github.com/bugraaydogar/snapd@v0.0.0-20210315170335-8c70bb858939/interfaces/builtin/browser_support_test.go (about) 1 // -*- Mode: Go; indent-tabs-mode: t -*- 2 3 /* 4 * Copyright (C) 2016 Canonical Ltd 5 * 6 * This program is free software: you can redistribute it and/or modify 7 * it under the terms of the GNU General Public License version 3 as 8 * published by the Free Software Foundation. 9 * 10 * This program is distributed in the hope that it will be useful, 11 * but WITHOUT ANY WARRANTY; without even the implied warranty of 12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 * GNU General Public License for more details. 14 * 15 * You should have received a copy of the GNU General Public License 16 * along with this program. If not, see <http://www.gnu.org/licenses/>. 17 * 18 */ 19 20 package builtin_test 21 22 import ( 23 . "gopkg.in/check.v1" 24 25 "github.com/snapcore/snapd/interfaces" 26 "github.com/snapcore/snapd/interfaces/apparmor" 27 "github.com/snapcore/snapd/interfaces/builtin" 28 "github.com/snapcore/snapd/interfaces/seccomp" 29 "github.com/snapcore/snapd/snap" 30 "github.com/snapcore/snapd/snap/snaptest" 31 "github.com/snapcore/snapd/testutil" 32 ) 33 34 type BrowserSupportInterfaceSuite struct { 35 iface interfaces.Interface 36 slot *interfaces.ConnectedSlot 37 slotInfo *snap.SlotInfo 38 plug *interfaces.ConnectedPlug 39 plugInfo *snap.PlugInfo 40 } 41 42 const browserMockPlugSnapInfoYaml = `name: other 43 version: 1.0 44 apps: 45 app2: 46 command: foo 47 plugs: [browser-support] 48 ` 49 50 var _ = Suite(&BrowserSupportInterfaceSuite{ 51 iface: builtin.MustInterface("browser-support"), 52 }) 53 54 func (s *BrowserSupportInterfaceSuite) SetUpTest(c *C) { 55 s.slotInfo = &snap.SlotInfo{ 56 Snap: &snap.Info{SuggestedName: "core", SnapType: snap.TypeOS}, 57 Name: "browser-support", 58 Interface: "browser-support", 59 } 60 s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil, nil) 61 plugSnap := snaptest.MockInfo(c, browserMockPlugSnapInfoYaml, nil) 62 s.plugInfo = plugSnap.Plugs["browser-support"] 63 s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil, nil) 64 } 65 66 func (s *BrowserSupportInterfaceSuite) TestName(c *C) { 67 c.Assert(s.iface.Name(), Equals, "browser-support") 68 } 69 70 func (s *BrowserSupportInterfaceSuite) TestSanitizeSlot(c *C) { 71 c.Assert(interfaces.BeforePrepareSlot(s.iface, s.slotInfo), IsNil) 72 } 73 74 func (s *BrowserSupportInterfaceSuite) TestSanitizePlugNoAttrib(c *C) { 75 c.Assert(interfaces.BeforePreparePlug(s.iface, s.plugInfo), IsNil) 76 } 77 78 func (s *BrowserSupportInterfaceSuite) TestSanitizePlugWithAttrib(c *C) { 79 const mockSnapYaml = `name: browser-support-plug-snap 80 version: 1.0 81 plugs: 82 browser-support: 83 allow-sandbox: true 84 ` 85 info := snaptest.MockInfo(c, mockSnapYaml, nil) 86 plug := info.Plugs["browser-support"] 87 c.Assert(interfaces.BeforePreparePlug(s.iface, plug), IsNil) 88 } 89 90 func (s *BrowserSupportInterfaceSuite) TestSanitizePlugWithBadAttrib(c *C) { 91 const mockSnapYaml = `name: browser-support-plug-snap 92 version: 1.0 93 plugs: 94 browser-support: 95 allow-sandbox: bad 96 ` 97 info := snaptest.MockInfo(c, mockSnapYaml, nil) 98 plug := info.Plugs["browser-support"] 99 c.Assert(interfaces.BeforePreparePlug(s.iface, plug), ErrorMatches, 100 "browser-support plug requires bool with 'allow-sandbox'") 101 } 102 103 func (s *BrowserSupportInterfaceSuite) TestConnectedPlugSnippetWithoutAttrib(c *C) { 104 apparmorSpec := &apparmor.Specification{} 105 err := apparmorSpec.AddConnectedPlug(s.iface, s.plug, s.slot) 106 c.Assert(err, IsNil) 107 c.Assert(apparmorSpec.SecurityTags(), DeepEquals, []string{"snap.other.app2"}) 108 snippet := apparmorSpec.SnippetForTag("snap.other.app2") 109 c.Assert(string(snippet), testutil.Contains, `# Description: Can access various APIs needed by modern browsers`) 110 c.Assert(string(snippet), Not(testutil.Contains), `capability sys_admin,`) 111 112 seccompSpec := &seccomp.Specification{} 113 err = seccompSpec.AddConnectedPlug(s.iface, s.plug, s.slot) 