o/ifacestate: pass task to buildConfinementOptions

so remodelling scenarios are handled properly.
canonical · Jan 7, 2025 · 71b8ccd · 71b8ccd
1 parent 1cd5576
commit 71b8ccd
Show file tree

Hide file tree

Showing 4 changed files with 55 additions and 18 deletions.
diff --git a/overlord/ifacestate/export_test.go b/overlord/ifacestate/export_test.go
@@ -74,8 +74,8 @@ func NewInterfaceManagerWithAppArmorPrompting(useAppArmorPrompting bool) *Interf
 	return m
 }
 
-func (m *InterfaceManager) BuildConfinementOptions(st *state.State, snapInfo *snap.Info, flags snapstate.Flags) (interfaces.ConfinementOptions, error) {
-	return m.buildConfinementOptions(st, snapInfo, flags)
+func (m *InterfaceManager) BuildConfinementOptions(st *state.State, task *state.Task, snapInfo *snap.Info, flags snapstate.Flags) (interfaces.ConfinementOptions, error) {
+	return m.buildConfinementOptions(st, task, snapInfo, flags)
 }
 
 type ConnectOpts = connectOpts

diff --git a/overlord/ifacestate/handlers.go b/overlord/ifacestate/handlers.go
@@ -82,14 +82,14 @@ func getExtraLayouts(st *state.State, snapInfo *snap.Info) ([]snap.Layout, error
 	return extraLayouts, nil
 }
 
-func (m *InterfaceManager) buildConfinementOptions(st *state.State, snapInfo *snap.Info, flags snapstate.Flags) (interfaces.ConfinementOptions, error) {
+func (m *InterfaceManager) buildConfinementOptions(st *state.State, task *state.Task, snapInfo *snap.Info, flags snapstate.Flags) (interfaces.ConfinementOptions, error) {
 	extraLayouts, err := getExtraLayouts(st, snapInfo)
 	if err != nil {
 		return interfaces.ConfinementOptions{}, fmt.Errorf("cannot get extra mount layouts of snap %q: %s", snapInfo.InstanceName(), err)
 	}
 
 	kernelSnap := ""
-	deviceCtx, err := snapstate.DeviceCtx(st, nil, nil)
+	deviceCtx, err := snapstate.DeviceCtx(st, task, nil)
 	if err == nil {
 		kernelSnap = deviceCtx.Kernel()
 	}
@@ -131,7 +131,7 @@ func (m *InterfaceManager) setupAffectedSnaps(task *state.Task, affectingSnap st
 			return fmt.Errorf("building app set for snap %q: %v", affectingSnap, err)
 		}
 
-		opts, err := m.buildConfinementOptions(st, affectedSnapInfo, snapst.Flags)
+		opts, err := m.buildConfinementOptions(st, task, affectedSnapInfo, snapst.Flags)
 		if err != nil {
 			return err
 		}
@@ -177,7 +177,7 @@ func (m *InterfaceManager) doSetupProfiles(task *state.Task, tomb *tomb.Tomb) er
 		return nil
 	}
 
-	opts, err := m.buildConfinementOptions(task.State(), snapInfo, snapsup.Flags)
+	opts, err := m.buildConfinementOptions(task.State(), task, snapInfo, snapsup.Flags)
 	if err != nil {
 		return err
 	}
@@ -347,7 +347,7 @@ func (m *InterfaceManager) setupProfilesForAppSet(task *state.Task, appSet *inte
 			return fmt.Errorf("building app set for snap %q: %v", name, err)
 		}
 
