build_providers: create LXD containers with security.syscalls.interce…

…pt.mknod=true
canonical · Jul 15, 2020 · 3cd309d · 3cd309d
1 parent d03ffa4
commit 3cd309d
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 1 deletion.
diff --git a/snapcraft/internal/build_providers/_lxd/_lxd.py b/snapcraft/internal/build_providers/_lxd/_lxd.py
@@ -194,7 +194,13 @@ def _launch(self) -> None:
                 provider_name=self._get_provider_name(), build_base=build_base
             )
 
-        config = {"name": self.instance_name, "source": source}
+        config = {
+            "name": self.instance_name,
+            "source": source,
+            # Allow container to make safe mknod calls, as documented at
+            # https://linuxcontainers.org/lxd/docs/master/syscall-interception
+            "security.syscalls.intercept.mknod": "true",
+        }
 
         try:
             container = self._lxd_client.containers.create(config, wait=True)

diff --git a/tests/unit/build_providers/lxd/test_lxd.py b/tests/unit/build_providers/lxd/test_lxd.py
@@ -200,6 +200,7 @@ def test_create(self):
             config={
                 "name": "snapcraft-project-name",
                 "raw.idmap": f"both {os.getuid()} 0",
+                "security.syscalls.intercept.mknod": "true",
                 "source": {
                     "mode": "pull",
                     "type": "image",
@@ -776,6 +777,7 @@ def test_create_for_type_base(self):
             config={
                 "name": "snapcraft-core18",
                 "raw.idmap": f"both {os.getuid()} 0",
+                "security.syscalls.intercept.mknod": "true",
                 "source": {
                     "mode": "pull",
                     "type": "image",