dgit.raspbian.org Git - snapd.git/commit

author	Alex Murray <alex.murray@canonical.com>
	Mon, 19 Sep 2022 04:20:36 +0000 (13:50 +0930)
committer	Alex Murray <alex.murray@canonical.com>
	Tue, 29 Nov 2022 12:01:21 +0000 (12:01 +0000)
commit	1621f1ff27aeb9596499f034efcc5110a4c74419
tree	ceb9489a06ef7b8d541bd86441e02b96b5ba30ec	tree \| snapshot
parent	7a50a9177539adf2ca8393f491878fcd34228fad	commit \| diff

[PATCH 2/4] many: Use /tmp/snap-private-tmp for per-snap private tmps

Backport of the following upstream patch:
From fe2d2d8471665482628813934d9f19e8ca5e4a1f Mon Sep 17 00:00:00 2001

Backport of the following upstream patch:
From fe2d2d8471665482628813934d9f19e8ca5e4a1f Mon Sep 17 00:00:00 2001
From: Alex Murray <alex.murray@canonical.com>
Date: Mon, 19 Sep 2022 13:50:36 +0930
Subject: [PATCH 2/4] many: Use /tmp/snap-private-tmp for per-snap private tmps

To avoid unprivileged users being able to interfere with the creation of the
private snap mount namespace, instead of creating this as /tmp/snap.$SNAP_NAME/
we can now use the systemd-tmpfiles configuration to do this for us
at boot with a known fixed name (/tmp/snap-private-tmp/) and then use that as
the base dir for creating per-snap private tmp mount
namespaces (eg. /tmp/snap-private-tmp/snap.$SNAP_INSTANCE/tmp) etc.

Signed-off-by: Alex Murray <alex.murray@canonical.com>
Gbp-Pq: Topic cve20223328
Gbp-Pq: Name 0017-cve-2022-3328-2.patch

cmd/snap-confine/mount-support.c		diff \| blob \| history
cmd/snap-confine/snap-confine.apparmor.in		diff \| blob \| history