8063 Commits

Author SHA1 Message Date
Zygmunt Bazyli Krynicki
0b52b0eae6 many: update apparmor to 4.0.1 (#14150)
* build-aux: update vendored apparmor to 4.0.1 release

Signed-off-by: Alex Murray <alex.murray@canonical.com>

* build-aux: add autoconf-archive to apparmor/build-packages

Unlike the Launchpad tarball, the one from the apparmor gitlab
requires this to be present as it is just a snapshot of the git tree,
not a release tarball like those provided by Launchpad.

Signed-off-by: Alex Murray <alex.murray@canonical.com>

* build-aux: remove apparmor parser performance patch

This was already included upstream as part of the 3.1.0 release and
hence is included in the 4.0.1 release which we are now vendoring.

Signed-off-by: Alex Murray <alex.murray@canonical.com>

* build-aux: remove remote patch application logic

They are already included in apparmor 4.x release.

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>

* build-aux: remove local patch application logic

All local patches are now merged in the 4.x release.

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>

* cmd/configure.ac: expect apparmor 4.0.1 when building as a snap

Signed-off-by: Alex Murray <alex.murray@canonical.com>

* sandbox/apparmor: use apparmor 4.0 abi with vendored parser

Signed-off-by: Alex Murray <alex.murray@canonical.com>

* sandbox/apparmor: add debug logging when probing parser features

Signed-off-by: Alex Murray <alex.murray@canonical.com>

* sandbox/apparmor: log apparmor_parser version when probing features

This is helpful when trying to debug why certain features may not be supported.

Signed-off-by: Alex Murray <alex.murray@canonical.com>

* tests/main: update for new vendored apparmor 4.0

Signed-off-by: Alex Murray <alex.murray@canonical.com>

* Reapply "i/builtin: allow docker-support to use mqueue (#13738)" (#13765)

This reverts commit ce298864e3.

* interfaces: adjust docker-support test to handle mqueue

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>

* sandbox/apparmor: mask mqueue feature until apparmor 4.0.1

It seems that mediation of mqueue is miscompiled by apparmor_parser
4.0.0~beta3 that was present in Ubuntu 24.04 until the 10th of July
2024. Detect this and mask the presence of mqueue unless apparmor parser
4.0.1, or newer, is used.

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>

* sandbox/apparmor: support bundled 3.0 or 4.0 (preferred) abi

Mirror the logic used in apparmor-from-the-host to apparmor-from-snapd-snap.
This mainly fixes tests that repackage old snapd snap without touching
apparmor, but in general seems like the right thing to do.

The logic is such that abi 4 is preferred.

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>

* sandbox/apparmor: unify test mocking logic

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>

* sandbox/apparmor: refactor appArmorParserVersion not to clobber cmd

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>

* sandbox/apparmor: fix pair of typos

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>

---------

Signed-off-by: Alex Murray <alex.murray@canonical.com>
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
Co-authored-by: Alex Murray <alex.murray@canonical.com>
2024-07-11 23:55:44 +02:00
Alfonso Sánchez-Beato
e35fcbdc79 cmd/cmd_prepare_image: support for components option
2024-07-11 15:11:21 -04:00
Alfonso Sánchez-Beato
35964cf71c cmd: make sure there are no crashes if no api data is returned
Make sure that snap refresh/install does not crash if a change has no
api data. This is not happening in usual interactions with the store,
but it does in some cases when we use the fakestore, which is breaking
some integration tests.
2024-07-09 07:58:47 -04:00
Jorge Sancho Larraz
265b7c44d1 sandbox/apparmor: aare exclusion rule generation (#13488)
* sandbox/apparmor: add GenerateAAREExclusionPatterns

This function is generic (and complex) enough to be able to handle all of the
overlapping and wildcard behavior we need in docker-support, and it could also
serve to replace numerous other places in the codebase where we need this sort
of complex behavior. It is a generalization of the existing
aareExclusionPatterns helper, though it's actually unclear if this exact
implementation will currently be able to serve the use case from that helper
directly or if more options/adjustments are needed to enable that use case as
well.

