interfaces/network-setup-control: allow dbus netplan apply messages

interfaces/builtin/network_setup_control.go

@@ -45,6 +45,17 @@ const networkSetupControlConnectedPlugAppArmor = `
 
 /run/udev/rules.d/ rw,                 # needed for cloud-init
 /run/udev/rules.d/[0-9]*-netplan-* rw,
+
+#include <abstractions/dbus-strict>
+
+# Allow use of NetPlan Apply API, used to apply network configuration
+dbus (send)
+    bus=system
+    interface=io.netplan.Netplan
+    path=/io/netplan/Netplan
+	member=Apply
+	peer=(label=unconfined),
+
 `
 
 func init() {

tests/main/netplan-apply/fake-netplan-apply-service.py

@@ -0,0 +1,50 @@
+#!/usr/bin/python3
+
+from gi.repository import GLib
+import dbus.mainloop.glib
+import dbus.service
+import sys
+
+BUS_NAME = "io.netplan.Netplan"
+OBJECT_PATH = "/io/netplan/Netplan"
+DOC_IFACE = "io.netplan.Netplan"
+
+
+class NetplanApplyService(dbus.service.Object):
+    def __init__(self, connection, object_path, logfile):
+        super().__init__(connection, object_path)
+        self._logfile = logfile
+
+    @dbus.service.method(dbus_interface=DOC_IFACE, in_signature="",
+                         out_signature="b")
+    def Apply(self):
+        # log that we were called and always return True
+        with open(self._logfile, "a+") as fp:
+            fp.write("Apply called\n")
+        return True
+
+
+def main(argv):
+    logfile = argv[1]
+    dbus.mainloop.glib.DBusGMainLoop(set_as_default=True)
+    main_loop = GLib.MainLoop()
+
+    bus = dbus.SystemBus()
+    # Make sure we quit when the bus shuts down
+    bus.add_signal_receiver(
+        main_loop.quit, signal_name="Disconnected",
+        path="/org/freedesktop/DBus/Local",
+        dbus_interface="org.freedesktop.DBus.Local")
+
+    NetplanApplyService(bus, OBJECT_PATH, logfile)
+
+    # Allow other services to assume our bus name
+    dbus.service.BusName(
+        BUS_NAME, bus, allow_replacement=True, replace_existing=True,
+        do_not_queue=True)
+
+    main_loop.run()
+
+
+if __name__ == '__main__':
+    sys.exit(main(sys.argv))

tests/main/netplan-apply/io.netplan.Netplan.conf

@@ -0,0 +1,18 @@
+<!DOCTYPE busconfig PUBLIC
+ "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+
+  <policy user="root">
+    <allow own="io.netplan.Netplan"/>
+  </policy>
+
+  <policy context="default">
+    <allow send_destination="io.netplan.Netplan"
+           send_interface="io.netplan.Netplan"/>
+    <allow send_destination="io.netplan.Netplan"
+           send_interface="org.freedesktop.DBus.Introspectable"/>
+  </policy>
+
+</busconfig>
+

tests/main/netplan-apply/snapcraft.yaml

@@ -0,0 +1,50 @@
+name: test-snapd-netplan-apply
+base: core18
+version: git
+summary: Backend-agnostic network configuration in YAML
+description: |
+  Netplan is a utility for easily configuring networking on a linux system.
+  You simply create a YAML description of the required network interfaces and
+  what each should be configured to do. From this description Netplan will
+  generate all the necessary configuration for your chosen renderer tool.
+grade: devel
+confinement: strict
+
+apps:
+  netplan:
+    command: usr/bin/python3 $SNAP/usr/sbin/netplan
+    environment:
+      PYTHONPATH: $SNAP/usr/lib/python3/dist-packages:$PYTHONPATH
+    adapter: full
+    plugs:
+      - network
+      - network-bind
+      - network-setup-control
+
+parts:
+  netplan:
+    source: https://github.com/CanonicalLtd/netplan.git
+    plugin: make
+    build-packages:
+      - bash-completion
+      - libglib2.0-dev
+      - libyaml-dev
+      - uuid-dev
+      - pandoc
+      - pkg-config
+      - python3
+      - python3-coverage
+      - python3-yaml
+      - python3-netifaces
+      - python3-nose
+      - pyflakes3
+      - pep8
+      - systemd
+      - libsystemd-dev
+    stage-packages:
+      - iproute2
+      - python3
+      - python3-netifaces
+      - python3-yaml
+      - systemd
+      - libatm1

