cephadm: add a test case to cover reading apparmor profiles
authorJohn Mulligan <jmulligan@redhat.com>
Mon, 10 Jun 2024 18:27:51 +0000 (14:27 -0400)
committerAdam King <adking@redhat.com>
Fri, 7 Feb 2025 20:39:03 +0000 (15:39 -0500)
Add a test case that covers the HostFacts functionality regarding
the apparmor kernel security (lsm) feature.
Put it in the test_enclosure.py file for now because enclosure is
part of host_facts module.

Signed-off-by: John Mulligan <jmulligan@redhat.com>
(cherry picked from commit 8f237d46e4b8d0b85907fd7a6fb9bc044d16b354)

src/cephadm/tests/test_enclosure.py

index 1ea419fb3c0e08272e3955e5ce5ff6e7df78161d..b825fb6b32e4e37577ba5be4270608060e9e9875 100644 (file)
@@ -1,7 +1,7 @@
 import pytest
 
 from unittest import mock
-from tests.fixtures import host_sysfs, import_cephadm
+from tests.fixtures import host_sysfs, import_cephadm, cephadm_fs
 
 _cephadm = import_cephadm()
 
@@ -70,3 +70,38 @@ class TestEnclosure:
 
         for serial, slot in enclosure.device_lookup.items():
             assert enclosure.slot_map[slot].get('serial') == serial
+
+
+def test_host_facts_security(cephadm_fs):
+    cephadm_fs.create_file('/sys/kernel/security/lsm', contents='apparmor\n')
+    cephadm_fs.create_file('/etc/apparmor', contents='foo\n')
+    # List from https://tracker.ceph.com/issues/66389
+    profiles_lines = [
+        'foo (complain)',
+        '/usr/bin/man (enforce)',
+        '1password (unconfined)',
+        'Discord (unconfined)',
+        # These examples with spaces in the name fail currently
+        # 'MongoDB Compass (unconfined)',
+        # 'profile name with spaces (enforce)',
+    ]
+    cephadm_fs.create_file(
+        '/sys/kernel/security/apparmor/profiles',
+        contents='\n'.join(profiles_lines),
+    )
+
+    from cephadmlib.host_facts import HostFacts
+
+    class TestHostFacts(HostFacts):
+        def _populate_sysctl_options(self):
+            return {}
+
+    ctx = mock.MagicMock()
+    hfacts = TestHostFacts(ctx)
+    ksec = hfacts.kernel_security
+    assert ksec
+    assert ksec['type'] == 'AppArmor'
+    assert ksec['type'] == 'AppArmor'
+    assert ksec['complain'] == 0
+    assert ksec['enforce'] == 0
+    assert ksec['unconfined'] == 1
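Review bot: The expected counts at the end of `test_host_facts_security` are each one lower than what the fixture holds: `profiles_lines` has one `complain`, one `enforce` and two `unconfined` entries, yet the test asserts 0, 0 and 1. If that mirrors how HostFacts currently tallies modes (its code is not part of this diff), the test locks in a report of zero enforced AppArmor profiles on a host that has one, which understates confinement to anyone consuming the host facts. I would either assert the real counts (1, 1, 2) and mark the test as an expected failure until the tally is corrected, or put a comment above the asserts such as `# counts are one below the fixture (1/1/2); pins the current HostFacts tally`. The second `assert ksec['type'] == 'AppArmor'` is a duplicate and can be dropped.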