Snappy

Merge lp:~mvo/snappy/snappy-add-apparmor-override into lp:~snappy-dev/snappy/snappy-moved-to-github

  1. snappy-add-apparmor-override
  2. Merge into snappy-moved-to-github
Proposed by Michael Vogt on 2015-04-22
Status: Merged
Approved by: Michael Vogt on 2015-04-22
Approved revision: 418
Merged at revision: 418
Proposed branch: lp:~mvo/snappy/snappy-add-apparmor-override
Merge into: lp:~snappy-dev/snappy/snappy-moved-to-github
Diff against target: 118 lines (+74/-0)
2 files modified
snappy/oem.go (+42/-0)
snappy/oem_test.go (+32/-0)
To merge this branch: bzr merge lp:~mvo/snappy/snappy-add-apparmor-override
Reviewer Review Type Date Requested Status
Jamie Strandboge 2015-04-22 Approve on 2015-04-22
Sergio Schvezov Approve on 2015-04-22
Review via email: mp+257076@code.launchpad.net

Commit Message

Add $PartID.json.additional apparmor files on OEM hardware assign installs.

Description of the Change

This branch adds a $PartID.json.additional file for each OEM hardware
assign package. This way the default apparmor policy can be deny-all
for /dev and we only open that for apps that need /dev - in which case
the launcher will use the device cgroup to grant the specific access.

To post a comment you must log in.
Sergio Schvezov (sergiusens) wrote :

Hey there, this looks good, I added a couple of comments but they may be irrelevant as I haven't been looking at apparmor related tasks.

John Lenton (chipaca) :
Jamie Strandboge (jdstrand) wrote :

How does this work with the 'snappy hw-assign'? Is the idea that the OEM hardware assign adds /dev/** since that implements all the udev tagging, but that hw-assign will still only add just what the user said (along with the udev rules from the other branch)?

review: Needs Information
Michael Vogt (mvo) wrote :

Yes, hwassign adds specific rules, oem all

On 22 April 2015 15:09:43 CEST, Jamie Strandboge <email address hidden> wrote:
>Review: Needs Information
>
>How does this work with the 'snappy hw-assign'? Is the idea that the
>OEM hardware assign adds /dev/** since that implements all the udev
>tagging, but that hw-assign will still only add just what the user said
>(along with the udev rules from the other branch)?
>--
>https://code.launchpad.net/~mvo/snappy/snappy-add-apparmor-override/+merge/257076
>You are the owner of lp:~mvo/snappy/snappy-add-apparmor-override.

--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.

Michael Vogt (mvo) wrote :

Thanks for the review! I addressed the issues, please let me know if there is anything else I can do or if I missed anything.

Michael Vogt (mvo) wrote :

Branch updated and conflicts resolved.

Sergio Schvezov (sergiusens) :
Sergio Schvezov (sergiusens) wrote :

thanks!

review: Approve
Jamie Strandboge (jdstrand) :
review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== modified file 'snappy/oem.go'
2--- snappy/oem.go 2015-04-22 08:27:20 +0000
3+++ snappy/oem.go 2015-04-22 14:48:35 +0000
4@@ -24,6 +24,7 @@
5 "errors"
6 "fmt"
7 "io/ioutil"
8+ "log"
9 "os"
10 "os/exec"
11 "path/filepath"
12@@ -145,6 +146,15 @@
13 os.Remove(f)
14 }
15
16+ // cleanup the additional files
17+ for _, h := range m.OEM.Hardware.Assign {
18+ jsonAdditionalPath := filepath.Join(snapAppArmorDir, fmt.Sprintf("%s.json.additional", h.PartID))
19+ err = os.Remove(jsonAdditionalPath)
20+ if err != nil && !os.IsNotExist(err) {
21+ log.Printf("Failed to remove %v: %v", jsonAdditionalPath, err)
22+ }
23+ }
24+
25 return nil
26 }
27
28@@ -188,11 +198,43 @@
29 return runUdevAdm("udevadm", "trigger")
30 }
31
32+const apparmorAdditionalContent = `{
33+ "write_path": [
34+ "/dev/**"
35+ ]
36+}`
37+
38+// writeApparmorAdditionalFile generate a $partID.json.additional file.
39+//
40+// This file grants additional access on top of the existing apparmor json
41+// rules. This is required for the OEM hardware assign code because by
42+// default apparmor will not allow access to /dev. We grant access here
43+// and the ubuntu-core-launcher is then used to generate a confinement
44+// based on the devices cgroup.
45+func writeApparmorAdditionalFile(m *packageYaml) error {
46+ if err := helpers.EnsureDir(snapAppArmorDir, 0755); err != nil {
47+ return err
48+ }
49+
50+ for _, h := range m.OEM.Hardware.Assign {
51+ jsonAdditionalPath := filepath.Join(snapAppArmorDir, fmt.Sprintf("%s.json.additional", h.PartID))
52+ if err := ioutil.WriteFile(jsonAdditionalPath, []byte(apparmorAdditionalContent), 0644); err != nil {
53+ return err
54+ }
55+ }
56+
57+ return nil
58+}
59+
60 func installOemHardwareUdevRules(m *packageYaml) error {
61 if err := writeOemHardwareUdevRules(m); err != nil {
62 return err
63 }
64
65+ if err := writeApparmorAdditionalFile(m); err != nil {
66+ return err
67+ }
68+
69 if err := activateOemHardwareUdevRules(); err != nil {
70 return err
71 }
72
73=== modified file 'snappy/oem_test.go'
74--- snappy/oem_test.go 2015-04-20 21:04:42 +0000
75+++ snappy/oem_test.go 2015-04-22 14:48:35 +0000
76@@ -21,6 +21,11 @@
77 package snappy
78
79 import (
80+ "io/ioutil"
81+ "path/filepath"
82+
83+ "launchpad.net/snappy/helpers"
84+
85 . "launchpad.net/gocheck"
86 )
87
88@@ -57,3 +62,30 @@
89 func (s *OemSuite) TestStoreID(c *C) {
90 c.Assert(StoreID(), Equals, "ninjablocks")
91 }
92+
93+func (s *OemSuite) TestWriteApparmorAdditionalFile(c *C) {
94+ m, err := parsePackageYamlData(hardwareYaml)
95+ c.Assert(err, IsNil)
96+
97+ err = writeApparmorAdditionalFile(m)
98+ c.Assert(err, IsNil)
99+
100+ content, err := ioutil.ReadFile(filepath.Join(snapAppArmorDir, "device-hive-iot-hal.json.additional"))
101+ c.Assert(err, IsNil)
102+ c.Assert(string(content), Equals, apparmorAdditionalContent)
103+}
104+
105+func (s *OemSuite) TestCleanupOemHardwareRules(c *C) {
106+ m, err := parsePackageYamlData(hardwareYaml)
107+ c.Assert(err, IsNil)
108+
109+ err = writeApparmorAdditionalFile(m)
110+ c.Assert(err, IsNil)
111+
112+ additionalFile := filepath.Join(snapAppArmorDir, "device-hive-iot-hal.json.additional")
113+ c.Assert(helpers.FileExists(additionalFile), Equals, true)
114+
115+ err = cleanupOemHardwareUdevRules(m)
116+ c.Assert(err, IsNil)
117+ c.Assert(helpers.FileExists(additionalFile), Equals, false)
118+}

Subscribers

People subscribed via source and target branches