* interface/seccomp: add socket AF_QIPCRTR
AF_QIPCRTR (Qualcomm IPC router protocol) is used to communicate
with services provided by other hardware blocks in the system.
Snaps that access some Qualcomm hardware components need this protocol.
Signed-off-by: Robert Liu <robert.liu@canonical.com>
* snap-seccomp: add AF_QIPCRTR and PF_QIPCRTR
Signed-off-by: Robert Liu <robert.liu@canonical.com>
* interfaces/builtin: add qrtr
Signed-off-by: Robert Liu <robert.liu@canonical.com>
* interfaces/builtin/qrtr: limit type to sock_dgram only
Signed-off-by: Robert Liu <robert.liu@canonical.com>
* interfaces/builtin/qualcomm-ipc-router: rename from qrtr and add more details
Signed-off-by: Robert Liu <robert.liu@canonical.com>
* interfaces/builtin/qualcomm-ipc-router: update tests
Signed-off-by: Robert Liu <robert.liu@canonical.com>
* sandbox/apparmor: support checking for network qipcrtr dgram parser feature
This is not a required or even preferred feature at this time, it will just be
used by one specific interface for checking. Eventually it should become a
proper feature that is queried / included in the system-key perhaps, etc. but
the rest of the machinery for this is not available yet.
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
* interfaces/qualcomm-ipc-router: only perform the conn if the parser supports it
If the apparmor_parser on the system doesn't support the qipcrtr-socket
feature, then we shouldn't proceed with the connection of the apparmor plug.
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
* interfaces/apparmor: expose the apparmor sandbox features through Specification
This allows interfaces to specialize their policy or behavior based on what
features are available in both the parser and the kernel.
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
* interfaces/qualcomm-ipc-router: adjust implementation to use spec.Features()
This is the better way where the individual interface doesn't need to import
the sandbox directly and can instead get the features from the specification.
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
* cmd/snap-seccomp: address gofmt for 1.13
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
* tests/interfaces-many-core-provided: check on xenial, qualcomm-ipc-router fails
This interface does not work on xenial, so we should get an error message
trying to connect it.
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
* interfaces: rename MockSetFeatures -> MockFeatures
Thanks to Samuele for the suggestion.
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
* interfaces/qualcomm-ipc-router: drop redundant dgram from rule
Thanks to Alex for pointing this out.
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
* snap-seccomp: import "github.com/mvo5/libseccomp-golang" without the "seccomp" prefix to avoid breaking the debian-sid patch
* tests: fix skip on 16.04 for qualcomm-ipc-router
* interfaces/repo: add comment about issue with AppArmorConnectedPlug failures
Explain a potential issue we are running into with the current state of the
qualcomm-ipc-router interface.
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
* interfaces/qualcomm-ipc-router: switch to BeforePreparePlug based impl
Use BeforePreparePlug instead of AppArmorConnectedPlug since
AppArmorConnectedPlug returning non-nil error leads to an inability to process
other connection changes for that snap until snapd is restarted.
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
* Revert "interfaces/apparmor: expose the apparmor sandbox features through Specification"
This reverts commit bff6b6b2b5c62349e2605c199241c97a61ba6cb3.
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
* interfaces/qualcomm-ipc-router: switch to using BeforeConnectPlug
BeforePreparePlug is actually run just when a plug is declared, not necessarily
when the plug is going to be connected. For qualcomm-ipc-router, we want to
reject the connection, not necessarily the plug by itself.
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
* interfaces/builtin/qualcomm-ipc-router: fix method args to match interface
Also need to adjust the new interfaces.BeforeConnectPlug helper which tests
this as it was using the wrong type as well.
Thanks to Samuele for finding this.
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
* tests/main/interfaces-many-core-provided: fix if check for xenial to add UC16
Xenial and Ubuntu Core 16 suffer from the same problem so they both need to be
considered in this check.
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
Co-authored-by: Ian Johnson <ian.johnson@canonical.com>
Co-authored-by: Michael Vogt <mvo@ubuntu.com>
Co-authored-by: Tsunghan Liu (Robert Liu) <robert.liu@canonical.com>
Co-authored-by: Ian Johnson <ian.johnson@canonical.com>
* Special-case system-files and force refreshing its static attributes on
reloadConnections. Fixes LP: #1942266
* tests/regression: add regression test for LP #1942266
This test currently fails.
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
* Incorporate spread test from Ian.
* Rename snap files to be consistent with snap name.
* Add extra test check
Co-authored-by: Ian Johnson <person.uwsome@gmail.com>
* tests/regression/lp-1942266: don't run on systems w/o apparmor
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
Co-authored-by: Ian Johnson <ian.johnson@canonical.com>
Co-authored-by: Ian Johnson <person.uwsome@gmail.com>
Shellcheck complains:
```
ERROR:root:tests/main/services-install-hook-can-run-svcs/task.yaml: section 'execute':
In - line 5:
sed ./test-snapd-install-hook-runs-svc/meta/hooks/install.in -e s/%%FLAGS%%/$FLAGS/ > ./test-snapd-install-hook-runs-svc/meta/hooks/install
^----^ SC2086: Double quote to prevent globbing and word splitting.
Did you mean:
sed ./test-snapd-install-hook-runs-svc/meta/hooks/install.in -e s/%%FLAGS%%/"$FLAGS"/ > ./test-snapd-install-hook-runs-svc/meta/hooks/install
For more information:
https://www.shellcheck.net/wiki/SC2086 -- Double quote to prevent globbing ...
