Request 496769 (accepted)
Add two distro patches to make the LXD/docker snaps work
Submit package home:mrmorph:branches:system:snappy / snapd to package system:snappy / snapd
| [-] [+] | Changed | snapd.changes |
| [-] [+] | Changed | snapd.spec ^ |
| [-] [+] | Added | 0003-cmd-snap-confine-do-not-share-etc-ssl-with-the-host.patch ^ |
@@ -0,0 +1,76 @@
+From 7ba9c6c4e245f791cf593c365b6ab58131081b29 Mon Sep 17 00:00:00 2001
+From: Simon Fels <simon.fels@canonical.com>
+Date: Fri, 19 May 2017 13:45:49 +0200
+Subject: [PATCH] cmd/snap-confine: do not share /etc/ssl with the host
+
+---
+ cmd/snap-confine/mount-support.c | 36 +++++++++++++++++++------------
+ cmd/snap-confine/snap-confine.apparmor.in | 2 ++
+ 2 files changed, 24 insertions(+), 14 deletions(-)
+
+diff --git a/cmd/snap-confine/mount-support.c b/cmd/snap-confine/mount-support.c
+index 6bf38e1..ee63c19 100644
+--- a/cmd/snap-confine/mount-support.c
++++ b/cmd/snap-confine/mount-support.c
+@@ -341,20 +341,28 @@ static void sc_bootstrap_mount_namespace(const struct sc_mount_config *config)
+ sc_do_mount("none", dst, NULL, MS_REC | MS_SLAVE, NULL);
+ }
+ }
+- // Since we mounted /etc from the host filesystem to the scratch directory,
+- // we may need to put /etc/alternatives from the desired root filesystem
+- // (e.g. the core snap) back. This way the behavior of running snaps is not
+- // affected by the alternatives directory from the host, if one exists.
+- //
+- // https://bugs.launchpad.net/snap-confine/+bug/1580018
+- const char *etc_alternatives = "/etc/alternatives";
+- if (access(etc_alternatives, F_OK) == 0) {
+- sc_must_snprintf(src, sizeof src, "%s%s", config->rootfs_dir,
+- etc_alternatives);
+- sc_must_snprintf(dst, sizeof dst, "%s%s", scratch_dir,
+- etc_alternatives);
+- sc_do_mount(src, dst, NULL, MS_BIND, NULL);
+- sc_do_mount("none", dst, NULL, MS_SLAVE, NULL);
++ if (config->on_classic_distro) {
++ // Since we mounted /etc from the host filesystem to the scratch directory,
++ // we may need to put certain directories from the desired root filesystem
++ // (e.g. the core snap) back. This way the behavior of running snaps is not
++ // affected by the alternatives directory from the host, if one exists.
++ //
++ // Fixes the following bugs:
++ // - https://bugs.launchpad.net/snap-confine/+bug/1580018
++ // - https://bugzilla.opensuse.org/show_bug.cgi?id=1028568
++ const char *dirs_from_core[] =
++ { "/etc/alternatives", "/etc/ssl", NULL };
++ for (const char **dirs = dirs_from_core; *dirs != NULL; dirs++) {
++ const char *dir = *dirs;
++ if (access(dir, F_OK) == 0) {
++ sc_must_snprintf(src, sizeof src, "%s%s",
++ config->rootfs_dir, dir);
++ sc_must_snprintf(dst, sizeof dst, "%s%s",
++ scratch_dir, dir);
++ sc_do_mount(src, dst, NULL, MS_BIND, NULL);
++ sc_do_mount("none", dst, NULL, MS_SLAVE, NULL);
++ }
++ }
+ }
+ // Bind mount the directory where all snaps are mounted. The location of
+ // the this directory on the host filesystem may not match the location in
+diff --git a/cmd/snap-confine/snap-confine.apparmor.in b/cmd/snap-confine/snap-confine.apparmor.in
+index a999f46..9e8064f 100644
+--- a/cmd/snap-confine/snap-confine.apparmor.in
++++ b/cmd/snap-confine/snap-confine.apparmor.in
+@@ -160,9 +160,11 @@
+ mount options=(rw rslave) -> /tmp/snap.rootfs_*/usr/src/,
+ # /etc/alternatives (classic)
+ mount options=(rw bind) @SNAP_MOUNT_DIR@/{,ubuntu-}core/*/etc/alternatives/ -> /tmp/snap.rootfs_*/etc/alternatives/,
++ mount options=(rw bind) @SNAP_MOUNT_DIR@/{,ubuntu-}core/*/etc/ssl/ -> /tmp/snap.rootfs_*/etc/ssl/,
+ # /etc/alternatives (core)
+ mount options=(rw bind) /etc/alternatives/ -> /tmp/snap.rootfs_*/etc/alternatives/,
+ mount options=(rw slave) -> /tmp/snap.rootfs_*/etc/alternatives/,
++ mount options=(rw slave) -> /tmp/snap.rootfs_*/etc/ssl/,
+ # the /snap directory
+ mount options=(rw rbind) @SNAP_MOUNT_DIR@/ -> /tmp/snap.rootfs_*/snap/,
+ mount options=(rw rslave) -> /tmp/snap.rootfs_*/snap/,
+--
+2.7.4
+
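Review bot: Bind-mounting the core snap's `/etc/ssl` over the host's copy means that on classic systems snaps now validate TLS peers against the core snap's CA bundle, so CAs an administrator adds to or removes from the host trust store no longer take effect inside any snap; that is presumably the intended fix for the openSUSE layout, but the rewritten comment above `dirs_from_core` still only says the snap must not be `affected by the alternatives directory from the host`. It should name the trade-off, e.g. `// affected by the alternatives directory or the CA trust store (/etc/ssl) of the host; snaps see the core snap's CA bundle instead.` In the AppArmor hunk the two new `/etc/ssl/` rules sit under the `# /etc/alternatives (classic)` and `# /etc/alternatives (core)` headings, which are now inaccurate; a `# /etc/ssl (classic)` comment next to them would keep the profile readable. Note also that `access(dir, F_OK)` only tests the host path, so the loop relies on `config->rootfs_dir` always shipping `/etc/ssl` — plausible for the core snap, but worth a one-line comment since sc_do_mount appears to treat a failed mount as fatal. The enclosing function sc_bootstrap_mount_namespace starts and ends outside the hunk.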
| [-] [+] | Added | 0004-interfaces-seccomp-allow-bind-for-Fedora.patch ^ |
@@ -0,0 +1,28 @@
+From a604e6e94cca5251a1a1ae31907832e023b38fa7 Mon Sep 17 00:00:00 2001
+From: Simon Fels <simon.fels@canonical.com>
+Date: Wed, 17 May 2017 16:18:54 +0200
+Subject: [PATCH] interfaces/seccomp: allow bind() for Fedora and openSUSE
+
+---
+ interfaces/seccomp/template.go | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/interfaces/seccomp/template.go b/interfaces/seccomp/template.go
+index f9a0ed6..a52ab6f 100644
+--- a/interfaces/seccomp/template.go
++++ b/interfaces/seccomp/template.go
+@@ -548,4 +548,14 @@ pwritev
+ # This is an older interface and single entry point that can be used instead
+ # of socket(), bind(), connect(), etc individually.
+ socketcall
++
++# Allow bind() as the golang net package uses this on initialization when
++# loaded the first time and on systems without an LSM system this kills
++# snapctl when executed in a hook when the network-bind interface isn't
++# plugged. See https://forum.snapcraft.io/t/hooks-calling-snapctl-are-broken-with-just-seccomp-enabled/658/
++# for more details.
++#
++# NOTE: This is only meant for Fedora and openSUSE and shouldn't be
++# applied upstream.
++bind
+ `)
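Review bot: Adding `bind` to the base seccomp template allows every snap to bind a listening socket whether or not it plugs `network-bind`, so on the systems this patch targets — where the comment says seccomp is the only enforcement — the interface no longer restricts listening at all, and the comment explains the motivation without stating that loss. A line such as `# SECURITY: with bind in the base template, network-bind is enforced only by the LSM policy where one is loaded; seccomp alone no longer blocks listening sockets.` belongs directly above `bind`. Seccomp argument filters cannot inspect the sockaddr (it is passed by pointer), so the rule presumably cannot be narrowed to the initialization-time bind the comment attributes to the Go net package; the practical mitigation is to keep this a packaging-time patch with a tracking reference so it is dropped once the linked forum issue is resolved upstream. The template string continues outside the hunk.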
