* snap: update vendored apparmor to 3.0.8 with userns and mqueue support
Update the snap build to use the latest upstream AppArmor 3.0.8 release and also
add local patches to add support for userns and POSIX mqueue mediation support.
Signed-off-by: Alex Murray <alex.murray@canonical.com>
* build-aux/snap: fetch patches during build rather than vendor them
By fetching them during the build *and* using the source of the Ubuntu apparmor
package in lunar (23.04) this allows us to keep these patches in sync with what
is used in Ubuntu and to show their provenance at the same time.
Signed-off-by: Alex Murray <alex.murray@canonical.com>
---------
Signed-off-by: Alex Murray <alex.murray@canonical.com>
Co-authored-by: Michael Vogt <mvo@ubuntu.com>
* cmd/snap: break out 'snap known --remote' fallback logic into helper
Signed-off-by: Alex Lewontin <alex.lewontin@canonical.com>
* cmd/snap: introduce '--chain' flag for sign command
This flag causes 'snap sign' to append the account-key and account
assertions that correspond to the specified signing key to the signed
output of the command. This is often critical for creating working
system-user assertions, especially in air-gapped or offline situations.
The '--chain' flag takes one of three optional arguments, 'remote',
'direct', and 'local' which correspond to where it should look for the
assertion. The default is 'remote'.
Signed-off-by: Alex Lewontin <alex.lewontin@canonical.com>
* cmd/snap: use assert.Encoder for sign --chain
Signed-off-by: Alex Lewontin <alex.lewontin@canonical.com>
* cmd/sign: rework sign chain remote/direct specification, drop local
Signed-off-by: Alex Lewontin <alex.lewontin@canonical.com>
* cmd/snap: rework --direct without --chain behavior
Signed-off-by: Alex Lewontin <alex.lewontin@canonical.com>
* cmd/sign: fix tests
Signed-off-by: Alex Lewontin <alex.lewontin@canonical.com>
* cmd/sign: change --direct error message
Signed-off-by: Alex Lewontin <alex.lewontin@canonical.com>
* cmd/sign: fix tests
Signed-off-by: Alex Lewontin <alex.lewontin@canonical.com>
* Revert "cmd/snap: break out 'snap known --remote' fallback logic into helper"
This reverts commit 39c8ce6234cf5bf07985af17fde72a1192b259ea.
* cmd/snap: simplify --chain to only retrieve assertions directly
Signed-off-by: Alex Lewontin <alex.lewontin@canonical.com>
* cmd/sign: error handling order tweak
Signed-off-by: Alex Lewontin <alex.lewontin@canonical.com>
---------
Signed-off-by: Alex Lewontin <alex.lewontin@canonical.com>
There is a bugfix to make the mount rules more strict/explicit in apparmor 3.0.10, see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.0.10 - this affects snapd as its current profile relies on the implicit behavior. With this commit the missing mount rule is added explicitly.
snap-seccomp has always implemented an allow-list approach to syscalls - such
that the listed syscalls are allowed and any non-listed will get
blocked. However, in the case where we want to disallow a syscall with
particular arguments, it is only possible to block one instance of the syscall
with a given argument. If a second similar rule is added, each rule effectively
allows the other and so neither gets disallowed as a result.
So introduce the concept of explicitly denying system calls listed in the
seccomp profile by prefixing them with a tilde (~). The seccomp action for these
is then EACCES (since EPERM is the default for unmatched syscalls and seccomp
doesn't allow to specify an action which is the same as the default).
This then allows to specify to block various syscall argument combinations as
expected, and so is used as the mechanism to fix CVE-2023-1523.
Signed-off-by: Alex Murray <alex.murray@canonical.com>
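The rule interaction described in the commit message above, as an added example in Go (not snapd or snap-seccomp code). It is a simplified model of profile evaluation: the line forms `name`, `name - N` and `name - !N` are the only ones handled, the values 0x10 and 0x20 are constructed stand-ins for two argument values to block, and the precedence of a matching `~` line over allow lines is an assumption of the model.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Evaluate applies profile lines to one call (syscall name plus its second
// argument) and returns ALLOW, EACCES (explicit deny) or EPERM (unlisted).
// Supported lines: "name", "name - N", "name - !N", optionally prefixed "~".
// Assumption of this model: a matching deny line overrides any allow line.
func Evaluate(profile []string, name string, arg uint64) (string, error) {
	verdict := "EPERM"
	for _, line := range profile {
		f := strings.Fields(line)
		if len(f) != 1 && !(len(f) == 3 && f[1] == "-") {
			return "", fmt.Errorf("unsupported rule %q", line)
		}
		match := strings.TrimPrefix(f[0], "~") == name
		if len(f) == 3 {
			v, err := strconv.ParseUint(strings.TrimPrefix(f[2], "!"), 0, 64)
			if err != nil {
				return "", fmt.Errorf("bad argument in %q: %w", line, err)
			}
			// "!N" matches every value except N; "N" matches only N.
			match = match && (arg == v) != strings.HasPrefix(f[2], "!")
		}
		if match && strings.HasPrefix(f[0], "~") {
			verdict = "EACCES"
		} else if match && verdict == "EPERM" {
			verdict = "ALLOW"
		}
	}
	return verdict, nil
}

// Constructed profiles; 0x10 and 0x20 stand in for two argument values to block.
var AllowOnly = []string{"ioctl - !0x10", "ioctl - !0x20"}
var WithDeny = []string{"~ioctl - 0x10", "~ioctl - 0x20", "ioctl"}

func main() {
	for _, p := range [][]string{AllowOnly, WithDeny} {
		v, err := Evaluate(p, "ioctl", 0x10)
		fmt.Println(p, "-> ioctl(_, 0x10):", v, err)
	}
}
```

With `AllowOnly`, the call with 0x10 is let through by the `!0x20` line and the call with 0x20 by the `!0x10` line, which is the "each rule effectively allows the other" case; with `WithDeny` both values return EACCES while other ioctl arguments remain allowed.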
* Make sure there are not any snapd service listed after removing snapd
This is to avoid snapd.apparmor.service snapd.mounts.target
snapd.mounts-pre.target are listed after snapd is purged in arch linux.
* Update tests/main/postrm-purge/task.yaml
Co-authored-by: Miguel Pires <miguelpires94@gmail.com>
* Update tests/main/postrm-purge/task.yaml
Co-authored-by: Miguel Pires <miguelpires94@gmail.com>
---------
Co-authored-by: Miguel Pires <miguelpires94@gmail.com>
- Fix bug in marshal/unmarshal and add more tests.
- Better align function.
- Fix CI check failure.
Add new design changes:
- Instead of extracting the superblock, we're going to keep it in the
dm-verity hash device.
- We will now need to hash the entire integrity data (header + dm-verity
hash device).
- A new DmVerityBlock struct was added that only contains the root hash
for now. This can potentially be extended.
- The magic was changed from 'snap' to 'snapext'.
- Renamed 'IntegrityMetadata' to 'IntegrityDataHeader'.
- Fixed serialization bugs to properly account for the null byte after the
JSON serialized header.
- Add extra tests for the serialization.
Address Samuele's comments.
Make size for IntegrityDataHeader fixed and simplify constructor.
Use Scanner to parse veritysetup output.
Fix internal error message in IntegrityDataHeader.Encode().
Address Alfonso's comments
* Fix postrm-purge test on systems with systemd v253
Move the removal for the $SNAP_MOUNT_DIR dir after the services are
removed because those errors are making services fail.
test-snapd-service.test-snapd-endure-service[19138]: error: cannot find
installed snap "test-snapd-service" at revision x1: missing file
/var/lib/snapd/snap/test-snapd-service/x1/meta/snap.yaml
Also, added a small wait to make sure the units are already stopped
before continuing.
* Update the waiting time for a new service state
* snapstate: notify user when refresh-app-awareness snap refreshed
This is a minimal commit to show a notification when a refresh that
was triggered by the user closing an application is now ready
to use.
* {iface,snap}state: make LinkParticipant pass a *SnapSetup
* snapstate: use notifyLinkParticipant mechanism to trigger finish notification
* agentnotify: move agent notification into their own package
* snapstate: make AutoRefresh() take *AutoRefreshOptions
* agentnotify: import from overlord to ensure linkParticipant handler gets registered
* tests: add new refresh-app-awareness-notify spread test
* snapstate: fix unreachable code
* tests: move from wormhole to test-snapd-sh in refresh-app-awareness-notify
* agentnotify: send notification when snap starts to refresh
* usersession: tweak wording when refresh is ready (thanks to Oliver)
* usersession: actually add the missing finishRefreshNotificationCmd endpoint
* snap: disable graphicalSessionFlow() to avoid confusion
It's unclear if this flow ever worked and the finish-refresh
part for sure never worked because in the userd the API for
finish-notification was not wired in.
This needs to be re-examined when we have a proper UX design.
* usersession: show notification when update is finished (thanks to Oliver)
* agentnotify: remove unneeded notifyUnlinkSnap()
After a quick sync with Oliver the decision was taken to have
just a notification message when the snap refresh is finished
and not when it starts to avoid too many user distractions.
* usersession: tweak wording when refresh is ready (thanks to Oliver)
* agentnotify: remove unneeded comment
* usersession: one more wording tweak (thanks to Oliver)
* agentnotify: add missing unit test
* snapstate: add test that ensures the snapsup.Flags.IsContinuedAutoRefresh is set
* snapstate: add TODO
* many: tweak wordings/comment/variable names (thanks to Miguel)
* tests: simplify refresh-app-awareness-notify test (thanks to Miguel)
* tests: fix quoting in test
* snap: simplify how inhibit workflow inhibited
* tests: tweak tests and ensure "jq" is installed
* agent: fix unit test error