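// -*- Mode: Go; indent-tabs-mode: t -*-

/*
 * Copyright (C) 2016 Canonical Ltd
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 3 as
 * published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 *
 */

package builtin_test

import (
	"fmt"

	. "gopkg.in/check.v1"

	"gitee.com/mysnapcore/mysnapd/dirs"
	"gitee.com/mysnapcore/mysnapd/interfaces"
	"gitee.com/mysnapcore/mysnapd/interfaces/apparmor"
	"gitee.com/mysnapcore/mysnapd/interfaces/builtin"
	"gitee.com/mysnapcore/mysnapd/interfaces/dbus"
	"gitee.com/mysnapcore/mysnapd/interfaces/seccomp"
	"gitee.com/mysnapcore/mysnapd/interfaces/udev"
	"gitee.com/mysnapcore/mysnapd/release"
	"gitee.com/mysnapcore/mysnapd/snap"
	"gitee.com/mysnapcore/mysnapd/snap/snaptest"
	"gitee.com/mysnapcore/mysnapd/testutil"
)

// NetworkManagerInterfaceSuite exercises the security snippets (AppArmor,
// D-Bus, seccomp, udev) that the builtin "network-manager" interface emits
// for a mocked plug snap and a mocked slot snap.
type NetworkManagerInterfaceSuite struct {
	iface    interfaces.Interface
	slotInfo *snap.SlotInfo
	slot     *interfaces.ConnectedSlot
	plugInfo *snap.PlugInfo
	plug     *interfaces.ConnectedPlug
}

// Mock snap.yaml of the consuming snap: one app, "nmcli", plugging
// network-manager. Its security tag is snap.network-manager-client.nmcli.
const netmgrMockPlugSnapInfoYaml = `name: network-manager-client
version: 1.0
plugs:
 network-manager:
  interface: network-manager
apps:
 nmcli:
  command: foo
  plugs:
   - network-manager
`

// Mock snap.yaml of the providing snap: one app, "nm", offering the
// network-manager slot. Its security tag is snap.network-manager.nm.
const netmgrMockSlotSnapInfoYaml = `name: network-manager
version: 1.0
apps:
 nm:
  command: foo
  slots: [network-manager]
`

var _ = Suite(&NetworkManagerInterfaceSuite{
	iface: builtin.MustInterface("network-manager"),
})

// SetUpTest rebuilds the connected plug and slot from the mock YAML before
// every test so that no test observes another test's plug/slot state.
func (s *NetworkManagerInterfaceSuite) SetUpTest(c *C) {
	plugSnap := snaptest.MockInfo(c, netmgrMockPlugSnapInfoYaml, nil)
	s.plugInfo = plugSnap.Plugs["network-manager"]
	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil, nil)

	slotSnap := snaptest.MockInfo(c, netmgrMockSlotSnapInfoYaml, nil)
	s.slotInfo = slotSnap.Slots["network-manager"]
	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil, nil)
}

// TestName checks the interface reports the expected name.
func (s *NetworkManagerInterfaceSuite) TestName(c *C) {
	c.Assert(s.iface.Name(), Equals, "network-manager")
}

// The label glob when all apps are bound to the network-manager slot.
//
// The peer label is what restricts which AppArmor profile the plug may talk
// to; with every app of the slot snap bound, the expected form is the
// snap-wide glob "snap.network-manager.*".
func (s *NetworkManagerInterfaceSuite) TestConnectedPlugSnippetUsesSlotLabelAll(c *C) {
	// release.OnClassic is package-level state shared by every test in the
	// binary; restore it so the value set here cannot leak into later tests.
	restore := release.MockOnClassic(false)
	defer restore()

	app1 := &snap.AppInfo{Name: "app1"}
	app2 := &snap.AppInfo{Name: "app2"}
	slot := interfaces.NewConnectedSlot(&snap.SlotInfo{
		Snap: &snap.Info{
			SuggestedName: "network-manager",
			Apps:          map[string]*snap.AppInfo{"app1": app1, "app2": app2},
		},
		Name:      "network-manager",
		Interface: "network-manager",
		Apps:      map[string]*snap.AppInfo{"app1": app1, "app2": app2},
	}, nil, nil)

	// connected plugs have a non-nil security snippet for apparmor
	apparmorSpec := &apparmor.Specification{}
	err := apparmorSpec.AddConnectedPlug(s.iface, s.plug, slot)
	c.Assert(err, IsNil)
	c.Assert(apparmorSpec.SecurityTags(), DeepEquals, []string{"snap.network-manager-client.nmcli"})
	c.Assert(apparmorSpec.SnippetForTag("snap.network-manager-client.nmcli"), testutil.Contains, `peer=(label="snap.network-manager.*"),`)
}

// The label uses alternation when some, but not all, apps are bound to the
// network-manager slot.
//
// Here the slot snap declares app1..app3 but only app1 and app2 are bound, so
// the peer label must enumerate exactly those two and not fall back to the
// snap-wide glob, which would also match the unbound app3.
func (s *NetworkManagerInterfaceSuite) TestConnectedPlugSnippetUsesSlotLabelSome(c *C) {
	// Restore the shared release.OnClassic flag when the test finishes.
	restore := release.MockOnClassic(false)
	defer restore()

	app1 := &snap.AppInfo{Name: "app1"}
	app2 := &snap.AppInfo{Name: "app2"}
	app3 := &snap.AppInfo{Name: "app3"}
	slot := interfaces.NewConnectedSlot(&snap.SlotInfo{
		Snap: &snap.Info{
			SuggestedName: "network-manager",
			Apps:          map[string]*snap.AppInfo{"app1": app1, "app2": app2, "app3": app3},
		},
		Name:      "network-manager",
		Interface: "network-manager",
		Apps:      map[string]*snap.AppInfo{"app1": app1, "app2": app2},
	}, nil, nil)

	apparmorSpec := &apparmor.Specification{}
	err := apparmorSpec.AddConnectedPlug(s.iface, s.plug, slot)
	c.Assert(err, IsNil)
	c.Assert(apparmorSpec.SecurityTags(), DeepEquals, []string{"snap.network-manager-client.nmcli"})
	c.Assert(apparmorSpec.SnippetForTag("snap.network-manager-client.nmcli"), testutil.Contains, `peer=(label="snap.network-manager.{app1,app2}"),`)
}

// The label uses short form when exactly one app is bound to the
// network-manager slot.
func (s *NetworkManagerInterfaceSuite) TestConnectedPlugSnippetUsesSlotLabelOne(c *C) {
	// Restore the shared release.OnClassic flag when the test finishes.
	restore := release.MockOnClassic(false)
	defer restore()

	app := &snap.AppInfo{Name: "app"}
	slot := interfaces.NewConnectedSlot(&snap.SlotInfo{
		Snap: &snap.Info{
			SuggestedName: "network-manager",
			Apps:          map[string]*snap.AppInfo{"app": app},
		},
		Name:      "network-manager",
		Interface: "network-manager",
		Apps:      map[string]*snap.AppInfo{"app": app},
	}, nil, nil)

	apparmorSpec := &apparmor.Specification{}
	err := apparmorSpec.AddConnectedPlug(s.iface, s.plug, slot)
	c.Assert(err, IsNil)
	c.Assert(apparmorSpec.SecurityTags(), DeepEquals, []string{"snap.network-manager-client.nmcli"})
	c.Assert(apparmorSpec.SnippetForTag("snap.network-manager-client.nmcli"), testutil.Contains, `peer=(label="snap.network-manager.app"),`)
}

// On classic the plug snippet is expected to name the "unconfined" label as
// its peer instead of a snap-specific label.
//
// NOTE(review): "unconfined" does not pin the peer to one snap's profile; it
// presumably reflects a host-provided NetworkManager on classic systems.
// Confirm against the interface definition before relying on this for a
// confinement argument.
func (s *NetworkManagerInterfaceSuite) TestConnectedPlugSnippedUsesUnconfinedLabelOnClassic(c *C) {
	// Restore the shared release.OnClassic flag when the test finishes.
	restore := release.MockOnClassic(true)
	defer restore()

	slot := interfaces.NewConnectedSlot(&snap.SlotInfo{}, nil, nil)
	apparmorSpec := &apparmor.Specification{}
	err := apparmorSpec.AddConnectedPlug(s.iface, s.plug, slot)
	c.Assert(err, IsNil)
	c.Assert(apparmorSpec.SecurityTags(), DeepEquals, []string{"snap.network-manager-client.nmcli"})
	c.Assert(apparmorSpec.SnippetForTag("snap.network-manager-client.nmcli"), testutil.Contains, "peer=(label=unconfined),")
}

// On core the plug snippet includes the rule block that lets the plug
// introspect the providing snap.
func (s *NetworkManagerInterfaceSuite) TestConnectedPlugIntrospectionOnCore(c *C) {
	// Restore the shared release.OnClassic flag when the test finishes.
	restore := release.MockOnClassic(false)
	defer restore()

	apparmorSpec := &apparmor.Specification{}
	err := apparmorSpec.AddConnectedPlug(s.iface, s.plug, s.slot)
	c.Assert(err, IsNil)
	c.Assert(apparmorSpec.SecurityTags(), DeepEquals, []string{"snap.network-manager-client.nmcli"})
	c.Assert(apparmorSpec.SnippetForTag("snap.network-manager-client.nmcli"), testutil.Contains, "Allow us to introspect the network-manager providing snap")
}

// On core the slot snippet includes the rule block that lets connected plugs
// introspect the slot.
func (s *NetworkManagerInterfaceSuite) TestConnectedSlotIntrospectionOnCore(c *C) {
	// Restore the shared release.OnClassic flag when the test finishes.
	restore := release.MockOnClassic(false)
	defer restore()

	apparmorSpec := &apparmor.Specification{}
	err := apparmorSpec.AddConnectedSlot(s.iface, s.plug, s.slot)
	c.Assert(err, IsNil)
	c.Assert(apparmorSpec.SecurityTags(), DeepEquals, []string{"snap.network-manager.nm"})
	c.Assert(apparmorSpec.SnippetForTag("snap.network-manager.nm"), testutil.Contains, "# Allow plugs to introspect us")
}

// On classic the plug-side introspection rule block must be absent.
func (s *NetworkManagerInterfaceSuite) TestConnectedPlugIntrospectionOnClassic(c *C) {
	// Restore the shared release.OnClassic flag when the test finishes.
	restore := release.MockOnClassic(true)
	defer restore()

	apparmorSpec := &apparmor.Specification{}
	err := apparmorSpec.AddConnectedPlug(s.iface, s.plug, s.slot)
	c.Assert(err, IsNil)
	c.Assert(apparmorSpec.SecurityTags(), DeepEquals, []string{"snap.network-manager-client.nmcli"})
	c.Assert(apparmorSpec.SnippetForTag("snap.network-manager-client.nmcli"), Not(testutil.Contains), "Allow us to introspect the network-manager providing snap")
}

// On classic the slot-side introspection rule block must be absent.
func (s *NetworkManagerInterfaceSuite) TestConnectedSlotIntrospectionOnClassic(c *C) {
	// Restore the shared release.OnClassic flag when the test finishes.
	restore := release.MockOnClassic(true)
	defer restore()

	apparmorSpec := &apparmor.Specification{}
	err := apparmorSpec.AddConnectedSlot(s.iface, s.plug, s.slot)
	c.Assert(err, IsNil)
	c.Assert(apparmorSpec.SecurityTags(), DeepEquals, []string{"snap.network-manager.nm"})
	c.Assert(apparmorSpec.SnippetForTag("snap.network-manager.nm"), Not(testutil.Contains), "# Allow plugs to introspect us")
}

// TestConnectedSlotSnippetAppArmor checks that the connected-slot AppArmor
// snippet mentions the NetworkManager D-Bus object path.
//
// This test does not set release.OnClassic itself and so runs with the
// ambient value; the sibling tests restore the flag so that value no longer
// depends on test execution order.
func (s *NetworkManagerInterfaceSuite) TestConnectedSlotSnippetAppArmor(c *C) {
	apparmorSpec := &apparmor.Specification{}
	err := apparmorSpec.AddConnectedSlot(s.iface, s.plug, s.slot)
	c.Assert(err, IsNil)
	c.Assert(apparmorSpec.SecurityTags(), DeepEquals, []string{"snap.network-manager.nm"})
	c.Assert(apparmorSpec.SnippetForTag("snap.network-manager.nm"), testutil.Contains, `/org/freedesktop/NetworkManager`)
}

// TestUsedSecuritySystems checks which backends receive snippets: AppArmor
// for both the connected plug and the permanent slot (two tags), D-Bus for
// the permanent slot (one tag), and nothing on D-Bus for the connected plug.
func (s *NetworkManagerInterfaceSuite) TestUsedSecuritySystems(c *C) {
	apparmorSpec := &apparmor.Specification{}
	err := apparmorSpec.AddConnectedPlug(s.iface, s.plug, s.slot)
	c.Assert(err, IsNil)
	err = apparmorSpec.AddPermanentSlot(s.iface, s.slotInfo)
	c.Assert(err, IsNil)
	c.Assert(apparmorSpec.SecurityTags(), HasLen, 2)

	dbusSpec := &dbus.Specification{}
	err = dbusSpec.AddPermanentSlot(s.iface, s.slotInfo)
	c.Assert(err, IsNil)
	c.Assert(dbusSpec.SecurityTags(), HasLen, 1)

	// A fresh specification, so the permanent-slot snippet added above does
	// not count towards the connected-plug result.
	dbusSpec = &dbus.Specification{}
	err = dbusSpec.AddConnectedPlug(s.iface, s.plug, s.slot)
	c.Assert(err, IsNil)
	c.Assert(dbusSpec.SecurityTags(), HasLen, 0)
}

// TestSecCompPermanentSlot checks that the permanent slot's seccomp snippet
// contains a line for the listen syscall.
func (s *NetworkManagerInterfaceSuite) TestSecCompPermanentSlot(c *C) {
	seccompSpec := &seccomp.Specification{}
	err := seccompSpec.AddPermanentSlot(s.iface, s.slotInfo)
	c.Assert(err, IsNil)
	c.Assert(seccompSpec.SecurityTags(), DeepEquals, []string{"snap.network-manager.nm"})
	c.Check(seccompSpec.SnippetForTag("snap.network-manager.nm"), testutil.Contains, "listen\n")
}

// TestUDevPermanentSlot checks that the permanent slot yields exactly two
// udev snippets: one tagging the rfkill device for the slot app, and one
// running snap-device-helper for devices carrying that tag.
func (s *NetworkManagerInterfaceSuite) TestUDevPermanentSlot(c *C) {
	spec := &udev.Specification{}
	c.Assert(spec.AddPermanentSlot(s.iface, s.slotInfo), IsNil)
	c.Assert(spec.Snippets(), HasLen, 2)
	c.Assert(spec.Snippets(), testutil.Contains, `# network-manager
KERNEL=="rfkill", TAG+="snap_network-manager_nm"`)
	c.Assert(spec.Snippets(), testutil.Contains, fmt.Sprintf(`TAG=="snap_network-manager_nm", RUN+="%v/snap-device-helper $env{ACTION} snap_network-manager_nm $devpath $major:$minor"`, dirs.DistroLibExecDir))
}

// TestInterfaces checks that the interface is registered among the builtins.
func (s *NetworkManagerInterfaceSuite) TestInterfaces(c *C) {
	c.Check(builtin.Interfaces(), testutil.DeepContains, s.iface)
}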