Add option to enforce AppArmor profiles in tests

Introduce variable `USE_APPARMOR` to allow enforcing AppArmor profiles inside tests. Use the new variable inside nginx install variant of the test. Reference: https://progress.opensuse.org/issues/155413
os-autoinst · Aug 22, 2024 · 543a857 · 543a857
1 parent 4bc896b
commit 543a857
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 0 deletions.
diff --git a/main.pm b/main.pm
@@ -24,6 +24,7 @@ sub load_install_tests() {
     # interaction
     return 1 if get_var('OPENQA_FROM_GIT');
     loadtest 'install/openqa_worker' unless get_var('OPENQA_FROM_BOOTSTRAP');
+    loadtest 'install/apparmor' if get_var('USE_APPARMOR');
     loadtest 'install/test_distribution';
 }
 

diff --git a/scenario-definitions.yaml b/scenario-definitions.yaml
@@ -55,6 +55,7 @@ job_templates:
     settings:
       DESKTOP: minimalx
       OPENQA_WEB_PROXY: 'nginx'
+      USE_APPARMOR: "1"
   openqa_install_multimachine:
     <<: *common_4g
     settings:

diff --git a/tests/install/apparmor.pm b/tests/install/apparmor.pm
@@ -0,0 +1,17 @@
+use Mojo::Base 'openQAcoretest', -signatures;
+use testapi;
+use utils qw(install_packages);
+
+sub run {
+    # Make sure AppArmor is installed and enabled
+    install_packages('-t pattern apparmor');
+    assert_script_run('systemctl enable --now apparmor');
+    assert_script_run('aa-enabled');
+    # Reload AppArmor to enforce newly installed profiles
+    assert_script_run('systemctl reload apparmor');
+    # Restart running services to apply loaded profiles
+    assert_script_run('systemctl try-restart openqa-*');
+    assert_script_run('aa-status --filter.profiles="usr.share.openqa.*"');
+}
+
+1;