mirror of
https://github.com/token2/snapd.git
synced 2026-03-13 11:15:47 -07:00
d58cd19ed4
* tests: add details to spread tests - part-3 This is needed to improve the spread tests documentation. * Update tests/main/catalog-update/task.yaml Co-authored-by: Miguel Pires <miguelpires94@gmail.com> * Update tests/main/cgroup-devices-v1/task.yaml Co-authored-by: Miguel Pires <miguelpires94@gmail.com> * Update tests/main/cgroup-devices-v2/task.yaml Co-authored-by: Miguel Pires <miguelpires94@gmail.com> * Update tests/main/change-errors/task.yaml Co-authored-by: Miguel Pires <miguelpires94@gmail.com> * Update tests/main/classic-confinement-not-supported/task.yaml Co-authored-by: Miguel Pires <miguelpires94@gmail.com> * Update tests/main/classic-custom-device-reg/task.yaml Co-authored-by: Miguel Pires <miguelpires94@gmail.com> * Update tests/main/interfaces-accounts-service/task.yaml Co-authored-by: Miguel Pires <miguelpires94@gmail.com> * Update tests/main/interfaces-browser-support/task.yaml Co-authored-by: Miguel Pires <miguelpires94@gmail.com> --------- Co-authored-by: Miguel Pires <miguelpires94@gmail.com>
178 lines
6.9 KiB
YAML
178 lines
6.9 KiB
YAML
summary: Check that the browser-support interface works
|
|
|
|
details: |
|
|
Verify that a snap using the browser-support interface is able to
|
|
access the various APIs needed by modern web browsers.
|
|
|
|
environment:
|
|
ALLOW_SANDBOX/allow: true
|
|
ALLOW_SANDBOX/disallow: false
|
|
OWNED_FILES:
|
|
/var/tmp/etilqs_test
|
|
/home/test/.local/share/jupyter/foo
|
|
READABLE_FILES:
|
|
/run/udev/data/+platform:test
|
|
/etc/opt/chrome/test
|
|
READABLE_WITH_SANDBOX_FILES:
|
|
/run/udev/data/c1:1-test
|
|
/run/udev/data/c10:1-test
|
|
/run/udev/data/c13:1-test
|
|
/run/udev/data/c180:1-test
|
|
/run/udev/data/c4:1-test
|
|
/run/udev/data/c5:1-test
|
|
/run/udev/data/c7:1-test
|
|
/run/udev/data/+hid:test
|
|
/run/udev/data/+input:input1-test
|
|
/run/udev/data/c29:1-test
|
|
/run/udev/data/+backlight:test
|
|
/run/udev/data/+leds:test
|
|
/run/udev/data/c116:1-test
|
|
/run/udev/data/+sound:card1-test
|
|
/run/udev/data/c108:1-test
|
|
/run/udev/data/c189:1-test
|
|
/run/udev/data/c89:1-test
|
|
/run/udev/data/c81:1-test
|
|
/run/udev/data/+acpi:test
|
|
/run/udev/data/+hwmon:hwmon1-test
|
|
/run/udev/data/+i2c:test
|
|
|
|
prepare: |
|
|
echo "Given a snap declaring a plug on browser-support with allow-sandbox set to $ALLOW_SANDBOX is installed"
|
|
sed "s/@ALLOW_SANDBOX@/$ALLOW_SANDBOX/" browser-support-consumer/meta/snap.yaml.in > browser-support-consumer/meta/snap.yaml
|
|
chmod 644 browser-support-consumer/meta/snap.yaml
|
|
"$TESTSTOOLS"/snaps-state install-local browser-support-consumer
|
|
touch created_dirs
|
|
|
|
restore: |
|
|
rm -f /var/tmp/test
|
|
for file in $OWNED_FILES $READABLE_FILES $READABLE_WITH_SANDBOX_FILES; do
|
|
rm -f "$file"
|
|
done
|
|
|
|
while read -r dir; do
|
|
rm -rf "$dir"
|
|
done < created_dirs
|
|
rm -f created_dirs
|
|
|
|
execute: |
|
|
if [ "$ALLOW_SANDBOX" = "false" ]; then
|
|
echo "If allow-sandbox is false then the plug is connected by default"
|
|
else
|
|
echo "If allow-sandbox is true then the plug is not connected by default"
|
|
snap interfaces -i browser-support | MATCH '\- +browser-support-consumer:browser-support'
|
|
|
|
echo "Do connect it manually"
|
|
snap connect browser-support-consumer:browser-support
|
|
fi
|
|
|
|
echo "And the snap is able to access tmp"
|
|
echo "test" > /var/tmp/test
|
|
SNAP_MOUNT_DIR="$(os.paths snap-mount-dir)"
|
|
su -l -c "$SNAP_MOUNT_DIR/bin/browser-support-consumer.cmd ls /var/tmp/" test | MATCH test
|
|
|
|
echo "And the snap is able to access owned files"
|
|
for owned_file in $OWNED_FILES; do
|
|
parent_dir=$(dirname "$owned_file")
|
|
if [ ! -d "$parent_dir" ]; then
|
|
su -l -c "mkdir -p $parent_dir" test
|
|
echo "$parent_dir" >> created_dirs
|
|
fi
|
|
echo "test" > "$owned_file"
|
|
chown test:12345 "$owned_file"
|
|
su -l -c "$SNAP_MOUNT_DIR/bin/browser-support-consumer.cmd cat $owned_file" test | MATCH test
|
|
su -l -c "$SNAP_MOUNT_DIR/bin/browser-support-consumer.cmd touch $owned_file" test
|
|
done
|
|
|
|
echo "And the snap is able to access readable files"
|
|
for readable_file in $READABLE_FILES; do
|
|
parent_dir=$(dirname "$readable_file")
|
|
if [ ! -d "$parent_dir" ]; then
|
|
if mkdir -p "$parent_dir"; then
|
|
echo "$parent_dir" >> created_dirs
|
|
else
|
|
echo "$parent_dir couldn't be created, write-only partition?"
|
|
continue
|
|
fi
|
|
fi
|
|
echo "test" > "$readable_file"
|
|
su -l -c "$SNAP_MOUNT_DIR/bin/browser-support-consumer.cmd cat $readable_file" test | MATCH test
|
|
done
|
|
|
|
for readable_file in $READABLE_WITH_SANDBOX_FILES; do
|
|
parent_dir=$(dirname "$readable_file")
|
|
if [ ! -d "$parent_dir" ]; then
|
|
mkdir -p "$parent_dir"
|
|
echo "$parent_dir" >> created_dirs
|
|
fi
|
|
echo "test" > "$readable_file"
|
|
done
|
|
|
|
if [ "$ALLOW_SANDBOX" = "true" ]; then
|
|
for readable_file in $READABLE_WITH_SANDBOX_FILES; do
|
|
su -l -c "$SNAP_MOUNT_DIR/bin/browser-support-consumer.cmd cat $readable_file" test | MATCH test
|
|
done
|
|
fi
|
|
|
|
if [ "$(snap debug confinement)" = partial ] ; then
|
|
exit 0
|
|
fi
|
|
|
|
if [ "$ALLOW_SANDBOX" = "false" ]; then
|
|
echo "And the policy has the ptrace suppression rule without sandbox"
|
|
MATCH '^deny ptrace \(trace\),' < /var/lib/snapd/apparmor/profiles/snap.browser-support-consumer.cmd
|
|
else
|
|
echo "And the policy has the ptrace suppression rule with sandbox"
|
|
MATCH '^deny ptrace \(trace\),' < /var/lib/snapd/apparmor/profiles/snap.browser-support-consumer.cmd && echo "Found ptrace rule, but shouldn't have" && exit 1
|
|
fi
|
|
|
|
echo "And the resources available with sandbox are not reachable without it"
|
|
if [ "$ALLOW_SANDBOX" = "false" ]; then
|
|
for readable_file in $READABLE_WITH_SANDBOX_FILES; do
|
|
if su -l -c "$SNAP_MOUNT_DIR/bin/browser-support-consumer.cmd cat $readable_file" test 2> readable-without-sandbox-read.err; then
|
|
echo "Expected error without sandbox didn't happen"
|
|
exit 1
|
|
fi
|
|
MATCH "Permission denied" < readable-without-sandbox-read.err
|
|
done
|
|
fi
|
|
|
|
echo "When the plug is disconnected"
|
|
snap disconnect browser-support-consumer:browser-support
|
|
|
|
echo "Then the snap is not able to access tmp"
|
|
if su -l -c "$SNAP_MOUNT_DIR/bin/browser-support-consumer.cmd ls /var/tmp/" test 2> tmpdir-access.err; then
|
|
echo "Expected error with disconnected plug didn't happen"
|
|
exit 1
|
|
fi
|
|
MATCH "Permission denied" < tmpdir-access.err
|
|
if su -l -c "$SNAP_MOUNT_DIR/bin/browser-support-consumer.cmd cat /var/tmp/etilqs_test" test 2> tmpfile-read.err; then
|
|
echo "Expected error with disconnected plug didn't happen"
|
|
exit 1
|
|
fi
|
|
MATCH "Permission denied" < tmpfile-read.err
|
|
|
|
for owned_file in $OWNED_FILES; do
|
|
if su -l -c "$SNAP_MOUNT_DIR/bin/browser-support-consumer.cmd cat $owned_file" test 2> owned-read.err; then
|
|
echo "Expected error with disconnected plug didn't happen"
|
|
exit 1
|
|
fi
|
|
MATCH "Permission denied" < owned-read.err
|
|
done
|
|
for readable_file in $READABLE_FILES; do
|
|
if [ -f "$readable_file" ] && su -l -c "$SNAP_MOUNT_DIR/bin/browser-support-consumer.cmd cat $readable_file" test 2> readable-read.err; then
|
|
echo "Expected error with disconnected plug didn't happen"
|
|
exit 1
|
|
fi
|
|
MATCH "Permission denied" < readable-read.err
|
|
done
|
|
if [ "$ALLOW_SANDBOX" = "true" ]; then
|
|
for readable_file in $READABLE_WITH_SANDBOX_FILES; do
|
|
if su -l -c "$SNAP_MOUNT_DIR/bin/browser-support-consumer.cmd cat $readable_file" test 2> readable-with-sandbox-read.err; then
|
|
echo "Expected error with disconnected plug didn't happen"
|
|
exit 1
|
|
fi
|
|
MATCH "Permission denied" < readable-with-sandbox-read.err
|
|
done
|
|
fi
|
|
|