1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
|
summary: Check status of LSMs
details: |
Confirm status of LSMs on various targets.
systems:
# kernels definitely too old
- -ubuntu-14.04-*
- -ubuntu-16.04-*
- -ubuntu-18.04-*
- -ubuntu-20.04-*
# skip 22.04 as kernel support in inconsistent between -generic, -kvm, -gcp
# variants
- -ubuntu-22.04-*
# XXX skip ubuntu-22.04, kernel does not support required syscalls, but it's
# cheap to allocate and we still want to verity the error path
# UC releases matching unsupported Ubuntu releases
- -ubuntu-core-18-*
- -ubuntu-core-20-*
- -ubuntu-core-22-*
debug: |
grep -n '' lsm.out || true
execute: |
no_kernel_support=0
case "$SPREAD_SYSTEM" in
debian-12-*)
no_kernel_support=1
;;
centos-*)
no_kernel_support=1
;;
amazon-linux-*)
no_kernel_support=1
;;
opensuse-15*)
no_kernel_support=1
;;
esac
if [ "$no_kernel_support" = "1" ]; then
# lacking kernel support
not snap debug lsm 2> lsm.stderr
MATCH 'error: function not implemented' < lsm.stderr
exit 0
else
snap debug lsm > lsm.out
fi
case "$SPREAD_SYSTEM" in
fedora-*|centos-*|opensuse-*-selinux-*)
MATCH "selinux" < lsm.out
NOMATCH "apparmor" < lsm.out
MATCH 'selinux LSM context: "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"' < lsm.out
;;
ubuntu-*|debian-*|arch-linux-*)
MATCH "apparmor" < lsm.out
NOMATCH "selinux" < lsm.out
MATCH 'apparmor LSM context: "unconfined"' < lsm.out
;;
opensuse-*)
MATCH "apparmor" < lsm.out
NOMATCH "selinux" < lsm.out
MATCH 'apparmor LSM context: "unconfined"' < lsm.out
;;
*)
echo "unsupported $SPREAD_SYSTEM"
exit 1
;;
esac
|
