From 1a348f81375fe1b3eba98dc7743c3ac366555f64 Mon Sep 17 00:00:00 2001
From: Gerald Pinder
Date: Sun, 30 Jun 2024 16:57:11 -0400
Subject: [PATCH] chore: Stop using secureblue for integration testing

This would occasionally cause tests to fail cause SecureBlue would rightfully make changes to their code. We shouldn't be relying on this anymore as it was a crutch to lean on when we were first starting this project
---
 integration-tests/Earthfile | 35 ----------------
 .../test-scripts/secureblue/100-test-chmod.sh | 41 -------------------
 2 files changed, 76 deletions(-)
 delete mode 100644 integration-tests/test-scripts/secureblue/100-test-chmod.sh

diff --git a/integration-tests/Earthfile b/integration-tests/Earthfile
index 06ecdde..339b274 100644
--- a/integration-tests/Earthfile
+++ b/integration-tests/Earthfile
@@ -3,7 +3,6 @@ PROJECT blue-build/cli
 all:
 BUILD +test-image
- BUILD +test-secureblue
 BUILD +test-legacy-image
 BUILD +build
 BUILD +rebase
@@ -24,20 +23,6 @@ test-legacy-image:
 DO +RUN_TESTS
-test-secureblue:
- FROM +build-template --src=template-secureblue
- WORKDIR /tmp/test
- COPY ./test-scripts/secureblue/*.sh ./
-
- DO +RUN_TESTS
-
-test-secureblue-ucore:
- FROM +build-template --src=template-secureblue-ucore
- WORKDIR /tmp/test
- COPY ./test-scripts/secureblue/*.sh ./
-
- DO +RUN_TESTS
-
 build-template:
 ARG --required src
 FROM DOCKERFILE \
@@ -56,18 +41,6 @@ template-legacy-containerfile:
 SAVE ARTIFACT /test
-template-secureblue:
- FROM +secureblue-base
- RUN bluebuild -vv generate -o Containerfile recipes/general/recipe-silverblue-nvidia.yml
-
- SAVE ARTIFACT /test
-
-template-secureblue-ucore:
- FROM +secureblue-base
- RUN bluebuild -vv generate -o Containerfile recipes/server/recipe-server-main.yml
-
- SAVE ARTIFACT /test
-
 build:
 FROM +test-base
@@ -90,14 +63,6 @@ switch:
 RUN mkdir -p /etc/bluebuild && touch $BB_TEST_LOCAL_IMAGE
 RUN bluebuild -vv switch recipes/recipe.yml
-secureblue-base:
- FROM +test-base
-
- RUN rm -fr /test
- GIT CLONE https://github.com/secureblue/secureblue.git /test
-
- DO +GEN_KEYPAIR
-
 legacy-base:
 FROM ../+blue-build-cli-alpine
 RUN apk update --no-cache && apk add bash grep jq sudo coreutils
diff --git a/integration-tests/test-scripts/secureblue/100-test-chmod.sh b/integration-tests/test-scripts/secureblue/100-test-chmod.sh
deleted file mode 100644
index c805b9a..0000000
--- a/integration-tests/test-scripts/secureblue/100-test-chmod.sh
+++ /dev/null
@@ -1,41 +0,0 @@
-#!/usr/bin/env bash
-
-set -euo pipefail
-
-# Function to check if hardening has been applied correctly
-check_hardening() {
- local sysctl_conf="/usr/etc/sysctl.d/hardening.conf"
- local bwrap="/usr/bin/bwrap"
-
- # Check for the presence of user namespace hardening
- if grep -q "user.max_user_namespaces = 0" "$sysctl_conf" &&
- grep -q "kernel.unprivileged_userns_clone = 0" "$sysctl_conf"; then
- printf "Hardening settings are correctly applied in %s\n" "$sysctl_conf"
- else
- printf "Hardening settings are missing or incorrect in %s\n" "$sysctl_conf" >&2
- return 1
- fi
-
- # Check ownership and SUID bit of bwrap
- if [ "$(stat -c '%U' "$bwrap")" = "root" ] && [ "$(stat -c '%a' "$bwrap")" -eq 4755 ]; then
- printf "%s ownership and permissions are correctly set\n" "$bwrap"
- else
- printf "%s ownership or permissions are incorrect\n" "$bwrap" >&2
- return 1
- fi
-}
-
-# Main function to orchestrate the checks
-main() {
- set -euo pipefail
-
- # Perform the checks
- if ! check_hardening; then
- printf "Hardening checks failed\n" >&2
- exit 1
- else
- printf "All hardening checks passed\n"
- fi
-}
-
-main "$@"