Snappy

Merge lp:~jdstrand/snappy/15.04-docs into lp:~snappy-dev/snappy/15.04-deprecated

  1. 15.04-docs
  2. Merge into 15.04-deprecated
Proposed by Jamie Strandboge on 2015-05-26
Status: Merged
Merged at revision: 441
Proposed branch: lp:~jdstrand/snappy/15.04-docs
Merge into: lp:~snappy-dev/snappy/15.04-deprecated
Diff against target: 281 lines (+104/-45)
3 files modified
docs/frameworks.md (+20/-2)
docs/meta.md (+6/-5)
docs/security.md (+78/-38)
To merge this branch: bzr merge lp:~jdstrand/snappy/15.04-docs
Reviewer Review Type Date Requested Status
David Callé (community) Approve on 2015-05-26
Daniel Holbach 2015-05-26 Pending
Review via email: mp+260161@code.launchpad.net
To post a comment you must log in.
lp:~jdstrand/snappy/15.04-docs updated on 2015-05-26
441. By Jamie Strandboge on 2015-05-26

clarify sentence regarding frameworks and origin

David Callé (davidc3) wrote :

lgtm!

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== modified file 'docs/frameworks.md'
2--- docs/frameworks.md 2015-04-23 15:07:47 +0000
3+++ docs/frameworks.md 2015-05-26 14:35:48 +0000
4@@ -8,7 +8,8 @@
5 * Frameworks provide a significant benefit for many users
6 * Frameworks are delivered via snaps
7 * Frameworks can be installed on the same system without conflicts
8-* Frameworks typically will use a toplevel namespace
9+* Frameworks are unique and multiple origins for a framework are not supported
10+ (therefore frameworks must always be referred to without an `origin`)
11 * Framework `binaries` may be used without appending the package name and
12 these binary names are governed by the framework onboarding process (below)
13 * Frameworks must not depend on other frameworks
14@@ -65,15 +66,17 @@
15 ## Usage
16 ### framework yaml
17
18-For frameworks, meta/package.yaml should contain something like:
19+For frameworks, meta/package.yaml might contain something like:
20
21 name: foo
22 version: 1.1.234
23+ vendor: "Some Person <some.person@example.com>"
24 type: framework
25 services:
26 - name: bar
27 description: "desc for bar service"
28 start: bin/bar
29+ bus-name: com.example.foo
30 binaries:
31 - name: bin/baz
32 description: "desc for baz binary"
33@@ -82,6 +85,21 @@
34
35 * `type: framework` - defines the type of snap this is
36
37+#### DBus connection name
38+For framework services that provide a DBus interface, use `bus-name` to specify
39+the DBus connection name the service will bind to on the system bus (only
40+`^[A-Za-z0-9][A-Za-z0-9_-]*(\.[A-Za-z0-9][A-Za-z0-9_-]*)+$` is allowed). To
41+preserve coinstallability, the `bus-name` should typically use the form of one
42+of the following: `<name>`, `<name>.<service name>`, `<reverse domain>.<name>`
43+or `<reverse domain>.<name>.<service name>`. In the above yaml, any of the
44+following can be used:
45+
46+* `bus-name: foo`
47+* `bus-name: foo.bar`
48+* `bus-name: com.example.foo`
49+* `bus-name: com.example.foo.bar`
50+
51+#### Security policy
52 Frameworks will typically need specialized security policy. See `security.md`
53 for details.
54
55
56=== modified file 'docs/meta.md'
57--- docs/meta.md 2015-04-22 13:42:03 +0000
58+++ docs/meta.md 2015-05-26 14:35:48 +0000
59@@ -1,7 +1,7 @@
60 # Package metadata
61
62 This document describes the meta data of a snappy package. All files
63-are located under the `meta/` directory.
64+are located under the `meta/` directory.
65
66 The following files are supported:
67
68@@ -50,7 +50,7 @@
69 * `caps`: (optional) list of additional security policies to add.
70 See `security.md` for details
71 * `security-template`: (optional) alternate security template to use
72- instead of `default`. See `security.md` for details
73+ instead of `default`. See `security.md` for details
74 * `security-override`: (optional) high level overrides to use when
75 `security-template` and `caps` are not
76 sufficient. See security.md for details
77@@ -68,7 +68,8 @@
78 * `port`: (optional) see above
79 * `negotiable`: (optional) see above
80 * `bus-name`: (optional) message bus connection name for the service.
81- May only be specified for snaps of 'type: framework' (see above).
82+ May only be specified for snaps of 'type: framework' (see above). See
83+ frameworks.md for details.
84
85 * `binaries`: the binaries (executables) that the snap provides
86 * `name`: (required) the name of the binary, the user will be able to
87@@ -78,8 +79,8 @@
88 * `caps`: (optional) see entry in `services` (above)
89 * `security-template`: (optional) see entry in `services` (above)
90 * `security-override`: (optional) see entry in `services` (above)
91- * `security-policy`: (optional) see entry in `services` (above)
92-
93+ * `security-policy`: (optional) see entry in `services` (above)
