File: task.yaml

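summary: Check that the browser-support interface works

details: |
    Verify that a snap using the browser-support interface is able to
    access the various APIs needed by modern web browsers.

environment:
    # Spread runs the test once per variant, so both values of the plug's
    # allow-sandbox attribute are exercised.
    ALLOW_SANDBOX/allow: true
    ALLOW_SANDBOX/disallow: false
    # The path lists below are consumed by `for f in $VAR` loops in the
    # scripts, i.e. as single space-separated strings. The folded style
    # (>-) joins the lines with one space and drops the trailing newline,
    # which is what the plain multi-line scalars did implicitly; it just
    # makes the folding explicit instead of relying on it by accident.
    # Files the snap may read and touch once they are owned by user "test".
    OWNED_FILES: >-
        /var/tmp/etilqs_test
        /home/test/.local/share/jupyter/foo
    # Files the snap may read regardless of allow-sandbox.
    READABLE_FILES: >-
        /run/udev/data/+platform:test
        /etc/opt/chrome/test
    # Files the snap may read only when allow-sandbox is true; without it
    # the read must be denied.
    READABLE_WITH_SANDBOX_FILES: >-
        /run/udev/data/c1:1-test
        /run/udev/data/c10:1-test
        /run/udev/data/c13:1-test
        /run/udev/data/c180:1-test
        /run/udev/data/c4:1-test
        /run/udev/data/c5:1-test
        /run/udev/data/c7:1-test
        /run/udev/data/+hid:test
        /run/udev/data/+input:input1-test
        /run/udev/data/c29:1-test
        /run/udev/data/+backlight:test
        /run/udev/data/+leds:test
        /run/udev/data/c116:1-test
        /run/udev/data/+sound:card1-test
        /run/udev/data/c108:1-test
        /run/udev/data/c189:1-test
        /run/udev/data/c89:1-test
        /run/udev/data/c81:1-test
        /run/udev/data/+acpi:test
        /run/udev/data/+hwmon:hwmon1-test
        /run/udev/data/+i2c:test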

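prepare: |
    # Create the bookkeeping file for directories made by execute before
    # anything that can fail, so that restore can always read it and a
    # failed install is not masked by a "created_dirs: No such file" error.
    touch created_dirs

    echo "Given a snap declaring a plug on browser-support with allow-sandbox set to $ALLOW_SANDBOX is installed"
    # Render the plug's allow-sandbox attribute (true/false from the spread
    # variant) into the consumer snap's snap.yaml.
    sed "s/@ALLOW_SANDBOX@/$ALLOW_SANDBOX/" browser-support-consumer/meta/snap.yaml.in > browser-support-consumer/meta/snap.yaml
    chmod 644 browser-support-consumer/meta/snap.yaml
    "$TESTSTOOLS"/snaps-state install-local browser-support-consumer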

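restore: |
    rm -f /var/tmp/test
    for file in $OWNED_FILES $READABLE_FILES $READABLE_WITH_SANDBOX_FILES; do
        rm -f "$file"
    done

    # Only directories that execute created itself are recorded in
    # created_dirs (pre-existing ones are never listed), so rm -rf here
    # cannot touch system directories. The guard keeps restore from failing
    # on a missing file when prepare aborted before creating it.
    if [ -f created_dirs ]; then
        while read -r dir; do
            rm -rf "$dir"
        done < created_dirs
        rm -f created_dirs
    fi

    # stderr captures written by execute.
    rm -f ./*.err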

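execute: |
    # With allow-sandbox=false the plug is auto-connected; with
    # allow-sandbox=true it is not, so the test has to connect it by hand.
    if [ "$ALLOW_SANDBOX" = "false" ]; then
        echo "If allow-sandbox is false then the plug is connected by default"
    else
        echo "If allow-sandbox is true then the plug is not connected by default"
        # A bare "-" in the slot column means the plug is unconnected.
        snap interfaces -i browser-support | MATCH '\- +browser-support-consumer:browser-support'

        echo "Do connect it manually"
        snap connect browser-support-consumer:browser-support
    fi

    echo "And the snap is able to access tmp"
    echo "test" > /var/tmp/test
    SNAP_MOUNT_DIR="$(os.paths snap-mount-dir)"
    # Every access below is made as the unprivileged user "test" through the
    # consumer snap's command, so a pass reflects the interface's policy and
    # not root's privileges. The file paths are interpolated into the -c
    # command string, so the lists in `environment` must stay free of
    # whitespace and shell metacharacters.
    su -l -c "$SNAP_MOUNT_DIR/bin/browser-support-consumer.cmd ls /var/tmp/" test | MATCH test

    echo "And the snap is able to access owned files"
    for owned_file in $OWNED_FILES; do
        parent_dir=$(dirname "$owned_file")
        if [ ! -d "$parent_dir" ]; then
            # Created as "test" so the directory belongs to that user, and
            # recorded so that restore removes it again.
            su -l -c "mkdir -p $parent_dir" test
            echo "$parent_dir" >> created_dirs
        fi
        echo "test" > "$owned_file"
        chown test:12345 "$owned_file"
        su -l -c "$SNAP_MOUNT_DIR/bin/browser-support-consumer.cmd cat $owned_file" test | MATCH test
        su -l -c "$SNAP_MOUNT_DIR/bin/browser-support-consumer.cmd touch $owned_file" test
    done

    echo "And the snap is able to access readable files"
    for readable_file in $READABLE_FILES; do
        parent_dir=$(dirname "$readable_file")
        if [ ! -d "$parent_dir" ]; then
            if mkdir -p "$parent_dir"; then
                echo "$parent_dir" >> created_dirs
            else
                # The file is skipped here and, because it never exists,
                # again in the disconnected-plug checks further down.
                echo "$parent_dir couldn't be created, write-only partition?"
                continue
            fi
        fi
        echo "test" > "$readable_file"
        su -l -c "$SNAP_MOUNT_DIR/bin/browser-support-consumer.cmd cat $readable_file" test | MATCH test
    done

    # The sandbox-only files are created for both variants: with
    # allow-sandbox they must be readable, without it the read must be denied.
    for readable_file in $READABLE_WITH_SANDBOX_FILES; do
        parent_dir=$(dirname "$readable_file")
        if [ ! -d "$parent_dir" ]; then
            mkdir -p "$parent_dir"
            echo "$parent_dir" >> created_dirs
        fi
        echo "test" > "$readable_file"
    done

    if [ "$ALLOW_SANDBOX" = "true" ]; then
        for readable_file in $READABLE_WITH_SANDBOX_FILES; do
            su -l -c "$SNAP_MOUNT_DIR/bin/browser-support-consumer.cmd cat $readable_file" test | MATCH test
        done
    fi

    # Under partial confinement there is no enforced AppArmor profile, so
    # neither the policy text nor the expected denials below can be checked.
    if [ "$(snap debug confinement)" = partial ] ; then
        exit 0
    fi

    profile=/var/lib/snapd/apparmor/profiles/snap.browser-support-consumer.cmd
    if [ "$ALLOW_SANDBOX" = "false" ]; then
        echo "And the policy has the ptrace suppression rule without sandbox"
        MATCH '^deny ptrace \(trace\),' < "$profile"
    else
        echo "And the policy does not have the ptrace suppression rule with sandbox"
        # Same rule, negated: the explicit deny must be absent in this variant.
        if MATCH '^deny ptrace \(trace\),' < "$profile"; then
            echo "Found ptrace rule, but shouldn't have"
            exit 1
        fi
    fi

    echo "And the resources available with sandbox are not reachable without it"
    if [ "$ALLOW_SANDBOX" = "false" ]; then
        for readable_file in $READABLE_WITH_SANDBOX_FILES; do
            if su -l -c "$SNAP_MOUNT_DIR/bin/browser-support-consumer.cmd cat $readable_file" test 2> readable-without-sandbox-read.err; then
                echo "Expected error without sandbox didn't happen"
                exit 1
            fi
            # Require a genuine policy denial, not e.g. a missing file.
            MATCH "Permission denied" < readable-without-sandbox-read.err
        done
    fi

    echo "When the plug is disconnected"
    snap disconnect browser-support-consumer:browser-support

    echo "Then the snap is not able to access tmp"
    if su -l -c "$SNAP_MOUNT_DIR/bin/browser-support-consumer.cmd ls /var/tmp/" test 2> tmpdir-access.err; then
        echo "Expected error with disconnected plug didn't happen"
        exit 1
    fi
    MATCH "Permission denied" < tmpdir-access.err
    if su -l -c "$SNAP_MOUNT_DIR/bin/browser-support-consumer.cmd cat /var/tmp/etilqs_test" test 2> tmpfile-read.err; then
        echo "Expected error with disconnected plug didn't happen"
        exit 1
    fi
    MATCH "Permission denied" < tmpfile-read.err

    for owned_file in $OWNED_FILES; do
        if su -l -c "$SNAP_MOUNT_DIR/bin/browser-support-consumer.cmd cat $owned_file" test 2> owned-read.err; then
            echo "Expected error with disconnected plug didn't happen"
            exit 1
        fi
        MATCH "Permission denied" < owned-read.err
    done
    for readable_file in $READABLE_FILES; do
        # A file skipped earlier (parent directory could not be created) was
        # never written: there is no access to deny and no .err file to
        # inspect, so the MATCH must be skipped along with the read.
        if [ ! -f "$readable_file" ]; then
            continue
        fi
        if su -l -c "$SNAP_MOUNT_DIR/bin/browser-support-consumer.cmd cat $readable_file" test 2> readable-read.err; then
            echo "Expected error with disconnected plug didn't happen"
            exit 1
        fi
        MATCH "Permission denied" < readable-read.err
    done
    if [ "$ALLOW_SANDBOX" = "true" ]; then
        for readable_file in $READABLE_WITH_SANDBOX_FILES; do
            if su -l -c "$SNAP_MOUNT_DIR/bin/browser-support-consumer.cmd cat $readable_file" test 2> readable-with-sandbox-read.err; then
                echo "Expected error with disconnected plug didn't happen"
                exit 1
            fi
            MATCH "Permission denied" < readable-with-sandbox-read.err
        done
    fi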