From: Vitaly Chikunov <vt@altlinux.org>
To: Mimi Zohar <zohar@linux.vnet.ibm.com>,
Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
linux-integrity@vger.kernel.org
Cc: Mimi Zohar <zohar@linux.ibm.com>
Subject: [PATCH ima-evm-utils] Experimental fsverity.test related GA CI improvements
Date: Thu, 1 Dec 2022 03:26:54 +0300
Message-ID: <20221201002654.2238906-1-vt@altlinux.org>
From: Mimi Zohar <zohar@linux.ibm.com>
This does not make fsverity.test work on GA CI, though.
- `--device /dev/loop-control' is required for losetup(8) to work.
- `--privileged' is required for mount(8) to work, and this makes
  `--security-opt seccomp=unconfined' redundant.
- GA container does not have `/sys/kernel/security' mounted which is
  needed for `/sys/kernel/security/integrity/ima/policy'.
- Enable `set -x` in CI as the logs are everything we have to analyze on
  failures.
Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
---
.github/workflows/ci.yml | 2 +-
build.sh | 12 +++++++++++-
tests/fsverity.test | 2 +-
3 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 8223b87..d2afdfe 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -98,7 +98,7 @@ jobs:
container:
image: ${{ matrix.container }}
env: ${{ matrix.env }}
- options: --security-opt seccomp=unconfined
+ options: --privileged --device /dev/loop-control
steps:
- name: Show OS
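Review bot: `--privileged` on the `options:` line applies to every `matrix.container` entry of this job, and it grants much more than the seccomp exemption it replaces (all capabilities and access to host devices). The commit message states that fsverity.test still does not work with it, so consider holding this change until the test is shown to pass, or restricting it to the matrix entries that actually run fsverity.test, with a comment next to `options:` saying which step needs it. Please also confirm whether `--device /dev/loop-control` is still needed once `--privileged` is set.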
diff --git a/build.sh b/build.sh
index cc5a258..4e2f1bb 100755
--- a/build.sh
+++ b/build.sh
@@ -1,6 +1,16 @@
#!/bin/sh
# Copyright (c) 2020 Petr Vorel <pvorel@suse.cz>
+if [ -n "$CI" ]; then
+ # If we under CI only thing we can analyze is logs so better to enable
+ # verbosity to a maximum.
+ set -x
+ # This is to make stdout and stderr synchronous in the logs.
+ exec 2>&1
+
+ mount -t securityfs -o rw securityfs /sys/kernel/security
+fi
+
set -e
CC="${CC:-gcc}"
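Review bot: the `mount -t securityfs` call in the new `if [ -n "$CI" ]` block runs before `set -e` and without any check, so a failed mount (securityfs already mounted, or a CI runner that is not root or not privileged) is ignored and only surfaces later as a missing `/sys/kernel/security/integrity/ima/policy`. `$CI` being set says nothing about privileges, so test whether the mount point is already populated first and print an explicit message when the mount fails, for example `mountpoint -q /sys/kernel/security || mount ... || echo "securityfs not mounted"`. The comment "If we under CI only thing we can analyze is logs" also needs a grammar pass.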
@@ -100,7 +110,7 @@ if [ $ret -eq 0 ]; then
tail -20 tests/boot_aggregate.log
if [ -f tests/fsverity.log ]; then
- tail -4 tests/fsverity.log
+ [ -n "$CI" ] && cat tests/fsverity.log || tail tests/fsverity.log
grep "skipped" tests/fsverity.log && \
grep "skipped" tests/fsverity.log | wc -l
fi
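Review bot: `[ -n "$CI" ] && cat tests/fsverity.log || tail tests/fsverity.log` is not an if/else: when `cat` returns non-zero under CI, `tail` runs as well. Use an explicit `if [ -n "$CI" ]; then cat ...; else tail ...; fi`. The non-CI branch also changes from `tail -4` to the default line count of `tail`, which the commit message does not mention; keep `tail -4` or say why it changed.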
diff --git a/tests/fsverity.test b/tests/fsverity.test
index def06f8..1bb8362 100755
--- a/tests/fsverity.test
+++ b/tests/fsverity.test
@@ -78,7 +78,7 @@ mount_loopback_file() {
exit "$FAIL"
fi
- mount -o loop ${TST_IMG} $TST_MNT
+ mount -v -o loop ${TST_IMG} $TST_MNT
ret=$?
if [ "${ret}" -eq 0 ]; then
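Review bot: the touched `mount -v -o loop ${TST_IMG} $TST_MNT` line still expands both variables unquoted, so a path containing whitespace splits into extra arguments; since the line is being changed anyway, quote them as `"${TST_IMG}" "${TST_MNT}"`. The added `-v` is not covered by the commit message, which only mentions `set -x`; add a line there so the extra verbosity is documented.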
--
2.33.4
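
The commit message names three things the container must provide for fsverity.test: `/dev/loop-control`, a securityfs mount on `/sys/kernel/security`, and the IMA policy file below it. The following preflight check is an added example, not part of the patch or of ima-evm-utils; the function names and the `--check` switch are hypothetical, and it takes the root directory and mounts file as parameters so it can be exercised on constructed input.

```shell
#!/bin/sh
# Added example (not from the patch): report which fsverity.test
# prerequisites listed in the commit message are missing.

# has_securityfs MOUNTS_FILE
# Succeeds if a securityfs is mounted on /sys/kernel/security.
has_securityfs() {
    # /proc/mounts fields: device mountpoint fstype options dump pass
    awk '$2 == "/sys/kernel/security" && $3 == "securityfs" { found = 1 }
         END { exit !found }' "$1"
}

# missing_prereqs ROOT MOUNTS_FILE
# Prints one keyword per missing prerequisite; prints nothing when all are
# present. ROOT is "" on a real system and a scratch directory in the demo.
# -e is used instead of -c so the check also works on a constructed tree.
missing_prereqs() {
    root=$1 mounts=$2
    [ -e "$root/dev/loop-control" ] || echo "loop-control"
    has_securityfs "$mounts" || echo "securityfs"
    [ -e "$root/sys/kernel/security/integrity/ima/policy" ] || echo "ima-policy"
}

# demo_constructed: run the check against a constructed container layout
# that has the loop control node but no securityfs mount.
demo_constructed() {
    d=$(mktemp -d)
    mkdir -p "$d/dev" && : > "$d/dev/loop-control"
    # Constructed /proc/mounts excerpt without a securityfs entry.
    printf '%s\n' 'proc /proc proc rw,nosuid 0 0' \
                  'sysfs /sys sysfs ro,nosuid 0 0' > "$d/mounts"
    missing_prereqs "$d" "$d/mounts"
    rm -rf "$d"
}

# Real use inside the CI container: sh prereq.sh --check
if [ "${1:-}" = "--check" ]; then
    missing_prereqs "" /proc/mounts
fi
```

Running it as an early CI step puts the missing prerequisite in the log by name before the test suite starts.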