summary: Ensure that commands run when their core provided interfaces are connected
details: |
    Install a test snap that plugs as many core provided interfaces as is
    possible and verify the command can run (ie, don't test the interface
    functionality itself). This will help catch things like AppArmor
    policy syntax errors, seccomp policy parsing, udev querying bugs, etc.
# memory issue inside the adt environment
backends: [-autopkgtest]
# Ideally we would run this everywhere, but on systems with full security
# support, it takes a while, which leads to travis timeouts. Limit to:
# - Ubuntu Core
# - Ubuntu classic
# - All Ubuntu autopkgtests
# - Debian sid amd64 VM
# - TODO: All Fedora systems (for classic-only; unrelated error elsewhere)
systems:
    - ubuntu-*
    - debian-*
# Start early as it takes a long time.
priority: 100
environment:
    CONSUMER_SNAP: test-snapd-policy-app-consumer
prepare: |
    # We remove the shared-memory plug and interface in trusty because it fails with the
    # following error since adding private /dev/shm support to shared-memory interface:
    # shared-memory plug with "private: true" cannot be connected if "/dev/shm" is a symlink)
    if os.query is-trusty; then
        cp -r "$TESTSLIB/snaps/$CONSUMER_SNAP" .
        sed -e '/shared-memory:/,+2d' -i "$CONSUMER_SNAP/meta/snap.yaml"
    fi
    echo "Given a snap is installed"
    "$TESTSTOOLS"/snaps-state install-local "$CONSUMER_SNAP"
    # If possible, prepare a session for the test user. On many systems this
    # will allow running all tests as the unprivileged user. This shields us
    # from accidentally triggering additional processes that run in the
    # session of the root user and stay behind after this test terminates.
    if tests.session has-session-systemd-and-dbus; then
        tests.session -u test prepare
    fi
restore: |
    # Remove the snaps to avoid timeout in next test
    snap remove --purge "$CONSUMER_SNAP"
    if tests.session has-session-systemd-and-dbus; then
        tests.session -u test restore
    fi
debug: |
    # get the full journal to see any out-of-memory errors
    # shellcheck disable=SC2119
    "$TESTSTOOLS"/journal-state get-log
execute: |
    echo "For each core-provided slot"
    SNAP_MOUNT_DIR="$(os.paths snap-mount-dir)"
    for plugcmd in "$SNAP_MOUNT_DIR"/bin/"$CONSUMER_SNAP".* ; do
        # Just connect 20% of the interfaces on debian 10
        # Debian 10 has bad performance disconnecting interfaces
        # and the test fails (kill-timeout) trying either to remove
        # interfaces or removing the snap
        if os.query is-debian 10 && [ "$((RANDOM % 5))" != 0 ]; then
            echo "skipping plug: $plugcmd"
            continue
        fi
        plugcmd_bn=$(basename "$plugcmd")
        plug_iface=$(echo "$plugcmd_bn" | tr '.' ':')
        #shellcheck disable=SC2001
        slot_iface=$(echo "$plug_iface" | sed "s/$CONSUMER_SNAP//")
        # we test browser-support two different ways, so account for that
        if [ "$plug_iface" = "$CONSUMER_SNAP:browser-sandbox" ]; then
            slot_iface=":browser-support"
        fi
        CONNECTED_PATTERN="$slot_iface +.*$CONSUMER_SNAP"
        DISCONNECTED_PATTERN="$slot_iface +-"
        # Skip any interfaces that core doesn't ship
        if ! snap interfaces | grep -E -q "$slot_iface +"; then
            echo "$slot_iface not present, skipping"
            continue
        fi
        if [ "$plug_iface" = "$CONSUMER_SNAP:qualcomm-ipc-router" ] && ( os.query is-trusty || os.query is-core16 ) ; then
            # the qualcomm-ipc-router interface is known not to work on UC16
            # without snapd, just check that it cannot be connected and move on
            snap connect "$plug_iface" "$slot_iface" 2>&1 | MATCH "cannot connect plug on system without qipcrtr socket support"
            continue
        fi
        if [ "$plug_iface" = "$CONSUMER_SNAP:mount-control" ] && os.query is-trusty ; then
            # systemd version is too old, skipping
            snap connect "$plug_iface" "$slot_iface" 2>&1 | MATCH "systemd version 204 is too old \\(expected at least 209\\)"
            continue
        fi
        # The netlink-audit interface adds the `audit_read` capability to the
        # AppArmor profile, but that's not supported on some older systems
        if [ "$plug_iface" = "$CONSUMER_SNAP:netlink-audit" ] && os.query is-trusty; then
            snap connect "$plug_iface" "$slot_iface" 2>&1 | MATCH "cannot connect plug on system without audit_read support"
            continue
        fi
        echo "When slot $slot_iface is connected"
        if snap interfaces | grep -E -q "$DISCONNECTED_PATTERN"; then
            if [ "$slot_iface" = ":broadcom-asic-control" ] || [ "$slot_iface" = ":firewall-control" ] || [ "$slot_iface" = ":kubernetes-support" ] || [ "$slot_iface" = ":microstack-support" ] || [ "$slot_iface" = ":openvswitch-support" ] || [ "$slot_iface" = ":ppp" ]; then
                # TODO: when the kmod backend no longer fails on missing
                # modules, we can remove this
                snap connect "$plug_iface" "$slot_iface" || true
            else
                snap connect "$plug_iface" "$slot_iface"
            fi
        fi
        snap interfaces | MATCH "$CONNECTED_PATTERN"
        echo "Then $plugcmd should succeed"
        if tests.session has-session-systemd-and-dbus; then
            tests.session -u test exec "$plugcmd" | MATCH PASS
        else
            # If we cannot run the plug command as the test user, in the
            # relative safety of the user session which gets torn down, then
            # run the test directly EXCEPT when testing the desktop interface.
            #
            # The desktop interface causes, at minimum, XDG document portal to
            # activate in the root user's session, which is not cleaned up.
            # Since that interface will only be used in a real session, leaving
            # it out is acceptable.
            #
            # Compare the basename: $plugcmd is a full path under
            # $SNAP_MOUNT_DIR/bin and would never equal the bare command name.
            if [ "$plugcmd_bn" != "${CONSUMER_SNAP}.desktop" ]; then
                "$plugcmd" | MATCH PASS
            else
                echo "skipping $plugcmd on an unsupported system"
            fi
        fi
        echo "Finally disconnect the interface"
        if snap interfaces | grep -E -q "$CONNECTED_PATTERN"; then
            if [ "$plug_iface" = "$CONSUMER_SNAP:browser-sandbox" ]; then
                snap disconnect "$CONSUMER_SNAP:browser-support" "$slot_iface"
            else
                snap disconnect "$plug_iface" "$slot_iface"
            fi
        fi
    done
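An added example, not part of the snapd test suite: it replays the task's name derivation and `grep -E` patterns against a constructed `snap interfaces` listing, showing which lines the not-present, connected and disconnected checks match. The sample listing and the function names `sample_interfaces`, `slot_for` and `slot_state` are assumptions made for illustration.

```shell
#!/bin/sh
# Illustration only: the listing below is constructed, not captured output.
CONSUMER_SNAP=test-snapd-policy-app-consumer

# Constructed sample in the two-column "Slot  Plug" layout the patterns expect.
sample_interfaces() {
    cat <<EOF
Slot                  Plug
:account-control      -
:browser-support      ${CONSUMER_SNAP}:browser-sandbox
:network              ${CONSUMER_SNAP}
:network-bind         -
-                     ${CONSUMER_SNAP}:ppp
EOF
}

# Map a plug command path to its slot name, as the execute loop does:
# basename, '.' -> ':', strip the snap name, special-case browser-sandbox.
slot_for() {
    plug_iface=$(basename "$1" | tr '.' ':')
    if [ "$plug_iface" = "$CONSUMER_SNAP:browser-sandbox" ]; then
        echo ":browser-support"
    else
        echo "$plug_iface" | sed "s/$CONSUMER_SNAP//"
    fi
}

# Classify the slot with the same three patterns the task uses.
slot_state() {
    slot=$(slot_for "$1")
    if ! sample_interfaces | grep -E -q "$slot +"; then
        echo absent          # "Skip any interfaces that core doesn't ship"
    elif sample_interfaces | grep -E -q "$slot +.*$CONSUMER_SNAP"; then
        echo connected       # CONNECTED_PATTERN
    elif sample_interfaces | grep -E -q "$slot +-"; then
        echo disconnected    # DISCONNECTED_PATTERN
    else
        echo unknown
    fi
}

for cmd in network network-bind browser-sandbox ppp; do
    path="/snap/bin/$CONSUMER_SNAP.$cmd"
    echo "$cmd: slot=$(slot_for "$path") state=$(slot_state "$path")"
done
```

The `:network` pattern does not match the `:network-bind` row because the pattern requires a space right after the slot name, and the `ppp` row is reported absent because a plug-side entry never has the slot name followed by a space.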