// TestPlugSnippetHandlesSymlinkErrors checks that a symlink-evaluation failure
// is reported by ConnectedPlugSnippet instead of being silently ignored.
func (s *BoolFileInterfaceSuite) TestPlugSnippetHandlesSymlinkErrors(c *C) {
	// Stub symlink evaluation so that every lookup fails.
	failingEval := func(path string) (string, error) {
		return "", fmt.Errorf("broken symbolic link")
	}
	builtin.MockEvalSymlinks(&s.BaseTest, failingEval)

	rules, err := s.iface.ConnectedPlugSnippet(s.plug, s.gpioSlot, interfaces.SecurityAppArmor)

	// The resolver error must surface with the snippet-computation prefix.
	c.Assert(err, ErrorMatches, "cannot compute plug security snippet: broken symbolic link")
	// Fail closed: no AppArmor rule may be returned for a path that could not
	// be resolved.
	c.Assert(rules, IsNil)
}
// TestPermanentPlugSecurityDoesNotContainSlotSecurity checks that the
// permanent plug-side AppArmor snippet does not embed the permanent slot-side
// snippet generated for the GPIO slot.
func (s *BoolFileInterfaceSuite) TestPermanentPlugSecurityDoesNotContainSlotSecurity(c *C) {
	// Stub symlink evaluation so that it succeeds and returns the path as-is.
	identityEval := func(path string) (string, error) { return path, nil }
	builtin.MockEvalSymlinks(&s.BaseTest, identityEval)

	plugRules, err := s.iface.PermanentPlugSnippet(s.plug, interfaces.SecurityAppArmor)
	c.Assert(err, IsNil)

	slotRules, err := s.iface.PermanentSlotSnippet(s.gpioSlot, interfaces.SecurityAppArmor)
	c.Assert(err, IsNil)

	// Slot-side permissions must not show up in the plug-side snippet.
	// NOTE(review): bytes.Contains reports true for an empty needle, so this
	// assertion also fails when the slot snippet is empty. It only detects the
	// slot snippet as one contiguous byte run; individual slot rules appearing
	// separately in the plug snippet would not be caught.
	slotRulesInPlug := bytes.Contains(plugRules, slotRules)
	c.Assert(slotRulesInPlug, Equals, false)
}
// TestPlugSnippetDereferencesSymlinks checks that the connected-plug AppArmor
// rule is built from the path returned by symlink evaluation, for both the
// GPIO slot and the LED slot.
func (s *BoolFileInterfaceSuite) TestPlugSnippetDereferencesSymlinks(c *C) {
	// Stub symlink evaluation so that it succeeds and tags the path it was
	// given; the tag shows whether the emitted rule used the resolved path.
	taggingEval := func(path string) (string, error) {
		return "(dereferenced)" + path, nil
	}
	builtin.MockEvalSymlinks(&s.BaseTest, taggingEval)

	// GPIO value file: the rule must name the dereferenced path.
	wantGPIO := []byte("(dereferenced)/sys/class/gpio/gpio13/value rwk,\n")
	gpioRules, err := s.iface.ConnectedPlugSnippet(s.plug, s.gpioSlot, interfaces.SecurityAppArmor)
	c.Assert(err, IsNil)
	c.Assert(gpioRules, DeepEquals, wantGPIO)

	// LED brightness file: the rule must name the dereferenced path.
	wantLED := []byte("(dereferenced)/sys/class/leds/input27::capslock/brightness rwk,\n")
	ledRules, err := s.iface.ConnectedPlugSnippet(s.plug, s.ledSlot, interfaces.SecurityAppArmor)
	c.Assert(err, IsNil)
	c.Assert(ledRules, DeepEquals, wantLED)
}