From: Zygmunt Krynicki Date: Mon, 21 Jan 2019 17:55:12 +0000 (+0100) Subject: interfaces/apparmor: mock presence of overlayfs root X-Git-Tag: archive/raspbian/2.37-3+rpi1^2~2 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=973a13572df41c6c4899fb275b53f74a4299cead;p=snapd.git interfaces/apparmor: mock presence of overlayfs root During the release of the snapd 2.37 we noticed that the Debian builds performed in sbuild are failing on several unit tests. The same source package would build file in pbuilder. Investigation uncovered that sbuild is using overlayfs root internally. This is picked up by the apparmor overlayfs detector and causes snapd to generate an additional configuration file for snap-confine. For reference, the offending entry from /proc/self/mountinfo: 228 23 0:40 / / rw,relatime shared:119 - overlay sid-amd64-sbuild rw,lowerdir=/var/lib/schroot/union/underlay/sid-amd64-sbuild-85592074-da40-4faa-8b25-a354b207cdf2,upperdir=/var/lib/schroot/union/overlay/sid-amd64-sbuild-85592074-da40-4faa-8b25-a354b207cdf2/upper,workdir=/var/lib/schroot/union/overlay/sid-amd64-sbuild-85592074-da40-4faa-8b25-a354b207cdf2/work The extra generated file was upsetting tests that looked at /var/lib/snapd/apparmor/snap-confine. Signed-off-by: Zygmunt Krynicki Gbp-Pq: Name 0009-interfaces-apparmor-mock-presence-of-overlayfs-root.patch
---
diff --git a/interfaces/apparmor/backend_test.go b/interfaces/apparmor/backend_test.go
index 7cd9555e..14a54c17 100644
--- a/interfaces/apparmor/backend_test.go
+++ b/interfaces/apparmor/backend_test.go
@@ -939,6 +939,10 @@ func (s *backendSuite) TestSetupSnapConfineGeneratedPolicyNoNFS(c *C) {
 restore := apparmor.MockIsHomeUsingNFS(func() (bool, error) { return false, nil })
 defer restore()
+ // Make it appear as if overlay was not used.
+ restore = apparmor.MockIsRootWritableOverlay(func() (string, error) { return "", nil })
+ defer restore()
+
 // Intercept interaction with apparmor_parser
 cmd := testutil.MockCommand(c, "apparmor_parser", "")
 defer cmd.Restore()
@@ -974,6 +978,10 @@ func (s *backendSuite) testSetupSnapConfineGeneratedPolicyWithNFS(c *C, profileF
 restore := apparmor.MockIsHomeUsingNFS(func() (bool, error) { return true, nil })
 defer restore()
+ // Make it appear as if overlay was not used.
+ restore = apparmor.MockIsRootWritableOverlay(func() (string, error) { return "", nil })
+ defer restore()
+
 // Intercept interaction with apparmor_parser
 cmd := testutil.MockCommand(c, "apparmor_parser", "")
 defer cmd.Restore()
@@ -1031,6 +1039,10 @@ func (s *backendSuite) TestSetupSnapConfineGeneratedPolicyWithNFSAndReExec(c *C)
 restore := apparmor.MockIsHomeUsingNFS(func() (bool, error) { return true, nil })
 defer restore()
+ // Make it appear as if overlay was not used.
+ restore = apparmor.MockIsRootWritableOverlay(func() (string, error) { return "", nil })
+ defer restore()
+
 // Intercept interaction with apparmor_parser
 cmd := testutil.MockCommand(c, "apparmor_parser", "")
 defer cmd.Restore()
@@ -1072,6 +1084,10 @@ func (s *backendSuite) TestSetupSnapConfineGeneratedPolicyError1(c *C) {
 restore := apparmor.MockIsHomeUsingNFS(func() (bool, error) { return false, fmt.Errorf("broken") })
 defer restore()
+ // Make it appear as if overlay was not used.
+ restore = apparmor.MockIsRootWritableOverlay(func() (string, error) { return "", nil })
+ defer restore()
+
 // Intercept interaction with apparmor_parser
 cmd := testutil.MockCommand(c, "apparmor_parser", "")
 defer cmd.Restore()
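Review bot: The overlay mock is pasted by hand into each affected test, starting with TestSetupSnapConfineGeneratedPolicyNoNFS and repeated in the eight hunks that follow, so any test that was missed or is added later will still read the build host's real mount table. These tests assert on generated AppArmor policy, so host state leaking in can make a confinement regression look like a builder quirk, or hide one. Consider installing the mock once in the suite's per-test setup and restoring it in teardown, for example `s.restoreOverlay = apparmor.MockIsRootWritableOverlay(func() (string, error) { return "", nil })` with `restoreOverlay` as a new suite field, and overriding it only in tests that exercise the overlay case. The suite's setup code and the rest of each test body are outside these hunks, so whether such a hook already exists needs checking.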
@@ -1108,6 +1124,10 @@ func (s *backendSuite) TestSetupSnapConfineGeneratedPolicyError2(c *C) {
 restore := apparmor.MockIsHomeUsingNFS(func() (bool, error) { return true, nil })
 defer restore()
+ // Make it appear as if overlay was not used.
+ restore = apparmor.MockIsRootWritableOverlay(func() (string, error) { return "", nil })
+ defer restore()
+
 // Intercept interaction with apparmor_parser
 cmd := testutil.MockCommand(c, "apparmor_parser", "")
 defer cmd.Restore()
@@ -1137,6 +1157,10 @@ func (s *backendSuite) TestSetupSnapConfineGeneratedPolicyError3(c *C) {
 restore := apparmor.MockIsHomeUsingNFS(func() (bool, error) { return true, nil })
 defer restore()
+ // Make it appear as if overlay was not used.
+ restore = apparmor.MockIsRootWritableOverlay(func() (string, error) { return "", nil })
+ defer restore()
+
 // Intercept interaction with apparmor_parser and make it fail.
 cmd := testutil.MockCommand(c, "apparmor_parser", "echo testing; exit 1")
 defer cmd.Restore()
@@ -1193,6 +1217,10 @@ func (s *backendSuite) TestSetupSnapConfineGeneratedPolicyError5(c *C) {
 restore := apparmor.MockIsHomeUsingNFS(func() (bool, error) { return false, nil })
 defer restore()
+ // Make it appear as if overlay was not used.
+ restore = apparmor.MockIsRootWritableOverlay(func() (string, error) { return "", nil })
+ defer restore()
+
 // Intercept interaction with apparmor_parser and make it fail.
 cmd := testutil.MockCommand(c, "apparmor_parser", "")
 defer cmd.Restore()
@@ -1559,6 +1587,8 @@ func (s *backendSuite) TestPtraceTraceRule(c *C) {
 defer restore()
 restore = apparmor.MockIsHomeUsingNFS(func() (bool, error) { return false, nil })
 defer restore()
+ restore = apparmor.MockIsRootWritableOverlay(func() (string, error) { return "", nil })
+ defer restore()
 needle := `deny ptrace (trace),`
 for _, tc := range []struct {
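Review bot: The two mock lines added in TestPtraceTraceRule, and again in TestHomeIxRule in the next hunk, carry no comment, unlike the other seven hunks. Nothing at these sites says why a test about rule content needs an overlay mock. Add the same `// Make it appear as if overlay was not used.` line above `restore = apparmor.MockIsRootWritableOverlay(...)`, ideally extended to say that, per the commit message, an overlayfs root makes snapd generate an additional snap-confine configuration file. Both test bodies start and end outside the hunks.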
@@ -1704,6 +1734,8 @@ func (s *backendSuite) TestHomeIxRule(c *C) {
 defer restore()
 restore = apparmor.MockIsHomeUsingNFS(func() (bool, error) { return false, nil })
 defer restore()
+ restore = apparmor.MockIsRootWritableOverlay(func() (string, error) { return "", nil })
+ defer restore()
 for _, tc := range []struct {
 opts interfaces.ConfinementOptions