QA Regression Testing

Merge ~alexmurray/qa-regression-testing:update-test-samba-to-run-under-apparmor into qa-regression-testing:master

  1. Git
  2. lp:~alexmurray/qa-regression-testing
  3. update-test-samba-to-run-under-apparmor
  4. Merge into master
Proposed by Alex Murray
Status: Needs review
Proposed branch: ~alexmurray/qa-regression-testing:update-test-samba-to-run-under-apparmor
Merge into: qa-regression-testing:master
Diff against target: 232 lines (+104/-6)
2 files modified
.launchpad.yaml (+16/-0)
scripts/test-samba.py (+88/-6)
Reviewer Review Type Date Requested Status
Steve Beattie Needs Fixing
Marc Deslauriers Approve
Review via email: mp+464872@code.launchpad.net

Description of the change

Includes the following changes:

scripts/test-samba.py: robustify handling of command-line args

Won't bork if run without -v now and should handle things more gracefully in
general

scripts/test-samba.py: test with apparmor profiles installed

To do this we then need to add some support for manually patching the apparmor
profile to allow the required path accesses by smbd.

scripts/test-samba.py: add local fix for upstream issue #386

To fix https://gitlab.com/apparmor/apparmor/-/issues/386 in noble manually add
some rules based on those in
https://gitlab.com/apparmor/apparmor/-/merge_requests/1219

.launchpad.yaml: add samba to lpci

Also skip a few tests in the lpci environment since we don't have permission to
mount there

To post a comment you must log in.
Revision history for this message
Alex Murray (alexmurray) wrote :

The primary motivation for the main change here (to run samba with apparmor-profiles installed and hence under confinement) is to catch any future instances of https://gitlab.com/apparmor/apparmor/-/issues/386

Reply
Revision history for this message
Alex Murray (alexmurray) wrote :

Bump - any chance to get a review on this one?

Reply
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

LGTM, though is your plan to fix the actual profiles and remove the workarounds in this script? It kind of defeats the purpose to have the workarounds here...

review: Approve
Reply
Revision history for this message
Steve Beattie (sbeattie) wrote :

Note that the tests are failing in focal and bionic because pre-usrmerge the apparmor_parser binary lived in /sbin/ as well as an issue with attempting to umount; see https://launchpadlibrarian.net/727074670/buildlog_ci_qa-regression-testing_1ffc82734f3224575281f37fed586bb559ef63d7_BUILDING.txt.gz

(Also, rather than having a seprate commit for merging changes from master, in this case to get the fixes to .launchpad.yaml, rebasing on top of master gives a cleaner history.)

Inline comment as well.

review: Needs Fixing
Reply
~alexmurray/qa-regression-testing:update-test-samba-to-run-under-apparmor updated
da83729... by Alex Murray

scripts/test-samba.py: use assertShellExitSuccess() as suggest by sbeattie

Signed-off-by: Alex Murray <email address hidden>

5efb927... by Alex Murray

scripts/test-samba.py: skip more tests in lpci that use mount

Signed-off-by: Alex Murray <email address hidden>

Revision history for this message
Alex Murray (alexmurray) wrote :

@mdeslaur - yep the plan is to remove these workarounds once apparmor 4.0.1 lands in noble via https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2064672 (or some other such upload to get the issue fixed directly in apparmor-profiles)

@sbeattie - thanks for the review - issues should be fixed in the two subsequent commits. Also I chose to merge to keep the original commits ids to try and preserve any previous comments against them but I realise now that was redundant as there were none :) - will try rebase and drop the merge commit and hopefully it doesn't break too much stuff.

