tests: add test to run snap inside lxd as a user #4230

Closed
wants to merge 47 commits into from

Commits on Nov 16, 2017

  1. 1ab5b67

Commits on Nov 17, 2017

  1. cmd,packaging: make snap-confine setgid root

    This patch makes snap-confine also setgid root (after being setuid-root
    since forever). This is required to manipulate cgroups inside LXD
    containers.
    
    To limit the scope of the change, snap-confine hides the setgid aspect
    for most of the code and only restores it for the cgroup manipulation.
    
    Forum: https://forum.snapcraft.io/t/snapcraft-adt-failures-with-the-new-core-release/2850
    Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
    zyga committed Nov 17, 2017
    7722c04
  2. cmd/snap-update-ns: address review feedback

    Thanks to jdstrand for the quick patch.
    
    Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
    zyga committed Nov 17, 2017
    c382f9a
  3. cmd/snap-update-ns: check real_gid too, thanks jdstrand

    Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
    zyga committed Nov 17, 2017
    0edd01c
  4. cmd/snap-update-ns: add secureMkfileAll

    This patch adds a function similar to secureMkdirAll that, instead of
    creating a number of directories, creates a number of directories
    and a final leaf file.
    
    The purpose of this function is to create empty files as bind mount
    targets for files present in a read-only location that needs to become
    writable.
    
    Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
    zyga authored and mvo5 committed Nov 17, 2017
    ead87d6
  5. interfaces/builtin/account_control: drop group filter from seccomp rules

    The /etc/shadow file is owned by user root across all supported distributions.
    However, the group owning that file is either 'shadow' or 'root' (Arch). Drop
    the group filter to avoid the need for detecting the right group at runtime.
    
    Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
    bboozzoo authored and mvo5 committed Nov 17, 2017
    0c7027f
  6. interfaces/builtin/account_control: add catchall group rule in fchown* seccomp rule

    Make sure there is a rule to ignore group ID.
    
    Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
    bboozzoo authored and mvo5 committed Nov 17, 2017
    b8fd197
  7. interfaces/account_control: use /etc/shadow to obtain group information for seccomp rules
    
    Some distributions may not use the 'shadow' group. In such case, seccomp rules
    will be incorrect, thus account-control interface may not work as expected.
    Instead of assuming a particular group, obtain this information by directly
    finding the owning group of /etc/shadow.
    
    Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
    bboozzoo authored and mvo5 committed Nov 17, 2017
    bd5da06
  8. interfaces/account_control: update seccomp rule comments on chown

    Be more specific about required chown() call on /etc/shadow.
    
    Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
    bboozzoo authored and mvo5 committed Nov 17, 2017
    28150e1
  9. interfaces/builtin/account_control: use base 10 when formatting group ID

    Use proper base when formatting group ID for seccomp template
    
    Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
    bboozzoo authored and mvo5 committed Nov 17, 2017
    8fdffab
  10. interfaces/builtin/account_control: simplify code in SecCompConnectedPlug()
    
    Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
    bboozzoo authored and mvo5 committed Nov 17, 2017
    074af4c
  11. interfaces/account_control: cache seccomp snippet on first successful run
    
    In order to avoid stat()ing /etc/shadow too frequently, cache the snippet on
    first successful run.
    
    Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
    bboozzoo authored and mvo5 committed Nov 17, 2017
    285db54
  12. interfaces/builtin/account_control: leave a note that the seccomp snippet is cached
    
    Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
    bboozzoo authored and mvo5 committed Nov 17, 2017
    fcae222
  13. interfaces/builtin/account_control: reformat registerIface() call

    Reformat the call to registerIface() in hope for smaller deltas when applying
    auto-refactoring in the future.
    
    Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
    bboozzoo authored and mvo5 committed Nov 17, 2017
    1aba545
  14. Fix path in snap install

    asalminen authored and mvo5 committed Nov 17, 2017
    7946031
  15. cmd/snap-update-ns: detect read only filesystems in SecureMkfileAll

    Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
    zyga authored and mvo5 committed Nov 17, 2017
    7925f2d
  16. cmd/snap-update-ns: tweak comment

    Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
    zyga authored and mvo5 committed Nov 17, 2017
    578fd3a
  17. cmd/snap-update-ns: add smoke test for behavior of filepath.Clean

    Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
    zyga authored and mvo5 committed Nov 17, 2017
    f45b4b1
  18. cmd/snap-update-ns: tweak comment

    Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
    zyga authored and mvo5 committed Nov 17, 2017
    633233a
  19. cmd/snap-update-ns: fix typo

    Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
    zyga authored and mvo5 committed Nov 17, 2017
    576faba
  20. cmd/snap-update-ns: document secureMkFile

    Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
    zyga authored and mvo5 committed Nov 17, 2017
    1930a82
  21. cmd/snap-update-ns: add splitIntoSegments

    This patch adds a small helper that is used by SecureMk{File,Dir}All to
    ensure there's consistent behavior on unclean paths.
    
    Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
    zyga authored and mvo5 committed Nov 17, 2017
    6e264c2
  22. snap/validate: extend socket validation tests

    Signed-off-by: Alberto Donato <alberto.donato@gmail.com>
    albertodonato authored and mvo5 committed Nov 17, 2017
    5735b9d
  23. snap/validate: add SocketMode validation and test

    Signed-off-by: Alberto Donato <alberto.donato@gmail.com>
    albertodonato authored and mvo5 committed Nov 17, 2017
    56f6e60
  24. snap: add test for invalid socket-mode in YAML

    Signed-off-by: Alberto Donato <alberto.donato@gmail.com>
    albertodonato authored and mvo5 committed Nov 17, 2017
    0b8a9cd
  25. tests: add new fakestore new-snap-{declaration,revision} helpers

    This allows creating snap-{declaration,revision} assertions signed
    with the TestStore keys. This allows us to put arbitrary snaps
    into the fakestore for testing.
    mvo5 committed Nov 17, 2017
    fb720e5
  26. cmd/snap-update-ns: tweak changePerform

    As suggested by Chipaca
    
    Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
    zyga authored and mvo5 committed Nov 17, 2017
    d9d8e38
  27. interfaces,tests: skip unknown plug/slot interfaces

    This patch changes the Repository.AddSnap method to skip unknown
    interfaces when adding constituent plugs and slots. This regression
    happened because the repository no longer validates the snap, assuming
    the loader did. The loader did notice but did not remove the offending
    interfaces.
    
    As it is unclear what should happen, this patch implements a minimal
    solution to prevent snapd from crashing on nil interface.
    
    Fixes: https://bugs.launchpad.net/snappy/+bug/1732555
    Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
    zyga authored and mvo5 committed Nov 17, 2017
    554c8a9
  28. interfaces: add "refresh-schedule" attribute to snapd-control

    Add a "refresh-schedule" attribute to the snapd-control interface
    that can be set to "managed".
    mvo5 committed Nov 17, 2017
    a733fbc
  29. 5999c8d
  30. snap/validate: add port range validation

    Signed-off-by: Alberto Donato <alberto.donato@gmail.com>
    albertodonato authored and mvo5 committed Nov 17, 2017
    f0cbb21
  31. store: add support for flags in ListRefresh()

    For the upcoming snapd control managed code we will need a way
    to tell the store that we want the refresh information but that
    the actual refresh policy is managed. In preparation for this
    add a new "RefreshFlags" to allow expressing this.
    
    Initially we support one flag:
    - RefreshManaged which indicates that refreshes are managed by
      a snap via the snapd-control interface
    mvo5 committed Nov 17, 2017
    afe7e98
  32. review comments

    Signed-off-by: Alberto Donato <alberto.donato@gmail.com>
    albertodonato authored and mvo5 committed Nov 17, 2017
    ff596dd
  33. address review feedback

    mvo5 committed Nov 17, 2017
    612b096
  34. 0b20676
  35. Addressed review feedback

    stolowski authored and mvo5 committed Nov 17, 2017
    e04d846
  36. snap: use field names when initializing composite literals

    This makes go vet happy again.
    
    Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
    bboozzoo authored and mvo5 committed Nov 17, 2017
    8a87db7
  37. snap: use proper helper for constructing revision in validation tests

    Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
    bboozzoo authored and mvo5 committed Nov 17, 2017
    409aa13
  38. debian: add missing udev dependency

    We run udevadm in our udev backend. So we need to ensure we have
    a dependency on this binary via the "udev" package.
    mvo5 committed Nov 17, 2017
    c2578ab
  39. fcf4bfc
  40. address review feedback

    mvo5 committed Nov 17, 2017
    5e9e0cb
  41. 61d7acf
  42. cmd/snap-update-ns: re-enable commented-out test

    Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
    zyga authored and mvo5 committed Nov 17, 2017
    fa59284
  43. less disruptive adaption

    pedronis authored and mvo5 committed Nov 17, 2017
    2497562
  44. cmd/snap-update-ns: switch to O_RDONLY

    We just need to create a file, not write to it, so it's sufficient to
    O_RDONLY the open call. Thanks to jdstrand for explanation!
    
    Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
    zyga authored and mvo5 committed Nov 17, 2017
    be02838
  45. c149809
  46. 1e14158