interfaces/many, cmd/snap-confine: miscellaneous policy updates #3634
jdstrand
added some commits
Jul 25, 2017
| + # snap-confine sets the directory up correctly, so simply silence the | ||
| + # denial since we don't want to grant the capability as a whole to | ||
| + # snap-confine. | ||
| + deny capability fsetid, |
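Review bot: `deny capability fsetid,` does more than quiet the log. An explicit deny takes precedence over any allow rule in the profile, and matches against it are not audited by default, so if snap-confine ever does need fsetid the failure will be silent. The comment should say so and name the trigger (the chmod() on the mimicked /var/lib directory in sc_quirk_create_writable_mimic()), so the rule gets revisited if that code changes.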
Note that finding what caused the denial was tricky because:
To determine the cause (and recording here for posterity), I:
Reading |
codecov-io
commented
Jul 28, 2017
Codecov Report
@@ Coverage Diff @@
## master #3634 +/- ##
==========================================
+ Coverage 75.19% 75.21% +0.02%
==========================================
Files 386 387 +1
Lines 33418 33453 +35
==========================================
+ Hits 25127 25161 +34
Misses 6480 6480
- Partials 1811 1812 +1
jdstrand
added some commits
Jul 31, 2017
chipaca
approved these changes
Aug 1, 2017
LGTM, and feel free to land as is despite my comments which are no more than nitpicking.
| @@ -175,7 +175,7 @@ | ||
| mount options=(rw bind) /tmp/snap.rootfs_*/var/lib/snapd/hostfs/ -> /tmp/snap.rootfs_*/var/lib/snapd/hostfs/, | ||
| mount options=(rw private) -> /tmp/snap.rootfs_*/var/lib/snapd/hostfs/, | ||
| pivot_root, | ||
| - # cleanup | ||
| + # cleanup |
| @@ -281,6 +281,14 @@ | ||
| mount options=(ro rbind) /snap/{,ubuntu-}core/*/var/lib/** -> /var/lib/**, | ||
| umount /var/lib/snapd/, | ||
| mount options=(move) /tmp/snapd.quirks_*/ -> /var/lib/snapd/, | ||
| + # On classic systems with a setuid root snap-confine when run by non-root |
jdstrand
Aug 1, 2017
Contributor
I like to group like rules together with different rule groups separated by spaces (I may not be 100% consistent with this, but it is what I like to do and did here). This rule is about silencing something related to quirks, so I put it there, without a space.
| @@ -36,6 +36,25 @@ const firewallControlConnectedPlugAppArmor = ` | ||
| #include <abstractions/nameservice> | ||
| +# systemd-resolved (not yet included in nameservice abstraction) |
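Review bot: the comment `# systemd-resolved (not yet included in nameservice abstraction)` marks these rules as a temporary duplicate but gives no condition for removing them. Add a short note on when the block can be dropped (once the nameservice abstraction on the supported series carries the rule), so this copy does not drift from the abstraction.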
jdstrand
Aug 1, 2017
Contributor
Upstream decided that while this is suited for the nameservice abstraction, they felt that since non-Ubuntu (and Ubuntu derivatives) don't have dbus mediation, they didn't want to have it in there yet. I did commit it to the Ubuntu archive, but it isn't available anywhere except 17.10. In cases like this I try to push the change upstream (eg, apparmor, Ubuntu, etc) and snapd, then at some future point (series 18?) we can evaluate if we can just use the abstraction.
Have two +1s and the zesty autopkgtest failure is unrelated. Committing.
jdstrand
merged commit 4b73774
into
snapcore:master
Aug 1, 2017
6 of 7 checks passed
@mvo5 - can you consider this PR for 2.27 inclusion?
Thanks for the reviews! :)
jdstrand commented Jul 28, 2017
jdstrand
Jul 31, 2017
The fsetid denial is caused because the newly created /var/lib mimicked directory is created with non-root group (since snap-confine is setuid, not setgid). The chmod() in sc_quirk_create_writable_mimic() causes the denial. The denial is harmless since the capability isn't needed to perform the chmod(), so silence the denial to avoid user confusion since we don't want snap-confine to have the extra permissions.