dgit.raspbian.org Git - snapd.git/commit

author	Alex Murray <alex.murray@canonical.com>
	Mon, 19 Sep 2022 04:20:36 +0000 (13:50 +0930)
committer	Markus Koschany <apo@debian.org>
	Tue, 13 Jun 2023 09:28:53 +0000 (10:28 +0100)
commit	6668b03fd0f395c01a818e719a54b1ff8b2f48e9
tree	396d6d2cf1b85ded8f68d2468a2c0d49afcd6193	tree \| snapshot
parent	dd281710fef50bab3bb31b3b4547e30c1567ba26	commit \| diff

[PATCH 2/4] many: Use /tmp/snap-private-tmp for per-snap private tmps

Backport of the following upstream patch:
From fe2d2d8471665482628813934d9f19e8ca5e4a1f Mon Sep 17 00:00:00 2001

Backport of the following upstream patch:
From fe2d2d8471665482628813934d9f19e8ca5e4a1f Mon Sep 17 00:00:00 2001
From: Alex Murray <alex.murray@canonical.com>
Date: Mon, 19 Sep 2022 13:50:36 +0930
Subject: [PATCH 2/4] many: Use /tmp/snap-private-tmp for per-snap private tmps

To avoid unprivileged users being able to interfere with the creation of the
private snap mount namespace, instead of creating this as /tmp/snap.$SNAP_NAME/
we can now use the systemd-tmpfiles configuration to do this for us
at boot with a known fixed name (/tmp/snap-private-tmp/) and then use that as
the base dir for creating per-snap private tmp mount
namespaces (eg. /tmp/snap-private-tmp/snap.$SNAP_INSTANCE/tmp) etc.

Signed-off-by: Alex Murray <alex.murray@canonical.com>
Gbp-Pq: Topic cve20223328
Gbp-Pq: Name 0017-cve-2022-3328-2.patch

cmd/snap-confine/mount-support.c		diff \| blob \| history
cmd/snap-confine/snap-confine.apparmor.in		diff \| blob \| history