Add support for confinement property

Bug #1580819 reported by Kyle Fazzari on 2016-05-12
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Canonical Click Reviewers tools (obsolete)
Undecided
Unassigned
Snapcraft
Wishlist
Kyle Fazzari
click-reviewers-tools (Ubuntu)
Undecided
Jamie Strandboge
Xenial
Undecided
Jamie Strandboge
Yakkety
Undecided
Jamie Strandboge
snapcraft (Ubuntu)
Undecided
Unassigned
Xenial
Undecided
Unassigned
Yakkety
Undecided
Unassigned

Bug Description

[Impact]

 * Snaps need to be able to specify if they require devmode or if they can be run confined. This will allow for snapd to provide reasonable errors if one tries to install a snap that cannot run successfully under confinement.

 * The YAML property should be called "confinement," and it should have two options: "devmode" and "strict." It should be optional, and `snapcraft init` should set it to "devmode."

 * The "confinement" YAML property should be copied into the resulting `snap.yaml`.

* Example YAML:

        name: foo
        version: 1
        summary: foo
        description: foo
        confinement: devmode

        parts:
          foo:
            plugin: nil

[Test Case]

 * Run `snapcraft init`. Make sure "confinement" is "devmode."

 * Create a valid snapcraft.yaml and run `snapcraft` on it. Make sure the "confinement" value gets copied to the `snap.yaml`.

 * Create a valid snapcraft.yaml and remove the "confinement" property. Run `snapcraft`. It should print a hint about defaulting to "strict", and "confinement: strict" should be in the resulting `snap.yaml`.

[Regression Potential]

 * snapcraft.yaml validation could be incorrect (required properties may not be required correctly, etc.)

Kyle Fazzari (kyrofa) on 2016-05-12
summary: - Add support for confinement flag
+ Add support for confinement property
Kyle Fazzari (kyrofa) wrote :
Changed in snapcraft:
status: New → In Progress
importance: Undecided → High
assignee: nobody → Kyle Fazzari (kyrofa)
milestone: none → 2.9
Jamie Strandboge (jdstrand) wrote :

How is this intended to be used? Does the resulting snap.yaml have anything that tells 'snap install' to put into --devmode? If so, I don't see how this doesn't reintroduce "unconfined" which is something Gustavo said should not be supported.

Tyler Hicks (tyhicks) wrote :

@jamie - The snap cannot instruct `snap install` to implicitly install itself in devmode. The user still has to use `snap install --devmode`.

Kyle Fazzari (kyrofa) wrote :

> Does the resulting snap.yaml have anything that tells 'snap install' to put into --devmode?

Sort of-- it does indeed get the "confinement" property, but its purpose will be so the snap can say "Hey, I ONLY work if I'm in devmode" in which case the snap command can say "Hey, you're trying to install a snap that requires devmode. Try using --devmode" (just as an example).

description: updated
Kyle Fazzari (kyrofa) on 2016-05-12
description: updated
Changed in snapcraft:
importance: High → Wishlist
Kyle Fazzari (kyrofa) on 2016-05-19
description: updated
Kyle Fazzari (kyrofa) on 2016-05-19
description: updated
Kyle Fazzari (kyrofa) wrote :

Adding the review tool since it probably requires changes to handle this new property.

Jamie Strandboge (jdstrand) wrote :

I worked on this last week. It is in yakkety, working through SRU in xenial and the store guys will pull it in this week.

Changed in click-reviewers-tools:
status: New → Fix Released
Changed in snapcraft:
status: In Progress → Fix Committed
Changed in snapcraft (Ubuntu Xenial):
milestone: none → xenial-updates

Hello Kyle, or anyone else affected,

Accepted click-reviewers-tools into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/click-reviewers-tools/0.43~14.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: added: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package snapcraft - 2.9+16.10

---------------
snapcraft (2.9+16.10) yakkety; urgency=medium

  [ Leo Arias ]
  * autopkgtests: run the install examples tests in classic. (#481)
    (LP: #1572764)

  [ Matteo Bertini ]
  * Fix typo in description of the python3 example. (#504)

