github.com/bugraaydogar/snapd@v0.0.0-20210315170335-8c70bb858939/interfaces/builtin/maliit_test.go (about) 1 // -*- Mode: Go; indent-tabs-mode: t -*- 2 3 /* 4 * Copyright (C) 2017 Canonical Ltd 5 * 6 * This program is free software: you can redistribute it and/or modify 7 * it under the terms of the GNU General Public License version 3 as 8 * published by the Free Software Foundation. 9 * 10 * This program is distributed in the hope that it will be useful, 11 * but WITHOUT ANY WARRANTY; without even the implied warranty of 12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 * GNU General Public License for more details. 14 * 15 * You should have received a copy of the GNU General Public License 16 * along with this program. If not, see <http://www.gnu.org/licenses/>. 17 * 18 */ 19 20 package builtin_test 21 22 import ( 23 . "gopkg.in/check.v1" 24 25 "github.com/snapcore/snapd/interfaces" 26 "github.com/snapcore/snapd/interfaces/apparmor" 27 "github.com/snapcore/snapd/interfaces/builtin" 28 "github.com/snapcore/snapd/interfaces/seccomp" 29 "github.com/snapcore/snapd/release" 30 "github.com/snapcore/snapd/snap" 31 "github.com/snapcore/snapd/snap/snaptest" 32 "github.com/snapcore/snapd/testutil" 33 ) 34 35 type MaliitInterfaceSuite struct { 36 iface interfaces.Interface 37 slotInfo *snap.SlotInfo 38 slot *interfaces.ConnectedSlot 39 plugInfo *snap.PlugInfo 40 plug *interfaces.ConnectedPlug 41 } 42 43 var _ = Suite(&MaliitInterfaceSuite{ 44 iface: builtin.MustInterface("maliit"), 45 }) 46 47 func (s *MaliitInterfaceSuite) SetUpTest(c *C) { 48 const mockPlugSnapInfoYaml = `name: other 49 version: 1.0 50 apps: 51 app: 52 command: foo 53 plugs: [maliit] 54 ` 55 const mockCoreSlotSnapInfoYaml = `name: maliit 56 version: 1.0 57 apps: 58 maliit: 59 command: foo 60 slots: [maliit] 61 ` 62 slotSnap := snaptest.MockInfo(c, mockCoreSlotSnapInfoYaml, nil) 63 s.slotInfo = slotSnap.Slots["maliit"] 64 s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil, nil) 65 plugSnap := snaptest.MockInfo(c, mockPlugSnapInfoYaml, nil) 66 s.plugInfo = plugSnap.Plugs["maliit"] 67 s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil, nil) 68 } 69 70 func (s *MaliitInterfaceSuite) TestName(c *C) { 71 c.Assert(s.iface.Name(), Equals, "maliit") 72 } 73 74 // The label glob when all apps are bound to the maliit slot 75 func (s *MaliitInterfaceSuite) TestConnectedPlugSnippetUsesSlotLabelAll(c *C) { 76 app1 := &snap.AppInfo{Name: "app1"} 77 app2 := &snap.AppInfo{Name: "app2"} 78 slot := interfaces.NewConnectedSlot(&snap.SlotInfo{ 79 Snap: &snap.Info{ 80 SuggestedName: "maliit", 81 Apps: map[string]*snap.AppInfo{"app1": app1, "app2": app2}, 82 }, 83 Name: "maliit", 84 Interface: "maliit", 85 Apps: map[string]*snap.AppInfo{"app1": app1, "app2": app2}, 86 }, nil, nil) 87 88 apparmorSpec := &apparmor.Specification{} 89 err := apparmorSpec.AddConnectedPlug(s.iface, s.plug, slot) 90 c.Assert(err, IsNil) 91 c.Assert(apparmorSpec.SecurityTags(), DeepEquals, []string{"snap.other.app"}) 92 c.Assert(apparmorSpec.SnippetForTag("snap.other.app"), testutil.Contains, `peer=(label="snap.maliit.