1525 Commits

Author SHA1 Message Date
James Henstridge
277b4f01bc data, packaging: install polkit policy files via data Makefile 2024-07-03 13:38:58 +02:00
Zygmunt Krynicki
11236a6ab7 packaging: remove ubuntu-core-launcher
Remove removal code or installation code, depending on distribution. In all
cases ubuntu-core-launcher is obsolete and has not been used in nearly a
decade.

Jira: SNAPDENG-23247

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
2024-06-18 12:37:31 +02:00
Oliver Calder
6905775c44 i/prompting: implement path pattern matching (#13866)
Path pattern matching is implemented via the doublestar package, which
emulates bash's globstar matching. Patterns may include '*' wildcard
characters (which match any number of non-separator characters), '**'
doublestars (which match zero or more subdirectories), '?' wildcard
characters (which match exactly one non-separator character), and nested
groups delimited by '{' and '}'. Notably, path patterns are *not* allowed
to have character classes delimited by '[' and ']', nor inverted
classes of the form "[^abc]".

There is a limit on the number of groups allowed in path patterns, but
up to that limit, groups may be arbitrarily nested or sequential.

Signed-off-by: Oliver Calder <oliver.calder@canonical.com>

i/prompting: fix typo and add notes to remove test boilerplate

Signed-off-by: Oliver Calder <oliver.calder@canonical.com>

i/prompting: use separate test suite for patterns

Signed-off-by: Oliver Calder <oliver.calder@canonical.com>

i/prompting: improve unit test coverage

Signed-off-by: Oliver Calder <oliver.calder@canonical.com>

* i/prompting: count and validate true number of expanded patterns

Rather than counting the number of groups and using it as a heuristic
for the number of patterns into which a given path pattern will expand,
instead compute the true number of expanded patterns and compare it
against a set limit.

Signed-off-by: Oliver Calder <oliver.calder@canonical.com>

* i/prompting: implement path pattern checks in constraints

Signed-off-by: Oliver Calder <oliver.calder@canonical.com>

* i/prompting: throw error if group depth exceeds maximum expanded patterns

Signed-off-by: Oliver Calder <oliver.calder@canonical.com>

* packaging: add doublestar dependency for prompting pattern matching

Signed-off-by: Oliver Calder <oliver.calder@canonical.com>

* i/prompting: remove standalone path pattern validation

Signed-off-by: Oliver Calder <oliver.calder@canonical.com>

---------

Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
2024-06-17 20:12:22 +02:00
Sergio Cazzolato
23f572ba10 tests: remove centos-8 support (#14056)
Centos-8 support is removed as it is EOL
2024-06-10 14:17:26 -03:00
Maciej Borzecki
f6530b9f21 packaging/debian-sid: remove secboot related files from boot
Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>
2024-06-10 08:38:49 +02:00
Maciej Borzecki
315a552f12 packaging/debian-sid: keep gadget/install/kernel.go
We remove files during build on debian sid, make sure to keep the file which
carries definitions of required structures.

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>
2024-06-10 08:38:49 +02:00
Sergio Cazzolato
1d0c82a197 tests: add packaging link for fedora-40 (#14049)
This is needed to be able to run spread tests in fedora-40
2024-06-05 14:35:22 -03:00
Maciej Borzecki
62e1d60f42 packaging/snapd.mk: generate GNU build ID for Go binaries
The Go toolchain only generates a Go build ID, but GNU build IDs are expected to
be present almost universally. Make sure to generate GNU build IDs for Go binaries
like we do in Fedora packaging, so that rpmbuild is happy. Note that not all Go
toolchains we build with support -B gobuildid, hence populate the GNU build ID
with random bytes, but leave a note about a fix we need here.

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>
2024-06-03 14:13:00 +02:00
Zygmunt Krynicki
2d4b16fca9 packaging: remove stale workaround from snap-seccomp RHEL build
There's no need to use sed to remove -lseccomp, the code uses
pkg-config to interrogate for the right build flags.

This was tested with mock (fedora build tool) for EPEL-{7,8,9}
and FC-{39,40,41}.

