
interfaces/apparmor/template: add setpriv to the base template

Open userMaximilian opened this issue 1 year ago • 2 comments

The Snapcraft documentation on system usernames states that snap developers can use setpriv to drop privileges and run a snapped daemon as a non-root user, such as _daemon_.

Whilst setpriv is present in the core20/core22/core24 base snaps, it isn't possible to run the base snap's copy within the environment of a strictly confined snap. (The documentation doesn't refer to this particular issue, but it does suggest that developers add the util-linux package to the daemon snap.) This PR seeks to overcome this issue by adding /usr/bin/setpriv to the AppArmor template.

If there are any reasons against doing this - particularly if there is a better way to run a snapped daemon as a non-root user (or if there will be a better way soon) - then please let me know, and I would be more than happy for this PR to be closed off.

For completeness, this PR relates to Launchpad issue #2072987.

userMaximilian avatar Aug 14 '24 16:08 userMaximilian
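The privilege drop the PR description refers to, as an added example that is not part of the original PR, of snapd, or of the Snapcraft documentation: a launcher script a snap could ship to start its daemon as the unprivileged system user the description names (_daemon_). It assumes that user is declared under the snap's system-usernames, that setpriv resolves user names (util-linux), that the daemon path handed to it is a placeholder, and that SNAP_DAEMON_USER and SNAP_LAUNCHER_RUN are illustrative environment variables of this script only. The setpriv_usable check is the one that fails with "Permission denied" in the situation the description reports, where strict confinement blocks executing the base snap's /usr/bin/setpriv.

```shell
#!/bin/sh
# Added example, not code from the snapd PR or from snapd/snapcraft: a launcher
# a snap could ship to run its daemon as the unprivileged system user _daemon_.
# Assumptions: the user is declared under system-usernames, setpriv accepts
# user names, and the daemon path passed in is a placeholder.

TARGET_USER="${SNAP_DAEMON_USER:-_daemon_}"   # assumed override, defaults to _daemon_

# Print the exact setpriv command line we would exec, so it can be inspected
# (or asserted on) without needing root.
setpriv_args() {
    user="$1"; shift
    printf '%s' "setpriv --reuid=$user --regid=$user --clear-groups --inh-caps=-all --bounding-set=-all --no-new-privs --"
    for arg in "$@"; do
        printf ' %s' "$arg"
    done
    printf '\n'
}

# 0 if the target account exists in this environment's user database.
target_user_exists() {
    id -u "$1" >/dev/null 2>&1
}

# 0 if setpriv can actually be executed from inside this confinement.
# Under strict confinement, running the base snap's /usr/bin/setpriv is
# denied by AppArmor unless the profile allows it (the point of this PR),
# and this probe then fails with "Permission denied".
setpriv_usable() {
    setpriv --version >/dev/null 2>&1
}

# Replace the current process with the daemon running as $user:
#   --reuid/--regid      switch real, effective and saved uid/gid
#   --clear-groups       drop root's supplementary groups
#   --inh-caps=-all      empty the inheritable capability set
#   --bounding-set=-all  empty the capability bounding set
#   --no-new-privs       setuid binaries cannot regain privilege later
run_as_user() {
    user="$1"; shift
    exec setpriv --reuid="$user" --regid="$user" --clear-groups \
        --inh-caps=-all --bounding-set=-all --no-new-privs -- "$@"
}

main() {
    [ "$#" -ge 1 ] || { echo "usage: $0 DAEMON [ARGS...]" >&2; return 64; }
    if [ "$(id -u)" -ne 0 ]; then
        # Already unprivileged: nothing to drop, just run the daemon.
        exec "$@"
    fi
    target_user_exists "$TARGET_USER" || { echo "no such user: $TARGET_USER" >&2; return 67; }
    setpriv_usable || { echo "setpriv not executable here (AppArmor denial?)" >&2; return 126; }
    run_as_user "$TARGET_USER" "$@"
}

# Only launch when explicitly asked, so the functions above can be sourced.
if [ "${SNAP_LAUNCHER_RUN:-}" = "1" ]; then
    main "$@"
fi
```

A snap would point its daemon's command at this launcher with the real service path as the argument; snapd starts the daemon as root, the launcher drops to _daemon_ and execs the service, and the service itself never runs with root's uid, supplementary groups or capabilities. Running the script on a system where the AppArmor rule is absent makes the failure mode visible as an explicit "setpriv not executable here" message rather than a bare exec error.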

Everyone contributing to this PR has now signed the CLA. Thanks!

github-actions[bot] avatar Aug 14 '24 16:08 github-actions[bot]

For what it's worth, I signed the CLA earlier today - does it take time for the signature to propagate to the database that the GitHub action checks? I'm happy to sign again if needed.

Edit: the CLA checker now states that I'm a signatory.

userMaximilian avatar Aug 14 '24 16:08 userMaximilian

Thanks for the patch and sorry we missed it before. I tried rebasing the branch on top of current master, but I think the 'changes from maintainers' option is disabled. Can you rebase the branch and force push?

bboozzoo avatar Nov 21 '24 14:11 bboozzoo

Hi @bboozzoo - that's absolutely no problem at all. I have just rebased and force pushed as you suggested. (The reason for force pushing twice was that I needed to undo an accidental merge commit - if anything looks unusual at your end, please let me know.)

userMaximilian avatar Nov 21 '24 20:11 userMaximilian

Codecov Report

All modified and coverable lines are covered by tests :white_check_mark:

Project coverage is 79.03%. Comparing base (96ea7b0) to head (4ec9658). Report is 477 commits behind head on master.

@@            Coverage Diff             @@
##           master   #14362      +/-   ##
==========================================
+ Coverage   78.95%   79.03%   +0.07%     
==========================================
  Files        1084     1087       +3     
  Lines      146638   147756    +1118     
==========================================
+ Hits       115773   116773    +1000     
- Misses      23667    23751      +84     
- Partials     7198     7232      +34     
Flag        Coverage Δ
unittests   79.03% <ø> (+0.07%) :arrow_up:



codecov[bot] avatar Nov 22 '24 07:11 codecov[bot]

Thanks! I'm more than happy to work on the documentation too. (See also canonical/open-documentation-academy#93.)

userMaximilian avatar Nov 27 '24 08:11 userMaximilian

Failures:

ernestl avatar Dec 03 '24 16:12 ernestl