*"),`) 93 } 94 95 // The label uses alternation when some, but not all, apps are bound to the maliit slot 96 func (s *MaliitInterfaceSuite) TestConnectedPlugSnippetUsesSlotLabelSome(c *C) { 97 app1 := &snap.AppInfo{Name: "app1"} 98 app2 := &snap.AppInfo{Name: "app2"} 99 app3 := &snap.AppInfo{Name: "app3"} 100 slot := interfaces.NewConnectedSlot(&snap.SlotInfo{ 101 Snap: &snap.Info{ 102 SuggestedName: "maliit", 103 Apps: map[string]*snap.AppInfo{"app1": app1, "app2": app2, "app3": app3}, 104 }, 105 Name: "maliit", 106 Interface: "maliit", 107 Apps: map[string]*snap.AppInfo{"app1": app1, "app2": app2}, 108 }, nil, nil) 109 110 apparmorSpec := &apparmor.Specification{} 111 err := apparmorSpec.AddConnectedPlug(s.iface, s.plug, slot) 112 c.Assert(err, IsNil) 113 c.Assert(apparmorSpec.SecurityTags(), DeepEquals, []string{"snap.other.app"}) 114 c.Assert(apparmorSpec.SnippetForTag("snap.other.app"), testutil.Contains, `peer=(label="snap.maliit.{app1,app2}"),`) 115 } 116 117 func (s *MaliitInterfaceSuite) TestConnectedPlugSecComp(c *C) { 118 seccompSpec := &seccomp.Specification{} 119 err := seccompSpec.AddConnectedPlug(s.iface, s.plug, s.slot) 120 c.Assert(err, IsNil) 121 c.Assert(seccompSpec.SecurityTags(), HasLen, 0) 122 } 123 124 // The label uses short form when exactly one app is bound to the maliit slot 125 func (s *MaliitInterfaceSuite) TestConnectedPlugSnippetUsesSlotLabelOne(c *C) { 126 app := &snap.AppInfo{Name: "app"} 127 slot := interfaces.NewConnectedSlot(&snap.SlotInfo{ 128 Snap: &snap.Info{ 129 SuggestedName: "maliit", 130 Apps: map[string]*snap.AppInfo{"app": app}, 131 }, 132 Name: "maliit", 133 Interface: "maliit", 134 Apps: map[string]*snap.AppInfo{"app": app}, 135 }, nil, nil) 136 137 apparmorSpec := &apparmor.Specification{} 138 err := apparmorSpec.AddConnectedPlug(s.iface, s.plug, slot) 139 c.Assert(err, IsNil) 140 c.Assert(apparmorSpec.SecurityTags(), DeepEquals, []string{"snap.other.app"}) 141 c.Assert(apparmorSpec.SnippetForTag("snap.other.app"), testutil.Contains, `peer=(label="snap.maliit.app"),`) 142 } 143 144 // The label glob when all apps are bound to the maliit plug 145 func (s *MaliitInterfaceSuite) TestConnectedSlotSnippetUsesPlugLabelAll(c *C) { 146 app1 := &snap.AppInfo{Name: "app1"} 147 app2 := &snap.AppInfo{Name: "app2"} 148 plug := interfaces.NewConnectedPlug(&snap.PlugInfo{ 149 Snap: &snap.Info{ 150 SuggestedName: "maliit", 151 Apps: map[string]*snap.AppInfo{"app1": app1, "app2": app2}, 152 }, 153 Name: "maliit", 154 Interface: "maliit", 155 Apps: map[string]*snap.AppInfo{"app1": app1, "app2": app2}, 156 }, nil, nil) 157 158 apparmorSpec := &apparmor.Specification{} 159 err := apparmorSpec.AddConnectedSlot(s.iface, plug, s.slot) 160 c.Assert(err, IsNil) 161 c.Assert(apparmorSpec.SecurityTags(), DeepEquals, []string{"snap.maliit.maliit"}) 162 c.Assert(apparmorSpec.SnippetForTag("snap.maliit.maliit"), testutil.Contains, `peer=(label="snap.maliit.*"),`) 163 } 164 165 // The label uses alternation when some, but not all, apps is bound to the maliit plug 166 func (s *MaliitInterfaceSuite) TestConnectedSlotSnippetUsesPlugLabelSome(c *C) { 167 app1 := &snap.AppInfo{Name: "app1"} 168 app2 := &snap.AppInfo{Name: "app2"} 169 app3 := &snap.AppInfo{Name: "app3"} 170 plug := interfaces.NewConnectedPlug(&snap.PlugInfo{ 171 Snap: &snap.Info{ 172 SuggestedName: "maliit", 173 Apps: map[string]*snap.AppInfo{"app1": app1, "app2": app2, "app3": app3}, 174 }, 175 Name: "maliit", 176 Interface: "maliit", 177 Apps: map[string]*snap.AppInfo{"app1": app1, "app2": app2}, 178 }, nil, nil) 179 180 apparmorSpec := &apparmor.Specification{} 181 c.Assert(s.slot, NotNil) 182 err := apparmorSpec.AddConnectedSlot(s.iface, plug, s.slot) 183 c.Assert(err, IsNil) 184 c.Assert(apparmorSpec.SecurityTags(), DeepEquals, []string{"snap.maliit.maliit"}) 185 c.Assert(apparmorSpec.SnippetForTag("snap.maliit.maliit"), testutil.Contains, `peer=(label="snap.maliit.