From b195abb7beacbc28b46feaaa5c993b83f4e9b066 Mon Sep 17 00:00:00 2001 From: Alex Murray Date: Sun, 5 Nov 2023 13:57:12 +0400 Subject: [PATCH 1/4] snapcraft/{hooks,commands}: handle new AppArmor unconfined profile mode AppArmor supports a new unconfined profile mode which essentially acts like the unconfined label - when a profile is in this mode the label contains the suffix "(unconfined)" - so treat this the same as the "unconfined" label and don't try and break out of confinement in this case. Signed-off-by: Alex Murray --- snapcraft/commands/buginfo | 5 ++++- snapcraft/commands/daemon.activate | 5 ++++- snapcraft/commands/daemon.reload | 5 ++++- snapcraft/commands/daemon.start | 5 ++++- snapcraft/commands/daemon.stop | 5 ++++- snapcraft/commands/lxc | 7 +++++-- snapcraft/commands/lxc-to-lxd | 5 ++++- snapcraft/commands/lxd | 5 ++++- snapcraft/commands/lxd-benchmark | 5 ++++- snapcraft/commands/lxd-check-kernel | 5 ++++- snapcraft/commands/lxd-migrate | 5 ++++- snapcraft/commands/lxd-user | 5 ++++- snapcraft/hooks/configure | 5 ++++- snapcraft/hooks/connect-plug-ceph-conf | 5 ++++- snapcraft/hooks/disconnect-plug-ceph-conf | 5 ++++- snapcraft/hooks/remove | 5 ++++- 16 files changed, 65 insertions(+), 17 deletions(-) diff --git a/snapcraft/commands/buginfo b/snapcraft/commands/buginfo index bbf222d42..cc31568a7 100755 --- a/snapcraft/commands/buginfo +++ b/snapcraft/commands/buginfo @@ -2,8 +2,11 @@ set -u # Re-exec outside of apparmor confinement -if [ -d /sys/kernel/security/apparmor ] && [ "$(cat /proc/self/attr/current)" != "unconfined" ]; then +if [ -d /sys/kernel/security/apparmor ]; then + label="$(cat /proc/self/attr/current)" + if [ "$label" != "unconfined" ] && [ -n "${label##*(unconfined)}" ]; then exec aa-exec -p unconfined -- "$0" "$@" + fi fi # Check that we're root diff --git a/snapcraft/commands/daemon.activate b/snapcraft/commands/daemon.activate index f4737523d..d1bf2caee 100755 --- a/snapcraft/commands/daemon.activate 
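Review bot: An empty label now counts as unconfined in the buginfo hunk: when `cat /proc/self/attr/current` yields nothing, `${label##*(unconfined)}` expands to the empty string, the `-n` test fails and the re-exec is skipped, whereas the removed one-line test re-executed through aa-exec in that case. A `case` on the label names the two accepted forms directly and sends everything else, including an empty read, to aa-exec. It also lets the `(unconfined)` suffix be quoted so it is always matched literally; unquoted, `*(...)` is an extended-glob operator in shells that have extglob enabled (the shebang is outside the hunk, so the interpreter is not visible here). The same test is repeated in every other script this patch touches.

```sh
if [ -d /sys/kernel/security/apparmor ]; then
    label="$(cat /proc/self/attr/current)"
    case "${label}" in
        # Already unconfined: plain label, or a profile in unconfined mode.
        unconfined | *"(unconfined)") ;;
        # Anything else, including an empty or unreadable label, re-execs.
        *) exec aa-exec -p unconfined -- "$0" "$@" ;;
    esac
fi
```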
+++ b/snapcraft/commands/daemon.activate @@ -2,7 +2,9 @@ set -eu # Re-exec outside of apparmor confinement -if [ -d /sys/kernel/security/apparmor ] && [ "$(cat /proc/self/attr/current 2>/dev/null)" != "unconfined" ]; then +if [ -d /sys/kernel/security/apparmor ]; then + label="$(cat /proc/self/attr/current)" + if [ "$label" != "unconfined" ] && [ -n "${label##*(unconfined)}" ]; then if ! aa-exec --help >/dev/null 2>&1; then echo "The LXD snap was unable to run aa-exec, this usually indicates a LXD sideload." >&2 echo "When sideloading, make sure to manually connect all interfaces." >&2 @@ -10,6 +12,7 @@ if [ -d /sys/kernel/security/apparmor ] && [ "$(cat /proc/self/attr/current 2>/d fi exec aa-exec -p unconfined -- "$0" "$@" || true + fi fi # shellcheck disable=SC2155 diff --git a/snapcraft/commands/daemon.reload b/snapcraft/commands/daemon.reload index 5731b7ccd..b2edbe73c 100755 --- a/snapcraft/commands/daemon.reload +++ b/snapcraft/commands/daemon.reload @@ -2,8 +2,11 @@ set -eu # Re-exec outside of apparmor confinement -if [ -d /sys/kernel/security/apparmor ] && [ "$(cat /proc/self/attr/current)" != "unconfined" ]; then +if [ -d /sys/kernel/security/apparmor ]; then + label="$(cat /proc/self/attr/current)" + if [ "$label" != "unconfined" ] && [ -n "${label##*(unconfined)}" ]; then exec aa-exec -p unconfined -- "$0" "$@" + fi fi echo reload > "${SNAP_COMMON}/state" diff --git a/snapcraft/commands/daemon.start b/snapcraft/commands/daemon.start index ac944cae1..34559aa07 100755 --- a/snapcraft/commands/daemon.start +++ b/snapcraft/commands/daemon.start 
@@ -2,8 +2,11 @@ set -eu # Re-exec outside of apparmor confinement -if [ -d /sys/kernel/security/apparmor ] && [ "$(cat /proc/self/attr/current)" != "unconfined" ]; then +if [ -d /sys/kernel/security/apparmor ]; then + label="$(cat /proc/self/attr/current)" + if [ "$label" != "unconfined" ] && [ -n "${label##*(unconfined)}" ]; then exec aa-exec -p unconfined -- "$0" "$@" + fi fi echo "=> Preparing the system (${SNAP_REVISION})" diff --git a/snapcraft/commands/daemon.stop b/snapcraft/commands/daemon.stop index ee0c2f438..6c0e5a277 100755 --- a/snapcraft/commands/daemon.stop +++ b/snapcraft/commands/daemon.stop @@ -2,8 +2,11 @@ set -eu # Re-exec outside of apparmor confinement -if [ -d /sys/kernel/security/apparmor ] && [ "$(cat /proc/self/attr/current)" != "unconfined" ]; then +if [ -d /sys/kernel/security/apparmor ]; then + label="$(cat /proc/self/attr/current)" + if [ "$label" != "unconfined" ] && [ -n "${label##*(unconfined)}" ]; then exec aa-exec -p unconfined -- "$0" "$@" + fi fi export LXD_DIR="${SNAP_COMMON}/lxd/" diff --git a/snapcraft/commands/lxc b/snapcraft/commands/lxc index e01ccda93..4383b3843 100755 --- a/snapcraft/commands/lxc +++ b/snapcraft/commands/lxc @@ -2,8 +2,11 @@ set -eu # Re-exec outside of apparmor confinement -if [ -d /sys/kernel/security/apparmor ] && [ "$(while read -r l; do echo "$l"; done < /proc/self/attr/current)" != "unconfined" ]; then - exec /usr/bin/aa-exec -p unconfined -- "$0" "$@" +if [ -d /sys/kernel/security/apparmor ]; then + label="$(cat /proc/self/attr/current)" + if [ "$label" != "unconfined" ] && [ -n "${label##*(unconfined)}" ]; then + exec aa-exec -p unconfined -- "$0" "$@" + fi fi # Check if native and snap installed diff --git a/snapcraft/commands/lxc-to-lxd b/snapcraft/commands/lxc-to-lxd index d492d0ab8..db1233570 100755 --- a/snapcraft/commands/lxc-to-lxd +++ b/snapcraft/commands/lxc-to-lxd 
@@ -2,8 +2,11 @@ set -eu # Re-exec outside of apparmor confinement -if [ -d /sys/kernel/security/apparmor ] && [ "$(cat /proc/self/attr/current)" != "unconfined" ]; then +if [ -d /sys/kernel/security/apparmor ]; then + label="$(cat /proc/self/attr/current)" + if [ "$label" != "unconfined" ] && [ -n "${label##*(unconfined)}" ]; then exec aa-exec -p unconfined -- "$0" "$@" + fi fi # Check that we're root diff --git a/snapcraft/commands/lxd b/snapcraft/commands/lxd index 4a1684ce8..026b0160f 100755 --- a/snapcraft/commands/lxd +++ b/snapcraft/commands/lxd @@ -2,8 +2,11 @@ set -eu # Re-exec outside of apparmor confinement -if [ -d /sys/kernel/security/apparmor ] && [ "$(cat /proc/self/attr/current)" != "unconfined" ]; then +if [ -d /sys/kernel/security/apparmor ]; then + label="$(cat /proc/self/attr/current)" + if [ "$label" != "unconfined" ] && [ -n "${label##*(unconfined)}" ]; then exec aa-exec -p unconfined -- "$0" "$@" + fi fi # Check if native and snap installed diff --git a/snapcraft/commands/lxd-benchmark b/snapcraft/commands/lxd-benchmark index 1099c1749..132cf3563 100755 --- a/snapcraft/commands/lxd-benchmark +++ b/snapcraft/commands/lxd-benchmark @@ -2,8 +2,11 @@ set -eu # Re-exec outside of apparmor confinement -if [ -d /sys/kernel/security/apparmor ] && [ "$(cat /proc/self/attr/current)" != "unconfined" ]; then +if [ -d /sys/kernel/security/apparmor ]; then + label="$(cat /proc/self/attr/current)" + if [ "$label" != "unconfined" ] && [ -n "${label##*(unconfined)}" ]; then exec aa-exec -p unconfined -- "$0" "$@" + fi fi # Check if native and snap installed diff --git a/snapcraft/commands/lxd-check-kernel b/snapcraft/commands/lxd-check-kernel index 5d16d387b..e5f2c4f68 100755 --- a/snapcraft/commands/lxd-check-kernel +++ b/snapcraft/commands/lxd-check-kernel 
@@ -2,8 +2,11 @@ set -eu # Re-exec outside of apparmor confinement -if [ -d /sys/kernel/security/apparmor ] && [ "$(cat /proc/self/attr/current)" != "unconfined" ]; then +if [ -d /sys/kernel/security/apparmor ]; then + label="$(cat /proc/self/attr/current)" + if [ "$label" != "unconfined" ] && [ -n "${label##*(unconfined)}" ]; then exec aa-exec -p unconfined -- "$0" "$@" + fi fi exec lxc-checkconfig diff --git a/snapcraft/commands/lxd-migrate b/snapcraft/commands/lxd-migrate index 7a2452754..6907aace0 100755 --- a/snapcraft/commands/lxd-migrate +++ b/snapcraft/commands/lxd-migrate @@ -2,8 +2,11 @@ set -eu # Re-exec outside of apparmor confinement -if [ -d /sys/kernel/security/apparmor ] && [ "$(cat /proc/self/attr/current)" != "unconfined" ]; then +if [ -d /sys/kernel/security/apparmor ]; then + label="$(cat /proc/self/attr/current)" + if [ "$label" != "unconfined" ] && [ -n "${label##*(unconfined)}" ]; then exec aa-exec -p unconfined -- "$0" "$@" + fi fi # shellcheck disable=SC2155 diff --git a/snapcraft/commands/lxd-user b/snapcraft/commands/lxd-user index 2b272953c..08bfea009 100755 --- a/snapcraft/commands/lxd-user +++ b/snapcraft/commands/lxd-user @@ -2,8 +2,11 @@ set -eu # Re-exec outside of apparmor confinement -if [ -d /sys/kernel/security/apparmor ] && [ "$(cat /proc/self/attr/current)" != "unconfined" ]; then +if [ -d /sys/kernel/security/apparmor ]; then + label="$(cat /proc/self/attr/current)" + if [ "$label" != "unconfined" ] && [ -n "${label##*(unconfined)}" ]; then exec aa-exec -p unconfined -- "$0" "$@" + fi fi # Set the environment diff --git a/snapcraft/hooks/configure b/snapcraft/hooks/configure index 685ec3278..a5d26f03f 100755 --- a/snapcraft/hooks/configure +++ b/snapcraft/hooks/configure 
@@ -2,8 +2,11 @@ set -eu # Re-exec outside of apparmor confinement -if [ -d /sys/kernel/security/apparmor ] && [ "$(cat /proc/self/attr/current)" != "unconfined" ]; then +if [ -d /sys/kernel/security/apparmor ]; then + label="$(cat /proc/self/attr/current)" + if [ "$label" != "unconfined" ] && [ -n "${label##*(unconfined)}" ]; then exec aa-exec -p unconfined -- "$0" "$@" + fi fi # Utility functions diff --git a/snapcraft/hooks/connect-plug-ceph-conf b/snapcraft/hooks/connect-plug-ceph-conf index 7546ddcdd..cafffcdd7 100755 --- a/snapcraft/hooks/connect-plug-ceph-conf +++ b/snapcraft/hooks/connect-plug-ceph-conf @@ -2,8 +2,11 @@ set -eu # Re-exec outside of apparmor confinement -if [ -d /sys/kernel/security/apparmor ] && [ "$(cat /proc/self/attr/current)" != "unconfined" ]; then +if [ -d /sys/kernel/security/apparmor ]; then + label="$(cat /proc/self/attr/current)" + if [ "$label" != "unconfined" ] && [ -n "${label##*(unconfined)}" ]; then exec aa-exec -p unconfined -- "$0" "$@" + fi fi # Utility functions diff --git a/snapcraft/hooks/disconnect-plug-ceph-conf b/snapcraft/hooks/disconnect-plug-ceph-conf index 519658fd8..e5654fb8b 100755 --- a/snapcraft/hooks/disconnect-plug-ceph-conf +++ b/snapcraft/hooks/disconnect-plug-ceph-conf @@ -2,8 +2,11 @@ set -eu # Re-exec outside of apparmor confinement -if [ -d /sys/kernel/security/apparmor ] && [ "$(cat /proc/self/attr/current)" != "unconfined" ]; then +if [ -d /sys/kernel/security/apparmor ]; then + label="$(cat /proc/self/attr/current)" + if [ "$label" != "unconfined" ] && [ -n "${label##*(unconfined)}" ]; then exec aa-exec -p unconfined -- "$0" "$@" + fi fi # Utility functions diff --git a/snapcraft/hooks/remove b/snapcraft/hooks/remove index cbf4162a4..55636a62c 100755 --- a/snapcraft/hooks/remove +++ b/snapcraft/hooks/remove 
@@ -2,8 +2,11 @@ set -eu # Re-exec outside of apparmor confinement -if [ -d /sys/kernel/security/apparmor ] && [ "$(cat /proc/self/attr/current)" != "unconfined" ]; then +if [ -d /sys/kernel/security/apparmor ]; then + label="$(cat /proc/self/attr/current)" + if [ "$label" != "unconfined" ] && [ -n "${label##*(unconfined)}" ]; then exec aa-exec -p unconfined -- "$0" "$@" + fi fi # Unmount potential LXD paths. From 1465c1d764ef67e4efec5fdb41affaa217b5a1f9 Mon Sep 17 00:00:00 2001 From: Alex Murray Date: Tue, 7 Nov 2023 10:32:51 +0200 Subject: [PATCH 2/4] snapcraft/commands/lxc: optimise apparmor label reading Signed-off-by: Alex Murray --- snapcraft/commands/lxc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/snapcraft/commands/lxc b/snapcraft/commands/lxc index 4383b3843..2eb74a3f8 100755 --- a/snapcraft/commands/lxc +++ b/snapcraft/commands/lxc @@ -3,7 +3,7 @@ set -eu # Re-exec outside of apparmor confinement if [ -d /sys/kernel/security/apparmor ]; then - label="$(cat /proc/self/attr/current)" + label="$(while read -r l; do echo "$l"; done < /proc/self/attr/current)" if [ "$label" != "unconfined" ] && [ -n "${label##*(unconfined)}" ]; then exec aa-exec -p unconfined -- "$0" "$@" fi From 923956e73c2c52cebcac1cbc1ac2c4328cb636fb Mon Sep 17 00:00:00 2001 From: Alex Murray Date: Tue, 7 Nov 2023 12:37:58 +0200 Subject: [PATCH 3/4] snapcraft/commands/lxc: microoptimise call to aa-exec by full path Signed-off-by: Alex Murray --- snapcraft/commands/lxc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/snapcraft/commands/lxc b/snapcraft/commands/lxc index 2eb74a3f8..905323943 100755 --- a/snapcraft/commands/lxc +++ b/snapcraft/commands/lxc 
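Review bot: The read loop restored in snapcraft/commands/lxc has no comment explaining why this one script avoids `cat`, so next to the `cat` form used in the other scripts it reads like an oversight. I would add a line above the assignment such as `# Read the label with shell builtins to avoid spawning cat on every lxc invocation` (rationale inferred from the commit subject, please confirm). Also note that lxc is not among the files listed by the later "omit any errors" patch, so a failed redirection from /proc/self/attr/current is still reported on stderr here; if that is intentional, the same comment is the place to say so.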
@@ -5,7 +5,7 @@ set -eu if [ -d /sys/kernel/security/apparmor ]; then label="$(while read -r l; do echo "$l"; done < /proc/self/attr/current)" if [ "$label" != "unconfined" ] && [ -n "${label##*(unconfined)}" ]; then - exec aa-exec -p unconfined -- "$0" "$@" + exec /usr/bin/aa-exec -p unconfined -- "$0" "$@" fi fi From 1be7337f4724f2c81f8d0b28964fa5a8f1431d8b Mon Sep 17 00:00:00 2001 From: Alex Murray Date: Fri, 10 Nov 2023 13:28:26 +0200 Subject: [PATCH 4/4] snapcraft/{hooks,commands}: omit any errors when reading apparmor label Signed-off-by: Alex Murray --- snapcraft/commands/buginfo | 2 +- snapcraft/commands/daemon.activate | 2 +- snapcraft/commands/daemon.reload | 2 +- snapcraft/commands/daemon.start | 2 +- snapcraft/commands/daemon.stop | 2 +- snapcraft/commands/lxc-to-lxd | 2 +- snapcraft/commands/lxd | 2 +- snapcraft/commands/lxd-benchmark | 2 +- snapcraft/commands/lxd-check-kernel | 2 +- snapcraft/commands/lxd-migrate | 2 +- snapcraft/commands/lxd-user | 2 +- snapcraft/hooks/configure | 2 +- snapcraft/hooks/connect-plug-ceph-conf | 2 +- snapcraft/hooks/disconnect-plug-ceph-conf | 2 +- snapcraft/hooks/remove | 2 +- 15 files changed, 15 insertions(+), 15 deletions(-) diff --git a/snapcraft/commands/buginfo b/snapcraft/commands/buginfo index cc31568a7..5ca78a2f3 100755 --- a/snapcraft/commands/buginfo +++ b/snapcraft/commands/buginfo @@ -3,7 +3,7 @@ set -u # Re-exec outside of apparmor confinement if [ -d /sys/kernel/security/apparmor ]; then - label="$(cat /proc/self/attr/current)" + label="$(cat /proc/self/attr/current 2>/dev/null)" if [ "$label" != "unconfined" ] && [ -n "${label##*(unconfined)}" ]; then exec aa-exec -p unconfined -- "$0" "$@" fi diff --git a/snapcraft/commands/daemon.activate b/snapcraft/commands/daemon.activate index d1bf2caee..d13795fe1 100755 --- a/snapcraft/commands/daemon.activate +++ b/snapcraft/commands/daemon.activate 
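Review bot: Only snapcraft/commands/lxc gets the absolute `/usr/bin/aa-exec`; the other scripts touched by this series still run `exec aa-exec -p unconfined -- "$0" "$@"` and resolve the binary through PATH. Because this exec is the step that leaves confinement, pinning the path in all of them would make that step independent of the caller's environment. Whether `/usr/bin/aa-exec` is present in every context the hooks and daemon commands run in is not visible from this page and would need checking first. If the difference is deliberate, a short comment on this line, for example `# absolute path: skip the PATH lookup`, would record the reason.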
@@ -3,7 +3,7 @@ set -eu # Re-exec outside of apparmor confinement if [ -d /sys/kernel/security/apparmor ]; then - label="$(cat /proc/self/attr/current)" + label="$(cat /proc/self/attr/current 2>/dev/null)" if [ "$label" != "unconfined" ] && [ -n "${label##*(unconfined)}" ]; then if ! aa-exec --help >/dev/null 2>&1; then echo "The LXD snap was unable to run aa-exec, this usually indicates a LXD sideload." >&2 diff --git a/snapcraft/commands/daemon.reload b/snapcraft/commands/daemon.reload index b2edbe73c..c06ac4cc5 100755 --- a/snapcraft/commands/daemon.reload +++ b/snapcraft/commands/daemon.reload @@ -3,7 +3,7 @@ set -eu # Re-exec outside of apparmor confinement if [ -d /sys/kernel/security/apparmor ]; then - label="$(cat /proc/self/attr/current)" + label="$(cat /proc/self/attr/current 2>/dev/null)" if [ "$label" != "unconfined" ] && [ -n "${label##*(unconfined)}" ]; then exec aa-exec -p unconfined -- "$0" "$@" fi diff --git a/snapcraft/commands/daemon.start b/snapcraft/commands/daemon.start index 34559aa07..e3c64a5b2 100755 --- a/snapcraft/commands/daemon.start +++ b/snapcraft/commands/daemon.start @@ -3,7 +3,7 @@ set -eu # Re-exec outside of apparmor confinement if [ -d /sys/kernel/security/apparmor ]; then - label="$(cat /proc/self/attr/current)" + label="$(cat /proc/self/attr/current 2>/dev/null)" if [ "$label" != "unconfined" ] && [ -n "${label##*(unconfined)}" ]; then exec aa-exec -p unconfined -- "$0" "$@" fi diff --git a/snapcraft/commands/daemon.stop b/snapcraft/commands/daemon.stop index 6c0e5a277..b964ae0eb 100755 --- a/snapcraft/commands/daemon.stop +++ b/snapcraft/commands/daemon.stop @@ -3,7 +3,7 @@ set -eu # Re-exec outside of apparmor confinement if [ -d /sys/kernel/security/apparmor ]; then - label="$(cat /proc/self/attr/current)" + label="$(cat /proc/self/attr/current 2>/dev/null)" if [ "$label" != "unconfined" ] && [ -n "${label##*(unconfined)}" ]; then exec aa-exec -p unconfined -- "$0" "$@" fi 
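Review bot: Redirecting stderr on `label="$(cat /proc/self/attr/current 2>/dev/null)"` hides the message but not the failure. In daemon.activate and the other scripts that run under `set -eu`, a plain assignment takes the exit status of its command substitution, so a failed `cat` still terminates the script at this line. In daemon.activate that happens before the aa-exec sideload diagnostic can be printed. If the intent is to carry on with an empty label, `label="$(cat /proc/self/attr/current 2>/dev/null)" || label=""` does that, and the test that follows then has to decide what an empty label means. The same line appears in the remaining hunks of this patch; buginfo runs with `set -u` only and is not affected.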
diff --git a/snapcraft/commands/lxc-to-lxd b/snapcraft/commands/lxc-to-lxd index db1233570..11af0038a 100755 --- a/snapcraft/commands/lxc-to-lxd +++ b/snapcraft/commands/lxc-to-lxd @@ -3,7 +3,7 @@ set -eu # Re-exec outside of apparmor confinement if [ -d /sys/kernel/security/apparmor ]; then - label="$(cat /proc/self/attr/current)" + label="$(cat /proc/self/attr/current 2>/dev/null)" if [ "$label" != "unconfined" ] && [ -n "${label##*(unconfined)}" ]; then exec aa-exec -p unconfined -- "$0" "$@" fi diff --git a/snapcraft/commands/lxd b/snapcraft/commands/lxd index 026b0160f..fb383d439 100755 --- a/snapcraft/commands/lxd +++ b/snapcraft/commands/lxd @@ -3,7 +3,7 @@ set -eu # Re-exec outside of apparmor confinement if [ -d /sys/kernel/security/apparmor ]; then - label="$(cat /proc/self/attr/current)" + label="$(cat /proc/self/attr/current 2>/dev/null)" if [ "$label" != "unconfined" ] && [ -n "${label##*(unconfined)}" ]; then exec aa-exec -p unconfined -- "$0" "$@" fi diff --git a/snapcraft/commands/lxd-benchmark b/snapcraft/commands/lxd-benchmark index 132cf3563..5b196d3d3 100755 --- a/snapcraft/commands/lxd-benchmark +++ b/snapcraft/commands/lxd-benchmark @@ -3,7 +3,7 @@ set -eu # Re-exec outside of apparmor confinement if [ -d /sys/kernel/security/apparmor ]; then - label="$(cat /proc/self/attr/current)" + label="$(cat /proc/self/attr/current 2>/dev/null)" if [ "$label" != "unconfined" ] && [ -n "${label##*(unconfined)}" ]; then exec aa-exec -p unconfined -- "$0" "$@" fi diff --git a/snapcraft/commands/lxd-check-kernel b/snapcraft/commands/lxd-check-kernel index e5f2c4f68..ae5077ba5 100755 --- a/snapcraft/commands/lxd-check-kernel +++ b/snapcraft/commands/lxd-check-kernel 
@@ -3,7 +3,7 @@ set -eu # Re-exec outside of apparmor confinement if [ -d /sys/kernel/security/apparmor ]; then - label="$(cat /proc/self/attr/current)" + label="$(cat /proc/self/attr/current 2>/dev/null)" if [ "$label" != "unconfined" ] && [ -n "${label##*(unconfined)}" ]; then exec aa-exec -p unconfined -- "$0" "$@" fi diff --git a/snapcraft/commands/lxd-migrate b/snapcraft/commands/lxd-migrate index 6907aace0..03a6df1a0 100755 --- a/snapcraft/commands/lxd-migrate +++ b/snapcraft/commands/lxd-migrate @@ -3,7 +3,7 @@ set -eu # Re-exec outside of apparmor confinement if [ -d /sys/kernel/security/apparmor ]; then - label="$(cat /proc/self/attr/current)" + label="$(cat /proc/self/attr/current 2>/dev/null)" if [ "$label" != "unconfined" ] && [ -n "${label##*(unconfined)}" ]; then exec aa-exec -p unconfined -- "$0" "$@" fi diff --git a/snapcraft/commands/lxd-user b/snapcraft/commands/lxd-user index 08bfea009..92a7d7798 100755 --- a/snapcraft/commands/lxd-user +++ b/snapcraft/commands/lxd-user @@ -3,7 +3,7 @@ set -eu # Re-exec outside of apparmor confinement if [ -d /sys/kernel/security/apparmor ]; then - label="$(cat /proc/self/attr/current)" + label="$(cat /proc/self/attr/current 2>/dev/null)" if [ "$label" != "unconfined" ] && [ -n "${label##*(unconfined)}" ]; then exec aa-exec -p unconfined -- "$0" "$@" fi diff --git a/snapcraft/hooks/configure b/snapcraft/hooks/configure index a5d26f03f..e08f4b91e 100755 --- a/snapcraft/hooks/configure +++ b/snapcraft/hooks/configure @@ -3,7 +3,7 @@ set -eu # Re-exec outside of apparmor confinement if [ -d /sys/kernel/security/apparmor ]; then - label="$(cat /proc/self/attr/current)" + label="$(cat /proc/self/attr/current 2>/dev/null)" if [ "$label" != "unconfined" ] && [ -n "${label##*(unconfined)}" ]; then exec aa-exec -p unconfined -- "$0" "$@" fi diff --git a/snapcraft/hooks/connect-plug-ceph-conf b/snapcraft/hooks/connect-plug-ceph-conf index cafffcdd7..6577ba871 100755 --- a/snapcraft/hooks/connect-plug-ceph-conf 
+++ b/snapcraft/hooks/connect-plug-ceph-conf @@ -3,7 +3,7 @@ set -eu # Re-exec outside of apparmor confinement if [ -d /sys/kernel/security/apparmor ]; then - label="$(cat /proc/self/attr/current)" + label="$(cat /proc/self/attr/current 2>/dev/null)" if [ "$label" != "unconfined" ] && [ -n "${label##*(unconfined)}" ]; then exec aa-exec -p unconfined -- "$0" "$@" fi diff --git a/snapcraft/hooks/disconnect-plug-ceph-conf b/snapcraft/hooks/disconnect-plug-ceph-conf index e5654fb8b..c9a2111f0 100755 --- a/snapcraft/hooks/disconnect-plug-ceph-conf +++ b/snapcraft/hooks/disconnect-plug-ceph-conf @@ -3,7 +3,7 @@ set -eu # Re-exec outside of apparmor confinement if [ -d /sys/kernel/security/apparmor ]; then - label="$(cat /proc/self/attr/current)" + label="$(cat /proc/self/attr/current 2>/dev/null)" if [ "$label" != "unconfined" ] && [ -n "${label##*(unconfined)}" ]; then exec aa-exec -p unconfined -- "$0" "$@" fi diff --git a/snapcraft/hooks/remove b/snapcraft/hooks/remove index 55636a62c..c9e8f1ec0 100755 --- a/snapcraft/hooks/remove +++ b/snapcraft/hooks/remove @@ -3,7 +3,7 @@ set -eu # Re-exec outside of apparmor confinement if [ -d /sys/kernel/security/apparmor ]; then - label="$(cat /proc/self/attr/current)" + label="$(cat /proc/self/attr/current 2>/dev/null)" if [ "$label" != "unconfined" ] && [ -n "${label##*(unconfined)}" ]; then exec aa-exec -p unconfined -- "$0" "$@" fi