Snapcraft

Merge lp:~sergiusens/snapcraft/1503495 into lp:~snappy-dev/snapcraft/core

  1. 1503495
  2. Merge into core
Proposed by Sergio Schvezov
Status: Merged
Approved by: John Lenton
Approved revision: 235
Merged at revision: 235
Proposed branch: lp:~sergiusens/snapcraft/1503495
Merge into: lp:~snappy-dev/snapcraft/core
Diff against target: 139 lines (+58/-24)
2 files modified
snapcraft/repo.py (+15/-2)
snapcraft/tests/test_repo.py (+43/-22)
To merge this branch: bzr merge lp:~sergiusens/snapcraft/1503495
Reviewer Review Type Date Requested Status
John Lenton (community) Approve
Review via email: mp+274031@code.launchpad.net

Commit message

Removing suid/guid bits from extracted debs

To post a comment you must log in.
lp:~sergiusens/snapcraft/1503495 updated
235. By Sergio Schvezov

Removing suid/guid bits from extracted debs

Revision history for this message
John Lenton (chipaca) wrote :

Yes.

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
=== modified file 'snapcraft/repo.py'
--- snapcraft/repo.py 2015-10-08 19:25:43 +0000
+++ snapcraft/repo.py 2015-10-09 21:50:28 +0000
@@ -22,6 +22,7 @@
22import platform22import platform
23import string23import string
24import shutil24import shutil
25import stat
25import subprocess26import subprocess
26import urllib27import urllib
27import urllib.request28import urllib.request
@@ -133,7 +134,7 @@
133 except subprocess.CalledProcessError:134 except subprocess.CalledProcessError:
134 raise UnpackError(pkg)135 raise UnpackError(pkg)
135136
136 _fix_symlinks(rootdir)137 _fix_contents(rootdir)
137138
138 def _manifest_dep_names(self):139 def _manifest_dep_names(self):
139 manifest_dep_names = set()140 manifest_dep_names = set()
@@ -223,11 +224,14 @@
223 return apt_cache, progress224 return apt_cache, progress
224225
225226
226def _fix_symlinks(debdir):227def _fix_contents(debdir):
227 '''228 '''
228 Sometimes debs will contain absolute symlinks (e.g. if the relative229 Sometimes debs will contain absolute symlinks (e.g. if the relative
229 path would go all the way to root, they just do absolute). We can't230 path would go all the way to root, they just do absolute). We can't
230 have that, so instead clean those absolute symlinks.231 have that, so instead clean those absolute symlinks.
232
233 Some unpacked items will also contain suid binaries which we do not want in
234 the resulting snap.
231 '''235 '''
232 for root, dirs, files in os.walk(debdir):236 for root, dirs, files in os.walk(debdir):
233 # Symlinks to directories will be in dirs, while symlinks to237 # Symlinks to directories will be in dirs, while symlinks to
@@ -244,6 +248,15 @@
244 continue248 continue
245 os.remove(path)249 os.remove(path)
246 os.symlink(os.path.relpath(target, root), path)250 os.symlink(os.path.relpath(target, root), path)
251 elif os.path.exists(path):
252 _fix_filemode(path)
253
254
255def _fix_filemode(path):
256 mode = stat.S_IMODE(os.stat(path).st_mode)
257 if mode & 0o4000 or mode & 0o2000:
258 logger.debug('Removing suid/guid from {}'.format(path))
259 os.chmod(path, mode & 0o1777)
247260
248261
249_skip_list = None262_skip_list = None
250263
=== modified file 'snapcraft/tests/test_repo.py'
