Merge ~alexmurray/qa-regression-testing:kernel-lockdown-support into qa-regression-testing:master
Proposed by
Alex Murray
Status: | Rejected |
---|---|
Rejected by: | Alex Murray |
Proposed branch: | ~alexmurray/qa-regression-testing:kernel-lockdown-support |
Merge into: | qa-regression-testing:master |
Diff against target: | 44 lines (+22/-0), 2 files modified: scripts/test-apparmor.py (+1/-0), scripts/testlib.py (+21/-0) |
Related bugs: |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Steve Beattie | Pending | ||
Review via email: mp+416573@code.launchpad.net |
Description of the change
The apparmor regression tests fail when using UEFI secure boot (and hence when kernel lockdown is enabled) since the ioperm/iopl tests fail due to being disallowed by locked when they are expected to pass.
On Wed, Mar 09, 2022 at 06:09:21AM -0000, Alex Murray wrote:
> Alex Murray has proposed merging ~alexmurray/qa-regression-testing:kernel-lockdown-support into qa-regression-testing:master.
>
> Requested reviews:
> Steve Beattie (sbeattie)
>
> For more details, see:
> https://code.launchpad.net/~alexmurray/qa-regression-testing/+git/qa-regression-testing/+merge/416573
>
> The apparmor regression tests fail when using UEFI secure boot (and
> hence when kernel lockdown is enabled) since the ioperm/iopl tests
> fail due to being disallowed by locked when they are expected to pass.
I understand why you want to fix this in this way, but this is
realistically a bug in the upstream test suite; if in lockdown mode,
the ioperm/iopl tests should be skipped or possibly be XFAIL.
(Would also be nice to have some lockdown tests against the kernel
that ensure the things that are supposed to be enforced by lockdown
actually are.)
> --
> You are requested to review the proposed merge of ~alexmurray/qa-regression-testing:kernel-lockdown-support into qa-regression-testing:master.
> diff --git a/scripts/ test-apparmor. py b/scripts/ test-apparmor. py test-apparmor. py test-apparmor. py ainConnect( testlib. TestlibCase) : require_ sudo() require_ nolockdown( ) subdomain- stress" in sys.argv: testlib. py b/scripts/ testlib. py testlib. py testlib. py ["journalctl" , "-k", "-b0"], ["grep", "-q", "-i", "kernel is locked down from EFI secure boot"]) security/ lockdown exists( "/sys/kernel/ security/ lockdown" ): security/ lockdown" ]) nolockdown( ):
> index 7a92efc..14a8f6f 100755
> --- a/scripts/
> +++ b/scripts/
> @@ -3211,6 +3211,7 @@ class ApparmorUnixDom
>
> if __name__ == '__main__':
> testlib.
> + testlib.
>
> if (len(sys.argv) > 1 and sys.argv[1] != '-v'):
> if "--with-
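Review bot: The added `testlib.` call in the `if __name__ == '__main__':` block (its name is cut off in this rendering; the residue on the `diff --git` line reads `require_ nolockdown( )`) gates the whole script on lockdown being off, while the description says only the ioperm/iopl tests fail under lockdown. Since `require_nolockdown()` ends in `sys.exit(1)`, a secure-boot machine would run none of the AppArmor tests and the run would report a failure rather than a skip. Consider calling `is_lockeddown()` inside the ioperm/iopl test cases and skipping only those, so the rest of the suite still runs on locked-down kernels.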
> diff --git a/scripts/
> index 5bce8fa..e92312b 100644
> --- a/scripts/
> +++ b/scripts/
> @@ -225,6 +225,27 @@ def timeout(secs, f, *args):
> return result
>
>
> +def is_lockeddown():
> + rc, _ = cmd_pipe(
> + if rc == 0:
> + return True
> + # try interrogating /sys/kernel/
> + if os.path.
> + rc = cmd(["grep", "-q", "\\[none\\]", "/sys/kernel/
> + if rc == 0:
> + return True
> + return False
> +
> +def require_
> + if is_lockeddown():
> + print("This series of tests requires the lockdown LSM to be disabled.", file=sys.stderr)
> + sys.exit(1)
> +
> +def require_lockdown():
> + if not is_lockeddown():
> + print("This series of tests requires the lockdown LSM to be enabled.", file=sys.stderr)
> + sys.exit(1)
> +
> def require_nonroot():
> if os.geteuid() == 0:
> print("This series of tests should be run as a regular user with sudo access, not as root.", file=sys.stderr)
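Review bot: In `is_lockeddown()`, the sysfs fallback looks inverted: `grep -q "\\[none\\]"` exits 0 when `[none]` is the bracketed (active) mode in the lockdown file, which is the not-locked-down state, yet the following `if rc == 0: return True` reports lockdown. The check should return True when `[none]` is not matched, or match `[integrity]` / `[confidentiality]` instead. Two smaller points in the same function: the first call unpacks `rc, _ = cmd_pipe(` while the second assigns `rc = cmd(` whole, so if `cmd` returns the same shape as `cmd_pipe` the comparison `rc == 0` never holds; and the journal grep depends on the boot message still being retained and on its exact wording, so reading the sysfs file first and treating the journal as the fallback would be more robust. A short docstring on each of the three new helpers stating what "locked down" means here (any mode other than none) would also help callers.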
--
Steve Beattie
<email address hidden>