~mvo/snapd/+git/snapd-mvo:snap-confine-scratch-dir-tmpfs-profile-rule

Last commit made on 2023-05-24
Get this branch:
git clone -b snap-confine-scratch-dir-tmpfs-profile-rule https://git.launchpad.net/~mvo/snapd/+git/snapd-mvo

Branch merges

Branch information

Name:
snap-confine-scratch-dir-tmpfs-profile-rule
Repository:
lp:~mvo/snapd/+git/snapd-mvo

Recent commits

c3c6905... by Michael Vogt

snap-confine: add `tmpfs` mount rule to apparmor profile

After a fresh boot with the lunar proposed kernel 6.2.0-23.23 with the
snapd from `edge/prompting` revision 19342 and 19399 (and the apparmor
userspace build from https://gitlab.com/jjohansen/apparmor.git and the
"prompt" branch). I cannot reproduce this with the snapd from "edge"
that vendors a slightly older version of apparmor userspace.

I got an error starting snaps:
```
$ firefox
cannot perform operation: mount -t tmpfs /tmp/snap.rootfs_9ftEd8: Permission denied
$ sudo dmesg|tail -n1
[ 43.588251] audit: type=1400 audit(1684915677.455:329): apparmor="DENIED" operation="mount" class="mount" info="failed perms check" error=-13 profile="/snap/snapd/19342/usr/lib/snapd/snap-confine" name="/tmp/snap.rootfs_9ftEd8/" pid=4741 comm="snap-confine" fstype="tmpfs" srcname="none"
```

Looking at the apparmor profiles we generate for `snap-confine` I could
indeed not find a rule that allows snap-confine to mount the scratch dir
that should be needed in `mount-support.c:sc_bootstrap_mount_namespace()`.

The relevant code looks like this:
```
    sc_do_mount("none", scratch_dir, NULL, MS_UNBINDABLE, NULL);
    if (config->normal_mode) {
        sc_initialize_ns_fstab(config->snap_instance);
        // Create a tmpfs on scratch_dir; we'll then mount all the root
        // directories of the base snap onto it.
        sc_do_mount("none", scratch_dir, "tmpfs", 0, NULL);
        sc_replicate_base_rootfs(scratch_dir, config->rootfs_dir, config->mounts);
```
and indeed `strace` confirms this mount is taking place:
```
[pid 15281] mount("none", "/tmp/snap.rootfs_w5Tw1R", "tmpfs", 0, NULL) = -1 EACCES (Permission denied)
```

Manually adding the following rule to the `snap-confine` profile:
```
    mount fstype=tmpfs none -> /tmp/snap.rootfs_*/,
```
and
```
$ sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap-confine.snapd.19342
```
made snaps work again.

This is puzzling because AFAICT the rule is really missing and the mount
should be denied, but it's only denied with the vendored userspace from
the `edge/prompting` snap.
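
The commit message above works one AppArmor mount denial back to the profile rule that silences it by hand. The shell script below, added here as an example and not part of snapd, AppArmor or this branch, does the same mapping mechanically: it parses the audit record quoted above (the `operation`, `name`, `fstype` and `srcname` fields are the ones that appear in that line), generalises the random `mkdtemp`-style suffix of the scratch directory into the `/tmp/snap.rootfs_*/` glob used in the profile, and checks whether a profile text already carries the resulting rule. The two profile fragments are constructed for the demo and are not the real `snap-confine` profile.

```shell
#!/bin/sh
# Added example, not snapd's or AppArmor's own tooling: derive the profile
# rule an AppArmor "mount" denial is asking for, then check whether a profile
# already carries it.

# Audit record from the commit message above (data, not a live dmesg read).
DENIAL='[ 43.588251] audit: type=1400 audit(1684915677.455:329): apparmor="DENIED" operation="mount" class="mount" info="failed perms check" error=-13 profile="/snap/snapd/19342/usr/lib/snapd/snap-confine" name="/tmp/snap.rootfs_9ftEd8/" pid=4741 comm="snap-confine" fstype="tmpfs" srcname="none"'

# Constructed profile fragments; NOT the real snap-confine profile.
PROFILE_BEFORE='profile snap-confine-example {
  capability sys_admin,
}'
PROFILE_AFTER='profile snap-confine-example {
  capability sys_admin,
    mount fstype=tmpfs none -> /tmp/snap.rootfs_*/,
}'

# audit_field LINE KEY: print the value of KEY="..." in LINE.
# The required leading blank keeps "name" from matching inside "srcname".
audit_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p"
}

# generalize_scratch_dir PATH: snap-confine creates the scratch dir with a
# random suffix, so the profile needs a glob, not the literal directory
# from one denial. Any other path is returned unchanged.
generalize_scratch_dir() {
    printf '%s\n' "$1" | sed 's#^/tmp/snap\.rootfs_[A-Za-z0-9]*/$#/tmp/snap.rootfs_*/#'
}

# mount_rule_from_denial LINE: print an AppArmor mount rule for a mount
# denial; return 1 (printing nothing) for any other operation or if a
# needed field is missing.
mount_rule_from_denial() {
    [ "$(audit_field "$1" operation)" = "mount" ] || return 1
    fstype=$(audit_field "$1" fstype)
    src=$(audit_field "$1" srcname)
    dst=$(generalize_scratch_dir "$(audit_field "$1" name)")
    [ -n "$fstype" ] && [ -n "$src" ] && [ -n "$dst" ] || return 1
    printf 'mount fstype=%s %s -> %s,\n' "$fstype" "$src" "$dst"
}

# profile_has_rule RULE: read a profile on stdin and succeed if RULE is
# present as a whole line (leading indentation ignored).
profile_has_rule() {
    sed 's/^[[:space:]]*//' | grep -Fxq -- "$1"
}

# Demo: print the candidate rule, then report whether each fragment has it.
rule=$(mount_rule_from_denial "$DENIAL")
printf 'candidate rule: %s\n' "$rule"
report() {
    if printf '%s\n' "$2" | profile_has_rule "$rule"; then
        printf '%s: rule present\n' "$1"
    else
        printf '%s: rule missing; add it and reload with apparmor_parser -r\n' "$1"
    fi
}
report before "$PROFILE_BEFORE"
report after "$PROFILE_AFTER"
```

The script only tells you which rule a denial calls for; loading it is still the `sudo apparmor_parser -r <profile>` step from the commit message, and it says nothing about why the older vendored userspace did not deny the same mount.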

803c868... by Alfonso Sanchez-Beato

gadget: remove LaidOutVolume.Size

As it was not used anymore.

7812317... by Valentin David

snap-bootstrap: check when install can be done in initrd

eefba60... by Valentin David

cmd/snap-bootstrap: cache loaded seeds

cfa8464... by Michael Vogt

github: remove use of `covertool merge` to fix codecov reporting (#12837)

The codecov reporting was broken for a while and after some
slightly painful debugging in PR#12834 it turns out that
the use of `covertool merge` seems to break codecov. Using
this is not needed as codecov can merge reports natively.

This commit removes the use of `covertool merge` and instead
just send the various generated coverage reports to codecov.

d8b212b... by Sergio Cazzolato

tests: skip microk8s-smoke test in external devices #12821

The test fails with timeouts caused by lack of resources on those
instances/vms.

The idea is to run this test in the google backend where the machines have
4GB of RAM and 2 cores.

89cf737... by ashuntu

steam_support: allow /usr access #12823

b7922d6... by Alfonso Sanchez-Beato

gadget: restrict offset-write for structures

Now offset-write for a structure will always be absolute. A value for
relative-to will still be accepted only if it refers to a structure
with zero offset.

2b285f1... by Alfonso Sanchez-Beato

gadget: remove offset-write from gadget structure content

Using offset-write from an image in a gadget volume structure content
was never implemented by ubuntu-image and does not seem too
useful. Removing it and the related checks therefore.

170b086... by Sergio Cazzolato

tests: remove docker tests in ubuntu trusty and update livepatch #12831

Docker is failing frequently in ubuntu 14.04.

trusty is not supported anymore for snapd, just livepatch is supported.