Add test that no AppArmor denied events are produced #3912

Merged
merged 1 commit into from
Mar 5, 2025
7 changes: 7 additions & 0 deletions tests/supervisor_test/test_supervisor.py
Expand Up @@ -192,6 +192,13 @@ def test_restore_ssl_directory(shell_json, stash):
logger.info("Backup restore result: %s", result)


@pytest.mark.dependency(depends=["test_start_supervisor"])
def test_no_apparmor_denies(shell):
"""Check there are no AppArmor denies in the logs raised during Supervisor tests."""
output = shell.run_check("journalctl -t audit | grep DENIED || true")
assert not output, f"AppArmor denies found: {output}"
Comment on lines +198 to +199
💡 Verification agent

🧩 Analysis chain

Consider adding a verification step to ensure AppArmor is actually enabled.

The test assumes AppArmor is enabled, but it would be more robust to verify this first.


🏁 Script executed:

#!/bin/bash
# Check if AppArmor is enabled on the system
echo "Checking if AppArmor is enabled and running on the system..."
if command -v aa-status &> /dev/null; then
  aa-status
  echo "AppArmor profiles for the Supervisor:"
  aa-status | grep -i supervisor || echo "No specific Supervisor profile found"
else
  echo "AppArmor tools not installed or not in PATH"
  cat /sys/module/apparmor/parameters/enabled 2>/dev/null || echo "AppArmor kernel module status not found"
fi

Length of output: 385


Update Test to Verify AppArmor is Enabled

Based on the verification output, AppArmor is not active on the current system (the script showed that AppArmor tools are not installed and the kernel module is not enabled). To avoid relying on an assumption that AppArmor is enabled, please update the test in tests/supervisor_test/test_supervisor.py (lines 198–199) to first check whether AppArmor is active. For example, add a preliminary step that calls aa-status (or checks /sys/module/apparmor/parameters/enabled) and either skips the test or provides a clear warning if AppArmor is not enabled. This extra check will help prevent false negatives when running tests on systems without AppArmor.
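One way to implement the check requested in the comment above, as an added example that is not code from the PR or the project. The helper names (`apparmor_enabled`, `apparmor_denials`, `verdict`) are hypothetical and the sample journal lines are constructed; the only path used is the one named in the comment.

```python
import re
from pathlib import Path

# Path named in the review comment above.
APPARMOR_ENABLED = Path("/sys/module/apparmor/parameters/enabled")

# key=value or key="value" pairs as they appear in kernel audit records.
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def apparmor_enabled(path=APPARMOR_ENABLED):
    """True only if the kernel module reports 'Y'; a missing file means disabled."""
    try:
        return path.read_text().strip() == "Y"
    except OSError:
        return False


def apparmor_denials(journal_text):
    """Return one dict per audit record whose apparmor field is exactly DENIED."""
    denials = []
    for line in journal_text.splitlines():
        fields = {m[1]: (m[2] if m[2] is not None else m[3])
                  for m in _FIELD.finditer(line)}
        if fields.get("apparmor") == "DENIED":
            denials.append(fields)
    return denials


def verdict(journal_text, enabled):
    """'skip' when AppArmor is off (an empty log proves nothing), else pass/fail."""
    if not enabled:
        return "skip"
    return "fail" if apparmor_denials(journal_text) else "pass"


# Constructed sample journal output (not taken from the PR or a real system).
# The third line contains "DENIED" but is not an AppArmor record.
SAMPLE = """\
Mar 05 10:00:01 host audit[812]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="example-profile" pid=812 comm="apparmor_parser"
Mar 05 10:00:07 host audit[1301]: AVC apparmor="DENIED" operation="open" profile="example-profile" name="/etc/example.conf" pid=1301 comm="example" requested_mask="r" denied_mask="r"
Mar 05 10:00:09 host audit[1]: USER_LOGIN pid=1 msg='op=login res=failed reason=DENIED'
"""

if __name__ == "__main__":
    print(verdict(SAMPLE, apparmor_enabled()), apparmor_denials(SAMPLE))
```

In a pytest test, the "skip" verdict would map to `pytest.skip(...)` and the parsed fields (profile, name, denied_mask) can go into the assertion message.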



@pytest.mark.dependency(depends=["test_start_supervisor"])
def test_kernel_not_tainted(shell):
"""Check if the kernel is not tainted - do it at the end of the
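Review bot: In test_no_apparmor_denies, `grep DENIED` over `journalctl -t audit` matches any audit record containing that string, and with no boot restriction it may also pick up entries from before this test run; consider `journalctl -b -t audit` and matching `apparmor="DENIED"` so the assertion message ("AppArmor denies found") is accurate. With `|| true`, an empty result looks the same whether there were no denials or journalctl returned nothing at all, so a separate check that audit records are present would keep the test from passing vacuously. The test also depends only on test_start_supervisor while its docstring says it covers denies raised during the Supervisor tests, so it relies on its position in the file; a short comment saying so would help.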