tests: add test to run snap inside lxd as a user #4230

Closed
wants to merge 47 commits into from
1ab5b67
tests: add test to run snap inside lxd as a user
mvo5 Nov 16, 2017
7722c04
cmd,packaging: make snap-confine setgid root
zyga Nov 16, 2017
c382f9a
cmd/snap-update-ns: address review feedback
zyga Nov 17, 2017
0edd01c
cmd/snap-update-ns: check real_gid too, thanks jdstrand
zyga Nov 17, 2017
ead87d6
cmd/snap-update-ns: add secureMkfileAll
zyga Nov 8, 2017
0c7027f
interfaces/builtin/account_control: drop group filter from seccomp rules
bboozzoo Nov 9, 2017
b8fd197
interfaces/builtin/account_control: add catchall group rule in fchown…
bboozzoo Nov 9, 2017
bd5da06
interfaces/account_control: use /etc/shadow to obtain group informati…
bboozzoo Nov 3, 2017
28150e1
interfaces/account_control: update seccomp rule comments on chown
bboozzoo Nov 9, 2017
8fdffab
interfaces/builtin/account_control: use base 10 when formatting group ID
bboozzoo Nov 10, 2017
074af4c
interfaces/builtin/account_control: simplify code in SecCompConnected…
bboozzoo Nov 8, 2017
285db54
interfaces/account_control: cache seccomp snippet on first successful…
bboozzoo Nov 10, 2017
fcae222
interfaces/builtin/account_control: leave a note that the seccomp snip…
bboozzoo Nov 14, 2017
1aba545
interfaces/builtin/account_control: reformat registerIface() call
bboozzoo Nov 14, 2017
7946031
Fix path in snap install
asalminen Nov 14, 2017
7925f2d
cmd/snap-update-ns: detect read only filesystems in SecureMkfileAll
zyga Nov 15, 2017
578fd3a
cmd/snap-update-ns: tweak comment
zyga Nov 15, 2017
f45b4b1
cmd/snap-update-ns: add smoke test for behavior of filepath.Clean
zyga Nov 15, 2017
633233a
cmd/snap-update-ns: tweak comment
zyga Nov 15, 2017
576faba
cmd/snap-update-ns: fix typo
zyga Nov 15, 2017
1930a82
cmd/snap-update-ns: document secureMkFile
zyga Nov 15, 2017
6e264c2
cmd/snap-update-ns: add splitIntoSegments
zyga Nov 15, 2017
5735b9d
snap/validate: extend socket validation tests
albertodonato Nov 15, 2017
56f6e60
snap/validate: add SocketMode validation and test
albertodonato Nov 15, 2017
0b8a9cd
snap: add test for invalid socket-mode in YAML
albertodonato Nov 15, 2017
fb720e5
tests: add new `fakestore new-snap-{declaration,revision}` helpers
mvo5 Nov 15, 2017
d9d8e38
cmd/snap-update-ns: tweak changePerform
zyga Nov 15, 2017
554c8a9
interfaces,tests: skip unknown plug/slot interfaces
zyga Nov 15, 2017
a733fbc
interfaces: add "refresh-schedule" attribute to snapd-control
mvo5 Oct 30, 2017
5999c8d
remove commonInterface.SanitizePlug() again, YAGNI
mvo5 Nov 14, 2017
f0cbb21
snap/validate: add port range validation
albertodonato Nov 16, 2017
afe7e98
store: add support for flags in ListRefresh()
mvo5 Nov 14, 2017
ff596dd
review comments
albertodonato Nov 16, 2017
612b096
address review feedback
mvo5 Nov 16, 2017
0b20676
Remove invalid plugs/slots from SnapInfo on sanitization.
stolowski Nov 16, 2017
e04d846
Addressed review feedback
stolowski Nov 16, 2017
8a87db7
snap: use field names when initializing composite literals
bboozzoo Nov 16, 2017
409aa13
snap: use proper helper for constructing revision in validation tests
bboozzoo Nov 16, 2017
c2578ab
debian: add missing udev dependency
mvo5 Nov 16, 2017
fcf4bfc
use struct with bools instead of bitflags (thanks Chipaca)
mvo5 Nov 16, 2017
5e9e0cb
address review feedback
mvo5 Nov 16, 2017
61d7acf
fakestore: print assertion name in new-snap-{decl,rev}
mvo5 Nov 16, 2017
fa59284
cmd/snap-update-ns: re-enable commented-out test
zyga Nov 16, 2017
2497562
less disruptive adaption
pedronis Nov 16, 2017
be02838
cmd/snap-update-ns: switch to O_RDONLY
zyga Nov 16, 2017
c149809
disabling opensuse until timeout issue is fixed
sergiocazzolato Nov 17, 2017
1e14158
Merge remote-tracking branch 'upstream/master' into lxd-regression-test
mvo5 Nov 17, 2017
6 changes: 3 additions & 3 deletions cmd/Makefile.am
Expand Up @@ -52,7 +52,7 @@ fmt: $(foreach dir,$(subdirs),$(wildcard $(srcdir)/$(dir)/*.[ch]))
# installing a fresh copy of snap confine and the appropriate apparmor profile.
.PHONY: hack
hack: snap-confine/snap-confine snap-confine/snap-confine.apparmor snap-update-ns/snap-update-ns snap-seccomp/snap-seccomp
sudo install -D -m 4755 snap-confine/snap-confine $(DESTDIR)$(libexecdir)/snap-confine
sudo install -D -m 6755 snap-confine/snap-confine $(DESTDIR)$(libexecdir)/snap-confine
sudo install -m 644 snap-confine/snap-confine.apparmor $(DESTDIR)/etc/apparmor.d/$(patsubst .%,%,$(subst /,.,$(libexecdir))).snap-confine.real
sudo install -d -m 755 $(DESTDIR)/var/lib/snapd/apparmor/snap-confine/
sudo apparmor_parser -r snap-confine/snap-confine.apparmor
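Review bot: the hack target installs snap-confine with mode 6755 unconditionally, while the install hook further down only applies 6755 in the non-CAPS_OVER_SETUID branch. A developer running "make hack" on a caps build therefore tests a different privilege setup than the one "make install" produces. Suggest guarding the mode here with the same conditional, or stating in the comment above the target that hack always installs setuid and setgid root.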
Expand Down Expand Up @@ -321,8 +321,8 @@ if CAPS_OVER_SETUID
# Ensure that snap-confine has CAP_SYS_ADMIN capability
setcap cap_sys_admin=pe $(DESTDIR)$(libexecdir)/snap-confine
else
# Ensure that snap-confine is +s (setuid)
chmod 4755 $(DESTDIR)$(libexecdir)/snap-confine
# Ensure that snap-confine is u+s,g+s (setuid and setgid)
chmod 6755 $(DESTDIR)$(libexecdir)/snap-confine
endif

##
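Review bot: the CAPS_OVER_SETUID branch still grants only cap_sys_admin=pe and is left unchanged, so a caps build gets neither setgid root nor any replacement for it. The egid raise added in snap-confine.c is keyed on saved_gid == 0, which will not hold for that build, so the freezer cgroup chown under LXD stays unfixed there. Suggest either documenting in the comment that the LXD case is only handled in the setuid/setgid build, or adding whatever the caps build needs for the same chown.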
32 changes: 30 additions & 2 deletions cmd/snap-confine/snap-confine.c
Expand Up @@ -131,9 +131,23 @@ int main(int argc, char **argv)
debug("base snap: %s", base_snap_name);

// Who are we?
uid_t real_uid = getuid();
gid_t real_gid = getgid();
uid_t real_uid, effective_uid, saved_uid;
gid_t real_gid, effective_gid, saved_gid;
getresuid(&real_uid, &effective_uid, &saved_uid);
getresgid(&real_gid, &effective_gid, &saved_gid);
debug("ruid: %d, euid: %d, suid: %d",
real_uid, effective_uid, saved_uid);
debug("rgid: %d, egid: %d, sgid: %d",
real_gid, effective_gid, saved_gid);

// snap-confine runs as both setuid root and setgid root.
// Temporarily drop group privileges here and reraise later
// as needed.
if (effective_gid == 0 && real_gid != 0) {
if (setegid(real_gid) != 0) {
die("cannot set effective group id to %d", real_gid);
}
}
#ifndef CAPS_OVER_SETUID
// this code always needs to run as root for the cgroup/udev setup,
// however for the tests we allow it to run as non-root
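Review bot: the return values of getresuid() and getresgid() are ignored where the six id variables are filled in. If either call fails, the variables stay uninitialised and the setegid() decision just below (effective_gid == 0 && real_gid != 0) is made on indeterminate values. Suggest calling die() when either returns non-zero, matching how the setegid() failure is handled a few lines later. The two debug() calls also print uid_t and gid_t with %d; an explicit cast would keep the format portable.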
Expand Down Expand Up @@ -226,7 +240,21 @@ int main(int argc, char **argv)
// control group. This simplifies testing if any processes
// belonging to a given snap are still alive.
// See the documentation of the function for details.

if (getegid() != 0 && saved_gid == 0) {
// Temporarily raise egid so we can chown the freezer cgroup
// under LXD.
if (setegid(0) != 0) {
die("cannot set effective group id to root");
}
}
sc_cgroup_freezer_join(snap_name, getpid());
if (geteuid() == 0 && real_gid != 0) {
if (setegid(real_gid) != 0) {
die("cannot set effective group id to %d", real_gid);
}
}

sc_unlock(snap_name, snap_lock_fd);

// Reset path as we cannot rely on the path from the host OS to
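Review bot: the restore after sc_cgroup_freezer_join() tests geteuid() == 0 && real_gid != 0, which is not the inverse of the raise condition getegid() != 0 && saved_gid == 0 above it. When the raise did not happen (saved_gid != 0), the second block can still call setegid(real_gid) and overwrite an effective gid this code never changed. Suggest saving the effective gid before the raise, or a flag that the raise took place, and restoring only in that case and to the saved value.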
2 changes: 1 addition & 1 deletion packaging/fedora/snapd.spec
Expand Up @@ -622,7 +622,7 @@ popd
%dir %{_libexecdir}/snapd
# For now, we can't use caps
# FIXME: Switch to "%%attr(0755,root,root) %%caps(cap_sys_admin=pe)" asap!
%attr(4755,root,root) %{_libexecdir}/snapd/snap-confine
%attr(6755,root,root) %{_libexecdir}/snapd/snap-confine
%{_libexecdir}/snapd/snap-discard-ns
%{_libexecdir}/snapd/snap-seccomp
%{_libexecdir}/snapd/snap-update-ns
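Review bot: the FIXME directly above the %attr line still names "%%attr(0755,root,root) %%caps(cap_sys_admin=pe)" as the target state. With the mode now 6755 the binary also depends on setgid root, and switching to that FIXME form as written would silently drop it. Suggest updating the FIXME to say what has to replace the setgid bit when the package moves to capabilities.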
2 changes: 1 addition & 1 deletion packaging/opensuse-42.2/snapd.spec
Expand Up @@ -279,7 +279,7 @@ fi
%dir /var/lib/snapd/seccomp/bpf
%dir /var/lib/snapd/snaps
%dir /var/cache/snapd
%verify(not user group mode) %attr(04755,root,root) %{_libexecdir}/snapd/snap-confine
%verify(not user group mode) %attr(06755,root,root) %{_libexecdir}/snapd/snap-confine
%{_mandir}/man1/snap-confine.1.gz
%{_mandir}/man5/snap-discard-ns.5.gz
%{_udevrulesdir}/80-snappy-assign.rules
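Review bot: the snap-confine entry keeps %verify(not user group mode) while gaining the setgid bit, so package verification will not report a changed owner, group or mode on a binary that is now both setuid and setgid root. A short comment above the line explaining why those attributes are excluded from verification would help the next reviewer. The mode is also written 06755 here and 6755 in the Fedora spec; one spelling across both files would make the change easier to grep for.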
1 change: 1 addition & 0 deletions spread.yaml
Expand Up @@ -73,6 +73,7 @@ backends:
workers: 3
- opensuse-42.2-64:
workers: 2
manual: true
qemu:
systems:
- ubuntu-14.04-32:
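Review bot: "manual: true" is added to opensuse-42.2-64 with no comment in the file saying why or when it should be removed; the only explanation is the commit subject about a timeout issue. The same pull request changes packaging/opensuse-42.2/snapd.spec to 06755, so that packaging change is no longer exercised by the automatic runs. Suggest a comment on this line naming the timeout problem, and a manual openSUSE run before merge.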
5 changes: 4 additions & 1 deletion tests/main/lxd/task.yaml
Expand Up @@ -82,7 +82,10 @@ execute: |

echo "Ensure we can use snapd inside lxd"
lxd.lxc exec my-ubuntu snap install test-snapd-tools
lxd.lxc exec my-ubuntu test-snapd-tools.echo from-the-inside | MATCH from-the-inside
echo "And we can run snaps as regular users"
lxd.lxc exec my-ubuntu -- su -c "/snap/bin/test-snapd-tools.echo from-the-inside" ubuntu | MATCH from-the-inside
echo "And as root"
lxd.lxc exec my-ubuntu -- test-snapd-tools.echo from-the-inside | MATCH from-the-inside

echo "Install lxd-demo server to exercise the lxd interface"
snap install lxd-demo-server
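Review bot: the new "run snaps as regular users" step only matches the echoed string, so it proves the snap starts for the ubuntu user but not that snap-confine dropped the group privilege it now holds. A regression that leaves the effective gid at 0 would still pass. Suggest an additional check in the same step that the group id observed by the command run inside the snap is the ubuntu user's and not root's.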