15.04
Ubuntu Core 15.04 has a number of differences from what is described in https://wiki.ubuntu.com/SecurityTeam/Specifications/SnappyConfinement for 16.04.
Click compat
Historically (no longer on 16.04 and higher) snappy used click-apparmor to generate security policy for AppArmor (seccomp always used the native format, above). When debugging on a 15.04 system the following may be useful:
- click security manifests for apparmor are installed to /var/lib/apparmor/clicks for templated policy and /var/lib/apparmor/snappy/profiles for hand-crafted policy
- apparmor profiles are generated in /var/lib/apparmor/profiles
use aa-clickhook -f to regenerate all templated policy (those not using security-policy)
use aa-profile-hook -f to regenerate all custom policy (those using security-policy)
security-override
security-override in 15.04 is quite different from in 16.04 because the 15.04 implementation was difficult to use. Apps may optionally specify security-override to specify high level overrides to use when security-template’ and caps’ are not sufficient. The path specified by security-override is a custom security manifest. Use of this will trigger manual review in the Ubuntu store. Consider the following package.yaml:
services: - name: bar start: bin/bar caps: - network-client - name: baz start: bin/baz security-overrides: apparmor: path/to/security.override seccomp: path/to/filter.override
This says to use path/to/security.override for apparmor policy and path/to/filter.override for seccomp policy.
If path/to/security.override has (it's format is that of the click security manifest:
{ "policy_vendor": "ubuntu-core", "policy_version": 15.04, "template": "default", "policy_groups": [ "network-client" ], "read_path": [ "/bar" ] }
For example, if path/to/filter.override that contains (yaml):
policy-vendor: ubuntu-core policy-version: 15.04 security-template: default caps: - network-client syscalls: - clock_adjtime
then upon install the default policy will be used, the 'network-client' cap will be used, '/bar' will be added to the apparmor policy and 'clock_adjtime' will be added to the seccomp filter policy.
You may not use security-override with security-template, caps or security-policy.
SecurityTeam/Specifications/SnappyConfinement/15.04 (last edited 2016-02-03 16:20:46 by jdstrand)