~mvo/snapd/+git/snapd-mvo:allow-non-classic-with-classic-2.37

Last commit made on 2019-02-06
Get this branch:
git clone -b allow-non-classic-with-classic-2.37 https://git.launchpad.net/~mvo/snapd/+git/snapd-mvo

Branch information

Name:
allow-non-classic-with-classic-2.37
Repository:
lp:~mvo/snapd/+git/snapd-mvo

Recent commits

313b350... by Michael Vogt

cmd_snap_op: do not use esc.bold (not available yet in 2.37)

6fd2a18... by Maciej Borzecki

cmd/snap, overlord/snapstate: silently ignore classic flag when a snap is strictly confined (#6477)

When installing a strict snap with the --classic snap like:

    snap install strict-snap --classic

this should be allowed because the user expresses that he/she is willing to install a classic snap.
If the snap is not classic that is even better and no reason to error (a warning is appropriate to
ensure the user is not under the misconception that the snap gets installed with classic confinement).

* overlord/snapstate: silently ignore classic flag when installing a non classic snap

Signed-off-by: Maciej Borzecki <email address hidden>

* cmd/snap: warn when --classic flag was ignored

Signed-off-by: Maciej Borzecki <email address hidden>

* overlord/snapstate: review feedback

Signed-off-by: Maciej Borzecki <email address hidden>

* tests/main/install-errors: verify --classic flag for non-classic snaps

Signed-off-by: Maciej Borzecki <email address hidden>

* cmd/snap: display warning before snap install summary

Signed-off-by: Maciej Borzecki <email address hidden>

* tests/main/install-errors: fix error match

Signed-off-by: Maciej Borzecki <email address hidden>

* travis: quote Go version

Signed-off-by: Maciej Borzecki <email address hidden>

267adf0... by Michael Vogt

snap-confine: remove special handling of /var/lib/jenkins

We added special handling of the jenkins user in dd3c2f4 in
snap-confine by optionally mounting /var/lib/jenkins into the
core snap. However this is only needed to make *confined* snaps
work for the jenkins user which *never* worked.

When trying to run a confined snap (like test-snapd-tools) as
the jenkins user with older versions of snapd we get the
following message:
```
cannot create user data directory: /var/lib/jenkins/snap/test-snapd-tools/6: Read-only file system
```

So this PR reverts the special handling of jenkins in snap-confine
because:
a) it's a very special case for something that did not work before
b) it breaks existing users, I got a (private) bug report that
   people get:
   `cannot perform operation: mount --rbind /var/lib/jenkins`

Note that this does *not* affect classic snaps which keep working
with this change for the special users that have homes in /var/lib.

0fe9aa0... by Zygmunt Krynicki

cmd/snap-confine: handle death of helper process (#6466)

When SIGPIPE is delivered to the snap-confine process it would involuntarily
terminate. If snap-confine was a part of a startup chain of a systemd
service then systemd would consider the exit as _clean_, as documented
by systemd.service(5), even though the actual snap application was never
invoked. This patch corrects this in the following way.

When the snap-confine helper process terminates due to SIGALRM-based
timeout mechanism the parent would receive SIGPIPE on the attempt to
communicate with the helper.

The disposition of SIGPIPE is set to SIG_IGN, and only in the scope where we
are interacting with the helper process and are possibly using pipes for
communication. This ensures that if the helper dies for whatever reason the
parent can just deal with EPIPE (and exiting with a proper error code) instead
of dying because of SIGPIPE.

The patch also contains a regression test, for easier review:

Signed-off-by: Zygmunt Krynicki <email address hidden>

* interfaces/apparmor: allow unconfined to signal snap-update-ns

This patch adds a rule that allows sending signals to snap-update-ns
from the unconfined world. This matches similar rule on snap-confine.

Such signal may be sent by, for example systemd, when a snap service is
being terminated soon after snap installation, when the update namespace
process is still alive.

Signed-off-by: Zygmunt Krynicki <email address hidden>
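An added example, written for this page and not taken from the snapd commit above, of the failure mode and the fix the commit describes: a process writes to a helper over a pipe after the helper has already died (standing in for the SIGALRM timeout). With the default SIGPIPE disposition the writer is killed and its exit is a signal death; with SIGPIPE set to SIG_IGN only around the pipe interaction, write() fails with EPIPE and the writer gets to exit with an error code of its own. The function name, the fork-based observation and the exit-code encoding are my own construction for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper for illustration (not snap-confine's code).
 * Runs the "parent" side in a forked process so the caller survives both
 * outcomes. That child creates a pipe, forks a helper that dies before
 * reading anything, then writes into the dead pipe.
 * Returns:
 *   -SIGPIPE              if the writer was killed by SIGPIPE (default disposition)
 *   the errno write() set if the writer survived (EPIPE expected when SIGPIPE is ignored)
 *   -1                    on a setup failure in the caller
 */
int probe_write_to_dead_helper(int ignore_sigpipe) {
    pid_t writer = fork();
    if (writer < 0) return -1;
    if (writer == 0) {
        int fds[2];
        if (pipe(fds) != 0) _exit(127);
        pid_t helper = fork();
        if (helper < 0) _exit(127);
        if (helper == 0) _exit(0);          /* helper dies without ever reading */
        close(fds[0]);                       /* writer keeps only the write end */
        waitpid(helper, NULL, 0);            /* helper's read end is closed now too */

        /* Scope the SIGPIPE disposition to the pipe interaction only. Setting
         * SIG_DFL explicitly for the "not ignored" case makes the outcome
         * independent of whatever disposition the caller inherited. */
        struct sigaction sa, old;
        memset(&sa, 0, sizeof sa);
        sa.sa_handler = ignore_sigpipe ? SIG_IGN : SIG_DFL;
        sigaction(SIGPIPE, &sa, &old);

        char byte = 'x';
        int err = 0;
        if (write(fds[1], &byte, 1) < 0) err = errno;   /* EPIPE, or we never get here */

        sigaction(SIGPIPE, &old, NULL);      /* restore: the rest of the program is untouched */
        close(fds[1]);
        _exit(err);                          /* EPIPE (32 on Linux) fits in an exit status */
    }
    int status;
    if (waitpid(writer, &status, 0) < 0) return -1;
    if (WIFSIGNALED(status)) return -WTERMSIG(status);
    return WEXITSTATUS(status);
}

int main(void) {
    int killed = probe_write_to_dead_helper(0);
    int survived = probe_write_to_dead_helper(1);
    printf("default SIGPIPE: %s\n",
           killed == -SIGPIPE ? "writer killed by SIGPIPE" : "unexpected result");
    printf("SIGPIPE ignored: %s\n",
           survived == EPIPE ? "write() failed with EPIPE" : "unexpected result");
    return (killed == -SIGPIPE && survived == EPIPE) ? 0 : 1;
}
```

The point of restoring the old disposition is the one the commit makes: ignoring SIGPIPE globally would change behaviour for the snap application that snap-confine eventually execs, whereas a scoped SIG_IGN only affects the parent's own talk with the helper. A supervisor such as systemd sees an ordinary non-zero exit in the second case instead of a signal death it may classify as clean.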

e19f362... by Michael Vogt

Merge pull request #6474 from mvo5/fix-wal-e-2.37

snap-confine: fix classic snaps for users with /var/lib/* homedirs (2.37)

b1a6d25... by Michael Vogt

packaging: disable systemd environment generator on 18.04 (#6470)

The PATH of systemd services does not contain "/snap/bin" because services
do not read /etc/environment (that's PAM) or login.defs (getty). To fix that
we added a systemd environment generator that would modify PATH
in snapd 2.35.1 and this works successfully in 18.10+ now. Unfortunately
the systemd version in 18.04 has a bug with the handling of the PATH
with the generators which leads to an undesired side effect when the
generator is used: we get a PATH that does no longer
include "/usr/local/{,s}bin" which will break existing systems.

Hence the systemd environment generator we ship must be disabled
on 18.04 because of the systemd bug #1771858. This was reported for
us as LP: 1814355.

This PR disables the generator on 18.04 (which is most unfortunate)
until we can fix systemd and adds a spread test.

A slightly simpler version of this fix was uploaded to bionic as
2.37.1.1.

103dfdb... by Michael Vogt

snap-confine: fix classic snaps for users with /var/lib/* homedirs (#6471)

When we removed the quirks system in commit [1da9316](https://github.com/snapcore/snapd/commit/1da9316e717d119852b827becb5a17b33713d032) we removed the following apparmor rule as well:

```
     /var/lib/** rw,
```
The unintended side-effect of this change is that we broke snaps
for users with homedirs in /var/lib/ like "postgresql", "jenkins"
and potentially more. They now get the error:

```
cannot create user data directory: /var/lib/postgresql/snap/wal-e/13: Permission denied
```
We added a special case for jenkins which unfortunately is not
enough. This PR makes the snap-confine rule more general which
will unbreak all classic snaps that use /var/lib/* as their
homedir. This will fix the wal-e snap which is classic and needs
to run as the postgresql user to perform its tasks.

We probably still need a followup that deals with confined snaps
like jenkins in a more general manner like the current targeted
jenkins fix.

088dab1... by Michael Vogt

tests: update smoke/sandbox test for armhf

While running the beta validation on armhf I noticed that the
behaviour of illegal syscalls is different from the other arches
we have. Most arches just give ENOSYS in errno. However on armhf
the process is killed with SIGILL.

This PR updates the test to account for that.

c4afa08... by Zygmunt Krynicki

cmd/snap-confine: refactor and cleanup of seccomp loading (#6426)

* cmd/snap-confine: break down seccomp loading and insertion

We had existing code to load a profile from disk based on a security
tag name, validate a few things, apply that to the current process,
all while handling privilege raising/lowering.

To make the code a little bit more reusable, break the application
of seccomp profile into a new function.

Signed-off-by: Zygmunt Krynicki <email address hidden>

* cmd/snap-confine: reuse sc_apply_seccomp_filter

With the logic to apply a seccomp filter broken out we can now reduce
the size of sc_apply_seccomp_bpf. There's no change in semantics or even
the sequence of system calls involved.

Signed-off-by: Zygmunt Krynicki <email address hidden>

* cmd/snap-confine: tweak signature of sc_apply_seccomp_bpf

The return value of sc_apply_seccomp_bpf is always zero and is never
used by snap-confine. The function always dies in case of problems.

The argument was just the security tag but under an obfuscated name.

Signed-off-by: Zygmunt Krynicki <email address hidden>

* cmd/snap-confine: rename and document seccomp profile loader

The function that loads a seccomp profile for a given security tag
is now called sc_apply_seccomp_profile_for_security_tag. A profile may
be a seccomp BPF filter or the special string "@unrestricted\n". In
addition there is non-trivial behavior when the profile is absent
that was never mentioned in the documentation before.

Signed-off-by: Zygmunt Krynicki <email address hidden>

* cmd/snap-confine: add sc_read_seccomp_filter

This helper just reads a filter to a buffer of a given size.

Signed-off-by: Zygmunt Krynicki <email address hidden>

* cmd/snap-confine: use sc_read_seccomp_filter

Signed-off-by: Zygmunt Krynicki <email address hidden>

* cmd/snap-confine: add a TODO for bpfpath validation

Signed-off-by: Zygmunt Krynicki <email address hidden>

* cmd/snap-seccomp: load global seccomp profile if one exists

Traditionally each snap process would use a custom confinement profile.
This works great since every application and hook can run under an
arbitrary seccomp profile. This doesn't allow us to say, with
confidence, that some basic guarantee applies to all confined processes
though. This patch introduces such capability.

In addition to the per-app or per-hook profile, a global profile is
loaded and attached to each started process. The global profile may be
safely absent, without incurring any errors or startup delays.

Signed-off-by: Zygmunt Krynicki <email address hidden>

* cmd/snap-confine: surface @unrestricted seccomp to main

Signed-off-by: Zygmunt Krynicki <email address hidden>

* cmd/snap-confine: skip global profile when @unrestricted

Signed-off-by: Zygmunt Krynicki <email address hidden>

* tests: adjust tested log pattern

* cmd/snap-confine: rename sys_seccomp back

Signed-off-by: Zygmunt Krynicki <email address hidden>

* cmd/snap-confine: fix indirect pointer SNAFU

Signed-off-by: Zygmunt Krynicki <email address hidden>

* cmd/snap-seccomp: tweak comment

Signed-off-by: Zygmunt Krynicki <email address hidden>

002a386... by Michael Vogt

locking.c: run indent