How to create custom interface

The documentation on Security has some tips on fine tuning AppArmor policies and as a final step advises to copy the policy to the interface code, but there is no resource or link on how to create our own custom interfaces. Can anyone share any info regarding the same, please?

When fine-tuning AppArmor policy, it is often easiest to install the snap in strict mode, then modify the AppArmor policy in place on the target system, then copy it back. Eg, these steps might be:

build your snap
copy your snap to your target device and install it (or use snap try)
use the snap (perhaps using snap run --shell .), monitoring /var/log/syslog for denials
modify /var/lib/snapd/apparmor/profiles/snap.. as needed (eg, adding rules before the final }) and run sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap.. to load the policy into the kernel
use sudo service snap.. stop/start/etc as needed for daemons
repeat until satisfied
The same process as above holds for seccomp except the seccomp policy is in /var/lib/snapd/seccomp/profiles/snap.. and there is no command to load the policy (you simply have to relaunch the command or snap run --shell). The seccomp policy language is considerably simpler and is essentially a list of allowed syscalls.

When done, copy any changes you make to /var/lib/snapd/apparmor/profiles/snap.. or /var/lib/snapd/seccomp/profiles/snap.. to your interface code.
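The "monitor /var/log/syslog for denials" step above, as an added example that is not part of the original post or of snapd: a small POSIX shell helper that turns AppArmor DENIED lines for one snap profile into candidate file rules to review before pasting them in front of the final "}" of the profile. The profile name snap.hello.hello and the log lines are constructed.

```shell
#!/bin/sh
# Added example (not from the forum post or snapd): extract AppArmor
# "DENIED" syslog lines for one snap profile and print candidate file rules.

# Constructed sample syslog lines standing in for /var/log/syslog.
SAMPLE_LOG='Jan  1 12:00:00 host kernel: [  123.456] audit: type=1400 audit(1500000000.123:456): apparmor="DENIED" operation="open" profile="snap.hello.hello" name="/etc/hostname" pid=1234 comm="hello" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jan  1 12:00:01 host kernel: [  123.457] audit: type=1400 audit(1500000000.124:457): apparmor="DENIED" operation="mknod" profile="snap.hello.hello" name="/var/tmp/hello.sock" pid=1234 comm="hello" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Jan  1 12:00:02 host kernel: [  123.458] audit: type=1400 audit(1500000000.125:458): apparmor="DENIED" operation="open" profile="snap.other.other" name="/etc/shadow" pid=1300 comm="other" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jan  1 12:00:03 host kernel: [  123.459] audit: type=1400 audit(1500000000.126:459): apparmor="DENIED" operation="open" profile="snap.hello.hello" name="/etc/hostname" pid=1234 comm="hello" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0'

# denials_to_rules PROFILE: read syslog lines on stdin and print one
# candidate AppArmor file rule ("<path> <denied_mask>,") per distinct
# (path, mask) pair seen for PROFILE; other profiles are ignored.
denials_to_rules() {
    profile="$1"
    grep 'apparmor="DENIED"' |
    grep -F "profile=\"$profile\"" |
    sed -n 's/.* name="\([^"]*\)".* denied_mask="\([^"]*\)".*/\1 \2,/p' |
    sort -u
}

# Review the output by hand: a denial on a sensitive path usually means the
# snap should be changed, not that the policy should be widened.
printf '%s\n' "$SAMPLE_LOG" | denials_to_rules snap.hello.hello
```

Replace the embedded sample with `tail -f /var/log/syslog` or `journalctl -k` piped into the function to use it against a live device.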

Anyone, any help with this?

There isn’t a mechanism to create a custom interface for only your system. Currently interfaces are encoded into snapd such that they are either implicitly provided by the core snap (in which case they may exist only on core, only on classic, or on both. An example is ‘network’) or are exposed via a providing slot implementation (eg, when the mir-kiosk snap is installed, the ‘mir’ interface is available to plug).

If you need additional access, you can submit a PR for snapd against an existing interface, create a new implicit interface or create a slot interface for access to your snap. @zyga-snapd has documentation on this: http://www.zygoon.pl/2016/08/creating-your-first-snappy-interface.html, but quite a few things have changed since he wrote that, so it might be simpler to simply copy existing interfaces/builtin/<interface>.go and interfaces/builtin/<interface>_test.go files to something appropriately named, modify them and make sure the tests pass (see HACKING.md). Then you can build snapd and test it on your target device (also see HACKING.md).


And if you need hands-on feedback just join us on IRC, on freenode in the #snappy channel.

Most interfaces can be made very very short using the commonInterface type we have as a helper. Look at how interfaces are implemented (not in detail, just broadly) and you will notice that there are some very complex ones that use lots of custom code and many many trivial ones that just define some static data.

@jdstrand, @zyga-snapd Thanks for the hints, will check and get back if I hit a dead end again.
