File: task.yaml

package info (click to toggle)
snapd 2.72-1
  • links: PTS, VCS
  • area: main
  • in suites: sid
  • size: 80,412 kB
  • sloc: sh: 16,506; ansic: 16,211; python: 11,213; makefile: 1,919; exp: 190; awk: 58; xml: 22
file content (51 lines) | stat: -rw-r--r-- 2,858 bytes parent folder | download | duplicates (3) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
 
summary: Check that snap-confine refuses to run unconfined

details: |
    snap-confine is setuid root but is only confined with an apparmor profile
    when invoked as a system-installed package or when running in the core from
    the usual location (/usr/lib/snapd/snap-confine). As a security precaution
    it should detect and refuse to run if invoked from the core snap.

# No confinement (AppArmor, Seccomp) available on these systems
systems: [-debian-*, -fedora-*, -opensuse-*, -arch-*, -amazon-*, -centos-*]

prepare: |
    "$TESTSTOOLS"/snaps-state install-local test-snapd-sh
    echo "Ensure the snap-confine profiles on core are not loaded"
    # ensure the right apparmor_parser is used
    APPARMOR_PARSER="apparmor_parser"
    if snap debug sandbox-features --required apparmor:parser:snapd-internal; then
      APPARMOR_PARSER="/snap/snapd/current/usr/lib/snapd/apparmor_parser --config-file /snap/snapd/current/usr/lib/snapd/apparmor/parser.conf -b /snap/snapd/current/usr/lib/snapd/apparmor.d --policy-features /snap/snapd/current/usr/lib/snapd/apparmor.d/abi/4.0"
    fi
    for p in /var/lib/snapd/apparmor/profiles/snap-confine.*; do
        $APPARMOR_PARSER -R "$p"
    done

restore: |
    echo "Ensure the snap-confine profiles are restored"
    # ensure the right apparmor_parser is used
    APPARMOR_PARSER="apparmor_parser"
    if snap debug sandbox-features --required apparmor:parser:snapd-internal; then
      APPARMOR_PARSER="/snap/snapd/current/usr/lib/snapd/apparmor_parser --config-file /snap/snapd/current/usr/lib/snapd/apparmor/parser.conf -b /snap/snapd/current/usr/lib/snapd/apparmor.d --policy-features /snap/snapd/current/usr/lib/snapd/apparmor.d/abi/4.0"
    fi
    for p in /var/lib/snapd/apparmor/profiles/snap-confine.*; do
      $APPARMOR_PARSER -r "$p"
    done

debug: |
    SNAP_MOUNT_DIR="$(os.paths snap-mount-dir)"
    ls -ld "$SNAP_MOUNT_DIR/core/current/usr/lib/snapd/snap-confine" || true
    ls -ld "$SNAP_MOUNT_DIR/ubuntu-core/current/usr/lib/snapd/snap-confine" || true
    ls -ld /usr/lib/snapd/snap-confine || true
    snap list || true

execute: |
    # NOTE: This has to run as the test user because the protection is only
    # active if user gains elevated permissions as a result of using setuid
    # root snap-confine.
    SNAP_MOUNT_DIR="$(os.paths snap-mount-dir)"
    if su test -c "sh -c \"SNAP_NAME=test-snapd-sh SNAP_INSTANCE_NAME=test-snapd-sh $SNAP_MOUNT_DIR/core/current/usr/lib/snapd/snap-confine snap.test-snapd-sh.sh -c '/bin/true' 2>/dev/null\""; then
        echo "snap-confine didn't refuse to run!"
        exit 1
    fi
    su test -c "sh -c \"SNAP_NAME=test-snapd-sh SNAP_INSTANCE_NAME=test-snapd-sh $SNAP_MOUNT_DIR/core/current/usr/lib/snapd/snap-confine snap.test-snapd-sh.sh -c '/bin/true' 2>&1\"" | MATCH "Refusing to continue to avoid permission escalation attacks"