Reply

Unmerged commits

5efb927... by Alex Murray

scripts/test-samba.py: skip more tests in lpci that use mount

Signed-off-by: Alex Murray <email address hidden>

Succeeded
[SUCCEEDED] imagemagick:0 (build)
[SUCCEEDED] imagemagick:1 (build)
[SUCCEEDED] imagemagick:2 (build)
[SUCCEEDED] gcc-security:0 (build)
[SUCCEEDED] gcc-security:1 (build)
[SUCCEEDED] gcc-security:2 (build)
[SUCCEEDED] glibc:0 (build)
[SUCCEEDED] glibc:1 (build)
[SUCCEEDED] glibc:2 (build)
[SUCCEEDED] glibc-security:0 (build)
[SUCCEEDED] glibc-security:1 (build)
[SUCCEEDED] glibc-security:2 (build)
[SUCCEEDED] gnupg:0 (build)
[SUCCEEDED] gnupg:1 (build)
[SUCCEEDED] gnupg:2 (build)
[SUCCEEDED] sudo:0 (build)
[SUCCEEDED] sudo:1 (build)
[SUCCEEDED] sudo:2 (build)
[SUCCEEDED] git:0 (build)
[SUCCEEDED] git:1 (build)
[SUCCEEDED] git:2 (build)
[SUCCEEDED] ghostscript:0 (build)
[SUCCEEDED] ghostscript:1 (build)
[SUCCEEDED] ghostscript:2 (build)
[SUCCEEDED] busybox:0 (build)
[SUCCEEDED] busybox:1 (build)
[SUCCEEDED] busybox:2 (build)
[SUCCEEDED] coreutils:0 (build)
[SUCCEEDED] coreutils:1 (build)
[SUCCEEDED] coreutils:2 (build)
[SUCCEEDED] util-linux:0 (build)
[SUCCEEDED] util-linux:1 (build)
[SUCCEEDED] util-linux:2 (build)
[SUCCEEDED] ecdsautils:0 (build)
[SUCCEEDED] ecdsautils:1 (build)
[SUCCEEDED] ecdsautils:2 (build)
[SUCCEEDED] python-urllib3:0 (build)
[SUCCEEDED] python-urllib3:1 (build)
[SUCCEEDED] python-urllib3:2 (build)
[SUCCEEDED] amanda:0 (build)
[SUCCEEDED] amanda:1 (build)
[SUCCEEDED] samba:0 (build)
[SUCCEEDED] samba:1 (build)
[SUCCEEDED] samba:2 (build)
144 of 44 results FirstPreviousNextLast
da83729... by Alex Murray

scripts/test-samba.py: use assertShellExitSuccess() as suggest by sbeattie

Signed-off-by: Alex Murray <email address hidden>

c7edc74... by Alex Murray

.launchpad.yaml: add samba to lpci

Also skip a few tests in the lpci environment since we don't have permission to
mount there

Signed-off-by: Alex Murray <email address hidden>

71f83c1... by Alex Murray

scripts/test-samba.py: add local fix for upstream issue #386

To fix https://gitlab.com/apparmor/apparmor/-/issues/386 in noble manually add
some rules based on those in
https://gitlab.com/apparmor/apparmor/-/merge_requests/1219

Signed-off-by: Alex Murray <email address hidden>

96b9f5b... by Alex Murray

scripts/test-samba.py: test with apparmor profiles installed

To do this we then need to add some support for manually patching the apparmor
profile to allow the required path accesses by smbd.

Signed-off-by: Alex Murray <email address hidden>

9a73a0c... by Alex Murray

scripts/test-samba.py: robustify handling of command-line args

Won't bork if run without -v now and should handle things more gracefully in
general

