diff --git a/integration-tests/Earthfile b/integration-tests/Earthfile
index 06ecdde7..339b2746 100644
--- a/integration-tests/Earthfile
+++ b/integration-tests/Earthfile
@@ -3,7 +3,6 @@ PROJECT blue-build/cli
 all:
 BUILD +test-image
- BUILD +test-secureblue
 BUILD +test-legacy-image
 BUILD +build
 BUILD +rebase
@@ -24,20 +23,6 @@ test-legacy-image:
 DO +RUN_TESTS
-test-secureblue:
- FROM +build-template --src=template-secureblue
- WORKDIR /tmp/test
- COPY ./test-scripts/secureblue/*.sh ./
-
- DO +RUN_TESTS
-
-test-secureblue-ucore:
- FROM +build-template --src=template-secureblue-ucore
- WORKDIR /tmp/test
- COPY ./test-scripts/secureblue/*.sh ./
-
- DO +RUN_TESTS
-
 build-template:
 ARG --required src
 FROM DOCKERFILE \
@@ -56,18 +41,6 @@ template-legacy-containerfile:
 SAVE ARTIFACT /test
-template-secureblue:
- FROM +secureblue-base
- RUN bluebuild -vv generate -o Containerfile recipes/general/recipe-silverblue-nvidia.yml
-
- SAVE ARTIFACT /test
-
-template-secureblue-ucore:
- FROM +secureblue-base
- RUN bluebuild -vv generate -o Containerfile recipes/server/recipe-server-main.yml
-
- SAVE ARTIFACT /test
-
 build:
 FROM +test-base
@@ -90,14 +63,6 @@ switch:
 RUN mkdir -p /etc/bluebuild && touch $BB_TEST_LOCAL_IMAGE
 RUN bluebuild -vv switch recipes/recipe.yml
-secureblue-base:
- FROM +test-base
-
- RUN rm -fr /test
- GIT CLONE https://github.com/secureblue/secureblue.git /test
-
- DO +GEN_KEYPAIR
-
 legacy-base:
 FROM ../+blue-build-cli-alpine
 RUN apk update --no-cache && apk add bash grep jq sudo coreutils
diff --git a/integration-tests/test-scripts/secureblue/100-test-chmod.sh b/integration-tests/test-scripts/secureblue/100-test-chmod.sh
deleted file mode 100644
index c805b9a3..00000000
--- a/integration-tests/test-scripts/secureblue/100-test-chmod.sh
+++ /dev/null
@@ -1,41 +0,0 @@
-#!/usr/bin/env bash
-
-set -euo pipefail
-
-# Function to check if hardening has been applied correctly
-check_hardening() {
- local sysctl_conf="/usr/etc/sysctl.d/hardening.conf"
- local bwrap="/usr/bin/bwrap"
-
- # Check for the presence of user namespace hardening
- if grep -q "user.max_user_namespaces = 0" "$sysctl_conf" &&
- grep -q "kernel.unprivileged_userns_clone = 0" "$sysctl_conf"; then
- printf "Hardening settings are correctly applied in %s\n" "$sysctl_conf"
- else
- printf "Hardening settings are missing or incorrect in %s\n" "$sysctl_conf" >&2
- return 1
- fi
-
- # Check ownership and SUID bit of bwrap
- if [ "$(stat -c '%U' "$bwrap")" = "root" ] && [ "$(stat -c '%a' "$bwrap")" -eq 4755 ]; then
- printf "%s ownership and permissions are correctly set\n" "$bwrap"
- else
- printf "%s ownership or permissions are incorrect\n" "$bwrap" >&2
- return 1
- fi
-}
-
-# Main function to orchestrate the checks
-main() {
- set -euo pipefail
-
- # Perform the checks
- if ! check_hardening; then
- printf "Hardening checks failed\n" >&2
- exit 1
- else
- printf "All hardening checks passed\n"
- fi
-}
-
-main "$@"