diff --git a/integration-tests/Earthfile b/integration-tests/Earthfile index 305bac3..35716b8 100644 --- a/integration-tests/Earthfile +++ b/integration-tests/Earthfile @@ -3,17 +3,34 @@ PROJECT blue-build/cli all: ARG NIGHTLY=false - BUILD +build-template --NIGHTLY=$NIGHTLY + BUILD +test-image --NIGHTLY=$NIGHTLY + BUILD +test-secureblue --NIGHTLY=$NIGHTLY BUILD +build --NIGHTLY=$NIGHTLY BUILD +rebase --NIGHTLY=$NIGHTLY BUILD +upgrade --NIGHTLY=$NIGHTLY +test-image: + ARG NIGHTLY=false + FROM +build-template --NIGHTLY=$NIGHTLY --src=template-containerfile + WORKDIR /tmp/test + COPY ./test-scripts/*.sh ./ + + DO +RUN_TESTS + +test-secureblue: + ARG NIGHTLY=false + FROM +build-template --NIGHTLY=$NIGHTLY --src=template-secureblue + WORKDIR /tmp/test + COPY ./test-scripts/secureblue/*.sh ./ + + DO +RUN_TESTS + build-template: ARG NIGHTLY=false + ARG --required src FROM DOCKERFILE \ - -f +template-containerfile/test/Containerfile \ - +template-containerfile/test/* --NIGHTLY=$NIGHTLY - RUN [ -f /usr/test-file ] + -f +$src/test/Containerfile \ + +$src/test/* --NIGHTLY=$NIGHTLY template-containerfile: ARG NIGHTLY=false @@ -22,6 +39,13 @@ template-containerfile: SAVE ARTIFACT /test +template-secureblue: + ARG NIGHTLY=false + FROM +secureblue-base --NIGHTLY=$NIGHTLY + RUN bluebuild -vv template -o Containerfile config/recipes/desktop/recipe-silverblue-nvidia.yml + + SAVE ARTIFACT /test + build: ARG NIGHTLY=false FROM +test-base --NIGHTLY=$NIGHTLY @@ -41,6 +65,13 @@ upgrade: RUN --privileged bluebuild -vv upgrade config/recipe.yml +secureblue-base: + ARG NIGHTLY=false + FROM +test-base --NIGHTLY=$NIGHTLY + + RUN rm -fr /test + GIT CLONE https://github.com/secureblue/secureblue.git /test + test-base: ARG NIGHTLY=false @@ -56,3 +87,11 @@ test-base: ENV COSIGN_PRIVATE_KEY=$(cat cosign.key) RUN rm cosign.key +RUN_TESTS: + FUNCTION + FOR script IN $(ls *.sh) + RUN --no-cache chmod +x $script \ + && echo "Running test $script" \ + && ./$script + END + 
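Review bot: `GIT CLONE https://github.com/secureblue/secureblue.git /test` in `secureblue-base` checks out whatever the upstream default branch points at when the target runs, so the integration test is not reproducible and any upstream change, intentional or not, lands straight in this CI build. Pin the checkout to a tag or commit and bump it deliberately, e.g. `GIT CLONE --branch <pinned-ref> https://github.com/secureblue/secureblue.git /test` (placeholder ref). The `template-secureblue` target in the preceding hunk hard-codes `config/recipes/desktop/recipe-silverblue-nvidia.yml` from that checkout, so an upstream rename of the recipe would break this test unannounced; with a pinned ref that becomes a visible update instead of a surprise.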
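Review bot: `RUN_TESTS` documents none of its contract: it relies on the caller's WORKDIR holding the scripts, runs them in `ls` sort order (which is what the `100-` prefix in the new test name leans on), and stops at the first script that exits non-zero because each `RUN` fails the target. A header comment along the lines of `# Runs every *.sh in the current WORKDIR in sort order; the first non-zero exit aborts the target, and --no-cache keeps a cached layer from skipping the run.` would spare the next reader a trip to the callers. `$(ls *.sh)` is also split on whitespace by FOR, so a script name containing a space would be iterated as fragments; harmless for the current names, but worth stating in the same comment.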
diff --git a/integration-tests/test-scripts/secureblue/100-test-chmod.sh b/integration-tests/test-scripts/secureblue/100-test-chmod.sh
new file mode 100644
index 0000000..c805b9a
--- /dev/null
+++ b/integration-tests/test-scripts/secureblue/100-test-chmod.sh
@@ -0,0 +1,41 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+# Function to check if hardening has been applied correctly
+check_hardening() {
+ local sysctl_conf="/usr/etc/sysctl.d/hardening.conf"
+ local bwrap="/usr/bin/bwrap"
+
+ # Check for the presence of user namespace hardening
+ if grep -q "user.max_user_namespaces = 0" "$sysctl_conf" &&
+ grep -q "kernel.unprivileged_userns_clone = 0" "$sysctl_conf"; then
+ printf "Hardening settings are correctly applied in %s\n" "$sysctl_conf"
+ else
+ printf "Hardening settings are missing or incorrect in %s\n" "$sysctl_conf" >&2
+ return 1
+ fi
+
+ # Check ownership and SUID bit of bwrap
+ if [ "$(stat -c '%U' "$bwrap")" = "root" ] && [ "$(stat -c '%a' "$bwrap")" -eq 4755 ]; then
+ printf "%s ownership and permissions are correctly set\n" "$bwrap"
+ else
+ printf "%s ownership or permissions are incorrect\n" "$bwrap" >&2
+ return 1
+ fi
+}
+
+# Main function to orchestrate the checks
+main() {
+ set -euo pipefail
+
+ # Perform the checks
+ if ! check_hardening; then
+ printf "Hardening checks failed\n" >&2
+ exit 1
+ else
+ printf "All hardening checks passed\n"
+ fi
+}
+
+main "$@"
diff --git a/integration-tests/test-scripts/test-file.sh b/integration-tests/test-scripts/test-file.sh
new file mode 100644
index 0000000..51823fc
--- /dev/null
+++ b/integration-tests/test-scripts/test-file.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+[ -f /usr/test-file ]
diff --git a/src/commands/build.rs b/src/commands/build.rs
index 38e7558..9304e72 100644
--- a/src/commands/build.rs
+++ b/src/commands/build.rs
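Review bot: The two sysctl checks in `check_hardening` are unanchored substring matches with an unescaped `.`, so a commented-out `# user.max_user_namespaces = 0`, a value such as `= 01`, or any line that merely contains the text passes the test even though the hardening is not in effect. Match the whole line instead: `grep -qxE 'user\.max_user_namespaces *= *0' "$sysctl_conf"` and `grep -qxE 'kernel\.unprivileged_userns_clone *= *0' "$sysctl_conf"`. The `set -euo pipefail` inside `main` repeats the one already set at the top of the file and can go. Note also that if `/usr/bin/bwrap` is absent, `set -e` aborts the script on the failing `stat` before the friendlier "ownership or permissions are incorrect" message is printed, which is acceptable but worth a one-line comment.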
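Review bot: `test-file.sh` gives the reader no hint that its exit status is the entire test, or what `/usr/test-file` is; that only becomes clear from `RUN_TESTS` in the Earthfile and the check this replaces in `build-template`. A comment such as `# Passes only if /usr/test-file exists in the built image (presumably written by the template Containerfile); the [ ] exit status is the test result.` would make the script self-explanatory.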
@@ -387,7 +387,11 @@ impl BuildCommand { build_strat.tag(&full_image, image_name, tag)?; if self.push { - let retry_count = if !self.no_retry_push { self.retry_count } else { 0 }; + let retry_count = if !self.no_retry_push { + self.retry_count + } else { + 0 + }; debug!("Pushing all images"); // Push images with retries (1s delay between retries)