sandbox/apparmor: support bundled 3.0 or 4.0 (preferred) abi

Mirror the logic used in apparmor-from-the-host to apparmor-from-snapd-snap. This mainly fixes tests that repackage old snapd snap without touching apparmor, but in general seems like the right thing to do. The logic is such, that abi 4 is preferred. Signed-off-by: Zygmunt Krynicki <[email protected]>
canonical · Jul 10, 2024 · c5df0af · ernestl · Jul 11, 2024 · ernestl
1 parent 700f794
commit c5df0af
Show file tree

Hide file tree

Showing 2 changed files with 63 additions and 7 deletions.
diff --git a/sandbox/apparmor/apparmor.go b/sandbox/apparmor/apparmor.go
@@ -782,16 +782,34 @@ func AppArmorParser() (cmd *exec.Cmd, internal bool, err error) {
 	if path, err := snapdtool.InternalToolPath("apparmor_parser"); err == nil {
 		if osutil.IsExecutable(path) && snapdAppArmorSupportsReexec() && !systemAppArmorLoadsSnapPolicy() {
 			prefix := strings.TrimSuffix(path, "apparmor_parser")
-			// when using the internal apparmor_parser also use
-			// its own configuration and includes etc plus
-			// also ensure we use the 4.0 feature ABI to get
-			// the widest array of policy features across the
-			// widest array of kernel versions
+			snapdAbi30File := filepath.Join(prefix, "/apparmor.d/abi/3.0")
+			snapdAbi40File := filepath.Join(prefix, "/apparmor.d/abi/4.0")
+
+			// When using the internal apparmor_parser also use its own
+			// configuration and includes etc plus also ensure we use the 4.0
+			// feature ABI to get the widest array of policy features across
+			// the widest array of kernel versions.
+			//
+			// In case snapd is injectd into snapd with older apparmor, use
+			// that instead so that things don't generally fail.
+			abiFile := ""
+			fi40, err40 := os.Lstat(snapdAbi40File)
+			fi30, err30 := os.Lstat(snapdAbi30File)
+			switch {
+			case err40 == nil && !fi40.IsDir():
+				abiFile = snapdAbi40File
+			case err30 == nil && !fi30.IsDir():
+				abiFile = snapdAbi30File
+			default:
+				return nil, false, fmt.Errorf("internal snapd apparmor_parser but no abi files")
+			}
+
 			args := []string{
 				"--config-file", filepath.Join(prefix, "/apparmor/parser.conf"),
 				"--base", filepath.Join(prefix, "/apparmor.d"),
-				"--policy-features", filepath.Join(prefix, "/apparmor.d/abi/4.0"),
+				"--policy-features", abiFile,
 			}
+
 			return exec.Command(path, args...), true, nil
 		}
 	}

diff --git a/sandbox/apparmor/apparmor_test.go b/sandbox/apparmor/apparmor_test.go
@@ -75,14 +75,16 @@ func (*apparmorSuite) TestAppArmorParser(c *C) {
 	c.Check(err, Equals, nil)
 }
 
-func (*apparmorSuite) TestAppArmorInternalAppArmorParser(c *C) {
+func (*apparmorSuite) TestAppArmorInternalAppArmorParserAbi3(c *C) {
 	fakeroot := c.MkDir()
 	dirs.SetRootDir(fakeroot)
 
