i/apparmor: fix snap-update-ns with ecryptfs home (#13857)
Ever since snapd 2.62 was released, snap-update-ns requires opening the home
directory of the user for some validation and sanity checking. This is now
affected by a bug in base policy regarding ecryptfs. Add the similar workaround
we have in other templates.
i/apparmor: add missing expansion for s-u-n template (#13853)
This fixes access to /etc/apparmor.d/tunables when running from snapd snap.
When snapd snap re-executes, and uses apparmor_parser from snapd snap (those
are separate conditions), then it re-directs the parser away from host
/etc/apparmor.d and we have special code to load tunables from the host anyway.
Those tunables are themselves conditional on the conditional include syntax
that may or may not be supported by apparmor (otherwise they would be explicitly
spelled out in the template, and not dynamically expanded with custom logic).
The problem was introduced along with patch
b98e4af3768cd7bc6e5302372ef19c6762b58f14 (i/apparmor: support for home.d
tunables from /etc/ (#13118)), as the case for snap-update-ns was missed, and
the default expansion is an empty string.
Regression-testing this requires that we re-package snapd snap, so the test
will come in with a separate patch as it requires somewhat more effort to
behave correctly.
This issue was identified by Maciej Borzecki.
Signed-off-by: Zygmunt Krynicki <email address hidden>
o/snapstate: use StartBeforeDriversLoad only for systems with modes
We do not need early mounts for the kernel in UC16/18, and they cause
problems with systemd on UC16.
5b5b54f... by Andrew Phelps <email address hidden>
daemon, o/snapstate, snap: add hooks to snap.ComponentInfo (#13771)
* daemon, o/snapstate, snap: add hook information to snap.ComponentInfo
* snap: add functions for helping with snap component instances
* snap: return correct security tags from hook if it is a component hook
* s/snaptest: add function for mocking an installed component
* snap: add functions to help with hook and component locations
* snap: add test for ReadComponentInfoFromContainer where component is not found in provided snap.Info
* snap, o/snapstate: move component and snap consistency checks into snap.ReadComponentInfoFromContainer
* snap: remove unneeded json tag
* snap: log if we ignore an unsupported implicit component hook
* snap: reorder addAndBindImplicitComponentHooksFromContainer args to be more consistent
* snap: add extra component hook to test
* snap: reorder ComponentHooksDir args and implement it using ComponentMountDir
* snap: correct doc comment on SnapComponentName
* snap: use two spaces for indentation in yaml literals
* snap: upgrade debug log for unsupported hook to notice
c679f43... by Andrew Phelps <email address hidden>
s/cgroup, systemd: escape systemd unit names in CreateTransientScopeForTracking (#13763)
* systemd: add function that implements "systemd-escape" in addition to already existing "systemd-escape --path"
* s/cgroup: escape created unit name in CreateTransientScopeForTracking
With the addition of component hooks, we'll have unit names that include
a '+', like 'snap.snapname+comp.hook.install'. This causes systemd to
complain that the unit isn't properly escaped. On the command line,
systemd-run will properly escape this for you (with a warning), but the
dbus API doesn't do that.
* s/naming: teach ParseSecurityTag to handle tags from component hooks
* Revert "systemd: add function that implements "systemd-escape" in addition to already existing "systemd-escape --path""
This reverts commit 0521600ec8fa785b69d2b7a85fa8da9be4938a5a.
* systemd: add functions for escaping security tags to valid systemd unit names
We must at least partially escape unit names that are created from
security tags, since they may potentially contain '+' characters from
snap components.
Since we already use unit names with '-' in them, we cannot simply use a
reimplementation of systemd-escape. This is because '-' is escaped by
systemd-escape. Note that '-' is a valid character in a unit name, since
it is used as the replacement for the '/' character by systemd-escape.
Thus, we have our own functions for converting a security tag to a unit
name, and the inverse. These functions only escape the '+' character
that appears in security tags.
* s/cgroup: use new conversions from security tags to unit names, and the inverse
* systemd: update doc comment on UnitNameFromSecurityTag
Co-authored-by: Maciej Borzecki <email address hidden>
* s/naming: add ComponentName method to HookSecurityTag interface
* systemd: split tests for UnitNameFromSecurityTag and SecurityTagFromUnitName
* s/naming: add test for invalid snap instance that is a part of a component
* s/naming: refactor ParseSecurityTag to clarify that components cannot have apps yet
* systemd, s/cgroup: rename security tag and unit name conversion functions for clarity
---------
Co-authored-by: Maciej Borzecki <email address hidden>
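The following Go sketch is an added example, not snapd's own code, illustrating the reasoning in the commit message above: a conversion from a security tag to a systemd unit name that escapes only the '+' introduced by component hooks, its inverse, and a simplified model of systemd-escape's own rules that shows why a full reimplementation would mangle the '-' already present in existing unit names. The function names UnitNameFromTag, TagFromUnitName and SystemdEscape are hypothetical; the example assumes systemd's "\xHH" byte-escape notation, in which '+' is 0x2b and '-' is 0x2d.

```go
package main

import (
	"fmt"
	"strings"
)

// escapedPlus is the systemd-style escape for '+' (byte 0x2b).
const escapedPlus = `\x2b`

// UnitNameFromTag (hypothetical name) converts a security tag such as
// "snap.snapname+comp.hook.install" into a unit name systemd accepts by
// escaping only the '+' that component hooks introduce. Every other
// character, '-' included, is left untouched so that unit names snapd
// already creates stay exactly as they are.
func UnitNameFromTag(tag string) string {
	return strings.ReplaceAll(tag, "+", escapedPlus)
}

// TagFromUnitName (hypothetical name) is the inverse of UnitNameFromTag.
// It reverses only the escape sequence we produce and rejects any other
// backslash escape, so a unit name that did not come from this scheme is
// reported instead of being silently decoded.
func TagFromUnitName(unit string) (string, error) {
	var b strings.Builder
	for i := 0; i < len(unit); i++ {
		c := unit[i]
		if c != '\\' {
			b.WriteByte(c)
			continue
		}
		if strings.HasPrefix(unit[i:], escapedPlus) {
			b.WriteByte('+')
			i += len(escapedPlus) - 1 // loop increment consumes the last byte
			continue
		}
		return "", fmt.Errorf("unexpected escape sequence at offset %d in %q", i, unit)
	}
	return b.String(), nil
}

// SystemdEscape is a simplified model of systemd-escape's rules (assumption:
// '/' becomes '-', ASCII letters, digits, ':', '_' and '.' pass through, and
// everything else, including '-', becomes "\xHH"). It is here only to show
// the collision the commit message describes; leading-'.' handling and other
// corner cases of the real tool are deliberately omitted.
func SystemdEscape(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch {
		case c == '/':
			b.WriteByte('-')
		case c >= 'a' && c <= 'z', c >= 'A' && c <= 'Z', c >= '0' && c <= '9',
			c == ':', c == '_', c == '.':
			b.WriteByte(c)
		default:
			fmt.Fprintf(&b, `\x%02x`, c)
		}
	}
	return b.String()
}

func main() {
	// Constructed sample tags: one plain hook, one component hook.
	for _, tag := range []string{"snap.foo-bar.hook.install", "snap.snapname+comp.hook.install"} {
		unit := UnitNameFromTag(tag)
		back, err := TagFromUnitName(unit)
		fmt.Printf("tag=%s\n  ours=%s (round-trip ok: %v)\n  full systemd-escape=%s\n",
			tag, unit, err == nil && back == tag, SystemdEscape(tag))
	}
}
```

Running it shows that the full escaping turns the existing unit name "snap.foo-bar.hook.install" into "snap.foo\x2dbar.hook.install", which no longer matches what is already on the system, while the '+'-only conversion leaves it alone and still produces a valid name for the component hook.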
Ship the current version of snap-debug-info.sh script inside the snapd snap, so
that folks no longer need to download it from snapd github repository.
Signed-off-by: Maciej Borzecki <email address hidden>