-
Notifications
You must be signed in to change notification settings - Fork 686
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use paxtest for validating grsecurity config #1039
Comments
Looks like we now have this in testinfra in |
Unfortunately those checks aren't actually running, they're being skipped conditionally. That's a tiny edit, so I'll knock it out in discrete commit. Note that the grsecurity checks only run in local staging, not in CI (yet). |
We still have the As we work on Focal support, particularly creating a new metapackage, it'd be great to have the additional validation of these tests running. Let's just add the "paxtest" package to the grsec install tasks, so it's available immediately in test environments. We can consider marking it as a dependency of "securedrop-grsec" as well. |
Given that our QA matrix includes running these commands manually, we should indeed click the tests back on soon, to save developers some time, now that we have testinfra on prod (#5318). Some things have changed since the tests were originally written, though, so I'm noting that here. Under a Xenial host with
However, on Foal with
More recent versions of paxtest will show "Vulnerable" on the memcpy tests. You can try downloading the Focal deb onto a Xenial host and rerunning, you'll see the output change. Looks like the change was intentional, as the changelog for 0.9.14 states:
See some relevant (but much older) discussion of these checks in https://forums.grsecurity.net/viewtopic.php?t=1420#p5560. Easy enough to update the tests to match, but stating explicitly here that the "Vulnerable" results on the |
The
paxtest
package can be used to validatepaxctl
flags, used as part of the grsecurity configuration. Thepaxtest
package has been implemented in a feature branch via theapp-test
role (see 247b997), but a better place for it would be in thegrsecurity
role, since that role applies to both*-staging
hosts. There are already serverspec tests written for checkingpaxtest
output, but the tests are currently disabled (see 837d6d3).As long as there are no concerns with including
paxtest
in staging and production, the package could be used for a post-validation of a working setup. It's also quite useful for checking for regressions in virtualbox testing during config management changes to the*-staging
hosts.Example output
Running
paxtest
on a default Ubuntu kernel yields output like this:Whereas on a grsecurity kernel:
The text was updated successfully, but these errors were encountered: