mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-02-25 18:55:28 -06:00
Azure: Warn about Host's AVC and SECCOMP
Azure's VM distro is Ubuntu, which has enabled AppArmor. This security module sometimes interferes with CI Docker containers, but to be completely disabled it requires reboot (this is impossible, at least for now). So, Azure will warn about AVC records in Host's journal as a possible clue. It will be equally important to be warned about SECCOMP records to see possible blocked syscalls (requires SCMP_ACT_LOG as defaultAction in seccomp profile).

Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Committed by: Florence Blanc-Renaud
Parent: 45d2381037
Commit: 5daa41fc55
@@ -1,5 +1,6 @@
{
"defaultAction": "SCMP_ACT_ERRNO",
"__defaultAction": "Change defaultAction to SCMP_ACT_LOG and then check Host's journal for SECCOMP",
"defaultAction": "SCMP_ACT_ERRNO",
"archMap": [
{
"architecture": "SCMP_ARCH_X86_64",
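Review bot: the `__defaultAction` key stands in for a comment that JSON cannot express, and it only survives because the profile loader ignores unknown top-level keys; a stricter loader would reject the whole profile. The hint also leaves out the part that matters most: with `SCMP_ACT_LOG` as `defaultAction`, every syscall without an explicit rule is logged and then allowed, so the profile stops enforcing for as long as the switch is in place and must be reverted to `SCMP_ACT_ERRNO` afterwards. Consider saying so in the value, e.g. `"__defaultAction": "Debugging only: set defaultAction to SCMP_ACT_LOG (unlisted syscalls are then logged AND allowed), check Host's journal for SECCOMP records, then revert to SCMP_ACT_ERRNO"`.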
@@ -64,6 +64,16 @@ steps:
HOST_JOURNAL_PATH="${IPA_TESTS_ENV_WORKING_DIR}/${HOST_JOURNAL}.tar.gz"
sudo journalctl -b | tee "$HOST_JOURNAL"
function emit_warning() {
printf "##vso[task.logissue type=warning]%s\n" "$1"
}
printf "AVC:\n"
grep 'AVC apparmor="DENIED"' "$HOST_JOURNAL" && \
emit_warning "There are Host's AVCs. Please, check the logs."
printf "SECCOMP:\n"
grep ' SECCOMP ' "$HOST_JOURNAL" && \
emit_warning "There are reported SECCOMP syscalls. Please, check the logs."
tar --ignore-failed-read -czf "$HOST_JOURNAL_PATH" "$HOST_JOURNAL"
condition: succeededOrFailed()
displayName: Host's systemd journal
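Review bot: the `grep ... && emit_warning ...` lists leave the step with a non-zero status whenever grep finds nothing, which is exactly the clean case; that is harmless here only because `tar` happens to run last, and the next person who appends a command after `emit_warning` or reorders the step inherits a spurious failure. Prefer the explicit form, which keeps the matched lines in the step log: `if grep 'AVC apparmor="DENIED"' "$HOST_JOURNAL"; then emit_warning "There are Host's AVCs. Please, check the logs."; fi`. Separately, `' SECCOMP '` matches any journal message containing that word; the AVC pattern already relies on the journal rendering audit records as `<TYPE> <body>`, so the equivalent `SECCOMP auid=` would tie the warning to actual seccomp audit records instead of arbitrary text.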