mirror of
https://github.com/token2/snapd.git
synced 2026-03-13 11:15:47 -07:00
* dirs: add directory location for storing cgroup policy related flags

  Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* interfaces/udev: introduce cgroup policy flag for self managed device cgroup

  Some snaps, due to their interfaces, are allowed to self manage the device cgroup. In this case, the assumption was to not emit any rules at all, and instead rely on the implicit behavior that no rules means no matching devices and hence no device cgroup filtering. However, with the introduction of a device cgroup by default for all snaps on core24 onward, regardless of any assigned devices, we need a separate source of information to indicate that a snap can do self management.

  The patch introduces a policy flag under /var/lib/snapd/cgroup, named snap.<name>.device, e.g. /var/lib/snapd/cgroup/snap.docker.device, which provides a hint for snap-confine to not set up device cgroup filtering for apps.

  Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* cmd/snap-confine: support snaps which self-manage device cgroup

  Support for snaps for which policy explicitly states that the device cgroup is self-managed. The typical use case is container-like technologies. In such a scenario, there will be a device cgroup configuration file at a known location which got generated by snapd whenever the relevant interface state changed.

  Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* tests/main/security-device-cgroups-self-manage: spread test

  Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* cmd/snap-confine: drop base from bases exempt from mandatory device cgroup

  We have confirmed that there are no snaps which (ab)use system files and use bare base to obtain access to devices. As such, the bare base can be dropped from the list of bases exempt from mandatory device cgroup.

  Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* interfaces/udev: remove snap devices file when removing the snap

  Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* interfaces/udev: consistent use of fs.ErrNotExist

  Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* cmd/snap-confine: leave comments

  Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* interfaces/udev: tweak return path

  Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* interfaces/udev: improve managed device cgroup unit tests, verify calls to udevadm

  Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* NEWS: leave a note about mandatory device cgroup

  Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* tests/main/security-device-cgroups-self-manage: tweak comments

  Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* interfaces/udev: always write the device file

  Always write the device file which serves as a synchronization point between snap-confine and the snapd udev backend.

  Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* cmd/libsnap-confine-private: add helper for waiting for a file to show up

  Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* cmd/snap-confine: make cgroup device file mandatory

  Make the per-snap /var/lib/snapd/cgroup/snap.*.device file mandatory, such that it can be used as a synchronization point between snapd calling Setup() of relevant security backends and the execution path in snap-confine.

  Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* cmd/snap-mgmt: do cleanup of /var/lib/snapd/cgroup

  Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* packaging: declare /var/lib/snapd/cgroup

  Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* cmd/snap-confine: use the file wait helper

  Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* packaging: create cgroup directory

  Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* tests/main/security-device-cgroups-self-manage: update file check

  Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* tests/main/security-device-cgroups-required-or-optional: update test to verify device file

  Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* interfaces/udev: refactor reloading

  Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* cmd/snap-confine: move device cgroup mode selection to a helper

  Extract device cgroup mode selection into a helper function.

  Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

---------

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>
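The commit message above describes three pieces that fit together: a per-snap flag file under /var/lib/snapd/cgroup that tells snap-confine whether the snap self-manages its device cgroup, a helper that waits for that file to show up, and a mode-selection helper that makes the file mandatory so it doubles as a synchronization point with snapd. The following is an added example illustrating that fail-closed logic in C; it is not snap-confine's or snapd's own code. The function names, the `MISSING` outcome, the 10 ms poll interval, the scratch directory under /tmp and, above all, the flag file content format (a line reading `self-managed=true`) are assumptions made for this example, since the commit message does not state what the file contains.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <sys/stat.h>

/* Outcome of consulting the per-snap device cgroup flag file.
 * Names and the MISSING outcome are this example's own, not snap-confine's. */
enum sc_device_cgroup_mode {
    SC_DEVICE_CGROUP_MODE_MISSING = -1,     /* flag file never appeared: refuse to launch */
    SC_DEVICE_CGROUP_MODE_ENFORCE = 0,      /* set up device cgroup filtering */
    SC_DEVICE_CGROUP_MODE_SELF_MANAGED = 1, /* snap manages its own device cgroup */
};

static long sc_elapsed_ms(const struct timespec *start) {
    struct timespec now;
    clock_gettime(CLOCK_MONOTONIC, &now);
    return (now.tv_sec - start->tv_sec) * 1000L +
           (now.tv_nsec - start->tv_nsec) / 1000000L;
}

/* Poll until `path` exists or `timeout_ms` elapses. Returns 0 once the file
 * is visible, -1 on timeout (errno = ETIMEDOUT) or on any stat() error
 * other than ENOENT. */
int sc_wait_for_file(const char *path, long timeout_ms) {
    struct timespec start;
    clock_gettime(CLOCK_MONOTONIC, &start);
    for (;;) {
        struct stat st;
        if (stat(path, &st) == 0) {
            return 0;
        }
        if (errno != ENOENT) {
            return -1;
        }
        if (sc_elapsed_ms(&start) >= timeout_ms) {
            errno = ETIMEDOUT;
            return -1;
        }
        struct timespec nap = { 0, 10 * 1000 * 1000 }; /* 10 ms between polls (assumed) */
        nanosleep(&nap, NULL);
    }
}

/* Select the device cgroup mode for one snap. The file is mandatory: if it
 * does not appear within the timeout the caller must fail closed instead of
 * silently skipping device filtering. Content format is assumed for this
 * example: a line "self-managed=true" marks the snap as self-managing; any
 * other content, including an empty file, means filtering is enforced. */
enum sc_device_cgroup_mode
sc_device_cgroup_mode_select(const char *flag_path, long timeout_ms) {
    if (sc_wait_for_file(flag_path, timeout_ms) != 0) {
        return SC_DEVICE_CGROUP_MODE_MISSING;
    }
    FILE *f = fopen(flag_path, "r");
    if (f == NULL) {
        return SC_DEVICE_CGROUP_MODE_MISSING;
    }
    enum sc_device_cgroup_mode mode = SC_DEVICE_CGROUP_MODE_ENFORCE;
    char line[128];
    while (fgets(line, sizeof line, f) != NULL) {
        line[strcspn(line, "\r\n")] = '\0';
        if (strcmp(line, "self-managed=true") == 0) {
            mode = SC_DEVICE_CGROUP_MODE_SELF_MANAGED;
            break;
        }
    }
    fclose(f);
    return mode;
}

/* Demo helper: a scratch directory under /tmp stands in for
 * /var/lib/snapd/cgroup; the flag file is written for the constructed snap
 * name "docker". content == NULL simulates snapd never writing the file. */
enum sc_device_cgroup_mode sc_demo_select(const char *content) {
    char dir[64];
    char path[128];
    snprintf(dir, sizeof dir, "/tmp/sc-cgroup-demo-%ld", (long)getpid());
    if (mkdir(dir, 0700) != 0 && errno != EEXIST) {
        return SC_DEVICE_CGROUP_MODE_MISSING;
    }
    snprintf(path, sizeof path, "%s/snap.docker.device", dir);
    if (content != NULL) {
        FILE *f = fopen(path, "w");
        if (f == NULL) {
            rmdir(dir);
            return SC_DEVICE_CGROUP_MODE_MISSING;
        }
        fputs(content, f);
        fclose(f);
    }
    enum sc_device_cgroup_mode mode = sc_device_cgroup_mode_select(path, 50);
    unlink(path);
    rmdir(dir);
    return mode;
}

int main(void) {
    printf("self-managed: %d\n", sc_demo_select("self-managed=true\n"));
    printf("enforce:      %d\n", sc_demo_select(""));
    printf("missing:      %d\n", sc_demo_select(NULL));
    return 0;
}
```

The point of the `MISSING` branch is the one the commit series makes: once the flag file is mandatory, its absence is no longer "no devices assigned, so no filtering" but "snapd has not finished setting up this snap's security backends yet", and the launcher should wait and then refuse rather than run the app without a device cgroup.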