Request 496769 - openSUSE Build Service

Overview

Request 496769 (accepted)

Add two distro patches to make LXD/docker snaps working

Created by mrmorph 8 months ago
In state accepted

Submit snapd

Submit package home:mrmorph:branches:system:snappy / snapd to package system:snappy / snapd

[-] [+]	Changed	snapd.changes
@@ -1,4 +1,12 @@ ------------------------------------------------------------------- +Wed May 19 14:35:29 UTC 2017 - morphis@gravedo.de + +- Add bind() syscall to default seccomp policy to allow execution + of snap hooks. +- Do not share /etc/ssl with the host but use the one from the core + snap. + +------------------------------------------------------------------- Wed May 10 12:24:44 UTC 2017 - morphis@gravedo.de - Update to upstream release 2.25
[-] [+]	Changed	snapd.spec ^
@@ -23,7 +23,7 @@ %define systemd_services_list snapd.refresh.timer snapd.refresh.service snapd.socket snapd.service snapd.autoimport.service snapd.system-shutdown.service Name: snapd Version: 2.25 -Release: 1 +Release: 2 Summary: Tools enabling systems to work with .snap files License: GPL-3.0 Group: System/Packages @@ -32,6 +32,8 @@ Source1: snapd-rpmlintrc Patch0: 0001-cmd-use-libtool-for-the-internal-library.patch Patch1: 0002-cmd-disable-c-style-checks-as-intent-works-different.patch +Patch2: 0003-cmd-snap-confine-do-not-share-etc-ssl-with-the-host.patch +Patch3: 0004-interfaces-seccomp-allow-bind-for-Fedora.patch # TODO: make this enabled only on Leap 42.2+ # BuildRequires: ShellCheck BuildRequires: autoconf @@ -96,6 +98,8 @@ %setup -q -n %{name}-%{version} %patch0 -p1 %patch1 -p1 +%patch2 -p1 +%patch3 -p1 # Set the version that is compiled into the various executables ./mkversion.sh %{version}-%{release}
[-] [+]	Added	0003-cmd-snap-confine-do-not-share-etc-ssl-with-the-host.patch ^
@@ -0,0 +1,76 @@ +From 7ba9c6c4e245f791cf593c365b6ab58131081b29 Mon Sep 17 00:00:00 2001 +From: Simon Fels <simon.fels@canonical.com> +Date: Fri, 19 May 2017 13:45:49 +0200 +Subject: [PATCH] cmd/snap-confine: do not share /etc/ssl with the host + +--- + cmd/snap-confine/mount-support.c \| 36 +++++++++++++++++++------------ + cmd/snap-confine/snap-confine.apparmor.in \| 2 ++ + 2 files changed, 24 insertions(+), 14 deletions(-) + +diff --git a/cmd/snap-confine/mount-support.c b/cmd/snap-confine/mount-support.c +index 6bf38e1..ee63c19 100644 +--- a/cmd/snap-confine/mount-support.c ++++ b/cmd/snap-confine/mount-support.c +@@ -341,20 +341,28 @@ static void sc_bootstrap_mount_namespace(const struct sc_mount_config config) + sc_do_mount("none", dst, NULL, MS_REC \| MS_SLAVE, NULL); + } + } +- // Since we mounted /etc from the host filesystem to the scratch directory, +- // we may need to put /etc/alternatives from the desired root filesystem +- // (e.g. the core snap) back. This way the behavior of running snaps is not +- // affected by the alternatives directory from the host, if one exists. +- // +- // https://bugs.launchpad.net/snap-confine/+bug/1580018 +- const char etc_alternatives = "/etc/alternatives"; +- if (access(etc_alternatives, F_OK) == 0) { +- sc_must_snprintf(src, sizeof src, "%s%s", config->rootfs_dir, +- etc_alternatives); +- sc_must_snprintf(dst, sizeof dst, "%s%s", scratch_dir, +- etc_alternatives); +- sc_do_mount(src, dst, NULL, MS_BIND, NULL); +- sc_do_mount("none", dst, NULL, MS_SLAVE, NULL); ++ if (config->on_classic_distro) { ++ // Since we mounted /etc from the host filesystem to the scratch directory, ++ // we may need to put certain directories from the desired root filesystem ++ // (e.g. the core snap) back. This way the behavior of running snaps is not ++ // affected by the alternatives directory from the host, if one exists. ++ // ++ // Fixes the following bugs: ++ // - https://bugs.launchpad.net/snap-confine/+bug/1580018 ++ // - https://bugzilla.opensuse.org/show_bug.cgi?id=1028568 ++ const char dirs_from_core[] = ++ { "/etc/alternatives", "/etc/ssl", NULL }; ++ for (const char dirs = dirs_from_core; dirs != NULL; dirs++) { ++ const char dir = dirs; ++ if (access(dir, F_OK) == 0) { ++ sc_must_snprintf(src, sizeof src, "%s%s", ++ config->rootfs_dir, dir); ++ sc_must_snprintf(dst, sizeof dst, "%s%s", ++ scratch_dir, dir); ++ sc_do_mount(src, dst, NULL, MS_BIND, NULL); ++ sc_do_mount("none", dst, NULL, MS_SLAVE, NULL); ++ } ++ } + } + // Bind mount the directory where all snaps are mounted. The location of + // the this directory on the host filesystem may not match the location in +diff --git a/cmd/snap-confine/snap-confine.apparmor.in b/cmd/snap-confine/snap-confine.apparmor.in +index a999f46..9e8064f 100644 +--- a/cmd/snap-confine/snap-confine.apparmor.in ++++ b/cmd/snap-confine/snap-confine.apparmor.in +@@ -160,9 +160,11 @@ + mount options=(rw rslave) -> /tmp/snap.rootfs_/usr/src/, + # /etc/alternatives (classic) + mount options=(rw bind) @SNAP_MOUNT_DIR@/{,ubuntu-}core//etc/alternatives/ -> /tmp/snap.rootfs_/etc/alternatives/, ++ mount options=(rw bind) @SNAP_MOUNT_DIR@/{,ubuntu-}core//etc/ssl/ -> /tmp/snap.rootfs_/etc/ssl/, + # /etc/alternatives (core) + mount options=(rw bind) /etc/alternatives/ -> /tmp/snap.rootfs_/etc/alternatives/, + mount options=(rw slave) -> /tmp/snap.rootfs_/etc/alternatives/, ++ mount options=(rw slave) -> /tmp/snap.rootfs_/etc/ssl/, + # the /snap directory + mount options=(rw rbind) @SNAP_MOUNT_DIR@/ -> /tmp/snap.rootfs_/snap/, + mount options=(rw rslave) -> /tmp/snap.rootfs_/snap/, +-- +2.7.4 +
[-] [+]	Added	0004-interfaces-seccomp-allow-bind-for-Fedora.patch ^
@@ -0,0 +1,28 @@ +From a604e6e94cca5251a1a1ae31907832e023b38fa7 Mon Sep 17 00:00:00 2001 +From: Simon Fels <simon.fels@canonical.com> +Date: Wed, 17 May 2017 16:18:54 +0200 +Subject: [PATCH] interfaces/seccomp: allow bind() for Fedora and openSUSE + +--- + interfaces/seccomp/template.go \| 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/interfaces/seccomp/template.go b/interfaces/seccomp/template.go +index f9a0ed6..a52ab6f 100644 +--- a/interfaces/seccomp/template.go ++++ b/interfaces/seccomp/template.go +@@ -548,4 +548,14 @@ pwritev + # This is an older interface and single entry point that can be used instead + # of socket(), bind(), connect(), etc individually. + socketcall ++ ++# Allow bind() as the golang net package uses this on initialization when ++# loaded the first time and on systems without an LSM system this kills ++# snapctl when executed in a hook when the network-bind interface isn't ++# plugged. See https://forum.snapcraft.io/t/hooks-calling-snapctl-are-broken-with-just-seccomp-enabled/658/ ++# for more details. ++# ++# NOTE: This is only meant for Fedora and openSUSE and shouldn't be ++# applied upstream. ++bind + `)

Comments for request 496769 (0)

There's nothing to be done right now

Request History

mrmorph	created request	1495199840 8 months ago
Add two distro patches to make LXD/docker snaps [+]
zyga	Review got accepted	1495441523 8 months ago
zyga	Request got reviewed	1495441523 8 months ago
zyga	Request got accepted	1495441531 8 months ago

Request 496769 (accepted)

Comments for request 496769 (0)

Request History

0 Package Maintainers