Mount cgroup2 type for snapd

LP: 1944004 described an issue where a libc transition caused snapd
seccomp profiles to reference a path that no longer existed, leading to
permission denied errors. The committed fix for snapd then raised an
issue where running `snapd debug seeding` would present a
preseed-system-key and seed-restart-system-key due to a mismatch
between the running kernel capabilities and the profiles being loaded by
snapd. By mounting a cgroup2 type to /sys/fs/cgroup, the capabilities
match for snapd as mounted in the chroot. This is done similarly to
live-build/functions:138-140 where apparmour and seccomp actions are
mounted after updating the buildd.
impish-sru-lp-1946520
John Chittum 3 years ago
parent 271d498ab6
commit 9c3851d401
No known key found for this signature in database
GPG Key ID: FC52138B0F49EA8E

@ -138,6 +138,8 @@ setup_mountpoint() {
# Provide more up to date apparmor features, matching target kernel # Provide more up to date apparmor features, matching target kernel
mount -o bind /usr/share/livecd-rootfs/live-build/apparmor/generic "$mountpoint/sys/kernel/security/apparmor/features/" mount -o bind /usr/share/livecd-rootfs/live-build/apparmor/generic "$mountpoint/sys/kernel/security/apparmor/features/"
mount -o bind /usr/share/livecd-rootfs/live-build/seccomp/generic.actions_avail "$mountpoint/proc/sys/kernel/seccomp/actions_avail" mount -o bind /usr/share/livecd-rootfs/live-build/seccomp/generic.actions_avail "$mountpoint/proc/sys/kernel/seccomp/actions_avail"
# cgroup2 mount for LP: 1944004
mount -t cgroup2 none "$mountpoint/sys/fs/cgroup"
mount -t tmpfs none "$mountpoint/tmp" mount -t tmpfs none "$mountpoint/tmp"
mount -t tmpfs none "$mountpoint/var/lib/apt" mount -t tmpfs none "$mountpoint/var/lib/apt"
mount -t tmpfs none "$mountpoint/var/cache/apt" mount -t tmpfs none "$mountpoint/var/cache/apt"

Loading…
Cancel
Save