systemd: add snapd.core-fixup.service unit #3557

Merged
merged 2 commits into from Jul 5, 2017
+62 −0
@@ -34,6 +34,7 @@ all: ${SYSTEMD_UNITS}
install: $(SYSTEMD_UNITS)
install -D -m 0644 -t ${DESTDIR}/${SYSTEMDSYSTEMUNITDIR} $^
+ install -D -m 0755 -t ${DESTDIR}/${LIBEXECDIR}/snapd snapd.core-fixup.sh
clean:
rm -f ${SYSTEMD_UNITS_GENERATED}
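Review bot: The added install line copies snapd.core-fixup.sh, but the script is not a prerequisite of the `install` target, so make's dependency graph does not know the install depends on it. I would add it to the header and stop the first line from picking it up through `$^`: `install: $(SYSTEMD_UNITS) snapd.core-fixup.sh` and `install -D -m 0644 -t ${DESTDIR}/${SYSTEMDSYSTEMUNITDIR} $(SYSTEMD_UNITS)`, keeping the 0755 line for the script as added. Whether `install` is declared `.PHONY` is outside this hunk. The mix of `${VAR}` and `$(VAR)` spellings on the new line matches the surrounding lines, so that is only a style nit.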
@@ -0,0 +1,15 @@
+[Unit]
+Description=Automatically repair incorrect owner/permissions on core devices
+Before=snapd.service
+ConditionPathExists=/writable/system-data
+ConditionPathExists=!/var/lib/snapd/device/ownership-change.after
+Documentation=man:snap(1)
+
+[Service]
+Type=oneshot
+ExecStart=@libexecdir@/snapd/snapd.core-fixup.sh
+RemainAfterExit=true

stolowski Jul 5, 2017


I've read the doc on this flag but it's not clear to me why we don't want the default here ("false")?


mvo5 Jul 5, 2017


This is mostly so that it's easy to see the output of the command via systemctl status snapd.core-fixup.service.

+
+[Install]
+WantedBy=multi-user.target
+
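Review bot: The second ConditionPathExists names the script's stamp file without saying so, so a reader of the unit alone cannot tell why the service stops running after the first boot. A comment above it, `# stamp written by snapd.core-fixup.sh after a completed run; once present the unit is skipped`, would record the contract between the unit and the script. As far as the script hunk shows, the early exit for non-core systems and any failure before the final mv leave the stamp absent, so on such hosts the unit keeps re-running every boot where /writable/system-data exists — worth stating in the same comment if that is intended.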
@@ -0,0 +1,40 @@
+#!/bin/sh
+
+set -e
+
+if ! grep -q "ID=ubuntu-core" /etc/os-release; then
+ # this code is only relevant on ubuntu-core devices
+ #
+ # this script will only run via systemd if /writable/system-data
+ # exists however we still add this check here in case people run
+ # it manually
+ exit 0
+fi
+
+# store important data in case we need it later
+if [ ! -f /var/lib/snapd/device/ownership-change.before ]; then
+ mkdir -p /var/lib/snapd/device
+ find /etc/cloud /var/lib/cloud /var/lib/snapd -printf '%M %U %G %p\n' > /var/lib/snapd/device/ownership-change.before.tmp || true
+ find /writable/system-data /writable/system-data/var /writable/system-data/var/lib /writable/system-data/boot /writable/system-data/etc -maxdepth 0 -printf '%M %U %G %p\n' >> /var/lib/snapd/device/ownership-change.before.tmp || true
+ mv /var/lib/snapd/device/ownership-change.before.tmp /var/lib/snapd/device/ownership-change.before
+fi
+
+# cleanup read/write files and directories (CVE-2017-10600)
+for i in /etc/cloud /var/lib/cloud /var/lib/snapd ; do
+ # restore ownership to root:root
+ find "$i" \( -type f -o -type d -o -type l \) -a \( \! -uid 0 -o \! -gid 0 \) -print0 | \
+ xargs -0 --no-run-if-empty chown -c --no-dereference root:root -- || true

zyga Jul 5, 2017


Thank you for the -- :-)

+done
+
+# cleanup a few /writable directories without descending
+for i in /writable/system-data /writable/system-data/var /writable/system-data/var/lib /writable/system-data/boot /writable/system-data/etc ; do
+ # restore ownership to root:root
+ find "$i" -maxdepth 0 \( \! -uid 0 -o \! -gid 0 -o -type l \) -print0 | \
+ xargs -0 --no-run-if-empty chown -c --no-dereference root:root -- || true
+done
+
+# store permissions after manipulation, this is also used as the stamp file
+# for the systemd service to ensure it is only run once
+find /etc/cloud /var/lib/cloud /var/lib/snapd -printf '%M %U %G %p\n' > /var/lib/snapd/device/ownership-change.after.tmp
+find /writable/system-data /writable/system-data/var /writable/system-data/var/lib /writable/system-data/boot /writable/system-data/etc -maxdepth 0 -printf '%M %U %G %p\n' >> /var/lib/snapd/device/ownership-change.after.tmp
+mv /var/lib/snapd/device/ownership-change.after.tmp /var/lib/snapd/device/ownership-change.after

chipaca Jul 5, 2017


I'm going to be a terrible bore, but could we have a sync at the end of it all?


mvo5 Jul 5, 2017


I'll do a follow-up, I don't want to wait for the tests ;)


mvo5 Jul 5, 2017


But :+100:
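Review bot: The `|| true` on the two chown pipelines (after `xargs -0 --no-run-if-empty chown -c --no-dereference root:root --` in both loops) means a failed repair does not stop the script, yet the `.after` stamp is still written at the end; because the unit skips itself once that file exists, a partial repair is never retried on a later boot. With `/bin/sh` there is no pipefail, so a failing `find` in the same pipelines is equally silent. If best effort is the intent, a comment above the first loop saying so is enough; otherwise record the failure rather than discard it: set `failed=0` before the first loop, use `|| failed=1` in place of `|| true` on both pipelines, and put `[ "$failed" = 0 ] || exit 1` before the `.after.tmp` is written, so systemctl status shows the failure and the service runs again next boot.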

@@ -161,6 +161,9 @@ override_dh_systemd_enable:
dh_systemd_enable \
-psnapd \
data/systemd/snapd.system-shutdown.service
+ dh_systemd_enable \
+ -psnapd \
+ data/systemd/snapd.core-fixup.service
override_dh_systemd_start:
# we want to start the auto-update timer
@@ -183,6 +186,9 @@ override_dh_systemd_start:
dh_systemd_start \
-psnapd \
data/systemd/snapd.autoimport.service
+ dh_systemd_start \
+ -psnapd \
+ data/systemd/snapd.core-fixup.service
override_dh_install:
# we do not need this in the package, its just needed during build