15.04

Ubuntu Core 15.04 has a number of differences from what is described in https://wiki.ubuntu.com/SecurityTeam/Specifications/SnappyConfinement for 16.04.

Click compat

Historically (no longer on 16.04 and higher) snappy used click-apparmor to generate security policy for AppArmor (seccomp always used the native format, above). When debugging on a 15.04 system the following may be useful:

  • click security manifests for apparmor are installed to /var/lib/apparmor/clicks for templated policy and /var/lib/apparmor/snappy/profiles for hand-crafted policy
  • apparmor profiles are generated in /var/lib/apparmor/profiles
  • use aa-clickhook -f to regenerate all templated policy (those not using security-policy)
  • use aa-profile-hook -f to regenerate all custom policy (those using security-policy)

security-override

security-override in 15.04 is quite different from 16.04 because the 15.04 implementation was difficult to use. Apps may optionally use security-override to specify high-level overrides when 'security-template' and 'caps' are not sufficient. The path specified by security-override is a custom security manifest. Use of this will trigger manual review in the Ubuntu store. Consider the following package.yaml:

services:
  - name: bar
    start: bin/bar
    caps:
      - network-client
  - name: baz
    start: bin/baz
    security-overrides:
      apparmor: path/to/security.override
      seccomp: path/to/filter.override

This says to use path/to/security.override for apparmor policy and path/to/filter.override for seccomp policy.

If path/to/security.override has (its format is that of the click security manifest):

{
    "policy_vendor": "ubuntu-core",
    "policy_version": 15.04,
    "template": "default",
    "policy_groups": [
      "network-client"
    ],
    "read_path": [
      "/bar"
    ]
}

and path/to/filter.override contains (yaml):

policy-vendor: ubuntu-core
policy-version: 15.04
security-template: default
caps:
  - network-client
syscalls:
  - clock_adjtime

then upon install the default policy will be used, the 'network-client' cap will be used, '/bar' will be added to the apparmor policy and 'clock_adjtime' will be added to the seccomp filter policy.

You may not use security-override with security-template, caps or security-policy.
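
A pre-upload lint for the rule above, as an added example (not snappy's or the store's own code). It takes the services list of an already-parsed package.yaml and accepts both spellings of the key that appear on this page. The finding labels, the SAMPLE_SERVICES data, the 'qux' service and the package-relative path check are assumptions of this example.

```python
import posixpath

# Keys the page says may not be combined with a security override.
EXCLUSIVE_KEYS = ("security-template", "caps", "security-policy")
# The page spells the key both ways, so accept either.
OVERRIDE_KEYS = ("security-override", "security-overrides")
# Backends shown in the page's package.yaml.
BACKENDS = ("apparmor", "seccomp")


def lint_services(services):
    """Return sorted (service, finding) pairs for a parsed 'services' list."""
    findings = set()
    for svc in services:
        name = svc.get("name", "<unnamed>")
        used = [k for k in OVERRIDE_KEYS if k in svc]
        if not used:
            continue
        findings.add((name, "manual-review"))  # overrides trigger store review
        for key in EXCLUSIVE_KEYS:
            if key in svc:
                findings.add((name, "conflict:" + key))
        override = svc[used[0]] or {}
        if not isinstance(override, dict):
            findings.add((name, "override-not-a-mapping"))
            continue
        for backend, path in override.items():
            if backend not in BACKENDS:
                findings.add((name, "unknown-backend:" + backend))
            # Assumption of this example: override paths are package-relative.
            parts = posixpath.normpath(path).split("/")
            if path.startswith("/") or ".." in parts:
                findings.add((name, "path-outside-package:" + backend))
    return sorted(findings)


# Constructed input: the page's two services plus one invalid service.
SAMPLE_SERVICES = [
    {"name": "bar", "start": "bin/bar", "caps": ["network-client"]},
    {"name": "baz", "start": "bin/baz",
     "security-overrides": {"apparmor": "path/to/security.override",
                            "seccomp": "path/to/filter.override"}},
    {"name": "qux", "start": "bin/qux", "caps": ["network-client"],
     "security-override": {"apparmor": "../shared/security.override"}},
]

if __name__ == "__main__":
    for service, finding in lint_services(SAMPLE_SERVICES):
        print(service + ": " + finding)
```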

SecurityTeam/Specifications/SnappyConfinement/15.04 (last edited 2016-02-03 16:20:46 by jdstrand)