/snap-confine

Make snap mount directory configurable #119

Merged
merged 3 commits into from Aug 26, 2016
Commits
Jump to file or symbol
Failed to load files and symbols.
+11 −6
Split
Viewing a subset of changes. View all
Prev

Respect SNAP_MOUNT_DIR in apparmor profile 

This patch changes the apparmor profile to respect the SNAP_MOUNT_DIR
configuration option. It was tested with the default value as testing
other values is difficult right now.

Some of the profile refers to /snap in a genuine way as it runs after
the call to pivot_root. Ideally this would be better separated but I
would like to make this change as small as it can for now.

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
  • Loading branch information...
commit c77ce3d7e521b93a2375bbad5019338bb176f9cc @zyga zyga committed Aug 26, 2016
View
2 src/Makefile.am
@@ -96,7 +96,7 @@ fmt:
EXTRA_DIST = 80-snappy-assign.rules snappy-app-dev snap-confine.apparmor.in
snap-confine.apparmor: snap-confine.apparmor.in Makefile
- sed -e 's,[@]LIBEXECDIR[@],$(libexecdir),g' <$< >$@
+ sed -e 's,[@]LIBEXECDIR[@],$(libexecdir),g' -e 's,[@]SNAP_MOUNT_DIR[@],$(SNAP_MOUNT_DIR),' <$< >$@
# NOTE: This makes distcheck fail but it is required for udev, so go figure.
# http://www.gnu.org/software/automake/manual/automake.html#Hard_002dCoded-Install-Paths
View
15 src/snap-confine.apparmor.in
@@ -94,19 +94,21 @@
# for running snaps on classic
mount options=(rw rslave) -> /,
@zyga

zyga Aug 26, 2016

Collaborator

FYI: this is split because in the past the regular expression /{tmp/snap.rootfs_*,}snap/ covered /snap which is no longer a constant.
- /{tmp/snap.rootfs_*,}snap/ r,
- /{tmp/snap.rootfs_*,}snap/** r,
+ /tmp/snap.rootfs_*/snap/ r,
+ /tmp/snap.rootfs_*/snap/** r,
@jdstrand

jdstrand Aug 26, 2016

Contributor

I'm not sure how this change is related to this PR, but the change is fine.

+1 on all changes.

@zyga

zyga Aug 26, 2016

Collaborator

Like this: https://github.com/snapcore/snap-confine/pull/119/files#r76422977
+ @SNAP_MOUNT_DIR@/ r,
+ @SNAP_MOUNT_DIR@/** r,
# mount calls to setup the pivot_root based chroot with the core snap as
# the root filesystem.
- mount options=(rw bind) /snap/ubuntu-core/*/ -> /tmp/snap.rootfs_*/,
+ mount options=(rw bind) @SNAP_MOUNT_DIR@/ubuntu-core/*/ -> /tmp/snap.rootfs_*/,
mount options=(rw rbind) /dev/ -> /tmp/snap.rootfs_*/dev/,
mount options=(rw rbind) /etc/ -> /tmp/snap.rootfs_*/etc/,
mount options=(rw rbind) /home/ -> /tmp/snap.rootfs_*/home/,
mount options=(rw rbind) /root/ -> /tmp/snap.rootfs_*/root/,
mount options=(rw rbind) /proc/ -> /tmp/snap.rootfs_*/proc/,
- mount options=(rw rbind) /snap/ -> /tmp/snap.rootfs_*/snap/,
+ mount options=(rw rbind) @SNAP_MOUNT_DIR@/ -> /tmp/snap.rootfs_*/snap/,
mount options=(rw rbind) /sys/ -> /tmp/snap.rootfs_*/sys/,
mount options=(rw rbind) /tmp/ -> /tmp/snap.rootfs_*/tmp/,
mount options=(rw rbind) /var/lib/snapd/ -> /tmp/snap.rootfs_*/var/lib/snapd/,
@@ -117,13 +119,16 @@
mount options=(rw rbind) {/usr,}/lib/modules/ -> /tmp/snap.rootfs_*/lib/modules/,
mount options=(rw rbind) /var/log/ -> /tmp/snap.rootfs_*/var/log/,
mount options=(rw rbind) /usr/src/ -> /tmp/snap.rootfs_*/usr/src/,
- mount options=(rw bind) /snap/ubuntu-core/*/etc/alternatives/ -> /tmp/snap.rootfs_*/etc/alternatives/,
+ mount options=(rw bind) @SNAP_MOUNT_DIR@/ubuntu-core/*/etc/alternatives/ -> /tmp/snap.rootfs_*/etc/alternatives/,
# Allow to mkdir /var/lib/snapd/hostfs
/var/lib/snapd/hostfs/ rw,
# Allow to mount / as hostfs in the chroot
mount options=(ro bind) / -> /tmp/snap.rootfs_*/var/lib/snapd/hostfs/,
+ # NOTE: at this stage the /snap directory is stable as we have called
+ # pivot_root already.
+
# Support mount profiles via the content interface
mount options=(rw bind) /snap/*/** -> /snap/*/*/**,
mount options=(ro bind) /snap/*/** -> /snap/*/*/**,