snap-confine: advise the user to check the snapd.apparmor service

If the AppArmor profiles for snap-confine or snap-update-ns are not loaded, there's a chance that this is due to the snapd.apparmor systemd unit being disabled. Provide this information as a hint to the user.
mardy · Jun 6, 2022 · 3f6b247 · 3f6b247
1 parent 48ca2e1
commit 3f6b247
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 2 deletions.
diff --git a/cmd/libsnap-confine-private/apparmor-support.c b/cmd/libsnap-confine-private/apparmor-support.c
@@ -128,7 +128,14 @@ sc_maybe_aa_change_onexec(struct sc_apparmor *apparmor, const char *profile)
 		int aa_change_onexec_errno = errno;
 		if (secure_getenv("SNAPPY_LAUNCHER_INSIDE_TESTS") == NULL) {
 			errno = aa_change_onexec_errno;
-			die("cannot change profile for the next exec call");
+			if (errno == ENOENT) {
+				fprintf(stderr, "missing profile %s.\n"
+				        "Please make sure that the snapd.apparmor service is enabled\n",
+				        profile);
+				exit(1);
+			} else {
+				die("cannot change profile for the next exec call");
+			}
 		}
 	}
 #endif				// ifdef HAVE_APPARMOR

diff --git a/cmd/snap-confine/snap-confine.c b/cmd/snap-confine/snap-confine.c
@@ -393,9 +393,11 @@ int main(int argc, char **argv)
 		// id is non-root.  This protects against, for example, unprivileged
 		// users trying to leverage the snap-confine in the core snap to
 		// escalate privileges.
+		errno = 0; // errno is insignificant here
 		die("snap-confine has elevated permissions and is not confined"
 		    " but should be. Refusing to continue to avoid"
-		    " permission escalation attacks");
+		    " permission escalation attacks\n"
+		    "Please make sure that the snapd.apparmor service is enabled.");
 	}
 
 	log_startup_stage("snap-confine mount namespace start");