New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
overlord/ifacestate: setup security of snaps affected by auto-connection #2652
Conversation
This patch prevents auto-connect from clobbering the connState.Auto flag when considering auto-connection candidates. Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
This patch fixes a bug where snaps that were auto-connected did not have their security setup done. The only reason that this went unnoticed for so long is that the main snap (the one that triggered the operation) was handled separately and that most slots don't need a security setup for an active connection. Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
@@ -102,7 +102,7 @@ func (m *InterfaceManager) setupProfilesForSnap(task *state.Task, _ *tomb.Tomb, | |||
// - restore connections based on what is kept in the state | |||
// - if a connection cannot be restored then remove it from the state | |||
// - setup the security of all the affected snaps | |||
affectedSnaps, err := m.repo.DisconnectSnap(snapName) | |||
disconnectAffected, err := m.repo.DisconnectSnap(snapName) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Before I could tell this was a list of snaps that were touched. Now it can be pretty much anything.
How about disconnectedSnaps
and connectedSnaps
below?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ah, nicer names, thank you.
@@ -200,19 +200,20 @@ func (c *autoConnectChecker) check(plug *interfaces.Plug, slot *interfaces.Slot) | |||
return ic.CheckAutoConnect() == nil | |||
} | |||
|
|||
func (m *InterfaceManager) autoConnect(task *state.Task, snapName string, blacklist map[string]bool) error { | |||
func (m *InterfaceManager) autoConnect(task *state.Task, snapName string, blacklist map[string]bool) ([]string, error) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We need a comment for the function, as that first result is impossible to guess.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agreed, I'm sorry for not documenting it earlier.
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
This branch corrects a bug where auto-connection would not trigger setup of security for snaps that are on the "far side" of the connection. This was mostly unnoticed because typically those would include the core snap and its various slots that don't have any connection side-effects for the core itself.
Thanks to @albaguirre for highlighting the problem and working on the solution.