New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
cmd/snap-confine: lazy set up of device cgroup, only when devices were assigned #10968
cmd/snap-confine: lazy set up of device cgroup, only when devices were assigned #10968
Conversation
…e assigned Historically, a snap process ended up in a device cgroup (with device filtering) only when there were assigned devices for it. On systems where CURRENT_TAGS is supported and set by systemd/udev, snap-confine needs to do 2 passes on the list of assigned devices. It may happen, that despite snap tag being present in the TAGS list, it will not be present in the CURRENT_TAGS, in which case we may end up in a scenario when no devices are actually assigned to the snap. The current code would incorrectly handle such situation, and move the process into device cgroup. The branch introduces a lazy initialization of device cgroup and moves the process to the group (or sets up device filtering on v2) only when there were any assigned device. Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
Codecov Report
@@ Coverage Diff @@
## master #10968 +/- ##
==========================================
- Coverage 78.18% 78.17% -0.01%
==========================================
Files 910 910
Lines 102788 102788
==========================================
- Hits 80360 80358 -2
- Misses 17405 17406 +1
- Partials 5023 5024 +1
Flags with carried forward coverage won't be shown. Click here to find out more.
Continue to review full report at Codecov.
|
Now that device cgroup assignment when no devices match is done properly, i.e. we do not end up in a cgroup with just the common set of devices if none are assigned, the test needs to be updated as we correctly observe first the AppArmor denial, and then a device cgroup one. Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM with nitpicks :-)
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
…fine-cgroup-only-devices-were-assigned
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good, thanks for catching!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM!
some unrelated test failers, @mvo5 can you land this branch? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
post merge lgtm, thanks for this
Also I think we should cherry-pick this onto 2.53 for 2.53.1 |
or sorry for 2.53.2 |
Historically, a snap process ended up in a device cgroup (with device filtering)
only when there were assigned devices for it. On systems where CURRENT_TAGS is
supported and set by systemd/udev, snap-confine needs to do 2 passes on the list
of assigned devices. It may happen, that despite snap tag being present in the
TAGS list, it will not be present in the CURRENT_TAGS, in which case we may end
up in a scenario when no devices are actually assigned to the snap. The current
code would incorrectly handle such situation, and move the process into device
cgroup.
The branch introduces a lazy initialization of device cgroup and moves the
process to the group (or sets up device filtering on v2) only when there were
any assigned device.