Merge pull request #6327 from kubiko/socket-validation-fix

wrappers: allow sockets under $XDG_RUNTIME_DIR
snapcore · Jun 24, 2019 · e8aef1c · e8aef1c
2 parents 8dfd358 + aaa19eb
commit e8aef1c
Show file tree

Hide file tree

Showing 6 changed files with 34 additions and 4 deletions.
diff --git a/data/selinux/snappy.te b/data/selinux/snappy.te
@@ -199,6 +199,10 @@ getattr_files_pattern(snappy_t, snappy_var_run_t, snappy_var_run_t)
 gen_require(` type user_tmp_t; ')
 allow snappy_t user_tmp_t:dir { read };
 
+# Allow snapd to clean up /run/user sockets
+userdom_manage_tmp_dirs(snappy_t)
+userdom_manage_tmp_sockets(snappy_t)
+
 gen_require(` type systemd_unit_file_t; ')
 allow snappy_t systemd_unit_file_t:dir { rmdir };
 

diff --git a/snap/validate.go b/snap/validate.go
@@ -200,9 +200,9 @@ func validateSocketAddrPath(socket *SocketInfo, fieldName string, path string) e
 		return fmt.Errorf("invalid %q: %q should be written as %q", fieldName, path, clean)
 	}
 
-	if !(strings.HasPrefix(path, "$SNAP_DATA/") || strings.HasPrefix(path, "$SNAP_COMMON/")) {
+	if !(strings.HasPrefix(path, "$SNAP_DATA/") || strings.HasPrefix(path, "$SNAP_COMMON/") || strings.HasPrefix(path, "$XDG_RUNTIME_DIR/")) {
 		return fmt.Errorf(
-			"invalid %q: must have a prefix of $SNAP_DATA or $SNAP_COMMON", fieldName)
+			"invalid %q: must have a prefix of $SNAP_DATA, $SNAP_COMMON or $XDG_RUNTIME_DIR", fieldName)
 	}
 
 	return nil

diff --git a/snap/validate_test.go b/snap/validate_test.go
@@ -218,6 +218,7 @@ func (s *ValidateSuite) TestValidateAppSocketsValidListenStreamAddresses(c *C) {
 		// socket paths using variables as prefix
 		"$SNAP_DATA/my.socket",
 		"$SNAP_COMMON/my.socket",
+		"$XDG_RUNTIME_DIR/my.socket",
 		// abstract sockets
 		"@snap.mysnap.my.socket",
 		// addresses and ports
@@ -273,7 +274,7 @@ func (s *ValidateSuite) TestValidateAppSocketsInvalidListenStreamPathPrefix(c *C
 		err := ValidateApp(app)
 		c.Assert(
 			err, ErrorMatches,
-			`invalid definition of socket "sock": invalid "listen-stream": must have a prefix of \$SNAP_DATA or \$SNAP_COMMON`)
+			`invalid definition of socket "sock": invalid "listen-stream": must have a prefix of \$SNAP_DATA, \$SNAP_COMMON or \$XDG_RUNTIME_DIR`)
 	}
 }
 

diff --git a/tests/lib/snaps/socket-activation/meta/snap.yaml b/tests/lib/snaps/socket-activation/meta/snap.yaml
@@ -12,3 +12,9 @@ apps:
       sock-other:
         listen-stream: $SNAP_COMMON/other/socket-other
         socket-mode: 0640
+      sock-data:
+        listen-stream: $SNAP_DATA/socket-data
+        socket-mode: 0640
+      sock-xdg:
+        listen-stream: $XDG_RUNTIME_DIR/socket-xdg
+        socket-mode: 0640
diff --git a/wrappers/services.go b/wrappers/services.go
@@ -32,6 +32,7 @@ import (
 	"github.com/snapcore/snapd/dirs"
 	"github.com/snapcore/snapd/logger"
 	"github.com/snapcore/snapd/osutil"
+	"github.com/snapcore/snapd/osutil/sys"
 	"github.com/snapcore/snapd/snap"
 	"github.com/snapcore/snapd/systemd"
 	"github.com/snapcore/snapd/timeout"
@@ -600,6 +601,11 @@ func generateSnapSocketFiles(app *snap.AppInfo) (*map[string][]byte, error) {
 func renderListenStream(socket *snap.SocketInfo) string {
 	snap := socket.App.Snap
 	listenStream := strings.Replace(socket.ListenStream, "$SNAP_DATA", snap.DataDir(), -1)
+	// TODO: when we support User/Group in the generated systemd unit,
+	// adjust this accordingly
+	serviceUserUid := sys.UserID(0)
+	runtimeDir := snap.UserXdgRuntimeDir(serviceUserUid)
+	listenStream = strings.Replace(listenStream, "$XDG_RUNTIME_DIR", runtimeDir, -1)
 	return strings.Replace(listenStream, "$SNAP_COMMON", snap.CommonDataDir(), -1)
 }
 

diff --git a/wrappers/services_test.go b/wrappers/services_test.go
@@ -245,7 +245,7 @@ func (s *servicesTestSuite) TestNoStartDisabledServices(c *C) {
 	if [ "$1" = "--root" ]; then
 	    shift 2
 	fi
-	
+
 	case "$1" in
 	    is-enabled)
 	        if [ "$2" = "snap.hello-snap.svc1.service" ]; then
@@ -421,10 +421,14 @@ func (s *servicesTestSuite) TestAddSnapSocketFiles(c *C) {
       socket-mode: 0666
     sock2:
       listen-stream: $SNAP_DATA/sock2.socket
+    sock3:
+      listen-stream: $XDG_RUNTIME_DIR/sock3.socket
+
 `, &snap.SideInfo{Revision: snap.R(12)})
 
 	sock1File := filepath.Join(s.tempdir, "/etc/systemd/system/snap.hello-snap.svc1.sock1.socket")
 	sock2File := filepath.Join(s.tempdir, "/etc/systemd/system/snap.hello-snap.svc1.sock2.socket")
+	sock3File := filepath.Join(s.tempdir, "/etc/systemd/system/snap.hello-snap.svc1.sock3.socket")
 
 	err := wrappers.AddSnapServices(info, nil)
 	c.Assert(err, IsNil)
@@ -447,6 +451,15 @@ ListenStream=%s
 
 `, filepath.Join(s.tempdir, "/var/snap/hello-snap/12/sock2.socket"))
 	c.Check(sock2File, testutil.FileContains, expected)
+
+	expected = fmt.Sprintf(
+		`[Socket]
+Service=snap.hello-snap.svc1.service
+FileDescriptorName=sock3
+ListenStream=%s
+
+`, filepath.Join(s.tempdir, "/run/user/0/snap.hello-snap/sock3.socket"))
+	c.Check(sock3File, testutil.FileContains, expected)
 }
 
 func (s *servicesTestSuite) TestStartSnapMultiServicesFailStartCleanup(c *C) {