 	d := filepath.Join(dirs.SnapMountDir, "/snapd/42", "/usr/lib/snapd")
 	c.Assert(os.MkdirAll(d, 0755), IsNil)
 	p := filepath.Join(d, "apparmor_parser")
 	c.Assert(os.WriteFile(p, nil, 0755), IsNil)
+	c.Assert(os.MkdirAll(filepath.Join(d, "apparmor.d/abi"), 755), IsNil)
+	c.Assert(os.WriteFile(filepath.Join(d, "apparmor.d/abi/3.0"), nil, 0644), IsNil)
 	restore := snapdtool.MockOsReadlink(func(path string) (string, error) {
 		c.Assert(path, Equals, "/proc/self/exe")
 		return filepath.Join(d, "snapd"), nil
@@ -98,6 +100,38 @@ func (*apparmorSuite) TestAppArmorInternalAppArmorParser(c *C) {
 		p,
 		"--config-file", filepath.Join(d, "/apparmor/parser.conf"),
 		"--base", filepath.Join(d, "/apparmor.d"),
+		"--policy-features", filepath.Join(d, "/apparmor.d/abi/3.0"),
+	})
+	c.Check(internal, Equals, true)
+}
+
+func (*apparmorSuite) TestAppArmorInternalAppArmorParserAbi4(c *C) {
+	fakeroot := c.MkDir()
+	dirs.SetRootDir(fakeroot)
+
+	d := filepath.Join(dirs.SnapMountDir, "/snapd/42", "/usr/lib/snapd")
+	c.Assert(os.MkdirAll(d, 0755), IsNil)
+	p := filepath.Join(d, "apparmor_parser")
+	c.Assert(os.WriteFile(p, nil, 0755), IsNil)
+	c.Assert(os.MkdirAll(filepath.Join(d, "apparmor.d/abi"), 755), IsNil)
+	c.Assert(os.WriteFile(filepath.Join(d, "apparmor.d/abi/3.0"), nil, 0644), IsNil)
+	c.Assert(os.WriteFile(filepath.Join(d, "apparmor.d/abi/4.0"), nil, 0644), IsNil)
+	restore := snapdtool.MockOsReadlink(func(path string) (string, error) {
+		c.Assert(path, Equals, "/proc/self/exe")
+		return filepath.Join(d, "snapd"), nil
+	})
+	defer restore()
+	restore = apparmor.MockSnapdAppArmorSupportsReexec(func() bool { return true })
+	defer restore()
+
+	cmd, internal, err := apparmor.AppArmorParser()
+	c.Check(err, IsNil)
+	c.Check(cmd.Path, Equals, p)
+	c.Check(cmd.Args, DeepEquals, []string{
+		p,
+		"--config-file", filepath.Join(d, "/apparmor/parser.conf"),
+		"--base", filepath.Join(d, "/apparmor.d"),
+		// 4.0 was preferred.
 		"--policy-features", filepath.Join(d, "/apparmor.d/abi/4.0"),
 	})
 	c.Check(internal, Equals, true)
@@ -439,6 +473,8 @@ func (s *parserFeatureTestSuite) TestInternalParser(c *C) {
 	c.Assert(err, IsNil)
 	err = os.WriteFile(filepath.Join(libSnapdDir, "apparmor_parser"), nil, 0755)
 	c.Assert(err, IsNil)
+	c.Assert(os.MkdirAll(filepath.Join(d, "apparmor.d/abi"), 755), IsNil)
+	c.Assert(os.WriteFile(filepath.Join(d, "apparmor.d/abi/4.0"), nil, 0644), IsNil)
 
 	// Pretend that we are running snapd from that snap location.
 	restore := snapdtool.MockOsReadlink(func(path string) (string, error) {
@@ -690,6 +726,8 @@ func (s *apparmorSuite) TestSetupConfCacheDirsWithInternalApparmor(c *C) {
 	c.Assert(os.MkdirAll(d, 0755), IsNil)
 	p := filepath.Join(d, "apparmor_parser")
 	c.Assert(os.WriteFile(p, nil, 0755), IsNil)
+	c.Assert(os.MkdirAll(filepath.Join(d, "apparmor.d/abi"), 755), IsNil)
+	c.Assert(os.WriteFile(filepath.Join(d, "apparmor.d/abi/4.0"), nil, 0644), IsNil)
 	restore := snapdtool.MockOsReadlink(func(path string) (string, error) {
 		c.Assert(path, Equals, "/proc/self/exe")
 		return filepath.Join(d, "snapd"), nil