From 3cd309d29ba00164836e2ca22bd34dfa23014276 Mon Sep 17 00:00:00 2001
From: James Henstridge
Date: Wed, 15 Jul 2020 11:34:44 +0800
Subject: [PATCH] build_providers: create LXD containers with security.syscalls.intercept.mknod=true
---
 snapcraft/internal/build_providers/_lxd/_lxd.py | 8 +++++++-
 tests/unit/build_providers/lxd/test_lxd.py | 2 ++
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/snapcraft/internal/build_providers/_lxd/_lxd.py b/snapcraft/internal/build_providers/_lxd/_lxd.py
index 5f2c45db71d..1a552bae33f 100644
--- a/snapcraft/internal/build_providers/_lxd/_lxd.py
+++ b/snapcraft/internal/build_providers/_lxd/_lxd.py
@@ -194,7 +194,13 @@ def _launch(self) -> None:
 provider_name=self._get_provider_name(), build_base=build_base
 )
- config = {"name": self.instance_name, "source": source}
+ config = {
+ "name": self.instance_name,
+ "source": source,
+ # Allow container to make safe mknod calls, as documented at
+ # https://linuxcontainers.org/lxd/docs/master/syscall-interception
+ "security.syscalls.intercept.mknod": "true",
+ }
 try:
 container = self._lxd_client.containers.create(config, wait=True)
diff --git a/tests/unit/build_providers/lxd/test_lxd.py b/tests/unit/build_providers/lxd/test_lxd.py
index 5dab839dd52..d51ac10661a 100644
--- a/tests/unit/build_providers/lxd/test_lxd.py
+++ b/tests/unit/build_providers/lxd/test_lxd.py
@@ -200,6 +200,7 @@ def test_create(self):
 config={
 "name": "snapcraft-project-name",
 "raw.idmap": f"both {os.getuid()} 0",
+ "security.syscalls.intercept.mknod": "true",
 "source": {
 "mode": "pull",
 "type": "image",
@@ -776,6 +777,7 @@ def test_create_for_type_base(self):
 config={
 "name": "snapcraft-core18",
 "raw.idmap": f"both {os.getuid()} 0",
+ "security.syscalls.intercept.mknod": "true",
 "source": {
 "mode": "pull",
 "type": "image",
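Review bot: Both `test_create` and `test_create_for_type_base` now pin `"security.syscalls.intercept.mknod": "true"` in the expected `containers.create` config, but neither test covers the failure path this key introduces: an LXD daemon that predates syscall interception would, as far as I know, reject the unknown config key, so `containers.create` raises and the `except` branch in `_launch` (the first hunk is cut off before it) becomes the only place the user learns why container creation failed. A test that makes the mocked `containers.create` raise the exception `_launch` already catches and asserts on the resulting snapcraft error message would document that new host requirement. Since the justification lives only in the `_lxd.py` comment, a one-line note beside the new expected key in the test module, e.g. `# Set unconditionally by _launch(); hosts whose LXD lacks syscall interception fail at create time`, would also save the next reader a lookup.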