94+
95 ## license.txt
96
97 A license text that the user must accept before the snap can be
98
99=== modified file 'docs/security.md'
100--- docs/security.md 2015-04-23 15:02:16 +0000
101+++ docs/security.md 2015-05-26 14:35:48 +0000
102@@ -8,16 +8,18 @@
103 packages and builds upon the packaging declaration as defined in `meta.md`.
104
105 ## How policy is applied
106-Security policy is typically defined by declaring a security template and any
107-additional security groups to extend the policy provided by the template. If
108+Application authors should not have to know about or understand the lowlevel
109+implementation details on how security policy is enforced. Instead, security
110+policy is typically defined by declaring a security template to use and any
111+additional security caps to extend the policy provided by the template. If
112 unspecified, default confinement allows the snap to run as a network client.
113
114 Applications are tracked by the system by using the concept of an
115 ApplicationId. The `APP_ID is` the composition of the package name, the app's
116-origin namespace from the store (if applicable-- only snaps of `type: app` (the
117-default) have an origin namespace as part of their `APP_ID`), the
118+origin from the store if applicable -- only snaps of `type: app` (the
119+default) use an origin to compose the `APP_ID`), the
120 service/binary name and package version. The `APP_ID` takes the form of
121-`<pkgname>.<namespace>_<appname>_<version>`. For example, if this is in
122+`<pkgname>.<origin>_<appname>_<version>`. For example, if this is in
123 `package.yaml`:
124
125 name: foo
126@@ -27,23 +29,34 @@
127 - name: bar
128 start: bin/bar
129
130-and the app was uploaded to the `myorigin` namespace in the store, then the
131+and the app was uploaded to the `myorigin` origin in the store, then the
132 `APP_ID` for the `bar` service is `foo.myorigin_bar_0.1`. The `APP_ID` is used
133 throughout the system including in the enforcement of security policy by the
134-app launcher. The launcher will:
135-
136-* setup various environment variables (eg, `SNAP_APP_ARCH`,
137+app launcher.
138+
139+Under the hood, the launcher:
140+
141+* sets up various environment variables (eg, `SNAP_APP_ARCH`,
142 `SNAP_APP_DATA_PATH`, `SNAP_APP_PATH`, `SNAP_APP_TMPDIR`,
143 `SNAP_APP_USER_DATA_PATH`, `SNAP_OLD_PWD`, `HOME` and `TMPDIR` (set to
144 `SNAP_APP_TMPDIR`). See the
145 [snappy FHS](https://developer.ubuntu.com/en/snappy/guides/filesystem-layout/) for details.
146-* chdir to `SNAP_APP_PATH` (the install directory)
147-* setup a device cgroup and add any devices which are assigned to this app
148-* setup the seccomp filter
149-* exec the app under AppArmor profile under a default nice value
150-
151-The launcher will be used when launching both services and when using CLI
152-binaries. The launcher enforces application isolation as per the snappy FHS.
153+* changes directory to `SNAP_APP_PATH` (the install directory)
154+* sets up a device cgroup with default devices (eg, /dev/null, /dev/urandom,
155+ etc) and any devices which are assigned to this app via OEM snaps or
156+ `snappy hw-assign` (eg, `snappy hw-assign foo.myorigin /dev/bar`).
157+* sets up the seccomp filter
158+* executes the app under an AppArmor profile under a default nice value
159+
160+The launcher is used when launching both services and CLI binaries. The
161+security policy and launcher enforce application isolation as per the snappy
162+FHS.
163+
164+This combination of restrictive AppArmor profiles (which mediate file access,
165+application execution, Linux capabilities(7), mount, ptrace, IPC, signals,
166+coarse-grained networking), clearly defined application-specific filesystem
167+areas, whitelist syscall filtering via seccomp and device cgroups provides for
168+strong application confinement and isolation (see below for future work).
169
170 ### AppArmor
171 Upon snap package install, `package.yaml` is examined and AppArmor profiles are
172@@ -68,14 +81,14 @@
173 Specify `caps: []` to indicate no additional `caps`. When `caps` and
174 `security-template` are not specified, `caps` defaults to client networking.
175 Not compatible with `security-override` or `security-policy`.
176- * AppArmor access is deny by default and apps are restricted to their
177- app-specific directories, libraries, etc (enforcing ro, rw, etc).
178- Additional access beyond what is allowed by the declared `security-template`
179- is declared via this option
180- * seccomp is deny by default. Enough safe syscalls are allowed so that apps
181- using the declared `security-template` should work. Additional access
