github.com/kubiko/snapd@v0.0.0-20201013125620-d4f3094d9ddf/sandbox/apparmor/process_test.go

github.com/kubiko/snapd@v0.0.0-20201013125620-d4f3094d9ddf/sandbox/apparmor/process_test.go (about)

     1  // -*- Mode: Go; indent-tabs-mode: t -*-
     2  
     3  /*
     4   * Copyright (C) 2020 Canonical Ltd
     5   *
     6   * This program is free software: you can redistribute it and/or modify
     7   * it under the terms of the GNU General Public License version 3 as
     8   * published by the Free Software Foundation.
     9   *
    10   * This program is distributed in the hope that it will be useful,
    11   * but WITHOUT ANY WARRANTY; without even the implied warranty of
    12   * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    13   * GNU General Public License for more details.
    14   *
    15   * You should have received a copy of the GNU General Public License
    16   * along with this program.  If not, see <http://www.gnu.org/licenses/>.
    17   *
    18   */
    19  
    20  package apparmor_test
    21  
    22  import (
    23  	"io/ioutil"
    24  	"os"
    25  	"path/filepath"
    26  
    27  	. "gopkg.in/check.v1"
    28  
    29  	"github.com/snapcore/snapd/sandbox/apparmor"
    30  	"github.com/snapcore/snapd/snap"
    31  )
    32  
    33  func (s *apparmorSuite) TestDecodeLabel(c *C) {
    34  	label := snap.AppSecurityTag("snap_name", "my-app")
    35  	snapName, appName, hookName, err := apparmor.DecodeLabel(label)
    36  	c.Assert(err, IsNil)
    37  	c.Check(snapName, Equals, "snap_name")
    38  	c.Check(appName, Equals, "my-app")
    39  	c.Check(hookName, Equals, "")
    40  
    41  	label = snap.HookSecurityTag("snap_name", "my-hook")
    42  	snapName, appName, hookName, err = apparmor.DecodeLabel(label)
    43  	c.Assert(err, IsNil)
    44  	c.Check(snapName, Equals, "snap_name")
    45  	c.Check(appName, Equals, "")
    46  	c.Check(hookName, Equals, "my-hook")
    47  
    48  	_, _, _, err = apparmor.DecodeLabel("unconfined")
    49  	c.Assert(err, ErrorMatches, `security label "unconfined" does not belong to a snap`)
    50  
    51  	_, _, _, err = apparmor.DecodeLabel("/usr/bin/ntpd")
    52  	c.Assert(err, ErrorMatches, `security label "/usr/bin/ntpd" does not belong to a snap`)
    53  }
    54  
    55  func (s *apparmorSuite) TestDecodeLabelUnrecognisedSnapLabel(c *C) {
    56  	_, _, _, err := apparmor.DecodeLabel("snap.weird")
    57  	c.Assert(err, ErrorMatches, `unknown snap related security label "snap.weird"`)
    58  }
    59  
    60  func (s *apparmorSuite) TestSnapAppFromPidNewKernelPath(c *C) {
    61  	d := c.MkDir()
    62  	restore := apparmor.MockFsRootPath(d)
    63  	defer restore()
    64  
    65  	// when the new file exists we use that one
    66  	newProcFile := filepath.Join(d, "proc/42/attr/apparmor/current")
    67  	c.Assert(os.MkdirAll(filepath.Dir(newProcFile), 0755), IsNil)
    68  	c.Assert(ioutil.WriteFile(newProcFile, []byte("snap.foo.app"), 0644), IsNil)
    69  
    70  	oldProcFile := filepath.Join(d, "proc/42/attr/current")
    71  	c.Assert(os.MkdirAll(filepath.Dir(oldProcFile), 0755), IsNil)
    72  	c.Assert(ioutil.WriteFile(oldProcFile, []byte("random-other-unread-data"), 0644), IsNil)
    73  
    74  	name, app, hook, err := apparmor.SnapAppFromPid(42)
    75  	c.Assert(err, IsNil)
    76  	c.Assert(name, Equals, "foo")
    77  	c.Assert(app, Equals, "app")
    78  	c.Assert(hook, Equals, "")
    79  }
    80  
    81  func (s *apparmorSuite) TestSnapAppFromPid(c *C) {
    82  	d := c.MkDir()
    83  	restore := apparmor.MockFsRootPath(d)
    84  	defer restore()
    85  
    86  	// When no /proc/$pid/attr/current exists, assume unconfined
    87  	_, _, _, err := apparmor.SnapAppFromPid(42)
    88  	c.Check(err, ErrorMatches, `security label "unconfined" does not belong to a snap`)
    89  
    90  	procFile := filepath.Join(d, "proc/42/attr/current")
    91  	c.Assert(os.MkdirAll(filepath.Dir(procFile), 0755), IsNil)
    92  
    93  	c.Assert(ioutil.WriteFile(procFile, []byte("not-read"), 0000), IsNil)
    94  	_, _, _, err = apparmor.SnapAppFromPid(42)
    95  	c.Check(err, ErrorMatches, `open .*/proc/42/attr/current: permission denied`)
    96  	c.Assert(os.Remove(procFile), IsNil)
    97  
    98  	for _, t := range []struct {
    99  		contents        string
   100  		name, app, hook string
   101  		err             string
   102  	}{{
   103  		contents: "unconfined\n",
   104  		err:      `security label "unconfined" does not belong to a snap`,
   105  	}, {
   106  		contents: "/usr/sbin/cupsd (enforce)\n",
   107  		err:      `security label "/usr/sbin/cupsd" does not belong to a snap`,
   108  	}, {
   109  		contents: "snap.foo.app (complain)\n",
   110  		name:     "foo",
   111  		app:      "app",
   112  	}, {
   113  		contents: "snap.foo.hook.snap-hook (complain)\n",
   114  		name:     "foo",
   115  		hook:     "snap-hook",
   116  	}, {
   117  		contents: "snap.foo.app.garbage\n",
   118  		err:      `unknown snap related security label "snap.foo.app.garbage"`,
   119  	}, {
   120  		contents: "snap.foo.hook.app.garbage\n",
   121  		err:      `unknown snap related security label "snap.foo.hook.app.garbage"`,
   122  	}} {
   123  		c.Assert(ioutil.WriteFile(procFile, []byte(t.contents), 0644), IsNil)
   124  		name, app, hook, err := apparmor.SnapAppFromPid(42)
   125  		if t.err != "" {
   126  			c.Check(err, ErrorMatches, t.err)
   127  		} else {
   128  			c.Check(err, IsNil)
   129  			c.Check(name, Equals, t.name)
   130  			c.Check(app, Equals, t.app)
   131  			c.Check(hook, Equals, t.hook)
   132  		}
   133  	}
   134  }