snapcore / snap-confine Goto Github PK

To make development of the whole stack smoother and benefit from the advanced QA done on the snapd tree we've decided to merge snap-confine into snapd effective immediately.

This project will be updated to contain a shim README file when the move is complete.

please add an option to disable test compilation and not require glib2 devel files,
it's a pain to compile glib2 (and all its dependencies) on openwrt

Bind mounting /var/lib/snapd/seccomp also seems to fail with this:
DEBUG: bind mounting /var/lib/snapd/seccomp to /tmp/snap.rootfs_TjFah9/var/lib/snapd/seccomp
cannot bind mount /var/lib/snapd/seccomp to /tmp/snap.rootfs_TjFah9/var/lib/snapd/seccomp. errmsg: No such file or directory

The checkbox test-runner includes a couple of tests where we run other snaps commands.
With recent versions it stopped working and the common error msg is:

cannot open mount namespace file for namespace group tpm. errmsg: Permission denied

Here tpm is just because I was calling tpm commands, but hit the same msg with docker commands.

For security reasons, my system only allows root to view dmesg, so 3 of the snap-confine tests fail with an "Operation not permitted" error. Is there a way the checks could be modified so this doesn't result in failures? Here is the test-suite.log:
/===============================================
snap-confine 1.0.34: tests/test-suite.log
/===============================================

/# TOTAL: 19
/# PASS: 16
/# SKIP: 0
/# XFAIL: 0
/# FAIL: 3
/# XPASS: 0
/# ERROR: 0

.. contents:: :depth: 2

FAIL: test_complain_missed
/==========================

Test that near misses of complain fail./test_complain_missed: line 30: 15052 Bad system call "$L" snap.name.app /bin/true 2> /dev/null
dmesg: read kernel buffer failed: Operation not permitted
: FAIL
FAIL test_complain_missed (exit status: 1)

FAIL: test_restrictions
/=======================

Test that seccomp filtering kills processes./test_restrictions: line 25: 15064 Bad system call "$L" snap.name.app /bin/true 2> /dev/null
dmesg: read kernel buffer failed: Operation not permitted
: FAIL
FAIL test_restrictions (exit status: 1)

FAIL: test_unrestricted_missed
/==============================

Test that near misses of unrestricted fail./test_unrestricted_missed: line 30: 15166 Bad system call "$L" snap.name.app /bin/true 2> /dev/null
dmesg: read kernel buffer failed: Operation not permitted
: FAIL
FAIL test_unrestricted_missed (exit status: 1)

mount-support.c:362]: (style) Array index 'offset' is used before limits check.

mount-support.c:362]: (style) Array index 'offset' is used before limits check.

Suggest sanity check array indexes before use, not after.