get rid of the long-standing fmt.Printf instead of proper logging
given that the backends are a bit stateful nowadays, keeping a fixed set across
managers instantiation didn't completely make sense anyway
this avoids also the oddness of ifacestate having code to mock a global of a
different package
The AppArmor related code was moved to
github.com/snapcore/snapd/sandbox/apparmor package. Update the remaining code to
use the package.

Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>

The 2.36.x release branch was using PartialAppArmor coupled with
an additional check for lack of parser features to know that apparmor ought
to be disabled inside snapd. Meanwhile in master a new level,
UnusableAppArmor, was introduced to express that. This patch reconciles
the code to be in sync with master.
While I was at it, I added a test for UnusableAppArmor level.

Signed-off-by: Zygmunt Krynicki <me@zygoon.pl>

This patch changes the logic conditionally adding the apparmor backend to not do so
if the kernel has some support in the case that the userspace parser is too old
to parse the profiles we generate.
In practical terms this means we run without apparmor on openSUSE Leap
42.3 which in turn fixes a bug that prevented snapd from working
correctly with stricter error reporting during the startup phase when the
system key is considered.
A simple spread test ensures that openSUSE Leap 42.3 is not using
apparmor anymore.
Fixes: https://bugs.launchpad.net/snapd/+bug/1805485

Signed-off-by: Zygmunt Krynicki <me@zygoon.pl>

AppArmor may be fully or only partially supported on a given system. In
the past when partially supported apparmor was detected then the backend
would not be loaded, leading to very confusing and error-prone behavior
for people switching between mainline (unpatched) and ubuntu (patched)
kernels. Because the backend was not loaded then now-stale profiles were
*not* updated or removed and things behaved oddly, where incorrect
profiles were actually loaded into the kernel (apparmor tries to degrade
gracefully but the profiles were not permissive enough).
With this patch the apparmor backend is loaded as long as the kernel
module is loaded and enabled. This will be coupled with a patch to the
backend, which will generate more permissive profiles for
anything-less-than-full feature set. This patch will allow snapd to
enable apparmor on Debian, openSUSE as well as Ubuntu running pre-4.15
mainline kernels.

Signed-off-by: Zygmunt Krynicki <me@zygoon.pl>