To keep the diff smaller, this patch does not actually change any of the
profiles/interfaces, just TODO's are left for where to use it.

Note that the generated rules are slightly more condensed in terms of number of
rules but significantly more verbose in terms of alternations, not sharing more
of repeated substrings between alternations inside the patterns. This was done
explicitly to keep the generating code simpler and easier to understand, but it
may prove to have performance effects, either detrimental or benevolent but
that should be measured before deciding to make the generation code even more
complex than it already is.

Signed-off-by: Ian Johnson <ian.johnson@canonical.com>

* interfaces/docker-support: generate AARE exclusion patterns with helper func

Signed-off-by: Ian Johnson <ian.johnson@canonical.com>

* sandbox/apparmor: unexport helper functions

These were not meant to be exported, only the fully generic one is meant to be
exported.

Signed-off-by: Ian Johnson <ian.johnson@canonical.com>

* sandbox/apparmor: fix bug mis-sorting capitalized letters in AARE exclude patt

Thanks to Alberto for spotting this :-)

Signed-off-by: Ian Johnson <ian.johnson@canonical.com>

* sandbox/apparmor: fix format issues introduced during rebase

* sandbox/apparmor: simplify generateAAREExclusionPatternsGenericImpl

* sandbox/apparmor: add checks for unsupported cases and improve documentation

* sandbox/apparmor: update tests to compare the apparmor binary instead of source

* interfaces/builtin/docker_support: check if userns is supported before adding it to the profile

* interfaces/builtin/docker_support: fix dependencies

* sandbox/apparmor: use placeholders

* i/b/docker_support_test: update TestGenerateAAREExclusionPatterns to use SnapAppSet

* testutil/apparmor: use go crypto/sha1 module instead of system sha1sum command

* {sandbox,testutil}/apparmor: minor format fixes

* move helper to find common prefix to strutil

* add copyright info

* use string builder

* i/b/docker_support_test.go: update accordingly to 277fbc266e (many: add components to interfaces.SnapAppSet (#13837))

* strutil/commonprefix.go: remove extra empty line

* sandbox/apparmor/apparmor.go: sort prefixes to ensure profile is always the same

* sandbox/apparmor/apparmor.go: remove extra empty line

* i/b/docker_support_test: skip TestGenerateAAREExclusionPatterns if apparmor_parser is not usable

---------

Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
Co-authored-by: Ian Johnson <ian.johnson@canonical.com>
2024-07-04 12:23:08 +02:00
Maciej Borzecki
5b632bef96 cmd/snap: add debug api command
Add a debug command to execute raw queries to the snapd API. This is useful when
trying to query snapd endpoints directly, but curl or another similar tool is not
available.

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>
2024-07-04 07:35:07 +02:00
Maciej Borzecki
61d7eba0cd daemon, cmd/snapd: propagate context (#14130)
* daemon: establish a cancelation chain for incoming API requests

Establish a cancelation chain for incoming API requests, to ensure orderly
shutdown. This prevents a situation in which an API request, such as notices
wait, can block snapd shutdown for a long time.

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* daemon: return 500 when the request context gets canceled

Requests can be canceled based on the code actually issuing a cancel on the
associated context, hence an Internal Server Error seems more appropriate.

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* o/snapstate: leave TODOs about using caller provided context

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* daemon: pass down request context where possible

Pass the context from the API request further down.

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* daemon: set context in snap instruction for many-snap operation

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* daemon: pass context as an explicit parameter to request handlers

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* daemon: pass context

Thanks to @ZeyadYasser

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* daemon: comment on Start() taking a context.

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* daemon: add unit tests targeting context passed to Start()

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* daemon: drop unit test for hijacked context

The test isn't very useful. Another option to trigger this would be to call
Stop() without a prior call to Start(), but this segfaults on
d.standbyOpinions.Stop(), so it's clear this needs a followup fix or calling
Stop() this way isn't supported.

