[FEATURE] openQA tests for SIG/Security override packages #193
Comments
|
Since we are still early in this process, now would be the time to define a descriptor format identifying all impacted callee functions (including any signature changes since thatll come back to bite us later via CFI) by the patches applied. This should permit identification of callers and exercising them against the patched targets with their current prototypes and data. Specified targeting for testing, autonomously if we can, to make sure we hit the test conditions every time vs relying on test suites of consumers to maybe hit a patched call target (openqa seems a bit higher level, just started reading) or manually maintaining ever more tests. Extraction of those call targets can quite likely be pulled from the diffs by a script. |
|
For context, @sempervictus comes here from a discussion around glibc hardening. This can explain the focus of his comments. I think most of them actually don't apply, as we're planning rather conservative changes (within same ABI, so no function signature changes for CFI either) and most of them not to libraries. We're also not planning to replace the whole distro, but just some packages - at least as long as the base distro's focus remains like it was (bug-for-bug with RHEL). So I think what we actually need are (1) unit tests for the changed behavior (e.g., for the few glibc functions that behave subtly differently [yet within spec] when hardened) perhaps invoked during package build (RPM An example bug I'd like us to have detected with automated testing is the recent inadvertent and unspecified and undetected dependency of the hardened |
|
@solardiz The general approach you describe in item 2 would be possible in openQA with proper definition of the post-install checks that would be desired. Do you still have copies of the |
|
Thoughts on implementation for comment before I commit any code changes: Add variable This would make either |
I still have my own test builds that should exhibit the same problem. I can provide them to you somewhere. I am also asking on the Testing channel whether we store the old Peridot-made builds anywhere. |
Is your feature request related to a problem? Please describe.
Recently the Security SIG began providing overrides for a number of packages in Rocky 9. The plan is to also provide those for Rocky 8 in the future. (wiki)
Theoretically we should be able to test application of those packages to various system configurations in openQA to provide confirmation that these overrides work as expected in our critical configurations.
A base test suite that adds the Security SIG repository to the system under test is needed as a starting point. Further tests can be added to install specific overrides along with tests that can/will verify their correct/desired operation can then also be implemented.
Members of the Security Team should be consulted to define the requirements of such tests and ideally they will be able to contribute tests directly to openQA at the time they are developing the overrides.
The text was updated successfully, but these errors were encountered: