/snap-confine

Add snap-discard-ns #135

Merged
merged 8 commits into from Sep 12, 2016

Conversation

Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
2 participants
@zyga @tyhicks
@zyga
Collaborator

zyga commented Sep 12, 2016

This branch adds the snap-discard-ns program that does as the name suggests. It is a part of the namespace sharing feature. This program will be used by snap-confine spread tests before the appropriate branch lands in snapd (snapcore/snapd#1847)

zyga added some commits Sep 12, 2016

@zyga
Add the snap-discard-ns executable 
This executable uses the namespace group API to discard a possibly
existing mount namespace. The program is not run as setuid root and thus
has no apparmor profile at this time.

The dependencies could be a little bit weaker. It pulls in libseccomp
just because it is used by cleanup function. It also pulls in
libapparmor because of the hat changing logic in ns-support.c. This can
be improved later as it has little cost.

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
67c201a
@zyga
Add manaul page for snap-discard-ns 
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
53ab8bc
@zyga
Add spread test for snap-discard-ns 
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
6672bcf
@zyga
Tweak copy-pasted manual page 
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
05d9c9c

@zyga zyga referenced this pull request Sep 12, 2016

Closed

Enable snap-confine namespace sharing #134

zyga added some commits Sep 12, 2016

@zyga
Fix typo 
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
09362b3
@zyga
Improve spread test 
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
296448f
@zyga
Remove lock files on cleanup
edbc0bc
@zyga
Discard needless removal
9c98cc2
@tyhicks
Collaborator

tyhicks commented Sep 12, 2016

This should all be good as long as /run/snapd/ and /run/snapd/ns/ is only writable by root. That's true for /run/snapd/ns/ because sc_initialize_ns_groups() calls mkpath() which does the right thing by creating the directory with the 0755 mode.

snapd must create /run/snapd/. Can you verify that snapd is creating that directory with the right permissions?
@tyhicks
Collaborator

tyhicks commented Sep 12, 2016

@zyga and I discussed my last question in #snappy. He informed me that /run/snapd/ is created by sc_initialize_ns_groups() and we already know that it creates dirs with 0755 mode.

Looks good to me. Thanks!

@zyga zyga merged commit c0b994a into master Sep 12, 2016
1 check passed

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed
Details

@zyga zyga deleted the snap-discard-ns branch Sep 12, 2016

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment