1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
|
summary: Check that enable/disable works
details: |
Snapd allows enabling and disabling snaps through the `snap enable` and
`snap disable` commands. When a snap is disabled, the binaries and services
of the snap will no longer be available, but all the data is still available
and the snap can easily be enabled again.
This test verifies that when a snap is disabled, it is listed as disabled and
the command and the security profiles are no longer there. Then it checks
that the snap runs normally after it is enabled.
It also checks that the important snaps (core, gadget, kernel and bases) can't
be disabled.
prepare: |
echo "Install test-snapd-sh and ensure it runs"
"$TESTSTOOLS"/snaps-state install-local test-snapd-sh
test-snapd-sh.sh -c 'echo Hello' | MATCH Hello
execute: |
echo "Disable test-snapd-sh and ensure it is listed as disabled"
snap disable test-snapd-sh | MATCH disabled
echo "Ensure the test-snapd-sh command is no longer there"
SNAP_MOUNT_DIR="$(os.paths snap-mount-dir)"
if ls "$SNAP_MOUNT_DIR"/bin/test-snapd-sh*; then
echo "test-snapd-sh binaries are not disabled"
exit 1
fi
if [ "$(snap debug confinement)" = strict ]; then
echo "Ensure the test-snapd-sh security profiles are no longer there"
if ls /var/lib/snapd/apparmor/profiles/snap.test-snapd-sh*; then
echo "test-snapd-sh securiry profiles are not disabled"
exit 1
fi
fi
echo "Enable test-snapd-sh again and ensure it is no longer listed as disabled"
snap enable test-snapd-sh | MATCH enabled
if [ "$(snap debug confinement)" = strict ]; then
echo "Ensure the test-snapd-sh security profiles are present"
if ! ls /var/lib/snapd/apparmor/profiles/snap.test-snapd-sh*; then
echo "test-snapd-sh securiry profiles are not present"
exit 1
fi
fi
echo "Ensure test-snapd-sh runs normally after it was enabled"
test-snapd-sh.sh -c 'echo Hello' |MATCH Hello
echo "Ensure the important snaps can not be disabled"
snap install bare core24
for sn in core $(snaps.name kernel) $(snaps.name gadget) core24 bare; do
if snap disable "$sn"; then
echo "It should not be possible to disable $sn"
exit 1
fi
done
# ignore error because core24 may be used by the model
snap remove bare core24 || :
# XXX: removing a disabled snap works but will fail to run its "remove" hook.
# We should fix this but it's unclear how at the moment. Ideally, we would
# link enough stuff back to run the hook but, even then, the hook might run
# the snap which would be unexpected given that the user disabled it.
# Alternatively, we can warn the user that the hook won't run and require a --force.
"$TESTSTOOLS"/snaps-state install-local snap-hooks
snap disable snap-hooks
snap remove snap-hooks
CHG_ID=$(snap changes | tail -n 2 | awk '{print $1}')
snap change "$CHG_ID" > remove.out
MATCH "ERROR ignoring failure in hook \"remove\"" < remove.out
MATCH "error: cannot find current revision for snap snap-hooks: readlink $SNAP_MOUNT_DIR/snap-hooks/current: no such file or directory" < remove.out
|
