canonical · sergiusens · Jul 15, 2020 · Jul 15, 2020 · Jul 15, 2020 · Jul 15, 2020
diff --git a/snapcraft/internal/build_providers/_lxd/_lxd.py b/snapcraft/internal/build_providers/_lxd/_lxd.py
@@ -207,6 +207,12 @@ def _launch(self) -> None:
 
         self._start()
 
+    def _supports_syscall_interception(self) -> bool:
+        # syscall interception relies on the seccomp_listener kernel feature
+        environment = self._lxd_client.host_info.get("environment", {})
+        kernel_features = environment.get("kernel_features", {})
+        return kernel_features.get("seccomp_listener", "false") == "true"
+
     def _start(self):
         if not self._lxd_client.containers.exists(self.instance_name):
             raise errors.ProviderInstanceNotFoundError(instance_name=self.instance_name)
@@ -221,6 +227,10 @@ def _start(self):
         self._container.config["raw.idmap"] = "both {!s} 0".format(
             os.stat(self.project._project_dir).st_uid
         )
+        # If possible, allow container to make safe mknod calls. Documented at
+        # https://linuxcontainers.org/lxd/docs/master/syscall-interception
+        if self._supports_syscall_interception():
+            self._container.config["security.syscalls.intercept.mknod"] = "true"
         self._container.save(wait=True)
 
         if self._container.status.lower() != "running":

diff --git a/tests/spread/build-providers/lxd-mknod/task.yaml b/tests/spread/build-providers/lxd-mknod/task.yaml
@@ -0,0 +1,40 @@
+summary: Verify LXD builds can make (some) device nodes
+
+systems:
+  - -ubuntu-16.04*    # kernel does not support syscall interception
+
+environment:
+  SNAP_DIR: ../snaps/devices
+
+prepare: |
+  #shellcheck source=tests/spread/tools/snapcraft-yaml.sh
+  . "$TOOLS_DIR/snapcraft-yaml.sh"
+  set_base "$SNAP_DIR/snap/snapcraft.yaml"
+
+restore: |
+  cd "$SNAP_DIR"
+
+  # Unset SNAPCRAFT_BUILD_ENVIRONMENT=host.
+  unset SNAPCRAFT_BUILD_ENVIRONMENT
+
+  snapcraft clean --use-lxd
+  rm -f ./*.snap
+
+  #shellcheck source=tests/spread/tools/snapcraft-yaml.sh
+  . "$TOOLS_DIR/snapcraft-yaml.sh"
+  restore_yaml "snap/snapcraft.yaml"
+
+execute: |
+  cd "$SNAP_DIR"
+
+  # Unset SNAPCRAFT_BUILD_ENVIRONMENT=host.
+  unset SNAPCRAFT_BUILD_ENVIRONMENT
+
+  snapcraft --use-lxd
+  sudo snap install devices_*.snap --dangerous
+
+  # Check that the snap includes the expected character device files
+  [ -c /snap/devices/current/dev/null ]
+  [ -c /snap/devices/current/dev/zero ]
+  [ -c /snap/devices/current/dev/random ]
+  [ -c /snap/devices/current/dev/urandom ]
diff --git a/tests/spread/build-providers/snaps/devices/snap/snapcraft.yaml b/tests/spread/build-providers/snaps/devices/snap/snapcraft.yaml
@@ -0,0 +1,20 @@
+name: devices
+version: '0.1'
+summary: Help verify (some) device files can be created in LXD builds
+description: ...
+
+grade: devel
+base: core18
+confinement: strict
+
+parts:
+  test:
+    plugin: nil
+    build-packages:
+      - coreutils
+    override-build: |
+      mkdir -p $SNAPCRAFT_PART_INSTALL/dev
+      mknod $SNAPCRAFT_PART_INSTALL/dev/null c 1 3
+      mknod $SNAPCRAFT_PART_INSTALL/dev/zero c 1 5
+      mknod $SNAPCRAFT_PART_INSTALL/dev/random c 1 8
+      mknod $SNAPCRAFT_PART_INSTALL/dev/urandom c 1 9
diff --git a/tests/unit/build_providers/lxd/test_lxd.py b/tests/unit/build_providers/lxd/test_lxd.py
@@ -143,6 +143,9 @@ def create(self, config: Dict[str, Any], wait: bool) -> FakeContainer:
 class FakePyLXDClient:
     def __init__(self) -> None:
         self.containers = FakeContainers()
+        self.host_info = {
+            "environment": {"kernel_features": {"seccomp_listener": "true"}}
+        }
 
 
 class LXDBaseTest(BaseProviderBaseTest):
@@ -200,6 +203,7 @@ def test_create(self):
             config={
                 "name": "snapcraft-project-name",
                 "raw.idmap": f"both {os.getuid()} 0",
+                "security.syscalls.intercept.mknod": "true",
                 "source": {
                     "mode": "pull",
                     "type": "image",
@@ -776,6 +780,7 @@ def test_create_for_type_base(self):
             config={
                 "name": "snapcraft-core18",
                 "raw.idmap": f"both {os.getuid()} 0",
+                "security.syscalls.intercept.mknod": "true",
                 "source": {
                     "mode": "pull",
                     "type": "image",
@@ -794,6 +799,30 @@ def test_create_invalid_base(self):
 
         self.assertRaises(errors.ProviderInvalidBaseError, instance.create)
 
+    def test_create_without_syscall_intercept(self):
+        self.fake_pylxd_client.host_info["environment"]["kernel_features"][
+            "seccomp_listener"
+        ] = "false"
+
+        instance = LXDTestImpl(project=self.project, echoer=self.echoer_mock)
+
+        instance.create()
+
+        self.fake_pylxd_client.containers.create_mock.assert_called_once_with(
+            config={
+                "name": "snapcraft-project-name",
+                "raw.idmap": f"both {os.getuid()} 0",
+                "source": {
+                    "mode": "pull",
+                    "type": "image",
+                    "server": "https://cloud-images.ubuntu.com/buildd/daily",
+                    "protocol": "simplestreams",
+                    "alias": "16.04",
+                },
+            },
+            wait=True,
+        )
+
 
 class LXDLaunchedTest(LXDBaseTest):
     def setUp(self):