182- beyond what is allowed by the `security-template` is declared via this
183- option
184+ * AppArmor access is deny by default and apps are restricted to
185+ their app-specific directories, libraries, etc (enforcing ro,
186+ rw, etc). Additional access beyond what is allowed by the
187+ declared `security-template` is declared via this option
188+ * seccomp is deny by default. Enough safe syscalls are allowed so
189+ that apps using the declared `security-template` should
190+ work. Additional access beyond what is allowed by the
191+ `security-template` is declared via this option
192 * `security-template`: (optional) alternate security template to use instead of
193 `default`. When specified without `caps`, `caps` defaults to being empty. Not
194 compatible with `security-override` or `security-policy`.
195@@ -84,13 +97,13 @@
196 [advanced usage](https://wiki.ubuntu.com/SecurityTeam/Specifications/SnappyConfinement)
197 for details. Not compatible with `caps`, `security-template` or
198 `security-policy`
199- * `apparmor: path/to/security.override`
200- * `seccomp: path/to/filter.override`
201+ * `apparmor: path/to/security.override`
202+ * `seccomp: path/to/filter.override`
203 * `security-policy`: (optional) hand-crafted low-level raw security policy to
204 use instead of using default template-based security policy. Not compatible
205 with `caps`, `security-template` or `security-override`.
206- * `apparmor: path/to/profile`
207- * `seccomp: path/to/filter`
208+ * `apparmor: path/to/profile`
209+ * `seccomp: path/to/filter`
210
211 Eg, consider the following:
212
213@@ -116,7 +129,7 @@
214 - name: cli-exe
215 caps: []
216
217-If this package is uploaded to the store in the `myorigin` namespace, then:
218+If this package is uploaded to the store in the `myorigin` origin, then:
219
220 * `APP_ID` for `bar` is `foo.myorigin_bar_1.0`. It uses the `default` template
221 and `network-client` (default) cap
222@@ -157,24 +170,51 @@
223 The available templates and policy groups of the target system can be seen by
224 running `snappy-security list` on the target system.
225
226+## Debugging
227+To check to see if you have any denials:
228+
229+ $ sudo grep audit /var/log/syslog
230+
231+An AppArmor denial will look something like:
232+
233+ audit: type=1400 audit(1431384420.408:319): apparmor="DENIED" operation="mkdir" profile="foo_bar_0.1" name="/var/lib/foo" pid=637 comm="bar" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
234+
235+If there are no AppArmor denials, AppArmor isn't blocking the app.
236+
237+A seccomp denial will look something like:
238+
239+ audit: type=1326 audit(1430766107.122:16): auid=1000 uid=1000 gid=1000 ses=15 pid=1491 comm="env" exe="/bin/bash" sig=31 arch=40000028 syscall=983045 compat=0 ip=0xb6fb0bd6 code=0x0
240+
241+The `syscall=983045` can be resolved with the `scmp_sys_resolver` command:
242+
243+ $ scmp_sys_resolver 983045
244+ set_tls
245+
246+If there are no seccomp denials, seccomp isn't blocking the app.
247+
248+For more information, please see
249+[debugging](https://wiki.ubuntu.com/SecurityTeam/Specifications/SnappyConfinement#Debugging).
250+
251 ## Future
252 The following is planned:
253
254 * launcher:
255- * setup additional cgroups (tag network traffic, memory)
256- * setup iptables using cgroup tags (for internal app access)
257- * drop privileges to uid of service
258+ * utilize syscall argument filtering
259+ * setup additional cgroups (tag network traffic, memory)
260+ * setup iptables using cgroup tags (for internal app access)
261+ * drop privileges to uid of service
262+* fine-grained network mediation via AppArmor
263 * `sockets`: (optional) `AF_UNIX` abstract socket definition for coordinated
264 snap communications. Abstract sockets will be namespaced and yaml is such
265 that (client) apps wanting to use the socket don't have to declare anything
266 extra, but they don't have access unless the (server) binary declaring the
267 socket says that app is ok).
268- * `names`: (optional) list of abstract socket names (`<name>_<binaryname>` is
269- prepended)
270- * `allowed-clients`: `<name>.<namespace>` or `<name>.<namespace>_<binaryname>`
271- (ie, omit version and `binaryname` to allow all from snap
272- `<name>.<namespace>` or omit version to allow only `binaryname` from snap
273- `<name>`)
274+ * `names`: (optional) list of abstract socket names
275+ (`<name>_<binaryname>` is prepended)
276+ * `allowed-clients`: `<name>.<origin>` or
277+ `<name>.<origin>_<binaryname>` (ie, omit version and
278+ `binaryname` to allow all from snap `<name>.<origin>` or omit
279+ version to allow only `binaryname` from snap `<name>`)
280
281 Eg:
282

Subscribers

People subscribed via source and target branches