Implement lxd-client interface exposing the lxd snap (LP: #1634880)

interfaces/builtin/all.go

@@ -34,6 +34,7 @@ var allInterfaces = []interfaces.Interface{
 	&HidrawInterface{},
 	&LocationControlInterface{},
 	&LocationObserveInterface{},
+	&LxdInterface{},
 	&LxdSupportInterface{},
 	&MirInterface{},
 	&ModemManagerInterface{},

interfaces/builtin/basedeclaration.go

@@ -272,6 +272,10 @@ slots:
       slot-snap-type:
         - core
     deny-auto-connection: true
+  lxd:
+    allow-installation: false
+    deny-connection: true
+    deny-auto-connection: true
   lxd-support:
     allow-installation:
       slot-snap-type:

interfaces/builtin/basedeclaration_test.go

@@ -370,6 +370,7 @@ var (
 		"serial-port":     []string{"core", "gadget"},
 		// snowflakes
 		"docker": nil,
+		"lxd":    nil,
 	}
 )
 
@@ -431,6 +432,12 @@ func (s *baseDeclSuite) TestSlotInstallation(c *C) {
 	err := ic.Check()
 	c.Assert(err, Not(IsNil))
 	c.Assert(err, ErrorMatches, "installation not allowed by \"docker\" slot rule of interface \"docker\"")
+
+	// test lxd specially
+	ic = s.installSlotCand(c, "lxd", snap.TypeApp, ``)
+	err = ic.Check()
+	c.Assert(err, Not(IsNil))
+	c.Assert(err, ErrorMatches, "installation not allowed by \"lxd\" slot rule of interface \"lxd\"")
 }
 
 func (s *baseDeclSuite) TestPlugInstallation(c *C) {
@@ -466,6 +473,7 @@ func (s *baseDeclSuite) TestConnection(c *C) {
 		"fwupd":            true,
 		"location-control": true,
 		"location-observe": true,
+		"lxd":              true,
 		"mir":              true,
 		"modem-manager":    true,
 		"udisks2":          true,

interfaces/builtin/lxd.go

@@ -0,0 +1,91 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2016 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package builtin
+
+import (
+	"fmt"
+
+	"github.com/snapcore/snapd/interfaces"
+)
+
+const lxdConnectedPlugAppArmor = `
+# Description: allow access to the LXD daemon socket. This gives privileged
+# access to the system via LXD's socket API.
+
+/var/snap/lxd/common/lxd/unix.socket rw,
+`
+
+const lxdConnectedPlugSecComp = `
+# Description: allow access to the LXD daemon socket. This gives privileged
+# access to the system via LXD's socket API.
+
+shutdown
+`
+
+type LxdInterface struct{}
+
+func (iface *LxdInterface) Name() string {
+	return "lxd"
+}
+
+func (iface *LxdInterface) PermanentPlugSnippet(plug *interfaces.Plug, securitySystem interfaces.SecuritySystem) ([]byte, error) {
+	return nil, nil
+}
+
+func (iface *LxdInterface) ConnectedPlugSnippet(plug *interfaces.Plug, slot *interfaces.Slot, securitySystem interfaces.SecuritySystem) ([]byte, error) {
+	switch securitySystem {
+	case interfaces.SecurityAppArmor:
+		return []byte(lxdConnectedPlugAppArmor), nil
+	case interfaces.SecuritySecComp:
+		return []byte(lxdConnectedPlugSecComp), nil
+	}
+	return nil, nil
+}
+
+func (iface *LxdInterface) PermanentSlotSnippet(slot *interfaces.Slot, securitySystem interfaces.SecuritySystem) ([]byte, error) {
+	return nil, nil
+}
+
+func (iface *LxdInterface) ConnectedSlotSnippet(plug *interfaces.Plug, slot *interfaces.Slot, securitySystem interfaces.SecuritySystem) ([]byte, error) {
+	return nil, nil
+}
+
+func (iface *LxdInterface) SanitizePlug(plug *interfaces.Plug) error {
+	if iface.Name() != plug.Interface {
+		panic(fmt.Sprintf("plug is not of interface %q", iface.Name()))
+	}
+	return nil
+}
+
+func (iface *LxdInterface) SanitizeSlot(slot *interfaces.Slot) error {
+	if iface.Name() != slot.Interface {
+		panic(fmt.Sprintf("slot is not of interface %q", iface.Name()))
+	}
+	return nil
+}
+
+func (iface *LxdInterface) LegacyAutoConnect() bool {
+	return false
+}
+
+func (iface *LxdInterface) AutoConnect(*interfaces.Plug, *interfaces.Slot) bool {
+	// allow what declarations allowed
+	return true
+}

interfaces/builtin/lxd_test.go

@@ -0,0 +1,102 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2016 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package builtin_test
+
+import (
+	. "gopkg.in/check.v1"
+
+	"github.com/snapcore/snapd/interfaces"
+	"github.com/snapcore/snapd/interfaces/builtin"
+	"github.com/snapcore/snapd/snap"
+	"github.com/snapcore/snapd/testutil"
+)
+
+type LxdInterfaceSuite struct {
+	iface interfaces.Interface
+	slot  *interfaces.Slot
+	plug  *interfaces.Plug
+}
+
+var _ = Suite(&LxdInterfaceSuite{
+	iface: &builtin.LxdInterface{},
+	slot: &interfaces.Slot{
+		SlotInfo: &snap.SlotInfo{
+			Snap:      &snap.Info{SuggestedName: "core", Type: snap.TypeOS},
+			Name:      "lxd",
+			Interface: "lxd",
+		},
+	},
+
+	plug: &interfaces.Plug{
+		PlugInfo: &snap.PlugInfo{
+			Snap: &snap.Info{
+				SuggestedName: "lxd",
+				SideInfo:      snap.SideInfo{Developer: "canonical"},
+			},
+			Name:      "lxd",
+			Interface: "lxd",
+		},
+	},
+})
+
+func (s *LxdInterfaceSuite) TestName(c *C) {
+	c.Assert(s.iface.Name(), Equals, "lxd")
+}
+
+func (s *LxdInterfaceSuite) TestSanitizeSlot(c *C) {
+	err := s.iface.SanitizeSlot(s.slot)
+	c.Assert(err, IsNil)
+}
+
+func (s *LxdInterfaceSuite) TestSanitizePlug(c *C) {
+	err := s.iface.SanitizePlug(s.plug)
+	c.Assert(err, IsNil)
+}
+
+func (s *LxdInterfaceSuite) TestUsedSecuritySystems(c *C) {
+	// connected plugs have a non-nil security snippet for apparmor
+	snippet, err := s.iface.ConnectedPlugSnippet(s.plug, s.slot, interfaces.SecurityAppArmor)
+	c.Assert(err, IsNil)
+	c.Assert(snippet, Not(IsNil))
+	snippet, err = s.iface.ConnectedPlugSnippet(s.plug, s.slot, interfaces.SecuritySecComp)
+	c.Assert(err, IsNil)
+	c.Assert(snippet, Not(IsNil))
+}
+
+func (s *LxdInterfaceSuite) TestConnectedPlugSnippetAppArmor(c *C) {
+	snippet, err := s.iface.ConnectedPlugSnippet(s.plug, s.slot, interfaces.SecurityAppArmor)
+	c.Assert(err, IsNil)
+	c.Check(string(snippet), testutil.Contains, "/var/snap/lxd/common/lxd/unix.socket rw,\n")
+}
+
+func (s *LxdInterfaceSuite) TestConnectedPlugSnippetSecComp(c *C) {
+	snippet, err := s.iface.ConnectedPlugSnippet(s.plug, s.slot, interfaces.SecuritySecComp)
+	c.Assert(err, IsNil)
+	c.Check(string(snippet), testutil.Contains, "shutdown\n")
+}
+
+func (s *LxdInterfaceSuite) TestLegacyAutoConnect(c *C) {
+	c.Check(s.iface.LegacyAutoConnect(), Equals, false)
+}
+
+func (s *LxdInterfaceSuite) TestAutoConnect(c *C) {
+	// allow what declarations allowed
+	c.Check(s.iface.AutoConnect(nil, nil), Equals, true)
+}