i/builtin: mock apparmor consistently for the tests (canonical#14376)

also add a "allow all" test as there wasn't one afaict
olivercalder · Aug 16, 2024 · 552151e · 552151e
1 parent e53cf32
commit 552151e
Showing 1 changed file with 15 additions and 0 deletions.
diff --git a/interfaces/builtin/lxd_support_test.go b/interfaces/builtin/lxd_support_test.go
@@ -94,6 +94,8 @@ apps:
 }
 
 func (s *LxdSupportInterfaceSuite) TestAppArmorSpec(c *C) {
+	r := apparmor_sandbox.MockFeatures(nil, nil, nil, nil)
+	defer r()
 	appSet, err := interfaces.NewSnapAppSet(s.plug.Snap(), nil)
 	c.Assert(err, IsNil)
 	spec := apparmor.NewSpecification(appSet)
@@ -115,6 +117,19 @@ func (s *LxdSupportInterfaceSuite) TestAppArmorSpecUserNS(c *C) {
 	c.Assert(spec.SnippetForTag("snap.consumer.app"), testutil.Contains, "userns,\n")
 }
 
+func (s *LxdSupportInterfaceSuite) TestAppArmorSpecAllowAll(c *C) {
+	r := apparmor_sandbox.MockLevel(apparmor_sandbox.Full)
+	defer r()
+	r = apparmor_sandbox.MockFeatures(nil, nil, []string{"allow-all"}, nil)
+	defer r()
+	appSet, err := interfaces.NewSnapAppSet(s.plug.Snap(), nil)
+	c.Assert(err, IsNil)
+	spec := apparmor.NewSpecification(appSet)
+	c.Assert(spec.AddConnectedPlug(s.iface, s.plug, s.slot), IsNil)
+	c.Assert(spec.SecurityTags(), DeepEquals, []string{"snap.consumer.app"})
+	c.Assert(spec.SnippetForTag("snap.consumer.app"), testutil.Contains, "allow all,\n")
+}
+
 func (s *LxdSupportInterfaceSuite) TestAppArmorSpecUnconfined(c *C) {
 	appSet, err := interfaces.NewSnapAppSet(s.plugInfo.Snap, nil)
 	c.Assert(err, IsNil)