* osutil: switch to -u UID:GID for strace-static
This moves us off the custom patch and onto an upstream feature
we've heled develop. The feature is not released yet but the
patch has been integrated into the strace-static snap.
Jira: SNAPDENG-19870
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
* tests: make strace test less fragile
The test tried to carefully match the error message to the version of strace
used, which in turn depends on the host OS. It's much easier to just check both
error mesages.
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
* tests: avoid systemctl kill which has issues on systemd 255
On systemd 255 systemctl kill fails after attempting to kill snapd.service with
the following message:
$ sudo systemctl kill --signal=SIGKILL snapd.service
Failed to kill unit snapd.service: Failed to send signal SIGKILL to auxiliary processes: Invalid argument
Kill the pid by hand to avoid triggering this behavior.
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
---------
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
Ahead of introduction of CIFS workaround, generalize the names so that we use
more general language rather instead of focusing on NFS.
As a special exception the externally visible wording related to NFS is kept
intact in two places:
- The apparmor "nfs-support" file name
- The system key "nfs-home" key.
From points of view this is all an elaborate internal rename that should nto be
observable outside of snapd, apart from log messages that may no longer speak of
NFS but of remote file systems.
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
NFS and CIFS share the same shortcoming, that on kernels older than 6.8 (but I
could be wrong on the version number), accessing files there causes apparmor to
require network permissions even though the process performing the access is
entirely unaware of the fact that network file system is in use.
Snapd contained a work-around for this behavior, with specific detection logic
looking for NFS file system mounted or declared at a specific place. Extend the
logic to handle NFS and CIFS equally, to give better support to SAMBA or
Windows Server-based home directories.
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
This commit updates snapd's useage of strace to use the new
--gid/--uid cmdline options instead of -u to work around an
issue that causes issues if strace is statically linked (due
to libnss).
Signed-off-by: Tony Espy <espy@canonical.com>
* i/b: dont have polkit interface being implicit on core read-only filesystems
* i/b: fix TestStaticInfo
* osutil: add some defs for macos
* osutil: update copyright date
* osutil: move to useradd from adduser
adduser is perl based tool. Moving to useradd removes this dependency.
Signed-off-by: Ondrej Kubik <ondrej.kubik@canonical.com>
* osutil: useradd: minor fixes as recomended in PR
Signed-off-by: Ondrej Kubik <ondrej.kubik@canonical.com>
* osutil: useradd: remove redundant userTool variable
Signed-off-by: Ondrej Kubik <ondrej.kubik@canonical.com>
* osutil: useradd: set default tool and alter if needed
Signed-off-by: Ondrej Kubik <ondrej.kubik@canonical.com>
* osutil: move to useradd: improve comment text
Co-authored-by: Maciej Borzecki <maciek.borzecki@gmail.com>
* osutil: remove --badname from the useradd call as it was doing nothing for our use-case. The regex used by snapd is already sufficient and a lot more strict.
Remove + from allowed characters in usernames, both normal and system, as they were not allowed by adduser anyway.
* osutil: fix typo of available
* osutil: remove obsolete part of the comment
Signed-off-by: Ondrej Kubik <ondrej.kubik@canonical.com>
* osutil: mention disabled passwords for useradd
Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>
---------
Signed-off-by: Ondrej Kubik <ondrej.kubik@canonical.com>
Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>
Co-authored-by: Maciej Borzecki <maciek.borzecki@gmail.com>
Co-authored-by: Philip Meulengracht <philip.meulengracht@canonical.com>
Co-authored-by: Maciej Borzecki <maciej.borzecki@canonical.com>
Some invocations to external programs used exec.CombinedOutput, that
combines stdout and strerr into a single byte array. This can be an
issue if this output is parsed, as many programs print debug output or
warnings to stderr and that data is unexpected by the parsers. This
patch changes to using osutil.RunSplitOutput or osutil.RunCmd (that
return separately stdout and stderr) when we need to parse stdout, and
also in some other cases when printing separately both streams could
be helpful. Fixes LP #1885597.
* gadget,osutil: support FAT16 as filesystem
Add additional filesystem fat16 in the gadget specification.
* gadget: add method to check if filesystem identified by linux
matches the one in the gadget. This is not an exact match anymore
because of the introduction of fat16 as filesystem in gadget, which is
still seen as vfat by linux (udev shows fat bits in ID_FS_VERSION
while keeping ID_FS_TYPE=vfat).
* gadget,osutil: use vfat-16 instead of fat16, and vfat-32 as
alternative to vfat.
* gadget: add method to convert gadget to linux filesystem
Now the filesystem field in the gadget is not exactly the same as the
string used in Linux, so we need conversions in differente places.
* gadget: replace some simple methods with calls to LinuxFilesystem()
* osutil/epoll: make `e.Wait{,Timeout}()` return immediately when `e.Close()` is called
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
* osutil/epoll: make `WaitTimeout()` reference initial time
Previously, the elapsed time was computed as the total time spent
waiting on the `epoll_wait` syscall, but when waiting for a timeout, one
is generally more concerned with the time which has elapsed since
initiating the call, rather than the total time internally spent waiting
on the syscall (to the extent that can even be accurately measured).
This commit ensures that the function returns once the time since the
start of the call exceeds the given duration.
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
* osutil/epoll: added explicit `IsClosed()` function
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
* osutil/epoll: made epoll file descriptor thread safe
Importantly, this change also makes `Close()` thread safe, eliminating
the previous risk that `close(e.closed)` could be called more than once,
thus causing a panic.
Additionally, the `zeroRegisteredFdCount()` function has been removed,
since guaranteeing that `e.registeredFdCount` is `0` after `Close()`
while other threads may be about to increment/decrement the count
requires additional overhead. It may also be useful to query the number
of registered file descriptors at time of close, and the function
otherwise served no purpose.
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
* osutil/epoll: use `chan struct{}` instead of `chan interface{}`
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
* osutil/epoll: make `IsClosed()` atomic
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
* osutil/epoll: make `IsClosed()` use `closed` channel
Thus, it is not necessary to set `e.fd = -1` when the channel is closed,
which is redundant information with the `closed` channel and meant that
reads and writes of `e.fd` needed to be atomic. Now, `e.fd` is never
changed after the epoll instance is created, so there is no need for
atomic reads/writes of `e.fd`.
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
* osutil/epoll: remove public `Fd()` method
Since `e.fd` is no longer modified, there is no need to internally
control reads of it in any special way, and thus no internal need for a
helper function.
Additionally, we very much do not want outside callers to close the
epoll file descriptor directly, as this should always be done via the
`Close()` method. Therefore, by unexporting access to internal `e.fd`,
this discourages users from closing `e.fd` directly.
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
* osutil/epoll: improved race condition checks in tests
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
* osutil/epoll: added doc comment to `IsClosed()`
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
* osutil/epoll: adjusted file header
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
* osutil/epoll: added `IsClosed()` checks after syscalls
If the epoll instance is closed during a syscall, this could cause the
syscall to return EBADF. However, since closing the epoll instance is
the cause of this, we want to return `ErrEpollClosed` instead of
`EBADF`.
By checking `IsClosed()` immediately after the syscall returns (and
before checking the error returned by the syscall), we are guaranteed to
return `ErrEpollClosed` if the epoll instance was closed during a
syscall, regardless of whether closing the instance was the cause of an
error during the syscall.
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
* osutil/epoll: Only return ErrEpollClosed if error occurred
For methods which invoke syscalls, the epoll instance may be closed
during the syscall, which may cause the syscall to return an error.
Previously, we checked (after the syscall returned) if the epoll
instance was now closed, and if so, returned ErrEpollClosed. However,
there is a race between the end of the syscall and the check for whether
the epoll instance has been closed, so it may be that the syscall
completed successfully, either because the close occurred after the
syscall completed, or because the close did not trigger an error in the
syscall. Regardless, we should not return an error if no error actually
occurred.
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
* osutil/epoll: remove unnecessary type from error variable
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
---------
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
Replace ioutil.WriteFile with os.WriteFile since the former has been
deprecated since go1.16 and simply calls the latter.
Signed-off-by: Miguel Pires <miguel.pires@canonical.com>
