Merge remote-tracking branch 'upstream/master' into HEAD

HACKING.md

@@ -57,7 +57,7 @@ dependent packages will also be available inside `$GOPATH`.
 
 ### Dependencies handling
 
-Dependencies are handled via `govendor`. Get it via:
+Go dependencies are handled via `govendor`. Get it via:
 
     go get -u github.com/kardianos/govendor
 
@@ -75,6 +75,12 @@ If a dependency need updating
 
     govendor fetch github.com/path/of/dependency
 
+Other dependencies are handled via distribution packages and you should ensure
+that dependencies for your distribution are installed. For example, on Ubuntu,
+run:
+
+    sudo apt-get build-dep ./
+
 ### Building
 
 To build, once the sources are available and `GOPATH` is set, you can just run

daemon/api_test.go

@@ -1085,7 +1085,7 @@ func (s *apiSuite) TestLogoutUser(c *check.C) {
 	state.Lock()
 	_, err = auth.User(state, user.ID)
 	state.Unlock()
-	c.Check(err, check.ErrorMatches, "invalid user")
+	c.Check(err, check.Equals, auth.ErrInvalidUser)
 }
 
 func (s *apiSuite) TestLoginUserBadRequest(c *check.C) {

interfaces/builtin/dbus.go

@@ -28,6 +28,7 @@ import (
 	"github.com/snapcore/snapd/interfaces"
 	"github.com/snapcore/snapd/interfaces/apparmor"
 	"github.com/snapcore/snapd/interfaces/dbus"
+	"github.com/snapcore/snapd/interfaces/seccomp"
 	"github.com/snapcore/snapd/release"
 	"github.com/snapcore/snapd/snap"
 )
@@ -137,6 +138,13 @@ const dbusPermanentSlotDBus = `
 </policy>
 `
 
+const dbusPermanentSlotSecComp = `
+# Description: Allow owning a name and listening on DBus public bus
+listen
+accept
+accept4
+`
+
 const dbusConnectedSlotAppArmor = `
 # allow snaps to introspect us. This allows clients to introspect all
 # DBus interfaces of this service (but not use them).
@@ -374,6 +382,11 @@ func (iface *dbusInterface) AppArmorPermanentSlot(spec *apparmor.Specification,
 	return nil
 }
 
+func (iface *dbusInterface) SecCompPermanentSlot(spec *seccomp.Specification, slot *snap.SlotInfo) error {
+	spec.AddSnippet(dbusPermanentSlotSecComp)
+	return nil
+}
+
 func (iface *dbusInterface) AppArmorConnectedSlot(spec *apparmor.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error {
 	bus, name, err := iface.getAttribs(slot)
 	if err != nil {

interfaces/builtin/dbus_test.go

@@ -26,6 +26,7 @@ import (
 	"github.com/snapcore/snapd/interfaces/apparmor"
 	"github.com/snapcore/snapd/interfaces/builtin"
 	"github.com/snapcore/snapd/interfaces/dbus"
+	"github.com/snapcore/snapd/interfaces/seccomp"
 	"github.com/snapcore/snapd/release"
 	"github.com/snapcore/snapd/snap"
 	"github.com/snapcore/snapd/snap/snaptest"
@@ -384,6 +385,24 @@ func (s *DbusInterfaceSuite) TestPermanentSlotDBusSystem(c *C) {
 	c.Check(snippet, testutil.Contains, "<policy context=\"default\">\n    <allow send_destination=\"org.test-system-slot\"/>")
 }
 
+func (s *DbusInterfaceSuite) TestPermanentSlotSecCompSystem(c *C) {
+	seccompSpec := &seccomp.Specification{}
+	err := seccompSpec.AddPermanentSlot(s.iface, s.systemSlotInfo)
+	c.Assert(err, IsNil)
+	c.Assert(seccompSpec.SecurityTags(), DeepEquals, []string{"snap.test-dbus.test-system-provider"})
+	snippet := seccompSpec.SnippetForTag("snap.test-dbus.test-system-provider")
+	c.Check(snippet, testutil.Contains, "listen\naccept\naccept4\n")
+}
+
+func (s *DbusInterfaceSuite) TestPermanentSlotSecCompSession(c *C) {
+	seccompSpec := &seccomp.Specification{}
+	err := seccompSpec.AddPermanentSlot(s.iface, s.sessionSlotInfo)
+	c.Assert(err, IsNil)
+	c.Assert(seccompSpec.SecurityTags(), DeepEquals, []string{"snap.test-dbus.test-session-provider"})
+	snippet := seccompSpec.SnippetForTag("snap.test-dbus.test-session-provider")
+	c.Check(snippet, testutil.Contains, "listen\naccept\naccept4\n")
+}
+
 func (s *DbusInterfaceSuite) TestConnectedSlotAppArmorSession(c *C) {
 	apparmorSpec := &apparmor.Specification{}
 	err := apparmorSpec.AddConnectedSlot(s.iface, s.connectedSessionPlug, s.connectedSessionSlot)

overlord/auth/auth.go

@@ -158,11 +158,16 @@ func NewUser(st *state.State, username, email, macaroon string, discharges []str
 	return &authenticatedUser, nil
 }
 
