From 9c3851d4012c2028bf688b0cea13b0b189e509fc Mon Sep 17 00:00:00 2001
From: John Chittum
Date: Tue, 28 Sep 2021 16:08:55 -0500
Subject: [PATCH] Mount cgroup2 type for snapd LP: 1944004 described an issue where a libc transition caused snapd seccomp profiles to reference a path that no longer existed, leading to permission denied errors. The committed fix for snapd then raised an issue where running `snapd debug seeding` would present a preseed-system-key and seed-restart-system-key due to a mismatch between the running kernel capabilities and the profiles being loaded by snapd. By mounting a cgroup2 type to /sys/fs/cgroup, the capabilities match for snapd as mounted in the chroot. This is done similarly to live-build/functions:138-140 where apparmour and seccomp actions are mounted after updating the buildd.
---
 live-build/functions | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/live-build/functions b/live-build/functions
index 9b048c08..8a6777f2 100644
--- a/live-build/functions
+++ b/live-build/functions
@@ -138,6 +138,8 @@ setup_mountpoint() {
 # Provide more up to date apparmor features, matching target kernel
 mount -o bind /usr/share/livecd-rootfs/live-build/apparmor/generic "$mountpoint/sys/kernel/security/apparmor/features/"
 mount -o bind /usr/share/livecd-rootfs/live-build/seccomp/generic.actions_avail "$mountpoint/proc/sys/kernel/seccomp/actions_avail"
+ # cgroup2 mount for LP: 1944004
+ mount -t cgroup2 none "$mountpoint/sys/fs/cgroup"
 mount -t tmpfs none "$mountpoint/tmp"
 mount -t tmpfs none "$mountpoint/var/lib/apt"
 mount -t tmpfs none "$mountpoint/var/cache/apt"
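Review bot: The added `mount -t cgroup2 none "$mountpoint/sys/fs/cgroup"` gives everything that later runs as root inside the chroot (maintainer scripts, snapd preseeding) a writable view of the build host's cgroup2 hierarchy, without the restrictive flags such a mount usually carries on a running system. If snapd only needs to see the filesystem type there, which the description suggests but does not state, tighten it to `mount -t cgroup2 -o nosuid,nodev,noexec none "$mountpoint/sys/fs/cgroup"` and check whether a read-only mount is also sufficient. The hunk shows neither a failure path nor the matching unmount, and setup_mountpoint starts and ends outside it, so confirm that a build host without cgroup2 support fails loudly and that the teardown releases this mount. The comment would serve the next reader better if it gave the reason and not just the bug number, e.g. `# Mount cgroup2 so the capabilities snapd sees in the chroot match the target kernel (avoids the preseed system-key mismatch, LP: #1944004)`.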