- Jul 02, 2020
Padiri Sivanandha Reddy authored
-
- Nov 16, 2017
Héctor Orón Martínez authored
Support usrmerge

Apertis: https://phabricator.apertis.org/T398
Signed-off-by: Héctor Orón Martínez <hector.oron@collabora.co.uk>
Reviewed-by: Emanuele Aina <emanuele.aina@collabora.com>
Differential Revision: https://phabricator.apertis.org/D7236
-
- Jul 17, 2016
Philip Withnall authored
If rhosydd-client is running on the same machine as isolation.py is run on, its network and mount namespaces will cause the test to fail, as it uses the standard namespaces, and hence makes the test think that an important part of Rhosydd is (erroneously) using the standard namespaces.

rhosydd-client itself doesn’t need to use mount namespaces as it doesn’t have access to any more data than any other consumer of the sensors and actuators SDK API.

rhosydd-client could be running on the machine while the tests are running if a developer is doing multiple things at once.

Reviewed-by: Mathieu Duponchelle <mathieu.duponchelle@collabora.co.uk>
Signed-off-by: Philip Withnall <philip.withnall@collabora.co.uk>
Differential Revision: https://phabricator.apertis.org/D3725
-
- Jun 30, 2016
Philip Withnall authored
This should not have been there.

Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Signed-off-by: Philip Withnall <philip.withnall@collabora.co.uk>
Differential Revision: https://phabricator.apertis.org/D3547
-
Philip Withnall authored
If a VddAggregateVehicle has a fully-valid cache, but no subscriptions to any attributes on backend vehicles (because no clients have subscriptions to attributes on the aggregate vehicle), an incoming request for an attribute will return a potentially stale value from the cache, rather than querying the backends.

Fix this by invalidating the cache on incoming requests if suitable subscriptions are not in place.

New API:
 • rsd_subscription_manager_has_subscription()

This adds an integration test for the failure seen in T2042.

Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Signed-off-by: Philip Withnall <philip.withnall@collabora.co.uk>
Differential Revision: https://phabricator.apertis.org/D3546
-
Philip Withnall authored
This will make an upcoming change a bit simpler. This commit introduces no functional changes.

Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Signed-off-by: Philip Withnall <philip.withnall@collabora.co.uk>
Differential Revision: https://phabricator.apertis.org/D3545
-
- Jun 28, 2016
Philip Withnall authored
It does not make sense for a wildcard subscription to restrict its signal emissions by period — a period criterion can only apply to a single attribute, otherwise we can end up with pathological cases where one attribute is emitted often enough to cause rate limiting; and all other attributes are emitted rarely enough to be accidentally dropped on one of the attribute emissions which is rate limited.

RsdSubscription is not set up to allow the emission rates for each attribute to be tracked individually, which is what’s needed to implement period criteria for wildcard attributes properly. Instead, acknowledge that if the client has chosen to use a wildcard, they aren’t particularly fussy about what attributes they receive, and just give them everything, with no period limiting.

Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Signed-off-by: Philip Withnall <philip.withnall@collabora.co.uk>
Differential Revision: https://phabricator.apertis.org/D3509
-
Philip Withnall authored
Test that the new utility functions in libcroesor work correctly; and add an integration test for end-to-end unicast signalling.

Note that this requires the teardown check in integration.py to be removed as it was failing. I have not investigated this yet; disabling it for now is fairly harmless, but in the long run it should be investigated to see whether it’s possible to describe the system’s behaviour down to individual main context iterations, or whether that’s not worth pursuing.

Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Signed-off-by: Philip Withnall <philip.withnall@collabora.co.uk>
Differential Revision: https://phabricator.apertis.org/D3507
-
Philip Withnall authored
It needs to do this to start and stop various Rhosydd services. We allow systemctl to run unconfined because it has no profile, and adding all the profile rules for the various things it does would bloat the integration.py profile. It’s only an integration test.

Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Signed-off-by: Philip Withnall <philip.withnall@collabora.co.uk>
Differential Revision: https://phabricator.apertis.org/D3505
-
Philip Withnall authored
Each vehicle has its own clock domain, which all timestamps for attributes from that vehicle are relative to. This means that the timestamps for two attributes from a given vehicle can be compared to see which was updated more recently (and how much more recently, in microseconds). However, there was previously no way to compare timestamps between vehicles, or to compare the timestamp for a given attribute to the current time. Given that the clock domain for a vehicle could differ arbitrarily from the system clock domain (g_get_monotonic_time()), this meant that clients could never work out how long ago (in system clock terms) an attribute was modified.

Fix that by exposing the current time in the vehicle’s clock domain with the return value from each RsdVehicle getter which returns a property or property metadata. This allows each attribute in those results to be compared to the clock at the time of returning the results, to find out how old that attribute value is, in microseconds.

This patch deliberately does not expose the current value of each vehicle’s clock domain as a value by itself (for example, as a get_current_time() method) as that would both tempt clients to poll it, and would introduce unavoidable race conditions between getting the current time and getting a set of attributes.

This breaks a lot of API.

The implementation in VddAggregateVehicle is worth paying attention to when reviewing, as it needs to aggregate attributes from multiple vehicles into a single aggregate vehicle. That means adjusting their last-updated times to be in a single aggregate clock domain. This is done by defining the aggregate clock domain to be g_get_monotonic_time() and tracking the difference between that and each of the source vehicles’ clocks with each value returned from those source vehicles.

Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Signed-off-by: Philip Withnall <philip.withnall@collabora.co.uk>
Differential Revision: https://phabricator.apertis.org/D3407
-
- May 19, 2016
Philip Withnall authored
Enable the following flags for the daemon and mock backends:
 • PrivateDevices=yes
 • ProtectSystem=full
 • ProtectHome=yes
 • PrivateTmp=yes

These mount per-process tmpfs file systems at /home, /root, /run/user, /tmp, /var/tmp; and bind mount restricted views of /dev and read-only views of /usr, /boot and /etc. This should minimise the amount of the system which is exposed to the daemon or its backends. Access to all of these files is already restricted by AppArmor, so this acts as an additional line of defence.

See:
 • https://www.freedesktop.org/software/systemd/man/systemd.exec.html
 • https://fedoraproject.org/wiki/Changes/PrivateDevicesAndPrivateNetwork
 • https://lwn.net/Articles/531381/

Note that this requires the (attach_disconnected) flag on the AppArmor profiles, to instruct AppArmor to resolve paths from outside the process’ mount namespace relative to the host root (/). This is safe, under the assumption that the bind mounts are used only for exposing parts of the host file system; but is not safe if we start rearranging views of the file system through bind mounts in future.

See:
 • https://lists.ubuntu.com/archives/apparmor/2010-July/000110.html
 • https://www.suse.com/documentation/sles-12/book_security/data/sec_apparmor_profiles_glob.html#sec_apparmor_profiles_flags

Without this flag, we get audit errors like the following:

type=AVC msg=audit(1463572311.066:895): apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/bin/rhosydd" name="run/systemd/notify" pid=2485 comm="rhosydd" requested_mask="w" denied_mask="w" fsuid=115 ouid=0

Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Signed-off-by: Philip Withnall <philip.withnall@collabora.co.uk>
Differential Revision: https://phabricator.apertis.org/D3197
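
Added example (not part of the commit or of Rhosydd's code): a small triage script that picks AppArmor denials caused by disconnected paths out of an audit log, which is the symptom of a profile lacking attach_disconnected under the mount-namespace flags above. The first record is the one quoted in the commit message; the second and third are constructed for contrast.

```python
import shlex

# Record quoted in the commit message above.
QUOTED = ('type=AVC msg=audit(1463572311.066:895): apparmor="DENIED" '
          'operation="sendmsg" info="Failed name lookup - disconnected path" '
          'error=-13 profile="/usr/bin/rhosydd" name="run/systemd/notify" '
          'pid=2485 comm="rhosydd" requested_mask="w" denied_mask="w" '
          'fsuid=115 ouid=0')
# Constructed: an ordinary policy denial, unrelated to mount namespaces.
ORDINARY = ('type=AVC msg=audit(1463572400.000:901): apparmor="DENIED" '
            'operation="open" profile="/usr/bin/rhosydd" name="/etc/shadow" '
            'pid=2485 comm="rhosydd" requested_mask="r" denied_mask="r" '
            'fsuid=115 ouid=0')
# Constructed: a truncated record with an unterminated quote.
TRUNCATED = 'type=AVC msg=audit(1463572401.000:902): apparmor="DENIED" info="Fail'


def parse_audit(line):
    """Split an audit record into a dict of key=value fields (quotes removed)."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def disconnected_denials(lines):
    """Return (profile, name, operation) for each disconnected-path denial."""
    hits = []
    for line in lines:
        try:
            fields = parse_audit(line)
        except ValueError:          # unbalanced quotes: skip the damaged record
            continue
        if fields.get("apparmor") != "DENIED":
            continue
        if "disconnected path" not in fields.get("info", ""):
            continue
        hits.append((fields.get("profile"), fields.get("name"),
                     fields.get("operation")))
    return hits


if __name__ == "__main__":
    for profile, name, operation in disconnected_denials([QUOTED, ORDINARY, TRUNCATED]):
        print(f"{profile}: {operation} on {name!r} denied (disconnected path)")
```

In the quoted record the name field has no leading slash (run/systemd/notify), which is how the path appears when it could not be resolved inside the process’ mount namespace.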
-
Philip Withnall authored
Enable it for the daemon and both mock backends. This instructs systemd to clone the processes into their own private network namespaces, which denies them access to the main network namespace (and hence denies all network access).

See:
 • https://www.freedesktop.org/software/systemd/man/systemd.exec.html#PrivateNetwork=
 • https://lwn.net/Articles/531381/
 • https://fedoraproject.org/wiki/Changes/PrivateDevicesAndPrivateNetwork

This also adds an integration test to check it’s worked, which is designed to be expanded to cover other namespaces in future.

Signed-off-by: Philip Withnall <philip.withnall@collabora.co.uk>
Differential Revision: https://phabricator.apertis.org/D3196
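
Added example (not the project's isolation.py): one way to check that a service really runs in private network and mount namespaces, by comparing its /proc/<pid>/ns links with those of PID 1, with an exemption list for processes such as rhosydd-client that legitimately use the standard namespaces (the false failure described in the Jul 17, 2016 commit). The PIDs, namespace inode numbers, the "mock-backend" label and all function names are constructed for illustration; the fake /proc tree lets the check run offline.

```python
import os
import tempfile


def namespace_id(proc_root, pid, kind):
    """Read a namespace identifier such as 'net:[4026531957]'."""
    return os.readlink(os.path.join(proc_root, str(pid), "ns", kind))


def shared_namespaces(proc_root, pid, reference_pid=1, kinds=("net", "mnt")):
    """Namespace kinds that pid shares with reference_pid (init by default)."""
    return [kind for kind in kinds
            if namespace_id(proc_root, pid, kind)
            == namespace_id(proc_root, reference_pid, kind)]


def isolation_failures(proc_root, services, exempt=()):
    """Map service name -> shared namespace kinds, skipping exempt services."""
    failures = {}
    for name, pid in services.items():
        if name in exempt:
            continue
        shared = shared_namespaces(proc_root, pid)
        if shared:
            failures[name] = shared
    return failures


def build_fake_proc(layout):
    """Create a /proc-like tree from {pid: {kind: identifier}} for offline use."""
    root = tempfile.mkdtemp()
    for pid, namespaces in layout.items():
        ns_dir = os.path.join(root, str(pid), "ns")
        os.makedirs(ns_dir)
        for kind, ident in namespaces.items():
            os.symlink(ident, os.path.join(ns_dir, kind))
    return root


# Constructed sample data: PIDs and namespace inode numbers are made up.
HOST = {"net": "net:[4026531957]", "mnt": "mnt:[4026531840]"}
LAYOUT = {
    1: HOST,                                                       # init
    2485: {"net": "net:[4026532301]", "mnt": "mnt:[4026532299]"},  # fully isolated
    2490: {"net": HOST["net"], "mnt": "mnt:[4026532305]"},         # network not private
    3000: HOST,                                                    # standard namespaces
}
SERVICES = {"rhosydd": 2485, "mock-backend": 2490, "rhosydd-client": 3000}

if __name__ == "__main__":
    proc = build_fake_proc(LAYOUT)
    print(isolation_failures(proc, SERVICES, exempt=("rhosydd-client",)))
```

On a live system pass proc_root="/proc"; reading the namespace links of another user's processes generally requires root.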
-
Philip Withnall authored
Add a few more integration tests which check that restarting various parts of the daemon and its backends doesn’t cause the others to fail; and that unconfined clients can’t access the SDK API.

Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Signed-off-by: Philip Withnall <philip.withnall@collabora.co.uk>
Differential Revision: https://phabricator.apertis.org/D3168
-
Philip Withnall authored
This expands and completes the AppArmor profiles for the daemon and mock backends, and adds a new profile for rhosydd-client. This relies on the new polkit AppArmor profile (T1685).

Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Signed-off-by: Philip Withnall <philip.withnall@collabora.co.uk>
Differential Revision: https://phabricator.apertis.org/D3164
-
- May 18, 2016
Philip Withnall authored
While in principle it’s a good idea to have a non-project-specific generic well-known name to expose services on, this only makes sense if the object paths, interface names and other naming are also generic, which they are not for Rhosydd. Since Rhosydd is (for the foreseeable future) likely to be the only sensors and actuators daemon on the system, it’s safe to simply use org.apertis.Rhosydd1 as //the// well-known name for the SDK sensors API.

As the vehicle manager interface has now been removed, which is what was exposed to backends, there is also no need to keep two sets of objects exposed separately by the daemon.

Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Signed-off-by: Philip Withnall <philip.withnall@collabora.co.uk>
Differential Revision: https://phabricator.apertis.org/D3156
-
- May 17, 2016
Philip Withnall authored
Add a basic integration test which runs as a client on the system, as installed. It checks basic functionality against the mock backends.

The integration test is written in Python, and exercises some of the Python bindings for librhosydd. It is executed by autopkgtest, and is intended to be executed as an installed-test in future, although this is not currently the case due to it needing to be run as root in order to get authentication to access the daemon from polkit.

Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Signed-off-by: Philip Withnall <philip.withnall@collabora.co.uk>
Differential Revision: https://phabricator.apertis.org/D3145
-