fix: bind correct apparmor feature for validating snap seed

During the Realtime kernel image build, validating the snap seed
failed: derivative images copied the 5.19 apparmor feature set and
could not validate it when the Realtime kernel (5.15) was
installed [0].

To prevent this, bind correct apparmor feature with kernel
version.

[0] https://bugs.launchpad.net/ubuntu/+source/livecd-rootfs/+bug/2024639

(cherry picked from commit 6b54faa6be)
meta-squash-fs
Jess Jang 1 year ago
parent 774b7c6c5a
commit 5e96ff013e

@ -756,12 +756,34 @@ snap_preseed() {
snap_validate_seed() { snap_validate_seed() {
local CHROOT_ROOT=$1 local CHROOT_ROOT=$1
if [ -e ${CHROOT_ROOT}/boot/vmlinuz ]; then
local kern_major_min=$(readlink --canonicalize --no-newline ${CHROOT_ROOT}/boot/vmlinuz | grep --extended-regexp --only-matching --max-count 1 '[0-9]+\.[0-9]+')
if [ -d /usr/share/livecd-rootfs/live-build/apparmor/${kern_major_min} ]; then
# if an Ubuntu version has different kernel apparmor features between LTS and HWE kernels
# a snap pre-seeding issue can occur, where the incorrect apparmor features are reported
# basic copy of a directory structure overriding the "generic" feature set
# which is tied to the LTS kernel
# Bind kernel apparmor directory to feature directory for snap preseeding
umount "${CHROOT_ROOT}/sys/kernel/security/apparmor/features/"
mount --bind /usr/share/livecd-rootfs/live-build/apparmor/${kern_major_min} "${CHROOT_ROOT}/sys/kernel/security/apparmor/features/"
fi
fi
if [ -e "${CHROOT_ROOT}/var/lib/snapd/seed/seed.yaml" ]; then if [ -e "${CHROOT_ROOT}/var/lib/snapd/seed/seed.yaml" ]; then
snap debug validate-seed "${CHROOT_ROOT}/var/lib/snapd/seed/seed.yaml" snap debug validate-seed "${CHROOT_ROOT}/var/lib/snapd/seed/seed.yaml"
/usr/lib/snapd/snap-preseed --reset $(realpath "${CHROOT_ROOT}") /usr/lib/snapd/snap-preseed --reset $(realpath "${CHROOT_ROOT}")
/usr/lib/snapd/snap-preseed $(realpath "${CHROOT_ROOT}") /usr/lib/snapd/snap-preseed $(realpath "${CHROOT_ROOT}")
chroot "${CHROOT_ROOT}" apparmor_parser --skip-read-cache --write-cache --skip-kernel-load --verbose -j `nproc` /etc/apparmor.d chroot "${CHROOT_ROOT}" apparmor_parser --skip-read-cache --write-cache --skip-kernel-load --verbose -j `nproc` /etc/apparmor.d
fi fi
# Unmount kernel specific apparmor feature
# mount generic apparmor feature again (cleanup)
if [ -d /build/config/hooks.d/extra/apparmor/${kern_major_min} ]; then
umount "${CHROOT_ROOT}/sys/kernel/security/apparmor/features/"
mount -o bind /usr/share/livecd-rootfs/live-build/apparmor/generic "${CHROOT_ROOT}/sys/kernel/security/apparmor/features/"
fi
} }
list_packages_from_seed () { list_packages_from_seed () {
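Review bot: The cleanup condition `if [ -d /build/config/hooks.d/extra/apparmor/${kern_major_min} ]` tests a different directory than the setup condition (`/usr/share/livecd-rootfs/live-build/apparmor/${kern_major_min}`), so whenever only the livecd-rootfs directory exists the kernel-specific bind mount is never replaced with `generic` and the chroot is left with the wrong feature set after preseeding; both conditions should test the same path, `if [ -d "/usr/share/livecd-rootfs/live-build/apparmor/${kern_major_min}" ]; then`. `kern_major_min` is also declared `local` only inside the `/boot/vmlinuz` branch, so when no kernel image is present the cleanup test expands to a bare directory (or fails under `set -u`, if the script enables it), and `grep --only-matching --max-count 1` still prints every `N.N` match on the resolved path, so a chroot path that itself contains a version-like token would yield a multi-line value; extracting the version from the basename of the resolved link and declaring the variable before the branch avoids both. Neither `umount` nor `mount --bind` is checked, so a failed unmount silently stacks a second mount on top of the existing one — worth at least `umount … || return 1`. The hunk contains the whole of snap_validate_seed, so the sketch below covers the full function.
```shell
snap_validate_seed() {
    local CHROOT_ROOT=$1
    local kern_major_min=
    if [ -e "${CHROOT_ROOT}/boot/vmlinuz" ]; then
        local vmlinuz
        vmlinuz=$(readlink --canonicalize --no-newline "${CHROOT_ROOT}/boot/vmlinuz")
        # match the image name only, not version-like tokens in the chroot path
        kern_major_min=$(grep --extended-regexp --only-matching '[0-9]+\.[0-9]+' <<<"${vmlinuz##*/}" | head -n 1)
        if [ -n "${kern_major_min}" ] && [ -d "/usr/share/livecd-rootfs/live-build/apparmor/${kern_major_min}" ]; then
            # … unchanged: umount / mount --bind of the kernel-specific feature set …
        fi
    fi
    # … unchanged: seed validation and preseeding …
    if [ -n "${kern_major_min}" ] && [ -d "/usr/share/livecd-rootfs/live-build/apparmor/${kern_major_min}" ]; then
        # … unchanged: umount / mount -o bind of the generic feature set …
    fi
}
```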
