1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
|
summary: Ensure that /dev/input/event* is allowed to slot snaps that need it
details: |
The default policy disallows access to /dev/input/event* and snapd
by default uses 'udevadm trigger --subsystem-nomatch=input'. Some slots
like mir, wayland and x11 actually need access to /dev/input/event* and
request snapd perform 'udevadm trigger --subsystem-match=input'. For
this test, use a snap that slots 'mir' since it is allowed on Core and
classic distro. Also test that simply plugging 'mir' does not grant the
access and that plugging mir with another interface (specifically,
time-control) that trigger the device cgroup also does not.
prepare: |
echo "Given the test-snapd-udev-input-subsystem is installed"
"$TESTSTOOLS"/snaps-state install-local test-snapd-udev-input-subsystem
debug: |
# shellcheck disable=SC2046
udevadm info $(find /dev/input/ -type c) | grep -e N: -e MAJOR= -e MINOR= -e TAGS= || true
execute: |
if [ -z "$(find /dev/input/by-path -name '*-event-kbd')" ]; then
if [ "$SPREAD_SYSTEM" = "ubuntu-16.04-64" ]; then
# ensure the test runs at least on this spread system
echo "No /dev/input/by-path but this test cannot be skipped on ubuntu-16.04-64"
exit 1
fi
echo "SKIP: no /dev/input/by-path or keyboard input detected"
exit 0
fi
echo "The mir slot and plug are available by default and connected"
snap interfaces -i mir | MATCH "test-snapd-udev-input-subsystem:mir-slot +test-snapd-udev-input-subsystem:mir-plug"
echo "The snap's slot can access an evdev keyboard"
test-snapd-udev-input-subsystem.slot
if [ "$(snap debug confinement)" != "strict" ]; then
exit 0
fi
echo "The snap's plug cannot access an evdev keyboard when connected"
if test-snapd-udev-input-subsystem.plug 2> call.error; then
echo "Expected permission error with connected plug"
exit 1
fi
# AppArmor is 'Permission denied' which is expected with default policy
MATCH "Permission denied" < call.error
echo "When the mir plug is disconnected"
snap disconnect test-snapd-udev-input-subsystem:mir-plug test-snapd-udev-input-subsystem:mir-slot
snap interfaces -i mir | MATCH -- '- +test-snapd-udev-input-subsystem:mir-plug'
echo "The snap's plug still cannot access an evdev keyboard"
if test-snapd-udev-input-subsystem.plug 2> call.error; then
echo "Expected permission error with disconnected plug"
exit 1
fi
# AppArmor is 'Permission denied' which is expected with default policy
MATCH "Permission denied" < call.error
echo "When the time-control plug is disconnected"
snap interfaces -i time-control | MATCH ':time-control +-'
echo "The snap's time-control plug cannot access an evdev keyboard when disconnected"
if test-snapd-udev-input-subsystem.plug-with-time-control 2> call.error; then
echo "Expected permission error with disconnected time-control plug"
exit 1
fi
# AppArmor is 'Permission denied' which is expected with default policy
MATCH "Permission denied" < call.error
echo "When the time-control plug is connected"
snap connect test-snapd-udev-input-subsystem:time-control
snap interfaces -i time-control | MATCH ":time-control +test-snapd-udev-input-subsystem"
echo "The snap's plug still cannot access an evdev keyboard"
if test-snapd-udev-input-subsystem.plug-with-time-control 2> call.error; then
echo "Expected permission error with disconnected time-control plug"
exit 1
fi
# device cgroup is 'Operation not permitted' which is expected since the
# device cgroup is in effect (because of rtc) and the device isn't in the
# cgroup. DAC is evaluated before AppArmor so since the device wasn't added
# to the cgroup, we see a DAC denial.
MATCH "(Operation not permitted|Permission denied)" < call.error
|
