Merge ~sylvain-pineau/checkbox-ng:aa-exec_unconfined into checkbox-ng:master

Proposed by Sylvain Pineau
Status: Merged
Approved by: Sylvain Pineau
Approved revision: 5cd07e1ddfe03b3ab68ac9053f9e8a78a3624717
Merged at revision: 7bd5dd16c3ba4fe39a2165307711dfba38f148b8
Proposed branch: ~sylvain-pineau/checkbox-ng:aa-exec_unconfined
Merge into: checkbox-ng:master
Diff against target: 22 lines (+5/-0)
1 file modified
plainbox/impl/execution.py (+5/-0)
Reviewer: Jonathan Cave (community); status: Approve
Review via email: mp+421088@code.launchpad.net

Description of the change

The fix recommended by the snapd team: running the commands currently blocked by snap-confine using an unconfined AppArmor profile.

Tested with a custom checkbox18 using that branch (successfully).

Jonathan Cave (jocave) wrote :

This looks good in terms of running all *tests* completely "unconfined". I suppose we need to keep in mind that checkbox itself is still in "complain" mode should any security issues arise in the future.

+1

review: Approve

Preview Diff

1diff --git a/plainbox/impl/execution.py b/plainbox/impl/execution.py
2index e1aa65b..32051a6 100644
3--- a/plainbox/impl/execution.py
4+++ b/plainbox/impl/execution.py
5@@ -37,6 +37,7 @@ from plainbox.abc import IJobResult, IJobRunner
6 from plainbox.i18n import gettext as _
7 from plainbox.impl.color import Colorizer
8 from plainbox.impl.unit.job import supported_plugins
9+from plainbox.impl.unit.unit import on_ubuntucore
10 from plainbox.impl.result import IOLogRecordWriter
11 from plainbox.impl.result import JobResultBuilder
12 from plainbox.impl.runner import CommandOutputWriter
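Review bot: the new `on_ubuntucore` import is the only thing that gates the unconfined execution path added further down, yet neither the import line nor a comment says what condition it actually detects (an Ubuntu Core system, or specifically a snap-confined checkbox); a one-line comment next to the import, or a docstring reference, would make the coupling between `execution.py` and `plainbox.impl.unit.unit` clear to the next reader. Placing it beside the existing `plainbox.impl.unit.job` import is consistent with the surrounding style.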
13@@ -568,5 +569,9 @@ def get_execution_command(job, environ, session_id,
14 env.update(extra_env())
15 cmd += ["{key}={value}".format(key=key, value=value)
16 for key, value in sorted(env.items())]
17+ # Run the command unconfined on ubuntu core because of snap-confine fixes
18+ # related to https://ubuntu.com/security/CVE-2021-44731
19+ if on_ubuntucore():
20+ cmd += ['aa-exec', '-p', 'unconfined']
21 cmd += [job.shell, '-c', job.command]
22 return cmd
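Review bot: the `if on_ubuntucore():` branch prepends `aa-exec -p unconfined` to every job command, not only to the commands the description says are blocked by snap-confine, so on Ubuntu Core all tests run with no AppArmor confinement at all; if that blanket scope is intended, the comment should state it explicitly (the CVE link alone explains the trigger, not the consequence), otherwise gate the prefix on the specific jobs that need it. Separately, nothing here checks that `aa-exec` is available on the PATH seen by the job, and if it is absent the whole command fails rather than falling back to the previous behaviour; a presence check with a logged warning, or a fallback to the unprefixed `cmd`, would be the defensive choice.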