{app1,app2}"),`) 186 } 187 188 // The label uses short form when exactly one app is bound to the maliit plug 189 func (s *MaliitInterfaceSuite) TestConnectedSlotSnippetUsesPlugLabelOne(c *C) { 190 app := &snap.AppInfo{Name: "app"} 191 plug := interfaces.NewConnectedPlug(&snap.PlugInfo{ 192 Snap: &snap.Info{ 193 SuggestedName: "maliit", 194 Apps: map[string]*snap.AppInfo{"app": app}, 195 }, 196 Name: "maliit", 197 Interface: "maliit", 198 Apps: map[string]*snap.AppInfo{"app": app}, 199 }, nil, nil) 200 201 apparmorSpec := &apparmor.Specification{} 202 err := apparmorSpec.AddConnectedSlot(s.iface, plug, s.slot) 203 c.Assert(err, IsNil) 204 c.Assert(apparmorSpec.SecurityTags(), DeepEquals, []string{"snap.maliit.maliit"}) 205 c.Assert(apparmorSpec.SnippetForTag("snap.maliit.maliit"), testutil.Contains, `peer=(label="snap.maliit.app"),`) 206 } 207 208 func (s *MaliitInterfaceSuite) TestPermanentSlotSecComp(c *C) { 209 seccompSpec := &seccomp.Specification{} 210 err := seccompSpec.AddPermanentSlot(s.iface, s.slotInfo) 211 c.Assert(err, IsNil) 212 c.Assert(seccompSpec.SecurityTags(), DeepEquals, []string{"snap.maliit.maliit"}) 213 c.Assert(seccompSpec.SnippetForTag("snap.maliit.maliit"), testutil.Contains, "listen\n") 214 } 215 216 func (s *MaliitInterfaceSuite) TestConnectedPlugSnippetAppArmor(c *C) { 217 release.OnClassic = false 218 219 apparmorSpec := &apparmor.Specification{} 220 err := apparmorSpec.AddConnectedPlug(s.iface, s.plug, s.slot) 221 c.Assert(err, IsNil) 222 c.Assert(apparmorSpec.SecurityTags(), DeepEquals, []string{"snap.other.app"}) 223 snippet := apparmorSpec.SnippetForTag("snap.other.app") 224 // verify apparmor connected 225 c.Assert(snippet, testutil.Contains, "#include <abstractions/dbus-session-strict>") 226 // verify classic didn't connect 227 c.Assert(snippet, Not(testutil.Contains), "peer=(label=unconfined),") 228 } 229 230 func (s *MaliitInterfaceSuite) TestPermanentSlotSnippetAppArmor(c *C) { 231 apparmorSpec := &apparmor.Specification{} 232 err := apparmorSpec.AddPermanentSlot(s.iface, s.slotInfo) 233 c.Assert(err, IsNil) 234 c.Assert(apparmorSpec.SecurityTags(), DeepEquals, []string{"snap.maliit.maliit"}) 235 c.Assert(apparmorSpec.SnippetForTag("snap.maliit.maliit"), testutil.Contains, "org.maliit.Server.Address") 236 } 237 238 func (s *MaliitInterfaceSuite) TestPermanentSlotSnippetSecComp(c *C) { 239 seccompSpec := &seccomp.Specification{} 240 err := seccompSpec.AddPermanentSlot(s.iface, s.slotInfo) 241 c.Assert(err, IsNil) 242 c.Assert(seccompSpec.SecurityTags(), DeepEquals, []string{"snap.maliit.maliit"}) 243 c.Check(seccompSpec.SnippetForTag("snap.maliit.maliit"), testutil.Contains, "listen\n") 244 } 245 246 func (s *MaliitInterfaceSuite) TestConnectedSlotSnippetAppArmor(c *C) { 247 apparmorSpec := &apparmor.Specification{} 248 err := apparmorSpec.AddConnectedSlot(s.iface, s.plug, s.slot) 249 c.Assert(err, IsNil) 250 c.Assert(apparmorSpec.SecurityTags(), DeepEquals, []string{"snap.maliit.maliit"}) 251 c.Assert(apparmorSpec.SnippetForTag("snap.maliit.maliit"), testutil.Contains, "peer=(label=\"snap.other.app\"") 252 } 253 254 func (s *MaliitInterfaceSuite) TestInterfaces(c *C) { 255 c.Check(builtin.Interfaces(), testutil.DeepContains, s.iface) 256 }