Merge pull request #189 from alexmurray/support-apparmor-unconfined-mode

snapcraft/{hooks,commands}: handle new AppArmor unconfined profile mode

snapcraft/commands/buginfo

@@ -2,8 +2,11 @@
 set -u
 
 # Re-exec outside of apparmor confinement
-if [ -d /sys/kernel/security/apparmor ] && [ "$(cat /proc/self/attr/current)" != "unconfined" ]; then
+if [ -d /sys/kernel/security/apparmor ]; then
+  label="$(cat /proc/self/attr/current 2>/dev/null)"
+  if [ "$label" != "unconfined" ] && [ -n "${label##*(unconfined)}" ]; then
     exec aa-exec -p unconfined -- "$0" "$@"
+  fi
 fi
 
 # Check that we're root

snapcraft/commands/daemon.activate

@@ -2,14 +2,17 @@
 set -eu
 
 # Re-exec outside of apparmor confinement
-if [ -d /sys/kernel/security/apparmor ] && [ "$(cat /proc/self/attr/current 2>/dev/null)" != "unconfined" ]; then
+if [ -d /sys/kernel/security/apparmor ]; then
+  label="$(cat /proc/self/attr/current 2>/dev/null)"
+  if [ "$label" != "unconfined" ] && [ -n "${label##*(unconfined)}" ]; then
     if ! aa-exec --help >/dev/null 2>&1; then
         echo "The LXD snap was unable to run aa-exec, this usually indicates a LXD sideload." >&2
         echo "When sideloading, make sure to manually connect all interfaces." >&2
         exit 0
     fi
 
     exec aa-exec -p unconfined -- "$0" "$@" || true
+  fi
 fi
 
 # shellcheck disable=SC2155

snapcraft/commands/daemon.reload

@@ -2,8 +2,11 @@
 set -eu
 
 # Re-exec outside of apparmor confinement
-if [ -d /sys/kernel/security/apparmor ] && [ "$(cat /proc/self/attr/current)" != "unconfined" ]; then
+if [ -d /sys/kernel/security/apparmor ]; then
+  label="$(cat /proc/self/attr/current 2>/dev/null)"
+  if [ "$label" != "unconfined" ] && [ -n "${label##*(unconfined)}" ]; then
     exec aa-exec -p unconfined -- "$0" "$@"
+  fi
 fi
 
 echo reload > "${SNAP_COMMON}/state"

snapcraft/commands/daemon.start

@@ -2,8 +2,11 @@
 set -eu
 
 # Re-exec outside of apparmor confinement
-if [ -d /sys/kernel/security/apparmor ] && [ "$(cat /proc/self/attr/current)" != "unconfined" ]; then
+if [ -d /sys/kernel/security/apparmor ]; then
+  label="$(cat /proc/self/attr/current 2>/dev/null)"
+  if [ "$label" != "unconfined" ] && [ -n "${label##*(unconfined)}" ]; then
     exec aa-exec -p unconfined -- "$0" "$@"
+  fi
 fi
 
 echo "=> Preparing the system (${SNAP_REVISION})"

snapcraft/commands/daemon.stop

@@ -2,8 +2,11 @@
 set -eu
 
 # Re-exec outside of apparmor confinement
-if [ -d /sys/kernel/security/apparmor ] && [ "$(cat /proc/self/attr/current)" != "unconfined" ]; then
+if [ -d /sys/kernel/security/apparmor ]; then
+  label="$(cat /proc/self/attr/current 2>/dev/null)"
+  if [ "$label" != "unconfined" ] && [ -n "${label##*(unconfined)}" ]; then
     exec aa-exec -p unconfined -- "$0" "$@"
+  fi
 fi
 
 export LXD_DIR="${SNAP_COMMON}/lxd/"

snapcraft/commands/lxc

@@ -2,8 +2,11 @@
 set -eu
 
 # Re-exec outside of apparmor confinement
-if [ -d /sys/kernel/security/apparmor ] && [ "$(while read -r l; do echo "$l"; done < /proc/self/attr/current)" != "unconfined" ]; then
+if [ -d /sys/kernel/security/apparmor ]; then
+  label="$(while read -r l; do echo "$l"; done < /proc/self/attr/current)"
+  if [ "$label" != "unconfined" ] && [ -n "${label##*(unconfined)}" ]; then
     exec /usr/bin/aa-exec -p unconfined -- "$0" "$@"
+  fi
 fi
 
 # Check if native and snap installed

snapcraft/commands/lxc-to-lxd

@@ -2,8 +2,11 @@
 set -eu
 
 # Re-exec outside of apparmor confinement
-if [ -d /sys/kernel/security/apparmor ] && [ "$(cat /proc/self/attr/current)" != "unconfined" ]; then
+if [ -d /sys/kernel/security/apparmor ]; then
+  label="$(cat /proc/self/attr/current 2>/dev/null)"
+  if [ "$label" != "unconfined" ] && [ -n "${label##*(unconfined)}" ]; then
     exec aa-exec -p unconfined -- "$0" "$@"
+  fi
 fi
 
 # Check that we're root

snapcraft/commands/lxd

@@ -2,8 +2,11 @@
 set -eu
 
 # Re-exec outside of apparmor confinement
-if [ -d /sys/kernel/security/apparmor ] && [ "$(cat /proc/self/attr/current)" != "unconfined" ]; then
+if [ -d /sys/kernel/security/apparmor ]; then
+  label="$(cat /proc/self/attr/current 2>/dev/null)"
+  if [ "$label" != "unconfined" ] && [ -n "${label##*(unconfined)}" ]; then
     exec aa-exec -p unconfined -- "$0" "$@"
+  fi
 fi
 
