Next Generation Checkbox (CLI)

Merge ~sylvain-pineau/checkbox-ng:fix-CVE-2021-44731 into checkbox-ng:master

  1. Git
  2. lp:~sylvain-pineau/checkbox-ng
  3. fix-CVE-2021-44731
  4. Merge into master
Proposed by Sylvain Pineau
Status: Merged
Approved by: Sylvain Pineau
Approved revision: 96116055eba4336b8f6370982b14e6b688a0fa0c
Merged at revision: 1941bac47541c5b6b052be64cc8a4b5ddfc11ab1
Proposed branch: ~sylvain-pineau/checkbox-ng:fix-CVE-2021-44731
Merge into: checkbox-ng:master
Diff against target: 38 lines (+10/-10)
1 file modified
plainbox/impl/session/restart.py (+10/-10)
Reviewer Review Type Date Requested Status
Sylvain Pineau (community) Approve
Review via email: mp+417166@code.launchpad.net

Description of the change

CVE-2021-44731 adjustments in checkbox.

The systemd service unit responsible to start the `checkbox-cli service` command now runs outside confinement but still provide SNAP and SNAP_DATA env var.

The logic to establish which restart strategy to adopt must change. the deb restart strategy must be evaluated first since the new service unit will be named as for debs.

Doing so will prevent the use of the on_ubuntucore() method (which selects a strategy assuming a real snap runtime).

To post a comment you must log in.
Revision history for this message
Sylvain Pineau (sylvain-pineau) wrote :

self-approved

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1diff --git a/plainbox/impl/session/restart.py b/plainbox/impl/session/restart.py
2index b3c72cd..2cc9c8b 100644
3--- a/plainbox/impl/session/restart.py
4+++ b/plainbox/impl/session/restart.py
5@@ -269,6 +269,16 @@ def detect_restart_strategy(session=None) -> IRestartStrategy:
6 :raises LookupError:
7 When no such object can be found.
8 """
9+ # debian and unconfined checkbox-ng.service
10+ if session_type == "checkbox-slave":
11+ try:
12+ subprocess.run(
13+ ['systemctl', 'is-active', '--quiet', 'checkbox-ng.service'],
14+ check=True)
15+ return RemoteDebRestartStrategy()
16+ except subprocess.CalledProcessError:
17+ pass
18+
19 # XXX: RemoteSnappyRestartStrategy debug
20 remote_restart_stragegy_debug = os.getenv('REMOTE_RESTART_DEBUG')
21 if remote_restart_stragegy_debug:
22@@ -313,16 +323,6 @@ def detect_restart_strategy(session=None) -> IRestartStrategy:
23 else:
24 return SnappyRestartStrategy()
25
26- # debian checkbox-ng.service
27- if session_type == "checkbox-slave":
28- try:
29- subprocess.run(
30- ['systemctl', 'is-active', '--quiet', 'checkbox-ng.service'],
31- check=True)
32- return RemoteDebRestartStrategy()
33- except subprocess.CalledProcessError:
34- pass
35-
36 if os.path.isdir('/etc/xdg/autostart'):
37 # NOTE: Assume this is a terminal application
38 return XDGRestartStrategy(app_terminal=True)

Subscribers

People subscribed via source and target branches