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

---------

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>
2024-06-28 14:54:52 +02:00
Zygmunt Krynicki
e899ee3dc8 cmd/libsnap-confine-private: recognize relative /snap symlink
The symlink /snap -> /var/lib/snapd/snap may be alternatively encoded as /snap
-> var/lib/snapd/snap in order to stay compatible with symlink packaging rules.

Adjust tests to handle both variants and tweak naming to match the non-test code.

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
2024-06-28 14:33:35 +02:00
Zygmunt Krynicki
07fb012989 cmd/snap-confine: fix typo: instances
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
2024-06-28 14:33:35 +02:00
Zygmunt Krynicki
51676a8c40 cmd/snap-confine: use dynamic SNAP_MOUNT_DIR in ns-support
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
2024-06-28 14:33:35 +02:00
Zygmunt Krynicki
ef830f2ded cmd/snap-confine: use dynamic SNAP_MOUNT_DIR in mount-support
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
2024-06-28 14:33:35 +02:00
Zygmunt Krynicki
c0b159f8e3 cmd/snap-confine: use dynamic SNAP_MOUNT_DIR in sc_invocation
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
2024-06-28 14:33:35 +02:00
Zygmunt Krynicki
34b83654d2 cmd/snap-confine: replace SNAP_MOUNT_DIR with SNAP_MOUNT_DIR_LIST
Instead of a pre-processed apparmor profile, with a statically compiled /snap
or /var/lib/snapd/snap, use an apparmor parser variable that expands to both
locations.

The sed replacement of @SNAP_MOUNT_DIR@ is now pointless.

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
2024-06-28 14:33:35 +02:00
Zygmunt Krynicki
e37db32799 cmd/snap-confine: probe SNAP_MOUNT_DIR on startup
Call the probe early in snap-confine's startup logic and display the discovered
value. This triggers all the extra LSM permissions necessary to read through
/proc/1/root.

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
2024-06-28 14:33:35 +02:00
Zygmunt Krynicki
3c8041bc1a cmd/libsnap-confine-private: add SNAP_MOUNT_DIR test fixture
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
2024-06-28 14:33:35 +02:00
Zygmunt Krynicki
07deef5721 cmd/libsnap-confine-private: add sc_set_snap_mount_dir for testing
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
2024-06-28 14:33:35 +02:00
Zygmunt Krynicki
2e4ad1e926 cmd/snap-confine: do not include test-utils.h from non-test code
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
2024-06-28 14:33:35 +02:00
Zygmunt Krynicki
fbec030f78 cmd: link snap-device-helper tests with snap-dir.c
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
2024-06-28 14:33:35 +02:00
Maciej Borzecki
3425bb7d42 cmd/snap-repair: leave TODO about setting up FIPS mode
There are some concerns as to where snap-repair should be placed, thus
temporarily leave a note about needing to address the FIPS mode until the matter
is resolved.

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>
2024-06-27 08:29:36 +02:00
Maciej Borzecki
45fb0588ae cmd/snapd: setup FIPS
Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>
2024-06-27 08:29:36 +02:00
Maciej Borzecki
8694dc5d39 cmd/snap: setup FIPS
Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>
2024-06-27 08:29:36 +02:00
Andrew Phelps
90c2e4c534 many: modify snap run to understand component hooks (#13976)
* snap, s/snaptest: add function for reading the ComponentInfo of the current revision of a component for a snap revision

* s/snapenv, c/snap: add support for component hooks to ExtendEnvForRun

* c/snap: update run to be able to run component hooks

* c/snap: refactor runSnapConfine to operate on a runnable that can represent snap hooks, component hooks, and apps

This commit doesn't need to be here, and things will work without it.
But things were getting a bit complicated in runSnapConfine with
arguments that represented different things based on what we were
running.

