Merge ~alexmurray/qa-regression-testing:kernel-lockdown-support into qa-regression-testing:master

On Wed, Mar 09, 2022 at 06:09:21AM -0000, Alex Murray wrote:
> Alex Murray has proposed merging ~alexmurray/qa-regression-testing:kernel-lockdown-support into qa-regression-testing:master.
>
> Requested reviews:
> Steve Beattie (sbeattie)
>
> For more details, see:
> https://code.launchpad.net/~alexmurray/qa-regression-testing/+git/qa-regression-testing/+merge/416573
>
> The apparmor regression tests fail when using UEFI secure boot (and
> hence when kernel lockdown is enabled) since the ioperm/iopl tests
> fail due to being disallowed by locked when they are expected to pass.

I understand why you want to fix this in this way, but this is
realistically a bug in the upstream test suite; if in lockdown mode,
the ioperm/opl tests should be skipped or possibly by XFAIL.

(Would also be nice to have some lockdown tests against the kernel
that ensure the things that are supposed to be enforced by lockdown
actually are.)

> --
> You are requested to review the proposed merge of ~alexmurray/qa-regression-testing:kernel-lockdown-support into qa-regression-testing:master.

> diff --git a/scripts/test-apparmor.py b/scripts/test-apparmor.py
> index 7a92efc..14a8f6f 100755
> --- a/scripts/test-apparmor.py
> +++ b/scripts/test-apparmor.py
> @@ -3211,6 +3211,7 @@ class ApparmorUnixDomainConnect(testlib.TestlibCase):
>
> if __name__ == '__main__':
> testlib.require_sudo()
> + testlib.require_nolockdown()
>
> if (len(sys.argv) > 1 and sys.argv[1] != '-v'):
> if "--with-subdomain-stress" in sys.argv:
> diff --git a/scripts/testlib.py b/scripts/testlib.py
> index 5bce8fa..e92312b 100644
> --- a/scripts/testlib.py
> +++ b/scripts/testlib.py
> @@ -225,6 +225,27 @@ def timeout(secs, f, *args):
> return result
>
>
> +def is_lockeddown():
> + rc, _ = cmd_pipe(["journalctl", "-k", "-b0"], ["grep", "-q", "-i", "kernel is locked down from EFI secure boot"])
> + if rc == 0:
> + return True
> + # try interrogating /sys/kernel/security/lockdown
> + if os.path.exists("/sys/kernel/security/lockdown"):
> + rc = cmd(["grep", "-q", "\\[none\\]", "/sys/kernel/security/lockdown"])
> + if rc == 0:
> + return True
> + return False
> +
> +def require_nolockdown():
> + if is_lockeddown():
> + print("This series of tests requires the lockdown LSM to be disabled.", file=sys.stderr)
> + sys.exit(1)
> +
> +def require_lockdown():
> + if not is_lockeddown():
> + print("This series of tests requires the lockdown LSM to be enabled.", file=sys.stderr)
> + sys.exit(1)
> +
> def require_nonroot():
> if os.geteuid() == 0:
> print("This series of tests should be run as a regular user with sudo access, not as root.", file=sys.stderr)

--
Steve Beattie
<email address hidden>

On Tue, Mar 15, 2022 at 09:27:16PM -0000, Steve Beattie wrote:
> I understand why you want to fix this in this way, but this is
> realistically a bug in the upstream test suite; if in lockdown mode,
> the ioperm/opl tests should be skipped or possibly by XFAIL.

FYI, https://gitlab.com/apparmor/apparmor/-/issues/226 was filed for
this issue with upstream apparmor. When we have a fix there, we can
incorporate it as a patch into qrt like some of the other apparmor
regression test fixes we've had to bring back.

Thanks.

--
Steve Beattie
<email address hidden>