Mount cgroup2 type for snapd

LP: 1944004 described an issue where a libc transition caused snapd seccomp profiles to reference a path that no longer existed, leading to permission denied errors. The committed fix for snapd then raised an issue where running `snapd debug seeding` would present a preseed-system-key and seed-restart-system-key due to a mismatch between the running kernel capabilities and the profiles being loaded by snapd. By mounting a cgroup2 type to /sys/fs/cgroup, the capabilities match for snapd as mounted in the chroot. This is done similarly to live-build/functions:138-140 where apparmour and seccomp actions are mounted after updating the buildd.
2025-03-04 16:01:24 +00:00 · 2021-09-28 16:08:55 -05:00 · 2021-09-28 16:08:55 -05:00 · 9c3851d401
commit 9c3851d401
parent 271d498ab6
1 changed files with 2 additions and 0 deletions
--- a/live-build/functions
+++ b/live-build/functions
@ -138,6 +138,8 @@ setup_mountpoint() {
    # Provide more up to date apparmor features, matching target kernel
    mount -o bind /usr/share/livecd-rootfs/live-build/apparmor/generic "$mountpoint/sys/kernel/security/apparmor/features/"
    mount -o bind /usr/share/livecd-rootfs/live-build/seccomp/generic.actions_avail "$mountpoint/proc/sys/kernel/seccomp/actions_avail"
+    # cgroup2 mount for LP: 1944004
+    mount -t cgroup2 none "$mountpoint/sys/fs/cgroup"
    mount -t tmpfs none "$mountpoint/tmp"
    mount -t tmpfs none "$mountpoint/var/lib/apt"
    mount -t tmpfs none "$mountpoint/var/cache/apt"