snapcore · zyga · Jun 24, 2016 · Jun 23, 2016 · Jun 23, 2016 · Jun 23, 2016
diff --git a/spread-tests/regression/lp-1595444/task.yaml b/spread-tests/regression/lp-1595444/task.yaml
@@ -0,0 +1,21 @@
+summary: Regression check for https://bugs.launchpad.net/snap-confine/+bug/1595444
+# This is blacklisted on debian because we first have to get the dpkg-vendor patches
+systems: [-debian-8]
+execute: |
+    echo "Having installed the snapd-hacker-toolbelt snap"
+    snap list | grep -q snapd-hacker-toolbelt || snap install snapd-hacker-toolbelt
+
+    echo "We can go to a location that is available in all snaps (/tmp)"
+    echo "We can run the 'cwd' tool from busybox and it reports /tmp" 
+    [ "$(cd /tmp && /snap/bin/snapd-hacker-toolbelt.busybox pwd)" = "/tmp" ]
+
+    echo "But if we go to a location that is not available to snaps (e.g. $HOME/.cache)"
+    echo "Then the same 'cwd' tool refuses to run the snap"
+    mkdir -p "$HOME/.cache/"
+    cd "$HOME/.cache" || exit 1
+    # pwd doesn't run
+    [ "$(/snap/bin/snapd-hacker-toolbelt.busybox pwd)" = "" ]
+    # there's an accurate error message
+    [ "$(/snap/bin/snapd-hacker-toolbelt.busybox pwd 2>&1)" = "cannot remain in $HOME/.cache, please run this snap from another location" ]
+    # snap-confine returns an error code on exit
+    ! /snap/bin/snapd-hacker-toolbelt.busybox pwd
diff --git a/spread.yaml b/spread.yaml
@@ -19,30 +19,37 @@ prepare: |
     echo "Spread is running as $(id)"
     [ "$REUSE_PROJECT" != 1 ] || exit 0
     release_ID="$( . /etc/os-release && echo "${ID:-linux}" )"
-
     case $release_ID in
         ubuntu)
             # apt update is hanging on security.ubuntu.com with IPv6.
             sysctl -w net.ipv6.conf.all.disable_ipv6=1
             trap "sysctl -w net.ipv6.conf.all.disable_ipv6=0" EXIT
             ;;
         debian)
+            echo "deb http://ftp.de.debian.org/debian sid main" > /etc/apt/sources.list.d/snappy.list
             ;;
     esac
     case $release_ID in
         ubuntu|debian)
-            apt-get purge -y snap-confine || true
             apt-get update
             apt-get install --quiet -y fakeroot
+            # Build a local copy of snap-confine
             apt-get install --quiet -y autoconf automake autotools-dev debhelper dh-apparmor dh-autoreconf indent libapparmor-dev libseccomp-dev libudev-dev pkg-config shellcheck udev
             test -d /home/test || adduser --quiet --disabled-password --gecos '' test
             chown test.test -R ..
             sudo -i -u test /bin/sh -c "cd $PWD && DEB_BUILD_OPTIONS=nocheck dpkg-buildpackage -tc -b -Zgzip"
             dpkg -i ../snap-confine_*.deb || apt-get -f install -y
             dpkg -i ../ubuntu-core-launcher_*.deb || apt-get -f install -y
             rm -f ../snap-confine_*.deb ../ubuntu-core-launcher_*.deb
+            # Install snapd (testes require it)
+            apt-get install -y snapd
             ;;
     esac
+    # Install the core snap
+    snap list | grep -q ubuntu-core || snap install ubuntu-core
+
 suites:
     spread-tests/:
         summary: Full-system tests for snap-confine 
+    spread-tests/regression/:
+        summary: Regression tests for past bug-fixes
diff --git a/src/main.c b/src/main.c
@@ -86,6 +86,13 @@ int main(int argc, char **argv)
 		// this launcher
 		setup_slave_mount_namespace();
 
+		// Get the current working directory before we start fiddling with
+		// mounts and possibly pivot_root.  At the end of the whole process, we
+		// will try to re-locate to the same directory (if possible).
+		char vanilla_cwd[512];
+		if (getcwd(vanilla_cwd, sizeof vanilla_cwd) == NULL) {
+			die("cannot get the current working directory");
+		}
 		// do the mounting if run on a non-native snappy system
 		if (is_running_on_classic_distribution()) {
 			setup_snappy_os_mounts();
@@ -104,6 +111,15 @@ int main(int argc, char **argv)
 		snappy_udev_cleanup(&udev_s);
 #endif				// ifdef STRICT_CONFINEMENT
 
+		// Try to re-locate back to vanilla working directory. This can fail
+		// because that directory is no longer present.
+		if (chdir(vanilla_cwd) != 0) {
+			// NOTE: Use exit rather than die as this produces a more refined error message
+			fprintf(stderr,
+				"cannot remain in %s, please run this snap from another location\n",
+				vanilla_cwd);
+			exit(1);
+		}
 		// the rest does not so temporarily drop privs back to calling
 		// user (we'll permanently drop after loading seccomp)
 		if (setegid(real_gid) != 0)