kola: Add AVC checks in docker.selinux test

flatcar · Jan 8, 2025 · ad45596 · ad45596
1 parent 9c870d1
commit ad45596
Showing 1 changed file with 54 additions and 0 deletions.
diff --git a/kola/tests/docker/docker.go b/kola/tests/docker/docker.go
@@ -15,10 +15,12 @@
 package docker
 
 import (
+	"bufio"
 	"bytes"
 	"encoding/json"
 	"fmt"
 	"os"
+	"regexp"
 	"sort"
 	"strings"
 	"time"
@@ -27,6 +29,7 @@ import (
 	"golang.org/x/net/context"
 
 	"github.com/coreos/go-semver/semver"
+	"github.com/flatcar/mantle/kola"
 	"github.com/flatcar/mantle/kola/cluster"
 	"github.com/flatcar/mantle/kola/register"
 	"github.com/flatcar/mantle/lang/worker"
@@ -62,6 +65,8 @@ func init() {
 		MinVersion:  semver.Version{Major: 2942},
 		// This test is normally not related to the cloud environment
 		Platforms: []string{"qemu", "qemu-unpriv"},
+		// Skip AVC checks, we will do our own.
+		Flags: []register.Flag{register.NoSELinuxAVCChecks},
 	})
 	register.Register(&register.Test{
 		Run:         dockerNetworkNmapNcat,
@@ -782,6 +787,55 @@ docker run -v "/etc/misc:/opt" --rm ghcr.io/flatcar/busybox true`
 	if string(out) != "world" {
 		c.Fatal("/etc/misc/hello should holds 'world'")
 	}
+
+	// We disabled AVC checks, because we want to make sure that
+	// there is a specific AVC in logs. We need to be more lenient
+	// on the older versions of Flatcar and ignore the unexpected
+	// AVCs.
+	version := string(c.MustSSH(m, `set -euo pipefail; grep -m 1 "^VERSION=" /usr/lib/os-release | cut -d = -f 2`))
+	if version == "" {
+		c.Fatalf("got an empty version from os-release")
+	}
+
+	sv, err := semver.NewVersion(version)
+	if err != nil {
+		c.Fatalf("failed to parse os-release version: %v", err)
+	}
+
+	out, err = c.SSH(m, `journalctl | grep -ie 'avc:[[:space:]]*denied'`)
+	if err != nil {
+		c.Fatalf("failed to get AVC messages from journal: %v", err)
+	}
+	s := bufio.NewScanner(bytes.NewReader(out))
+	r := regexp.MustCompile(`avc:  denied  { write } for  pid=[0-9]* comm="sh" name="misc" dev="overlay" ino=[0-9]* scontext=system_u:system_r:container_t:s0:c[0-9]*,c[0-9]* tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0`)
+	if sv.LessThan(semver.Version{Major: kola.AVCChecksMajorVersion}) {
+		// old Flatcar, lenient checks
+		found := false
+		for s.Scan() {
+			if r.MatchString(s.Text()) {
+				found = true
+				break
+			}
+		}
+		if !found {
+			c.Fatalf("missing the expected AVC in logs")
+		}
+	} else {
+		// new Flatcar, strict checks
+		found := false
+		for s.Scan() {
+			if found {
+				c.Fatalf("too many AVCs, expected only one")
+			}
+			found = true
+			if !r.MatchString(s.Text()) {
+				c.Fatalf("unexpected AVC: %s", s.Text())
+			}
+		}
+		if !found {
+			c.Fatalf("missing the expected AVC in logs")
+		}
+	}
 }
 
 // Reported by a user: a regression on stable