1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
|
summary: Check that try command works
details: |
The snap try command can be used to install a snap without creating the
squashfs file, which for large snaps is very costly. The test shows that
snap try works for snaps using strict, devmode and classic confinement.
# s390x does not have /dev/kmsg
# ubuntu-14.04: systemd-run not supported
systems: [-ubuntu-core-*, -fedora-*, -opensuse-*, -arch-*, -ubuntu-*-s390x, -centos-*, -ubuntu-14.04*]
environment:
PORT: 8081
READABLE_FILE: "/var/snap/test-snapd-tools/x1/file.txt"
SERVICE_NAME: "test-service"
prepare: |
tests.exec is-skipped && exit 0
# shellcheck source=tests/lib/network.sh
. "$TESTSLIB"/network.sh
make_network_service "$SERVICE_NAME" "$PORT"
restore: |
tests.exec is-skipped && exit 0
systemctl stop "$SERVICE_NAME"
rm -f "$READABLE_FILE"
execute: |
tests.exec is-skipped && exit 0
echo "Given a buildable snap in a known directory"
echo "When try is executed on that directory"
snap try "$TESTSLIB"/snaps/test-snapd-tools
echo "Then the snap is listed as installed with try in the notes"
snap list | MATCH '^test-snapd-tools .* try'
echo "And commands from the snap-try binary can be run"
test-snapd-tools.success
echo "And commands from the snap-try binary can read in a readable dir"
echo -n "Hello World" > "$READABLE_FILE"
test-snapd-tools.cat "$READABLE_FILE" | MATCH "Hello World"
echo "Given a buildable snap which access confinement-protected resources in a known directory"
echo "When try is executed on that directory"
snap try "$TESTSLIB"/snaps/test-snapd-tools
if [ "$(snap debug confinement)" = strict ] ; then
echo "Then the snap command is not able to access the protected resource"
if test-snapd-tools.head -1 /dev/kmsg; then
echo "Expected confinement denial in try mode didn't work"
exit 1
fi
fi
echo "Given a buildable snap which access confinement-protected resources in a known directory"
echo "When try is executed on that directory with devmode enabled"
snap try "$TESTSLIB"/snaps/test-snapd-tools --devmode
echo "Then the snap command is able to access the protected resource"
test-snapd-tools.head -1 /dev/kmsg
echo "Given a buildable snap which access confinement-enabled network resources in a known directory"
echo "When try is executed on that directory"
snap try "$TESTSLIB"/snaps/network-consumer
echo "Then the snap is able to access the network resource"
network-consumer http://127.0.0.1:"$PORT" | MATCH "ok"
n=test-snapd-classic-confinement
s=$TESTSLIB/snaps/$n
echo "Given a buildable snap with classic confinement:"
echo " - you can't try it without --classic:"
not snap try "$s"
not snap try --jailmode "$s"
not snap try --devmode "$s"
touch /tmp/lala
echo " - you can try it with --classic:"
snap try --classic "$s"
snap list $n | MATCH $n.*classic
$n | MATCH lala
snap remove $n
# SOON:
# echo " - you can also try it with --classic --jailmode:"
# snap try --classic --devmode $s
# snap list $n | MATCH "$n.*(classic,jailmode|jailmode,classic)"
# $n | MATCH lala
|
