snap-confine

Merge lp://qastaging/~jdstrand/snap-confine/ubuntu-core-launcher.pts into lp://qastaging/~snappy-dev/snap-confine/trunk

  1. ubuntu-core-launcher.pts
  2. Merge into trunk
Proposed by Jamie Strandboge
Status: Merged
Merged at revision: 100
Proposed branch: lp://qastaging/~jdstrand/snap-confine/ubuntu-core-launcher.pts
Merge into: lp://qastaging/~snappy-dev/snap-confine/trunk
Prerequisite: lp://qastaging/~jdstrand/snap-confine/ubuntu-core-launcher.nnp-off
Diff against target: 80 lines (+41/-0)
3 files modified
debian/changelog (+2/-0)
debian/usr.bin.ubuntu-core-launcher (+2/-0)
src/main.c (+37/-0)
To merge this branch: bzr merge lp://qastaging/~jdstrand/snap-confine/ubuntu-core-launcher.pts
Reviewer Review Type Date Requested Status
Seth Arnold Approve
Review via email: mp+289686@code.qastaging.launchpad.net

This proposal supersedes a proposal from 2016-03-21.

Description of the change

Setup private /dev/pts

To post a comment you must log in.
Revision history for this message
Seth Arnold (seth-arnold) wrote :

This looks good with a few caveats:

- AppArmor "ought to" support something like "options=newinstance" so that
  we can reject any mounts that may violate our expectations. "Ought to"
  since it looks like the parser and kernel were written with this in mind
  but I can't figure out how to make it work.

- We really shouldn't be afraid to modify our startup routines to do the
  right thing. We can either adjust now and deal with the fallout or we
  can continue to live on the assumption that no one will ever screw up,
  ever. Setting -o newinstance on the very first mount sounds like the
  best way to reduce our long-term technical debt.

- I'm not sure the gid=5 is correct if a gid map is in place
  (/proc/pid/guid_map). I can't find documentation on this one way or
  another. I thought I'd call this out in case things don't look correct
  elsewhere (say, gids are wrong in containers) then this may be recalled.

Thanks

review: Approve
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thanks for the review:

> - AppArmor "ought to" support something like "options=newinstance" so that
> we can reject any mounts that may violate our expectations. "Ought to"
> since it looks like the parser and kernel were written with this in mind
> but I can't figure out how to make it work.

When AppArmor handles this, we can adjust the policy accordingly.

> - We really shouldn't be afraid to modify our startup routines to do the
> right thing. We can either adjust now and deal with the fallout or we
> can continue to live on the assumption that no one will ever screw up,
> ever. Setting -o newinstance on the very first mount sounds like the
> best way to reduce our long-term technical debt.

I wasn't afraid per se to change the startup routines, but Debian and Ubuntu are currently set as 'single-instance' and this is the recommendation on systems in general. I was aiming for the simplest code and simply punting on legacy systems (unlike lxc which will convert a legacy mode to a multi-instance) while working on both single-instance and multi-instance with simple code. Creating a delta with Debian seemed unneeded when the code itself works fine in either mode.

> - I'm not sure the gid=5 is correct if a gid map is in place
> (/proc/pid/guid_map). I can't find documentation on this one way or
> another. I thought I'd call this out in case things don't look correct
> elsewhere (say, gids are wrong in containers) then this may be recalled.

Thanks-- I wondered about this myself but saw the lxc hard-coded this as gid=5 too. Considering its extensive use of nesting and user containers, I just went with it and like you said, figured we could revisit as needed.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
The diff is not available at this time. You can reload the page or download it.

Subscribers

People subscribed via source and target branches