Sanitize systemd user services

In some cases, snapd insists on enabling user services not only
globally, as expected (thus, adding a symlink at `/etc/systemd/user/XXXXX.target.wants`),
but also locally (thus, at $HOME/.config/systemd/user/XXXX.target.wants`).

This means that if an user service is migrated from `default.target`
to `graphical-session.target` (or vice-versa), the soft link at
the user's HOME folder will be in the wrong subfolder.

Unfortunately, the main snapd service seems to not have the
capability of accessing and managing the local user services,
having to rely on the user's local daemon (`snap userd`), which
runs as an user's service. So a change in that daemon (which has
its source code at `usersession/userd` folder) is required to
check the locally enabled user services and ensure that their
soft link is in the right place.

This commit does this by checking the links in the user folder
every time user session daemon is launched, and runs as the user
a `systemctl --user reenable SNAP-SERVICE-NAME` to rebuild the
wrong softlink.

Author: sergio-costas

go.mod

@@ -52,5 +52,6 @@ require (
 	github.com/rogpeppe/go-internal v1.6.1 // indirect
 	golang.org/x/exp v0.0.0-20240416160154-fe59bbe5cc7f // indirect
 	golang.org/x/term v0.20.0 // indirect
+	gopkg.in/ini.v1 v1.67.1 // indirect
 	maze.io/x/crypto v0.0.0-20190131090603-9b94c9afe066 // indirect
 )

go.sum

@@ -17,7 +17,9 @@ github.com/canonical/tcglog-parser v0.0.0-20240924110432-d15eaf652981/go.mod h1:
 github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf h1:iW4rZ826su+pqaw19uhpSCzhj44qo35pNgKFGqzDKkU=
 github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/frankban/quicktest v1.2.2 h1:xfmOhhoH5fGPgbEAlhLpJH9p0z/0Qizio9osmvn9IUY=
 github.com/frankban/quicktest v1.2.2/go.mod h1:Qh/WofXFeiAFII1aEBu529AtJo6Zg2VHscnEsbBnJ20=
 github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk=
@@ -49,6 +51,7 @@ github.com/mvo5/libseccomp-golang v0.9.1-0.20180308152521-f4de83b52afb/go.mod h1
 github.com/pilebones/go-udev v0.9.0 h1:N1uEO/SxUwtIctc0WLU0t69JeBxIYEYnj8lT/Nabl9Q=
 github.com/pilebones/go-udev v0.9.0/go.mod h1:T2eI2tUSK0hA2WS5QLjXJUfQkluZQu+18Cqvem3CaXI=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/rivo/uniseg v0.2.0 h1:S1pD9weZBuJdFmowNwbpi7BJ8TNftyUImj/0WQi72jY=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rogpeppe/clock v0.0.0-20190514195947-2896927a307a h1:3QH7VyOaaiUHNrA9Se4YQIRkDTCw1EJls9xTUCaCeRM=
@@ -63,7 +66,15 @@ github.com/snapcore/maze.io-x-crypto v0.0.0-20190131090603-9b94c9afe066 h1:InG0E
 github.com/snapcore/maze.io-x-crypto v0.0.0-20190131090603-9b94c9afe066/go.mod h1:VuAdaITF1MrGzxPU+8GxagM1HW2vg7QhEFEeGHbmEMU=
 github.com/snapcore/secboot v0.0.0-20260129175210-e638825ef829 h1:9qeADnUPs/YhO0tty+j2zxi9dUI2Bn96y9Nc9XOKTOk=
 github.com/snapcore/secboot v0.0.0-20260129175210-e638825ef829/go.mod h1:BeEYaTJC4cqXVgpjjxajO31p2kVDvXwXJJx3YD7nCaE=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
+github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
+github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
+github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk=
+github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 go.etcd.io/bbolt v1.3.9 h1:8x7aARPEXiXbHmtUwAIv7eV2fQFHrLLavdiJ3uzJXoI=
 go.etcd.io/bbolt v1.3.9/go.mod h1:zaO32+Ti0PK1ivdPtgMESzuzL2VPoIG1PCQNvOdo/dE=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
@@ -97,6 +108,8 @@ gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
+gopkg.in/ini.v1 v1.67.1 h1:tVBILHy0R6e4wkYOn3XmiITt/hEVH4TFMYvAX2Ytz6k=
+gopkg.in/ini.v1 v1.67.1/go.mod h1:x/cyOwCgZqOkJoDIJ3c1KNHMo10+nLGAhh+kn3Zizss=
 gopkg.in/macaroon.v1 v1.0.0 h1:BmexIS8QyY02i0uoeXwrtlH8vCS/Rmxq9uzOy4qQvk8=
 gopkg.in/macaroon.v1 v1.0.0/go.mod h1:KeG3in9Jb7Z3RNA/PFngm+mISBo0Q0O9KQeF958zuoQ=
 gopkg.in/retry.v1 v1.0.3 h1:a9CArYczAVv6Qs6VGoLMio99GEs7kY9UzSF9+LD+iGs=
@@ -105,5 +118,6 @@ gopkg.in/tomb.v2 v2.0.0-20161208151619-d5d1b5820637 h1:yiW+nvdHb9LVqSHQBXfZCieqV
 gopkg.in/tomb.v2 v2.0.0-20161208151619-d5d1b5820637/go.mod h1:BHsqpu/nsuzkT5BpiH1EMZPLyqSMM8JbIavyFACoFNk=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

