-
Notifications
You must be signed in to change notification settings - Fork 574
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
many: add components to interfaces.SnapAppSet #13837
many: add components to interfaces.SnapAppSet #13837
Conversation
ad8a7c7
to
8145020
Compare
8145020
to
5f5b3ab
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
thanks, here I see an issue with unit tests? missing a dirs.SetRootDir?
func NewSnapAppSet(info *snap.Info, components []*snap.ComponentInfo) (*SnapAppSet, error) { | ||
for _, c := range components { | ||
if c.Component.SnapName != info.SnapName() { | ||
return nil, fmt.Errorf("internal error: snap %q does not own component %q", info.SnapName(), c.Component) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
do we want a test for this?
interfaces/snap_app_set_test.go
Outdated
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm getting:
FAIL: snap_app_set_test.go:155: snapAppSetSuite.TestPlugSecurityTags
snap_app_set_test.go:168:
compInfo := snaptest.MockComponent(c, "component: name+comp\ntype: test\nversion: 1", info)
/home/pedronis/canonical/go-ws/src/github.com/snapcore/snapd/snap/snaptest/snaptest.go:102:
c.Assert(err, check.IsNil)
... value *fs.PathError = &fs.PathError{Op:"mkdir", Path:"/snap/name", Err:0xd} ("mkdir /snap/name: permission denied")
overlord/ifacestate/helpers.go
Outdated
@@ -175,7 +175,13 @@ func (m *InterfaceManager) regenerateAllSecurityProfiles(tm timings.Measurer) er | |||
// TODO: should snapsWithSecurityProfiles return app sets instead of snap infos? | |||
appSets := make([]*interfaces.SnapAppSet, 0, len(snaps)) | |||
for _, sn := range snaps { | |||
appSets = append(appSets, interfaces.NewSnapAppSet(sn)) | |||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
not sure we need/want this newline
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
thank you
aeb321c
to
55c399a
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, thanks. Just a small question.
@andrewphelpsj can you please merge or rebase to reduce the diff and see how it fares on latest code please? |
0f3233b
to
ae6e4f2
Compare
@zyga rebased! would like to get this merged soon if I can get a clean test run. |
The diff is still 2500 lines or so, is that expected? |
Unfortunately yes, there were a lot of unit tests to update for all of the different interfaces. The actual code changes are pretty small:
|
… components from the wrong snap
… from the wrong snap
ae6e4f2
to
ad61f0a
Compare
Rebased again to bring in 58dfc18 so that spread can pass on amazon linux. |
…components to interfaces.SnapAppSet (canonical#13837))
* sandbox/apparmor: add GenerateAAREExclusionPatterns This function is generic (and complex) enough to be able to handle all of the overlapping and wildcard behavior we need in docker-support, and it could also serve to replace numerous other places in the codebase where we need this sort of complex behavior. It is a generalization of the existing aareExclusionPatterns helper, though it's actually unclear if this exact implementation will currently be able to serve the use case from that helper directly or if more options/adjustments are needed to enable that use case as well. To keep the diff smaller, this patch does not actually change any of the profiles/interfaces, just TODO's are left for where to use it. Note that the generated rules are slightly more condensed in terms of number of rules but significantly more verbose in terms of alternations, not sharing more of repeated substrings between alternations inside the patterns. This was done explicitly to keep the generating code simpler and easier to understand, but it may prove to have performance effects, either detrimental or benevolent but that should be measured before deciding to make the generation code even more complex than it already is. Signed-off-by: Ian Johnson <[email protected]> * interfaces/docker-support: generate AARE exclusion patterns with helper func Signed-off-by: Ian Johnson <[email protected]> * sandbox/apparmor: unexport helper functions These were not meant to be exported, only the fully generic one is meant to be exported. Signed-off-by: Ian Johnson <[email protected]> * sandbox/apparmor: fix bug mis-sorting capitalized letters in AARE exclude patt Thanks to Alberto for spotting this :-) Signed-off-by: Ian Johnson <[email protected]> * sandbox/apparmor: fix format issues introduced during rebase * sandbox/apparmor: simplify generateAAREExclusionPatternsGenericImpl * sandbox/apparmor: add checks for unsupported cases and improve documentation * sandbox/apparmor: update tests to compare the apparmor binary instead of source * interfaces/builtin/docker_support: check if userns is supported before adding it to the profile * interfaces/builtin/docker_support: fix dependencies * sandbox/apparmor: use placeholders * i/b/docker_support_test: update TestGenerateAAREExclusionPatterns to use SnapAppSet * testutil/apparmor: use go crypto/sha1 module instead of system sha1sum command * {sandbox,testutil}/apparmor: minor format fixes * move helper to find common prefix to strutil * add copyright info * use string builder * i/b/docker_support_test.go: update accordingly to 277fbc2 (many: add components to interfaces.SnapAppSet (#13837)) * strutil/commonprefix.go: remove extra empty line * sandbox/apparmor/apparmor.go: sort prefixes to ensure profile is always the same * sandbox/apparmor/apparmor.go: remove extra empty line * i/b/docker_support_test: skip TestGenerateAAREExclusionPatterns is apparmor_parser is not usable --------- Signed-off-by: Ian Johnson <[email protected]> Co-authored-by: Ian Johnson <[email protected]>
This change adds components to interfaces.SnapAppSet, and it adds an error to be returned from interfaces.NewSnapAppSet. This error currently is currently only used to indicate if any components added to the app set are not from the snap that the app set is based off of.
Based on #13774, first relevant commit is 58a0ab3