
Add test that no AppArmor denied events are produced #3912

Merged
merged 1 commit into from
Mar 5, 2025

Conversation

sairon
Member

@sairon sairon commented Mar 4, 2025

As discussed in #3885, now that fixed Supervisor is in stable, we can test that no AppArmor denied events are logged during CI tests.

Summary by CodeRabbit

  • Tests
    • Added an automated check to confirm that system logs remain free of unexpected security denial messages. This enhancement bolsters the overall reliability of our testing process.

@sairon sairon added the build Build and CI related issues label Mar 4, 2025
@sairon sairon requested a review from agners March 4, 2025 15:11

coderabbitai bot commented Mar 4, 2025

📝 Walkthrough

The pull request adds a new test function, test_no_apparmor_denies, to the existing Supervisor test suite. This test is set to run after the test_start_supervisor dependency and checks the system’s audit logs for any "DENIED" messages related to AppArmor. It executes a shell command to retrieve the logs and asserts that no such entries are found. The intent is to detect and flag any AppArmor permission issues during supervisor tests.

Changes

File | Change Summary
tests/supervisor_test/test_supervisor.py | Added test_no_apparmor_denies which depends on test_start_supervisor. It runs a shell command to fetch audit logs and asserts no "DENIED" entries exist.

Sequence Diagram(s)

sequenceDiagram
    participant Dependency as test_start_supervisor
    participant Test as test_no_apparmor_denies
    participant Shell as Shell Command Executor

    Dependency-->Test: Dependency satisfied
    Test->>Shell: Execute shell command to fetch audit logs
    Shell-->>Test: Return log output
    Test->>Test: Parse log for "DENIED" entries
    alt "DENIED" entries found
        Test-->>Test: Raise assertion error with details
    else No "DENIED" entries
        Test-->>Test: Complete test successfully
    end

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (4)
tests/supervisor_test/test_supervisor.py (4)

195-200: Good test implementation but consider enhancing for more specific AppArmor checking.

The test successfully verifies that no AppArmor denial messages appear in the logs, which is valuable for ensuring proper configuration. However, there are a few potential enhancements that could make the test more robust:

Consider making the following improvements:

  1. More specifically target AppArmor denials by using a more precise grep pattern:
-    output = shell.run_check("journalctl -t audit | grep DENIED || true")
+    output = shell.run_check("journalctl -t audit | grep 'apparmor=\"DENIED\"' || true")
  2. Add a time constraint to only check logs since the supervisor test started:
-    output = shell.run_check("journalctl -t audit | grep DENIED || true")
+    output = shell.run_check("journalctl -t audit --since=\"$(systemctl show hassio_supervisor.service -p ActiveEnterTimestamp --value)\" | grep DENIED || true")
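Review bot: this suggestion rewrites the same line as the first one and drops the tighter `apparmor="DENIED"` pattern, so the two cannot both be applied as written; fold them into a single command. The `--since` argument also needs a guard: when `ActiveEnterTimestamp` is empty (unit not active at that moment), journalctl receives `--since=""` and exits non-zero, but without pipefail the `|| true` only ever sees grep's exit status, so the test would pass on empty output instead of reporting the query error. The same masking applies to the original line whenever journalctl itself fails; running journalctl on its own and checking its status (or enabling pipefail) makes such failures loud rather than silent passes.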

195-196: Consider moving this test earlier in the test sequence.

This test depends on test_start_supervisor but is positioned after tests that have further dependencies. For better clarity on the logical progression of tests, consider positioning this test closer to other tests that directly depend on test_start_supervisor.

Consider moving this test to appear right after other tests that directly depend on test_start_supervisor (like around line 46-55) to maintain a clearer dependency hierarchy.

197-197: Enhance the docstring with more context about AppArmor denials.

While the docstring is clear about what the test does, adding more context about why AppArmor denials are problematic would improve documentation.

Consider expanding the docstring:

-    """Check there are no AppArmor denies in the logs raised during Supervisor tests."""
+    """Check there are no AppArmor denies in the logs raised during Supervisor tests.
+    
+    AppArmor denials indicate that the Supervisor is attempting operations that are blocked by 
+    security policies, which could prevent proper functionality and should be addressed by 
+    updating the AppArmor profiles or modifying the Supervisor's behavior.
+    """
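Review bot: the suggested docstring introduces trailing whitespace: the whitespace-only `+    ` line and the wrapped lines ending in `blocked by ` and `addressed by `, which the project's linters will flag. Strip the trailing spaces and leave the separator line empty when applying.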

199-199: Add more context to error messages for easier debugging.

The current error message simply displays the raw output, which could be difficult to interpret if there are many denial entries.

Consider enhancing the error message to be more informative:

-    assert not output, f"AppArmor denies found: {output}"
+    assert not output, f"AppArmor denies found in the system logs. This indicates the Supervisor is attempting operations blocked by security policies. Review these denials and update profiles accordingly:\n{output}"
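Review bot: the replacement message is a single line of well over 200 characters, which will not pass the repository's line-length check. Split it with implicit string concatenation inside parentheses, and consider keeping the operational guidance (review the denials, update the profiles) in the docstring so the assertion message stays a short header above the raw denial lines.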
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a39b8a9 and 282490a.

📒 Files selected for processing (1)
  • tests/supervisor_test/test_supervisor.py (1 hunks)

Comment on lines +198 to +199
output = shell.run_check("journalctl -t audit | grep DENIED || true")
assert not output, f"AppArmor denies found: {output}"
💡 Verification agent

🧩 Analysis chain

Consider adding a verification step to ensure AppArmor is actually enabled.

The test assumes AppArmor is enabled, but it would be more robust to verify this first.


🏁 Script executed:

#!/bin/bash
# Check if AppArmor is enabled on the system
echo "Checking if AppArmor is enabled and running on the system..."
if command -v aa-status &> /dev/null; then
  aa-status
  echo "AppArmor profiles for the Supervisor:"
  aa-status | grep -i supervisor || echo "No specific Supervisor profile found"
else
  echo "AppArmor tools not installed or not in PATH"
  cat /sys/module/apparmor/parameters/enabled 2>/dev/null || echo "AppArmor kernel module status not found"
fi

Length of output: 385

Update Test to Verify AppArmor is Enabled

Based on the verification output, AppArmor is not active on the current system (the script showed that AppArmor tools are not installed and the kernel module is not enabled). To avoid relying on an assumption that AppArmor is enabled, please update the test in tests/supervisor_test/test_supervisor.py (lines 198–199) to first check whether AppArmor is active. For example, add a preliminary step that calls aa-status (or checks /sys/module/apparmor/parameters/enabled) and either skips the test or provides a clear warning if AppArmor is not enabled. This extra check will help prevent false negatives when running tests on systems without AppArmor.
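As an added example that is not part of this PR or the Supervisor test suite: a parser for the `apparmor="DENIED"` records the test greps for, run over constructed journal lines (the host name, profile names, paths and PIDs are made up). It shows why the tighter pattern from the review matters, since a plain `grep DENIED` also matches an unrelated audit record, and it groups repeated denials into a readable failure message.

```python
import re
from collections import defaultdict

# Constructed journal excerpt (not real CI output): two identical AppArmor
# denials, one complain-mode ALLOWED record, and one unrelated audit record
# that merely contains the word DENIED inside a field value.
SAMPLE_JOURNAL = """\
Mar 04 15:10:01 host audit[1234]: AVC apparmor="DENIED" operation="open" profile="hassio-supervisor" name="/run/example/secret" pid=1234 comm="python3" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Mar 04 15:10:02 host audit[1235]: AVC apparmor="ALLOWED" operation="exec" profile="example-addon" name="/usr/bin/curl" pid=1235 comm="sh" requested_mask="x" denied_mask="x"
Mar 04 15:10:03 host audit[1236]: AVC apparmor="DENIED" operation="open" profile="hassio-supervisor" name="/run/example/secret" pid=1236 comm="python3" requested_mask="r" denied_mask="r"
Mar 04 15:10:04 host audit[1]: USER_AUTH pid=1 msg='op=PAM:authentication acct="DENIED_USER" exe="/usr/bin/login" res=failed'
"""

APPARMOR_DENIED = re.compile(r'apparmor="DENIED"')   # the reviewer's tighter pattern
FIELD = re.compile(r'(\w+)="([^"]*)"')               # key="value" pairs in a record


def naive_denied_lines(journal_text):
    """What `grep DENIED` returns: every line containing the word anywhere."""
    return [line for line in journal_text.splitlines() if "DENIED" in line]


def parse_apparmor_denials(journal_text):
    """Return one dict of quoted fields per apparmor="DENIED" record."""
    denials = []
    for line in journal_text.splitlines():
        if APPARMOR_DENIED.search(line):  # skips ALLOWED records and unrelated lines
            denials.append(dict(FIELD.findall(line)))
    return denials


def summarize_denials(denials):
    """Collapse repeats into 'Nx profile: operation target' lines."""
    counts = defaultdict(int)
    for d in denials:
        target = d.get("name") or d.get("comm") or "?"
        counts[(d.get("profile", "?"), d.get("operation", "?"), target)] += 1
    return [f"{n}x {profile}: {op} {target}"
            for (profile, op, target), n in sorted(counts.items())]


def check_no_apparmor_denials(journal_text):
    """The test's assertion, with a grouped message instead of raw grep output."""
    summary = summarize_denials(parse_apparmor_denials(journal_text))
    assert not summary, "AppArmor denies found:\n" + "\n".join(summary)
    return summary
```

On the sample, `naive_denied_lines` returns three lines while the parser finds two real denials that collapse into one summary line.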

@sairon sairon merged commit 610ced0 into dev Mar 5, 2025
3 checks passed
@sairon sairon deleted the test-no-apparmor-denies branch March 5, 2025 18:04