usersession/userd/userd.go

@@ -21,13 +21,20 @@ package userd
 
 import (
 	"fmt"
+	"io/fs"
+	"os"
+	"path"
+	"path/filepath"
+	"strings"
 
 	"github.com/godbus/dbus/v5"
 	"github.com/godbus/dbus/v5/introspect"
+	"gopkg.in/ini.v1"
 	"gopkg.in/tomb.v2"
 
 	"github.com/snapcore/snapd/dbusutil"
 	"github.com/snapcore/snapd/logger"
+	"github.com/snapcore/snapd/systemd"
 )
 
 type dbusInterface interface {
@@ -50,6 +57,92 @@ var userdBusNames = []string{
 	"io.snapcraft.Settings",
 }
 
+func clearBrokenLink(targetPath string) error {
+	_, err := filepath.EvalSymlinks(targetPath)
+	if err != nil {
+		switch err.(type) {
+		case *fs.PathError:
+			logger.Noticef("deleting broken link in snap service %s", targetPath)
+			// it's a broken link; delete it
+			os.Remove(targetPath)
+		default:
+			return err
+		}
+	}
+	return nil
+}
+
+func reenableUserService(serviceName string) error {
+	logger.Noticef("re-enabling user service %s", serviceName)
+	sysd := systemd.New(systemd.UserMode, nil)
+	return sysd.DaemonReEnable([]string{serviceName})
+}
+
+func checkServicePlacement(targetName, snapTarget string) error {
+	snapTargetData, err := os.ReadFile(snapTarget)
+	if err != nil {
+		return err
+	}
+	targetIni, err := ini.Load(snapTargetData)
+	if err != nil {
+		return err
+	}
+	wantedBy := ""
+	if section := targetIni.Section("Install"); section != nil {
+		wantedBy = section.Key("WantedBy").String()
+	}
+	if wantedBy != targetName {
+		// the symlink is in the wrong folder. Re-enable the service
+		// to change it.
+		err := reenableUserService(path.Base(snapTarget))
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func sanitizeUserServices() error {
+	// ensure that the user services enabled in the $HOME folder are
+	// correctly placed in the right .target.wants folder. This placement
+	// will be wrong if a service is moved from default.target to
+	// graphical-session.target or vice-versa, so this clean up is required.
+	//
+	// The change can happen in two cases:
+	//
+	// * when migrating from an old version of snapd without "graphical-session.target"
+	//   support, to a new version that supports it: all the user daemons' WantedBy entry
+	//   will be updated, and so these entries will have to be updated too.
+	// * when a snap adds or removes the `desktop` plug in a daemon
+
+	userSystemdQuery := path.Join(os.Getenv("HOME"), ".config", "systemd", "user", "*.target.wants")
+	entries, err := filepath.Glob(userSystemdQuery)
+	if err != nil {
+		return err
+	}
+	for _, targetWantPath := range entries {
+		snapTargetPaths, err := filepath.Glob(path.Join(targetWantPath, "snap.*"))
+		if err != nil {
+			logger.Noticef("cannot get the user service files at %s: %s", targetWantPath, err.Error())
+			continue
+		}
+		for _, snapTarget := range snapTargetPaths {
+			// Remove any broken link (that's a service that was removed)
+			if err = clearBrokenLink(snapTarget); err != nil {
+				logger.Noticef("cannot remove the broken link %s: %s", snapTarget, err.Error())
+				continue
+			}
+			// Check that any snap service is in the right .target.wants
+			targetName := strings.TrimSuffix(targetWantPath, ".wants")
+			if err := checkServicePlacement(path.Base(targetName), snapTarget); err != nil {
+				logger.Noticef("cannot process user service at %s for %s: %s", snapTarget, targetName, err.Error())
+				continue
+			}
+		}
+	}
+	return nil
+}
+
 func (ud *Userd) Init() error {
 	var err error
 
@@ -86,6 +179,8 @@ func (ud *Userd) Init() error {
 			return fmt.Errorf("cannot obtain bus name '%s'", name)
 		}
 	}
+
+	sanitizeUserServices()
 	return nil
 }