snap-confine: fix snap-confine under lxd #4246

Merged
merged 5 commits into from Nov 17, 2017


mvo5 commented Nov 17, 2017

This reproduces the error reported in https://forum.snapcraft.io/t/snapcraft-adt-failures-with-the-new-core-release/2850/12 and includes a fix for it.

This also includes #4244 to unblock this from landing.

mvo5 and others added some commits Nov 16, 2017

cmd,packaging: make snap-confine setgid root

This patch makes snap-confine also setgid root (after being setuid-root
since forever). This is required to manipulate cgroups inside LXD
containers.

To limit the scope of the change, snap-confine hides the setgid aspect
for most of the code and only restores it for the cgroup manipulation.

Forum: https://forum.snapcraft.io/t/snapcraft-adt-failures-with-the-new-core-release/2850
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>

cmd/snap-update-ns: address review feedback

Thanks to jdstrand for the quick patch.

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>

cmd/snap-update-ns: check real_gid too, thanks jdstrand

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>

@mvo5 mvo5 added this to the 2.29 milestone Nov 17, 2017
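
The privilege bracketing that the first commit message describes (hide the setgid aspect for most of the code, restore it only around the cgroup step), shown as an added example that is not snap-confine's own code. All names are hypothetical, and `record_egid` is a stand-in for the cgroup manipulation.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical names throughout; this is not snap-confine's source. */
struct ids {
    gid_t real_gid;   /* gid of the invoking user */
    gid_t saved_egid; /* effective gid at exec (0 when the binary is setgid root) */
};

/* Record both gids at startup, then hide the setgid aspect. */
static int ids_capture_and_drop(struct ids *id)
{
    id->real_gid = getgid();
    id->saved_egid = getegid();
    if (setegid(id->real_gid) != 0)
        return -1;
    /* Verify the drop took effect instead of trusting the return code alone. */
    return getegid() == id->real_gid ? 0 : -1;
}

/* Run fn with the elevated group restored, and always drop it afterwards. */
static int with_elevated_gid(const struct ids *id, int (*fn)(void *), void *arg)
{
    if (setegid(id->saved_egid) != 0)
        return -1;
    int rc = fn(arg);
    if (setegid(id->real_gid) != 0 || getegid() != id->real_gid)
        return -1; /* a failed drop must be treated as fatal by the caller */
    return rc;
}

/* Stand-in for the cgroup manipulation: reports the egid it ran under. */
static int record_egid(void *arg)
{
    *(gid_t *)arg = getegid();
    return 0;
}

int main(void)
{
    struct ids id;
    gid_t seen = (gid_t)-1;
    if (ids_capture_and_drop(&id) != 0 ||
        with_elevated_gid(&id, record_egid, &seen) != 0)
        return 1;
    printf("egid inside=%d egid after=%d\n", (int)seen, (int)getegid());
    return 0;
}
```

Run from an ordinary, non-setgid build, both printed values equal the caller's gid; the restore step only changes anything when the binary is installed setgid.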

jdstrand commented Nov 17, 2017

Looks good assuming the tests pass.

codecov-io commented Nov 17, 2017

Codecov Report

Merging #4246 into master will decrease coverage by 0.03%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##           master    #4246      +/-   ##
==========================================
- Coverage   75.95%   75.92%   -0.04%     
==========================================
  Files         440      438       -2     
  Lines       38427    38404      -23     
==========================================
- Hits        29189    29157      -32     
- Misses       7224     7230       +6     
- Partials     2014     2017       +3
Impacted Files Coverage Δ
cmd/snap-seccomp/main.go 51% <0%> (-3.22%) ⬇️
errtracker/errtracker.go 69.17% <0%> (-2.26%) ⬇️
cmd/snap/cmd_aliases.go 93.33% <0%> (-1.67%) ⬇️
cmd/snap-update-ns/bootstrap.go 85% <0%> (-0.37%) ⬇️
overlord/snapstate/snapstate.go 80.2% <0%> (-0.24%) ⬇️
osutil/group.go 0% <0%> (ø) ⬆️
httputil/redirect17.go
httputil/transport16.go

Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update db1fc27...344f660. Read the comment docs.

@mvo5 mvo5 merged commit ac72bc1 into snapcore:master Nov 17, 2017

1 of 2 checks passed

xenial-i386 autopkgtest running
continuous-integration/travis-ci/pr The Travis CI build passed