snappy:release/2.63

Last commit made on 2024-04-24
Get this branch:
git clone -b release/2.63 https://git.launchpad.net/snappy

Branch information

Name:
release/2.63
Repository:
lp:snappy

Recent commits

40efd81... by Ernest Lotter

release: 2.63

b32dcdc... by Valentin David

interfaces/udev: generate rules with deprecated command line (#13882)

Snapd from the snap generates udev rules that execute snap-device-helper
from the host. In cases when the snap is newer than the package, the
new command line is rejected by the old snap-device-helper from the
package. Because the new snap-device-helper accepts the old command line,
but just ignores the extra parameters, it is safer for now to generate
rules with the old command line.

e56b10f... by jcat

interfaces/opengl: enable use of nvidia container toolkit CDI config generation (#13847)

The nvidia container toolkit needs to traverse the top level libs
directory in order to discover the libraries and generate a CDI config.

b6f8ab3... by Zygmunt Krynicki

tests/regression: skip lp-1848567 if internal parser is used (#13874)

The test uses the host parser unconditionally, which may not understand
future syntax that is present in cases when apparmor is carried
by the snapd snap package.

Signed-off-by: Zygmunt Krynicki <email address hidden>

bf3af32... by Maciej Borzecki

data/selinux: update policy to allow stat of /run/systemd/container (#13872)

Since 3cfa28a0fc snap-confine checks if the system is running in a container. It
does so by reading /run/systemd/container. Extend the SELinux policy to allow basic
search operations within /run/systemd. It is unlikely anyone runs snapd in a
container where SELinux is enabled on the host, so the actual file read
permissions are likely not needed.

Signed-off-by: Maciej Borzecki <email address hidden>

e63665a... by Maciej Borzecki

cmd/snap-confine: skip device cgroup setup when running inside a container (#13859)

* cmd/libsnap-confine-private: helper for detecting if executing inside a container

Add a helper which attempts to detect if the current process is executing inside
a container environment. Specifically, look for /run/systemd/container and check
whether it is non-empty.

Signed-off-by: Maciej Borzecki <email address hidden>

* cmd/snap-confine: do not setup device cgroup if running inside a container

Do not set up a device cgroup filter if we're running inside a container. The
rationale is that the container environment has already shut down device access
sufficiently, and especially if running in an unprivileged container, we may not be
able to set it up correctly anyway.

Signed-off-by: Maciej Borzecki <email address hidden>

* cmd/snap-confine: allow reading of /run/systemd/container

Allow snap-confine to read /run/systemd/container to implement the container
execution check.

Signed-off-by: Maciej Borzecki <email address hidden>

* cmd/snap-confine: use strnlen for sc_is_container

Signed-off-by: Zygmunt Krynicki <email address hidden>

---------

Signed-off-by: Maciej Borzecki <email address hidden>
Signed-off-by: Zygmunt Krynicki <email address hidden>
Co-authored-by: Zygmunt Krynicki <email address hidden>

9baeee4... by Zygmunt Krynicki

i/apparmor: allow snap-update-ns to traverse to /var/lib/snapd (#13858)

I've noticed this denial in one of my test systems:

  kwi 19 10:54:52 ubuntu-2204-cryptfs kernel: audit: type=1400
  audit(1713516892.723:323): apparmor="DENIED" operation="open" class="file"
  profile="snap-update-ns.chromium" name="/var/lib/snapd /" pid=8425 comm="5"
  requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Given that snap-update-ns must access mount profiles and contains code to
safely traverse a path without any symbolic links, I think the extra
permissions are acceptable.

I did not audit the code to pinpoint the exact cause.

Signed-off-by: Zygmunt Krynicki <email address hidden>

e95b801... by Zygmunt Krynicki

i/apparmor: fix snap-update-ns with ecryptfs home (#13857)

Ever since snapd 2.62 was released, snap-update-ns requires opening the home
directory of the user for some validation and sanity checking. This is now
affected by a bug in the base policy regarding ecryptfs. Add a workaround similar
to the one we have in other templates.

Fixes: https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/2062330
Fixes: https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/2062173

Signed-off-by: Zygmunt Krynicki <email address hidden>

35fed3f... by Ernest Lotter

overlord/snapstate: fix calls to compMntDir

63324f0... by Ernest Lotter

overlord/snapstate: fix calls to createTestComponent