data: Add systemd-tmpfiles configuration to create private tmp dir

Use systemd-tmpfiles to create the private tmp mount namespace root dir (/tmp/snap-private-tmp) on boot as owned by root with restrictive permissions. We can use this as a known location to then create per-snap private tmp mount namespace dirs (/tmp/snap-private-tmp/snap.$SNAP_INSTANCE) etc. Signed-off-by: Alex Murray <alex.murray@canonical.com>
canonical · Nov 21, 2022 · 6226cdc · 6226cdc
1 parent 84b525e
commit 6226cdc
Show file tree

Hide file tree

Showing 5 changed files with 39 additions and 0 deletions.
diff --git a/data/Makefile b/data/Makefile
@@ -2,6 +2,7 @@ all install clean:
 	$(MAKE) -C systemd $@
 	$(MAKE) -C systemd-user $@
 	$(MAKE) -C systemd-env $@
+	$(MAKE) -C systemd-tmpfiles $@
 	$(MAKE) -C dbus $@
 	$(MAKE) -C env $@
 	$(MAKE) -C desktop $@
diff --git a/data/systemd-tmpfiles/Makefile b/data/systemd-tmpfiles/Makefile
@@ -0,0 +1,31 @@
+#
+# Copyright (C) 2022 Canonical Ltd
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 3 as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+LIBEXECDIR := /usr/lib
+TMPFILESDIR := $(LIBEXECDIR)/tmpfiles.d
+
+TMPFILES_CONF = $(wildcard *.conf)
+
+.PHONY: all
+all: $(TMPFILES_CONF)
+
+.PHONY: install
+install: $(TMPFILES_CONF)
+	install -d -m 0755 $(DESTDIR)/$(TMPFILESDIR)
+	install -m 0644 -t $(DESTDIR)/$(TMPFILESDIR) $^
+
+.PHONY: clean
+clean:
+	echo "Nothing to see here."
diff --git a/data/systemd-tmpfiles/snapd.conf b/data/systemd-tmpfiles/snapd.conf
@@ -0,0 +1 @@
+D! /tmp/snap-private-tmp 0700 root root -
diff --git a/packaging/fedora/snapd.spec b/packaging/fedora/snapd.spec
@@ -92,6 +92,7 @@
 %{!?_environmentdir: %global _environmentdir %{_prefix}/lib/environment.d}
 %{!?_systemdgeneratordir: %global _systemdgeneratordir %{_prefix}/lib/systemd/system-generators}
 %{!?_systemd_system_env_generator_dir: %global _systemd_system_env_generator_dir %{_prefix}/lib/systemd/system-environment-generators}
+%{!?_tmpfilesdir: %global _tmpfilesdir %{_prefix}/lib/tmpfiles.d}
 
 # Fedora selinux-policy includes 'map' permission on a 'file' class. However,
 # Amazon Linux 2 does not have the updated policy containing the fix for
@@ -619,6 +620,7 @@ install -d -p %{buildroot}%{_mandir}/man8
 install -d -p %{buildroot}%{_environmentdir}
 install -d -p %{buildroot}%{_systemdgeneratordir}
 install -d -p %{buildroot}%{_systemd_system_env_generator_dir}
+install -d -p %{buildroot}%{_tmpfilesdir}
 install -d -p %{buildroot}%{_unitdir}
 install -d -p %{buildroot}%{_userunitdir}
 install -d -p %{buildroot}%{_sysconfdir}/profile.d
@@ -824,6 +826,7 @@ popd
 %{_sysconfdir}/profile.d/snapd.sh
 %{_mandir}/man8/snapd-env-generator.8*
 %{_systemd_system_env_generator_dir}/snapd-env-generator
+%{_tmpfilesdir}/snapd.conf
 %{_unitdir}/snapd.socket
 %{_unitdir}/snapd.service
 %{_unitdir}/snapd.autoimport.service

diff --git a/packaging/opensuse/snapd.spec b/packaging/opensuse/snapd.spec
@@ -47,6 +47,7 @@
 %{?!_systemdusergeneratordir: %global _systemdusergeneratordir %{_prefix}/lib/systemd/user-generators}
 %{?!_systemd_system_env_generator_dir: %global _systemd_system_env_generator_dir %{_prefix}/lib/systemd/system-environment-generators}
 %{?!_systemd_user_env_generator_dir: %global _systemd_user_env_generator_dir %{_prefix}/lib/systemd/user-environment-generators}
+%{!?_tmpfilesdir: %global _tmpfilesdir %{_prefix}/lib/tmpfiles.d}
 
 # This is fixed in SUSE Linux 15
 # Cf. https://build.opensuse.org/package/rdiff/Base:System/rpm?linkrev=base&rev=396
@@ -416,6 +417,7 @@ fi
 %dir %{_sharedstatedir}/snapd/sequence
 %dir %{_sharedstatedir}/snapd/snaps
 %dir %{_systemd_system_env_generator_dir}
+%dir %{_tmpfilesdir}
 %dir %{_systemdgeneratordir}
 %dir %{_userunitdir}
 %dir %{snap_mount_dir}
@@ -474,6 +476,7 @@ fi
 %{_sysconfdir}/xdg/autostart/snap-userd-autostart.desktop
 %{_systemd_system_env_generator_dir}/snapd-env-generator
 %{_systemdgeneratordir}/snapd-generator
+%{_tmpfilesdir}/snapd.conf
 %{_unitdir}/snapd.failure.service
 %{_unitdir}/snapd.seeded.service
 %{_unitdir}/snapd.service