File: task.yaml

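# Spread integration test (snapd's task.yaml format) for the standalone
# apparmor profile loader, snapd.apparmor.service. The scenario is the shell
# in the `execute` block; `environment` supplies its one variable and `debug`
# is what the harness prints when the scenario fails.
summary: Ensure snapd-apparmor works as expected

details: |
    This test verifies that snapd.apparmor is able to reload apparmor profiles
    in the absence of snapd. It also checks that snapd.apparmor.service fails
    when a profile is invalid.

# Local test snap whose installation generates many apparmor profiles, so the
# unload/reload cycle below has real work to do (the diff checks enforce this).
environment:
    CONSUMER_SNAP: test-snapd-policy-app-consumer

# Printed on failure: the journal of the unit under test. The unit is named
# snapd.apparmor.service everywhere else in this file; the previous value here
# was snap.apparmor.service, which matches no unit this test touches, so the
# log came back empty exactly when it was needed.
debug: |
    "$TESTSTOOLS"/journal-state get-log -u snapd.apparmor.service

# Scenario:
#   1. unload every profile defined by snapd's policy files,
#   2. restart snapd.apparmor.service with snapd itself stopped,
#   3. require the loaded profile set to match the original one,
#   4. corrupt the test snap's policy and require the service to fail
#      (fail closed rather than report success with a profile missing).
# State changes are undone via `tests.cleanup defer`, so they are presumably
# reverted whether or not the scenario passes. A non-zero exit from any
# unguarded command is assumed to fail the test (the harness is expected to
# run this block with errexit -- confirm).
execute: |
    if ! systemctl is-active snapd.apparmor.service; then
      echo "Skipping test since snapd.apparmor.service is not active"
      exit 0
    fi

    echo "Ensure snapd.apparmor is enabled"
    systemctl is-enabled snapd.apparmor.service

    # install a test snap which generates a lot of apparmor policies
    echo "Given a test snap is installed"
    "$TESTSTOOLS"/snaps-state install-local "$CONSUMER_SNAP"
    tests.cleanup defer snap remove --purge "$CONSUMER_SNAP"

    # stop snapd so it does not try and load apparmor policies directly
    echo "And snapd is stopped"
    systemctl stop snapd.service
    tests.cleanup defer systemctl restart snapd.service

    # get the current set of profiles but ignore any which may have gotten
    # created on-the-fly by apparmor for namespaced commands - these
    # contain / - as these won't get automatically recreated by
    # snapd.apparmor
    grep -v / /sys/kernel/security/apparmor/profiles | cut -f1 -d" " | sort > profiles.txt

    # manually unload all profiles defined by snap apparmor policies
    echo "If we unload existing snap apparmor policy"
    for p in /var/lib/snapd/apparmor/profiles/*; do
      while IFS= read -r profile; do
        echo "Unloading $profile..."
        echo -n "$profile" > /sys/kernel/security/apparmor/.remove
        # check it is now unloaded - ensure we match the complete profile
        # name so we don't inadvertently match on the wrong profile via a
        # prefix where a snap has one command that is a prefix of another
        # (ie. snap.foo.foo and snap.foo.foo-bar)
        NOMATCH "^$profile " /sys/kernel/security/apparmor/profiles
      done < <(grep ^profile < "$p" | cut -f2 -d" " | sed s/'"'//g)
    done

    # ensure we are actually testing something - ie snapd.apparmor will
    # actually have to do some work
    grep -v / /sys/kernel/security/apparmor/profiles | cut -f1 -d" " | sort > profiles_after_unload.txt
    diff -u profiles.txt profiles_after_unload.txt && exit 1

    # restart snapd.apparmor service to reload profiles
    echo "And restart snapd.apparmor.service"
    systemctl restart snapd.apparmor.service

    # check that logging from snapd-apparmor works
    "$TESTSTOOLS"/journal-state match-log "Loading profiles " -u snapd.apparmor

    # get the set of profiles which now exist
    grep -v / /sys/kernel/security/apparmor/profiles | cut -f1 -d" " | sort > profiles_after_reload.txt

    # and check there is no difference (ie. that snapd-apparmor reloaded
    # all profiles as expected)
    echo "Then profiles should have reloaded successfully..."
    diff -u profiles.txt profiles_after_reload.txt

    # also check that snapd.apparmor.service fails when a profile is invalid
    # (rewrite the leading "profile" keyword in the test snap's policy files)
    sed -i s/profile/profileinvalidnametobereplaced/ /var/lib/snapd/apparmor/profiles/snap.$CONSUMER_SNAP.*
    tests.cleanup defer sed -i s/profileinvalidnametobereplaced/profile/ /var/lib/snapd/apparmor/profiles/snap.$CONSUMER_SNAP.*

    # the restart must fail and the unit must not report success: a loader
    # that quietly skipped the bad profile would leave the snap running
    # without the confinement that profile was meant to provide
    systemctl restart snapd.apparmor.service && exit 1
    systemctl status snapd.apparmor.service && exit 1

    # fixup the profiles again
    sed -i s/profileinvalidnametobereplaced/profile/ /var/lib/snapd/apparmor/profiles/snap.$CONSUMER_SNAP.*
    # and restart
    systemctl restart snapd.apparmor.service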