Documentation
Overview
Package install implements installation logic details for UC20+ systems. It is meant for use by overlord/devicestate and the single-reboot installation code in snap-bootstrap.
Index
- func ApplyPreseededData(preseedSeed seed.PreseedCapable, writableDir string) error
- func BuildInstallObserver(model *asserts.Model, gadgetDir string, useEncryption bool) (observer gadget.ContentObserver, ...)
- func CheckEncryptionSupport(model *asserts.Model, tpmMode secboot.TPMProvisionMode, kernelInfo *snap.Info, ...) (device.EncryptionType, error)
- func MockSecbootCheckTPMKeySealingSupported(f func(tpmMode secboot.TPMProvisionMode) error) (restore func())
- func PrepareEncryptedSystemData(model *asserts.Model, ...) error
- func PrepareRunSystemData(model *asserts.Model, gadgetDir string, perfTimings timings.Measurer) error
- type BuildKernelBootInfoOpts
- type ComponentSeedInfo
- type EncryptionSupportInfo
- type KernelBootInfo
- type SystemSnapdVersions
Constants
This section is empty.
Variables
This section is empty.
Functions
func ApplyPreseededData
func ApplyPreseededData(preseedSeed seed.PreseedCapable, writableDir string) error
ApplyPreseededData applies the preseed payload from the given seed, including installing snaps, to the given target system filesystem.
func BuildInstallObserver
func BuildInstallObserver(model *asserts.Model, gadgetDir string, useEncryption bool) (
    observer gadget.ContentObserver,
    trustedObserver boot.TrustedAssetsInstallObserver,
    err error)
BuildInstallObserver creates an observer for gadget assets if applicable; otherwise the returned gadget.ContentObserver is nil. The observer, if any, is also returned as a non-nil trustedObserver if encryption is in use.
func CheckEncryptionSupport
func CheckEncryptionSupport(
    model *asserts.Model,
    tpmMode secboot.TPMProvisionMode,
    kernelInfo *snap.Info,
    gadgetInfo *gadget.Info,
    runSetupHook fde.RunSetupHookFunc,
) (device.EncryptionType, error)
CheckEncryptionSupport checks what type of disk encryption support, if any, is available and returns the corresponding device.EncryptionType. Internally it uses GetEncryptionSupportInfo with the provided parameters.
func MockSecbootCheckTPMKeySealingSupported
func MockSecbootCheckTPMKeySealingSupported(f func(tpmMode secboot.TPMProvisionMode) error) (restore func())
MockSecbootCheckTPMKeySealingSupported mocks secboot.CheckTPMKeySealingSupported usage by the package for testing.
func PrepareEncryptedSystemData
func PrepareEncryptedSystemData(
    model *asserts.Model,
    installKeyForRole map[string]secboot.BootstrappedContainer,
    volumesAuth *device.VolumesAuthOptions,
    trustedInstallObserver boot.TrustedAssetsInstallObserver,
) error
PrepareEncryptedSystemData executes preparations related to encrypted system data:
- provides trustedInstallObserver with the chosen keys
- uses trustedInstallObserver to track any trusted assets in ubuntu-seed
- saves the keys and markers that allow ubuntu-data to safely open ubuntu-save
It is the responsibility of the caller to call ObserveExistingTrustedRecoveryAssets on trustedInstallObserver.
func PrepareRunSystemData
func PrepareRunSystemData(model *asserts.Model, gadgetDir string, perfTimings timings.Measurer) error
PrepareRunSystemData prepares the run system:
- it writes the model to ubuntu-boot
- sets up/copies any allowed and relevant cloud init configuration
- plus other details
Types
type BuildKernelBootInfoOpts
type BuildKernelBootInfoOpts struct {
    // IsCore is true for UC, and false for hybrid systems
    IsCore bool
    // NeedsDriversTree is true if we need a drivers tree (UC/hybrid 24+)
    NeedsDriversTree bool
}
BuildKernelBootInfoOpts contains options for BuildKernelBootInfo.
type ComponentSeedInfo
type ComponentSeedInfo struct {
    Info *snap.ComponentInfo
    Seed *seed.Component
}
ComponentSeedInfo contains information for a component from the seed and from its metadata.
type EncryptionSupportInfo
type EncryptionSupportInfo struct {
    // Disabled is set to true if encryption was forcefully
    // disabled (e.g. via the seed partition), if set the rest
    // of the struct content is not relevant.
    Disabled bool
    // StorageSafety describes the level safety properties
    // requested by the model
    StorageSafety asserts.StorageSafety
    // Available is set to true if encryption is available on this device
    // with the used gadget.
    Available bool
    // Type is set to the EncryptionType that can be used if
    // Available is true.
    Type device.EncryptionType
    // the this device and used gadget do not match the
    // storage safety requirements.
    UnavailableErr error
    // available in case it is optional.
    UnavailableWarning string
    // PassphraseAuthAvailable is set if the passphrase authentication
    // is supported.
    PassphraseAuthAvailable bool
    // PINAuthAvailable is set if the pin authentication is supported.
    PINAuthAvailable bool
}
EncryptionSupportInfo describes what encryption is available and needed for the current device.
func GetEncryptionSupportInfo
func GetEncryptionSupportInfo(model *asserts.Model, tpmMode secboot.TPMProvisionMode, kernelInfo *snap.Info, gadgetInfo *gadget.Info, systemSnapdVersions *SystemSnapdVersions, runSetupHook fde.RunSetupHookFunc) (EncryptionSupportInfo, error)
GetEncryptionSupportInfo returns the encryption support information for the given model, TPM provision mode, kernel and gadget information and system hardware. It uses runSetupHook to invoke the kernel fde-setup hook if any is available, leaving the caller to decide how, based on the environment.
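The following is an added example, not code from snapd: it sketches how a caller could turn the documented EncryptionSupportInfo fields into a fail-closed install decision. The struct is a local stand-in (Type is a plain string), and decideEncryption and the authMode labels are hypothetical names chosen for the illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// EncryptionSupportInfo is a local stand-in for a subset of the documented
// struct; Type is a plain string here, not device.EncryptionType.
type EncryptionSupportInfo struct {
	Disabled, Available                       bool
	Type                                      string
	UnavailableErr                            error
	UnavailableWarning                        string
	PassphraseAuthAvailable, PINAuthAvailable bool
}

// decideEncryption (hypothetical) returns the encryption type to use, "" for
// an unencrypted install, or an error when installation must stop.
// authMode is "", "passphrase" or "pin" (labels assumed for this example).
func decideEncryption(info EncryptionSupportInfo, authMode string) (string, error) {
	if info.Disabled {
		return "", nil // rest of the struct is not relevant
	}
	if !info.Available {
		if info.UnavailableErr != nil {
			// Storage safety requirements are not met: fail closed.
			return "", fmt.Errorf("cannot install: %w", info.UnavailableErr)
		}
		return "", nil // optional encryption; UnavailableWarning explains why
	}
	if info.Type == "" {
		return "", errors.New("encryption available but no type reported")
	}
	if authMode == "passphrase" && !info.PassphraseAuthAvailable {
		return "", errors.New("passphrase authentication is not supported")
	}
	if authMode == "pin" && !info.PINAuthAvailable {
		return "", errors.New("PIN authentication is not supported")
	}
	return info.Type, nil
}

func main() {
	// Constructed sample: model requires encryption, device cannot provide it.
	info := EncryptionSupportInfo{UnavailableErr: errors.New("no TPM (constructed)")}
	_, err := decideEncryption(info, "")
	fmt.Println(err)
}
```

Checking Disabled first follows the field comment that the rest of the struct is not relevant when it is set; treating a non-nil UnavailableErr as a hard stop is this example's reading of the field comments.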
type KernelBootInfo
type KernelBootInfo struct {
    KSnapInfo     *gadgetInstall.KernelSnapInfo
    BootableKMods []boot.BootableKModsComponents
}
KernelBootInfo contains information related to the kernel used on installation.
func BuildKernelBootInfo
func BuildKernelBootInfo(kernInfo *snap.Info, compSeedInfos []ComponentSeedInfo, kernMntPoint string, mntPtForComps map[string]string, opts BuildKernelBootInfoOpts) KernelBootInfo
BuildKernelBootInfo constructs a KernelBootInfo.
type SystemSnapdVersions
type SystemSnapdVersions struct {
    // SnapdVersion is the version of snapd in a given system
    SnapdVersion string
    // SnapdInitramfsVersion is the version of the snapd-related component that participates
    // in the boot process and performs unlocking. Typically snap-bootstrap in the kernel snap.
    SnapdInitramfsVersion string
}
SystemSnapdVersions describes the snapd versions in a given system.