* snap: update vendored apparmor to 3.0.8 with userns and mqueue support
Update the snap build to use the latest upstream AppArmor 3.0.8 release and also
add local patches to add support for userns and POSIX mqueue mediation support.
Signed-off-by: Alex Murray <alex.murray@canonical.com>
* build-aux/snap: fetch patches during build rather than vendor them
By fetching them during the build *and* using the source of the Ubuntu apparmor
package in lunar (23.04) this allows us to keep these patches in sync with what
is used in Ubuntu and to show their provenance at the same time.
Signed-off-by: Alex Murray <alex.murray@canonical.com>
---------
Signed-off-by: Alex Murray <alex.murray@canonical.com>
Co-authored-by: Michael Vogt <mvo@ubuntu.com>
Module loading generates event for devpath /module/<nameofmodule>.
Some modules and devices have the same KERNEL name. For example
rfkill. We need to ignore module insertions. Otherwise we get
error message when trying to run snap-device-helper.
* account_control: allow local user account management
This MR adds support for adding, removing and modifying the users.
It is required for Core Desktop.
* Remove peer entries
* Add peer=(label=unconfined)
It works the same.
* Add extra peer=(label=unconfined)
On some slow external devices the test fails to restart snapd on restore
As the test fails during restore, it means the whole execution fails
forcing re-execution.
The idea is to run this for classic and uc16 in google.
We need to be consistant on what snap-bootstrap mounts as seed and
where UC is installed. There are cases where multiple disks contain UC
seed. snap-bootstrap may choose a disk based on kernel parameters.
With this pointer we can access to "partial" options from the Volume,
with information that we need to check if the structure needs a
filesystem or if it has a partially defined size.
Additionally, rename willHaveFilesystem() to HasFilesystem() and use
it everywhere, as in the end they mean the same: the structure
definition in the gadget expects a filesystem to be there.
When a `proxy.store` is used together with a `device-service.url`
snapd will try to acquire the serial assertion via the proxy
store.
If there was any error from the proxy store snapd would historically
just ignore the proxy store and use the `device-service.url` directly.
However this behavior is not neccessarily correct as the proxy may
just be down or configured incorrectly. So this was changed [1] but
existing customers depend on the old behavior.
For a real fix we need a way to express that a proxy store should
be used in general but that it should not be used for the
`device-service.url`. This is not possible to express right now
and needs design.
So as a short term fix this commit restores the old behavior.
[1] https://github.com/snapcore/snapd/pull/12593/files#diff-def3111c6efb66814e58452672900286c18087b637548fcee28c321ada4a2b6c
The current naming pattern for transient scope units does not yield a
natural way to create systemd drop-in configurations that apply to all
instances of a snap, regardless of the UUID. For example, systemd
drop-in configurations for a unit named foo-bar-baz.scope could be made
by placing .conf snippets in any of the following directories:
/etc/systemd/user/foo-bar-baz.scope.d/
/etc/systemd/user/foo-bar-.scope.d/
/etc/systemd/user/foo-.scope.d/
In other words, successively truncating the unit name after '-' yields
valid drop-in directory names. This feature is specifc to '-', and in
particular does not work with '.'.
It is desirable to have the ability to write drop-in configurations that
apply, for example, to all instances of firefox. To allow this
functionality, modify the pattern used for transient scope units to
snap.<pkg>.<app>-<uuid>.scope (i.e. separate the app name and UUID by a '-').
Both the old and the new patterns are supported in an attempt to make
a smooth transition.
Signed-off-by: Nick Rosbrook <nick.rosbrook@canonical.com>
Shellcheck complains about unreachable code in the hidden-snap-dir
test. This commit comments out that code.
Signed-off-by: Miguel Pires <miguel.pires@canonical.com>
It looks like some changes in apparmor 3.1.4 cause issues with
the existing network-control rules. It appears the rules are
stricter now.
Thie commit updates the rules to match the new behavior, see
also https://bugs.launchpad.net/apparmor/+bug/2023025
Adds an error assertion and replaces a deferred restore with
testutil.Backup (follow-up of #12859).
Signed-off-by: Miguel Pires <miguel.pires@canonical.com>