+var ErrInvalidUser = errors.New("invalid user")
+
 // RemoveUser removes a user from the state given its ID
 func RemoveUser(st *state.State, userID int) error {
 	var authStateData AuthState
 
 	err := st.Get("auth", &authStateData)
+	if err == state.ErrNoState {
+		return ErrInvalidUser
+	}
 	if err != nil {
 		return err
 	}
@@ -179,7 +184,7 @@ func RemoveUser(st *state.State, userID int) error {
 		}
 	}
 
-	return fmt.Errorf("invalid user")
+	return ErrInvalidUser
 }
 
 func Users(st *state.State) ([]*UserState, error) {
@@ -205,6 +210,9 @@ func User(st *state.State, id int) (*UserState, error) {
 	var authStateData AuthState
 
 	err := st.Get("auth", &authStateData)
+	if err == state.ErrNoState {
+		return nil, ErrInvalidUser
+	}
 	if err != nil {
 		return nil, err
 	}
@@ -214,14 +222,17 @@ func User(st *state.State, id int) (*UserState, error) {
 			return &user, nil
 		}
 	}
-	return nil, fmt.Errorf("invalid user")
+	return nil, ErrInvalidUser
 }
 
 // UpdateUser updates user in state
 func UpdateUser(st *state.State, user *UserState) error {
 	var authStateData AuthState
 
 	err := st.Get("auth", &authStateData)
+	if err == state.ErrNoState {
+		return ErrInvalidUser
+	}
 	if err != nil {
 		return err
 	}
@@ -234,7 +245,7 @@ func UpdateUser(st *state.State, user *UserState) error {
 		}
 	}
 
-	return fmt.Errorf("invalid user")
+	return ErrInvalidUser
 }
 
 // Device returns the device details from the state.

overlord/auth/auth_test.go

@@ -272,7 +272,7 @@ func (as *authSuite) TestUserForNoAuthInState(c *C) {
 	as.state.Lock()
 	userFromState, err := auth.User(as.state, 42)
 	as.state.Unlock()
-	c.Check(err, NotNil)
+	c.Check(err, Equals, auth.ErrInvalidUser)
 	c.Check(userFromState, IsNil)
 }
 
@@ -284,6 +284,7 @@ func (as *authSuite) TestUserForNonExistent(c *C) {
 
 	as.state.Lock()
 	userFromState, err := auth.User(as.state, 42)
+	c.Check(err, Equals, auth.ErrInvalidUser)
 	c.Check(err, ErrorMatches, "invalid user")
 	c.Check(userFromState, IsNil)
 }
@@ -335,7 +336,7 @@ func (as *authSuite) TestUpdateUserInvalid(c *C) {
 	as.state.Lock()
 	err := auth.UpdateUser(as.state, user)
 	as.state.Unlock()
-	c.Assert(err, ErrorMatches, "invalid user")
+	c.Assert(err, Equals, auth.ErrInvalidUser)
 }
 
 func (as *authSuite) TestRemove(c *C) {
@@ -357,12 +358,12 @@ func (as *authSuite) TestRemove(c *C) {
 	as.state.Lock()
 	_, err = auth.User(as.state, user.ID)
 	as.state.Unlock()
-	c.Check(err, ErrorMatches, "invalid user")
+	c.Check(err, Equals, auth.ErrInvalidUser)
 
 	as.state.Lock()
 	err = auth.RemoveUser(as.state, user.ID)
 	as.state.Unlock()
-	c.Assert(err, ErrorMatches, "invalid user")
+	c.Assert(err, Equals, auth.ErrInvalidUser)
 }
 
 func (as *authSuite) TestSetDevice(c *C) {
@@ -447,7 +448,7 @@ func (as *authSuite) TestAuthContextUpdateUserAuthInvalid(c *C) {
 
 	authContext := auth.NewAuthContext(as.state, nil)
 	_, err := authContext.UpdateUserAuth(user, nil)
-	c.Assert(err, ErrorMatches, "invalid user")
+	c.Assert(err, Equals, auth.ErrInvalidUser)
 }
 
 func (as *authSuite) TestAuthContextDeviceForNonExistent(c *C) {

overlord/snapstate/autorefresh.go

@@ -208,8 +208,7 @@ func (m *autoRefresh) launchAutoRefresh() error {
 		return nil
 	case 1:
 		msg = fmt.Sprintf(i18n.G("Auto-refresh snap %q"), updated[0])
-	case 2:
-	case 3:
+	case 2, 3:
 		quoted := strutil.Quoted(updated)
 		// TRANSLATORS: the %s is a comma-separated list of quoted snap names
 		msg = fmt.Sprintf(i18n.G("Auto-refresh snaps %s"), quoted)

packaging/arch/PKGBUILD

@@ -5,7 +5,7 @@
 
 pkgbase=snapd
 pkgname=snapd-git
-pkgver=2.29.4.1.r959.g0d9c50d2c
+pkgver=2.30
 pkgrel=1
 arch=('i686' 'x86_64')
 url="https://github.com/snapcore/snapd"