mirror of
https://github.com/token2/snapd.git
synced 2026-03-13 11:15:47 -07:00
* Revert "apparmor: disable vendoring again"
This reverts commit 9ad372eae0.
Signed-off-by: Alex Murray <alex.murray@canonical.com>
* overlord: Remove all snap AppArmor profiles on snapd downgrade
Signed-off-by: Alex Murray <alex.murray@canonical.com>
* overlord: Remove system-key too when downgrading from snapd
This should ensure they get regenerated when the new snapd is restarted.
Signed-off-by: Alex Murray <alex.murray@canonical.com>
* tests/main/security-device-cgroups-helper: Respect vendored apparmor
When snapd is using a vendored AppArmor then the tests should use this too
Signed-off-by: Alex Murray <alex.murray@canonical.com>
* overlord: If preseeding don't remove AppArmor profiles on downgrade
Otherwise we also remove the system-key which breaks pre-seeding
Signed-off-by: Alex Murray <alex.murray@canonical.com>
* tests: Respect vendored apparmor parser
When snapd is using a vendored AppArmor then the tests should use this too
Signed-off-by: Alex Murray <alex.murray@canonical.com>
* overlord: Don't remove AppArmor profiles if not preseeded
The system is not yet in an operational state so we shouldn't go removing
the profiles or system-key until it is in a known good state.
Signed-off-by: Alex Murray <alex.murray@canonical.com>
* sandbox/apparmor: Rename UnloadProfiles() to RemoveCachedProfiles()
UnloadProfiles() never actually removed the AppArmor profile from the kernel as
snapd in general cannot be certain that all the services of a given snap are
stopped at that time. So make this clear by renaming this function and updating
the various comments that refer to it etc.
Signed-off-by: Alex Murray <alex.murray@canonical.com>
* interfaces/apparmor: remove snap-update-ns profiles too
Ensure that RemoveAllSnapAppArmorProfiles() removes the per-snap snap-update-ns
profiles as well as the per-snap snap profiles and the snap-confine profiles.
Signed-off-by: Alex Murray <alex.murray@canonical.com>
* interfaces/apparmor: Add unit test for RemoveAllSnapAppArmorProfiles()
Signed-off-by: Alex Murray <alex.murray@canonical.com>
* many: fixup comments as requested by pedronis
Signed-off-by: Alex Murray <alex.murray@canonical.com>
* interfaces: add test for RemoveSystemKey()
Signed-off-by: Alex Murray <alex.murray@canonical.com>
* overlord/snapstate: add comment for snapd downgrade behaviour
Ensure it is clear what we are checking for and why in this case.
Signed-off-by: Alex Murray <alex.murray@canonical.com>
* overlord/snapstore: mock snapd version when testing downgrade
Mock snapd version when testing downgrade of snapd version with vendored
AppArmor to ensure that it is more robust.
Signed-off-by: Alex Murray <alex.murray@canonical.com>
* interfaces: use testutil.FilePresent/Absent instead of os.Stat
Use the FilePresent/Absent checkers in testutil to check for presence / absence
of system key file during unit tests rather than os.Stat() etc.
Signed-off-by: Alex Murray <alex.murray@canonical.com>
* tests/main/snapd-snap: try to avoid hitting apparmor kernel mem leak
This is seen on trusty and others - as more snapd interfaces get added this will
likely need to be ramped down even further but hopefully this will do for now.
Signed-off-by: Alex Murray <alex.murray@canonical.com>
* interfaces: check no error when removing non-existent system-key
As suggested by @meulengracht
Signed-off-by: Alex Murray <alex.murray@canonical.com>
---------
Signed-off-by: Alex Murray <alex.murray@canonical.com>
Co-authored-by: Michael Vogt <mvo@ubuntu.com>