Merge pull request #9024 from mvo5/feature/cloud-init-restrict-4
sysconfig/cloudinit: add RestrictCloudInit
RestrictCloudInit will implement the cloud-init specific bits of mitigation against CVE-2020-11933, insofar as it will disable importing of cloud-init NoCloud datasources from arbitrary filesystems that an attacker could control and put malicious cloud-init data on, as well as always limit the datasource for cloud-init to use on subsequent boots to the detected datasource.
We have to parse the cloud-init status.json file in order to determine what datasource was used because while the cloud-init status does give us the same information, it is in a less useful format that is harder to parse than the JSON here, and the JSON here is in a stable v1 structure that can be relied upon.
This is #3 from the snapd-private repo used to address the cloud-init fix.
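The datasource detection described in the commit message above, as an added Go example that is not snapd's own code: it reads the `v1.datasource` field from a status.json document and emits a `datasource_list` restriction for it. The function names, the constructed sample document and the strict name pattern are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
)

// statusFile mirrors only the part of status.json this example reads
// (assumed layout: a top-level "v1" object with a "datasource" string).
type statusFile struct {
	V1 struct {
		DataSource string `json:"datasource"`
	} `json:"v1"`
}

// Only accept a plain alphanumeric name after the "DataSource" prefix, so
// nothing from the status file can inject extra YAML into the generated config.
var dsRe = regexp.MustCompile(`^DataSource([A-Za-z0-9]+)`)

var ErrNoDatasource = errors.New("no datasource recorded in status.json")

// DetectedDatasource returns the short datasource name (e.g. "NoCloud").
func DetectedDatasource(raw []byte) (string, error) {
	var st statusFile
	if err := json.Unmarshal(raw, &st); err != nil {
		return "", fmt.Errorf("cannot parse status.json: %w", err)
	}
	// A null or missing datasource means cloud-init has not settled on one;
	// the caller should not write a restriction in that case.
	m := dsRe.FindStringSubmatch(st.V1.DataSource)
	if m == nil {
		return "", ErrNoDatasource
	}
	return m[1], nil
}

// RestrictionConfig renders a cloud-init config fragment that pins later
// boots to the detected datasource only.
func RestrictionConfig(name string) string {
	return fmt.Sprintf("datasource_list: [%s]\n", name)
}

// Constructed sample input, not captured from a real system.
const sampleStatus = `{"v1": {"datasource": "DataSourceNoCloud [seed=/dev/sr0][dsmode=net]", "stage": null}}`

func main() {
	name, err := DetectedDatasource([]byte(sampleStatus))
	if err != nil {
		fmt.Println("not restricting:", err)
		return
	}
	fmt.Print(RestrictionConfig(name))
}
```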
Merge pull request #9018 from stolowski/preseed-reset-check-dir
cmd/snap-preseed: check that target path exists and is a directory on --reset
Follow-up to #9015
The reset logic uses globs to find and remove any preseeding artifacts, but doesn't check that the target directory exists. This doesn't cause any errors but may be confusing if a wrong path is given by mistake - globs don't match anything and snap-preseed --reset /invalid/path returns silently. This PR fixes this.