Merge pull request #1092 from freedomofpress/grsec-kernel

Verify grsec kernel and paxctld is running in all VMs
freedomofpress · Jun 25, 2024 · be700ab · be700ab
2 parents 18b9111 + dd9ee29
commit be700ab
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 22 deletions.
diff --git a/tests/test_viewer.py b/tests/test_viewer.py
@@ -57,7 +57,6 @@ def test_mime_types(self):
 
     def test_mimetypes_service(self):
         self._service_is_active("securedrop-mime-handling")
-        self._service_is_active("paxctld")
 
     def test_mailcap_hardened(self):
         self.mailcap_hardened()

diff --git a/tests/test_vms_exist.py b/tests/test_vms_exist.py
@@ -24,18 +24,25 @@ def test_expected(self):
         for test_vm in WANTED_VMS:
             self.assertIn(test_vm, vm_set)
 
-    def _check_kernel(self, vm):
+    def test_grsec_kernel(self):
         """
         Confirms expected grsecurity-patched kernel is running.
         """
-        # Running custom kernel in PVH mode requires pvgrub2-pvh
-        self.assertEqual(vm.virt_mode, "pvh")
-        self.assertEqual(vm.kernel, "pvgrub2-pvh")
+        # base doesn't have kernel configured and whonix uses dom0 kernel
+        # TODO: test in sd-viewer based dispVM
+        exceptions = [f"sd-base-{DEBIAN_VERSION}-template", "sd-whonix", "sd-viewer"]
 
-        # Check kernel flavor in VM
-        stdout, stderr = vm.run("uname -r")
-        kernel_version = stdout.decode("utf-8").rstrip()
-        assert kernel_version.endswith("-grsec-workstation")
+        for vm in self.sdw_tagged_vms:
+            if vm.name in exceptions:
+                continue
+            # Running custom kernel in PVH mode requires pvgrub2-pvh
+            self.assertEqual(vm.virt_mode, "pvh")
+            self.assertEqual(vm.kernel, "pvgrub2-pvh")
+
+            # Check running kernel is grsecurity-patched
+            stdout, stderr = vm.run("uname -r")
+            assert stdout.decode().strip().endswith("-grsec-workstation")
+            self._check_service_running(vm, "paxctld")
 
     def _check_service_running(self, vm, service, running=True):
         """
@@ -96,7 +103,6 @@ def test_sd_proxy_dvm(self):
         self.assertFalse(vm.autostart)
         self.assertNotIn("service.securedrop-mime-handling", vm.features)
         self._check_service_running(vm, "securedrop-mime-handling", running=False)
-        self._check_kernel(vm)
 
     def test_sd_app_config(self):
         vm = self.app.domains["sd-app"]
@@ -105,8 +111,6 @@ def test_sd_app_config(self):
         self.assertEqual(vm.template, f"sd-small-{DEBIAN_VERSION}-template")
         self.assertFalse(vm.provides_network)
         self.assertFalse(vm.template_for_dispvms)
-        self._check_kernel(vm)
-        self._check_service_running(vm, "paxctld")
         self.assertNotIn("service.securedrop-log-server", vm.features)
         self.assertIn("sd-workstation", vm.tags)
         self.assertIn("sd-client", vm.tags)
@@ -129,7 +133,6 @@ def test_sd_viewer_config(self):
         self.assertEqual(vm.template, f"sd-large-{DEBIAN_VERSION}-template")
         self.assertFalse(vm.provides_network)
         self.assertTrue(vm.template_for_dispvms)
-        self._check_kernel(vm)
         self.assertIn("sd-workstation", vm.tags)
 
         # MIME handling
@@ -145,7 +148,6 @@ def test_sd_gpg_config(self):
         self.assertTrue(vm.autostart)
         self.assertFalse(vm.provides_network)
         self.assertFalse(vm.template_for_dispvms)
-        self._check_kernel(vm)
         self.assertEqual(vm.features["service.securedrop-logging-disabled"], "1")
         self.assertIn("sd-workstation", vm.tags)
 
@@ -157,8 +159,6 @@ def test_sd_log_config(self):
         self.assertTrue(vm.autostart)
         self.assertFalse(vm.provides_network)
         self.assertFalse(vm.template_for_dispvms)
-        self._check_kernel(vm)
-        self._check_service_running(vm, "paxctld")
         self._check_service_running(vm, "securedrop-log-server")
         self.assertEqual(vm.features["service.securedrop-log-server"], "1")
         self.assertEqual(vm.features["service.securedrop-logging-disabled"], "1")
@@ -177,7 +177,6 @@ def sd_app_template(self):
         nvm = vm.netvm
         self.assertIsNone(nvm)
         self.assertIn("sd-workstation", vm.tags)
-        self._check_kernel(vm)
 
     def sd_viewer_template(self):
         vm = self.app.domains[f"sd-large-{DEBIAN_VERSION}-template"]
@@ -191,15 +190,13 @@ def sd_export_template(self):
         nvm = vm.netvm
         self.assertIsNone(nvm)
         self.assertIn("sd-workstation", vm.tags)
-        self._check_kernel(vm)
 
     def sd_export_dvm(self):
         vm = self.app.domains["sd-devices-dvm"]
         nvm = vm.netvm
         self.assertIsNone(nvm)
         self.assertIn("sd-workstation", vm.tags)
         self.assertTrue(vm.template_for_dispvms)
-        self._check_kernel(vm)
 
         # MIME handling (dvm does NOT setup mime, only its disposables do)
         self.assertNotIn("service.securedrop-mime-handling", vm.features)
@@ -212,7 +209,6 @@ def sd_export(self):
         vm_type = vm.klass
         self.assertEqual(vm_type, "DispVM")
         self.assertIn("sd-workstation", vm.tags)
-        self._check_kernel(vm)
 
         # MIME handling
         self.assertEqual(vm.features["service.securedrop-mime-handling"], "1")
@@ -225,15 +221,13 @@ def sd_small_template(self):
         self.assertIsNone(nvm)
         self.assertIn("sd-workstation", vm.tags)
         self.assertFalse(vm.template_for_dispvms)
-        self._check_kernel(vm)
 
     def sd_large_template(self):
         vm = self.app.domains[f"sd-large-{DEBIAN_VERSION}-template"]
         nvm = vm.netvm
         self.assertIsNone(nvm)
         self.assertIn("sd-workstation", vm.tags)
         self.assertFalse(vm.template_for_dispvms)
-        self._check_kernel(vm)
 
 
 def load_tests(loader, tests, pattern):