interfaces/builtin: use udev tagging more broadly #3617
| @@ -1,7 +1,7 @@ | ||
| // -*- Mode: Go; indent-tabs-mode: t -*- | ||
| /* | ||
| - * Copyright (C) 2016 Canonical Ltd | ||
| + * Copyright (C) 2016-2017 Canonical Ltd | ||
| * | ||
| * This program is free software: you can redistribute it and/or modify | ||
| * it under the terms of the GNU General Public License version 3 as | ||
| @@ -26,6 +26,7 @@ import ( | ||
| "github.com/snapcore/snapd/interfaces/apparmor" | ||
| "github.com/snapcore/snapd/interfaces/builtin" | ||
| "github.com/snapcore/snapd/interfaces/seccomp" | ||
| + "github.com/snapcore/snapd/interfaces/udev" | ||
| "github.com/snapcore/snapd/snap" | ||
| "github.com/snapcore/snapd/snap/snaptest" | ||
| "github.com/snapcore/snapd/testutil" | ||
| @@ -86,20 +87,25 @@ func (s *BluetoothControlInterfaceSuite) TestSanitizePlug(c *C) { | ||
| c.Assert(s.plug.Sanitize(s.iface), IsNil) | ||
| } | ||
| -func (s *BluetoothControlInterfaceSuite) TestUsedSecuritySystems(c *C) { | ||
| - // connected plugs have a non-nil security snippet for apparmor | ||
| - apparmorSpec := &apparmor.Specification{} | ||
| - err := apparmorSpec.AddConnectedPlug(s.iface, s.plug, nil, s.slot, nil) | ||
| - c.Assert(err, IsNil) | ||
| - c.Assert(apparmorSpec.SecurityTags(), DeepEquals, []string{"snap.other.app2"}) | ||
| - c.Assert(apparmorSpec.SnippetForTag("snap.other.app2"), testutil.Contains, "capability net_admin") | ||
| +func (s *BluetoothControlInterfaceSuite) TestAppArmorSpec(c *C) { | ||
| + spec := &apparmor.Specification{} | ||
| + c.Assert(spec.AddConnectedPlug(s.iface, s.plug, nil, s.slot, nil), IsNil) | ||
| + c.Assert(spec.SecurityTags(), DeepEquals, []string{"snap.other.app2"}) | ||
| + c.Assert(spec.SnippetForTag("snap.other.app2"), testutil.Contains, "capability net_admin") | ||
| +} | ||
| + | ||
| +func (s *BluetoothControlInterfaceSuite) TestSecCompSpec(c *C) { | ||
| + spec := &seccomp.Specification{} | ||
| + c.Assert(spec.AddConnectedPlug(s.iface, s.plug, nil, s.slot, nil), IsNil) | ||
| + c.Assert(spec.SecurityTags(), DeepEquals, []string{"snap.other.app2"}) | ||
| + c.Assert(spec.SnippetForTag("snap.other.app2"), testutil.Contains, "\nbind\n") | ||
| +} | ||
| - // connected plugs have a non-nil security snippet for seccomp | ||
| - seccompSpec := &seccomp.Specification{} | ||
| - err = seccompSpec.AddConnectedPlug(s.iface, s.plug, nil, s.slot, nil) | ||
| - c.Assert(err, IsNil) | ||
| - c.Assert(seccompSpec.SecurityTags(), DeepEquals, []string{"snap.other.app2"}) | ||
| - c.Check(seccompSpec.SnippetForTag("snap.other.app2"), testutil.Contains, "\nbind\n") | ||
| +func (s *BluetoothControlInterfaceSuite) TestUDevSpec(c *C) { | ||
| + spec := &udev.Specification{} | ||
| + c.Assert(spec.AddConnectedPlug(s.iface, s.plug, nil, s.slot, nil), IsNil) | ||
| + c.Assert(spec.Snippets(), HasLen, 1) | ||
| + c.Assert(spec.Snippets()[0], testutil.Contains, `SUBSYSTEM=="bluetooth", TAG+="snap_other_app2"`) | ||
| } | ||
| func (s *BluetoothControlInterfaceSuite) TestInterfaces(c *C) { | ||
| @@ -38,12 +38,20 @@ const broadcomAsicControlConnectedPlugAppArmor = ` | ||
| /dev/linux-user-bde rw, | ||
| /dev/linux-kernel-bde rw, | ||
| /dev/linux-bcm-knet rw, | ||
| + | ||
| +# These are broader than they needs to be, but until we query udev | ||
| +# for specific devices, use a broader glob | ||
| +/sys/devices/pci[0-9]*/**/config r, | ||
| +/sys/devices/pci[0-9]*/**/{,subsystem_}device r, | ||
| +/sys/devices/pci[0-9]*/**/{,subsystem_}vendor r, | ||
| + | ||
| +/sys/bus/pci/devices/ r, | ||
| +/run/udev/data/+pci:[0-9]* r, | ||
| ` | ||
| const broadcomAsicControlConnectedPlugUDev = ` | ||
| -KERNEL=="linux-user-bde", TAG+="###SLOT_SECURITY_TAGS###" | ||
| -KERNEL=="linux-kernel-bde", TAG+="###SLOT_SECURITY_TAGS###" | ||
| -KERNEL=="linux-bcm-knet", TAG+="###SLOT_SECURITY_TAGS###" | ||
| +SUBSYSTEM=="pci", DRIVER=="linux-kernel-bde", TAG+="###CONNECTED_SECURITY_TAGS###" | ||
| +SUBSYSTEM=="net", KERNEL=="bcm[0-9]*", TAG+="###CONNECTED_SECURITY_TAGS###" | ||
| ` | ||
| // The upstream linux kernel doesn't come with support for the | ||
You changed the copyright in bluetooth_control_test.go, but forgot to update it and bluetooth_control.go for
/dev/vhci, which is included in the apparmor policy. Can you add that?