Enable snap confinement support conditionally

2018-07-19 22:37:46 -04:00 · 2018-07-19 22:37:46 -04:00 · 82e9cbc43e
commit 82e9cbc43e
parent 643ede2b90
3 changed files with 16 additions and 5 deletions
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@ -119,6 +119,12 @@ if (NOT "${HOST_CMAKE_C_COMPILER}" STREQUAL "")
  message(STATUS "Host C compiler: ${HOST_CMAKE_CXX_COMPILER}")
 endif()

+option(SNAP_CONFINEMENT "Enable snap confinement support" OFF)
+if (SNAP_CONFINEMENT)
+  message(STATUS "Building with support for snap confinement")
+  set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -DENABLE_SNAP_CONFINEMENT")
+endif()
+
 install(FILES data/ui/loading-screen.png DESTINATION ${ANBOX_RESOURCE_DIR}/ui)

 # uninstall target
--- a/snap/snapcraft.yaml
+++ b/snap/snapcraft.yaml
@ -241,6 +241,9 @@ parts:
      # that is fixed we can avoid using a prefix here.
      - -DCMAKE_INSTALL_PREFIX:PATH=/usr
      - -DANBOX_VERSION=$SNAPCRAFT_PROJECT_VERSION
+      # FIXME: Once we have everything in place for full snap confinement we
+      # can securely enable this.
+      # - -DSNAP_CONFINEMENT=ON
    build-packages:
      - build-essential
      - cmake
--- a/src/anbox/container/lxc_container.cpp
+++ b/src/anbox/container/lxc_container.cpp
@ -266,10 +266,12 @@ void LxcContainer::start(const Configuration &configuration) {

  set_config_item("lxc.init.cmd", "/anbox-init.sh");

+#if ENABLE_SNAP_CONFINEMENT
  // If we're running inside the snap environment snap-confine already created a
  // cgroup for us we need to use as otherwise presevering a namespace wont help.
  if (utils::is_env_set("SNAP"))
    set_config_item("lxc.namespace.keep", "cgroup");
+#endif

  auto rootfs_path = SystemConfiguration::instance().rootfs_dir();
  if (rootfs_overlay_)
@ -288,11 +290,11 @@ void LxcContainer::start(const Configuration &configuration) {

  setup_network();

-#if 0
-  set_config_item("lxc.apparmor.profile", "anbox-container");
-
-  const auto seccomp_profile_path = fs::path(utils::get_env_value("SNAP", "/etc/anbox")) / "seccomp" / "anbox.sc";
-  set_config_item("lxc.seccomp.profile", seccomp_profile_path.string().c_str());
+#if ENABLE_SNAP_CONFINEMENT
+  // We take the AppArmor profile snapd has defined for us as part of the
+  // anbox-support interface. The container manager itself runs within a
+  // child profile snap.anbox.container-manager//lxc too.
+  set_config_item("lxc.apparmor.profile", "snap.anbox.container-manager//container");
 #else
  set_config_item("lxc.apparmor.profile", "unconfined");
 #endif