p62978453
/
docs
forked from openkylin/docs
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

update en/Development-And-Common-Documents/snap.md. 

Signed-off-by: wucaiheng <11866284+wucaiheng@user.noreply.gitee.com>
This commit is contained in:
wucaiheng 2023-03-22 02:39:13 +00:00 committed by Gitee
parent fa2e1c042a
commit f58f64f130
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
1 changed files with 6 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
en/Development-And-Common-Documents/snap.md
View File

@ -76,12 +76,12 @@ SNAP_USER_DATA=/home/kylin/snap/hello/20
SNAP_DATA=/var/snap/hello/20
Writeable directory for all user-specified versions of the application
As can be seen, the directories to which a snap application has write access are extremely limited, and each snap application has its own separate writable directory. snap file system's configuration of permissions for snap application-related directories illustrates that this approach achieves isolation between application and application, and application and system.
As can be seen, the directories to which a snap application has write access are extremely limited, and each snap application has its separate writable directory. snap file system's configuration of permissions for snap application-related directories illustrates that this approach achieves isolation between application and application, and application and system.
At the same time, this approach provides good support for upgrade and rollback of snap applications. To upgrade, you only need to copy the relevant directory of the determined version to the corresponding directory of the higher version, and to rollback, you only need to delete the directory of the higher version.
At the same time, this approach provides good support for upgrade and rollback of snap applications. To upgrade, you only need to copy the relevant directory of the determined version to the corresponding directory of the higher version, and to rollback, only need to delete the directory of the higher version.
#### AppArmor
AppArmor is a mandatory access control system that provides control at the kernel level over the resources that processes can access. When a snap application is installed, the system generates its own AppArmor-specific configuration file for each of these commands. The kernel's Capability limits on executable programs can also be configured through Aparmor. When executing a command in an application, the AppArmor mechanism ensures that the command does not override access rights. As a security mechanism in the kernel, AppArmor is also supported in ubuntu classic. Unlike classic, however, the snap system has much stricter access control, basically "only the least privilege required for program execution".
AppArmor is a mandatory access control system that provides control at the kernel level over the resources that processes can access. When a snap application is installed, the system generates its own AppArmor-specific configuration file for each of these commands. The kernel's Capability limits on executable programs can also be configured through Aparmor. When executing a command in an application, the AppArmor mechanism ensures that the command does not override access rights. As a security mechanism in the kernel, AppArmor is also supported in ubuntu classic. However, unlike the classic system, the snap system has stricter access control on the program, basically "only the minimum privileges required for program execution".
#### Seccomp
Seccomp is a kernel interface access filter through which a snap application accesses the kernel interface. Seccomp has a similar role in the snap system to AppArmor, in that it controls the application's access to system resources.
@ -123,7 +123,7 @@ This mode will remove all access restrictions and no overstepping will be record
In classic mode, the snap application can access the files under '/'.
#### Interfaces
In addition to the resources provided by the default security policy, snap applications do not have access to other system resources. If a snap application needs to use system resources or resources provided by other applications, it needs to configure interfaces through the interfaces mechanism. interfaces are divided into two types of interfaces, slot (service provider) and plug (service user).
In addition to the resources provided by the default security policy, snap applications do not have access to other system resources. If a snap application needs to use system resources or resources provided by other applications, it needs to configure interfaces through the interfaces mechanism. Interfaces are divided into two types interfaces, slot (service provider) and plug (service user).
The snap application access to restricted resources is illustrated as follows.
@ -154,7 +154,7 @@ apps:
command: bin/blue
slots: 【bluez】
The above file can be used as a snap package packaging control file for a Bluetooth device driver. When this application is installed, it will be assigned the security policy ID snap.blue.blue and contain the rule: create a bluez slot for blue when it starts.
The above file can be used as a snap package packaging control file for a Bluetooth device driver. When this application is installed, it is assigned the security policy ID snap.blue.blue and contains the rule: create a bluez slot for blue when it starts.
To use the functionality provided by this slot in other applications, the package control file looks like this.
@ -178,4 +178,4 @@ The snap system consists of snap applications, including the system and kernel,
### Summary
The snap system provides a robust security system. Compared to traditional linux distributions, applications in snap systems are more independent and secure, while the configuration of snap application permissions is simpler. In the growing demand of embedded and IoT with the increasingly serious system security situation, snap system shows outstanding advantages over traditional linux distributions.
The snap system provides a robust security system. Compared to traditional Linux distributions, applications in snap systems are more independent and secure, while the configuration of snap application permissions is simpler. In the growing demand of embedded and IoT with the increasingly serious system security situation, snap system shows outstanding advantages over traditional Linux distributions.