1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
|
summary: Ensure that the security rules related to device cgroups work.
details: |
This test checks the when an udev rule assigning a device to a snap is added,
then just that device is assigned to that snap and other devices are not shown
as assigned to the snap
systems:
#TODO: bpftool is not available on core22+ and tests.device-cgroup needs it for cgroups v2
- -ubuntu-core-22-*
- -ubuntu-core-24-*
environment:
DEVICE_NAME/kmsg: kmsg
UDEVADM_PATH/kmsg: /sys/devices/virtual/mem/kmsg
DEVICE_ID/kmsg: "c 1:11 rwm"
OTHER_DEVICE_NAME/kmsg: uinput
OTHER_UDEVADM_PATH/kmsg: /sys/devices/virtual/misc/uinput
OTHER_DEVICE_ID/kmsg: "c 10:223 rwm"
DEVICE_NAME/uinput: uinput
UDEVADM_PATH/uinput: /sys/devices/virtual/misc/uinput
DEVICE_ID/uinput: "c 10:223 rwm"
OTHER_DEVICE_NAME/uinput: kmsg
OTHER_UDEVADM_PATH/uinput: /sys/devices/virtual/mem/kmsg
OTHER_DEVICE_ID/uinput: "c 1:11 rwm"
prepare: |
if [ ! -e /sys/devices/virtual/misc/uinput ]; then
if ! modprobe uinput; then
echo "no uinput support, cannot run test"
exit 0
fi
fi
# create nvidia devices if they don't exist
if [ ! -e /dev/nvidia0 ]; then
mknod /dev/nvidia0 c 195 0
touch /dev/nvidia0.spread
fi
if [ ! -e /dev/nvidiactl ]; then
mknod /dev/nvidiactl c 195 255
touch /dev/nvidiactl.spread
fi
if [ ! -e /dev/nvidia-uvm ]; then
mknod /dev/nvidia-uvm c 247 0
touch /dev/nvidia-uvm.spread
fi
# move aside an existing nvidia device
if [ -e /dev/nvidia254 ]; then
mv /dev/nvidia254 /dev/nvidia254.spread
fi
# create uhid device if it doesn't exist
if [ ! -e /dev/uhid ]; then
mknod /dev/uhid c 10 239
touch /dev/uhid.spread
fi
restore: |
if [ -e /dev/nvidia0.spread ]; then
rm -f /dev/nvidia0 /dev/nvidia0.spread
fi
if [ -e /dev/nvidiactl.spread ]; then
rm -f /dev/nvidiactl /dev/nvidiactl.spread
fi
if [ -e /dev/nvidia-uvm.spread ]; then
rm -f /dev/nvidia-uvm /dev/nvidia-uvm.spread
fi
if [ -e /dev/nvidia254.spread ]; then
mv /dev/nvidia254.spread /dev/nvidia254
fi
if [ -e /dev/uhid.spread ]; then
rm -f /dev/uhid /dev/uhid.spread
fi
if [ -e /etc/udev/rules.d/70-snap.test-snapd-sh.rules ]; then
rm /etc/udev/rules.d/70-snap.test-snapd-sh.rules
systemctl restart systemd-udevd
udevadm control --reload-rules
udevadm trigger
fi
execute: |
# some systems (like s390x) do not have support for this
if [ ! -e /sys/devices/virtual/misc/uinput ]; then
echo "no uinput support, cannot run test"
exit 0
fi
tags_are_sticky=0
systemd_ver="$(systemctl --version | awk '/systemd [0-9]+/ { print $2 }' | cut -f1 -d"~")"
if [ "$systemd_ver" -ge 247 ]; then
# with systemd versions 247+, the TAGS are sticky, but CURRENT_TAGS is
# updated to reflect the latest state of DB
tags_are_sticky=1
fi
echo "Given snap is installed"
"$TESTSTOOLS"/snaps-state install-local test-snapd-sh
echo "Then the device is not assigned to that snap"
udevadm info "$UDEVADM_PATH" | NOMATCH "E: TAGS=.*snap_test-snapd-sh_sh"
udevadm info "$UDEVADM_PATH" | NOMATCH "E: CURRENT_TAGS=.*snap_test-snapd-sh_sh"
echo "And the device is not shown in the snap device list"
tests.device-cgroup test-snapd-sh.sh dump | NOMATCH "$DEVICE_ID"
echo "When a udev rule assigning the device to the snap is added"
content="KERNEL==\"$DEVICE_NAME\", TAG+=\"snap_test-snapd-sh_sh\""
echo "$content" > /etc/udev/rules.d/70-snap.test-snapd-sh.rules
udevadm control --reload-rules
udevadm settle
udevadm trigger
udevadm settle
echo "Then the device is shown as assigned to the snap"
udevadm info "$UDEVADM_PATH" | MATCH "E: TAGS=.*snap_test-snapd-sh_sh"
# CURRENT_TAGS just available on systemd 247+
if [ "$tags_are_sticky" = "1" ]; then
udevadm info "$UDEVADM_PATH" | MATCH "E: CURRENT_TAGS=.*snap_test-snapd-sh_sh"
fi
echo "And other devices are not shown as assigned to the snap"
if [ "$tags_are_sticky" = "1" ]; then
# no point in checking TAGS are other variant of the test could have
# executed on the same host and thus TAGS will be tainted
udevadm info "$OTHER_UDEVADM_PATH" | NOMATCH "E: CURRENT_TAGS=.*snap_test-snapd-sh_sh"
else
udevadm info "$OTHER_UDEVADM_PATH" | NOMATCH "E: TAGS=.*snap_test-snapd-sh_sh"
fi
echo "When a snap command is called"
test-snapd-sh.sh -c 'true'
tests.device-cgroup test-snapd-sh.sh dump > devices.list
echo "Then the device is shown in the snap device list"
MATCH "$DEVICE_ID" < devices.list
echo "And other devices are not shown in the snap device list"
NOMATCH "$OTHER_DEVICE_ID" < devices.list
echo "But existing nvidia devices are in the snap's device cgroup"
tests.device-cgroup test-snapd-sh.sh dump > devices.list
MATCH "c 195:0 rwm" < devices.list
MATCH "c 195:255 rwm" < devices.list
MATCH "c 247:0 rwm" < devices.list
echo "But nonexisting nvidia devices are not"
NOMATCH "c 195:254 rwm" < devices.list
echo "But the existing uhid device is in the snap's device cgroup"
MATCH "c 10:239 rwm" < devices.list
echo "Once the snap is removed, the current tags are automatically removed"
snap remove test-snapd-sh
udevadm info "$UDEVADM_PATH" | NOMATCH "E: CURRENT_TAGS=.*snap_test-snapd-sh_sh"
test ! -f /etc/udev/rules.d/70-snap.test-snapd-sh.rules
if [ "$tags_are_sticky" = "1" ]; then
udevadm info "$UDEVADM_PATH" | MATCH "E: TAGS=.*snap_test-snapd-sh_sh"
else
udevadm info "$UDEVADM_PATH" | NOMATCH "E: TAGS=.*snap_test-snapd-sh_sh"
fi
|