* c/snap-exec: handle running component hooks in snap-exec

* c/snap-exec: move parsing of snap-exec target into execHook and execApp

* snap: make error message when failing to parse current component revision a bit better

* c/snap: add IsHook method to runnable type for easier checking

* s/snaptest: use os.Symlink rather than atomic variant in test code

* snap, s/snapdir, c/snap: fix import cycle issue with hook from snapdir into snap

* c/snap, c/snap-exec: docs and panicking default for NewContainerFromDir

* c/snap, c/snap-exec: set up hook for snap.NewContainerFromDir

* c/snap: remove TODO about getting component revision

* c/snap, c/snap-exec: use _ imports rather than initializing hook manually

* s/naming: add ParseComponentRef function

* snap, o/s/backend, daemon: replace ComponentLinkPath and ComponentInstallDate param with naming.ComponentRef

* snap: use ComponentLinkPath helper in ComponentLinkPath

* s/snapdir: add doc comment for NewContainerForDir

* Revert "snap: use ComponentLinkPath helper in ComponentLinkPath"

This reverts commit 9a56c379779490f798613db31aa66b2b177ddd3d.

* Revert "snap, o/s/backend, daemon: replace ComponentLinkPath and ComponentInstallDate param with naming.ComponentRef"

This reverts commit ca39dc1e60174d769ef2345f1e4b58d63f0f7528.

* Revert "s/naming: add ParseComponentRef function"

This reverts commit a3a9130f6d617bc817a76d884a84c1b83282bb46.

* snap: use ComponentLinkPath helper in ComponentLinkPath

* snap: remove whitespace

* snap: update doc comment on ComponentLinkPath to mention usage constraints of the ContainerPlaceInfo param

* snap: replace NOTE with TODO
2024-06-26 16:49:38 +01:00
Alfonso Sánchez-Beato
9ad3418f77 cmd/snap: show components information for local installs
2024-06-23 23:22:14 +01:00
Michael Vogt
f43583ca37 snap-{seccomp,confine}: replace global seccomp filter with template
The global.bin seccomp filter was written before we had support for
explicit deny rules in snap-seccomp. With these rules we can replace
the hard-to-follow logic of the global filter and just make the
rules part of the standard seccomp template.

The global rules are best summarized in this comment:
```
struct scmp_arg_cmp no_tty_inject = {
    /* We learned that existing programs make legitimate requests with all
     * bits set in the more significant 32bit word of the 64 bit double
     * word. While this kernel behavior remains suspect and presumably
     * undesired it is unlikely to change for backwards compatibility
     * reasons. As such we cannot block all requests with high-bits set.
     *
     * When faced with ioctl(fd, request); refuse to proceed when
     * request&0xffffffff == TIOCSTI. This specific way to encode the
     * filter has the following important properties:
     *
     * - it blocks ioctl(fd, TIOCSTI, ptr).
     * - it also blocks ioctl(fd, (1UL<<32) | TIOCSTI, ptr).
     * - it doesn't block ioctl(fd, (1UL<<32) | (request not equal to TIOCSTI), ptr); */
    .arg = 1,
    .op = SCMP_CMP_MASKED_EQ,
    .datum_a = 0xffffffffUL,
    .datum_b = TIOCSTI,
};
sc_err = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), sys_ioctl_nr, 1, no_tty_inject);
```
and the same for `TIOCLINUX`.
2024-06-19 08:28:39 +02:00
Zygmunt Krynicki
0d60393dee cmd/libsnap-confine-private: add snap mount dir detection
Add a pair of functions to probe, memoize and return the value of the snap mount
directory. The premise is to look at /snap in the initial mount namespace and,
depending on its absence or presence, its type and, if it is a symbolic link,
its link target, either pick /snap, /var/lib/snapd/snap or die.

Jira: SNAPDENG-22335
Spec: SD-179

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
2024-06-18 12:51:25 +02:00
Zygmunt Krynicki
1ada588333 cmd: do not install ubuntu-core-launcher symlink
The symbolic link pointed to snap-confine. It used to be used during early
stages of snapd development around 2016, where /snap/bin/ was populated by
generated shell scripts that invoked ubuntu-core-launcher.

Jira: SNAPDENG-23247

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
2024-06-18 12:37:31 +02:00