// Setup creates a conf file with list of kernel modules required by given snap, // writes it in /etc/modules-load.d/ directory and immediately loads the modules // using /sbin/modprobe. The devMode is ignored. // // If the method fails it should be re-tried (with a sensible strategy) by the caller. func (b *Backend) Setup(snapInfo *snap.Info, confinement interfaces.ConfinementOptions, repo *interfaces.Repository) error { snapName := snapInfo.Name() // Get the snippets that apply to this snap snippets, err := repo.SecuritySnippetsForSnap(snapInfo.Name(), interfaces.SecurityKMod) if err != nil { return fmt.Errorf("cannot obtain kmod security snippets for snap %q: %s", snapName, err) } // Get the files that this snap should have glob := interfaces.SecurityTagGlob(snapName) content, modules, err := b.combineSnippets(snapInfo, snippets) if err != nil { return fmt.Errorf("cannot obtain expected security files for snap %q: %s", snapName, err) } dir := dirs.SnapKModModulesDir if err := os.MkdirAll(dir, 0755); err != nil { return fmt.Errorf("cannot create directory for kmod files %q: %s", dir, err) } changed, _, err := osutil.EnsureDirState(dirs.SnapKModModulesDir, glob, content) if err != nil { return err } if len(changed) > 0 { return loadModules(modules) } return nil }
// Remove removes seccomp profiles of a given snap. func (b *Backend) Remove(snapName string) error { glob := interfaces.SecurityTagGlob(snapName) _, _, err := osutil.EnsureDirState(dirs.SnapSeccompDir, glob, nil) if err != nil { return fmt.Errorf("cannot synchronize security files for snap %q: %s", snapName, err) } return nil }
// Remove removes dbus configuration files of a given snap. // // This method should be called after removing a snap. func (b *Backend) Remove(snapName string) error { glob := fmt.Sprintf("%s.conf", interfaces.SecurityTagGlob(snapName)) _, _, err := osutil.EnsureDirState(dirs.SnapBusPolicyDir, glob, nil) if err != nil { return fmt.Errorf("cannot synchronize DBus configuration files for snap %q: %s", snapName, err) } return nil }
// Remove removes and unloads apparmor profiles of a given snap. func (b *Backend) Remove(snapName string) error { glob := interfaces.SecurityTagGlob(snapName) _, removed, errEnsure := osutil.EnsureDirState(dirs.SnapAppArmorDir, glob, nil) errUnload := unloadProfiles(removed) if errEnsure != nil { return fmt.Errorf("cannot synchronize security files for snap %q: %s", snapName, errEnsure) } return errUnload }
// Setup creates seccomp profiles specific to a given snap. // The snap can be in developer mode to make security violations non-fatal to // the offending application process. // // This method should be called after changing plug, slots, connections between // them or application present in the snap. func (b *Backend) Setup(snapInfo *snap.Info, devMode bool, repo *interfaces.Repository) error { snapName := snapInfo.Name() // Get the snippets that apply to this snap snippets, err := repo.SecuritySnippetsForSnap(snapInfo.Name(), interfaces.SecuritySecComp) if err != nil { return fmt.Errorf("cannot obtain security snippets for snap %q: %s", snapName, err) } // Get the files that this snap should have content, err := b.combineSnippets(snapInfo, devMode, snippets) if err != nil { return fmt.Errorf("cannot obtain expected security files for snap %q: %s", snapName, err) } glob := interfaces.SecurityTagGlob(snapName) dir := dirs.SnapSeccompDir if err := os.MkdirAll(dir, 0755); err != nil { return fmt.Errorf("cannot create directory for seccomp profiles %q: %s", dir, err) } _, _, err = osutil.EnsureDirState(dir, glob, content) if err != nil { return fmt.Errorf("cannot synchronize security files for snap %q: %s", snapName, err) } return nil }
// Setup creates dbus configuration files specific to a given snap. // // DBus has no concept of a complain mode so confinment type is ignored. func (b *Backend) Setup(snapInfo *snap.Info, opts interfaces.ConfinementOptions, repo *interfaces.Repository) error { snapName := snapInfo.Name() // Get the snippets that apply to this snap snippets, err := repo.SecuritySnippetsForSnap(snapInfo.Name(), interfaces.SecurityDBus) if err != nil { return fmt.Errorf("cannot obtain DBus security snippets for snap %q: %s", snapName, err) } // Get the files that this snap should have content, err := b.combineSnippets(snapInfo, snippets) if err != nil { return fmt.Errorf("cannot obtain expected DBus configuration files for snap %q: %s", snapName, err) } glob := fmt.Sprintf("%s.conf", interfaces.SecurityTagGlob(snapName)) dir := dirs.SnapBusPolicyDir if err := os.MkdirAll(dir, 0755); err != nil { return fmt.Errorf("cannot create directory for DBus configuration files %q: %s", dir, err) } _, _, err = osutil.EnsureDirState(dir, glob, content) if err != nil { return fmt.Errorf("cannot synchronize DBus configuration files for snap %q: %s", snapName, err) } return nil }
// Setup creates and loads apparmor profiles specific to a given snap. // The snap can be in developer mode to make security violations non-fatal to // the offending application process. // // This method should be called after changing plug, slots, connections between // them or application present in the snap. func (b *Backend) Setup(snapInfo *snap.Info, opts interfaces.ConfinementOptions, repo *interfaces.Repository) error { snapName := snapInfo.Name() // Get the snippets that apply to this snap snippets, err := repo.SecuritySnippetsForSnap(snapName, interfaces.SecurityAppArmor) if err != nil { return fmt.Errorf("cannot obtain security snippets for snap %q: %s", snapName, err) } // Get the files that this snap should have content, err := b.combineSnippets(snapInfo, opts, snippets) if err != nil { return fmt.Errorf("cannot obtain expected security files for snap %q: %s", snapName, err) } glob := interfaces.SecurityTagGlob(snapInfo.Name()) dir := dirs.SnapAppArmorDir if err := os.MkdirAll(dir, 0755); err != nil { return fmt.Errorf("cannot create directory for apparmor profiles %q: %s", dir, err) } _, removed, errEnsure := osutil.EnsureDirState(dir, glob, content) // NOTE: load all profiles instead of just the changed profiles. We're // relying on apparmor cache to make this efficient. This gives us // certainty that each call to Setup ends up with working profiles. all := make([]string, 0, len(content)) for name := range content { all = append(all, name) } sort.Strings(all) errReload := reloadProfiles(all) errUnload := unloadProfiles(removed) if errEnsure != nil { return fmt.Errorf("cannot synchronize security files for snap %q: %s", snapName, errEnsure) } if errReload != nil { return errReload } return errUnload }
// Remove removes modules config file specific to a given snap. // // This method should be called after removing a snap. // // If the method fails it should be re-tried (with a sensible strategy) by the caller. func (b *Backend) Remove(snapName string) error { glob := interfaces.SecurityTagGlob(snapName) _, _, err := osutil.EnsureDirState(dirs.SnapKModModulesDir, glob, nil) return err }