From: John Mulligan Date: Mon, 10 Jun 2024 18:27:51 +0000 (-0400) Subject: cephadm: add a test case to cover reading apparmor profiles X-Git-Tag: testing/wip-pdonnell-testing-20240622.145006-debug~47^2~3 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=8f237d46e4b8d0b85907fd7a6fb9bc044d16b354;p=ceph-ci.git cephadm: add a test case to cover reading apparmor profiles Add a test case that covers the HostFacts functionality regarding the apparmor kernel security (lsm) feature. Put it in the test_enclosure.py file for now because enclosure is part of host_facts module. Signed-off-by: John Mulligan --- diff --git a/src/cephadm/tests/test_enclosure.py b/src/cephadm/tests/test_enclosure.py index 48d05cf8318..243f07e8577 100644 --- a/src/cephadm/tests/test_enclosure.py +++ b/src/cephadm/tests/test_enclosure.py @@ -1,7 +1,7 @@ import pytest from unittest import mock -from tests.fixtures import host_sysfs, import_cephadm +from tests.fixtures import host_sysfs, import_cephadm, cephadm_fs from cephadmlib.host_facts import Enclosure 
@@ -72,3 +72,38 @@ class TestEnclosure: for serial, slot in enclosure.device_lookup.items(): assert enclosure.slot_map[slot].get('serial') == serial + + +def test_host_facts_security(cephadm_fs): + cephadm_fs.create_file('/sys/kernel/security/lsm', contents='apparmor\n') + cephadm_fs.create_file('/etc/apparmor', contents='foo\n') + # List from https://tracker.ceph.com/issues/66389 + profiles_lines = [ + 'foo (complain)', + '/usr/bin/man (enforce)', + '1password (unconfined)', + 'Discord (unconfined)', + # These examples with spaces in the name fail currently + # 'MongoDB Compass (unconfined)', + # 'profile name with spaces (enforce)', + ] + cephadm_fs.create_file( + '/sys/kernel/security/apparmor/profiles', + contents='\n'.join(profiles_lines), + ) + + from cephadmlib.host_facts import HostFacts + + class TestHostFacts(HostFacts): + def _populate_sysctl_options(self): + return {} + + ctx = mock.MagicMock() + hfacts = TestHostFacts(ctx) + ksec = hfacts.kernel_security + assert ksec + assert ksec['type'] == 'AppArmor' + assert ksec['type'] == 'AppArmor' + assert ksec['complain'] == 0 + assert ksec['enforce'] == 0 + assert ksec['unconfined'] == 1
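Review bot: The count assertions at the end of `test_host_facts_security` do not match the fixture: `profiles_lines` holds one complain, one enforce and two unconfined profiles, yet the test expects `0`, `0` and `1`. If this deliberately pins how HostFacts counts today, say so next to the asserts, as was done for the names with spaces, e.g. `# NOTE: each count is one lower than the fixture; this pins current parsing, not the intended result`. Otherwise the expected values should be `1`, `1` and `2`. As written, the test locks in a report of zero enforced profiles on a host that has one, which misstates the host's confinement to anyone reading the gathered facts. `assert ksec['type'] == 'AppArmor'` also appears twice in a row, so the second copy can be dropped or replaced with a check on a different key.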