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
2024-05-28 10:55:03 +02:00
Zygmunt Krynicki
18bdf07cea packaging: depend on systemd-dev for udev.pc
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
2024-05-21 16:28:00 +02:00
Maciej Borzecki
58dfc18843 packaging: do not require fakeroot on Amazon Linux 2
Do not require fakeroot on Amazon Linux 2, as we do not run unit tests there
anyway, and it's not available in the repositories.

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>
2024-05-06 16:23:40 +02:00
Maciej Borzecki
1ce896a32d packaging/fedora: disable logging of executed commands
The amount of logs produced by this is staggering and it's near impossible to
locate errors.

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>
2024-05-06 16:23:40 +02:00
Maciej Borzecki
8accae8e99 packaging: make sure that /var/lib/snapd/environment exists (#13944)
Have the snapd packaging helper create /var/lib/snapd/environment. This fixes
RPM build on openSUSE:

```
RPM build errors:
    Directory not found: /usr/src/packages/BUILDROOT/snapd-1337.2.63-0.x86_64/var/lib/snapd/environment
```

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>
2024-05-06 12:33:44 +02:00
Alfonso Sánchez-Beato
1bc4cfdd2b packaging: make sure <state>/snapd/environment is created
where it was not the case yet.
2024-05-02 07:47:33 +01:00
Ernest Lotter
3c8cbf4173 Merge pull request #13887 from ernestl/changelogs-2.63
release: 2.63
2024-04-30 19:57:43 +02:00
Maciej Borzecki
657a524078 packaging/fedora: add squashfs-tools to build requirements
Needed by unit tests

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>
2024-04-29 14:42:52 +02:00
Maciej Borzecki
6da559a1a6 packaging/fedora: unit tests require fakeroot, add it to build requirements
Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>
2024-04-29 14:42:52 +02:00
ernestl
40efd81c2f release: 2.63 2024-04-24 11:27:52 +02:00
alfonsosanchezbeato
bdeb1a9cf0 packaging: add kmod as Depends (#13830)
It is needed now on hybrid systems to be able to build the drivers
tree.
2024-04-24 11:27:52 +02:00
alfonsosanchezbeato
fe0ce14314 packaging: add kmod as Depends (#13830)
It is needed now on hybrid systems to be able to build the drivers
tree.
2024-04-15 12:05:57 +02:00
Maciej Borzecki
0dd7e2f4e2 .github/workflows, advisor, packaging: switch to go.etcd.io/bbolt (#13804)
* go: add go.etcd.io/bbolt@1.3.9

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* advisor: switch to go.etcd.io/bbolt, since github.com/boltdb/bolt is no longer maintained

The upstream boltdb repository at https://github.com/boltdb/bolt is no longer
maintained and has been archived. The community has moved to forks, where
https://github.com/etcd-io/bbolt seems to be the one with most use.

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* packaging/fedora: switch to go.etcd.io/bbolt

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* packaging/debian-sid: require bbolt

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* advisor: drop nobolt variant

Since we've switched to a different upstream, nobolt variant is no longer
needed.

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* packaging/debian-sid: drop nobolt hacks

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* github: drop nobolt unit test variant

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* github: add missing newline

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

---------

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>
2024-04-11 16:33:37 +02:00
Maciej Borzecki
bae9178245 many: merge release 2.62 (#13749)
* gadget: if storage traits is zero sized file, assume traits do not exist (#13719)

This is a safe fallback, as non-existent storage traits are a valid use case.

Signed-off-by: Ondrej Kubik <ondrej.kubik@canonical.com>

* tests: fix recovery-system-reboot install test that was being interrupted by a system reboot (#13736)

* tests/nested/manual/recovery-system-reboot: fix test that was being interrupted by a system reboot

In the case of an auto-refresh, the system would reboot. This resulted
in some cryptic failures. Make sure to wait for an auto-refresh to
happen before removing the recovery system, and make sure to wait for
the system to reboot once the auto-refresh has finished.

* tests/nested/manual/recovery-system-reboot: add an extra wait to continue waiting after reboot

* sandbox/apparmor: detect but ignore apparmor 4 (#13740)

Due to issues with incorrect behavior to mediate:

    stat /dev/mqueue

For applications governed by the profile that allows it via

    mqueue,

We cannot yet use apparmor 4, even if one is supported on the host. This does
impact userns mediation but it is better to have the old mediation and not
break snaps, than to have some new mediation in some cases and some unexpected
mediation in other cases.