114 c.Assert(err, IsNil) 115 c.Assert(seccompSpec.SecurityTags(), DeepEquals, []string{"snap.other.app2"}) 116 secCompSnippet := seccompSpec.SnippetForTag("snap.other.app2") 117 c.Assert(secCompSnippet, testutil.Contains, `# Description: Can access various APIs needed by modern browsers`) 118 c.Assert(secCompSnippet, Not(testutil.Contains), `chroot`) 119 } 120 121 func (s *BrowserSupportInterfaceSuite) TestConnectedPlugSnippetWithAttribFalse(c *C) { 122 const mockSnapYaml = `name: browser-support-plug-snap 123 version: 1.0 124 plugs: 125 browser-support: 126 allow-sandbox: false 127 apps: 128 app2: 129 command: foo 130 plugs: [browser-support] 131 ` 132 133 info := snaptest.MockInfo(c, mockSnapYaml, nil) 134 plug := interfaces.NewConnectedPlug(info.Plugs["browser-support"], nil, nil) 135 136 apparmorSpec := &apparmor.Specification{} 137 err := apparmorSpec.AddConnectedPlug(s.iface, plug, s.slot) 138 c.Assert(err, IsNil) 139 c.Assert(apparmorSpec.SecurityTags(), DeepEquals, []string{"snap.browser-support-plug-snap.app2"}) 140 snippet := apparmorSpec.SnippetForTag("snap.browser-support-plug-snap.app2") 141 c.Assert(snippet, testutil.Contains, `# Description: Can access various APIs needed by modern browsers`) 142 c.Assert(snippet, Not(testutil.Contains), `capability sys_admin,`) 143 144 seccompSpec := &seccomp.Specification{} 145 err = seccompSpec.AddConnectedPlug(s.iface, plug, s.slot) 146 c.Assert(err, IsNil) 147 c.Assert(seccompSpec.SecurityTags(), DeepEquals, []string{"snap.browser-support-plug-snap.app2"}) 148 secCompSnippet := seccompSpec.SnippetForTag("snap.browser-support-plug-snap.app2") 149 c.Assert(secCompSnippet, testutil.Contains, `# Description: Can access various APIs needed by modern browsers`) 150 c.Assert(secCompSnippet, Not(testutil.Contains), `chroot`) 151 } 152 153 func (s *BrowserSupportInterfaceSuite) TestConnectedPlugSnippetWithAttribTrue(c *C) { 154 const mockSnapYaml = `name: browser-support-plug-snap 155 version: 1.0 156 plugs: 157 browser-support: 158 allow-sandbox: true 159 apps: 160 app2: 161 command: foo 162 plugs: [browser-support] 163 ` 164 info := snaptest.MockInfo(c, mockSnapYaml, nil) 165 plug := interfaces.NewConnectedPlug(info.Plugs["browser-support"], nil, nil) 166 167 apparmorSpec := &apparmor.Specification{} 168 err := apparmorSpec.AddConnectedPlug(s.iface, plug, s.slot) 169 c.Assert(err, IsNil) 170 c.Assert(apparmorSpec.SecurityTags(), DeepEquals, []string{"snap.browser-support-plug-snap.app2"}) 171 snippet := apparmorSpec.SnippetForTag("snap.browser-support-plug-snap.app2") 172 c.Assert(snippet, testutil.Contains, `# Description: Can access various APIs needed by modern browsers`) 173 c.Assert(snippet, testutil.Contains, `ptrace (trace) peer=snap.@{SNAP_INSTANCE_NAME}.**`) 174 175 seccompSpec := &seccomp.Specification{} 176 err = seccompSpec.AddConnectedPlug(s.iface, plug, s.slot) 177 c.Assert(err, IsNil) 178 c.Assert(seccompSpec.SecurityTags(), DeepEquals, []string{"snap.browser-support-plug-snap.app2"}) 179 secCompSnippet := seccompSpec.SnippetForTag("snap.browser-support-plug-snap.app2") 180 c.Assert(secCompSnippet, testutil.Contains, `# Description: Can access various APIs needed by modern browsers`) 181 c.Assert(secCompSnippet, testutil.Contains, `chroot`) 182 } 183 184 func (s *BrowserSupportInterfaceSuite) TestUsedSecuritySystems(c *C) { 185 // connected plugs have a non-nil security snippet for apparmor 186 apparmorSpec := &apparmor.Specification{} 187 err := apparmorSpec.AddConnectedPlug(s.iface, s.plug, s.slot) 188 c.Assert(err, IsNil) 189 c.Assert(apparmorSpec.SecurityTags(), HasLen, 1) 190 191 // connected plugs have a non-nil security snippet for apparmor 192 seccompSpec := &seccomp.Specification{} 193 err = seccompSpec.AddConnectedPlug(s.iface, s.plug, s.slot) 194 c.Assert(err, IsNil) 195 c.Assert(seccompSpec.Snippets(), HasLen, 1) 196 } 197 198 func (s *BrowserSupportInterfaceSuite) TestInterfaces(c *C) { 199 c.Check(builtin.Interfaces(), testutil.DeepContains, s.iface) 200 }