-		opts, err := m.buildConfinementOptions(st, snapInfo, snapst.Flags)
+		opts, err := m.buildConfinementOptions(st, task, snapInfo, snapst.Flags)
 		if err != nil {
 			return err
 		}
@@ -463,7 +463,7 @@ func (m *InterfaceManager) undoSetupProfiles(task *state.Task, tomb *tomb.Tomb)
 		if err != nil {
 			return err
 		}
-		opts, err := m.buildConfinementOptions(task.State(), snapInfo, snapst.Flags)
+		opts, err := m.buildConfinementOptions(task.State(), task, snapInfo, snapst.Flags)
 		if err != nil {
 			return err
 		}
@@ -698,7 +698,7 @@ func (m *InterfaceManager) doConnect(task *state.Task, _ *tomb.Tomb) (err error)
 		if err != nil {
 			return err
 		}
-		slotOpts, err := m.buildConfinementOptions(st, slotSnapInfo, slotSnapst.Flags)
+		slotOpts, err := m.buildConfinementOptions(st, task, slotSnapInfo, slotSnapst.Flags)
 		if err != nil {
 			return err
 		}
@@ -710,7 +710,7 @@ func (m *InterfaceManager) doConnect(task *state.Task, _ *tomb.Tomb) (err error)
 		if err != nil {
 			return err
 		}
-		plugOpts, err := m.buildConfinementOptions(st, plugSnapInfo, plugSnapst.Flags)
+		plugOpts, err := m.buildConfinementOptions(st, task, plugSnapInfo, plugSnapst.Flags)
 		if err != nil {
 			return err
 		}
@@ -820,7 +820,7 @@ func (m *InterfaceManager) doDisconnect(task *state.Task, _ *tomb.Tomb) error {
 			return fmt.Errorf("building app set for snap %q: %v", snapInfo.InstanceName(), err)
 		}
 
-		opts, err := m.buildConfinementOptions(st, snapInfo, snapst.Flags)
+		opts, err := m.buildConfinementOptions(st, task, snapInfo, snapst.Flags)
 		if err != nil {
 			return err
 		}
@@ -944,7 +944,7 @@ func (m *InterfaceManager) undoDisconnect(task *state.Task, _ *tomb.Tomb) error
 	if err != nil {
 		return err
 	}
-	slotOpts, err := m.buildConfinementOptions(st, slotSnapInfo, slotSnapst.Flags)
+	slotOpts, err := m.buildConfinementOptions(st, task, slotSnapInfo, slotSnapst.Flags)
 	if err != nil {
 		return err
 	}
@@ -956,7 +956,7 @@ func (m *InterfaceManager) undoDisconnect(task *state.Task, _ *tomb.Tomb) error
 	if err != nil {
 		return err
 	}
-	plugOpts, err := m.buildConfinementOptions(st, plugSnapInfo, plugSnapst.Flags)
+	plugOpts, err := m.buildConfinementOptions(st, task, plugSnapInfo, plugSnapst.Flags)
 	if err != nil {
 		return err
 	}
@@ -1054,7 +1054,7 @@ func (m *InterfaceManager) undoConnect(task *state.Task, _ *tomb.Tomb) error {
 	if err != nil {
 		return err
 	}
-	slotOpts, err := m.buildConfinementOptions(st, slotSnapInfo, slotSnapst.Flags)
+	slotOpts, err := m.buildConfinementOptions(st, task, slotSnapInfo, slotSnapst.Flags)
 	if err != nil {
 		return err
 	}
@@ -1066,7 +1066,7 @@ func (m *InterfaceManager) undoConnect(task *state.Task, _ *tomb.Tomb) error {
 	if err != nil {
 		return err
 	}
-	plugOpts, err := m.buildConfinementOptions(st, plugSnapInfo, plugSnapst.Flags)
+	plugOpts, err := m.buildConfinementOptions(st, task, plugSnapInfo, plugSnapst.Flags)
 	if err != nil {
 		return err
 	}

diff --git a/overlord/ifacestate/handlers_test.go b/overlord/ifacestate/handlers_test.go
@@ -20,6 +20,7 @@
 package ifacestate_test
 
 import (
+	"errors"
 	"path"
 
