The default cipher/keysize on armhf is different from the other platforms. This commit ensures this is taken into account in the `testEncryptPartitions()` test.
sandbox/apparmor: don't let vendored apparmor conflict with system (#12909)
* sandbox/apparmor: don't let vendored apparmor conflict with system
Don't enable the vendored apparmor if the system installed apparmor will try and load policy that would be generated by the vendored apparmor and hence may conflict with that by using newer features not supported by the system installed apparmor (LP: 2024637)
Signed-off-by: Alex Murray <email address hidden>
* apparmor: add unit testing for SystemAppArmorLoadsSnapPolicy()
* tests: add test that checks regression in lp-2024637
* apparmor: only log non ENOENT errors in systemAppArmorLoadsSnapPolicy
* tests: fix snapd-snap test on 14.04-18.04
This commit will skip apparmor vendor testing if /lib/apparmor/functions still references /var/lib/snapd/apparmor/.
* i/apparmor: allow read of /lib/apparmor/functions in snap-update-ns
Snapd at startup will inspect this file now to ensure that the vendored apparmor can be used. So the snap-update-ns profile also needs to get updated as this happens during an early init().
---------
Signed-off-by: Alex Murray <email address hidden> Co-authored-by: Michael Vogt <email address hidden>
gadget/update: set parts in laid out data from the ones matched
by EnsureVolumeCompatibility (when creating disk traits), as LaidoutStructure.OnDiskStructure is not valid until we have the real disk data (especially when we have a range of sizes/offsets).
many: move SnapConfineAppArmorDir from dirs to sandbox/apparmor (#12906)
* many: move SnapConfineAppArmorDir from dirs to sandbox/apparmor
Then when using the internal vendored AppArmor, use a different location for SnapConfineAppArmorDir so that we don't interfere with the system installed AppArmor.
In Ubuntu, the snapd deb includes an AppArmor profile for /usr/lib/snapd/snap-confine that includes any profile snippets from the hard-coded directory of /var/lib/snapd/apparmor/snap-confine. When we use the snapd snap with the vendored AppArmor, this may contain newer features and so would create snippets under /var/lib/snapd/apparmor/snap-confine that then may not be supported by the system installed AppArmor. When the system installed apparmor.service would run on boot, it would try and load the snap-confine AppArmor profile shipped in the snapd deb, which would then try and include these snippets generated by the newer vendored AppArmor and could fail to load them as they would use new features not supported by the system AppArmor.
So instead, when using the vendored AppArmor, have snapd use a different directory for the snap-confine profile snippets and then have the snapd-generated AppArmor profiles for snap-confine reference this location instead. This should allow to support both use-cases simultaneously.
Signed-off-by: Alex Murray <email address hidden>
* apparmor: add unit test that ensures that snap-confine include snippet is rewriten
* sandbox/apparmor: add unit test around setupConfCacheDirs()
* tests: add check check in snapd-snap for /v/l/snapd/apparmor/snap-confine.internal path usage
* tests: fix spread test to look at the right profiles
* i/apparmor: allow read of /usr/lib/snapd/info in snap-update-ns profile
---------
Signed-off-by: Alex Murray <email address hidden> Co-authored-by: Michael Vogt <email address hidden>
aspects: add a Transaction wrapper for aspect databags
Add a Transaction object that can be used to perform multiple get/set on a databag atomically. Transactions implement the DataBag interface so they can be used with the Aspects transparently.
Signed-off-by: Miguel Pires <email address hidden>
