many: add components to interfaces.SnapAppSet #13837
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
github-actions
bot
added
the
Needs Documentation -auto-
andrewphelpsj
force-pushed
the
components-in-app-set
branch
from
ad8a7c7
to
8145020
Compare
andrewphelpsj
force-pushed
the
components-in-app-set
branch
from
8145020
to
5f5b3ab
Compare
github-actions
bot
removed
the
Needs Documentation -auto-
pedronis
reviewed
Apr 17, 2024
| func NewSnapAppSet(info *snap.Info, components []*snap.ComponentInfo) (*SnapAppSet, error) { | ||
| for _, c := range components { | ||
| if c.Component.SnapName != info.SnapName() { | ||
| return nil, fmt.Errorf("internal error: snap %q does not own component %q", info.SnapName(), c.Component) |
There was a problem hiding this comment.
do we want a test for this?
interfaces/snap_app_set_test.go
Outdated
There was a problem hiding this comment.
I'm getting:
FAIL: snap_app_set_test.go:155: snapAppSetSuite.TestPlugSecurityTags
snap_app_set_test.go:168:
compInfo := snaptest.MockComponent(c, "component: name+comp\ntype: test\nversion: 1", info)
/home/pedronis/canonical/go-ws/src/github.com/snapcore/snapd/snap/snaptest/snaptest.go:102:
c.Assert(err, check.IsNil)
... value *fs.PathError = &fs.PathError{Op:"mkdir", Path:"/snap/name", Err:0xd} ("mkdir /snap/name: permission denied")
overlord/ifacestate/helpers.go
Outdated
| @@ -175,7 +175,13 @@ func (m *InterfaceManager) regenerateAllSecurityProfiles(tm timings.Measurer) er | |||
| // TODO: should snapsWithSecurityProfiles return app sets instead of snap infos? | |||
| appSets := make([]*interfaces.SnapAppSet, 0, len(snaps)) | |||
| for _, sn := range snaps { | |||
| appSets = append(appSets, interfaces.NewSnapAppSet(sn)) | |||
|
|
|||
There was a problem hiding this comment.
not sure we need/want this newline
andrewphelpsj
force-pushed
the
components-in-app-set
branch
from
aeb321c
to
55c399a
Compare
alfonsosanchezbeato
approved these changes
May 2, 2024
|
@andrewphelpsj can you please merge or rebase to reduce the diff and see how it fares on latest code please? |
andrewphelpsj
force-pushed
the
components-in-app-set
branch
from
0f3233b
to
ae6e4f2
Compare
|
@zyga rebased! would like to get this merged soon if I can get a clean test run. |
The diff is still 2500 lines or so, is that expected? |
|
Unfortunately yes, there were a lot of unit tests to update for all of the different interfaces. The actual code changes are pretty small: |
… components from the wrong snap
… from the wrong snap
andrewphelpsj
force-pushed
the
components-in-app-set
branch
from
ae6e4f2
to
ad61f0a
Compare
|
Rebased again to bring in 58dfc18 so that spread can pass on amazon linux. |
jslarraz
added a commit
to jslarraz/snapd
that referenced
this pull request
Jun 10, 2024
…components to interfaces.SnapAppSet (canonical#13837))
ernestl
pushed a commit
that referenced
this pull request
Jul 4, 2024
* sandbox/apparmor: add GenerateAAREExclusionPatterns This function is generic (and complex) enough to be able to handle all of the overlapping and wildcard behavior we need in docker-support, and it could also serve to replace numerous other places in the codebase where we need this sort of complex behavior. It is a generalization of the existing aareExclusionPatterns helper, though it's actually unclear if this exact implementation will currently be able to serve the use case from that helper directly or if more options/adjustments are needed to enable that use case as well. To keep the diff smaller, this patch does not actually change any of the profiles/interfaces, just TODO's are left for where to use it. Note that the generated rules are slightly more condensed in terms of number of rules but significantly more verbose in terms of alternations, not sharing more of repeated substrings between alternations inside the patterns. This was done explicitly to keep the generating code simpler and easier to understand, but it may prove to have performance effects, either detrimental or benevolent but that should be measured before deciding to make the generation code even more complex than it already is. Signed-off-by: Ian Johnson <[email protected]> * interfaces/docker-support: generate AARE exclusion patterns with helper func Signed-off-by: Ian Johnson <[email protected]> * sandbox/apparmor: unexport helper functions These were not meant to be exported, only the fully generic one is meant to be exported. Signed-off-by: Ian Johnson <[email protected]> * sandbox/apparmor: fix bug mis-sorting capitalized letters in AARE exclude patt Thanks to Alberto for spotting this :-) Signed-off-by: Ian Johnson <[email protected]> * sandbox/apparmor: fix format issues introduced during rebase * sandbox/apparmor: simplify generateAAREExclusionPatternsGenericImpl * sandbox/apparmor: add checks for unsupported cases and improve documentation * sandbox/apparmor: update tests to compare the apparmor binary instead of source * interfaces/builtin/docker_support: check if userns is supported before adding it to the profile * interfaces/builtin/docker_support: fix dependencies * sandbox/apparmor: use placeholders * i/b/docker_support_test: update TestGenerateAAREExclusionPatterns to use SnapAppSet * testutil/apparmor: use go crypto/sha1 module instead of system sha1sum command * {sandbox,testutil}/apparmor: minor format fixes * move helper to find common prefix to strutil * add copyright info * use string builder * i/b/docker_support_test.go: update accordingly to 277fbc2 (many: add components to interfaces.SnapAppSet (#13837)) * strutil/commonprefix.go: remove extra empty line * sandbox/apparmor/apparmor.go: sort prefixes to ensure profile is always the same * sandbox/apparmor/apparmor.go: remove extra empty line * i/b/docker_support_test: skip TestGenerateAAREExclusionPatterns is apparmor_parser is not usable --------- Signed-off-by: Ian Johnson <[email protected]> Co-authored-by: Ian Johnson <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This change adds components to interfaces.SnapAppSet, and it adds an error to be returned from interfaces.NewSnapAppSet. This error currently is currently only used to indicate if any components added to the app set are not from the snap that the app set is based off of.
Based on #13774, first relevant commit is 58a0ab3