File: task.yaml

package info (click to toggle)
snapd 2.72-1
  • links: PTS, VCS
  • area: main
  • in suites: sid
  • size: 80,412 kB
  • sloc: sh: 16,506; ansic: 16,211; python: 11,213; makefile: 1,919; exp: 190; awk: 58; xml: 22
file content (151 lines) | stat: -rw-r--r-- 5,221 bytes parent folder | download | duplicates (3) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
 
summary: Ensure that the snap-seccomp bpf handling works

details: |
    This test installs the test-snapd-sh snap and runs different checks 
    to validate that snap-seccomp bpf handling works as expected. Those 
    checks include the use of @complain and @unrestricted keywords, 
    missing, empty and invalid profiles, checks the filter size limit 
    and ensures that that snap-confine waits for security profiles to 
    appear. It also verifies that amd64 arch works with i386 binaries.

systems: [ubuntu-*]

# Start early as it takes a long time.
priority: 100

environment:
    PROFILE: /var/lib/snapd/seccomp/bpf/snap.test-snapd-sh.sh
    SNAP_SECCOMP: /usr/lib/snapd/snap-seccomp

execute: |
    echo "Install test-snapd-sh and verify it works"
    snap install test-snapd-sh
    test-snapd-sh.sh -c 'echo hello' | MATCH hello

    if tests.info is-snapd-from-archive; then
        MOUNT_DIR="$(os.paths snap-mount-dir)"
        SNAP_SECCOMP="$MOUNT_DIR/snapd/current$SNAP_SECCOMP"
    fi

    # we can dump existing profile
    $SNAP_SECCOMP dump "${PROFILE}.bin2" "$PWD/bpf-dump"
    test -s "$PWD/bpf-dump.allow"
    test -s "$PWD/bpf-dump.deny"

    # from the old test_complain
    echo "Test that the @complain keyword works"
    rm -f "${PROFILE}.bin2"
    cat >"${PROFILE}.src" <<EOF
    # some comment
    @complain
    EOF
    $SNAP_SECCOMP compile "${PROFILE}.src" "${PROFILE}.bin2"
    echo "Ensure the code still runs"
    test-snapd-sh.sh -c 'echo hello' | MATCH hello

    # from the old test_complain_missed
    rm -f "${PROFILE}.bin2"
    cat >"${PROFILE}.src" <<EOF
    # super strict filter
    @complai
    @complaim
    @omplain
    @COMPLAIN
    complain
    EOF
    $SNAP_SECCOMP compile "${PROFILE}.src" "${PROFILE}.bin2"
    echo "Ensure the code cannot not run due to impossible filtering"
    if test-snapd-sh.sh -c 'echo hello'; then
        echo "filtering broken: program should have failed to run"
        exit 1
    fi
    
    # from the old test_unrestricted
    echo "Test that the @unrestricted keyword works"
    rm -f "${PROFILE}.bin2"
    cat >"${PROFILE}.src" <<EOF
    # some comment
    @unrestricted
    EOF
    $SNAP_SECCOMP compile "${PROFILE}.src" "${PROFILE}.bin2"
    echo "Ensure the code still runs"
    test-snapd-sh.sh -c 'echo hello' | MATCH hello

    # from the old test_unrestricted_missed
    rm -f "${PROFILE}.bin2"
    cat >"${PROFILE}.src" <<EOF
    # super strict filter
    @unrestricte
    @unrestrictes
    @nrestricted
    @UNRESTRICTED
    unrestricted
    EOF
    $SNAP_SECCOMP compile "${PROFILE}.src" "${PROFILE}.bin2"
    echo "Ensure the code cannot not run due to impossible filtering"
    if test-snapd-sh.sh -c 'echo hello'; then
        echo "filtering broken: program should have failed to run"
        exit 1
    fi

    # from the old test_noprofile
    rm -f "${PROFILE}.bin2"
    echo "Ensure the code cannot not run due to missing filter"
    if SNAP_CONFINE_MAX_PROFILE_WAIT=3 test-snapd-sh.sh -c 'echo hello'; then
        echo "filtering broken: program should have failed to run"
        exit 1
    fi

    echo "Break snapd.test-snapd-sh.bin2 to ensure (kernel) validation works"
    dd if=/dev/urandom of="${PROFILE}.bin2" count=1 bs=1024
    if output=$(test-snapd-sh.sh -c 'echo hello' 2>&1 ); then
        echo "test-snapd-sh.sh should fail with invalid seccomp profile"
        exit 1
    fi
    echo "$output" | MATCH "unexpected seccomp header: .*"

    echo "Add huge snapd.test-snapd-sh filters to ensure size limit works"
    dd if=/dev/zero of="${PROFILE}.bin2" count=50 bs=1M
    if output=$(test-snapd-sh.sh -c 'echo hello' 2>&1 ); then
        echo "test-snapd-sh.sh should fail with big seccomp profile"
        exit 1
    fi
    # TODO: adjust the test so that the header is valid and the profile big
    #echo "$output" | MATCH "cannot fit .* to memory buffer"

    
    echo "Ensure the code cannot not run with a missing filter profile"
    rm -f "${PROFILE}.bin2"
    if test-snapd-sh.sh -c 'echo hello'; then
        echo "filtering broken: program should have failed to run"
        exit 1
    fi

    echo "Ensure the code cannot not run with an empty seccomp profile"
    rm -f "${PROFILE}.bin2"
    echo "" > "${PROFILE}.src"
    $SNAP_SECCOMP compile "${PROFILE}.src" "${PROFILE}.bin2"
    if test-snapd-sh.sh -c 'echo hello'; then
        echo "filtering broken: program should have failed to run"
        exit 1
    fi

    echo "Ensure snap-confine waits for security profiles to appear"
    rm -f "${PROFILE}.bin2"
    cat >"${PROFILE}.src" <<EOF
    @unrestricted
    EOF
    ( (sleep 3; $SNAP_SECCOMP compile "${PROFILE}.src" "${PROFILE}.bin2") &)
    echo "Ensure the code still runs"
    test-snapd-sh.sh -c 'echo hello' | MATCH hello

    if os.query is-pc-amd64; then
        echo "Ensure secondary arch works for amd64 with i386 binaries"
        snap install --edge test-snapd-hello-multi-arch
        test-snapd-hello-multi-arch.hello-i386

        echo "Ensure secondary arch works in @complain mode too"
        snap remove --purge test-snapd-hello-multi-arch
        snap install --devmode --edge test-snapd-hello-multi-arch
        test-snapd-hello-multi-arch.hello-i386
    fi