
72
app-specific directories, libraries, etc (enforcing ro, rw, etc).
73
Additional access beyond what is allowed by the declared `security-template`
74
is declared via this option
75
* seccomp is deny by default. Enough safe syscalls are allowed so that apps
76
using the declared `security-template` should work. Additional access
77
beyond what is allowed by the `security-template` is declared via this
92
79
* `security-template`: (optional) alternate security template to use instead of
93
80
`default`. When specified without `caps`, `caps` defaults to being empty. Not
94
81
compatible with `security-override` or `security-policy`.
97
84
[advanced usage](https://wiki.ubuntu.com/SecurityTeam/Specifications/SnappyConfinement)
98
85
for details. Not compatible with `caps`, `security-template` or
100
* `apparmor: path/to/security.override`
101
* `seccomp: path/to/filter.override`
87
* `apparmor: path/to/security.override`
88
* `seccomp: path/to/filter.override`
102
89
* `security-policy`: (optional) hand-crafted low-level raw security policy to
103
90
use instead of using default template-based security policy. Not compatible
104
91
with `caps`, `security-template` or `security-override`.
105
* `apparmor: path/to/profile`
106
* `seccomp: path/to/filter`
92
* `apparmor: path/to/profile`
93
* `seccomp: path/to/filter`
108
95
Eg, consider the following:
170
157
The available templates and policy groups of the target system can be seen by
171
158
running `snappy-security list` on the target system.
174
To check to see if you have any denials:
176
$ sudo grep audit /var/log/syslog
178
An AppArmor denial will look something like:
180
audit: type=1400 audit(1431384420.408:319): apparmor="DENIED" operation="mkdir" profile="foo_bar_0.1" name="/var/lib/foo" pid=637 comm="bar" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
182
If there are no AppArmor denials, AppArmor isn't blocking the app.
184
A seccomp denial will look something like:
186
audit: type=1326 audit(1430766107.122:16): auid=1000 uid=1000 gid=1000 ses=15 pid=1491 comm="env" exe="/bin/bash" sig=31 arch=40000028 syscall=983045 compat=0 ip=0xb6fb0bd6 code=0x0
188
The `syscall=983045` can be resolved with the `scmp_sys_resolver` command:
190
$ scmp_sys_resolver 983045
193
If there are no seccomp denials, seccomp isn't blocking the app.
195
For more information, please see
196
[debugging](https://wiki.ubuntu.com/SecurityTeam/Specifications/SnappyConfinement#Debugging).
199
161
The following is planned:
202
* utilize syscall argument filtering
203
* setup additional cgroups (tag network traffic, memory)
204
* setup iptables using cgroup tags (for internal app access)
205
* drop privileges to uid of service
206
* fine-grained network mediation via AppArmor
164
* setup additional cgroups (tag network traffic, memory)
165
* setup iptables using cgroup tags (for internal app access)
166
* drop privileges to uid of service
207
167
* `sockets`: (optional) `AF_UNIX` abstract socket definition for coordinated
208
168
snap communications. Abstract sockets will be namespaced and yaml is such
209
169
that (client) apps wanting to use the socket don't have to declare anything
210
170
extra, but they don't have access unless the (server) binary declaring the
211
171
socket says that app is ok).
212
* `names`: (optional) list of abstract socket names
213
(`<name>_<binaryname>` is prepended)
214
* `allowed-clients`: `<name>.<origin>` or
215
`<name>.<origin>_<binaryname>` (ie, omit version and
216
`binaryname` to allow all from snap `<name>.<origin>` or omit
217
version to allow only `binaryname` from snap `<name>`)
172
* `names`: (optional) list of abstract socket names (`<name>_<binaryname>` is
174
* `allowed-clients`: `<name>.<namespace>` or `<name>.<namespace>_<binaryname>`
175
(ie, omit version and `binaryname` to allow all from snap
176
`<name>.<namespace>` or omit version to allow only `binaryname` from snap