Merge pull request #4084 from mvo5/blow-cache-2.29

interfaces: clean system apparmor cache on core device (2.29)
snapcore · Oct 27, 2017 · 1b7c7bf · 1b7c7bf
2 parents cdd2ef6 + bbefec4
commit 1b7c7bf
Show file tree

Hide file tree

Showing 2 changed files with 43 additions and 0 deletions.
diff --git a/interfaces/apparmor/backend.go b/interfaces/apparmor/backend.go
@@ -152,6 +152,21 @@ func (b *Backend) Setup(snapInfo *snap.Info, opts interfaces.ConfinementOptions,
 			logger.Noticef("cannot create host snap-confine apparmor configuration: %s", err)
 		}
 	}
+	// core on core devices is also special, the apparmor cache gets
+	// confused too easy, especially at rollbacks, so we delete the cache.
+	// See LP:#1460152 and
+	// https://forum.snapcraft.io/t/core-snap-revert-issues-on-core-devices/
+	if snapName == "core" && !release.OnClassic {
+		if li, err := filepath.Glob(filepath.Join(dirs.SystemApparmorCacheDir, "*")); err == nil {
+			for _, p := range li {
+				if st, err := os.Stat(p); err == nil && st.Mode().IsRegular() {
+					if err := os.Remove(p); err != nil {
+						logger.Noticef("cannot remove %q: %s", p, err)
+					}
+				}
+			}
+		}
+	}
 
 	// Get the files that this snap should have
 	content, err := b.deriveContent(spec.(*Specification), snapInfo, opts)

diff --git a/interfaces/apparmor/backend_test.go b/interfaces/apparmor/backend_test.go
@@ -496,3 +496,31 @@ func (s *backendSuite) TestSetupHostSnapConfineApparmorForReexecWritesNew(c *C)
 	c.Check(err, IsNil)
 
 }
+
+func (s *backendSuite) TestCoreOnCoreCleansApparmorCache(c *C) {
+	restorer := release.MockOnClassic(false)
+	defer restorer()
+
+	err := os.MkdirAll(dirs.SystemApparmorCacheDir, 0755)
+	c.Assert(err, IsNil)
+	// the canary file in the cache will be removed
+	canaryPath := filepath.Join(dirs.SystemApparmorCacheDir, "meep")
+	err = ioutil.WriteFile(canaryPath, nil, 0644)
+	c.Assert(err, IsNil)
+	// but non-regular entries in the cache dir are kept
+	dirsAreKept := filepath.Join(dirs.SystemApparmorCacheDir, "dir")
+	err = os.MkdirAll(dirsAreKept, 0755)
+	c.Assert(err, IsNil)
+	symlinksAreKept := filepath.Join(dirs.SystemApparmorCacheDir, "symlink")
+	err = os.Symlink("some-sylink-target", symlinksAreKept)
+	c.Assert(err, IsNil)
+
+	// install the new core snap on classic triggers a new snap-confine
+	// for this snap-confine on core
+	s.InstallSnap(c, interfaces.ConfinementOptions{}, coreYaml, 111)
+
+	l, err := filepath.Glob(filepath.Join(dirs.SystemApparmorCacheDir, "*"))
+	c.Assert(err, IsNil)
+	// canary is gone, extra stuff is kept
+	c.Check(l, DeepEquals, []string{dirsAreKept, symlinksAreKept})
+}