* asserts,i/policy: add on-core-desktop constraint
This is required for interface behaviours that are different on Core Desktop.
* interfaces/builtin/home: autoconnect home on core desktop
Core desktop is much like a classic system in that the user would reasonably
expect to be able to access this home directory.
* build-aux: update vendored apparmor to 4.0.1 release
Signed-off-by: Alex Murray <alex.murray@canonical.com>
* build-aux: add autoconf-archive to apparmor/build-packages
Unlike the Launchpad tarball, the one from the apparmor gitlab requires
this to be present as it is just a snapshot of the git tree, not a
release tarball like those provided by Launchpad.
Signed-off-by: Alex Murray <alex.murray@canonical.com>
* build-aux: remove apparmor parser performance patch
This was already included upstream as part of the 3.1.0 release and
hence is included in the 4.0.1 release which we are now vendoring.
Signed-off-by: Alex Murray <alex.murray@canonical.com>
* build-aux: remove remote patch application logic
They are already included in apparmor 4.x release.
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
* build-aux: remove local patch application logic
All local patches are now merged in the 4.x release.
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
* cmd/configure.ac: expect apparmor 4.0.1 when building as a snap
Signed-off-by: Alex Murray <alex.murray@canonical.com>
* sandbox/apparmor: use apparmor 4.0 abi with vendored parser
Signed-off-by: Alex Murray <alex.murray@canonical.com>
* sandbox/apparmor: add debug logging when probing parser features
Signed-off-by: Alex Murray <alex.murray@canonical.com>
* sandbox/apparmor: log apparmor_parser version when probing features
This is helpful when trying to debug why certain features may not be supported.
Signed-off-by: Alex Murray <alex.murray@canonical.com>
* tests/main: update for new vendored apparmor 4.0
Signed-off-by: Alex Murray <alex.murray@canonical.com>
* Reapply "i/builtin: allow docker-support to use mqueue (#13738)" (#13765)
This reverts commit ce298864e3.
* interfaces: adjust docker-support test to handle mqueue
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
* sandbox/apparmor: mask mqueue feature until apparmor 4.0.1
It seems that mediation of mqueue is miscompiled by apparmor_parser
4.0.0~beta3 that was present in Ubuntu 24.04 until the 10th of July
2024. Detect this and mask the presence of mqueue unless apparmor parser
4.0.1, or newer, is used.
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
* sandbox/apparmor: support bundled 3.0 or 4.0 (preferred) abi
Mirror the logic used in apparmor-from-the-host to apparmor-from-snapd-snap.
This mainly fixes tests that repackage old snapd snap without touching
apparmor, but in general seems like the right thing to do.
The logic is such that abi 4 is preferred.
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
* sandbox/apparmor: unify test mocking logic
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
* sandbox/apparmor: refactor appArmorParserVersion not to clobber cmd
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
* sandbox/apparmor: fix pair of typos
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
---------
Signed-off-by: Alex Murray <alex.murray@canonical.com>
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
Co-authored-by: Alex Murray <alex.murray@canonical.com>
Make sure that snap refresh/install does not crash if a change has no
api data. This is not happening in usual interactions with the store,
but it does in some cases when we use the fakestore, which is breaking
some integration tests.
* Add snippets with priorities
AppArmor rules that forbid access to a resource take priority
over rules that allow access to those same resources.
This means that if an interface restricts access to a specific
resource, it won't be possible to enable access to that same
resource from another, more privileged, interface.
An example of this is reading the .desktop files of all the
installed snaps in the system: the superprivileged interface
'desktop-launch' enables access to these files, so any snap
that has a connected plug for this interface should be able
to read them. Unfortunately, the 'desktop-legacy' interface
explicitly denies access to these files, and since it is
connected automatically if a snap uses the 'desktop' or the
'unity7' interfaces, this means that no graphical application
will be able to read the .desktop files, even if the
superprivileged 'desktop-launch' interface is connected.
To allow this specific case, a temporary patch (
https://github.com/snapcore/snapd/pull/13933) was created and
merged, but it is clearly an ugly and not-generic solution.
For this reason, this new patch was created, following the
specification https://docs.google.com/document/d/1K-1MYhp1RKSW_jzuuyX7TSVCg2rYplKZFdJbZAupP4Y/edit
This patch allows adding "prioritized snippets". Each one has
a UID and a priority. If no prioritized snippet with the same
UID has been previously added, the new prioritized snippet will
be added like any other normal snippet. But if there is already
an added snippet with the same UID, then the priorities of both
the old and the new snippets are compared. If the new priority
is lower than the old one, the new snippet is ignored; if the
new priority is higher than the old one, the new snippet fully
replaces the old one. Finally, if both priorities are the same,
the new snippet will be appended to the old snippet.
This generic mechanism allows giving an interface priority
over others if needed, as in the case above.
* Remove slices.Contains, since it seems not to be supported
* Update interfaces/apparmor/spec.go
Co-authored-by: Zygmunt Bazyli Krynicki <me@zygoon.pl>
* Use testutils.Contains
* Replace "uid" with "key" for clarity and sanity
* Add specific type for priority keys and force registering them
* Remove unneeded return
* Use SnippetKey as type
* Don't use "slice" since MacOS seems to not support it
* Update interfaces/apparmor/spec.go
Co-authored-by: Zygmunt Bazyli Krynicki <me@zygoon.pl>
* Update interfaces/apparmor/spec.go
Co-authored-by: Zygmunt Bazyli Krynicki <me@zygoon.pl>
* Use String instead of GetValue
* Use SnippetKey as key instead of the inner string
* Update interfaces/connection.go
Co-authored-by: Zygmunt Bazyli Krynicki <me@zygoon.pl>
* Several changes requested
* Create the SnippetKeys inside Spec
* Move key registration outside Spec
This creates a centralized key registry inside apparmor module,
so keys can be registered using top variables, and any
duplicated key will produce a panic when snapd is launched,
thus just panicking in any test too.
* Added extra ways of working with SnippetKeys
* Add extra check
* Replace GetSnippetKey with GetSnippetKeys
* Update the priority code use case
A previous PR was merged with a Quick&Dirty(tm) solution to the
priority problem between unity7 and desktop-legacy interfaces
against desktop-launch interface.
Now that it has been merged, that code must be updated to the
new mechanism implemented in this PR. This is exactly what this
commit does.
* Add explanation and constants for prioritized snippets
* Fix prioritized snippet key and add test in all_test
* Several changes requested by Zygmunt Bazyli
---------
Co-authored-by: Zygmunt Bazyli Krynicki <me@zygoon.pl>
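The priority rules described in the "Add snippets with priorities" entry above (first snippet for a key is stored; lower priority ignored; higher priority replaces; equal priority appends), plus the central key registry that panics on a duplicate key, written out as a small Go model. This is an added illustration, not snapd's own `interfaces/apparmor` code; the type and function names, the `desktop-files` key and the rule strings are all constructed for the example.

```go
package main

import "sort"

// SnippetKey names a prioritized-snippet slot. Keys come from a central
// registry so that registering the same name twice panics at startup.
type SnippetKey struct{ name string }
var registeredKeys = map[string]bool{}

func RegisterSnippetKey(name string) SnippetKey {
	if registeredKeys[name] {
		panic("snippet key registered twice: " + name)
	}
	registeredKeys[name] = true
	return SnippetKey{name: name}
}

// Hypothetical key for the slot that desktop-legacy and desktop-launch compete for.
var DesktopFilesKey = RegisterSnippetKey("desktop-files")

type prioritizedSnippet struct {
	priority int
	bodies   []string
}

// Spec is a simplified stand-in for snapd's apparmor Spec (prioritized part only).
type Spec struct{ prioritized map[SnippetKey]*prioritizedSnippet }

func NewSpec() *Spec { return &Spec{prioritized: map[SnippetKey]*prioritizedSnippet{}} }

// AddPrioritizedSnippet applies the three rules: the first snippet for a key is
// stored; a lower priority is ignored; a higher one replaces; an equal one appends.
func (s *Spec) AddPrioritizedSnippet(body string, key SnippetKey, priority int) {
	cur, ok := s.prioritized[key]
	switch {
	case !ok:
		s.prioritized[key] = &prioritizedSnippet{priority: priority, bodies: []string{body}}
	case priority < cur.priority:
		// ignored: a more privileged interface already owns this key
	case priority > cur.priority:
		cur.priority, cur.bodies = priority, []string{body}
	default:
		cur.bodies = append(cur.bodies, body)
	}
}

// Snippets returns the surviving snippet bodies in key order, so the profile
// text generated from them is deterministic.
func (s *Spec) Snippets() []string {
	keys := make([]SnippetKey, 0, len(s.prioritized))
	for k := range s.prioritized {
		keys = append(keys, k)
	}
	sort.Slice(keys, func(i, j int) bool { return keys[i].name < keys[j].name })
	var out []string
	for _, k := range keys {
		out = append(out, s.prioritized[k].bodies...)
	}
	return out
}
```

With a deny rule added at priority 1 (desktop-legacy) and an allow rule at priority 2 (desktop-launch) under the same key, only the allow rule survives, which is exactly the outcome the entry asks for.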
Some applications, like real-time ones, often need to control the CPU C-state,
which is a capability that makes sense to add to the cpu-control interface.
- add: AppArmor rule to access the cpu_dma_latency device node.
- add: udev rule to allow access to the cpu_dma_latency device node.
- add: unit test for udev rule
see: https://docs.kernel.org/power/pm_qos_interface.html#pm-qos-framework
Signed-off-by: Lincoln Wallace <lincoln.wallace@canonical.com>
* o/ifacestate: fix typo
Signed-off-by: Alex Lewontin <alex.lewontin@canonical.com>
* o/ifacestate: autoconnection checking should not be task-bound
Signed-off-by: Alex Lewontin <alex.lewontin@canonical.com>
* o/ifacestate: update static attrs based on {auto,}connection policy
Signed-off-by: Alex Lewontin <alex.lewontin@canonical.com>
* tests: add spread test for static attr updating
Signed-off-by: Alex Lewontin <alex.lewontin@canonical.com>
* tests: add shared-memory static-attr update test
Signed-off-by: Alex Lewontin <alex.lewontin@canonical.com>
* o/ifacestate: add tests for policy-driven static attr updates
Signed-off-by: Alex Lewontin <alex.lewontin@canonical.com>
* o/ifacestate: simplify state error handling when reloading connections
Signed-off-by: Alex Lewontin <alex.lewontin@canonical.com>
* Revert "o/ifacestate: simplify state error handling when reloading connections"
This reverts commit d3f67c67e22b463b994a13f50064cef551e86686.
* o/i: restore DeviceCtx on cleanup
Signed-off-by: Alex Lewontin <alex.lewontin@canonical.com>
* o/ifacestate: simpler state handling when reloading connections
Signed-off-by: Alex Lewontin <alex.lewontin@canonical.com>
* o/ifacestate: also check AutoConnect method when doing policy based
reloading
Signed-off-by: Alex Lewontin <alex.lewontin@canonical.com>
* o/i: use new Sequence helpers in test
Signed-off-by: Alex Lewontin <alex.lewontin@canonical.com>
* o/ifacestate: add missing appset parameter
* tests/main/upgrade-from-2.15: kill the test
The test is no longer useful. The oldest version we have in any distribution is
2.38 in Trusty, see https://launchpad.net/snapd/+packages but also 2.15 is very
ancient and completely unsupported at this time.
Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>
* overlord: update managers test to account for preserved plug static attributes
Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>
* tests/main/interface-static-attrs-update-on-refresh: clean up after the test
Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>
---------
Signed-off-by: Alex Lewontin <alex.lewontin@canonical.com>
Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>
Co-authored-by: Philip Meulengracht <the_meulengracht@hotmail.com>
Co-authored-by: Maciej Borzecki <maciej.borzecki@canonical.com>
cdf5cfd47b Remove centos-7 support
f3996cc3fa change the spread label
1e309f41c6 change how legacy parameter is determine in remote.pull
c43c35f7e3 run remote refresh and wait-for for xenial (skip bionic)
5262d30da7 make sure the test jobs are executed in runners with the spread label
cb74259b7a add openstack systems
0b41fd40d3 fix tests.pkgs on arch-linux
558e109793 run fedora-40 spread tests in openstack
6f6187416d fix list implementation
b4a5439c9b added more type annotations to log_helper
58da1e36c3 mypy cleaned
1ff651e680 update wording of remote.pull
18615b1667 just use scp -O when ssh version is -ge 9
cc68c9868b Added type annotations for log-filter
66f90d10cd Adding -O to scp command to make it compatible in uc24 tests
496cb7b5b3 removing support for centos-8
f2eef30db4 Updated the log helper and log parser
5a375ebf73 Formatting for python utils
d3eed3faa5 fix codespell in CODE_OF_CONDUCT.md
18bcca6b14 new log helper
d60381fcd9 add run number to filtered filename
5dde2d67b8 consider the tests execution in main
6b9a3aabcc change filtered log name
b2756aa579 default file is .filtered.log
500b9dace4 Fix tests workflow
45db26a3d2 fix shellcheck error in log-filter
fe45c27b7d create a var to store filter params
5a9b66d7dc filter spread results
51f9b055af New tool used to filter the spread.log output
b8d20c1d5b fix snaps.name test with correct suffix spelling
f640ac72e3 Add missing test details
f0754df304 Filter the error and debug output in log-parser
fc10196efd Add suggestions to details
94ac5ffe58 Add details on tests
501578c719 add more checks in os.query to check is-core_xx
e8929207ff fix os-query for ubuntu comparing with core
226114641f os.query won't check SPREAD_SYSTEM anymore to compare core systems
b89ec98b23 use local variables in os.query tool
dacfd81de9 fix is_core functions
1db5214d5f Improve the remote docs (#36)
2e4a3153a2 1 more comment
3a0fc57e1e add explanation about why we check for ( Do | Doing )
4cf8e635bf fix os.query test after merge
b89b4f8647 fix artifacts name
d30cee6da0 Merge remote-tracking branch 'upstream/main'
5ef5dcbe8f Tests use artifacts in spread tests (#51)
555c43d2ab Support auto-refresh with Do instead of Doing
96c2b0c19c remove tests support for ubuntu 23.04 (EoL)
74082c0c34 Tests improve remote wait (#49)
5121bfb659 remove support for opensuse leap 15.4 (#48)
30df700d08 Add new systems support (#47)
1f08938925 Support check amazon linux version (#46)
43533bdd97 Change the exit value checking for test formats (#45)
3c88244c04 Update check-test-format to support a dir and a list of files (#44)
510d95f429 add extra check for error in auto-refresh detection function
3289d4031b Try open the log with latin-1 encoding when utf-8 is not working
9db785499f improved how the tools are waiting for system reboot
2a5c4414a3 fix shellcheck errors
5e7b63883d Fixes for osquery and tests pkgs (#43)
4c9145e2ac support reboot waiting for auto-refresh
45768f5188 show changes in unknown status after refresh
8013c30c2a Remove support for ubuntu 22.10
b32b80bf54 Fix remote.wait-for test in bionic
5675c625e9 Enable fedora 38
55f4471957 Support for new oss
f2e88b357c New tool used to query spread json reports
cacd35ede0 utils/spread-shellcheck: explain disabled warnings (#42)
c82afb2dee Support --no-install-recommends parameter when installing dependencies with tests.pkgs
b84eea92e2 spread-shellcheck: fix quotes in environment variables (#41)
ab1e51c29f New comparison in os-query for core systems (#40)
e5ae22a5d4 systemd units can be overwritten
63540b845a Fix error messages in remote pull and push
75e8a426a5 make sure the unit is removed in tests.systemd test
9089ff5c02 Update tests to use the new tests.systemd stop-unit
44ecd5e56a Move tests.systemd stop-units to stop-unit
01a2a83b4b Update tests.systemd to have stop units as systemd.sh
162e93bd35 update tests.systemd CLI options to be the same than retry command
14aa43a405 new feature to re-run failed spread tests (#39)
604cb782db Fix shellcheck in systemd tool
bfc71082c8 Update the tests.systemd to allow parameters waiting for service status
8a2d0a99df Adding quiet tool and removing set +-x from tests.pkgs
d90935d2a4 A comment explaining about the default values for wait-for
3232c5dba7 Add support for ubuntu 23.04
a7164fba07 remove fedora 35 support, add fedora 37 support
89b9eb5301 Update systems supported
92bb6a0664 Include snap-sufix in the snaps.name tool
git-subtree-dir: tests/lib/external/snapd-testing-tools
git-subtree-split: cdf5cfd47b4b9d528ab4544c1d6900dec797fbf2
* tests: remove support for centos-7
Centos-7 is EOL since June 30
Signed-off-by: Sergio Cazzolato <sergio.cazzolato@canonical.com>
* update the release_tst.go with the real centos 9 info
---------
Signed-off-by: Sergio Cazzolato <sergio.cazzolato@canonical.com>
* sandbox/apparmor: add GenerateAAREExclusionPatterns
This function is generic (and complex) enough to be able to handle all of the
overlapping and wildcard behavior we need in docker-support, and it could also
serve to replace numerous other places in the codebase where we need this sort
of complex behavior. It is a generalization of the existing
aareExclusionPatterns helper, though it's actually unclear if this exact
implementation will currently be able to serve the use case from that helper
directly or if more options/adjustments are needed to enable that use case as
well.
To keep the diff smaller, this patch does not actually change any of the
profiles/interfaces, just TODO's are left for where to use it.
Note that the generated rules are slightly more condensed in terms of number of
rules but significantly more verbose in terms of alternations, not sharing more
of repeated substrings between alternations inside the patterns. This was done
explicitly to keep the generating code simpler and easier to understand, but it
may prove to have performance effects, either detrimental or benevolent but
that should be measured before deciding to make the generation code even more
complex than it already is.
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
* interfaces/docker-support: generate AARE exclusion patterns with helper func
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
* sandbox/apparmor: unexport helper functions
These were not meant to be exported, only the fully generic one is meant to be
exported.
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
* sandbox/apparmor: fix bug mis-sorting capitalized letters in AARE exclude patt
Thanks to Alberto for spotting this :-)
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
* sandbox/apparmor: fix format issues introduced during rebase
* sandbox/apparmor: simplify generateAAREExclusionPatternsGenericImpl
* sandbox/apparmor: add checks for unsupported cases and improve documentation
* sandbox/apparmor: update tests to compare the apparmor binary instead of source
* interfaces/builtin/docker_support: check if userns is supported before adding it to the profile
* interfaces/builtin/docker_support: fix dependencies
* sandbox/apparmor: use placeholders
* i/b/docker_support_test: update TestGenerateAAREExclusionPatterns to use SnapAppSet
* testutil/apparmor: use go crypto/sha1 module instead of system sha1sum command
* {sandbox,testutil}/apparmor: minor format fixes
* move helper to find common prefix to strutil
* add copyright info
* use string builder
* i/b/docker_support_test.go: update accordingly to 277fbc266e (many: add components to interfaces.SnapAppSet (#13837))
* strutil/commonprefix.go: remove extra empty line
* sandbox/apparmor/apparmor.go: sort prefixes to ensure profile is always the same
* sandbox/apparmor/apparmor.go: remove extra empty line
* i/b/docker_support_test: skip TestGenerateAAREExclusionPatterns if apparmor_parser is not usable
---------
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
Co-authored-by: Ian Johnson <ian.johnson@canonical.com>
Adds registry support to `snapctl get` so snaps can access registry
views, if they have a matching connected plug for the view and if the
registry assertion can be found.
Signed-off-by: Miguel Pires <miguel.pires@canonical.com>
* o/hookstate/ctlcmd: queue service command if run from default-configure hook
Queue "snapctl restart ..." and "snapctl start ..." commands to be run after
default-configure, similar to the configure hook. This is to avoid a problem where
the service doesn't see a new value if it uses "snapctl get ...", because it's
still not committed by the default-configure hook.
Fixes: https://bugs.launchpad.net/snapd/+bug/2047949
Signed-off-by: Zeyad Gouda <zeyad.gouda@canonical.com>
* o/hookstate/ctlcmd: refactor TestQueuedCommands into two tests
And add comments explaining the tasks' relative order.
Signed-off-by: Zeyad Gouda <zeyad.gouda@canonical.com>
* o/hookstate/ctlcmd: fix typo in TestQueuedCommandsDefaultConfigureHook
Signed-off-by: Zeyad Gouda <zeyad.gouda@canonical.com>
* o/hookstate/ctlcmd: inject default-configure hook commands after start-snap-services
Signed-off-by: Zeyad Gouda <zeyad.gouda@canonical.com>
* o/hookstate/ctlcmd: fix queuing commands for default-configure hook
Multiple snaps could be installed in a single transaction
where all snap tasksets are in a single lane.
The old simplistic approach of looking up the first
"start-snap-services" fails when we have multiple
tasks for multiple snaps in the same lane.
A test is added to trigger this corner case, and the fix
just checks the snap name associated with the "start-snap-services"
tasks.
Signed-off-by: Zeyad Gouda <zeyad.gouda@canonical.com>
* o/hookstate/ctlcmd: explain why configure hook is not tested for single transaction
Signed-off-by: Zeyad Gouda <zeyad.gouda@canonical.com>
---------
Signed-off-by: Zeyad Gouda <zeyad.gouda@canonical.com>
Add a debug command to execute raw queries to the snapd API. This is useful when
trying to query snapd endpoints directly, but curl or a similar tool is not
available.
Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>