* sandbox/apparmor: add GenerateAAREExclusionPatterns
This function is generic (and complex) enough to be able to handle all of the
overlapping and wildcard behavior we need in docker-support, and it could also
serve to replace numerous other places in the codebase where we need this sort
of complex behavior. It is a generalization of the existing
aareExclusionPatterns helper, though it's actually unclear if this exact
implementation will currently be able to serve the use case from that helper
directly or if more options/adjustments are needed to enable that use case as
well.
To keep the diff smaller, this patch does not actually change any of the
profiles/interfaces, just TODOs are left for where to use it.
Note that the generated rules are slightly more condensed in terms of number of
rules but significantly more verbose in terms of alternations, not sharing more
of repeated substrings between alternations inside the patterns. This was done
explicitly to keep the generating code simpler and easier to understand, but it
may prove to have performance effects, either detrimental or benevolent, but
that should be measured before deciding to make the generation code even more
complex than it already is.
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
* interfaces/docker-support: generate AARE exclusion patterns with helper func
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
* sandbox/apparmor: unexport helper functions
These were not meant to be exported, only the fully generic one is meant to be
exported.
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
* sandbox/apparmor: fix bug mis-sorting capitalized letters in AARE exclude patt
Thanks to Alberto for spotting this :-)
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
* sandbox/apparmor: fix format issues introduced during rebase
* sandbox/apparmor: simplify generateAAREExclusionPatternsGenericImpl
* sandbox/apparmor: add checks for unsupported cases and improve documentation
* sandbox/apparmor: update tests to compare the apparmor binary instead of source
* interfaces/builtin/docker_support: check if userns is supported before adding it to the profile
* interfaces/builtin/docker_support: fix dependencies
* sandbox/apparmor: use placeholders
* i/b/docker_support_test: update TestGenerateAAREExclusionPatterns to use SnapAppSet
* testutil/apparmor: use go crypto/sha1 module instead of system sha1sum command
* {sandbox,testutil}/apparmor: minor format fixes
* move helper to find common prefix to strutil
* add copyright info
* use string builder
* i/b/docker_support_test.go: update accordingly to 277fbc266e (many: add components to interfaces.SnapAppSet (#13837))
* strutil/commonprefix.go: remove extra empty line
* sandbox/apparmor/apparmor.go: sort prefixes to ensure profile is always the same
* sandbox/apparmor/apparmor.go: remove extra empty line
* i/b/docker_support_test: skip TestGenerateAAREExclusionPatterns if apparmor_parser is not usable
---------
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
Co-authored-by: Ian Johnson <ian.johnson@canonical.com>
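To make the "exclusion pattern" idea concrete, here is an added example that is not the snapd function from the commit above: it generates AppArmor AARE globs whose union matches everything under `/` except a list of excluded directory prefixes. Excluded prefixes are inserted into a small trie so that prefixes sharing a leading substring are covered by one negated character class (the overlapping case the commit mentions), children are visited in byte order so the output is deterministic, and a shorter excluded prefix takes precedence over a longer one beneath it. The function name, the trie, and the restriction to plain path characters are this example's own simplifications; wildcards inside the excluded prefixes are not handled.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// trieNode holds one character of an excluded path prefix. Prefixes that share
// a leading substring share nodes, so a single negated character class such as
// "[^ny]" can cover several excluded subtrees at once instead of producing
// overlapping rules.
type trieNode struct {
	children map[byte]*trieNode
	terminal bool // an excluded prefix ends at this node
}

func newTrieNode() *trieNode {
	return &trieNode{children: map[byte]*trieNode{}}
}

// isPlainPathByte limits this example to characters that are literal inside an
// AARE character class; paths containing anything else are rejected rather
// than emitted unescaped (an assumption of this example, not an AppArmor rule).
func isPlainPathByte(c byte) bool {
	return c == '/' || c == '.' || c == '_' ||
		(c >= '0' && c <= '9') || (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
}

// AAREExclusionPatterns returns AppArmor path globs whose union matches every
// path below "/" except the excluded prefixes (and everything under them).
// Each rule fixes one more character of an excluded prefix and negates the
// next one, so no rule ever matches inside an excluded subtree.
func AAREExclusionPatterns(excluded []string) ([]string, error) {
	if len(excluded) == 0 {
		return []string{"/**"}, nil
	}
	root := newTrieNode()
	for _, p := range excluded {
		p = strings.TrimSuffix(p, "/")
		if !strings.HasPrefix(p, "/") || len(p) < 2 {
			return nil, fmt.Errorf("excluded prefix %q must be an absolute path below /", p)
		}
		node := root
		for i := 1; i < len(p); i++ {
			c := p[i]
			if !isPlainPathByte(c) {
				return nil, fmt.Errorf("unsupported character %q in excluded prefix %q", c, p)
			}
			if node.terminal {
				break // a shorter excluded prefix already covers this one
			}
			child, ok := node.children[c]
			if !ok {
				child = newTrieNode()
				node.children[c] = child
			}
			node = child
		}
		node.terminal = true
	}
	var rules []string
	emit("/", root, &rules)
	return rules, nil
}

// emit walks the trie depth-first, producing one rule per node. Children are
// visited in byte order so the generated profile text is always the same.
func emit(prefix string, n *trieNode, out *[]string) {
	if n.terminal {
		// Siblings such as /snapfoo stay allowed; the excluded prefix itself
		// and anything below it are matched by no rule at all.
		*out = append(*out, prefix+"[^/]**")
		return
	}
	keys := make([]byte, 0, len(n.children))
	for c := range n.children {
		keys = append(keys, c)
	}
	sort.Slice(keys, func(i, j int) bool { return keys[i] < keys[j] })
	*out = append(*out, prefix+"[^"+string(keys)+"]**")
	for _, c := range keys {
		emit(prefix+string([]byte{c}), n.children[c], out)
	}
}

func main() {
	// Constructed input: allow everything except /sys and /snap.
	rules, err := AAREExclusionPatterns([]string{"/sys", "/snap"})
	if err != nil {
		panic(err)
	}
	for _, r := range rules {
		fmt.Printf("%s rwk,\n", r)
	}
}
```

For the input `/sys` and `/snap` the output is seven rules, starting with `/[^s]**` and `/s[^ny]**`; the second rule is where the shared `s` prefix collapses two exclusions into one character class. Whether a list of short, verbose rules like this is cheaper for the AppArmor parser than fewer rules with long alternations is exactly the measurement the commit above says is still to be done.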
Replace ioutil.WriteFile with os.WriteFile since the former has been
deprecated since go1.16 and simply calls the latter.
Signed-off-by: Miguel Pires <miguel.pires@canonical.com>
Add an IsInterfaceNil checker that ensures both a variable's type and
value are nil. This is useful to prevent returned errors with non-nil
types from being compared to a nil value with a nil type (since the
compiler can't tell that the other variable is not nil typed), resulting
in the check failing.
Signed-off-by: Miguel Pires <miguel.pires@canonical.com>
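The pitfall this checker guards against is worth seeing in code. The following is an added example, not the snapd `IsInterfaceNil` checker itself: `lookup` leaks a typed nil pointer into the `error` interface, so the usual `err != nil` test reports an error that never happened (a check that silently fails the other way is just as dangerous, since an error path can be skipped). `isInterfaceNil` is a reflect-based stand-in with an assumed name and signature, and `lookupFixed` shows the return shape that avoids the problem.

```go
package main

import (
	"fmt"
	"reflect"
)

// lookupError is a custom error type; its pointer form is what ends up stored
// in the error interface below.
type lookupError struct{ key string }

func (e *lookupError) Error() string { return "lookup failed for " + e.key }

// lookup shows the pitfall: on success it returns a nil *lookupError, but the
// caller receives an error interface whose dynamic type is *lookupError and
// whose value is nil, and such an interface compares unequal to nil.
func lookup(key string, table map[string]string) (string, error) {
	var err *lookupError
	v, ok := table[key]
	if !ok {
		err = &lookupError{key: key}
	}
	return v, err // typed nil escapes into the interface when ok is true
}

// lookupFixed returns an untyped nil on success, so err == nil works as expected.
func lookupFixed(key string, table map[string]string) (string, error) {
	v, ok := table[key]
	if !ok {
		return "", &lookupError{key: key}
	}
	return v, nil
}

// isInterfaceNil reports whether v is nil either as an untyped interface value
// or as a nil value of a nillable kind (pointer, map, slice, channel, func)
// stored inside the interface. Name and behaviour are this example's own.
func isInterfaceNil(v interface{}) bool {
	if v == nil {
		return true
	}
	rv := reflect.ValueOf(v)
	switch rv.Kind() {
	case reflect.Ptr, reflect.Map, reflect.Slice, reflect.Chan, reflect.Func, reflect.UnsafePointer:
		return rv.IsNil()
	}
	return false
}

// naiveCheckSaysError mirrors the usual "err != nil" test a caller would write.
func naiveCheckSaysError(err error) bool { return err != nil }

func main() {
	table := map[string]string{"present": "x"} // constructed sample data
	_, err := lookup("present", table)
	fmt.Println("err != nil:", naiveCheckSaysError(err)) // true, although no error occurred
	fmt.Println("isInterfaceNil:", isInterfaceNil(err)) // true
	_, err = lookupFixed("present", table)
	fmt.Println("fixed err != nil:", naiveCheckSaysError(err)) // false
}
```

In a test, comparing the typed-nil `err` against a plain `nil` with an equality checker fails for the same reason, which is why a dedicated nil-ness check that looks at both type and value is useful.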
Go 1.19 includes some changes to gofmt which intend to make lists and
headings clearer when rendered (https://go.dev/doc/go1.19). This commit
is the result of running the new gofmt and manually fixing some of it.
This was necessary because the new gofmt assumed lines beginning w/ tabs
to start lists or examples. While this is often true in our codebase,
we occasionally also use tabs to indent the lines after a TODO or FIXME
prefix or in yaml (e.g., excerpts of a snap.yaml). This meant that a lot of the
reformatted comments were broken and had to be fixed manually.
Signed-off-by: Miguel Pires <miguel.pires@canonical.com>
Only top-level containers were matched in an unsorted way and maps
were compared with reflect.DeepEqual. Now map values are also "unsorted
matched" so values like map[string][]string can be compared regardless
of order even with nesting. Note that containers nested in slices or
arrays are still compared in the normal way.
Signed-off-by: Miguel Pires <miguel.pires@canonical.com>
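The comparison rule described above (order ignored at the top level and inside map values, but not inside slice elements) is easy to get subtly wrong, so here is an added example that reimplements it from scratch; it is not the snapd `DeepUnsortedMatches` checker, and the function names are assumed. Slices and arrays are compared as multisets, so duplicates count, maps are compared key by key with the rule applied recursively to each value, and anything else falls back to `reflect.DeepEqual`.

```go
package main

import (
	"fmt"
	"reflect"
)

// DeepUnsortedMatches reports whether a and b hold the same values when the
// order of elements in top-level slices/arrays, and in slices/arrays stored as
// map values, is ignored. Map values are compared with the same rule, so
// map[string][]string matches regardless of order. Elements inside a slice are
// compared with reflect.DeepEqual, so a container nested inside a slice
// element is still order-sensitive.
func DeepUnsortedMatches(a, b interface{}) bool {
	return unsortedMatches(reflect.ValueOf(a), reflect.ValueOf(b))
}

func unsortedMatches(va, vb reflect.Value) bool {
	if !va.IsValid() || !vb.IsValid() {
		return va.IsValid() == vb.IsValid() // both untyped nil, or neither
	}
	if va.Type() != vb.Type() {
		return false
	}
	switch va.Kind() {
	case reflect.Slice, reflect.Array:
		return multisetEqual(va, vb)
	case reflect.Map:
		if va.Len() != vb.Len() {
			return false
		}
		for _, key := range va.MapKeys() {
			other := vb.MapIndex(key)
			if !other.IsValid() || !unsortedMatches(va.MapIndex(key), other) {
				return false
			}
		}
		return true
	default:
		return reflect.DeepEqual(va.Interface(), vb.Interface())
	}
}

// multisetEqual pairs every element of a with a distinct, DeepEqual element of
// b, so [1 1 2] does not match [1 2 2].
func multisetEqual(a, b reflect.Value) bool {
	if a.Len() != b.Len() {
		return false
	}
	used := make([]bool, b.Len())
	for i := 0; i < a.Len(); i++ {
		found := false
		for j := 0; j < b.Len() && !found; j++ {
			if !used[j] && reflect.DeepEqual(a.Index(i).Interface(), b.Index(j).Interface()) {
				used[j] = true
				found = true
			}
		}
		if !found {
			return false
		}
	}
	return true
}

func main() {
	// Constructed sample: same content, different order at both levels.
	a := map[string][]string{"x": {"1", "2"}, "y": {"b", "a"}}
	b := map[string][]string{"y": {"a", "b"}, "x": {"2", "1"}}
	fmt.Println("DeepEqual:", reflect.DeepEqual(a, b))        // false
	fmt.Println("DeepUnsortedMatches:", DeepUnsortedMatches(a, b)) // true
}
```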
Two generic mocking helpers have been added:
- testutil.MockAny() - allows mocking of any mutable object with a compliant substitute,
  it also returns a restore function that shall be called to restore the original value
- testutil.(*BaseTest).MockAny() - allows mocking of any mutable object with a compliant substitute,
  unlike the API above, this one takes care of restoring the original value on its own
Signed-off-by: Arseniy Aharonov <arseniy.aharonov@canonical.com>
Minor changes ensuring unset SNAPD_DEBUG to avoid test failures when run with SNAPD_DEBUG=1.
Added support in test.yaml for unit tests with SNAPD_DEBUG=1 to be re-run to avoid regressions.
This is useful when comparing more complex structures from external packages,
when the structures may have unexported fields that would otherwise be picked up
by check.DeepEquals.
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
The FileEquals checker can verify that the file content is equal to strings,
byte slices or something that implements fmt.Stringer. Extend the functionality
to allow checking that file contents are the same as of a reference file.
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
The standard session bus configuration searches for service activation
files found in /usr/share/dbus-1/services, and may load other custom
local configuration. This could cause the test suite to spawn arbitrary
services installed on the system.
By using a custom daemon configuration file, without this servicedir
configuration, we ensure that tests using the fixture only see names
provided by the test suite.
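An example of such a locked-down session bus configuration, added here and not copied from the snapd test fixture (whose exact file is not on this page): it is the standard session bus policy with the service directory lookups removed, so the daemon can only see names that the test itself claims. The socket address is an assumption.

```xml
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <type>session</type>

  <!-- Private socket for the test run; the daemon reports the concrete
       address when started with its print-address option. -->
  <listen>unix:tmpdir=/tmp</listen>

  <!-- Deliberately absent: <standard_session_servicedirs/>, any explicit
       <servicedir>/usr/share/dbus-1/services</servicedir>, and the
       <include> lines that pull in local session.d overrides. Without them
       the bus has no activation files and cannot spawn services installed
       on the host. -->

  <policy context="default">
    <allow send_destination="*" eavesdrop="true"/>
    <allow eavesdrop="true"/>
    <allow own="*"/>
  </policy>
</busconfig>
```

The permissive default policy is unchanged from the stock session configuration; isolation here comes from the missing service directories, not from the policy block.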
When not using gccgo, the value of runtime.Compiler is "gc" not "go".
Thanks to @niemeyer for spotting this.
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
Add three checkers relevant for examining symbolic links:
- SymlinkTargetEquals checks for a fixed target
- SymlinkTargetContains checks for a substring
- SymlinkTargetMatches checks for a regular expression
They are modelled after FileContentsChecker but implement fewer
variants as symbolic link targets are usually short strings.
Signed-off-by: Zygmunt Krynicki <me@zygoon.pl>