Signed-off-by: Alex Murray <email address hidden>

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1diff --git a/.launchpad.yaml b/.launchpad.yaml
2index a32b91d..c498f70 100644
3--- a/.launchpad.yaml
4+++ b/.launchpad.yaml
5@@ -14,6 +14,7 @@ pipeline:
6 - ecdsautils
7 - python-urllib3
8 - amanda
9+ - samba
10
11 jobs:
12 imagemagick:
13@@ -226,3 +227,18 @@ jobs:
14 DEBIAN_FRONTEND=noninteractive apt upgrade --assume-yes
15 run: |
16 ./lpcraft-runner amanda
17+
18+ samba:
19+ matrix:
20+ - series: jammy
21+ architectures: amd64
22+ - series: focal
23+ architectures: amd64
24+ - series: bionic
25+ architectures: amd64
26+ packages:
27+ - sudo
28+ run-before: |
29+ DEBIAN_FRONTEND=noninteractive apt upgrade --assume-yes
30+ run: |
31+ ./lpcraft-runner samba
32diff --git a/scripts/test-samba.py b/scripts/test-samba.py
33index df2e6b5..d2adfe0 100755
34--- a/scripts/test-samba.py
35+++ b/scripts/test-samba.py
36@@ -19,7 +19,7 @@
37 # along with this program. If not, see <http://www.gnu.org/licenses/>.
38 #
39
40-# QRT-Packages: samba smbclient bind9-host sudo
41+# QRT-Packages: samba smbclient bind9-host sudo apparmor-profiles linux-generic
42 # QRT-Alternates: smbfs cifs-utils
43
44 '''
45@@ -81,6 +81,8 @@ class SambaCommon(testlib.TestlibCase):
46 rc, report = testlib.cmd(["/sbin/ip", "-4", "route", "list", "0/0"])
47 interface = report.split("\n")[0].split()[4]
48
49+ # ensure real_ip is defined
50+ self.real_ip = self.ip
51 rc, report = testlib.cmd(["/sbin/ip", "-4", "address", "show", "dev", interface])
52 for line in report.split("\n"):
53 if line.strip().startswith("inet"):
54@@ -267,6 +269,29 @@ class SambaCommon(testlib.TestlibCase):
55 self._testparm()
56 self._restart()
57
58+ def _add_apparmor_rule(self, rule, path):
59+ contents = None
60+ if os.path.exists(path):
61+ with open(path, "r") as f:
62+ contents = f.read()
63+ new_contents = ""
64+ for line in contents.splitlines():
65+ # append rule before the end of the profile
66+ if line == "}":
67+ new_contents = new_contents + " " + rule + "\n"
68+ new_contents = new_contents + line + "\n"
69+ with open(path, "w") as f:
70+ f.write(new_contents)
71+ self.assertShellExitSuccess(['apparmor_parser', '-r', path])
72+ return (contents, path)
73+
74+ def _restore_apparmor_profile(self, profile):
75+ contents, path = profile
76+ if contents is not None:
77+ with open(path, "w") as f:
78+ f.write(contents)
79+ self.assertShellExitSuccess(['apparmor_parser', '-r', path])
80+
81 def _word_find(self, report, name):
82 '''Check for a specific string'''
83 warning = 'Could not find "%s"\n' % name
84@@ -444,9 +469,26 @@ class SambaTmp(SambaCommon):
85 ''', append=True)
86 self._testparm()
87 self._restart()
88+ # ensure that apparmor will allow access to /tmp - NOTE this should happen
89+ # automatically in noble+ when restarting smbd once LP: #2063079 is
90+ # resolved
91+ self.orig_profile = self._add_apparmor_rule("/tmp{,/**} rw,", "/etc/apparmor.d/usr.sbin.smbd")
92+ # add some rules for samba-rpcd-classic as well until this is fixed in
93+ # the apparmor-profiles package (see
94+ # https://gitlab.com/apparmor/apparmor/-/issues/386 for more details)
95+ self.orig_rpcd_classic = self._add_apparmor_rule("""
96+@{run}/samba/ncalrpc/np/srvsvc wr,
97+@{run}/samba/ncalrpc/np/winreg wr,
98+/dev/urandom rw,
99+/usr/lib*/samba/{,samba/}samba-dcerpcd Px -> samba-dcerpcd,
100+""",
101+ path="/etc/apparmor.d/samba-rpcd-classic")
102
103 def tearDown(self):
104 '''Tear down method'''
105+ # revert apparmor profiles
106+ self._restore_apparmor_profile(self.orig_profile)
107+ self._restore_apparmor_profile(self.orig_rpcd_classic)
108 self._tearDown()
109
110 def test_tmp_browse(self):
111@@ -704,6 +746,11 @@ class SambaSmbfs(SambaCommon):
112 self.mountpoint = tempfile.mkdtemp(prefix='testlib', dir='/mnt')
113 os.chmod(self.mountpoint, 0o755)
114