 # Check if native and snap installed

snapcraft/commands/lxd-benchmark

@@ -2,8 +2,11 @@
 set -eu
 
 # Re-exec outside of apparmor confinement
-if [ -d /sys/kernel/security/apparmor ] && [ "$(cat /proc/self/attr/current)" != "unconfined" ]; then
+if [ -d /sys/kernel/security/apparmor ]; then
+  label="$(cat /proc/self/attr/current 2>/dev/null)"
+  if [ "$label" != "unconfined" ] && [ -n "${label##*(unconfined)}" ]; then
     exec aa-exec -p unconfined -- "$0" "$@"
+  fi
 fi
 
 # Check if native and snap installed

snapcraft/commands/lxd-check-kernel

@@ -2,8 +2,11 @@
 set -eu
 
 # Re-exec outside of apparmor confinement
-if [ -d /sys/kernel/security/apparmor ] && [ "$(cat /proc/self/attr/current)" != "unconfined" ]; then
+if [ -d /sys/kernel/security/apparmor ]; then
+  label="$(cat /proc/self/attr/current 2>/dev/null)"
+  if [ "$label" != "unconfined" ] && [ -n "${label##*(unconfined)}" ]; then
     exec aa-exec -p unconfined -- "$0" "$@"
+  fi
 fi
 
 exec lxc-checkconfig

snapcraft/commands/lxd-migrate

@@ -2,8 +2,11 @@
 set -eu
 
 # Re-exec outside of apparmor confinement
-if [ -d /sys/kernel/security/apparmor ] && [ "$(cat /proc/self/attr/current)" != "unconfined" ]; then
+if [ -d /sys/kernel/security/apparmor ]; then
+  label="$(cat /proc/self/attr/current 2>/dev/null)"
+  if [ "$label" != "unconfined" ] && [ -n "${label##*(unconfined)}" ]; then
     exec aa-exec -p unconfined -- "$0" "$@"
+  fi
 fi
 
 # shellcheck disable=SC2155

snapcraft/commands/lxd-user

@@ -2,8 +2,11 @@
 set -eu
 
 # Re-exec outside of apparmor confinement
-if [ -d /sys/kernel/security/apparmor ] && [ "$(cat /proc/self/attr/current)" != "unconfined" ]; then
+if [ -d /sys/kernel/security/apparmor ]; then
+  label="$(cat /proc/self/attr/current 2>/dev/null)"
+  if [ "$label" != "unconfined" ] && [ -n "${label##*(unconfined)}" ]; then
     exec aa-exec -p unconfined -- "$0" "$@"
+  fi
 fi
 
 # Set the environment

snapcraft/hooks/configure

@@ -2,8 +2,11 @@
 set -eu
 
 # Re-exec outside of apparmor confinement
-if [ -d /sys/kernel/security/apparmor ] && [ "$(cat /proc/self/attr/current)" != "unconfined" ]; then
+if [ -d /sys/kernel/security/apparmor ]; then
+  label="$(cat /proc/self/attr/current 2>/dev/null)"
+  if [ "$label" != "unconfined" ] && [ -n "${label##*(unconfined)}" ]; then
     exec aa-exec -p unconfined -- "$0" "$@"
+  fi
 fi
 
 # Utility functions

snapcraft/hooks/connect-plug-ceph-conf

@@ -2,8 +2,11 @@
 set -eu
 
 # Re-exec outside of apparmor confinement
-if [ -d /sys/kernel/security/apparmor ] && [ "$(cat /proc/self/attr/current)" != "unconfined" ]; then
+if [ -d /sys/kernel/security/apparmor ]; then
+  label="$(cat /proc/self/attr/current 2>/dev/null)"
+  if [ "$label" != "unconfined" ] && [ -n "${label##*(unconfined)}" ]; then
     exec aa-exec -p unconfined -- "$0" "$@"
+  fi
 fi
 
 # Utility functions

snapcraft/hooks/disconnect-plug-ceph-conf

@@ -2,8 +2,11 @@
 set -eu
 
 # Re-exec outside of apparmor confinement
-if [ -d /sys/kernel/security/apparmor ] && [ "$(cat /proc/self/attr/current)" != "unconfined" ]; then
+if [ -d /sys/kernel/security/apparmor ]; then
+  label="$(cat /proc/self/attr/current 2>/dev/null)"
+  if [ "$label" != "unconfined" ] && [ -n "${label##*(unconfined)}" ]; then
     exec aa-exec -p unconfined -- "$0" "$@"
+  fi
 fi
 
 # Utility functions

snapcraft/hooks/remove

@@ -2,8 +2,11 @@
 set -eu
 
 # Re-exec outside of apparmor confinement
-if [ -d /sys/kernel/security/apparmor ] && [ "$(cat /proc/self/attr/current)" != "unconfined" ]; then
+if [ -d /sys/kernel/security/apparmor ]; then
+  label="$(cat /proc/self/attr/current 2>/dev/null)"
+  if [ "$label" != "unconfined" ] && [ -n "${label##*(unconfined)}" ]; then
     exec aa-exec -p unconfined -- "$0" "$@"
+  fi
 fi
 
 # Unmount potential LXD paths.