diff --git a/CMakeLists.txt b/CMakeLists.txt index 302934b..31c219a 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -119,6 +119,12 @@ if (NOT "${HOST_CMAKE_C_COMPILER}" STREQUAL "") message(STATUS "Host C compiler: ${HOST_CMAKE_CXX_COMPILER}") endif() +option(SNAP_CONFINEMENT "Enable snap confinement support" OFF) +if (SNAP_CONFINEMENT) + message(STATUS "Building with support for snap confinement") + set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -DENABLE_SNAP_CONFINEMENT") +endif() + install(FILES data/ui/loading-screen.png DESTINATION ${ANBOX_RESOURCE_DIR}/ui) # uninstall target diff --git a/scripts/container-manager.sh b/scripts/container-manager.sh index 46216fd..06a11a4 100755 --- a/scripts/container-manager.sh +++ b/scripts/container-manager.sh @@ -53,11 +53,6 @@ start() { # lib directory as explicit search target here. export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:$SNAP/usr/lib/$ARCH" - if [ -d /sys/kernel/security/apparmor ] ; then - # Load the profile for our Android container - "$SNAP"/sbin/apparmor_parser -r "$SNAP"/apparmor/anbox-container.aa - fi - enable_debug="$(snapctl get debug.enable)" if [ "$enable_debug" = true ]; then export ANBOX_LOG_LEVEL=debug diff --git a/snap/snapcraft.yaml b/snap/snapcraft.yaml index 3883cd3..67075b7 100644 --- a/snap/snapcraft.yaml +++ b/snap/snapcraft.yaml @@ -16,25 +16,44 @@ grade: devel architectures: [amd64] slots: - # Depending on in which environment we're running we either need - # to use the system or session DBus so we also need to have one - # slot for each. - dbus-session: + dbus-session-slot: interface: dbus - bus: system + bus: session name: org.anbox - dbus-system: + +plugs: + dbus-session-plug: interface: dbus - bus: system + bus: session name: org.anbox apps: anbox: command: desktop-launch $SNAP/bin/anbox-wrapper.sh + slots: + - dbus-session-slot + plugs: + - x11 + - unity7 + - network + - opengl + - wayland + - pulseaudio + - home + - process-control + - desktop + container-manager: command: bin/container-manager.sh start stop-command: bin/container-manager.sh stop daemon: simple + plugs: + - firewall-control + - kernel-module-control + - mount-observe + - network-control + - network-bind + collect-bug-info: command: bin/collect-bug-info.sh shell: @@ -42,9 +61,36 @@ apps: android-settings: command: desktop-launch $SNAP/bin/app-android-settings.sh desktop: desktop/android-settings.desktop + slots: + - dbus-session-slot + plugs: + - dbus-session-plug + - x11 + - unity7 + - network + - opengl + - wayland + - pulseaudio + - home + - process-control + - desktop + appmgr: command: desktop-launch $SNAP/bin/app-appmgr.sh desktop: desktop/appmgr.desktop + slots: + - dbus-session-slot + plugs: + - dbus-session-plug + - x11 + - unity7 + - network + - opengl + - wayland + - pulseaudio + - home + - process-control + - desktop parts: android: @@ -102,7 +148,7 @@ parts: lxc: source: https://github.com/lxc/lxc source-type: git - source-tag: lxc-3.0.0 + source-tag: lxc-3.0.1 build-packages: - libapparmor-dev - libcap-dev @@ -125,6 +171,16 @@ parts: - --enable-capabilities - --with-rootfs-path=/var/snap/anbox/common/lxc/ - --libexecdir=/snap/anbox/current/libexec/ + override-build: | + set -ex + git config user.email "buildbot@anbox.io" + git config user.name "Anbox Buildbot" + git remote add anbox https://github.com/anbox/lxc + git fetch anbox + # apparmor: don't require a transition for Anbox child profiles + git cherry-pick 2f81fb7c91560b32e506bb874f8cd63e37985906 + set +ex + snapcraftctl build organize: snap/anbox/current/libexec: libexec prime: @@ -195,6 +251,9 @@ parts: # that is fixed we can avoid using a prefix here. - -DCMAKE_INSTALL_PREFIX:PATH=/usr - -DANBOX_VERSION=$SNAPCRAFT_PROJECT_VERSION + # FIXME: Once we have everything in place for full snap confinement we + # can securely enable this. + # - -DSNAP_CONFINEMENT=ON build-packages: - build-essential - cmake diff --git a/src/anbox/container/lxc_container.cpp b/src/anbox/container/lxc_container.cpp index c257582..992dd7d 100644 --- a/src/anbox/container/lxc_container.cpp +++ b/src/anbox/container/lxc_container.cpp @@ -266,6 +266,13 @@ void LxcContainer::start(const Configuration &configuration) { set_config_item("lxc.init.cmd", "/anbox-init.sh"); +#if ENABLE_SNAP_CONFINEMENT + // If we're running inside the snap environment snap-confine already created a + // cgroup for us we need to use as otherwise presevering a namespace wont help. + if (utils::is_env_set("SNAP")) + set_config_item("lxc.namespace.keep", "cgroup"); +#endif + auto rootfs_path = SystemConfiguration::instance().rootfs_dir(); if (rootfs_overlay_) rootfs_path = SystemConfiguration::instance().combined_rootfs_dir(); @@ -283,11 +290,11 @@ void LxcContainer::start(const Configuration &configuration) { setup_network(); -#if 0 - set_config_item("lxc.apparmor.profile", "anbox-container"); - - const auto seccomp_profile_path = fs::path(utils::get_env_value("SNAP", "/etc/anbox")) / "seccomp" / "anbox.sc"; - set_config_item("lxc.seccomp.profile", seccomp_profile_path.string().c_str()); +#if ENABLE_SNAP_CONFINEMENT + // We take the AppArmor profile snapd has defined for us as part of the + // anbox-support interface. The container manager itself runs within a + // child profile snap.anbox.container-manager//lxc too. + set_config_item("lxc.apparmor.profile", "snap.anbox.container-manager//container"); #else set_config_item("lxc.apparmor.profile", "unconfined"); #endif