sandbox/apparmor: don't let vendored apparmor conflict with system (#12909)
* sandbox/apparmor: don't let vendored apparmor conflict with system
Don't enable the vendored apparmor if the system-installed apparmor will try and
load policy that would be generated by the vendored apparmor and hence may
conflict with that by using newer features not supported by the system-installed
apparmor (LP: 2024637)
Signed-off-by: Alex Murray <email address hidden>
* apparmor: add unit testing for SystemAppArmorLoadsSnapPolicy()
* tests: add test that checks regression in lp-2024637
* apparmor: only log non-ENOENT errors in systemAppArmorLoadsSnapPolicy
* tests: fix snapd-snap test on 14.04-18.04
This commit will skip apparmor vendor testing if /lib/apparmor/functions
still references /var/lib/snapd/apparmor/.
* i/apparmor: allow read of /lib/apparmor/functions in snap-update-ns
Snapd at startup will inspect this file now to ensure that the
vendored apparmor can be used. So the snap-update-ns profile
also needs to get updated as this happens during an early init().
---------
Signed-off-by: Alex Murray <email address hidden>
Co-authored-by: Michael Vogt <email address hidden>
gadget/update: set parts in laid out data from the ones matched
by EnsureVolumeCompatibility (when creating disk traits), as
LaidoutStructure.OnDiskStructure is not valid until we have the real
disk data (especially when we have a range of sizes/offsets).