 	. "gopkg.in/check.v1"
@@ -146,14 +147,50 @@ func (s *handlersSuite) TestBuildConfinementOptions(c *C) {
 
 		snapInfo := mockInstalledSnap(c, s.st, snapAyaml)
 		flags := snapstate.Flags{}
-		opts, err := m.BuildConfinementOptions(s.st, snapInfo, snapstate.Flags{})
+		opts, err := m.BuildConfinementOptions(s.st, nil, snapInfo, snapstate.Flags{})
 
 		c.Check(err, IsNil)
 		c.Check(len(opts.ExtraLayouts), Equals, 0)
 		c.Check(opts.Classic, Equals, flags.Classic)
 		c.Check(opts.DevMode, Equals, flags.DevMode)
 		c.Check(opts.JailMode, Equals, flags.JailMode)
 		c.Check(opts.AppArmorPrompting, Equals, testAppArmorPrompting)
+		c.Check(opts.KernelSnap, Equals, "")
+	}
+}
+
+func (s *handlersSuite) TestBuildConfinementOptionsWithTask(c *C) {
+	s.st.Lock()
+	defer s.st.Unlock()
+
+	// This test is to check that the task is actually passed down to snapstate.DeviceCtx(),
+	// and that errors there are handled fine.
+	t := s.st.NewTask("foo", "description")
+	s.AddCleanup(func() func() {
+		old := snapstate.DeviceCtx
+		snapstate.DeviceCtx = func(st *state.State, task *state.Task,
+			providedDeviceCtx snapstate.DeviceContext) (snapstate.DeviceContext, error) {
+			c.Check(task, DeepEquals, t)
+			return nil, errors.New("classic, no context")
+		}
+		return func() { snapstate.DeviceCtx = old }
+	}())
+
+	for _, testAppArmorPrompting := range []bool{true, false} {
+		// Create fake InterfaceManager to hold fake AppArmor Prompting value
+		m := ifacestate.NewInterfaceManagerWithAppArmorPrompting(testAppArmorPrompting)
+
+		snapInfo := mockInstalledSnap(c, s.st, snapAyaml)
+		flags := snapstate.Flags{}
+		opts, err := m.BuildConfinementOptions(s.st, t, snapInfo, snapstate.Flags{})
+
+		c.Check(err, IsNil)
+		c.Check(len(opts.ExtraLayouts), Equals, 0)
+		c.Check(opts.Classic, Equals, flags.Classic)
+		c.Check(opts.DevMode, Equals, flags.DevMode)
+		c.Check(opts.JailMode, Equals, flags.JailMode)
+		c.Check(opts.AppArmorPrompting, Equals, testAppArmorPrompting)
+		c.Check(opts.KernelSnap, Equals, "")
 	}
 }
 
@@ -176,7 +213,7 @@ func (s *handlersSuite) TestBuildConfinementOptionsWithLogNamespace(c *C) {
 	c.Assert(err, IsNil)
 
 	flags := snapstate.Flags{}
-	opts, err := m.BuildConfinementOptions(s.st, snapInfo, snapstate.Flags{})
+	opts, err := m.BuildConfinementOptions(s.st, nil, snapInfo, snapstate.Flags{})
 
 	c.Check(err, IsNil)
 	c.Assert(len(opts.ExtraLayouts), Equals, 1)

diff --git a/overlord/ifacestate/helpers.go b/overlord/ifacestate/helpers.go
@@ -219,7 +219,7 @@ func (m *InterfaceManager) regenerateAllSecurityProfiles(tm timings.Measurer) er
 			logger.Noticef("cannot get current info for snap %q: %s", snapName, err)
 			return interfaces.ConfinementOptions{}
 		}
-		opts, err := m.buildConfinementOptions(m.state, snapInfo, snapst.Flags)
+		opts, err := m.buildConfinementOptions(m.state, nil, snapInfo, snapst.Flags)
 		if err != nil {
 			logger.Noticef("cannot get confinement options for snap %q: %s", snapName, err)
 		}