forked from snapcore/snapd
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
i/apparmor: support for home.d tunables from /etc/ (snapcore#13118)
* i/apparmor: support for home.d tunables from /etc/ * tests: update snapd-homedirs-vendored to run on all ubuntu versions * i/apparmor: add additional unit test Only enable the spread test for ubuntu 20 and newer as any distro before don't support the neccessary features --------- Co-authored-by: Michael Vogt <mvo@ubuntu.com>
- Loading branch information
1 parent
dcb8ad2
commit b98e4af
Showing
6 changed files
with
174 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,70 @@ | ||
summary: Test that vendored apparmor does not break any system tunables | ||
|
||
# On ubuntu 18 and below snapd-internal is not available | ||
systems: [ubuntu-18*, ubuntu-2*] | ||
|
||
environment: | ||
USERNAME: home-sweet-home | ||
|
||
prepare: | | ||
# Create a new user in a non-standard location | ||
mkdir -p /remote/users | ||
useradd -b /remote/users -m -U "$USERNAME" | ||
# Download current snapd edge | ||
snap download --edge snapd --basename=snapd_edge | ||
# Repack it with currently built snapd | ||
unpackdir=/tmp/snapd-current-snap | ||
unsquashfs -no-progress -d "${unpackdir}" snapd_edge.snap | ||
dpkg-deb -x "${GOHOME}"/snapd_*.deb "${unpackdir}" | ||
snap pack "${unpackdir}" --filename snapd_modified.snap | ||
rm -rf "${unpackdir}" | ||
restore: | | ||
userdel -f --remove "$USERNAME" | ||
rm -rf /remote/users | ||
debug: | | ||
# output custom snap-confine snippets | ||
ls -l /var/lib/snapd/apparmor/snap-confine/ | ||
for f in /var/lib/snapd/apparmor/snap-confine/*; do | ||
echo "$f" | ||
cat "$f" | ||
done | ||
execute: | | ||
echo "Downgrading the snapd deb to pre-vendored apparmor times" | ||
TARGET_VER="$(apt list -a snapd|grep -- -updates|cut -f2 -d' ')" | ||
apt install -yqq --allow-downgrades snapd="$TARGET_VER" | ||
echo "But installing the vendored apparmor snapd with our changes" | ||
snap install --dangerous snapd_modified.snap | ||
# Verify supported features | ||
snap debug sandbox-features --required apparmor:parser:snapd-internal | ||
snap debug sandbox-features --required apparmor:parser:include-if-exists | ||
# Install our test snap | ||
"$TESTSTOOLS"/snaps-state install-local test-snapd-sh | ||
echo "Invoke the test app without setting up homedir support" | ||
if sudo -u "$USERNAME" -i test-snapd-sh.cmd echo "Hello world" 2> stderr.log; then | ||
echo "The command succeeded; this is unexpected where AppArmor is fully working" | ||
test "$(snap debug confinement)" = partial | ||
else | ||
MATCH "Sorry, home directories outside of /home needs configuration" < stderr.log | ||
fi | ||
rm -f stderr.log | ||
echo "Enable the home directories under /remote/users" | ||
snap set system homedirs=/remote/users | ||
echo "Verify that the system-params file has been created" | ||
MATCH "^homedirs=/remote/users$" < /var/lib/snapd/system-params | ||
echo "And that the AppArmor tunable file is proper" | ||
MATCH "^@{HOMEDIRS}\\+=\"/remote/users\"$" < /etc/apparmor.d/tunables/home.d/snapd | ||
echo "Invoke the test app again (should now work)" | ||
sudo -u "$USERNAME" -i test-snapd-sh.cmd echo "Hello world" | MATCH "Hello world" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
#!/bin/bash | ||
exec "$@" |
7 changes: 7 additions & 0 deletions
7
tests/main/snapd-homedirs-vendored/test-snapd-sh/meta/snap.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,7 @@ | ||
name: test-snapd-sh | ||
summary: A no-strings-attached, no-fuss shell for writing tests | ||
version: 1.0 | ||
|
||
apps: | ||
cmd: | ||
command: bin/sh |