From 60e7dc79c8f0939c769282c189dfef920f99b69c Mon Sep 17 00:00:00 2001 From: Simon Fels Date: Thu, 19 Jul 2018 22:20:09 -0400 Subject: [PATCH 1/6] scripts: don't setup a dedicated AppArmor profile anymore --- scripts/container-manager.sh | 5 ----- 1 file changed, 5 deletions(-) diff --git a/scripts/container-manager.sh b/scripts/container-manager.sh index 46216fd..06a11a4 100755 --- a/scripts/container-manager.sh +++ b/scripts/container-manager.sh @@ -53,11 +53,6 @@ start() { # lib directory as explicit search target here. export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:$SNAP/usr/lib/$ARCH" - if [ -d /sys/kernel/security/apparmor ] ; then - # Load the profile for our Android container - "$SNAP"/sbin/apparmor_parser -r "$SNAP"/apparmor/anbox-container.aa - fi - enable_debug="$(snapctl get debug.enable)" if [ "$enable_debug" = true ]; then export ANBOX_LOG_LEVEL=debug From 120ba1c701bcb113082343db9bc084ab160f03b0 Mon Sep 17 00:00:00 2001 From: Simon Fels Date: Thu, 19 Jul 2018 22:21:28 -0400 Subject: [PATCH 2/6] snap: add set of plugs and slots necessary for confinement --- snap/snapcraft.yaml | 60 +++++++++++++++++++++++++++++++++++++++------ 1 file changed, 53 insertions(+), 7 deletions(-) diff --git a/snap/snapcraft.yaml b/snap/snapcraft.yaml index 3bb9485..78efa03 100644 --- a/snap/snapcraft.yaml +++ b/snap/snapcraft.yaml 
@@ -16,25 +16,44 @@ grade: devel architectures: [amd64] slots: - # Depending on in which environment we're running we either need - # to use the system or session DBus so we also need to have one - # slot for each. - dbus-session: + dbus-session-slot: interface: dbus - bus: system + bus: session name: org.anbox - dbus-system: + +plugs: + dbus-session-plug: interface: dbus - bus: system + bus: session name: org.anbox apps: anbox: command: desktop-launch $SNAP/bin/anbox-wrapper.sh + slots: + - dbus-session-slot + plugs: + - x11 + - unity7 + - network + - opengl + - wayland + - pulseaudio + - home + - process-control + - desktop + container-manager: command: bin/container-manager.sh start stop-command: bin/container-manager.sh stop daemon: simple + plugs: + - firewall-control + - kernel-module-control + - mount-observe + - network-control + - network-bind + collect-bug-info: command: bin/collect-bug-info.sh shell: @@ -42,9 +61,36 @@ apps: android-settings: command: desktop-launch $SNAP/bin/app-android-settings.sh desktop: desktop/android-settings.desktop + slots: + - dbus-session-slot + plugs: + - dbus-session-plug + - x11 + - unity7 + - network + - opengl + - wayland + - pulseaudio + - home + - process-control + - desktop + appmgr: command: desktop-launch $SNAP/bin/app-appmgr.sh desktop: desktop/appmgr.desktop + slots: + - dbus-session-slot + plugs: + - dbus-session-plug + - x11 + - unity7 + - network + - opengl + - wayland + - pulseaudio + - home + - process-control + - desktop parts: android: From 643ede2b9062937d6482b4bb36cd7e8e053dd7bb Mon Sep 17 00:00:00 2001 From: Simon Fels Date: Thu, 19 Jul 2018 22:22:03 -0400 Subject: [PATCH 3/6] container: use cgroup snap-confine already setup --- src/anbox/container/lxc_container.cpp | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/anbox/container/lxc_container.cpp b/src/anbox/container/lxc_container.cpp index c257582..0490577 100644 --- a/src/anbox/container/lxc_container.cpp 
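Review bot: The new `plugs:` list on `container-manager` grants `kernel-module-control`, `firewall-control` and `network-control` without any comment saying which operation of the daemon needs each of them; these interfaces are privileged (they typically need a manual connection or a store assertion) and together amount to host-root capability, so a reviewer cannot judge from this hunk whether the set is minimal. I would put a short why-comment above the list, e.g. `# privileged plugs: each entry below must be tied to a concrete operation of the container manager; remove any that stop being needed`, and then name the operation per entry once it is known. The same applies to the slot rename: the old `dbus-session`/`dbus-system` pair both declared `bus: system`, and the hunk silently resolves that to a single session-bus slot/plug pair — a one-line comment on `dbus-session-slot` stating that the service is session-bus only would stop the next reader from re-adding the system-bus slot.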
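Review bot: The `android-settings` and `appmgr` apps in this hunk repeat the same plug list as `anbox` verbatim, differing only by the extra `dbus-session-plug`; three copies of an eleven-entry list will drift the first time one of them is edited. If the YAML loader snapcraft uses honours anchors, a single anchored list (`plugs: &app-plugs` on the first app, `plugs: *app-plugs` on the others) keeps them in sync; otherwise a comment such as `# keep in sync with the plug list of the anbox app` on each copy is the minimum.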
+++ b/src/anbox/container/lxc_container.cpp @@ -266,6 +266,11 @@ void LxcContainer::start(const Configuration &configuration) { set_config_item("lxc.init.cmd", "/anbox-init.sh"); + // If we're running inside the snap environment snap-confine already created a + // cgroup for us we need to use as otherwise presevering a namespace wont help. + if (utils::is_env_set("SNAP")) + set_config_item("lxc.namespace.keep", "cgroup"); + auto rootfs_path = SystemConfiguration::instance().rootfs_dir(); if (rootfs_overlay_) rootfs_path = SystemConfiguration::instance().combined_rootfs_dir(); From 82e9cbc43e73348dbfde597cd91ef6dfc6362284 Mon Sep 17 00:00:00 2001 From: Simon Fels Date: Thu, 19 Jul 2018 22:37:46 -0400 Subject: [PATCH 4/6] Enable snap confinement support conditionally --- CMakeLists.txt | 6 ++++++ snap/snapcraft.yaml | 3 +++ src/anbox/container/lxc_container.cpp | 12 +++++++----- 3 files changed, 16 insertions(+), 5 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 302934b..31c219a 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -119,6 +119,12 @@ if (NOT "${HOST_CMAKE_C_COMPILER}" STREQUAL "") message(STATUS "Host C compiler: ${HOST_CMAKE_CXX_COMPILER}") endif() +option(SNAP_CONFINEMENT "Enable snap confinement support" OFF) +if (SNAP_CONFINEMENT) + message(STATUS "Building with support for snap confinement") + set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -DENABLE_SNAP_CONFINEMENT") +endif() + install(FILES data/ui/loading-screen.png DESTINATION ${ANBOX_RESOURCE_DIR}/ui) # uninstall target diff --git a/snap/snapcraft.yaml b/snap/snapcraft.yaml index 78efa03..86f245f 100644 --- a/snap/snapcraft.yaml +++ b/snap/snapcraft.yaml @@ -241,6 +241,9 @@ parts: # that is fixed we can avoid using a prefix here. - -DCMAKE_INSTALL_PREFIX:PATH=/usr - -DANBOX_VERSION=$SNAPCRAFT_PROJECT_VERSION + # FIXME: Once we have everything in place for full snap confinement we + # can securely enable this. + # - -DSNAP_CONFINEMENT=ON build-packages: - build-essential - cmake 
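Review bot: `set_config_item("lxc.namespace.keep", "cgroup")` makes the container share the cgroup namespace of the container manager, which is a reduction in isolation, and the only trigger is that a `SNAP` environment variable exists; that variable does not by itself prove snap-confine has placed the process in a dedicated cgroup. The comment should state both the assumption and the consequence, e.g. `// Keeping the cgroup namespace shares the manager's cgroup tree with the container; only correct when snap-confine has already confined us to our own cgroup.` The same two comment lines contain the typos `presevering` and `wont`, which are carried as context into the following commit. LxcContainer::start continues past the end of the hunk.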
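Review bot: The new `SNAP_CONFINEMENT` block injects the macro by string-appending `-DENABLE_SNAP_CONFINEMENT` to `CMAKE_CXX_FLAGS`, which only reaches C++ sources and bypasses CMake's definition handling; `add_definitions(-DENABLE_SNAP_CONFINEMENT)` (or `target_compile_definitions` on the affected target) is the idiomatic form and keeps the flag out of the raw flag string. The option's help text could also say what the build does when it is OFF, since the code guarded by the macro falls back to an unconfined AppArmor profile in that case.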
diff --git a/src/anbox/container/lxc_container.cpp b/src/anbox/container/lxc_container.cpp index 0490577..992dd7d 100644 --- a/src/anbox/container/lxc_container.cpp +++ b/src/anbox/container/lxc_container.cpp @@ -266,10 +266,12 @@ void LxcContainer::start(const Configuration &configuration) { set_config_item("lxc.init.cmd", "/anbox-init.sh"); +#if ENABLE_SNAP_CONFINEMENT // If we're running inside the snap environment snap-confine already created a // cgroup for us we need to use as otherwise presevering a namespace wont help. if (utils::is_env_set("SNAP")) set_config_item("lxc.namespace.keep", "cgroup"); +#endif auto rootfs_path = SystemConfiguration::instance().rootfs_dir(); if (rootfs_overlay_) @@ -288,11 +290,11 @@ void LxcContainer::start(const Configuration &configuration) { setup_network(); -#if 0 - set_config_item("lxc.apparmor.profile", "anbox-container"); - - const auto seccomp_profile_path = fs::path(utils::get_env_value("SNAP", "/etc/anbox")) / "seccomp" / "anbox.sc"; - set_config_item("lxc.seccomp.profile", seccomp_profile_path.string().c_str()); +#if ENABLE_SNAP_CONFINEMENT + // We take the AppArmor profile snapd has defined for us as part of the + // anbox-support interface. The container manager itself runs within a + // child profile snap.anbox.container-manager//lxc too. + set_config_item("lxc.apparmor.profile", "snap.anbox.container-manager//container"); #else set_config_item("lxc.apparmor.profile", "unconfined"); #endif From 71772c7a43d04c307f97303a57c1f2fcaa255bc5 Mon Sep 17 00:00:00 2001 From: Simon Fels Date: Thu, 19 Jul 2018 22:38:06 -0400 Subject: [PATCH 5/6] snap: upgrade to lxc 3.0.1 --- snap/snapcraft.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/snap/snapcraft.yaml b/snap/snapcraft.yaml index 86f245f..28c1c73 100644 --- a/snap/snapcraft.yaml +++ b/snap/snapcraft.yaml 
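Review bot: The replaced `#if 0` block also configured `lxc.seccomp.profile`, but the new `#if ENABLE_SNAP_CONFINEMENT` branch sets only `lxc.apparmor.profile`, so even a confined build starts the container with no seccomp filter, and neither the code nor the commit message says whether that is deliberate. If it is, add a comment next to the call, e.g. `// No seccomp profile yet: confinement relies on the snapd-provided AppArmor profile only.`; otherwise the seccomp setting should be re-added under a path that exists in the snap. In both hunks of this file the macro is tested with `#if`, which treats an undefined macro as 0 (and warns under -Wundef); `#ifdef ENABLE_SNAP_CONFINEMENT` expresses an on/off build option more directly. LxcContainer::start starts before the first hunk and continues after the second.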
@@ -148,7 +148,7 @@ parts: lxc: source: https://github.com/lxc/lxc source-type: git - source-tag: lxc-3.0.0 + source-tag: lxc-3.0.1 build-packages: - libapparmor-dev - libcap-dev From 2b83d922fe67133234ca004e5b89c84959c7eeed Mon Sep 17 00:00:00 2001 From: Simon Fels Date: Thu, 19 Jul 2018 22:38:36 -0400 Subject: [PATCH 6/6] snap: patch lxc with minor patch for Anbox specific Apparmor child profile handling --- snap/snapcraft.yaml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/snap/snapcraft.yaml b/snap/snapcraft.yaml index 28c1c73..30ed3a1 100644 --- a/snap/snapcraft.yaml +++ b/snap/snapcraft.yaml @@ -171,6 +171,16 @@ parts: - --enable-capabilities - --with-rootfs-path=/var/snap/anbox/common/lxc/ - --libexecdir=/snap/anbox/current/libexec/ + override-build: | + set -ex + git config user.email "buildbot@anbox.io" + git config user.name "Anbox Buildbot" + git remote add anbox https://github.com/anbox/lxc + git fetch anbox + # apparmor: don't require a transition for Anbox child profiles + git cherry-pick 2f81fb7c91560b32e506bb874f8cd63e37985906 + set +ex + snapcraftctl build organize: snap/anbox/current/libexec: libexec prime:
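Review bot: The new `override-build` step fetches `https://github.com/anbox/lxc` at build time and cherry-picks a commit by full hash; the hash pins the content, but the change itself — relaxing the AppArmor profile-transition requirement for the container profile — lives outside this repository, so it cannot be reviewed together with the snap definition that depends on it. Carrying it as a patch file in the source tree and applying it with `git apply` (or `patch -p1`) in the same step would remove the network dependency from the build and make the modification visible in review. The `set +ex` before `snapcraftctl build` does not change the outcome, since that command is last and its status becomes the script's, but it reads as if later failures were tolerated; dropping it keeps intent and behaviour aligned.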