Strict Confinement in Revenge OS/Arch Based Distro

Hello, I am trying to get strict confinement to work in Revenge OS, which is based on Arch Linux. I would like to ship snap support by default in Revenge OS, and I really want it to work as intended, with strict confinement out of the box. In testing, I have compiled an Apparmor enable kernel (version 4.13.3), and I do have Apparmor running. I then built the package for Arch Linux from the Github release page (version 2.27.5-1). When building the snapd package, I removed the --disable-apparmor option.

However, when I try to run any snap package with this setup, I receive an error stating “snap-confine has elevated permissions and is not confined but should be …” From looking up others who have had this error it appears that there is no apparmor profile for snap-confine? I am seeking advice about how to proceed from here.

I forgot to mention, that without apparmor running snaps work as expected, running in devmode as in Arch Linux. Thank you for the work that you guys have done here!

2 Likes

@zyga-snapd can surely help here …

Hey!

Welcome on board :slight_smile:

To get strict confinement you need to get apparmor enabled on boot but also synchronize your /security/apparmor directory. You can look at @ikey’s work on Solus on how this can be done.
Snapd will detect the confinement at runtime. Running snap debug confinement should tell you strict rather than partial if you got that part right.

Unless you want to deviate from our recommended default location of the snap mount directory (/snap directory) you don’t have to change anything in snapd proper.

In packaging however you have to still do a few more things (those are not done by the arch package). You need to install the apparmor profile of snap-confine to /etc/apparmor.d and load it after installing the package. The profile should also automatically load on boot assuming that apparmor is doing its thing.

You may also need to (I don’t know really) look at changing apparmor to load generated profiles from /var/lib/snapd/apparmor/profiles. I know Ubuntu does this but I don’t know if this is in the upstream apparmor init system integration.

Thank you so much for the quick answer!

@zyga-snapd wanted to give you an update. Strict confinement is now working with Revenge OS https://plus.google.com/105766777757312490532/posts/HdfkpEvUJbU. I’m still testing it, and I’m sure there will be a few issues to handle, but the major hurdle has been jumped, so to speak.

I wanted to introduce myself. I’m Jody James, lead developer of Revenge OS. Again, thank you so much for pointing me in the right direction and for all you guys have done here!

@zyga-snapd I’m now seeing this error when trying to run a snap:

/usr/lib/snapd/snap-confine: error while loading shared libraries: libudev.so.1: failed to map segment from shared object

I double checked that apparmor is loading the profiles from /var/lib/snapd/apparmor/profiles and we are using the default location of /snap for the mount directory. Do you happen to know what might be causing this error?

Thanks again!

This sounds likes snap-confine's own apparmor profile not letting it load the libudev.so.1 shared library. There is a rule in the profile that should allow this, but perhaps the library is somewhere else on your system?

/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libudev.so* mr,

Does that sound plausible?

That does sound plausible. I’d like to know what ldd /usr/lib/snapd/snap-confine says.

ldd /usr/lib/snapd/snap-confine
returns

linux-vdso.so.1 (0x00007fffe61db000)
libudev.so.1 => /usr/lib/libudev.so.1 (0x00007f4981f6c000)
libcap.so.2 => /usr/lib/libcap.so.2 (0x00007f4981d68000)
libapparmor.so.1 => /usr/lib/libapparmor.so.1 (0x00007f4981b57000)
libpthread.so.0 => /usr/lib/libpthread.so.0 (0x00007f4981939000)
libc.so.6 => /usr/lib/libc.so.6 (0x00007f4981582000)
/lib64/ld-linux-x86-64.so.2 => /usr/lib64/ld-linux-x86-64.so.2 (0x00007f4982399000)

I checked and the path appears to be correct /usr/lib/libudev.so.1

Can you show me the apparmor denial? They usually go to the audit log can have the word DENIED

Ok, I’m sure that the issue is with the apparmor profiles. I fixed the issues with the shared libraries (it applied to all of them) by changing the paths in the snap-confine apparmor profile. Now I am getting this error:

cannot perform readlinkat() on the mount namespace file descriptor of the init process: Permission denied

The last entry in the log for the apparmor denial shows:
type=AVC msg=audit(1506612383.468:55): apparmor=“DENIED” operation=“capable” profile="/usr/lib/snapd/snap-confine" pid=1289 comm=“snap-confine” capability=19 capname=“sys_ptrace”

I’m sorry to keep bothering you guys. I will keep working to remedy the errors. Thanks again.

So, I’m curious, did you take the Ubuntu kernel apparmor patches and add them to Revenge OS or are you using the vanilla upstream kernel? EDIT: Because the profile is written for the patched kernel and will probably not work without some changes.

I synced the /security/apparmor directory but did not apply any more patches in the kernel build.

Can you paste what you changed? (ideally as a diff)

Sure, here are the changes that I made to the snap-confine apparmor profile:

If needed I can rebuild the kernel and apply another Ubuntu kernel patch rather than just syncing the /security/apparmor directory.

Thanks again for your help.

Ah, these changes are in newer snapd. Thanks for the paste.

I’ve a very easy patch here you can nick for the 4.13 series kernel to apply to a stock kernel which will introduce the full AppArmor confinement required by snapd:

https://dev.solus-project.com/source/linux-current/browse/master/files/security/0001-Sync-Ubuntu-Artful-jj-s-kernel-s-apparmor-4.13-outof.patch

You can check our git history there and we also had 4.12 syncs that worked fine. They’re always in our files/security directory. You’ll need to make oldconfig && make menuconfig after to ensure all the relevant AppArmor options are now enabled.

Thank you, much appreciated!

1 Like

No worries :slight_smile: We also stripped down our apparmor package basically to purely serve snapd for now, feel free to prod (just search for apparmor from the same dev site I linked earlier)

Good luck - nice to see more distros embracing snaps :slight_smile:

Hey, how is this effort coming along?