Azure: Warn about Host's AVC and SECCOMP

Azure's VM distro is Ubuntu, which has enabled AppArmor.
This security module sometimes interferes with CI Docker containers,
but to be completely disabled it requires reboot(this is impossible,
at least for now). So, Azure will warn about AVC records in Host's
journal as a possible clue.

It will be equally important to be warned about SECCOMP records to
see possible blocked syscalls(requires SCMP_ACT_LOG as defaultAction in
seccomp profile).

Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

ipatests/azure/Dockerfiles/seccomp.json

@@ -1,5 +1,6 @@
 {
-	"defaultAction": "SCMP_ACT_ERRNO",
+	"__defaultAction": "Change defaultAction to SCMP_ACT_LOG and then check Host's journal for SECCOMP",
+        "defaultAction": "SCMP_ACT_ERRNO",
 	"archMap": [
 		{
 			"architecture": "SCMP_ARCH_X86_64",

ipatests/azure/templates/test-jobs.yml

@@ -64,6 +64,16 @@ steps:
     HOST_JOURNAL_PATH="${IPA_TESTS_ENV_WORKING_DIR}/${HOST_JOURNAL}.tar.gz"
     sudo journalctl -b | tee "$HOST_JOURNAL"
 
+    function emit_warning() {
+        printf "##vso[task.logissue type=warning]%s\n" "$1"
+    }
+
+    printf "AVC:\n"
+    grep 'AVC apparmor="DENIED"' "$HOST_JOURNAL" && \
+        emit_warning "There are Host's AVCs. Please, check the logs."
+    printf "SECCOMP:\n"
+    grep ' SECCOMP ' "$HOST_JOURNAL" && \
+        emit_warning "There are reported SECCOMP syscalls. Please, check the logs."
     tar --ignore-failed-read -czf "$HOST_JOURNAL_PATH" "$HOST_JOURNAL"
   condition: succeededOrFailed()
   displayName: Host's systemd journal