--- snapcraft/tests/test_repo.py 2015-10-08 19:25:43 +0000
+++ snapcraft/tests/test_repo.py 2015-10-09 21:50:28 +0000
@@ -17,6 +17,7 @@
17import fixtures17import fixtures
18import logging18import logging
19import os19import os
20import stat
20import tempfile21import tempfile
21import unittest.mock22import unittest.mock
2223
@@ -26,6 +27,14 @@
2627
27class UbuntuTestCase(tests.TestCase):28class UbuntuTestCase(tests.TestCase):
2829
30 def setUp(self):
31 super().setUp()
32 fake_logger = fixtures.FakeLogger(level=logging.ERROR)
33 self.useFixture(fake_logger)
34 tempdirObj = tempfile.TemporaryDirectory()
35 self.addCleanup(tempdirObj.cleanup)
36 self.tempdir = tempdirObj.name
37
29 @unittest.mock.patch('snapcraft.repo._get_geoip_country_code_prefix')38 @unittest.mock.patch('snapcraft.repo._get_geoip_country_code_prefix')
30 def test_sources_amd64_vivid(self, mock_cc):39 def test_sources_amd64_vivid(self, mock_cc):
31 mock_cc.return_value = 'ar'40 mock_cc.return_value = 'ar'
@@ -66,25 +75,37 @@
66 self.assertFalse(mock_cc.called)75 self.assertFalse(mock_cc.called)
6776
68 def test_fix_symlinks(self):77 def test_fix_symlinks(self):
69 fake_logger = fixtures.FakeLogger(level=logging.ERROR)78 os.makedirs(self.tempdir + '/a')
70 self.useFixture(fake_logger)79 open(self.tempdir + '/1', mode='w').close()
71 tempdirObj = tempfile.TemporaryDirectory()80
72 self.addCleanup(tempdirObj.cleanup)81 os.symlink('a', self.tempdir + '/rel-to-a')
73 tempdir = tempdirObj.name82 os.symlink('/a', self.tempdir + '/abs-to-a')
7483 os.symlink('/b', self.tempdir + '/abs-to-b')
75 os.makedirs(tempdir + '/a')84 os.symlink('1', self.tempdir + '/rel-to-1')
76 open(tempdir + '/1', mode='w').close()85 os.symlink('/1', self.tempdir + '/abs-to-1')
7786
78 os.symlink('a', tempdir + '/rel-to-a')87 repo._fix_contents(debdir=self.tempdir)
79 os.symlink('/a', tempdir + '/abs-to-a')88
80 os.symlink('/b', tempdir + '/abs-to-b')89 self.assertEqual(os.readlink(self.tempdir + '/rel-to-a'), 'a')
81 os.symlink('1', tempdir + '/rel-to-1')90 self.assertEqual(os.readlink(self.tempdir + '/abs-to-a'), 'a')
82 os.symlink('/1', tempdir + '/abs-to-1')91 self.assertEqual(os.readlink(self.tempdir + '/abs-to-b'), '/b')
8392 self.assertEqual(os.readlink(self.tempdir + '/rel-to-1'), '1')
84 repo._fix_symlinks(debdir=tempdir)93 self.assertEqual(os.readlink(self.tempdir + '/abs-to-1'), '1')
8594
86 self.assertEqual(os.readlink(tempdir + '/rel-to-a'), 'a')95 def test_fix_suid(self):
87 self.assertEqual(os.readlink(tempdir + '/abs-to-a'), 'a')96 files = {
88 self.assertEqual(os.readlink(tempdir + '/abs-to-b'), '/b')97 'suid_file': (0o4765, 0o0765),
89 self.assertEqual(os.readlink(tempdir + '/rel-to-1'), '1')98 'guid_file': (0o2777, 0o0777),
90 self.assertEqual(os.readlink(tempdir + '/abs-to-1'), '1')99 'suid_guid_file': (0o6744, 0o0744),
100 'suid_guid_sticky_file': (0o7744, 0o1744),
101 }
102
103 for key in files:
104 with self.subTest(key=key):
105 file = os.path.join(self.tempdir, key)
106 open(file, mode='w').close()
107 os.chmod(file, files[key][0])
108
109 repo._fix_contents(debdir=self.tempdir)
110 self.assertEqual(
111 stat.S_IMODE(os.stat(file).st_mode), files[key][1])

Subscribers

People subscribed via source and target branches