| author | Michael Vogt <mvo@ubuntu.com> | 2019-07-02 07:46:18 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2019-07-02 07:46:18 +0100 |
| commit | 62bd1cd9592316e2807cff37478e4627b070c065 (patch) | |
| tree | cce075fffb6b37341e655833a453e5770fa91406 /cmd/snap-confine | |
| parent | 7c4087301f189c28adbc0528f97dca2032f171c1 (diff) | |
| parent | b473e5cd46e72607472a3458093102b526367b2d (diff) | |
Merge pull request #7049 from zyga/tweak/udev-before-pivot
cmd/snap-confine: handle device cgroup before pivot
Diffstat (limited to 'cmd/snap-confine')
| -rw-r--r-- | cmd/snap-confine/snap-confine.apparmor.in | 2 | ||||
| -rw-r--r-- | cmd/snap-confine/snap-confine.c | 10 | ||||
| -rw-r--r-- | cmd/snap-confine/udev-support.c | 4 |
3 files changed, 12 insertions, 4 deletions
diff --git a/cmd/snap-confine/snap-confine.apparmor.in b/cmd/snap-confine/snap-confine.apparmor.in
index eb47c252b1..9fd380c63f 100644
--- a/cmd/snap-confine/snap-confine.apparmor.in
+++ b/cmd/snap-confine/snap-confine.apparmor.in
@@ -38,6 +38,8 @@
 /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libudev.so* mr,
 /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libseccomp.so* mr,
 /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcap.so* mr,
+ # Needed to run /usr/bin/sh for snap-device-helper.
+ /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libtinfo.so* mr,
 @LIBEXECDIR@/snap-confine mr,
diff --git a/cmd/snap-confine/snap-confine.c b/cmd/snap-confine/snap-confine.c
index d89e1d95ce..f13744e6df 100644
--- a/cmd/snap-confine/snap-confine.c
+++ b/cmd/snap-confine/snap-confine.c
@@ -572,6 +572,12 @@ static void enter_non_classic_execution_environment(sc_invocation * inv,
 // Init and check rootfs_dir, apply any fallback behaviors. sc_check_rootfs_dir(inv); + /** Populate and join the device control group. */ struct snappy_udev udev_s; if (snappy_udev_init(inv->security_tag, &udev_s) == 0) setup_devices_cgroup(inv->security_tag, &udev_s); snappy_udev_cleanup(&udev_s); + /** * is_normal_mode controls if we should pivot into the base snap. *
@@ -705,8 +711,4 @@ static void enter_non_classic_execution_environment(sc_invocation * inv,
 die("cannot set environment variable '%s'", tmpd[i]); } } - struct snappy_udev udev_s; if (snappy_udev_init(inv->security_tag, &udev_s) == 0) setup_devices_cgroup(inv->security_tag, &udev_s); snappy_udev_cleanup(&udev_s); }
diff --git a/cmd/snap-confine/udev-support.c b/cmd/snap-confine/udev-support.c
index 4781882d41..0c80de1557 100644
--- a/cmd/snap-confine/udev-support.c
+++ b/cmd/snap-confine/udev-support.c
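Review bot: The comment on the new libtinfo rule says it is "Needed to run /usr/bin/sh", but on Debian-derived hosts the system shell is `/bin/sh` (dash), which does not link libtinfo, so the rule presumably only matters on hosts where sh is bash; the comment should say so, otherwise a later cleanup may drop the rule as unused. Suggest `# snap-device-helper is a shell script; on hosts where sh is bash the interpreter links libtinfo.` The rule itself is a read/mmap grant (`mr`) on a system library, so it does not widen what snap-confine can execute. The exec rule for snap-device-helper itself is not visible in this hunk, and the hunk's two blank context lines were lost in rendering.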
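Review bot: The new `/** Populate and join the device control group. */` comment says what the moved block does but not why it now runs before the pivot, which is the whole point of this change and cannot be recovered from the code; neighbouring comments in this function use `//`, so a plain comment would also read more consistently. Suggest `// Join the device cgroup before pivoting into the base snap so that snap-device-helper is resolved on the host filesystem (see udev-support.c) rather than inside the base.`, assuming that is the intent behind the new /usr/libexec lookup in the third file. Note also that `snappy_udev_cleanup(&udev_s)` runs even when `snappy_udev_init` did not return 0, so it must tolerate an un-initialised `udev_s`; that was true before the move, but a one-line remark would save the next reader the same check. The enclosing `enter_non_classic_execution_environment` starts and ends outside the hunk, and the `+` markers on several of the moved lines were lost in rendering.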
@@ -73,6 +73,10 @@ _run_snappy_app_dev_add_majmin(struct snappy_udev *udev_s,
 execle("/usr/lib/snapd/snap-device-helper",
 "/usr/lib/snapd/snap-device-helper", "add",
 udev_s->tagname, path, buf, NULL, env);
+ else if (access("/usr/libexec/snapd/snap-device-helper", X_OK) == 0)
+ execle("/usr/libexec/snapd/snap-device-helper",
+ "/usr/libexec/snapd/snap-device-helper", "add",
+ udev_s->tagname, path, buf, NULL, env);
 else
 execle("/lib/udev/snappy-app-dev",
 "/lib/udev/snappy-app-dev", "add", |
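Review bot: The new `else if` picks `/usr/libexec/snapd/snap-device-helper` on `access(X_OK)` and then `execle`s it, but if the exec itself is refused — for instance by snap-confine's own AppArmor profile, which this series extends only with a libtinfo rule and shows no exec rule for the new path — the first-match-wins chain never tries the remaining candidates, and whatever follows the final `else` is outside the hunk. Worth confirming the profile already permits that path (or adding it next to the existing `/usr/lib/snapd` rule), and bearing in mind that `access()` tests the real uid, so if snap-confine runs setuid the check reflects the invoking user rather than root. A comment over the chain such as `// First candidate whose access() succeeds is exec'd; a failed execle() does not fall through to the next.` would make that explicit. The three branches also repeat the same argv; a small table of candidate paths iterated with access()+execle() would remove the duplication, with the unconditional snappy-app-dev fallback kept last. `_run_snappy_app_dev_add_majmin` begins before this hunk and the fallback branch continues past it.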