ERROR:root:validation failed for the following files:
- tests/main/services-install-hook-can-run-svcs/task.yaml
```
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
* interfaces/interfaces/ion-memory-control: add: add interface for Android ION memory allocator
Signed-off-by: Ondrej Kubik <ondrej.kubik@canonical.com>
* tests: add ion-memory-control to snap.yaml and base decl tests
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
* interfaces/interfaces/ion-memory-control: adding reference url about ion to the apparmor snippet
Signed-off-by: Ondrej Kubik <ondrej.kubik@canonical.com>
Co-authored-by: Ian Johnson <ian.johnson@canonical.com>
The new and the older shellcheck versions disagree about the
nature of the echo -e warning. New shellcheck warns with SC3037
and old with SC2039. The old shellcheck runs when in the
tests/unit/go spread test and the new in GH actions. Given that
this is the only instance where this is a problem this commit just
makes shellcheck ignore both the old and the new code for the issue.
This was merged as part of #10443 [1] but because it got squashed
we need the isolated fix for 2.51.
[1] bd730fd49c
* many: shellcheck fixes
We got a new shellcheck in "edge" and it seems this broke master.
This commit adds the required fixes.
* tests: update `shellcheck disable=SC3037` for echo -e
We want to keep the `echo -e` - using printf is not cleaner and
also results in a shellcheck warning. We already had a shellcheck
disable that seems to have been changed with the new version of
shellcheck. So this commit updates it to the new SC3037 value.
The snapd snap does not yet specify a base, so it is no longer buildable with
snapcraft 5.x, which drops support for baseless and base: core snaps.
Instead, use 4.x channel of snapcraft which does still support this scenario.
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
We do not yet have tests.nested on release/2.51, so revert this test for that
branch to use the old commands.
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
* tests/lib/store.sh: allow adding extra bits to snap-declaration via opts
This is needed in order to customize the snap-declaration with i.e. plugs or
slots or other special things granted through the snap-declaration assertion to
the snap.
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
* tests/lib/nested.sh: add NESTED_FAKESTORE_SNAP_DECL_PC_GADGET env var
This is used to add special extra custom snap-declaration bits to the declaration
for tests which use the fakestore but need extra permissions to do things in
hooks or services for the gadget snap.
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
* o/devicestate/handlers_install.go: add workaround to create dirs for install
For UC20 install mode, we have devices which need to install files into the run
mode system before rebooting into install mode. The temporary solution designed
for this was to use the install-device hook with system-files providing write
access to the /run/mnt/ubuntu-data/system-data/_writable_defaults/... directory
where ubuntu-data is mounted during install mode. That seemed to work fine in
devmode, but the issue in strict mode is that system-files only grants
permissions to create that specific file, it doesn't grant permission to create
any of the parent directories the file lives in.
So, temporarily for this device to be released and shipped, create those
directories at the end of the setup-run-system task, which runs before the
install-device hook, thus ensuring that the hook is successful.
Also add a spread test for this situation.
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
* tests/core20-install-device-file-install-via-hook-hack: also check dir perms
As suggested by Samuele, also check the permissions of the directories that we
are creating here.
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
Restore the default behaviour of acking the newly created assertions by
default, but add a --noack option to prevent this from happening. Use
this option in the nested tests.
```
2021-07-15T15:56:05.7126628Z + nested_exec 'cloud-init status --wait'
2021-07-15T15:56:05.7128190Z + sshpass -p ubuntu ssh -p 8022 -o ConnectTimeout=10 -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no user1@localhost 'cloud-init status --wait'
2021-07-15T15:56:05.7129863Z Warning: Permanently added '[localhost]:8022' (ECDSA) to the list of known hosts.
2021-07-15T15:56:05.7130784Z ...Traceback (most recent call last):
2021-07-15T15:56:05.7131722Z File "/usr/bin/cloud-init", line 11, in <module>
2021-07-15T15:56:05.7132688Z load_entry_point('cloud-init==21.2', 'console_scripts', 'cloud-init')()
2021-07-15T15:56:05.7133815Z File "/usr/lib/python3/dist-packages/cloudinit/cmd/main.py", line 890, in main
2021-07-15T15:56:05.7134522Z retval = util.log_time(
2021-07-15T15:56:05.7135483Z File "/usr/lib/python3/dist-packages/cloudinit/util.py", line 2348, in log_time
2021-07-15T15:56:05.7136208Z ret = func(*args, **kwargs)
2021-07-15T15:56:05.7137399Z File "/usr/lib/python3/dist-packages/cloudinit/cmd/status.py", line 60, in handle_status_args
2021-07-15T15:56:05.7138405Z status, status_detail, time = _get_status_details(init.paths)
2021-07-15T15:56:05.7139692Z File "/usr/lib/python3/dist-packages/cloudinit/cmd/status.py", line 123, in _get_status_details
2021-07-15T15:56:05.7140784Z status_v1 = load_json(load_file(status_file)).get('v1', {})
2021-07-15T15:56:05.7141944Z File "/usr/lib/python3/dist-packages/cloudinit/util.py", line 1311, in load_file
2021-07-15T15:56:05.7142911Z with open(fname, 'rb') as ifh:
2021-07-15T15:56:05.7143952Z FileNotFoundError: [Errno 2] No such file or directory: '/run/cloud-init/status.json'
```