To allow blkid to visit block_devices attributes via low level probing, so that
we can get information like partition table type or PART_ENTRY_UUID
which could be useful for script based snap without parsing
/run/udev/data/b{major}:{minor}.
Signed-off-by: Hsieh-Tseng Shen <woodrow.shen@canonical.com>
* cmd/libsnap-confine-private: do not deny all devices when reusing the device cgroup
With device cgroup v1, when reusing the cgroup (i.e. opening with
SC_DEVICE_CGROUP_FROM_EXISTING flag), we should not deny all devices, as this
will negatively affect the processes that are in the group.
This code path was executed by snap-device-helper, so it is possible that when
processing of real events from device changes the group could have become
broken.
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
* cmd/libsnap-confine-private/device-cgroup-support.c: add comment
Co-authored-by: Ian Johnson <person.uwsome@gmail.com>
* tests/main/security-device-cgroups-strict-enforced: verify that udev changes do not break device group settings
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
* tests/main/security-device-cgroups-strict-enforced: skip triggering events on 14.04
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
Co-authored-by: Alberto Mardegan <mardy@users.sourceforge.net>
Co-authored-by: Ian Johnson <person.uwsome@gmail.com>
Add permissions to the connected slot so MM can actually talk to
incoming connections to mbim/qmi proxies. Remove "accept" from the
permanent slot, as it is not actually the right place for it.
The official libnm client library uses the
ObjectManager.GetManagedObjects() DBus interface method to query properties
from NetworkManager, as well as using the InterfacesAdded /
InterfacesRemoved signals, so update this interface to provide access to
that, plus ensure they can also receive the PropertiesChanged signal from
NetworkManager objects as well, as this is also required.
This change should also allow Dart applications which use the nm.dart library to
get interface addresses etc. without needing to use the more privileged
network-manager interface, as this library is similar to libnm:
https://forum.snapcraft.io/t/request-auto-connect-network-manager-for-cybear-jinni-app-again/26520
When freezing and thawing cgroups related to a snap, the code would incorrectly
try to operate on cgroups related to mounts, socket, slices if they had the
snap.<name>.<app> prefix.
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
Now that device cgroup assignment when no devices match is done properly, i.e.
we do not end up in a cgroup with just the common set of devices if none are
assigned, the test needs to be updated as we correctly observe first the
AppArmor denial, and then a device cgroup one.
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
Historically, a snap process ended up in a device cgroup (with device filtering)
only when there were assigned devices for it. On systems where CURRENT_TAGS is
supported and set by systemd/udev, snap-confine needs to do 2 passes on the list
of assigned devices. It may happen that, despite the snap tag being present in the
TAGS list, it will not be present in CURRENT_TAGS, in which case we may end
up in a scenario where no devices are actually assigned to the snap. The current
code would incorrectly handle such a situation, and move the process into a device
cgroup.
The branch introduces a lazy initialization of device cgroup and moves the
process to the group (or sets up device filtering on v2) only when there were
any assigned devices.
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
There are a few issues with the current test:

- the previous attempt to fix the failures (adding the `-q` option to
  nc) did not help, because the `-q` option only adds a wait before
  exiting the program, and does not delay the closing of the socket.
- the reason why the snapd service was being restarted is that spawning
  the client in the background (`&`) does not guarantee that the client
  has completed (or even initiated) its request to snapd before we stop
  the service.

Here we fix both issues by:

1. Replace nc with a python script that does perform a sleep() *before*
   closing the socket.
2. Use a sentinel file to understand when the client request to snapd
   has completed and the socket is idle.
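
The two fixes listed in the commit message above, sketched as an added example (this is not the script from the snapd test suite): a client that writes a sentinel file once its request has completed and only then sleeps before closing the socket, plus the polling helper a test would use. The function names, the sentinel path, the `ping`/`pong` payloads and the stand-in server in `demo()` are all assumptions constructed for illustration.

```python
import os
import socket
import tempfile
import threading
import time


def hold_connection(sock_path, sentinel_path, hold_seconds, request):
    """Client: send one request, signal completion, then hold the socket open."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(sock_path)
        sock.sendall(request)
        reply = sock.recv(4096)        # reply received: the socket is now idle
        with open(sentinel_path, "w") as f:
            f.write("done\n")          # sentinel: the test may proceed
        time.sleep(hold_seconds)       # sleep *before* the socket is closed
    return reply


def wait_for_sentinel(path, timeout=5.0):
    """Test side: poll until the client reports its request completed."""
    deadline = time.monotonic() + timeout
    while not os.path.exists(path):
        if time.monotonic() > deadline:
            return False
        time.sleep(0.05)
    return True


def demo(hold_seconds=0.5):  # constructed stand-in server, not snapd
    with tempfile.TemporaryDirectory() as tmp:
        sock_path, sentinel = os.path.join(tmp, "s"), os.path.join(tmp, "done")
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
            srv.bind(sock_path)
            srv.listen(1)
            client = threading.Thread(target=hold_connection, args=(
                sock_path, sentinel, hold_seconds, b"ping\n"))
            client.start()
            conn, _ = srv.accept()
            with conn:
                conn.recv(4096)
                conn.sendall(b"pong\n")
                seen = wait_for_sentinel(sentinel)
                conn.settimeout(hold_seconds / 5)
                try:  # a timeout means the peer is idle; b"" means it closed
                    still_open = conn.recv(1) != b""
                except socket.timeout:
                    still_open = True
            client.join()
    return seen, still_open
```

`demo()` returns `(True, True)` when the sentinel appears while the connection is still held open, which is the state the test needs before it stops the service.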
* interfaces/dsp: add more ambarella things
As per customer ticket 00321783.
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
* interfaces/builtin/dsp_test.go: adjust tests too
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>