tests/main/netplan-apply/task.yaml

@@ -0,0 +1,87 @@
+summary: Ensure that netplan apply works with network-setup-control
+
+details: |
+    Netplan apply is used to apply network configuration to the system
+
+environment:
+    NETPLAN: io.netplan.Netplan
+
+# run on all classic ubuntu LTS and current dev systems 16.04+
+systems: 
+    - ubuntu-16*
+    - ubuntu-18*
+    - ubuntu-19*
+    - ubuntu-20*
+
+prepare: |
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
+    snap install test-snapd-netplan-apply --edge
+
+    # backup the dbus service file and policy config if they exist before 
+    # executing
+    for f in system-services/$NETPLAN.service system.d/$NETPLAN.conf; do
+        if [ -f /usr/share/dbus-1/$f ]; then
+            mv /usr/share/dbus-1/$f /usr/share/dbus-1/$f.backup
+        fi      
+    done
+
+    # install the dbus policy config file and service unit for our fake netplan
+    # system dbus service
+    echo "Install the netplan D-Bus activatable system service"
+    mkdir -p /usr/share/dbus-1/system.d 
+    mkdir -p /usr/share/dbus-1/system-services
+    cp $NETPLAN.conf /usr/share/dbus-1/system.d/$NETPLAN.conf
+    # generate the service file here so that we can referece the python file and
+    # the log file in this directory
+    cat << EOF > /usr/share/dbus-1/system-services/$NETPLAN.service
+    [D-BUS Service]
+    Name=$NETPLAN
+    Exec=$(pwd)/fake-netplan-apply-service.py $(pwd)/dbus-netplan-apply.log
+    User=root
+    AssumedAppArmorLabel=unconfined
+    EOF
+
+    touch dbus-netplan-apply.log
+
+restore: |
+    # kill the dbus service if it is running 
+    set +e
+    if [ -n "$(pgrep --full fake-netplan-apply-service.py)" ]; then
+        for pid in $(pgrep --full fake-netplan-apply-service.py); do
+            kill -9 "$pid"
+        done
+    fi
+    set -e
+
+    # restore the dbus service file and policy config file if the backup exists
+    for f in system-services/$NETPLAN.service system.d/$NETPLAN.conf; do
+        if [ -f /usr/share/dbus-1/$f.backup ]; then
+            mv /usr/share/dbus-1/$f.backup /usr/share/dbus-1/$f
+        fi      
+    done
+
+execute: |
+    echo "The interface is disconnected by default"
+    snap connections test-snapd-netplan-apply | MATCH 'network-setup-control +test-snapd-netplan-apply:network-setup-control +- +-'
+
+    echo "Running netplan apply without network-setup-control fails"
+    if test-snapd-netplan-apply.netplan apply; then
+        echo "Expected access denied error for netplan apply"
+        exit 1
+    fi
+
+    echo "The D-Bus service was not activated"
+    not MATCH "Apply called" < dbus-netplan-apply.log
+
+    echo "When the interface is connected"
+    snap connect test-snapd-netplan-apply:network-setup-control
+
+    echo "Running netplan apply now works"
+    if ! test-snapd-netplan-apply.netplan apply; then
+        echo "Unexpected error running netplan apply"
+        exit 1
+    fi
+
+    echo "And the D-Bus service was activated"
+    MATCH "Apply called" < dbus-netplan-apply.log