c/snap-confine, i/udev, i/ifacetest: update snap-confine and snap-device-helper to understand component hook security tags (#13775)

* i/udev, c/snap-confine, c/libsnap-confine-private, c/snap-device-helper: update snap-confine to be able to handle security tags that come from component hooks

An example of a security tag from a component hook would be:
"snap.name+comp.hook.install"

And one with an instance key:
"snap.name_instance+comp.hook.install"

Something important to note is how these are encoded as udev tags. Currently, when converting a security tag to a udev tag, we replace all '.' characters in the tag with '_' characters because systemd limits udev tags to having only alphanumeric characters, with the addition of the characters '-' and '_'.

Since security tags can now contain '+' characters, those will be encoded as two consecutive '_' characters.

For example:
"snap.name+comp.hook.install" -> "snap_name__comp_hook_install"
"snap.name_instance+comp.hook.install" -> "snap_name_instance__comp_hook_install"

This allows the conversion to maintain its reversibility.

* i/udev, i/ifacetest: create udev tags for component hooks that encode + as __

* c/libsnap-confine-private: update regmatch_t array to have space for all matches

* c/libsnap-confine-private: rename sc_snap_or_component_name_validate to validate_as_snap_or_component_name

* c/libsnap-confine-private: rework validate_as_snap_or_component_name to take in error details

* c/libsnap-confine-private: fix incorrectly named variable

* c/libsnap-confine-private: assert size of regex match array

* c/libsnap-confine-private: test a few more cases in sc_snap_component_validate

Make sure it fails to validate component names with instance keys, test that we fail to validate a component name that matches against a wrong instance key.

* c/snap-device-helper: fix variable naming inconsistency

* c/libsnap-confine-private: add missing sc_error_free calls to new unit tests

* c/snap-confine: add missing free in sc_cleanup_invocation for new struct field

* c/libsnap-confine-private: update comment on SC_SNAP_INVALID_COMPONENT

* c/libsnap-confine-private: replace sizeof math with anonymous enum as array size

* c/libsnap-confine-private: only call strlen on component_name once

* c/libsnap-confine-private: add tests for NULL checks in sc_string_split

* c/libsnap-confine-private: replace for with while

* c/libsnap-confine-private: rename sc_string_split function params for clarity

* .woke.yaml: add exclusions for files that contain pre-existing issues
1 parent 30be453, commit 98b4e32

Showing 16 changed files with 909 additions and 269 deletions.