interfaces/apparmor: mock presence of overlayfs root

During the release of the snapd 2.37 we noticed that the Debian
builds performed in sbuild are failing on several unit tests. The same
source package would build file in pbuilder.

Investigation uncovered that sbuild is using overlayfs root internally.
This is picked up by the apparmor overlayfs detector and causes snapd to
generate an additional configuration file for snap-confine.

For reference, the offending entry from /proc/self/mountinfo:

	228 23 0:40 / / rw,relatime shared:119 - overlay sid-amd64-sbuild rw,lowerdir=/var/lib/schroot/union/underlay/sid-amd64-sbuild-85592074-da40-4faa-8b25-a354b207cdf2,upperdir=/var/lib/schroot/union/overlay/sid-amd64-sbuild-85592074-da40-4faa-8b25-a354b207cdf2/upper,workdir=/var/lib/schroot/union/overlay/sid-amd64-sbuild-85592074-da40-4faa-8b25-a354b207cdf2/work

The extra generated file was upsetting tests that looked at
/var/lib/snapd/apparmor/snap-confine.

Signed-off-by: Zygmunt Krynicki <me@zygoon.pl>
Gbp-Pq: Name 0009-interfaces-apparmor-mock-presence-of-overlayfs-root.patch

diff --git a/interfaces/apparmor/backend_test.go b/interfaces/apparmor/backend_test.go
index 7cd9555e70e0db15d780c7999f9cc8fa3fd12aa3..14a54c1751ee496e25e9a7e417660e6d223d8d15 100644 (file)
--- a/interfaces/apparmor/backend_test.go
+++ b/interfaces/apparmor/backend_test.go
@@ -939,6 +939,10 @@ func (s *backendSuite) TestSetupSnapConfineGeneratedPolicyNoNFS(c *C) {
        restore := apparmor.MockIsHomeUsingNFS(func() (bool, error) { return false, nil })
        defer restore()
 
+       // Make it appear as if overlay was not used.
+       restore = apparmor.MockIsRootWritableOverlay(func() (string, error) { return "", nil })
+       defer restore()
+
        // Intercept interaction with apparmor_parser
        cmd := testutil.MockCommand(c, "apparmor_parser", "")
        defer cmd.Restore()
@@ -974,6 +978,10 @@ func (s *backendSuite) testSetupSnapConfineGeneratedPolicyWithNFS(c *C, profileF
        restore := apparmor.MockIsHomeUsingNFS(func() (bool, error) { return true, nil })
        defer restore()
 
+       // Make it appear as if overlay was not used.
+       restore = apparmor.MockIsRootWritableOverlay(func() (string, error) { return "", nil })
+       defer restore()
+
        // Intercept interaction with apparmor_parser
        cmd := testutil.MockCommand(c, "apparmor_parser", "")
        defer cmd.Restore()
@@ -1031,6 +1039,10 @@ func (s *backendSuite) TestSetupSnapConfineGeneratedPolicyWithNFSAndReExec(c *C)
        restore := apparmor.MockIsHomeUsingNFS(func() (bool, error) { return true, nil })
        defer restore()
 
+       // Make it appear as if overlay was not used.
+       restore = apparmor.MockIsRootWritableOverlay(func() (string, error) { return "", nil })
+       defer restore()
+
        // Intercept interaction with apparmor_parser
        cmd := testutil.MockCommand(c, "apparmor_parser", "")
        defer cmd.Restore()
@@ -1072,6 +1084,10 @@ func (s *backendSuite) TestSetupSnapConfineGeneratedPolicyError1(c *C) {
        restore := apparmor.MockIsHomeUsingNFS(func() (bool, error) { return false, fmt.Errorf("broken") })
        defer restore()
 
+       // Make it appear as if overlay was not used.
+       restore = apparmor.MockIsRootWritableOverlay(func() (string, error) { return "", nil })
+       defer restore()
+
        // Intercept interaction with apparmor_parser
        cmd := testutil.MockCommand(c, "apparmor_parser", "")
        defer cmd.Restore()
@@ -1108,6 +1124,10 @@ func (s *backendSuite) TestSetupSnapConfineGeneratedPolicyError2(c *C) {
        restore := apparmor.MockIsHomeUsingNFS(func() (bool, error) { return true, nil })
        defer restore()
 
+       // Make it appear as if overlay was not used.
+       restore = apparmor.MockIsRootWritableOverlay(func() (string, error) { return "", nil })
+       defer restore()
+
        // Intercept interaction with apparmor_parser
        cmd := testutil.MockCommand(c, "apparmor_parser", "")
        defer cmd.Restore()
@@ -1137,6 +1157,10 @@ func (s *backendSuite) TestSetupSnapConfineGeneratedPolicyError3(c *C) {
        restore := apparmor.MockIsHomeUsingNFS(func() (bool, error) { return true, nil })
        defer restore()
 
+       // Make it appear as if overlay was not used.
+       restore = apparmor.MockIsRootWritableOverlay(func() (string, error) { return "", nil })
+       defer restore()
+
        // Intercept interaction with apparmor_parser and make it fail.
        cmd := testutil.MockCommand(c, "apparmor_parser", "echo testing; exit 1")
        defer cmd.Restore()
@@ -1193,6 +1217,10 @@ func (s *backendSuite) TestSetupSnapConfineGeneratedPolicyError5(c *C) {
        restore := apparmor.MockIsHomeUsingNFS(func() (bool, error) { return false, nil })
        defer restore()
 
+       // Make it appear as if overlay was not used.
+       restore = apparmor.MockIsRootWritableOverlay(func() (string, error) { return "", nil })
+       defer restore()
+
        // Intercept interaction with apparmor_parser and make it fail.
        cmd := testutil.MockCommand(c, "apparmor_parser", "")
        defer cmd.Restore()
@@ -1559,6 +1587,8 @@ func (s *backendSuite) TestPtraceTraceRule(c *C) {
        defer restore()
        restore = apparmor.MockIsHomeUsingNFS(func() (bool, error) { return false, nil })
        defer restore()
+       restore = apparmor.MockIsRootWritableOverlay(func() (string, error) { return "", nil })
+       defer restore()
 
        needle := `deny ptrace (trace),`
        for _, tc := range []struct {
@@ -1704,6 +1734,8 @@ func (s *backendSuite) TestHomeIxRule(c *C) {
        defer restore()
        restore = apparmor.MockIsHomeUsingNFS(func() (bool, error) { return false, nil })
        defer restore()
+       restore = apparmor.MockIsRootWritableOverlay(func() (string, error) { return "", nil })
+       defer restore()
 
        for _, tc := range []struct {
                opts     interfaces.ConfinementOptions