mirror of
https://github.com/token2/snapd.git
synced 2026-03-13 11:15:47 -07:00
6da6dd1472
* tests: fix typo: case Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com> * tests/main: document interfaces-audio-playback-record Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com> * tests/main: document interfaces-avahi-observe Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com> * tests/main: document interfaces-cli Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com> * tests/main: document interfaces-content-circular Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com> * tests/main: document interfaces-content-empty-content-attr Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com> * tests/main: reformat details of interfaces-cups-control-autoconect Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com> * tests/main: reformat details of interfaces-cups-control Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com> * tests/main: reformat details of interfaces-content-mkdir-writable Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com> * tests/main: reformat details of interfaces-custom-device-app-slot Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com> * tests/main: reformat details of interfaces-desktop-document-portal Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com> * tests/main: reformat details of interfaces-firewall-control Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com> * tests/main: reformat details of interfaces-fuse-support Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com> * tests: fix typo: default Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com> * tests/main: reformat details of interfaces-hardware-observe Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com> * tests/main: reformat details of interfaces-hardware-random-control Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com> * tests/main: reformat details of interfaces-hardware-random-observe Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com> * tests/main: reformat details of interfaces-home Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com> * tests/main: document interfaces-hooks Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com> * tests/main: document interfaces-hooks-plug-with-number Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com> * tests/main: reformat details of interfaces-kernel-module-control Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com> * tests/main: reformat details of interfaces-libvirt Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com> * tests/main: reformat details of interfaces-locale-control Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com> * tests/main: reformat details of interfaces-location-control Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com> * tests/main: reformat details of interfaces-log-observe Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com> * tests/main: document interfaces-mount-control Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com> * tests/main: rewrite documentation of interfaces-mount-observe Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com> * tests/main: reformat details of interfaces-netlink-connector Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com> * tests/main: reformat details of interfaces-network Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com> * tests/main: rewrite documentation of interfaces-network-bind Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com> * tests/main: reformat details of interfaces-network-control Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com> * tests/main: reformat details of interfaces-network-manager Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com> * tests/main: reformat and tweak details of interfaces-network-status Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com> * tests/main: document interfaces-packagekit-control Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com> * tests/main: document interfaces-password-manager-service Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com> * tests/main: reformat details of interfaces-personal-files Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com> * tests/main: rewrite details of interfaces-polkit Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com> * tests/main: document interfaces-pulseaudio Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com> * tests/main: reformat details of interfaces-snapd-control Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com> * tests/main: document interfaces-snapd-control-with-manage Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com> * tests/main: reformat details of interfaces-system-observe Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com> * tests/main: reformat details of interfaces-upower-observe Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com> * tests/main: document interfaces-wayland Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com> * tests/main: document known Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com> * tests/main: document known-remote Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com> * tests: correct the summary for known-remote test Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com> * tests: fix typo: bound Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com> * tests/main: document install-local-w-metadata Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com> * tests/main: document login Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com> --------- Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
162 lines
6.4 KiB
YAML
162 lines
6.4 KiB
YAML
summary: Ensure that the network-control interface works.
|
|
|
|
details: |
|
|
The network-control interface allows a snap to configure networking.
|
|
|
|
A snap which defines the network-control plug must be shown in the
|
|
interfaces list. The plug must not be auto-connected on install and, as
|
|
usual, must be able to be reconnected.
|
|
|
|
A snap declaring a plug on this interface must be able to modify the network
|
|
configuration and ask for its status, the test sets up a network service,
|
|
gets information about it (read capability) and creates an arp entry (write
|
|
capability).
|
|
|
|
# ubuntu-14.04: systemd-run not supported
|
|
# ubuntu-18.04-32: network-control-consumer snap not available on i386
|
|
# ubuntu-core-16-32: cannot install snap base "core20"
|
|
# ubuntu-core-18-32: cannot install snap base "core20"
|
|
systems: [-fedora-*, -opensuse-*, -ubuntu-14.04*, -ubuntu-18.04-32, -ubuntu-core-16-32, -ubuntu-core-18-32]
|
|
|
|
environment:
|
|
PORT: 8081
|
|
SERVICE_NAME: "test-service"
|
|
ARP_ENTRY_ADDR: "30.30.30.30"
|
|
|
|
prepare: |
|
|
echo "Given a snap declaring a plug on the network-control interface is installed"
|
|
"$TESTSTOOLS"/snaps-state install-local network-control-consumer
|
|
|
|
echo "And a network service is up"
|
|
# shellcheck source=tests/lib/network.sh
|
|
. "$TESTSLIB"/network.sh
|
|
make_network_service "$SERVICE_NAME" "$PORT"
|
|
|
|
restore: |
|
|
#shellcheck source=tests/lib/network.sh
|
|
. "$TESTSLIB/network.sh"
|
|
|
|
systemctl stop "$SERVICE_NAME"
|
|
|
|
ip netns delete test-ns || true
|
|
ip link delete veth0 || true
|
|
umount /run/netns || true
|
|
|
|
execute: |
|
|
#shellcheck source=tests/lib/network.sh
|
|
. "$TESTSLIB/network.sh"
|
|
|
|
echo "Then the plug disconnected by default"
|
|
snap interfaces -i network-control | MATCH "^- +network-control-consumer:network-control$"
|
|
|
|
echo "When the plug is connected"
|
|
snap connect network-control-consumer:network-control
|
|
|
|
echo "Then the snap command can query network status information"
|
|
network-control-consumer.cmd ss -lnt | MATCH "LISTEN.*:$PORT"
|
|
|
|
echo "And DNS information"
|
|
case "$SPREAD_SYSTEM" in
|
|
centos-*|debian-*|arch-linux-*|amazon-linux-*)
|
|
# echo no systemd-resolved in those images
|
|
;;
|
|
*)
|
|
network-control-consumer.cmd resolvectl | MATCH "DNS Server"
|
|
;;
|
|
esac
|
|
|
|
if [ "$(snap debug confinement)" = strict ] ; then
|
|
echo "When the plug is disconnected"
|
|
snap disconnect network-control-consumer:network-control
|
|
|
|
echo "Then the snap command can not query network status information"
|
|
if network-control-consumer.cmd ss -lnt 2>net-query.output; then
|
|
echo "Expected error caling command with disconnected plug"
|
|
exit 1
|
|
fi
|
|
MATCH "Permission denied" < net-query.output
|
|
fi
|
|
|
|
echo "When the plug is connected"
|
|
snap connect network-control-consumer:network-control
|
|
|
|
echo "When the plug is connected"
|
|
snap connect network-control-consumer:network-control
|
|
|
|
echo "A network namespace can be created"
|
|
network-control-consumer.cmd ip netns add test-ns
|
|
ip netns list | MATCH test-ns
|
|
|
|
echo "And a veth interface can be added to the namespace"
|
|
|
|
ip link add veth0 type veth peer name veth1
|
|
ip link list | MATCH "veth0.*veth1"
|
|
|
|
network-control-consumer.cmd ip link set veth1 netns test-ns
|
|
|
|
ip link list | MATCH "veth0"
|
|
ip link list | NOMATCH "veth1"
|
|
|
|
echo "And a command can be executed in the context of the namespace"
|
|
network-control-consumer.cmd ip netns exec test-ns ip link list | MATCH "veth1"
|
|
|
|
echo "Then the snap command can modify the network configuration"
|
|
network-control-consumer.cmd ip neigh add "$ARP_ENTRY_ADDR" lladdr aa:aa:aa:aa:aa:aa dev veth0
|
|
|
|
# the entry becomes visible
|
|
ip neigh show dev veth0 | MATCH "aa:aa:aa:aa:aa:aa"
|
|
|
|
# xdp is only support by apparmor in 20.04+
|
|
if [ "$(snap debug confinement)" = strict ] && ! os.query is-xenial && ! os.query is-bionic && ! os.query is-core16 && ! os.query is-core18; then
|
|
echo "Check that AF_XDP can be used"
|
|
network-control-consumer.cmd python3 -c 'import socket; AF_XDP=44; socket.socket(AF_XDP, socket.SOCK_RAW)'
|
|
fi
|
|
|
|
if [ "$(snap debug confinement)" = strict ] ; then
|
|
echo "And the policy has the ptrace suppression rule"
|
|
MATCH '^deny ptrace \(trace\),' < /var/lib/snapd/apparmor/profiles/snap.network-control-consumer.cmd
|
|
|
|
echo "When the plug is disconnected"
|
|
snap disconnect network-control-consumer:network-control
|
|
|
|
echo "Then the snap command can not modify the network configuration"
|
|
if network-control-consumer.cmd ip neigh del "$ARP_ENTRY_ADDR" lladdr aa:aa:aa:aa:aa:aa dev veth0 2>net-command.output; then
|
|
echo "Expected error calling command with disconnected plug"
|
|
exit 1
|
|
fi
|
|
MATCH "Permission denied" < net-command.output
|
|
|
|
echo "The snap is not able to create a network namespace"
|
|
if network-control-consumer.cmd ip netns add test-ns-2 2>ns-create.output; then
|
|
echo "Expected error calling ns create command with disconnected plug"
|
|
fi
|
|
MATCH "Permission denied" < ns-create.output
|
|
|
|
echo "And the snap can't add a veth interface to an existing namespace"
|
|
# first, move veth1 back to the root namespace
|
|
ip netns exec test-ns ip link set veth1 netns 1
|
|
if network-control-consumer.cmd ip link set veth1 netns test-ns 2>ns-move.output; then
|
|
echo "Expected error trying to move veth to network namespace with disconnected plug"
|
|
exit 1
|
|
fi
|
|
MATCH "Permission denied" < ns-move.output
|
|
|
|
|
|
echo "And the snap can't execute a command in the context of the namespace"
|
|
if network-control-consumer.cmd ip netns exec test-ns ip link list 2>ns-exec.output; then
|
|
echo "Expected error trying to execute command in a network namespace context with disconnected plug"
|
|
exit 1
|
|
fi
|
|
MATCH "Permission denied" < ns-exec.output
|
|
|
|
|
|
echo "And AF_XDP can no longer be used"
|
|
if [ "$(snap debug confinement)" = strict ] && ! os.query is-xenial && ! os.query is-bionic && ! os.query is-core16 && ! os.query is-core18; then
|
|
if network-control-consumer.cmd python3 -c 'import socket; AF_XDP=44; socket.socket(AF_XDP, socket.SOCK_RAW)' 2> python-af-xdp.output; then
|
|
echo "Expected error trying to open AF_XDP socket"
|
|
exit 1
|
|
fi
|
|
MATCH "Permission denied" < python-af-xdp.output
|
|
fi
|
|
fi
|