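// -*- Mode: Go; indent-tabs-mode: t -*-

/*
 * Copyright (C) 2016 Canonical Ltd
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 3 as
 * published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 *
 */

package builtin_test

import (
	. "gopkg.in/check.v1"

	"github.com/snapcore/snapd/interfaces"
	"github.com/snapcore/snapd/interfaces/apparmor"
	"github.com/snapcore/snapd/interfaces/builtin"
	"github.com/snapcore/snapd/interfaces/dbus"
	"github.com/snapcore/snapd/interfaces/seccomp"
	"github.com/snapcore/snapd/interfaces/udev"
	"github.com/snapcore/snapd/release"
	"github.com/snapcore/snapd/snap"
	"github.com/snapcore/snapd/snap/snaptest"
	"github.com/snapcore/snapd/testutil"
)

// NetworkManagerInterfaceSuite checks the security snippets that the builtin
// "network-manager" interface contributes to the AppArmor, D-Bus, seccomp and
// udev specifications for a mock plug snap and a mock slot snap.
type NetworkManagerInterfaceSuite struct {
	iface    interfaces.Interface
	slotInfo *snap.SlotInfo
	slot     *interfaces.ConnectedSlot
	plugInfo *snap.PlugInfo
	plug     *interfaces.ConnectedPlug
}

// netmgrMockPlugSnapInfoYaml describes the consuming snap: one app, "nmcli",
// plugging network-manager. Its security tag is
// "snap.network-manager-client.nmcli".
const netmgrMockPlugSnapInfoYaml = `name: network-manager-client
version: 1.0
plugs:
 network-manager:
  interface: network-manager
apps:
 nmcli:
  command: foo
  plugs:
   - network-manager
`

// netmgrMockSlotSnapInfoYaml describes the providing snap: one app, "nm",
// offering the network-manager slot. Its security tag is
// "snap.network-manager.nm".
const netmgrMockSlotSnapInfoYaml = `name: network-manager
version: 1.0
apps:
 nm:
  command: foo
  slots: [network-manager]
`

// Register the suite with gocheck, bound to the builtin interface under test.
var _ = Suite(&NetworkManagerInterfaceSuite{
	iface: builtin.MustInterface("network-manager"),
})

// SetUpTest rebuilds the plug and slot fixtures from the mock snap YAML so
// that no test observes objects touched by another test.
func (s *NetworkManagerInterfaceSuite) SetUpTest(c *C) {
	plugSnap := snaptest.MockInfo(c, netmgrMockPlugSnapInfoYaml, nil)
	s.plugInfo = plugSnap.Plugs["network-manager"]
	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil, nil)

	slotSnap := snaptest.MockInfo(c, netmgrMockSlotSnapInfoYaml, nil)
	s.slotInfo = slotSnap.Slots["network-manager"]
	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil, nil)
}

// TestName checks the interface reports the name it is registered under.
func (s *NetworkManagerInterfaceSuite) TestName(c *C) {
	c.Assert(s.iface.Name(), Equals, "network-manager")
}

// The label glob when all apps are bound to the network-manager slot.
//
// With every app of the slot snap bound to the slot, the peer label in the
// plug's AppArmor snippet is the wildcard "snap.network-manager.*".
func (s *NetworkManagerInterfaceSuite) TestConnectedPlugSnippetUsesSlotLabelAll(c *C) {
	app1 := &snap.AppInfo{Name: "app1"}
	app2 := &snap.AppInfo{Name: "app2"}
	slot := interfaces.NewConnectedSlot(&snap.SlotInfo{
		Snap: &snap.Info{
			SuggestedName: "network-manager",
			Apps:          map[string]*snap.AppInfo{"app1": app1, "app2": app2},
		},
		Name:      "network-manager",
		Interface: "network-manager",
		Apps:      map[string]*snap.AppInfo{"app1": app1, "app2": app2},
	}, nil, nil)

	// release.OnClassic is process-global; restore it so the classic/core
	// choice made here cannot leak into tests that run afterwards.
	restore := release.MockOnClassic(false)
	defer restore()

	// connected plugs have a non-nil security snippet for apparmor
	apparmorSpec := &apparmor.Specification{}
	err := apparmorSpec.AddConnectedPlug(s.iface, s.plug, slot)
	c.Assert(err, IsNil)
	c.Assert(apparmorSpec.SecurityTags(), DeepEquals, []string{"snap.network-manager-client.nmcli"})
	c.Assert(apparmorSpec.SnippetForTag("snap.network-manager-client.nmcli"), testutil.Contains, `peer=(label="snap.network-manager.*"),`)
}

// The label uses alternation when some, but not all, apps are bound to the
// network-manager slot.
//
// app3 belongs to the slot snap but is not bound to the slot, so the expected
// peer label names only app1 and app2: the plug is granted access to the
// bound apps rather than to every app of the providing snap.
func (s *NetworkManagerInterfaceSuite) TestConnectedPlugSnippetUsesSlotLabelSome(c *C) {
	app1 := &snap.AppInfo{Name: "app1"}
	app2 := &snap.AppInfo{Name: "app2"}
	app3 := &snap.AppInfo{Name: "app3"}
	slot := interfaces.NewConnectedSlot(&snap.SlotInfo{
		Snap: &snap.Info{
			SuggestedName: "network-manager",
			Apps:          map[string]*snap.AppInfo{"app1": app1, "app2": app2, "app3": app3},
		},
		Name:      "network-manager",
		Interface: "network-manager",
		Apps:      map[string]*snap.AppInfo{"app1": app1, "app2": app2},
	}, nil, nil)

	// Scope the global override to this test only.
	restore := release.MockOnClassic(false)
	defer restore()

	apparmorSpec := &apparmor.Specification{}
	err := apparmorSpec.AddConnectedPlug(s.iface, s.plug, slot)
	c.Assert(err, IsNil)
	c.Assert(apparmorSpec.SecurityTags(), DeepEquals, []string{"snap.network-manager-client.nmcli"})
	c.Assert(apparmorSpec.SnippetForTag("snap.network-manager-client.nmcli"), testutil.Contains, `peer=(label="snap.network-manager.{app1,app2}"),`)
}

// The label uses short form when exactly one app is bound to the
// network-manager slot.
func (s *NetworkManagerInterfaceSuite) TestConnectedPlugSnippetUsesSlotLabelOne(c *C) {
	app := &snap.AppInfo{Name: "app"}
	slot := interfaces.NewConnectedSlot(&snap.SlotInfo{
		Snap: &snap.Info{
			SuggestedName: "network-manager",
			Apps:          map[string]*snap.AppInfo{"app": app},
		},
		Name:      "network-manager",
		Interface: "network-manager",
		Apps:      map[string]*snap.AppInfo{"app": app},
	}, nil, nil)

	// Scope the global override to this test only.
	restore := release.MockOnClassic(false)
	defer restore()

	apparmorSpec := &apparmor.Specification{}
	err := apparmorSpec.AddConnectedPlug(s.iface, s.plug, slot)
	c.Assert(err, IsNil)
	c.Assert(apparmorSpec.SecurityTags(), DeepEquals, []string{"snap.network-manager-client.nmcli"})
	c.Assert(apparmorSpec.SnippetForTag("snap.network-manager-client.nmcli"), testutil.Contains, `peer=(label="snap.network-manager.app"),`)
}

// With release.OnClassic set, the plug's AppArmor snippet addresses the peer
// as "unconfined" instead of by a snap security label. The slot passed in is
// built from an empty snap.SlotInfo.
//
// NOTE(review): "Snipped" in the method name looks like a typo for "Snippet";
// the name is left unchanged so existing test filters keep matching.
func (s *NetworkManagerInterfaceSuite) TestConnectedPlugSnippedUsesUnconfinedLabelOnClassic(c *C) {
	slot := interfaces.NewConnectedSlot(&snap.SlotInfo{}, nil, nil)

	// Scope the global override to this test only; a leaked "classic" value
	// would change which peer label later tests see.
	restore := release.MockOnClassic(true)
	defer restore()

	apparmorSpec := &apparmor.Specification{}
	err := apparmorSpec.AddConnectedPlug(s.iface, s.plug, slot)
	c.Assert(err, IsNil)
	c.Assert(apparmorSpec.SecurityTags(), DeepEquals, []string{"snap.network-manager-client.nmcli"})
	c.Assert(apparmorSpec.SnippetForTag("snap.network-manager-client.nmcli"), testutil.Contains, "peer=(label=unconfined),")
}

// On core (OnClassic false) the plug-side snippet carries the text that
// introduces the rule for introspecting the providing snap.
func (s *NetworkManagerInterfaceSuite) TestConnectedPlugIntrospectionOnCore(c *C) {
	restore := release.MockOnClassic(false)
	defer restore()

	apparmorSpec := &apparmor.Specification{}
	err := apparmorSpec.AddConnectedPlug(s.iface, s.plug, s.slot)
	c.Assert(err, IsNil)
	c.Assert(apparmorSpec.SecurityTags(), DeepEquals, []string{"snap.network-manager-client.nmcli"})
	c.Assert(apparmorSpec.SnippetForTag("snap.network-manager-client.nmcli"), testutil.Contains, "Allow us to introspect the network-manager providing snap")
}

// On core (OnClassic false) the slot-side snippet carries the text that
// introduces the rule letting plugs introspect the slot.
func (s *NetworkManagerInterfaceSuite) TestConnectedSlotIntrospectionOnCore(c *C) {
	restore := release.MockOnClassic(false)
	defer restore()

	apparmorSpec := &apparmor.Specification{}
	err := apparmorSpec.AddConnectedSlot(s.iface, s.plug, s.slot)
	c.Assert(err, IsNil)
	c.Assert(apparmorSpec.SecurityTags(), DeepEquals, []string{"snap.network-manager.nm"})
	c.Assert(apparmorSpec.SnippetForTag("snap.network-manager.nm"), testutil.Contains, "# Allow plugs to introspect us")
}

// On classic the plug-side introspection text must be absent from the
// snippet.
func (s *NetworkManagerInterfaceSuite) TestConnectedPlugIntrospectionOnClassic(c *C) {
	restore := release.MockOnClassic(true)
	defer restore()

	apparmorSpec := &apparmor.Specification{}
	err := apparmorSpec.AddConnectedPlug(s.iface, s.plug, s.slot)
	c.Assert(err, IsNil)
	c.Assert(apparmorSpec.SecurityTags(), DeepEquals, []string{"snap.network-manager-client.nmcli"})
	c.Assert(apparmorSpec.SnippetForTag("snap.network-manager-client.nmcli"), Not(testutil.Contains), "Allow us to introspect the network-manager providing snap")
}

// On classic the slot-side introspection text must be absent from the
// snippet.
func (s *NetworkManagerInterfaceSuite) TestConnectedSlotIntrospectionOnClassic(c *C) {
	restore := release.MockOnClassic(true)
	defer restore()

	apparmorSpec := &apparmor.Specification{}
	err := apparmorSpec.AddConnectedSlot(s.iface, s.plug, s.slot)
	c.Assert(err, IsNil)
	c.Assert(apparmorSpec.SecurityTags(), DeepEquals, []string{"snap.network-manager.nm"})
	c.Assert(apparmorSpec.SnippetForTag("snap.network-manager.nm"), Not(testutil.Contains), "# Allow plugs to introspect us")
}

// TestConnectedSlotSnippetAppArmor checks that the connected-slot AppArmor
// snippet mentions the /org/freedesktop/NetworkManager object path.
// release.OnClassic is not pinned here; the test runs with whatever value is
// current.
func (s *NetworkManagerInterfaceSuite) TestConnectedSlotSnippetAppArmor(c *C) {
	apparmorSpec := &apparmor.Specification{}
	err := apparmorSpec.AddConnectedSlot(s.iface, s.plug, s.slot)
	c.Assert(err, IsNil)
	c.Assert(apparmorSpec.SecurityTags(), DeepEquals, []string{"snap.network-manager.nm"})
	c.Assert(apparmorSpec.SnippetForTag("snap.network-manager.nm"), testutil.Contains, `/org/freedesktop/NetworkManager`)
}

// TestUsedSecuritySystems pins which backends receive policy and for how many
// security tags: AppArmor for both the connected plug and the permanent slot,
// D-Bus for the permanent slot only.
func (s *NetworkManagerInterfaceSuite) TestUsedSecuritySystems(c *C) {
	apparmorSpec := &apparmor.Specification{}
	err := apparmorSpec.AddConnectedPlug(s.iface, s.plug, s.slot)
	c.Assert(err, IsNil)
	err = apparmorSpec.AddPermanentSlot(s.iface, s.slotInfo)
	c.Assert(err, IsNil)
	// One tag from the plug app, one from the slot app.
	c.Assert(apparmorSpec.SecurityTags(), HasLen, 2)

	dbusSpec := &dbus.Specification{}
	err = dbusSpec.AddPermanentSlot(s.iface, s.slotInfo)
	c.Assert(err, IsNil)
	c.Assert(dbusSpec.SecurityTags(), HasLen, 1)

	// A fresh specification: a connected plug alone must add no D-Bus policy.
	dbusSpec = &dbus.Specification{}
	err = dbusSpec.AddConnectedPlug(s.iface, s.plug, s.slot)
	c.Assert(err, IsNil)
	c.Assert(dbusSpec.SecurityTags(), HasLen, 0)
}

// TestSecCompPermanentSlot checks that the permanent slot's seccomp snippet
// lists the listen syscall on a line of its own.
func (s *NetworkManagerInterfaceSuite) TestSecCompPermanentSlot(c *C) {
	seccompSpec := &seccomp.Specification{}
	err := seccompSpec.AddPermanentSlot(s.iface, s.slotInfo)
	c.Assert(err, IsNil)
	c.Assert(seccompSpec.SecurityTags(), DeepEquals, []string{"snap.network-manager.nm"})
	c.Check(seccompSpec.SnippetForTag("snap.network-manager.nm"), testutil.Contains, "listen\n")
}

// TestUDevPermanentSlot checks that the permanent slot yields exactly two udev
// snippets: one tagging the rfkill device for the slot app, and one running
// snap-device-helper for devices carrying that tag.
func (s *NetworkManagerInterfaceSuite) TestUDevPermanentSlot(c *C) {
	spec := &udev.Specification{}
	c.Assert(spec.AddPermanentSlot(s.iface, s.slotInfo), IsNil)
	c.Assert(spec.Snippets(), HasLen, 2)
	c.Assert(spec.Snippets(), testutil.Contains, `# network-manager
KERNEL=="rfkill", TAG+="snap_network-manager_nm"`)
	c.Assert(spec.Snippets(), testutil.Contains, `TAG=="snap_network-manager_nm", RUN+="/usr/lib/snapd/snap-device-helper $env{ACTION} snap_network-manager_nm $devpath $major:$minor"`)
}

// TestInterfaces checks that the interface under test is among the registered
// builtin interfaces.
func (s *NetworkManagerInterfaceSuite) TestInterfaces(c *C) {
	c.Check(builtin.Interfaces(), testutil.DeepContains, s.iface)
}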