From dd9ee29db820f690de0e42fe0faa13043b5e2435 Mon Sep 17 00:00:00 2001 From: Kunal Mehta Date: Tue, 18 Jun 2024 16:27:35 -0400 Subject: [PATCH] Verify grsec kernel and paxctld is running in all VMs Previously paxctld was only tested in a few VMs, not all of them. --- tests/test_viewer.py | 1 - tests/test_vms_exist.py | 36 +++++++++++++++--------------------- 2 files changed, 15 insertions(+), 22 deletions(-) diff --git a/tests/test_viewer.py b/tests/test_viewer.py index d11aeb6d..79f9ed0f 100644 --- a/tests/test_viewer.py +++ b/tests/test_viewer.py @@ -57,7 +57,6 @@ def test_mime_types(self): def test_mimetypes_service(self): self._service_is_active("securedrop-mime-handling") - self._service_is_active("paxctld") def test_mailcap_hardened(self): self.mailcap_hardened() diff --git a/tests/test_vms_exist.py b/tests/test_vms_exist.py index 52c38e2b..e585bc93 100644 --- a/tests/test_vms_exist.py +++ b/tests/test_vms_exist.py @@ -24,18 +24,25 @@ def test_expected(self): for test_vm in WANTED_VMS: self.assertIn(test_vm, vm_set) - def _check_kernel(self, vm): + def test_grsec_kernel(self): """ Confirms expected grsecurity-patched kernel is running. """ - # Running custom kernel in PVH mode requires pvgrub2-pvh - self.assertEqual(vm.virt_mode, "pvh") - self.assertEqual(vm.kernel, "pvgrub2-pvh") + # base doesn't have kernel configured and whonix uses dom0 kernel + # TODO: test in sd-viewer based dispVM + exceptions = [f"sd-base-{DEBIAN_VERSION}-template", "sd-whonix", "sd-viewer"] - # Check kernel flavor in VM - stdout, stderr = vm.run("uname -r") - kernel_version = stdout.decode("utf-8").rstrip() - assert kernel_version.endswith("-grsec-workstation") + for vm in self.sdw_tagged_vms: + if vm.name in exceptions: + continue + # Running custom kernel in PVH mode requires pvgrub2-pvh + self.assertEqual(vm.virt_mode, "pvh") + self.assertEqual(vm.kernel, "pvgrub2-pvh") + + # Check running kernel is grsecurity-patched + stdout, stderr = vm.run("uname -r") + assert stdout.decode().strip().endswith("-grsec-workstation") + self._check_service_running(vm, "paxctld") def _check_service_running(self, vm, service, running=True): """ @@ -96,7 +103,6 @@ def test_sd_proxy_dvm(self): self.assertFalse(vm.autostart) self.assertNotIn("service.securedrop-mime-handling", vm.features) self._check_service_running(vm, "securedrop-mime-handling", running=False) - self._check_kernel(vm) def test_sd_app_config(self): vm = self.app.domains["sd-app"] @@ -105,8 +111,6 @@ def test_sd_app_config(self): self.assertEqual(vm.template, f"sd-small-{DEBIAN_VERSION}-template") self.assertFalse(vm.provides_network) self.assertFalse(vm.template_for_dispvms) - self._check_kernel(vm) - self._check_service_running(vm, "paxctld") self.assertNotIn("service.securedrop-log-server", vm.features) self.assertIn("sd-workstation", vm.tags) self.assertIn("sd-client", vm.tags) @@ -129,7 +133,6 @@ def test_sd_viewer_config(self): self.assertEqual(vm.template, f"sd-large-{DEBIAN_VERSION}-template") self.assertFalse(vm.provides_network) self.assertTrue(vm.template_for_dispvms) - self._check_kernel(vm) self.assertIn("sd-workstation", vm.tags) # MIME handling @@ -145,7 +148,6 @@ def test_sd_gpg_config(self): self.assertTrue(vm.autostart) self.assertFalse(vm.provides_network) self.assertFalse(vm.template_for_dispvms) - self._check_kernel(vm) self.assertEqual(vm.features["service.securedrop-logging-disabled"], "1") self.assertIn("sd-workstation", vm.tags) @@ -157,8 +159,6 @@ def test_sd_log_config(self): self.assertTrue(vm.autostart) self.assertFalse(vm.provides_network) self.assertFalse(vm.template_for_dispvms) - self._check_kernel(vm) - self._check_service_running(vm, "paxctld") self._check_service_running(vm, "securedrop-log-server") self.assertEqual(vm.features["service.securedrop-log-server"], "1") self.assertEqual(vm.features["service.securedrop-logging-disabled"], "1") @@ -177,7 +177,6 @@ def sd_app_template(self): nvm = vm.netvm self.assertIsNone(nvm) self.assertIn("sd-workstation", vm.tags) - self._check_kernel(vm) def sd_viewer_template(self): vm = self.app.domains[f"sd-large-{DEBIAN_VERSION}-template"] @@ -191,7 +190,6 @@ def sd_export_template(self): nvm = vm.netvm self.assertIsNone(nvm) self.assertIn("sd-workstation", vm.tags) - self._check_kernel(vm) def sd_export_dvm(self): vm = self.app.domains["sd-devices-dvm"] @@ -199,7 +197,6 @@ def sd_export_dvm(self): self.assertIsNone(nvm) self.assertIn("sd-workstation", vm.tags) self.assertTrue(vm.template_for_dispvms) - self._check_kernel(vm) # MIME handling (dvm does NOT setup mime, only its disposables do) self.assertNotIn("service.securedrop-mime-handling", vm.features) @@ -212,7 +209,6 @@ def sd_export(self): vm_type = vm.klass self.assertEqual(vm_type, "DispVM") self.assertIn("sd-workstation", vm.tags) - self._check_kernel(vm) # MIME handling self.assertEqual(vm.features["service.securedrop-mime-handling"], "1") @@ -225,7 +221,6 @@ def sd_small_template(self): self.assertIsNone(nvm) self.assertIn("sd-workstation", vm.tags) self.assertFalse(vm.template_for_dispvms) - self._check_kernel(vm) def sd_large_template(self): vm = self.app.domains[f"sd-large-{DEBIAN_VERSION}-template"] @@ -233,7 +228,6 @@ def sd_large_template(self): self.assertIsNone(nvm) self.assertIn("sd-workstation", vm.tags) self.assertFalse(vm.template_for_dispvms) - self._check_kernel(vm) def load_tests(loader, tests, pattern):