Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Load all the profile if not loaded for Ubuntu #12482

Merged
merged 11 commits into from
Nov 11, 2024
Merged

Load all the profile if not loaded for Ubuntu #12482

merged 11 commits into from
Nov 11, 2024

Conversation

alanmcanonical
Copy link
Contributor

@alanmcanonical alanmcanonical commented Oct 9, 2024
edited
Loading

Description:

  • Load all the profile if not loaded for Ubuntu without change the mode of loaded profiles

Rationale:

  • We change the default mode to enforce for Ubuntu so if the var_apparmor_mode has been changed it means the customs tailored the benchmark and don't want to enforce all existing profiles. In order to preserve the modes of loaded profiles and still to be compliant, we should only load the not loaded profiles into complain mode.

@openshift-ci openshift-ci bot added the needs-ok-to-test Used by openshift-ci bot. label Oct 9, 2024
@openshift-ci OpenShift CI
Copy link

openshift-ci bot commented Oct 9, 2024

Hi @alanmcanonical. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@github-actions GitHub Actions
Copy link

github-actions bot commented Oct 9, 2024
edited
Loading

Start a new ephemeral environment with changes proposed in this pull request:

rhel8 (from CTF) Environment (using Fedora as testing environment)
Open in Gitpod

Fedora Testing Environment
Open in Gitpod

Oracle Linux 8 Environment
Open in Gitpod

@github-actions GitHub Actions
Copy link

github-actions bot commented Oct 9, 2024

🤖 A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:12482
This image was built from commit: a137692

Click here to see how to deploy it

If you alread have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:12482

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:12482 make deploy-local

@vojtapolasek vojtapolasek self-assigned this Oct 14, 2024
@vojtapolasek vojtapolasek added the Ubuntu Ubuntu product related. label Oct 14, 2024
@vojtapolasek vojtapolasek added this to the 0.1.75 milestone Oct 14, 2024
@vojtapolasek
Copy link
Collaborator

@alanmcanonical is it expected that test scenarios fail to initialize the testing environment for this rule in containers?

@alanmcanonical
Copy link
Contributor Author

alanmcanonical commented Oct 14, 2024
edited
Loading

@alanmcanonical is it expected that test scenarios fail to initialize the testing environment for this rule in containers?

No. It should succeed to create testing environment. I will have a look

@alanmcanonical alanmcanonical force-pushed the apparmor_load_all branch 2 times, most recently from 265924d to 00149d3 Compare October 16, 2024 20:53
@dodys dodys requested a review from a team October 17, 2024 07:40
@alanmcanonical
Copy link
Contributor Author

The apparmor is expected to fail inside the container environment. See here. The docker and podman provide minimal support for apparmor. These tests pass if we tests in qemu/kvm environment.

@dodys
Copy link
Contributor

dodys commented Oct 22, 2024

@Mab879 hey! could you please give some advice here.
We are trying for this rule to not run a container, but the tests are still being executed if platform: machine is set.
we also mentioned this behavior in #12511

@vojtapolasek
Copy link
Collaborator

@alanmcanonical could you please rebase so that this PR is in effect?
#12512

@alanmcanonical
Copy link
Contributor Author

The #12512 is not a complete fix for #12511 . We need to investigate into the ssg test system more to see what we can do to fix this

@vojtapolasek
Copy link
Collaborator

@alanmcanonical I see. I think the issue might take a while to resolve. Did you try creating local VM with Ubuntu and using Automatus to test those rules in that VM? If you did that and test scenarios pass, I think this can be merged.

@Mab879 Mab879 modified the milestones: 0.1.75, 0.1.76 Nov 6, 2024
alanmcanonical and others added 9 commits November 8, 2024 14:05
@alanmcanonical
Load all the profile if not loaded for Ubuntu without change the mode…
b04e254 
… of loaded profiles
@alanmcanonical
Add platform and packages
597611d
@alanmcanonical
Remove unnecessary platforms
7eb5d46
@alanmcanonical
Change platform into machine to avoid container test
7c9a113
@alanmcanonical
Remove platform: Ubuntu
b7dee27
@alanmcanonical
Add package[apparmor] back
1d46527
@alanmcanonical
Remove sle too
6a17a1f
@mpurg @alanmcanonical
Fix apparmor_complain rule to not load disabled profiles
34c3ecb 
This is to avoid enforcing the rsyslogd profile which
is disabled by default on Jammy.

Issue introduced with the recent change of the default value
var_apparmor_mode from complain to enforce.
@mpurg @alanmcanonical
Fix apparmor tests
7f33cf6 
Tests for ensure_apparmor_enforce were failing because
aa-complain and aa-enforce enabled the rsyslogd profile,
which is disabled by default, thus marking it as an "unconfined
process with a defined profile" and failing the SCE.

Solution is to restart the service when loading the profiles.

Tests for ensure_apparmor_enforce_or_complain were adapted
to not load disabled profiles.
@alanmcanonical
Copy link
Contributor Author

@alanmcanonical I see. I think the issue might take a while to resolve. Did you try creating local VM with Ubuntu and using Automatus to test those rules in that VM? If you did that and test scenarios pass, I think this can be merged.

All the tests pass on my qemu vm

@codeclimate CodeClimate
Copy link

codeclimate bot commented Nov 11, 2024

Code Climate has analyzed commit d7b3438 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 60.9% (0.0% change).

View more on Code Climate.

dodys
dodys approved these changes Nov 11, 2024
View reviewed changes
Copy link
Contributor

@dodys dodys left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm, thanks!

@dodys dodys merged commit 3322dc9 into ComplianceAsCode:master Nov 11, 2024
91 of 98 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dodys dodys dodys approved these changes

Assignees

@vojtapolasek vojtapolasek

Labels
needs-ok-to-test Used by openshift-ci bot. Ubuntu Ubuntu product related.
Projects
None yet
Milestone
0.1.76
Development

Successfully merging this pull request may close these issues.
5 participants
@alanmcanonical @vojtapolasek @dodys @Mab879 @mpurg