From 3e3ea4c77b733a70572cd26e8f3938a02324b85d Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Tue, 21 Jan 2025 12:01:14 -0500
Subject: [PATCH 1/4] Disable unix-chkpwd AppArmor profile

This is necessary when running Molecule tests against Fedora 40 and 41; otherwise, the privileged container cannot successfully sudo and hence Ansible is unable to do anything. Note that this change is reverted after the Molecule tests are run. For now, disabling the unix-chkpwd AppArmor profile also requires an apt-get purge of the firefox and passt packages. It should be possible to remove this purge (and the ensuing systemctl reload apparmor.service) at a future date. See cisagov/skeleton-ansible-role#215 for more details.
---
.github/workflows/build.yml | 32 ++++++++++++++++++++++++++++++++
1 file changed, 32 insertions(+)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index a30b335..f0a05ff 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -238,11 +238,43 @@ jobs:
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
+ # Disabling the unix-chkpwd AppArmor profile is necessary when
+ # running Molecule tests against Fedora 40 and 41; otherwise,
+ # the privileged container cannot successfully run sudo and
+ # hence Ansible is unable to do anything. See
+ # fedora-cloud/docker-brew-fedora#117 for more details.
+ #
+ # Purging firefox is currently necessary because the
+ # installation available on the GitHub runner instance provides
+ # two conflicting AppArmor profiles:
+ # /etc/apparmor.d/usr.bin.firefox and /etc/apparmor.d/firefox.
+ # This conflict causes the aa-disable /usr/sbin/unix_chkpwd
+ # command to fail.
+ #
+ # Purging passt is currently necessary because the installation
+ # available on the GitHub runner instance contains a wonky
+ # AppArmor file (/etc/apparmor.d/abstractions/passt) that causes
+ # the aa-disable command to fail.
+ #
+ # TODO: Remove the apt-get purge and systemctl reload commands
+ # when possible. See cisagov/skeleton-ansible-role#215 for more
+ # details.
+ - name: Disable unix-chkpwd AppArmor profile
+ run: |
+ sudo apt-get purge firefox passt
+ sudo systemctl reload apparmor.service
+ sudo apt-get install apparmor-utils
+ sudo aa-disable /usr/sbin/unix_chkpwd
+ if: ${{ startsWith(matrix.platform, 'fedora') }}
- name: Run molecule tests
run: >-
molecule test
--platform-name ${{ matrix.platform }}-${{ matrix.architecture }}
--scenario-name ${{ matrix.scenario }}
+ - name: Re-enable unix-chkpwd AppArmor profile
+ run: >-
+ sudo aa-enforce /usr/sbin/unix_chkpwd
+ if: ${{ startsWith(matrix.platform, 'fedora') }}
- name: Setup tmate debug session
uses: mxschmitt/action-tmate@v3
if: env.RUN_TMATE

From a473457a41123ad3f55861de30d6845421dcc782 Mon Sep 17 00:00:00 2001
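Review bot: The `Re-enable unix-chkpwd AppArmor profile` step added at the end of this hunk runs only when every earlier step succeeded, because a step-level `if:` without `always()` keeps the default success condition, so a failing `molecule test` leaves the profile disabled, contrary to the commit message's statement that the change is reverted after the tests. Change that step's condition to `if: ${{ always() && startsWith(matrix.platform, 'fedora') }}`; the second patch rewrites the same step and should carry the same condition. The runner is a disposable hosted VM, so the practical exposure is short, but the revert is what the commit message and the step's own name promise, so it should not depend on the test outcome. The `apt-get purge`/`apt-get install` lines here (and the reinstall line added in the second patch) have no `-y`; if apt needs to change packages beyond the ones named it prompts, and in a non-interactive step that aborts the command, so `-y` makes the intent explicit. The enclosing `steps:` list starts and ends outside this hunk.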
From: Jeremy Frasier
Date: Thu, 23 Jan 2025 14:32:29 -0500
Subject: [PATCH 2/4] Reinstall firefox and passt

These system packages had to be uninstalled to allow the disabling of the unix-chkpwd AppArmor profile, but can be reinstalled at this point.

Co-authored-by: Nicholas McDonnell
---
.github/workflows/build.yml | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index f0a05ff..6a002e8 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -271,9 +271,12 @@ jobs:
molecule test
--platform-name ${{ matrix.platform }}-${{ matrix.architecture }}
--scenario-name ${{ matrix.scenario }}
+ # TODO: Remove the apt-get install command when possible. See
+ # cisagov/skeleton-ansible-role#215 for more details.
- name: Re-enable unix-chkpwd AppArmor profile
- run: >-
+ run: |
sudo aa-enforce /usr/sbin/unix_chkpwd
+ sudo apt-get install firefox passt
if: ${{ startsWith(matrix.platform, 'fedora') }}
- name: Setup tmate debug session
uses: mxschmitt/action-tmate@v3

From b6f26f063896632770ee99574d0a76892fd95041 Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Sat, 18 Jan 2025 12:36:07 -0500
Subject: [PATCH 3/4] Use native ARM runners when testing on ARM architecture

This provides better and faster testing of ARM architectures than testing under QEMU emulation.
---
.github/workflows/build.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 6a002e8..64a71e7 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -177,7 +177,7 @@ jobs:
permissions:
# actions/checkout needs this to fetch code
contents: read
- runs-on: ubuntu-latest
+ runs-on: ubuntu-${{ startsWith(matrix.architecture, 'arm') && '24.04-arm' || 'latest' }}
strategy:
fail-fast: false
matrix:

From 7a3c69426781d0a334939e469e3c3b632883e45b Mon Sep 17 00:00:00 2001
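Review bot: `runs-on: ubuntu-${{ startsWith(matrix.architecture, 'arm') && '24.04-arm' || 'latest' }}` pins the ARM leg of the matrix to Ubuntu 24.04 while the other leg floats with `ubuntu-latest`, so the two legs will run on different Ubuntu releases whenever `ubuntu-latest` moves, and the AppArmor workaround from the first patch (package names, profile paths under `/etc/apparmor.d`) is sensitive to the runner image. Pinning both sides, e.g. `runs-on: ubuntu-${{ startsWith(matrix.architecture, 'arm') && '24.04-arm' || '24.04' }}`, keeps the matrix symmetric and turns image drift into an explicit, reviewable change. The `docker/setup-qemu-action@v3` step, visible as context in the first patch's hunk, presumably becomes unnecessary once ARM runs natively; keeping it is harmless but deserves either removal or a comment saying why it stays. The enclosing job definition starts outside this hunk.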
From: Jeremy Frasier
Date: Sat, 18 Jan 2025 12:51:52 -0500
Subject: [PATCH 4/4] Uncomment the GitHubSecurityLab/actions-permissions/monitor@v1 job

We are no longer emulating ARM under QEMU, so using this GitHub Action no longer causes the runners to run out of resources and crash.
---
.github/workflows/build.yml | 11 ++++-------
1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 64a71e7..3e9cbdb 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -200,13 +200,10 @@ jobs:
scenario:
- default
steps:
- # With this task in place the GitHub runners run out of
- # resources and crash. See cisagov/skeleton-ansible-role#211
- # for more details.
- # - uses: GitHubSecurityLab/actions-permissions/monitor@v1
- # with:
- # # Uses the organization variable unless overridden
- # config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
+ - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+ with:
+ # Uses the organization variable unless overridden
+ config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
- id: harden-runner
name: Harden the runner
uses: step-security/harden-runner@v2
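Review bot: `uses: GitHubSecurityLab/actions-permissions/monitor@v1` references the action by a mutable tag, as the neighbouring `step-security/harden-runner@v2` does; a moved tag silently changes code that runs first in every job, and for an action whose purpose is to observe the job's GitHub API usage the usual hardening is a full commit SHA with the version in a trailing comment, e.g. `uses: GitHubSecurityLab/actions-permissions/monitor@<commit-sha> # v1` (placeholder — substitute the SHA of the v1 release). If the repository convention is tag pinning with automated version updates, apply it consistently rather than only here. `config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}` expands to an empty string when the organization variable is unset; whether the action then falls back to defaults or fails is not visible here, so the comment above it could state the expected fallback. The `steps:` list continues past this hunk.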