kernel: Fix IsKernelLockdownMode

Passing `/bin/sh -c xxx` to `RunCommand` requires xxx to be a single string representing a full command. Multiple arguments shifts the executed command from: ``` /bin/sh -c "cat file.txt" ``` to: ``` /bin/sh -c cat file.txt ``` This regression has been introduced by: - k8snetworkplumbingwg#553 Signed-off-by: Andrea Panattoni <[email protected]>
zeeke · Mar 14, 2024 · db9cc04 · db9cc04
1 parent 82a6d6f
commit db9cc04
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 2 deletions.
diff --git a/pkg/host/internal/kernel/kernel.go b/pkg/host/internal/kernel/kernel.go
@@ -579,7 +579,7 @@ func (k *kernel) IsKernelLockdownMode() bool {
 	path := utils.GetHostExtension()
 	path = filepath.Join(path, "/sys/kernel/security/lockdown")
 
-	stdout, stderr, err := k.utilsHelper.RunCommand("/bin/sh", "-c", "cat", path)
+	stdout, stderr, err := k.utilsHelper.RunCommand("cat", path)
 	log.Log.V(2).Info("IsKernelLockdownMode()", "output", stdout, "error", err)
 	if err != nil {
 		log.Log.Error(err, "IsKernelLockdownMode(): failed to check for lockdown file", "stderr", stderr)

diff --git a/pkg/host/internal/kernel/kernel_test.go b/pkg/host/internal/kernel/kernel_test.go
@@ -6,6 +6,7 @@ import (
 
 	"github.com/k8snetworkplumbingwg/sriov-network-operator/pkg/consts"
 	"github.com/k8snetworkplumbingwg/sriov-network-operator/pkg/host/types"
+	"github.com/k8snetworkplumbingwg/sriov-network-operator/pkg/utils"
 	"github.com/k8snetworkplumbingwg/sriov-network-operator/test/util/fakefilesystem"
 	"github.com/k8snetworkplumbingwg/sriov-network-operator/test/util/helpers"
 )
@@ -16,7 +17,7 @@ var _ = Describe("Kernel", func() {
 			k types.KernelInterface
 		)
 		BeforeEach(func() {
-			k = New(nil)
+			k = New(utils.New())
 		})
 		Context("Unbind, UnbindDriverByBusAndDevice", func() {
 			It("unknown device", func() {
@@ -217,5 +218,27 @@ var _ = Describe("Kernel", func() {
 				Expect(driver).To(BeEmpty())
 			})
 		})
+
+		Context("IsKernelLockdownMode", func() {
+			It("should return true when kernel boots in lockdown integrity", func() {
+				helpers.GinkgoConfigureFakeFS(&fakefilesystem.FS{
+					Dirs: []string{"/host/sys/kernel/security"},
+					Files: map[string][]byte{
+						"/host/sys/kernel/security/lockdown": []byte("none [integrity] confidentiality")},
+				})
+
+				Expect(k.IsKernelLockdownMode()).To(BeTrue())
+			})
+
+			It("should return false when kernel lockdown is none", func() {
+				helpers.GinkgoConfigureFakeFS(&fakefilesystem.FS{
+					Dirs: []string{"/host/sys/kernel/security"},
+					Files: map[string][]byte{
+						"/host/sys/kernel/security/lockdown": []byte("[none] integrity confidentiality")},
+				})
+
+				Expect(k.IsKernelLockdownMode()).To(BeFalse())
+			})
+		})
 	})
 })