From 82e9cbc43e73348dbfde597cd91ef6dfc6362284 Mon Sep 17 00:00:00 2001
From: Simon Fels
Date: Thu, 19 Jul 2018 22:37:46 -0400
Subject: [PATCH] Enable snap confinement support conditionally
---
 CMakeLists.txt | 6 ++++++
 snap/snapcraft.yaml | 3 +++
 src/anbox/container/lxc_container.cpp | 12 +++++++-----
 3 files changed, 16 insertions(+), 5 deletions(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 302934b..31c219a 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -119,6 +119,12 @@ if (NOT "${HOST_CMAKE_C_COMPILER}" STREQUAL "")
 message(STATUS "Host C compiler: ${HOST_CMAKE_CXX_COMPILER}")
 endif()
+option(SNAP_CONFINEMENT "Enable snap confinement support" OFF)
+if (SNAP_CONFINEMENT)
+ message(STATUS "Building with support for snap confinement")
+ set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -DENABLE_SNAP_CONFINEMENT")
+endif()
+
 install(FILES data/ui/loading-screen.png DESTINATION ${ANBOX_RESOURCE_DIR}/ui)
 # uninstall target
diff --git a/snap/snapcraft.yaml b/snap/snapcraft.yaml
index 78efa03..86f245f 100644
--- a/snap/snapcraft.yaml
+++ b/snap/snapcraft.yaml
@@ -241,6 +241,9 @@ parts:
 # that is fixed we can avoid using a prefix here.
 - -DCMAKE_INSTALL_PREFIX:PATH=/usr
 - -DANBOX_VERSION=$SNAPCRAFT_PROJECT_VERSION
+ # FIXME: Once we have everything in place for full snap confinement we
+ # can securely enable this.
+ # - -DSNAP_CONFINEMENT=ON
 build-packages:
 - build-essential
 - cmake
diff --git a/src/anbox/container/lxc_container.cpp b/src/anbox/container/lxc_container.cpp
index 0490577..992dd7d 100644
--- a/src/anbox/container/lxc_container.cpp
+++ b/src/anbox/container/lxc_container.cpp
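Review bot: In the CMakeLists.txt hunk, `-DENABLE_SNAP_CONFINEMENT` is appended to the global `CMAKE_CXX_FLAGS` string, and when the option is OFF the macro stays undefined, so the `#if ENABLE_SNAP_CONFINEMENT` guards in lxc_container.cpp rely on an undefined identifier evaluating to 0 (and will warn under `-Wundef`). `add_definitions(-DENABLE_SNAP_CONFINEMENT=1)` inside the `if` would keep the define out of the flags string, and the guards could then use `#ifdef`. Because this switch decides whether the container is given an AppArmor profile at all, an `else()` branch with `message(STATUS "Building without snap confinement support")` would make the weaker configuration visible in the configure log.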
@@ -266,10 +266,12 @@ void LxcContainer::start(const Configuration &configuration) {
 set_config_item("lxc.init.cmd", "/anbox-init.sh");
+#if ENABLE_SNAP_CONFINEMENT
 // If we're running inside the snap environment snap-confine already created a
 // cgroup for us we need to use as otherwise presevering a namespace wont help.
 if (utils::is_env_set("SNAP"))
 set_config_item("lxc.namespace.keep", "cgroup");
+#endif
 auto rootfs_path = SystemConfiguration::instance().rootfs_dir();
 if (rootfs_overlay_)
@@ -288,11 +290,11 @@ void LxcContainer::start(const Configuration &configuration) {
 setup_network();
-#if 0
- set_config_item("lxc.apparmor.profile", "anbox-container");
-
- const auto seccomp_profile_path = fs::path(utils::get_env_value("SNAP", "/etc/anbox")) / "seccomp" / "anbox.sc";
- set_config_item("lxc.seccomp.profile", seccomp_profile_path.string().c_str());
+#if ENABLE_SNAP_CONFINEMENT
+ // We take the AppArmor profile snapd has defined for us as part of the
+ // anbox-support interface. The container manager itself runs within a
+ // child profile snap.anbox.container-manager//lxc too.
+ set_config_item("lxc.apparmor.profile", "snap.anbox.container-manager//container");
 #else
 set_config_item("lxc.apparmor.profile", "unconfined");
 #endif
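Review bot: In the second hunk the `#else` branch still sets `lxc.apparmor.profile` to `unconfined`, and the seccomp profile lines from the old `#if 0` block are removed rather than carried into the new branch, so as far as these hunks show neither build variant applies a seccomp profile, and the default build (the snapcraft.yaml hunk leaves `-DSNAP_CONFINEMENT=ON` commented out) applies no AppArmor profile either. A comment on the `#else` branch such as `// FIXME: container runs without AppArmor/seccomp confinement until SNAP_CONFINEMENT is enabled` would make that state explicit to the next reader. The enabled branch also selects `snap.anbox.container-manager//container` purely at compile time, whereas the first hunk additionally checks `utils::is_env_set("SNAP")`; a binary built with the flag but started outside the snap would presumably request a profile that is not loaded, so the same runtime check looks appropriate here. `LxcContainer::start` begins and ends outside both hunks.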