summary: Ensure correctness of block-devices interface.

details: |
    The block-devices interface allows direct access to block devices, such as
    /dev/sda, and optionally to partitions on said devices, e.g. /dev/sda1.

prepare: |
    # identify which disk /var/snap lives on; we could use stat's %Hd:%Ld, but
    # not all versions of coreutils support that, and it's not always obvious
    # what the device is if the host is using btrfs or an alias such as /dev/root
    maybe_partition_dev="$(df --output=source /var/snap | tail -n -1)"
    # we're expecting a partition
    udevadm info -q property "$maybe_partition_dev" | MATCH 'DEVTYPE=partition'
    # get the node name under /dev
    partition_dev_name="$(udevadm info -q name "$maybe_partition_dev")"
    partition_dev="/dev/$partition_dev_name"
    # the sysfs path of a partition lives under its parent disk's directory
    p="$(udevadm info -q path "$partition_dev")"
    parent_dev_name="$(basename "$(dirname "$p")")"
    parent_dev="/dev/$parent_dev_name"
    # and a parent disk
    udevadm info -q property "$parent_dev" | MATCH 'DEVTYPE=disk'

    echo "$parent_dev" > disk.dev
    echo "$partition_dev" > partition.dev

    echo "Given a snap declaring block-devices plugs is installed"
    "$TESTSTOOLS"/snaps-state install-local test-snapd-block-devices

execute: |
    has_apparmor=yes
    if ! snap debug sandbox-features | grep 'apparmor:' ; then
        has_apparmor=no
    fi

    echo "The interface is not connected by default"
    snap connections test-snapd-block-devices | MATCH '^block-devices +test-snapd-block-devices:block-devices +-'
    snap connections test-snapd-block-devices | MATCH '^block-devices +test-snapd-block-devices:block-devices-with-partitions +-'

    echo "When the block-devices plug is connected"
    snap connect test-snapd-block-devices:block-devices

    disk_dev="$(cat disk.dev)"
    partition_dev="$(cat partition.dev)"

    echo "Then the snap is able to read the parent disk"
    test-snapd-block-devices.sh -c "dd if=$disk_dev of=/dev/null bs=1 count=1"

    if [ "$has_apparmor" = "yes" ]; then
        echo "But not the partition device"
        not test-snapd-block-devices.sh -c "dd if=$partition_dev of=/dev/null bs=1 count=1" > err.log 2>&1
        # EACCES - blocked by AppArmor
        MATCH 'dd: failed to open .*: Permission denied' < err.log
    else
        # udev rules originally generated by the block-devices interface are too
        # wide and allow access to partition devices
        echo "In absence of AppArmor, the app is able to read the partition devices"
        test-snapd-block-devices.sh -c "dd if=$partition_dev of=/dev/null bs=1 count=1"
    fi

    echo "When block-devices with optional partition access is connected"
    snap connect test-snapd-block-devices:block-devices-with-partitions

    echo "Then the snap app plugging the interface is able to read the disk"
    test-snapd-block-devices.sh-with-partitions -c "dd if=$disk_dev of=/dev/null bs=1 count=1"
    echo "And the partition device"
    test-snapd-block-devices.sh-with-partitions -c "dd if=$partition_dev of=/dev/null bs=1 count=1"

    if [ "$has_apparmor" = "yes" ]; then
        echo "But the app plugging only block-devices still cannot read the partition"
        not test-snapd-block-devices.sh -c "dd if=$partition_dev of=/dev/null bs=1 count=1" > err.log 2>&1
        MATCH 'dd: failed to open .*: Permission denied' < err.log
    fi

    echo "When the plug is disconnected"
    snap disconnect test-snapd-block-devices:block-devices
    snap disconnect test-snapd-block-devices:block-devices-with-partitions

    echo "Then the snap is not able to read block devices, neither disks nor partitions"
    not test-snapd-block-devices.sh -c "dd if=$disk_dev of=/dev/null bs=1 count=1" > err.log 2>&1
    # EPERM - blocked by the device cgroup
    MATCH 'dd: failed to open .*: Operation not permitted' < err.log
    not test-snapd-block-devices.sh -c "dd if=$partition_dev of=/dev/null bs=1 count=1" > err.log 2>&1
    MATCH 'dd: failed to open .*: Operation not permitted' < err.log

    echo "And the snap is able to reconnect"
    snap connect test-snapd-block-devices:block-devices
    snap connect test-snapd-block-devices:block-devices-with-partitions
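The prepare step above relies on the fact that a partition's sysfs path sits directly under its parent disk's directory, and that each block device's `uevent` file carries `DEVTYPE=disk` or `DEVTYPE=partition`. The following is an added example, not part of the snapd test or of snapd itself, that resolves a partition to its parent disk by reading sysfs directly instead of going through `udevadm`. The `SYSFS_ROOT` override and the `make_fake_sysfs` helper are assumptions introduced here so the functions can be exercised against a constructed tree without touching the host's real devices.

```shell
#!/bin/sh
# Added example: resolve a partition's parent disk from sysfs.
# SYSFS_ROOT (assumed, defaults to /sys) lets the functions run against a
# constructed tree for offline demonstration.

# devtype NAME: print DEVTYPE (disk or partition) from the device's uevent file
devtype() {
    sed -n 's/^DEVTYPE=//p' "${SYSFS_ROOT:-/sys}/class/block/$1/uevent"
}

# parent_disk NAME: for a partition, print its parent disk's node name;
# for anything that is not a partition of a disk, print nothing and return 1
parent_disk() {
    dev="$1"
    [ "$(devtype "$dev")" = "partition" ] || return 1
    # /sys/class/block/<part> is a symlink into /sys/devices/.../<disk>/<part>,
    # so the parent disk is the directory one level up from the resolved path
    p="$(readlink -f "${SYSFS_ROOT:-/sys}/class/block/$dev")"
    parent="$(basename "$(dirname "$p")")"
    [ "$(devtype "$parent")" = "disk" ] || return 1
    echo "$parent"
}

# make_fake_sysfs DIR: build a constructed sysfs layout (one virtio disk "vda"
# with a single partition "vda1") mirroring the real /sys/class/block structure
make_fake_sysfs() {
    mkdir -p "$1"
    root="$(cd "$1" && pwd)"   # absolute, so the symlinks resolve from any cwd
    devdir="$root/devices/pci0000:00/0000:00:01.0/block/vda"
    mkdir -p "$devdir/vda1" "$root/class/block"
    printf 'MAJOR=252\nMINOR=0\nDEVNAME=vda\nDEVTYPE=disk\n' > "$devdir/uevent"
    printf 'MAJOR=252\nMINOR=1\nDEVNAME=vda1\nDEVTYPE=partition\nPARTN=1\n' \
        > "$devdir/vda1/uevent"
    ln -s "$devdir" "$root/class/block/vda"
    ln -s "$devdir/vda1" "$root/class/block/vda1"
}

# Usage against the real host: sh resolve-parent.sh sda1   (prints "sda")
if [ $# -gt 0 ]; then
    parent_disk "$1" || { echo "$1 is not a partition of a known disk" >&2; exit 1; }
fi
```

Running `parent_disk` on a disk name rather than a partition fails instead of guessing, which is the same check the prepare step makes with its two `MATCH 'DEVTYPE=...'` lines.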