
cmd/libsnap-confine-private: fix apparmor kernel with apparmor-less userspace in container

Open zyga opened this issue 1 year ago • 3 comments

The set of patches allows snap-confine built on Ubuntu to work in a Fedora container, unmodified, paving the way for better technical support for re-execution across systems.

There are some drive-by patches to handle EBUSY, fix aa_is_enabled comparison (wrong type), and use sc_streq instead of strcmp.

Jira: SNAPDENG-18847

zyga avatar Jun 12 '24 15:06 zyga

google:ubuntu-24.04-64:tests/main/security-setuid-root fails with

++ os.paths snap-mount-dir
+ SNAP_MOUNT_DIR=/snap
+ su test -c 'sh -c "SNAP_NAME=test-snapd-sh SNAP_INSTANCE_NAME=test-snapd-sh /snap/core/current/usr/lib/snapd/snap-confine snap.test-snapd-sh.sh -c '\''/bin/true'\'' 2>/dev/null"'
+ su test -c 'sh -c "SNAP_NAME=test-snapd-sh SNAP_INSTANCE_NAME=test-snapd-sh /snap/core/current/usr/lib/snapd/snap-confine snap.test-snapd-sh.sh -c '\''/bin/true'\'' 2>&1"'
+ MATCH 'Refusing to continue to avoid permission escalation attacks'
grep error: pattern not found, got:
execv failed: No such file or directory

Meulengracht avatar Jun 24 '24 07:06 Meulengracht

@alexmurray @Meulengracht I realized why this is failing and I'm a bit puzzled what to do about it:

We are running an unconfined snap-confine on Fedora, even though we have apparmor in the kernel and in the userspace snap-confine program originally built on Ubuntu. This is what I "fixed" - to allow snap-confine to run even though it has no apparmor in the distro and is really running unconfined.

I will break out some of the cleanups/fixes (I separately found that the test has a bug that was also masking the true failure). I may close this and revisit once we have more complete capability to re-execute on Fedora natively, with Fedora kernel (not like I tested, with the Fedora userspace in a container on Ubuntu).

zyga avatar Jun 25 '24 06:06 zyga

@alexmurray I think we should adjust the test and actually allow this. This would also unlock running snapd in LXC (not LXD) where apparmor is not exposed (not mounted in sysfs) but the kernel technically has it.

zyga avatar Jul 17 '24 12:07 zyga
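The PR description mentions an aa_is_enabled comparison of the wrong type, and the comments above describe the case where AppArmor is in the kernel but userspace cannot see it (Fedora userspace in a container, or LXC with securityfs not mounted). The following is an added example, not snapd or libapparmor code: it emulates the return-value/errno contract of an aa_is_enabled()-style probe from a constructed sysfs snapshot and classifies the result so that "kernel has it, interface not exposed" is its own state rather than being mistaken for "enabled" or "absent". The sc_* names, the snapshot struct and the sample snapshots are hypothetical; the errno meanings follow the aa_is_enabled(2) man page.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Added example (not snapd code). The sc_* names are hypothetical. */

enum sc_aa_state {
	SC_AA_ENABLED,       /* LSM active and /sys/kernel/security/apparmor visible */
	SC_AA_KERNEL_ONLY,   /* LSM active, securityfs interface not mounted (container) */
	SC_AA_DISABLED,      /* built into the kernel but disabled at boot */
	SC_AA_UNAVAILABLE,   /* kernel has no AppArmor at all */
	SC_AA_NO_PERMISSION, /* probe could not read the interface */
	SC_AA_ERROR          /* anything outside the documented contract */
};

/* Constructed stand-in for the two sysfs locations the real probe consults. */
struct sc_sysfs_snapshot {
	const char *enabled_param; /* /sys/module/apparmor/parameters/enabled, NULL if absent */
	bool securityfs_iface;     /* /sys/kernel/security/apparmor present? */
	bool readable;             /* calling uid may read the parameter file? */
};

/* Emulated probe with the documented aa_is_enabled(2) contract: returns the
 * int 1 when enabled, otherwise 0 with *err set to ENOSYS (no AppArmor in the
 * kernel), ECANCELED (disabled at boot), ENOENT (enabled, but the securityfs
 * interface is not available) or EACCES (cannot read the interface). */
int sc_probe_apparmor(const struct sc_sysfs_snapshot *s, int *err)
{
	*err = 0;
	if (s->enabled_param == NULL) { *err = ENOSYS; return 0; }
	if (!s->readable) { *err = EACCES; return 0; }
	if (s->enabled_param[0] != 'Y') { *err = ECANCELED; return 0; }
	if (!s->securityfs_iface) { *err = ENOENT; return 0; }
	return 1;
}

/* Classify a (return value, errno) pair. The return value is compared with the
 * documented int 1; any other non-zero value is reported, not accepted, which
 * keeps the check explicit rather than relying on truthiness of some other type. */
enum sc_aa_state sc_classify_apparmor(int rc, int err)
{
	if (rc == 1)
		return SC_AA_ENABLED;
	if (rc != 0)
		return SC_AA_ERROR;
	switch (err) {
	case ENOSYS:    return SC_AA_UNAVAILABLE;
	case ECANCELED: return SC_AA_DISABLED;
	case ENOENT:    return SC_AA_KERNEL_ONLY;
	case EPERM:
	case EACCES:    return SC_AA_NO_PERMISSION;
	default:        return SC_AA_ERROR;
	}
}

/* Probe a snapshot and classify it in one step. */
enum sc_aa_state sc_state_for(const char *enabled_param, bool securityfs_iface, bool readable)
{
	struct sc_sysfs_snapshot s = { enabled_param, securityfs_iface, readable };
	int err = 0;
	int rc = sc_probe_apparmor(&s, &err);
	return sc_classify_apparmor(rc, err);
}

/* Only a fully visible AppArmor may be relied on for confinement. KERNEL_ONLY
 * is the container/LXC case from the thread: the launcher really runs
 * unconfined and must treat itself that way rather than assume a profile applies. */
bool sc_can_rely_on_apparmor(enum sc_aa_state st)
{
	return st == SC_AA_ENABLED;
}

const char *sc_aa_state_name(enum sc_aa_state st)
{
	static const char *const names[] = {
		"enabled", "kernel-only (interface not exposed)", "disabled at boot",
		"not in kernel", "no permission to probe", "unexpected probe result",
	};
	return names[st];
}

int main(void)
{
	/* Constructed snapshots: Ubuntu host, container with securityfs hidden,
	 * AppArmor disabled at boot, kernel without AppArmor. */
	const struct sc_sysfs_snapshot cases[] = {
		{ "Y\n", true, true }, { "Y\n", false, true },
		{ "N\n", true, true }, { NULL, false, true },
	};
	for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
		int err = 0;
		int rc = sc_probe_apparmor(&cases[i], &err);
		enum sc_aa_state st = sc_classify_apparmor(rc, err);
		printf("case %zu: rc=%d errno=%d -> %s, rely on AppArmor: %s\n", i, rc, err,
		       sc_aa_state_name(st), sc_can_rely_on_apparmor(st) ? "yes" : "no");
	}
	return 0;
}
```

Wiring the real libapparmor call in place of sc_probe_apparmor is a one-line change (call aa_is_enabled() and read errno); the classification and the decision function stay the same, and the KERNEL_ONLY branch is the one that needs a deliberate policy rather than a silent fall-through.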

This is no longer required. Some of this was fixed as a part of the work on re-execution support for Fedora.

zyga avatar Aug 13 '25 07:08 zyga