snap-confine

Merge lp:~chipaca/snap-confine/mktmpdir into lp:~snappy-dev/snap-confine/trunk

Proposed by John Lenton on 2015-05-22

Status:

Merged

Merged at revision:

Proposed branch:

Merge into:

Prerequisite:

Diff against target:

1 file modified

src/main.c (+31/-3)

To merge this branch:

bzr merge lp:~chipaca/snap-confine/mktmpdir

Critical

Fix Released

Link a bug report

Reviewer	Review Type	Date Requested	Status
Michael Vogt (community)		2015-05-22	Approve on 2015-05-22
Review via email: mp+259908@code.launchpad.net

Make a best-effort attempt at creating the old TMPDIR.

Revision history for this message

Michael Vogt (mvo) wrote on 2015-05-22:

This looks good, thanks!

review: Approve

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

People subscribed via source and target branches

to all changes:

 === modified file 'src/main.c'
 --- src/main.c	2015-05-22 09:39:09 +0000
 +++ src/main.c	2015-05-22 09:39:09 +0000
@@ -232,6 +232,32 @@
+     }
+ }
++// best-effort attempt at creating the old /tmp/snaps/* TMPDIR.
++void mkoldtmpdir() {
++    char *dir = getenv("TMPDIR");
++    if (!dir || !*dir) {
++        // TMPDIR not set, or empty
++        return;
++    }
++
++    if (strncmp(dir, "/tmp/snaps/", strlen("/tmp/snaps/")) != 0) {
++        // TMPDIR is not /tmp/snaps/*
++        return;
++    }
++
++    int n = 4;
++    char buf[MAX_BUF] = "/tmp";
++    char *d = strtok(dir+4, "/");
++    while (d) {
++        n += must_snprintf(buf+n, MAX_BUF-n, "/%s", d);
++        if (mkdir(buf, 01777) < 0) {
++            return;
++        }
++
++        d = strtok(NULL, "/");
++    }
++}
++
  int main(int argc, char **argv)
+ {
     const int NR_ARGS = 3;
@@ -286,9 +312,11 @@
            die("dropping privs did not work");
+     }
--   //https://wiki.ubuntu.com/SecurityTeam/Specifications/SnappyConfinement#ubuntu-snapp-launch
--
--   int rc = 0;
++    mkoldtmpdir();
++
++    //https://wiki.ubuntu.com/SecurityTeam/Specifications/SnappyConfinement#ubuntu-snapp-launch
++
++    int rc = 0;
      // set apparmor rules
      rc = aa_change_onexec(aa_profile);
      if (rc != 0) {