snapcore / snap-confine
Low-level tool for setting up and confining snap application processes
To make development of the whole stack smoother and benefit from the advanced QA done on the snapd tree we've decided to merge snap-confine into snapd effective immediately.
This project will be updated to contain a shim README file when the move is complete.
Please add an option to disable test compilation and not require glib2 devel files;
it's a pain to compile glib2 (and all its dependencies) on OpenWrt.
Bind mounting /var/lib/snapd/seccomp also seems to fail with this:
DEBUG: bind mounting /var/lib/snapd/seccomp to /tmp/snap.rootfs_TjFah9/var/lib/snapd/seccomp
cannot bind mount /var/lib/snapd/seccomp to /tmp/snap.rootfs_TjFah9/var/lib/snapd/seccomp. errmsg: No such file or directory
The checkbox test-runner includes a couple of tests where we run other snaps' commands.
With recent versions it stopped working and the common error message is:
cannot open mount namespace file for namespace group tpm. errmsg: Permission denied
Here tpm is just because I was calling tpm commands, but I hit the same message with docker commands.
For security reasons, my system only allows root to view dmesg, so 3 of the snap-confine tests fail with an "Operation not permitted" error. Is there a way the checks could be modified so this doesn't result in failures? Here is the test-suite.log:
===============================================
snap-confine 1.0.34: tests/test-suite.log
===============================================
# TOTAL: 19
# PASS: 16
# SKIP: 0
# XFAIL: 0
# FAIL: 3
# XPASS: 0
# ERROR: 0
FAIL: test_complain_missed
==========================
Test that near misses of complain fail.
./test_complain_missed: line 30: 15052 Bad system call "$L" snap.name.app /bin/true 2> /dev/null
dmesg: read kernel buffer failed: Operation not permitted
: FAIL
FAIL test_complain_missed (exit status: 1)
FAIL: test_restrictions
=======================
Test that seccomp filtering kills processes.
./test_restrictions: line 25: 15064 Bad system call "$L" snap.name.app /bin/true 2> /dev/null
dmesg: read kernel buffer failed: Operation not permitted
: FAIL
FAIL test_restrictions (exit status: 1)
FAIL: test_unrestricted_missed
==============================
Test that near misses of unrestricted fail.
./test_unrestricted_missed: line 30: 15166 Bad system call "$L" snap.name.app /bin/true 2> /dev/null
dmesg: read kernel buffer failed: Operation not permitted
: FAIL
FAIL test_unrestricted_missed (exit status: 1)
[mount-support.c:362]: (style) Array index 'offset' is used before limits check.
Suggest sanity-checking array indexes before use, not after.
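The ordering cppcheck is complaining about, shown on a constructed path-joining helper of the kind a confinement tool builds mount targets with. This is an added example, not snap-confine's mount-support.c: PATH_BUF, append_unchecked, append_checked and join_mount_path are all made up for the illustration, and the sample paths are modelled on the /tmp/snap.rootfs_... paths in the log above.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define PATH_BUF 32   /* deliberately small so the overflow case is easy to construct */

/* VULNERABLE ordering (the pattern cppcheck flagged): the store into
 * buf[*offset] happens first and the limit is compared afterwards, so when
 * *offset reaches PATH_BUF one byte is written past the end of buf before
 * the check can reject it. Shown for contrast only; never call it. */
bool append_unchecked(char buf[PATH_BUF], size_t *offset, const char *s)
{
    for (; *s; s++) {
        buf[*offset] = *s;          /* index used ...                    */
        if (*offset >= PATH_BUF)    /* ... before limits check: too late */
            return false;
        (*offset)++;
    }
    return true;
}

/* FIXED ordering: the bound is checked before every store, one byte is
 * reserved for the terminator, and the buffer is always left as a valid
 * NUL-terminated string even when the append is refused. */
bool append_checked(char buf[PATH_BUF], size_t *offset, const char *s)
{
    for (; *s; s++) {
        if (*offset + 1 >= PATH_BUF) {   /* would leave no room for '\0' */
            buf[*offset] = '\0';
            return false;
        }
        buf[(*offset)++] = *s;
    }
    buf[*offset] = '\0';
    return true;
}

/* Joins root + "/" + rel into buf (constructed helper). Returns false when
 * the path does not fit; buf then holds the truncated, NUL-terminated prefix. */
bool join_mount_path(char buf[PATH_BUF], const char *root, const char *rel)
{
    size_t offset = 0;
    buf[0] = '\0';
    return append_checked(buf, &offset, root)
        && append_checked(buf, &offset, "/")
        && append_checked(buf, &offset, rel);
}
```

With a 32-byte buffer, joining "/tmp/snap.rootfs" with "var/lib/snapd/seccomp" is refused and leaves the 31-character prefix "/tmp/snap.rootfs/var/lib/snapd/" behind, whereas the unchecked variant would have stored a byte at buf[32] first.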