How do I prevent my snap application from falling into AppArmor's complain mode?


#1

Hello.

I’ve built an application via snapcraft for a Dell edge gateway (x86-based) machine with confinement devmode.
Ubuntu core-16 is the OS on the device and I want to run OS hardening test cases as per https://secscan.acron.pl/ubuntu1604/start

Before installing my snap (application) on my Dell device, I executed the following command as one of the test cases:
# apparmor_status
The response to this command was a set of lines, with two specific lines stating:

0 profiles are in complain mode.

0 processes are in complain mode.

But after installing my application snap, I get a different output from the same command, as per the screenshot.


Note: snap.gatewayapp.gatewayapp and snap.watchdogapp.watchdogapp are the applications installed by me.

Please help me understand how I can prevent my snap application from falling into AppArmor’s complain mode.
What are the limitations or potential issues of an application in complain mode?
Please help me understand it.
Thanks in advance. :slight_smile:


#2

A snap will have AppArmor rules applied in complain mode when you have designated it to be confinement: devmode. You should switch to confinement: strict, which will apply the same rules in enforce mode, once you’ve worked out the required interfaces and added them to your snap metadata.
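
A check for the test case discussed in this thread, as an added example that is not part of either post: it reads `apparmor_status` output and names the snaps whose profiles are in complain mode, so the result can be compared before and after rebuilding with confinement: strict. The sample output is constructed (`otherapp` and the PIDs are made up) and the function names are hypothetical.

```sh
#!/bin/sh
# Reads `apparmor_status` output on stdin and prints each snap that has at
# least one profile in complain mode. Profile names are indented under a
# "N profiles are in <mode> mode." header and look like snap.<snap>.<app>.
complain_snaps() {
    awk '
        /^[0-9]+ profiles are in complain mode\./ { in_sec = 1; next }
        /^[^ \t]/ { in_sec = 0 }         # next unindented header ends the list
        in_sec && $1 ~ /^snap\./ {
            split($1, part, ".")         # part[2] is the snap name
            if (!(part[2] in seen)) { seen[part[2]] = 1; print part[2] }
        }
    '
}

# Hardening test: succeeds only when no snap profile is in complain mode.
check_hardening() {
    offenders=$(complain_snaps)
    if [ -n "$offenders" ]; then
        echo "snaps in complain mode (check for confinement: devmode):"
        echo "$offenders" | sed 's/^/  /'
        return 1
    fi
    echo "no snap profiles in complain mode"
}

# Constructed sample of the output after installing the two devmode snaps.
sample_status() {
cat <<'EOF'
apparmor module is loaded.
6 profiles are loaded.
4 profiles are in enforce mode.
   /sbin/dhclient
   /usr/lib/snapd/snap-confine
   snap.core.hook.configure
   snap.otherapp.otherapp
2 profiles are in complain mode.
   snap.gatewayapp.gatewayapp
   snap.watchdogapp.watchdogapp
3 processes have profiles defined.
1 processes are in enforce mode.
   /sbin/dhclient (812)
2 processes are in complain mode.
   snap.gatewayapp.gatewayapp (1501)
   snap.watchdogapp.watchdogapp (1533)
0 processes are unconfined but have a profile defined.
EOF
}

# Demo on the sample; on the device run: apparmor_status | check_hardening
sample_status | check_hardening || true
```
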