test_grsecurity improvements to run against kernel test farm by legoktm · Pull Request #7542 · freedomofpress/securedrop · GitHub

test_grsecurity improvements to run against kernel test farm #7542

Merged
merged 2 commits into from
May 12, 2025

legoktm (Member) commented May 8, 2025

Status

Ready for review

Description of Changes

  • Don't remove paxtest if it was previously installed
  • Don't assert hostname in test_paxctld_focal

See individual commit messages for further details.

Testing

How should the reviewer test this PR?

  • staging CI passes

Deployment

Any special considerations for deployment? n/a

legoktm added 2 commits May 8, 2025 18:09
The testinfra tests automatically remove paxtest once the test is done,
but for cases where it's preinstalled, like on the kernel farm hosts,
that's annoying.

So let's only uninstall it if we were the ones who installed it.

It fails on the kernel test farm hosts, which use different hostnames,
but more importantly, it's unnecessary. The relevant apache2 paxctld
rule is set on both app and mon servers, unconditionally.
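
The cleanup rule from the first commit message above (uninstall paxtest only if the test run installed it), as an added example that is not code from this pull request. `FakeHost`, `temporary_package` and `run_check` are hypothetical names, and the host is a constructed in-memory stand-in, not a testinfra host.

```python
from contextlib import contextmanager


class FakeHost:
    """Constructed stand-in for a remote test host; not testinfra's API."""

    def __init__(self, installed=()):
        self.installed = set(installed)
        self.log = []  # ordered record of package actions taken by the tests

    def is_installed(self, pkg):
        return pkg in self.installed

    def install(self, pkg):
        self.log.append(("install", pkg))
        self.installed.add(pkg)

    def remove(self, pkg):
        self.log.append(("remove", pkg))
        self.installed.discard(pkg)


@contextmanager
def temporary_package(host, pkg):
    """Make pkg available for a test; on exit, remove it only if we added it."""
    preinstalled = host.is_installed(pkg)  # record state before touching it
    if not preinstalled:
        host.install(pkg)
    try:
        yield preinstalled
    finally:
        # Cleanup runs even when the test body raises, but never
        # uninstalls a package the host already had.
        if not preinstalled:
            host.remove(pkg)


def run_check(host, fail=False):
    """Run a placeholder test body and return the host's action log."""
    try:
        with temporary_package(host, "paxtest"):
            if fail:
                raise AssertionError("constructed test failure")
    except AssertionError:
        pass
    return host.log
```
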
@legoktm legoktm requested a review from a team as a code owner May 8, 2025 22:35
@legoktm legoktm moved this to Ready For Review in SecureDrop May 8, 2025
@cfm cfm moved this from Ready For Review to Under Review in SecureDrop May 12, 2025
cfm (Member) left a comment

Looks good. Staging CI is failing, but the failures are unrelated to these changes:

  • Focal: molecule/testinfra/common/test_automatic_updates.py
 __________ test_unattended_upgrades_functional[ansible://app-staging] __________
[gw1] linux -- Python 3.9.2 /home/sdci/securedrop-source/.venv/bin/python

host = <testinfra.host.Host ansible://app-staging>

    def test_unattended_upgrades_functional(host):
        """
        Ensure unattended-upgrades completes successfully and ensures all packages
        are up-to-date.
        """
        c = host.run("sudo unattended-upgrades --dry-run --debug")
>       assert c.rc == 0
E       assert 1 == 0
E        +  where 1 = CommandResult(command=b'sudo unattended-upgrades --dry-run --debug', exit_status=1, stdout=b"Starting unattended upgrades script\nAllowed origins are: origin=Ubuntu,archive=focal, origin=Ubuntu,archive=focal-security, origin=Ubuntu,archive=focal-updates, origin=SecureDrop,codename=focal\nInitial blacklist: \nInitial whitelist (not strict): \nUsing (^linux-.*-[1-9][0-9]*\\.[0-9]+\\.[0-9]+-[0-9]+(-.+)?$|^kfreebsd-.*-[1-9][0-9]*\\.[0-9]+\\.[0-9]+-[0-9]+(-.+)?$|^gnumach-.*-[1-9][0-9]*\\.[0-9]+\\.[0-9]+-[0-9]+(-.+)?$|^.*-modules-[1-9][0-9]*\\.[0-9]+\\.[0-9]+-[0-9]+(-.+)?$|^.*-kernel-[1-9][0-9]*\\.[0-9]+\\.[0-9]+-[0-9]+(-.+)?$|^linux-.*-[1-9][0-9]*\\.[0-9]+\\.[0-9]+-[0-9]+(-.+)?$|^kfreebsd-.*-[1-9][0-9]*\\.[0-9]+\\.[0-9]+-[0-9]+(-.+)?$|^gnumach-.*-[1-9][0-9]*\\.[0-9]+\\.[0-9]+-[0-9]+(-.+)?$|^.*-modules-[1-9][0-9]*\\.[0-9]+\\.[0-9]+-[0-9]+(-.+)?$|^.*-kernel-[1-9][0-9]*\\.[0-9]+\\.[0-9]+-[0-9]+(-.+)?$) regexp to find kernel packages\nUsing (^linux-.*-5\\.15\\.181\\-1\\-grsec\\-securedrop$|^linux-.*-5\\.15\\.181\\-1$|^kfreebsd-.*-5\\.15\\.181\\-1\\-grsec\\-securedrop$|^kfreebsd-.*-5\\.15\\.181\\-1$|^gnumach-.*-5\\.15\\.181\\-1\\-grsec\\-securedrop$|^gnumach-.*-5\\.15\\.181\\-1$|^.*-modules-5\\.15\\.181\\-1\\-grsec\\-securedrop$|^.*-modules-5\\.15\\.181\\-1$|^.*-kernel-5\\.15\\.181\\-1\\-grsec\\-securedrop$|^.*-kernel-5\\.15\\.181\\-1$|^linux-.*-5\\.15\\.181\\-1\\-grsec\\-securedrop$|^linux-.*-5\\.15\\.181\\-1$|^kfreebsd-.*-5\\.15\\.181\\-1\\-grsec\\-securedrop$|^kfreebsd-.*-5\\.15\\.181\\-1$|^gnumach-.*-5\\.15\\.181\\-1\\-grsec\\-securedrop$|^gnumach-.*-5\\.15\\.181\\-1$|^.*-modules-5\\.15\\.181\\-1\\-grsec\\-securedrop$|^.*-modules-5\\.15\\.181\\-1$|^.*-kernel-5\\.15\\.181\\-1\\-grsec\\-securedrop$|^.*-kernel-5\\.15\\.181\\-1$) regexp to find running kernel packages\nChecking: ossec-agent ([<Origin component:'main' archive:'' origin:'SecureDrop' label:'' site:'apt-test.freedom.press' isTrusted:True>])\npkg ossec-agent is on hold\nsanity check failed 
for: set() : no package is selected to be upgraded or installed\nSIGTERM received, will stop\npkgs that look like they should be upgraded: \nSIGNAL received, stopping\n", stderr=None).rc

I'll approve this change for merge and keep an eye on staging on develop.

@cfm cfm added this pull request to the merge queue May 12, 2025
Merged via the queue into develop with commit 92d8f66 May 12, 2025
44 of 46 checks passed
@github-project-automation github-project-automation bot moved this from Under Review to Done in SecureDrop May 12, 2025
@cfm cfm mentioned this pull request May 13, 2025
7 tasks