35 changes: 35 additions & 0 deletions tests/regression/lp-1949368/task.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,35 @@
summary: Ensure that AppArmor paths are safe

details: |
Some interfaces allow the developer to specify filesystem paths in their
plug sttributes, which then get encoded into the AppArmor profile of the
applications. We need to make sure that these paths are properly quoted,
and that snapd will refuse to connect a plug whose paths include some
invalid characters.
prepare: |
echo "Creating the test snaps"
"$TESTSTOOLS"/snaps-state install-local content-provider
"$TESTSTOOLS"/snaps-state install-local content-consumer
execute: |
echo "The plug is disconnected by default"
snap interfaces content-provider
echo "Verify that the plug with invalid characters raised a warning"
snap warnings |
tr -d '\n' | # remove newlines
sed -e 's,\s\+, ,g' | # remove any extra spaces
MATCH 'snap "content-consumer" has bad plugs or slots: invalid-char'
echo "Connect a valid plug"
snap connect content-consumer:quoting content-provider:quoting
if [ "$(snap debug confinement)" = "strict" ]; then
echo "Verify that the AppArmor rule has proper quoting"
MATCH '"/var/snap/content-provider/x1/a,comma/\*\*" mrkix,' < /var/lib/snapd/apparmor/profiles/snap.content-consumer.sh
fi
echo "Attempt to install a snap with an invalid layout"
"$TESTSTOOLS"/snaps-state install-local bad-layout 2>&1 |MATCH 'cannot validate snap "bad-layout".*contains a reserved apparmor char'