The old shell-based snap-device-helper would identify the devices based on
pattern matching the device path. Specifically any device matching */block/*
or */nvme/nvme*/nvme*n* patterns was considered a block device, while all other
devices were considered to be char devices [1].
Bring back the old behavior, but only in a fallback path of the remove action.
Since when devices are removed, it is possible that the symlinks are already
gone by the time we inspect entries in /sys/devices/. However, we would still
like to remove the device from the cgroup.
1. cd99de5594/cmd/snap-confine/snap-device-helper (L55-L68)
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
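The fallback described in the first commit message above, as an added sketch rather than snapd's own code. The `classify_device` name, the use of the sysfs `subsystem` symlink as the normal path, and the sample device path are assumptions; the two block-device patterns come from the message.

```sh
# classify_device ACTION DEVPATH [SYSROOT]
# Prints "block" or "char"; returns 1 when the type cannot be determined.
classify_device() {
    action=$1 devpath=$2 sysroot=${3:-/sys}
    link="$sysroot$devpath/subsystem"
    if [ -L "$link" ]; then
        # Normal path (assumption): trust the kernel's subsystem symlink.
        case "$(basename "$(readlink "$link")")" in
            block) echo block ;;
            *)     echo char ;;
        esac
        return 0
    fi
    # Symlink already gone. Guess from the path only on removal, so a
    # guessed type is never used to grant access in this sketch.
    [ "$action" = remove ] || return 1
    case "$devpath" in
        */block/*|*/nvme/nvme*/nvme*n*) echo block ;;
        *)                              echo char ;;
    esac
}

# Constructed sample: a disk whose sysfs entry no longer exists.
classify_device remove /devices/pci0000:00/ata1/host0/block/sda /nonexistent
```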
When producing the output of `snap list`, snaps that are broken (i.e. not
mounted) are printed without their version. This can be confusing when the
output is further processed by shell tools such as sed/awk/cut. Tweak the code
to always include a placeholder, even if the version is empty.
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
The path-in-filesystem for bind mounts done on btrfs is a bit different from
what we normally expect and includes the subvolume ID as a prefix, e.g.:
```
749 63 0:31 /root/var/lib/snapd/snap /var/lib/snapd/snap rw,relatime shared:1 - btrfs /dev/sda5 rw,seclabel,compress=zstd:1,space_cache,subvolid=256,subvol=/root
```
Tweak the grep expression to match that.
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
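An added example, not the grep expression from the commit above, of matching such a mountinfo entry whether or not the root field carries a subvolume prefix. The function name and the check for "a bind mount of the same path" are assumptions; the sample line is the one quoted in the message.

```sh
# bind_mounted_onto_itself MOUNTINFO MOUNT_POINT
# Succeeds when MOUNT_POINT is mounted from the same path inside its
# source filesystem, allowing a prefix such as "/root" on btrfs.
bind_mounted_onto_itself() {
    awk -v mp="$2" '
        $5 == mp {
            root = $4   # field 4: path inside the source filesystem
            tail = substr(root, length(root) - length(mp) + 1)
            # Exact match (no prefix) or suffix match (subvolume prefix).
            if (root == mp || (length(root) > length(mp) && tail == mp))
                found = 1
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# The line quoted in the commit message, read from stdin.
printf '%s\n' '749 63 0:31 /root/var/lib/snapd/snap /var/lib/snapd/snap rw,relatime shared:1 - btrfs /dev/sda5 rw,seclabel,compress=zstd:1,space_cache,subvolid=256,subvol=/root' |
    bind_mounted_onto_itself - /var/lib/snapd/snap && echo "bind mount found"
```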
While looking at our code I noticed that we are a bit inconsistent
in our changeIDMixin about where we accept the "short" form for
a change and where we don't. E.g. for the change type `install-snap`
we support the short form `install` but for others like `revert-snap`
we do not.
This commit unifies this some more and by doing this fixes a bug in
our testsuite along the way where we use `snap watch --last=revert?`
which did not work but will now work with this commit.
snapdtool, many: support additional key/value flags in info file
Also set a new key, SNAPD_APPARMOR_REEXEC, to 0 for now, since this key will be
used shortly with the new apparmor vendoring inside the snapd snap.
While squashfs is always read-only, when mount creates the required
loop device, it does not know that squashfs is a read-only
filesystem. This causes the loop devices for snaps mounted in the
initramfs to be writable. Since the snaps are stored on
`/run/mnt/data`, it means the `/run/mnt/data` cannot be remounted
read-only.
There is a mount cycle now in Ubuntu Core where `/run/mnt/data` cannot
be unmounted because it contains the snap for the Core snap which is
mounted as root. After switching to the shutdown ramfs, then systemd
tries again to umount the remaining file systems as well as the root
file system. At this point, it still cannot umount `/run/mnt/data`, so
`systemd-shutdown` tries to remount read-only. But since the loop
device for the Core snap that cannot be unmounted is still writable,
then `/run/mnt/data` cannot be remounted read-only.
This results in Ubuntu Core not properly unmounting `/run/mnt/data`.
This can be seen in the screen or serial console right before powering
off or rebooting:
```
Failed to remount '/oldroot/run/mnt/data' read-only: Device or resource busy
```
With this fix, this error disappears. While other errors about
unmounting are still here, it is safer because everything is
read-only.
The info file is essentially always implicit here, so we can just provide the
dir. Thanks to Samuele for pointing this out.
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
* daemon,tests: support forgetting device serial via API
this is done by posting {"action":"forget"} to /v2/model/serial
a flag no-registration-until-reboot is also supported
* many: more consistent naming Delete => DeleteByName on keypair mgrs
we actually want to introduce a Delete by key id on some of them now
* asserts: implement KeypairManager.Delete
* devicestate: Unregister deletes the device key pair as well
* tests: test device key deletion in generic-unregister
* asserts: avoid skipping the GPGKeypairManager.Delete test
pair --yes to --batch in the test
* cmd/snap-confine: do not include libglvnd libraries from the host system
* tests: we no longer symlink libGLX.so
* cmd/snap-confine: include glvnd globs for old "base: core" snaps
Ubuntu 16.04 did not include the glvnd driver multiplexing libraries,
and the Mesa version of libGL will not function with the Nvidia X
drivers.
While the glvnd drivers may not be compatible with the libraries in the
snap's sandbox (e.g. we know that Ubuntu 21.10's libEGL uses new glibc
symbols), it is better than nothing working. In particular, X11
based OpenGL apps will function, which will cover the majority of these
old snaps.
* tests: adjust opengl-nvidia test to use its own test snap.
Also update to run on Ubuntu 20.04, and drop 14.04. Still todo: test
against the core20 test snap.
* cmd/libsnap-confine-private: add a unit test for sc_cleanup_shallow_strv
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
* tests: don't specify base for gl-core16 test snap
* tests: show that host system GLVND libraries are not exposed to snaps using newer bases
* tests: do not run the gl-core20 part of the test on i386
* tests: show that the nvidia backend drivers are still available on core20
* tests: adjust spread test
* tests: add back missing canary file
* cmd/snap-confine: only create the globs array if NVIDIA_BIARCH||NVIDIA_MULTIARCH
Co-authored-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
Also set a new key, SNAPD_APPARMOR_REEXEC, to 0 for now, since this key will be
used shortly with the new apparmor vendoring inside the snapd snap.
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
* cmd/libsnap-confine-private: split attaching BPF program to own cgroup
Split attaching the BPF filtering program to own cgroup, such that the process
of setting up the map, loading device accesses is not mixed with locking down
own cgroup. This makes the cgroup v2 setup even closer to v1, and fixes
snap-device-helper which tried to verify own cgroup during initialization, which
prevented it from properly responding to device events.
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
* tests/main/security-device-cgroups-helper: spread test for snap-device-helper
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
* cmd/libsnap-confine-private: tweak variable naming
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
* tests/main/security-device-cgroups-helper: comment tweaks
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
Some syscalls do not exist on some arches, and for some of these
non-existent syscalls strace doesn't have a mapping either. Meaning
the default syscall filter needs per-arch adjustments. This should
enable strace in snap run on arm and riscv64.
Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com>