From 973a13572df41c6c4899fb275b53f74a4299cead Mon Sep 17 00:00:00 2001
From: Zygmunt Krynicki
Date: Mon, 21 Jan 2019 18:55:12 +0100
Subject: [PATCH] interfaces/apparmor: mock presence of overlayfs root
During the release of the snapd 2.37 we noticed that the Debian builds performed in sbuild are failing on several unit tests. The same source package would build file in pbuilder. Investigation uncovered that sbuild is using overlayfs root internally. This is picked up by the apparmor overlayfs detector and causes snapd to generate an additional configuration file for snap-confine. For reference, the offending entry from /proc/self/mountinfo: 228 23 0:40 / / rw,relatime shared:119 - overlay sid-amd64-sbuild rw,lowerdir=/var/lib/schroot/union/underlay/sid-amd64-sbuild-85592074-da40-4faa-8b25-a354b207cdf2,upperdir=/var/lib/schroot/union/overlay/sid-amd64-sbuild-85592074-da40-4faa-8b25-a354b207cdf2/upper,workdir=/var/lib/schroot/union/overlay/sid-amd64-sbuild-85592074-da40-4faa-8b25-a354b207cdf2/work The extra generated file was upsetting tests that looked at /var/lib/snapd/apparmor/snap-confine.
Signed-off-by: Zygmunt Krynicki
Gbp-Pq: Name 0009-interfaces-apparmor-mock-presence-of-overlayfs-root.patch
---
 interfaces/apparmor/backend_test.go | 32 +++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)
diff --git a/interfaces/apparmor/backend_test.go b/interfaces/apparmor/backend_test.go
index 7cd9555e..14a54c17 100644
--- a/interfaces/apparmor/backend_test.go
+++ b/interfaces/apparmor/backend_test.go
@@ -939,6 +939,10 @@ func (s *backendSuite) TestSetupSnapConfineGeneratedPolicyNoNFS(c *C) {
 restore := apparmor.MockIsHomeUsingNFS(func() (bool, error) { return false, nil })
 defer restore()
+ // Make it appear as if overlay was not used.
+ restore = apparmor.MockIsRootWritableOverlay(func() (string, error) { return "", nil })
+ defer restore()
+
 // Intercept interaction with apparmor_parser
 cmd := testutil.MockCommand(c, "apparmor_parser", "")
 defer cmd.Restore()
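Review bot: The overlay stub is pasted into nine tests (this hunk in TestSetupSnapConfineGeneratedPolicyNoNFS and the eight hunks that follow) rather than installed once for the suite, so any test not patched here, or added later, would presumably still read the build host's mount table and could emit the extra snap-confine file described in the commit message. These tests assert on generated AppArmor policy, so their outcome should not depend on the host's root filesystem. Consider moving `restore = apparmor.MockIsRootWritableOverlay(func() (string, error) { return "", nil })` into the suite's per-test setup and calling the returned function in teardown, keeping per-test overrides only where overlay is meant to be present. The numbering jumps from Error3 to Error5, so a test in between probably exists and is untouched; whether it reaches the detector cannot be confirmed from these hunks, whose function bodies continue outside the visible context.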
@@ -974,6 +978,10 @@ func (s *backendSuite) testSetupSnapConfineGeneratedPolicyWithNFS(c *C, profileF
 restore := apparmor.MockIsHomeUsingNFS(func() (bool, error) { return true, nil })
 defer restore()
+ // Make it appear as if overlay was not used.
+ restore = apparmor.MockIsRootWritableOverlay(func() (string, error) { return "", nil })
+ defer restore()
+
 // Intercept interaction with apparmor_parser
 cmd := testutil.MockCommand(c, "apparmor_parser", "")
 defer cmd.Restore()
@@ -1031,6 +1039,10 @@ func (s *backendSuite) TestSetupSnapConfineGeneratedPolicyWithNFSAndReExec(c *C)
 restore := apparmor.MockIsHomeUsingNFS(func() (bool, error) { return true, nil })
 defer restore()
+ // Make it appear as if overlay was not used.
+ restore = apparmor.MockIsRootWritableOverlay(func() (string, error) { return "", nil })
+ defer restore()
+
 // Intercept interaction with apparmor_parser
 cmd := testutil.MockCommand(c, "apparmor_parser", "")
 defer cmd.Restore()
@@ -1072,6 +1084,10 @@ func (s *backendSuite) TestSetupSnapConfineGeneratedPolicyError1(c *C) {
 restore := apparmor.MockIsHomeUsingNFS(func() (bool, error) { return false, fmt.Errorf("broken") })
 defer restore()
+ // Make it appear as if overlay was not used.
+ restore = apparmor.MockIsRootWritableOverlay(func() (string, error) { return "", nil })
+ defer restore()
+
 // Intercept interaction with apparmor_parser
 cmd := testutil.MockCommand(c, "apparmor_parser", "")
 defer cmd.Restore()
@@ -1108,6 +1124,10 @@ func (s *backendSuite) TestSetupSnapConfineGeneratedPolicyError2(c *C) {
 restore := apparmor.MockIsHomeUsingNFS(func() (bool, error) { return true, nil })
 defer restore()
+ // Make it appear as if overlay was not used.
+ restore = apparmor.MockIsRootWritableOverlay(func() (string, error) { return "", nil })
+ defer restore()
+
 // Intercept interaction with apparmor_parser
 cmd := testutil.MockCommand(c, "apparmor_parser", "")
 defer cmd.Restore()
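Review bot: Every stub added by this patch returns `("", nil)`, so the hunks leave the detector's other two outcomes unpinned: a non-empty string (presumably the overlay's upper directory) and an error. TestSetupSnapConfineGeneratedPolicyError1 already exercises a failing NFS probe with `fmt.Errorf("broken")`; a sibling case stubbing `apparmor.MockIsRootWritableOverlay(func() (string, error) { return "", fmt.Errorf("broken") })` would show whether setup aborts or writes snap-confine policy without the overlay rule. A positive case with a constructed path such as `"/upper"` would also pin the contents of the extra policy file that prompted this fix. Such tests may already exist elsewhere in backend_test.go; the hunks do not show them.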
@@ -1137,6 +1157,10 @@ func (s *backendSuite) TestSetupSnapConfineGeneratedPolicyError3(c *C) {
 restore := apparmor.MockIsHomeUsingNFS(func() (bool, error) { return true, nil })
 defer restore()
+ // Make it appear as if overlay was not used.
+ restore = apparmor.MockIsRootWritableOverlay(func() (string, error) { return "", nil })
+ defer restore()
+
 // Intercept interaction with apparmor_parser and make it fail.
 cmd := testutil.MockCommand(c, "apparmor_parser", "echo testing; exit 1")
 defer cmd.Restore()
@@ -1193,6 +1217,10 @@ func (s *backendSuite) TestSetupSnapConfineGeneratedPolicyError5(c *C) {
 restore := apparmor.MockIsHomeUsingNFS(func() (bool, error) { return false, nil })
 defer restore()
+ // Make it appear as if overlay was not used.
+ restore = apparmor.MockIsRootWritableOverlay(func() (string, error) { return "", nil })
+ defer restore()
+
 // Intercept interaction with apparmor_parser and make it fail.
 cmd := testutil.MockCommand(c, "apparmor_parser", "")
 defer cmd.Restore()
@@ -1559,6 +1587,8 @@ func (s *backendSuite) TestPtraceTraceRule(c *C) {
 defer restore()
 restore = apparmor.MockIsHomeUsingNFS(func() (bool, error) { return false, nil })
 defer restore()
+ restore = apparmor.MockIsRootWritableOverlay(func() (string, error) { return "", nil })
+ defer restore()
 needle := `deny ptrace (trace),`
 for _, tc := range []struct {
@@ -1704,6 +1734,8 @@ func (s *backendSuite) TestHomeIxRule(c *C) {
 defer restore()
 restore = apparmor.MockIsHomeUsingNFS(func() (bool, error) { return false, nil })
 defer restore()
+ restore = apparmor.MockIsRootWritableOverlay(func() (string, error) { return "", nil })
+ defer restore()
 for _, tc := range []struct {
 opts interfaces.ConfinementOptions
--
2.30.2
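Review bot: The stubs added to TestPtraceTraceRule and TestHomeIxRule carry no comment, unlike the seven earlier hunks, and each follows at least two other `restore = ...` mocks visible in the context, so the reason for one more is easy to miss. I would add `// Make it appear as if overlay was not used.` above each new `restore = apparmor.MockIsRootWritableOverlay(...)` line, matching the rest of the patch. Both function bodies start and end outside the hunks.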