Next Generation Checkbox (CLI)

Merge ~sylvain-pineau/checkbox-ng:fix-CVE-2021-44731 into checkbox-ng:master

  1. Git
  2. lp:~sylvain-pineau/checkbox-ng
  3. fix-CVE-2021-44731
  4. Merge into master
Proposed by Sylvain Pineau
Status: Merged
Approved by: Sylvain Pineau
Approved revision: 96116055eba4336b8f6370982b14e6b688a0fa0c
Merged at revision: 1941bac47541c5b6b052be64cc8a4b5ddfc11ab1
Proposed branch: ~sylvain-pineau/checkbox-ng:fix-CVE-2021-44731
Merge into: checkbox-ng:master
Diff against target: 38 lines (+10/-10)
1 file modified
plainbox/impl/session/restart.py (+10/-10)
Reviewer Review Type Date Requested Status
Sylvain Pineau (community) Approve
Review via email: mp+417166@code.launchpad.net

Description of the change

CVE-2021-44731 adjustments in checkbox.

The systemd service unit responsible to start the `checkbox-cli service` command now runs outside confinement but still provide SNAP and SNAP_DATA env var.

The logic to establish which restart strategy to adopt must change. the deb restart strategy must be evaluated first since the new service unit will be named as for debs.

Doing so will prevent the use of the on_ubuntucore() method (which selects a strategy assuming a real snap runtime).

To post a comment you must log in.
Revision history for this message
Sylvain Pineau (sylvain-pineau) wrote :

self-approved

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
diff --git a/plainbox/impl/session/restart.py b/plainbox/impl/session/restart.py
index b3c72cd..2cc9c8b 100644
--- a/plainbox/impl/session/restart.py
+++ b/plainbox/impl/session/restart.py
@@ -269,6 +269,16 @@ def detect_restart_strategy(session=None) -> IRestartStrategy:
269 :raises LookupError:269 :raises LookupError:
270 When no such object can be found.270 When no such object can be found.
271 """271 """
272 # debian and unconfined checkbox-ng.service
273 if session_type == "checkbox-slave":
274 try:
275 subprocess.run(
276 ['systemctl', 'is-active', '--quiet', 'checkbox-ng.service'],
277 check=True)
278 return RemoteDebRestartStrategy()
279 except subprocess.CalledProcessError:
280 pass
281
272 # XXX: RemoteSnappyRestartStrategy debug282 # XXX: RemoteSnappyRestartStrategy debug
273 remote_restart_stragegy_debug = os.getenv('REMOTE_RESTART_DEBUG')283 remote_restart_stragegy_debug = os.getenv('REMOTE_RESTART_DEBUG')
274 if remote_restart_stragegy_debug:284 if remote_restart_stragegy_debug:
@@ -313,16 +323,6 @@ def detect_restart_strategy(session=None) -> IRestartStrategy:
313 else:323 else:
314 return SnappyRestartStrategy()324 return SnappyRestartStrategy()
315325
316 # debian checkbox-ng.service
317 if session_type == "checkbox-slave":
318 try:
319 subprocess.run(
320 ['systemctl', 'is-active', '--quiet', 'checkbox-ng.service'],
321 check=True)
322 return RemoteDebRestartStrategy()
323 except subprocess.CalledProcessError:
324 pass
325
326 if os.path.isdir('/etc/xdg/autostart'):326 if os.path.isdir('/etc/xdg/autostart'):
327 # NOTE: Assume this is a terminal application327 # NOTE: Assume this is a terminal application
328 return XDGRestartStrategy(app_terminal=True)328 return XDGRestartStrategy(app_terminal=True)

Subscribers

People subscribed via source and target branches