Once the mqueue, issue is identified and we have updated bundled apparmor to a
stable release of apparmor 4, this patch can be reverted.

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>

* release: 2.62

* NEWS: restore WIP items

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

---------

Signed-off-by: Ondrej Kubik <ondrej.kubik@canonical.com>
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>
Co-authored-by: Ondra Kubik <ondrej.kubik@canonical.com>
Co-authored-by: Andrew Phelps <136256549+andrewphelpsj@users.noreply.github.com>
Co-authored-by: Zygmunt Bazyli Krynicki <zygmunt.krynicki@canonical.com>
Co-authored-by: ernestl <ernest.lotter@canonical.com>
2024-03-22 14:45:25 +01:00
Zygmunt Krynicki
c5c5116adf packaging: fix debian builds broken by github.com/snapcore/bolt
The effort to allow Debian to build without bolt support has been
insufficient, as we have discovered that parts of dh_golang do not support go
build tags.

As an alternative that is brutal but works, remove the single offending file
that causes 'go list -f ...' to enumerate github.com/snapcore/bolt due to
missing -tags nobolt argument that debhelper does not provide.

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
2024-03-12 14:31:17 +01:00
Maciej Borzecki
69528a936a interfaces/udev, cmd/snap-confine: support for snaps managing own device cgroups (#13642)
* dirs: add directory location for storing cgroup policy related flags

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* interfaces/udev: introduce cgroup policy flag for self managed device cgroup

Some snaps, due to their interfaces, are allowed to self manage the device
cgroup. In this case, the assumption was to not emit any rules at all, and
instead rely on the implicit behavior that no rules means no matching devices
and hence no device cgroup filtering. However, with introduction of a device
cgroup by default for all snaps on core24 onward, regardless of any assigned
devices, we need a separate source of information to indicate that a snap can do
self management.

The patch introduces a policy flag under /var/lib/snapd/cgroup, named
snap.<name>.device, e.g.
/var/lib/snapd/cgroup/snap.docker.device, which provides a hint for
snap-confine to not set up device cgroup filtering for apps.

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* cmd/snap-confine: support snaps which self-manage device cgroup

Support for snaps for which policy explicitly states that the device cgroup is
self-managed. The typical use case is container-like technologies. In such a
scenario, there will be a device cgroup configuration file at a known location
which got generated by snapd whenever the relevant interface state changed.

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* tests/main/security-device-cgroups-self-manage: spread test

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* cmd/snap-confine: drop base from bases exempt from mandatory device cgroup

We have confirmed that there are no snaps which (ab)use system files and use
bare base to obtain access to devices. As such, the bare base can be dropped
from the list of bases exempt from mandatory device cgroup.

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* interfaces/udev: remove snap devices file when removing the snap

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* interfaces/udev: consistent use of fs.ErrNotExist

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* cmd/snap-confine: leave comments

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* interfaces/udev: tweak return path

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* interfaces/udev: improve managed device cgroup unit tests, verify calls to udevadm

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* NEWS: leave a note about mandatory device cgroup

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* tests/main/security-device-cgroups-self-manage: tweak comments

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* interfaces/udev: always write the device file

Always write the device file which serves as a synchronization point between
snap-confine and the snapd udev backend.

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* cmd/libsnap-confine-private: add helper for waiting for a file to show up

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* cmd/snap-confine: make cgroup device file mandatory

Make the per-snap /var/lib/snapd/cgroup/snap.*.device file mandatory, such that
it can be used as a synchronization point between snapd calling Setup() of
relevant security backends and the execution path in snap-confine.

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* cmd/snap-mgmt: do cleanup of /var/lib/snapd/cgroup

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* packaging: declare /var/lib/snapd/cgroup

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* cmd/snap-confine: use the file wait helper

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* packaging: create cgroup directory

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* tests/main/security-device-cgroups-self-manage: update file check

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* tests/main/security-device-cgroups-required-or-optional: update test to verify device file

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* interfaces/udev: refactor reloading

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* cmd/snap-confine: move device cgroup mode selection to a helper

Extract device cgroup mode selection into a helper function.

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

---------

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>
2024-03-07 13:23:58 +01:00
ernestl
4194045021 release: 2.61.3 2024-03-07 10:54:29 +02:00