dirs,interfaces: create snap-confine.d on demand when re-executing #3955

Merged
merged 2 commits into from Sep 22, 2017
+13 −0
@@ -42,6 +42,7 @@ var (
SnapAppArmorDir string
AppArmorCacheDir string
SnapAppArmorAdditionalDir string
+ SnapAppArmorConfineDir string
SnapSeccompDir string
SnapMountPolicyDir string
SnapUdevRulesDir string
@@ -176,6 +177,7 @@ func SetRootDir(rootdir string) {
SnapAppArmorDir = filepath.Join(rootdir, snappyDir, "apparmor", "profiles")
AppArmorCacheDir = filepath.Join(rootdir, "/var/cache/apparmor")
SnapAppArmorAdditionalDir = filepath.Join(rootdir, snappyDir, "apparmor", "additional")
+ SnapAppArmorConfineDir = filepath.Join(rootdir, snappyDir, "apparmor", "snap-confine.d")
SnapSeccompDir = filepath.Join(rootdir, snappyDir, "seccomp", "bpf")
SnapMountPolicyDir = filepath.Join(rootdir, snappyDir, "mount")
SnapMetaDir = filepath.Join(rootdir, snappyDir, "meta")
@@ -118,6 +118,13 @@ func setupSnapConfineReexec(snapInfo *snap.Info) error {
return err
}
+ // create for policy extensions for snap-confine. This is required for the
+ // profiles to compile but distribution package may not yet contain this
+ // directory.
+ if err := os.MkdirAll(dirs.SnapAppArmorConfineDir, 0755); err != nil {
+ return err
+ }
+
// not using apparmor.LoadProfile() because it uses a different cachedir
if output, err := exec.Command("apparmor_parser", "--replace", "--write-cache", apparmorProfilePath, "--cache-loc", dirs.SystemApparmorCacheDir).CombinedOutput(); err != nil {
return fmt.Errorf("cannot replace snap-confine apparmor profile: %v", osutil.OutputErr(output, err))
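Review bot: The error from the new `os.MkdirAll` call is returned bare, so a failure gives no hint that it came from the snap-confine re-exec setup, unlike the wrapped `apparmor_parser` error just below it; `return fmt.Errorf("cannot create snap-confine policy extension directory: %v", err)` would match that style. `MkdirAll` also returns nil without touching mode or ownership when the directory already exists, and the 0755 is filtered through the process umask. Since the comment says the profile needs this directory to compile, its contents presumably feed the snap-confine AppArmor policy, so it may be worth checking that a pre-existing directory is not group- or world-writable before running `apparmor_parser`. The comment's first sentence would read better as `// Create the directory for snap-confine policy extensions.`; setupSnapConfineReexec begins and ends outside this hunk.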
@@ -491,4 +491,8 @@ func (s *backendSuite) TestSetupHostSnapConfineApparmorForReexecWritesNew(c *C)
{"apparmor_parser", "--replace", "--write-cache", newAA[0], "--cache-loc", dirs.SystemApparmorCacheDir},
})
+ // snap-confine.d was created
+ _, err = os.Stat(dirs.SnapAppArmorConfineDir)
+ c.Check(err, IsNil)
+
}
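Review bot: The added assertion only proves that something exists at `dirs.SnapAppArmorConfineDir`, so it would still pass if a regular file were created at that path. Keeping the stat result and checking its type pins the behaviour the comment describes: `fi, err := os.Stat(dirs.SnapAppArmorConfineDir)`, then `c.Assert(err, IsNil)` and `c.Check(fi.IsDir(), Equals, true)`. The blank line left before the closing brace can be dropped. The test body starts outside the hunk.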