  [ Jamie Bennett ]
  * Documentation: Use plugs instead of caps. (#507)

  [ Chris Wayne ]
  * Add in bash completion. (#453) (LP: #1570506)

  [ Sergio Schvezov ]
  * Fail validation if plugs or slots are declared at the part level (#514)
    (LP: #1581166)

  [ Kyle Fazzari ]
  * Make pull and build steps dirty if target arch changes. (#450)
    (LP: #1564192)
  * Add support for the confinement property. (#501) (LP: #1580819)
  * Add support for the epoch property. (#502) (LP: #1581113)

 -- Sergio Schvezov <email address hidden> Tue, 24 May 2016 23:32:11 -0300

Changed in snapcraft (Ubuntu Yakkety):
status: New → Fix Released
Chris J Arges (arges) wrote :

Hello Kyle, or anyone else affected,

Accepted snapcraft into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/snapcraft/2.9 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in snapcraft (Ubuntu Xenial):
status: New → Fix Committed
Jamie Strandboge (jdstrand) wrote :

Verified that 'confinement: strict' properly errors with 'plugs: [ network-control ]':
Errors
------
 - security-snap-v2:plug_safe:network-control:network-control
 reserved interface 'network-control' for vetted applications only

and that 'confinement: devmode' shows no error with 'plugs: [ network-control ]'

Changed in click-reviewers-tools (Ubuntu Yakkety):
status: New → Fix Released
Changed in click-reviewers-tools (Ubuntu Xenial):
status: New → Fix Committed
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in click-reviewers-tools (Ubuntu Yakkety):
assignee: nobody → Jamie Strandboge (jdstrand)
tags: added: verification-done
removed: verification-needed
Changed in snapcraft:
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package snapcraft - 2.9

---------------
snapcraft (2.9) xenial; urgency=medium

  [ Leo Arias ]
  * autopkgtests: run the install examples tests in classic. (#481)
    (LP: #1572764)

  [ Matteo Bertini ]
  * Fix typo in description of the python3 example. (#504)

  [ Jamie Bennett ]
  * Documentation: Use plugs instead of caps. (#507)

  [ Chris Wayne ]
  * Add in bash completion. (#453) (LP: #1570506)

  [ Sergio Schvezov ]
  * Fail validation if plugs or slots are declared at the part level (#514)
    (LP: #1581166)

  [ Kyle Fazzari ]
  * Make pull and build steps dirty if target arch changes. (#450)
    (LP: #1564192)
  * Add support for the confinement property. (#501) (LP: #1580819)
  * Add support for the epoch property. (#502) (LP: #1581113)

 -- Sergio Schvezov <email address hidden> Tue, 24 May 2016 23:32:11 -0300

Changed in snapcraft (Ubuntu Xenial):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for snapcraft has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package click-reviewers-tools - 0.43~14.04.1

---------------
click-reviewers-tools (0.43~14.04.1) xenial-proposed; urgency=medium

  [ Jamie Strandboge ]
  * sr_lint.py:
    - kernel snaps may have external symlinks
    - handle top-level plugs and slots with yaml data as 'null' (LP: #1579201)
    - add epoch checks (LP: #1583298)
    - .pyc are arch-independent, so don't complain about them
    - add confinement checks (LP: #1580819)
  * data/apparmor-easyprof-ubuntu.json:
    - add opengl interface as 'common' (LP: #1572140)
    - add reserved bluez, network-manager and location-observe interfaces
  * sr_security.py:
    - remove last reference to 'cap'
    - turn resquash test into info for now until the squashfs-tools bugs are
      fixed and this is a reliable check
  * when 'confinement' is 'devmode', override the result type to 'info'
    - common.py: add override_result_type to allow in support of 'confinement'
      overrides
    - sr_common.py: add _devmode_override()
    - sr_security.py: use override_result_type if in devmode
    - LP: #1584231

 -- Jamie Strandboge <email address hidden> Fri, 20 May 2016 16:06:55 -0500

Changed in click-reviewers-tools (Ubuntu Xenial):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers