mirror of
https://github.com/token2/snapd.git
synced 2026-03-13 11:15:47 -07:00
Test that when plugging userns snaps can create new unprivileged user namespaces and also test that when this interface is not connected, this is denied, both via seccomp and also via AppArmor.

Also update the spread configuration to support local qemu testing of ubuntu-22.10-64

* spread: add ubuntu-22.10-64 to local qemu backend

Signed-off-by: Alex Murray <alex.murray@canonical.com>

* tests/main/userns: add a spread test for the userns interface

Test that when plugging userns snaps can create new unprivileged user namespaces and also test that when this interface is not connected, this is denied, both via seccomp and also via AppArmor.

Signed-off-by: Alex Murray <alex.murray@canonical.com>

* tests/main/userns: ensure apparmor_parser doesn't pin the ABI

Instead specify to use the ABI presented by the kernel itself to ensure that the parser does not silently downgrade the policy. In the future I suspect we want snapd to always use the kernel ABI for apparmor_parser and then store this ABI within the system-key to ensure policy gets regenerated if / when the AppArmor kernel feature set changes.

Signed-off-by: Alex Murray <alex.murray@canonical.com>

* tests/main/userns: support other platforms

Some of the CLONE_NEWXXXX flags are quite new so only use these in the test unshare implementation if they are defined, plus adapt to arch's different naming of the nogroup group as nobody.

Signed-off-by: Alex Murray <alex.murray@canonical.com>

* tests/main/interfaces-userns: rename userns spread test

This ensures the naming is consistent across all the tests.

Signed-off-by: Alex Murray <alex.murray@canonical.com>

* tests/main/interfaces-userns: simplify logic for arch specifics

On arch the nobody group is called nobody whereas on Ubuntu etc it is nogroup - parameterise this instead of duplicating the code logic

Signed-off-by: Alex Murray <alex.murray@canonical.com>

* tests/lib/snaps/test-snapd-userns/bin/sh: add missing newline at EOF

Signed-off-by: Alex Murray <alex.murray@canonical.com>

* spread.yaml: remove unnecessary addition of ubuntu-22.10-64 to qemu backend

Signed-off-by: Alex Murray <alex.murray@canonical.com>

* tests/main/interfaces-userns: restore sysctls and cleanups

Restore sysctl values to their originals on cleanup, plus remove the unnecessary cleanup of the modified apparmor profile as these are restored automatically during the generic cleanup and finally remove trailing blank lines. Thanks to @sergiocazzolato for the suggestions.

Signed-off-by: Alex Murray <alex.murray@canonical.com>

---------

Signed-off-by: Alex Murray <alex.murray@canonical.com>
Co-authored-by: Michael Vogt <mvo@ubuntu.com>
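
A probe of the kind the commit message describes, as an added example (not the snapd test helper itself): it references newer `CLONE_NEW*` flags only when the build headers define them, and reports the errno from attempting to unshare a user namespace so a test can tell "allowed" from "denied". The names `ns_flag` and `try_unshare` are hypothetical.

```c
#include <errno.h>
#include <linux/sched.h>   /* CLONE_NEW* constants from the kernel headers */
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Map a namespace name to its CLONE_NEW* flag. Newer flags are guarded so
 * the probe still builds against older headers. Returns 0 when the name is
 * unknown or the flag is not defined at build time. */
int ns_flag(const char *name)
{
    if (strcmp(name, "user") == 0)   return CLONE_NEWUSER;
    if (strcmp(name, "mount") == 0)  return CLONE_NEWNS;
    if (strcmp(name, "pid") == 0)    return CLONE_NEWPID;
    if (strcmp(name, "net") == 0)    return CLONE_NEWNET;
#ifdef CLONE_NEWCGROUP
    if (strcmp(name, "cgroup") == 0) return CLONE_NEWCGROUP;
#endif
#ifdef CLONE_NEWTIME
    if (strcmp(name, "time") == 0)   return CLONE_NEWTIME;
#endif
    return 0;
}

/* Attempt unshare(flags) in a forked child so the caller's own namespaces
 * are left untouched. Returns 0 if the kernel allowed it, otherwise the
 * errno reported to the child (or to the parent if fork/wait failed). */
int try_unshare(int flags)
{
    if (flags == 0) return EINVAL;           /* nothing to probe */
    pid_t pid = fork();
    if (pid < 0) return errno;
    if (pid == 0)                            /* child: errno fits in 8 bits */
        _exit(syscall(SYS_unshare, flags) == 0 ? 0 : errno);
    int status;
    if (waitpid(pid, &status, 0) < 0) return errno;
    return WIFEXITED(status) ? WEXITSTATUS(status) : EINTR;
}

int main(void)
{
    int rc = try_unshare(ns_flag("user"));
    printf("unshare(CLONE_NEWUSER): %s\n", rc ? strerror(rc) : "allowed");
    return rc ? 1 : 0;   /* non-zero exit lets a test script assert denial */
}
```

Run it once inside the confined snap with the interface connected and once disconnected; the exit status and the printed errno string are what the test compares.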