authorPawel Stolowski <stolowski@gmail.com>2022-06-13 11:42:44 +0200
committerGitHub <noreply@github.com>2022-06-13 11:42:44 +0200
commitd50856ecb14e54ab2fbcd2785618c6d84feab1ed (patch)
treef539378ea0717aa3686778f76cb3bd8b8ef21881
parent95dc06253504288da1d1e0fe00d739107b482618 (diff)
interfaces: update network-control interface with permissions required by resolvectl
* Update network-control interface with permissions required by resolvectl command. * Split send/receive permissions (thanks alexmurray). * CentOS, Debian, Arch and Amazon Linux don't have resolvectl installed, so don't run there Co-authored-by: Maciej Borzecki <maciek.borzecki@gmail.com> Co-authored-by: Maciej Borzecki <maciek.borzecki@gmail.com>
-rw-r--r--interfaces/builtin/network_control.go33
-rw-r--r--tests/main/interfaces-network-control/network-control-consumer/meta/snap.yaml1
-rw-r--r--tests/main/interfaces-network-control/task.yaml10
3 files changed, 44 insertions, 0 deletions
diff --git a/interfaces/builtin/network_control.go b/interfaces/builtin/network_control.go
index c6b25c6eff..6d753c1f20 100644
--- a/interfaces/builtin/network_control.go
+++ b/interfaces/builtin/network_control.go
@@ -68,6 +68,38 @@ dbus (send)
member="SetLink{DefaultRoute,DNSOverTLS,DNS,DNSEx,DNSSEC,DNSSECNegativeTrustAnchors,MulticastDNS,Domains,LLMNR}"
peer=(label=unconfined),
+# required by resolvectl command
+dbus (send)
+ bus=system
+ path="/org/freedesktop/resolve1"
+ interface=org.freedesktop.DBus.Properties
+ member=Get{,All}
+ peer=(label=unconfined),
+
+# required by resolvectl command
+dbus (receive)
+ bus=system
+ path="/org/freedesktop/resolve1"
+ interface=org.freedesktop.DBus.Properties
+ member=PropertiesChanged
+ peer=(label=unconfined),
+
+# required by resolvectl command
+dbus (send)
+ bus=system
+ path="/org/freedesktop/resolve1/link/*"
+ interface="org.freedesktop.DBus.Properties"
+ member=Get{,All}
+ peer=(label=unconfined),
+
+# required by resolvectl command
+dbus (receive)
+ bus=system
+ path="/org/freedesktop/resolve1/link/*"
+ interface="org.freedesktop.DBus.Properties"
+ member=PropertiesChanged
+ peer=(label=unconfined),
+
#include <abstractions/ssl_certs>
capability net_admin,
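Review bot: The comment `# required by resolvectl command` is repeated on all four new rules without saying what each one grants, so a later reader cannot tell the read-only `Get{,All}` property queries from the `PropertiesChanged` signal receipt, or judge which of them resolvectl actually needs. I would comment the send rules along the lines of `# resolvectl status: read properties of the resolve1 manager and its per-link objects` and the receive rules `# property-change signals from systemd-resolved`. It is also worth confirming that the receive rules are backed by an observed denial, since the test in this commit only runs bare `resolvectl`. The `interface=` value is unquoted in the first two rules and quoted in the last two; pick one form. The policy text these rules belong to starts and ends outside the hunk.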
@@ -131,6 +163,7 @@ network sna,
/{,usr/}{,s}bin/pppdump ixr,
/{,usr/}{,s}bin/pppoe-discovery ixr,
#/{,usr/}{,s}bin/pppstats ixr, # needs sys_module
+/{,usr/}{,s}bin/resolvectl ixr,
/{,usr/}{,s}bin/route ixr,
/{,usr/}{,s}bin/routef ixr,
/{,usr/}{,s}bin/routel ixr,
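Review bot: The added `resolvectl ixr` line lets the tool run under the snap's own profile, so what it can reach is bounded by the dbus rules elsewhere in this policy rather than by this line; a trailing comment such as `# inherits the snap profile; D-Bus access limited by the resolve1 rules above` would make that explicit, in the same way the neighbouring `pppstats` line carries `# needs sys_module`. Only the `resolvectl` name is allowed here. If snaps on older bases ship the same client under the name `systemd-resolve`, no line visible in this hunk covers it; the test snap's move to `base: core20` in this commit hints that this may matter, but that is an inference. The rule list continues outside the hunk.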
diff --git a/tests/main/interfaces-network-control/network-control-consumer/meta/snap.yaml b/tests/main/interfaces-network-control/network-control-consumer/meta/snap.yaml
index b6d77dca82..4fa97b850a 100644
--- a/tests/main/interfaces-network-control/network-control-consumer/meta/snap.yaml
+++ b/tests/main/interfaces-network-control/network-control-consumer/meta/snap.yaml
@@ -2,6 +2,7 @@ name: network-control-consumer
version: 1.0
summary: Basic network-control consumer snap
description: A basic snap declaring a plug on network-control
+base: core20
apps:
cmd:
diff --git a/tests/main/interfaces-network-control/task.yaml b/tests/main/interfaces-network-control/task.yaml
index 40984acb92..7b4cd7673d 100644
--- a/tests/main/interfaces-network-control/task.yaml
+++ b/tests/main/interfaces-network-control/task.yaml
@@ -54,6 +54,16 @@ execute: |
echo "Then the snap command can query network status information"
network-control-consumer.cmd ss -lnt | MATCH "LISTEN.*:$PORT"
+ echo "And DNS information"
+ case "$SPREAD_SYSTEM" in
+ centos-*|debian-*|arch-linux-*|amazon-linux-*)
+ # echo no systemd-resolved in those images
+ ;;
+ *)
+ network-control-consumer.cmd resolvectl | MATCH "DNS Server"
+ ;;
+ esac
+
if [ "$(snap debug confinement)" = strict ] ; then
echo "When the plug is disconnected"
snap disconnect network-control-consumer:network-control
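Review bot: The new DNS check covers only the connected case: nothing in the visible lines asserts that `network-control-consumer.cmd resolvectl` fails once the plug is disconnected, which is what would show the new access is really gated by the interface. The disconnected section continues past the end of this hunk, so if it has no such check I would add one there, under the same `$SPREAD_SYSTEM` exclusion. Separately, `# echo no systemd-resolved in those images` reads like a disabled command; write it as `# no systemd-resolved in those images`, or make it a real `echo` so the skip shows up in the test log.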