interfaces/builtin: allow missing resolve1 link setters#16807
Open
zyga wants to merge 1 commit intocanonical:masterfrom
Open
interfaces/builtin: allow missing resolve1 link setters#16807zyga wants to merge 1 commit intocanonical:masterfrom
zyga wants to merge 1 commit intocanonical:masterfrom
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
This PR updates the AppArmor DBus rules for the network-control and network-manager built-in interfaces to permit additional org.freedesktop.resolve1.Link setter methods that were already permitted on org.freedesktop.resolve1.Manager, and adds regression tests to prevent future omissions.
Changes:
- Extend the allowed
org.freedesktop.resolve1.LinkSet{...}member list to includeDefaultRoute,DNSOverTLS, andDNSExfor both interfaces. - Add regression assertions in the corresponding test suites to validate the presence of the updated member list.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| interfaces/builtin/network_manager.go | Expands the resolve1 Link Set{...} member list in the network-manager AppArmor snippet. |
| interfaces/builtin/network_manager_test.go | Adds an assertion intended to guard the updated resolve1 Link member list. |
| interfaces/builtin/network_control.go | Expands the resolve1 Link Set{...} member list in the network-control AppArmor snippet. |
| interfaces/builtin/network_control_test.go | Adds a regression assertion covering the updated resolve1 Link member list. |
| err = apparmorSpec.AddPermanentSlot(s.iface, s.slotInfo) | ||
| c.Assert(err, IsNil) | ||
| c.Assert(apparmorSpec.SecurityTags(), HasLen, 1) | ||
| c.Assert(apparmorSpec.SnippetForTag("snap.network-manager.nm"), testutil.Contains, `member="Set{DefaultRoute,DNS,DNSEx,DNSSEC,DNSSECNegativeTrustAnchors,DNSOverTLS,Domains,LLMNR,MulticastDNS}"`) |
There was a problem hiding this comment.
These new assertions verify the Link Set{...} member list contains the expected methods, but they don’t actually check that the Link list stays in sync with the corresponding SetLink{...} member list in the same snippet (as described in the PR). Consider asserting both lists are equivalent (e.g., by extracting a shared expected member list) so future changes can’t update one without the other.
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## master #16807 +/- ##
==========================================
- Coverage 77.63% 77.55% -0.08%
==========================================
Files 1351 1365 +14
Lines 188484 188785 +301
Branches 2446 2446
==========================================
+ Hits 146322 146421 +99
- Misses 33338 33523 +185
- Partials 8824 8841 +17
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
zyga
added
the
Needs security review
|
Thu Mar 26 12:42:36 UTC 2026 Failures:Executing:
Restoring:
Skipped tests from snapd-testing-skipIf you wish to have any of the below tests run in your PR, in your PR description, add 'unskip:' followed by a copy-and-pasted list (without variants) of the below tests you wish to run (unskip plus test list must be valid yaml)
|
The network-control and network-manager AppArmor snippets allowed
SetLink{DefaultRoute,DNSOverTLS,DNS,DNSEx,...} on
org.freedesktop.resolve1.Manager but omitted the equivalent methods
on org.freedesktop.resolve1.Link.
Add DefaultRoute, DNSOverTLS, and DNSEx to the Link member list
for both interfaces, and add regression checks in the corresponding
tests to ensure the member set stays in sync.
Fixes: https://bugs.launchpad.net/bugs/2143934
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The network-control and network-manager AppArmor snippets allowed
SetLink{DefaultRoute,DNSOverTLS,DNS,DNSEx,...} on
org.freedesktop.resolve1.Manager but omitted the equivalent methods
on org.freedesktop.resolve1.Link.
Add DefaultRoute, DNSOverTLS, and DNSEx to the Link member list
for both interfaces, and add regression checks in the corresponding
tests to ensure the member set stays in sync.
Fixes: https://bugs.launchpad.net/bugs/2143934