115+ # ensure that apparmor will allow access to /tmp - NOTE this should happen
116+ # automatically in noble+ when restarting smbd once LP: #2063079 is
117+ # resolved
118+ self.orig_profile = self._add_apparmor_rule("/tmp{,/**} rw,", "/etc/apparmor.d/usr.sbin.smbd")
119+
120 self.testdir = tempfile.mkdtemp(prefix='testlib', dir='/tmp')
121 os.chmod(self.testdir, 0o1777)
122
123@@ -715,6 +762,8 @@ class SambaSmbfs(SambaCommon):
124 if os.path.exists(self.testdir):
125 testlib.recursive_rm(self.testdir)
126 self.user = None
127+ # revert apparmor profile
128+ self._restore_apparmor_profile(self.orig_profile)
129 self._tearDown()
130
131 def test_guest(self):
132@@ -830,6 +879,10 @@ class SambaUnixext(SambaCommon):
133 self._testparm()
134 self._restart()
135
136+ @unittest.skipIf(
137+ 'LPCRAFT_QRT_RUNNER' in os.environ,
138+ 'unable to mount in lpci environment'
139+ )
140 def test_default(self):
141 '''(SambaUnixext) Default options'''
142
143@@ -951,6 +1004,10 @@ class SambaUnixext(SambaCommon):
144 self.assertEqual(expected, rc, result + report)
145
146
147+ @unittest.skipIf(
148+ 'LPCRAFT_QRT_RUNNER' in os.environ,
149+ 'unable to mount in lpci environment'
150+ )
151 def test_unixextandwldis(self):
152 '''(SambaUnixext) Test with unix extensions and wide links disabled'''
153
154@@ -1029,6 +1086,11 @@ class SambaCifs(SambaCommon):
155 self.testdir = tempfile.mkdtemp(prefix='testlib', dir='/tmp')
156 os.chmod(self.testdir, 0o1777)
157
158+ # ensure that apparmor will allow access to /tmp - NOTE this should happen
159+ # automatically in noble+ when restarting smbd once LP: #2063079 is
160+ # resolved
161+ self.orig_profile = self._add_apparmor_rule("/tmp{,/**} rw,", "/etc/apparmor.d/usr.sbin.smbd")
162+
163 def tearDown(self):
164 '''Tear down method'''
165 subprocess.call(['umount', self.mountpoint])
166@@ -1041,8 +1103,14 @@ class SambaCifs(SambaCommon):
167 if os.path.exists(self.creds):
168 os.unlink(self.creds)
169 self.user = None
170+ # revert apparmor profile
171+ self._restore_apparmor_profile(self.orig_profile)
172 self._tearDown()
173
174+ @unittest.skipIf(
175+ 'LPCRAFT_QRT_RUNNER' in os.environ,
176+ 'unable to mount in lpci environment'
177+ )
178 def test_guest(self):
179 '''(SambaCifs) Guest mount (read-only)'''
180
181@@ -1059,6 +1127,10 @@ class SambaCifs(SambaCommon):
182
183 SambaCommon._test_dir_list(self, self.mountpoint)
184
185+ @unittest.skipIf(
186+ 'LPCRAFT_QRT_RUNNER' in os.environ,
187+ 'unable to mount in lpci environment'
188+ )
189 def test_user(self):
190 '''(SambaCifs) User mount (read/write)'''
191 self.user = self._adduser()
192@@ -1152,6 +1224,10 @@ class SambaCifs(SambaCommon):
193 result = 'Found user password in report\n'
194 self.assertFalse(self.user.password in report, result + report)
195
196+ @unittest.skipIf(
197+ 'LPCRAFT_QRT_RUNNER' in os.environ,
198+ 'unable to mount in lpci environment'
199+ )
200 def test_number_files(self):
201 '''(SambaCifs) Test number of files'''
202
203@@ -1203,6 +1279,10 @@ class SambaHomes(SambaCommon):
204 self.nohome_user = None
205 self._tearDown()
206
207+ @unittest.skipIf(
208+ 'LPCRAFT_QRT_RUNNER' in os.environ,
209+ 'unable to mount in lpci environment'
210+ )
211 def test_homedir_user(self):
212 '''(SambaHomes) Regular User mount'''
213
214@@ -1392,11 +1472,13 @@ if __name__ == '__main__':
215 ubuntu_version = testlib.manager.lsb_release["Release"]
216
217 tmpserve = False
218- if (len(sys.argv) == 1 or sys.argv[1] != '-v'):
219- if sys.argv[1] == "tmpserve":
220- tmpserve = True
221- else:
222- test_client = sys.argv[1]
223+ if "tmpserve" in sys.argv:
224+ tmpserve = True
225+ elif len(sys.argv) > 1:
226+ # infer test_client as the first non -v argument
227+ args = [arg for arg in sys.argv[1:] if arg != "-v"]
228+ if args:
229+ test_client = args[0]
230
231 if tmpserve:
232 # useful for testing apps that use samba

Subscribers

People subscribed via source and target branches