
[isar-cip-core,v1] .gitlab-ci.yml: Deploy separate home partition for qemu security targets

Message ID 20250324112155.3051460-1-Sai.Sathujoda@toshiba-tsip.com (mailing list archive)
State New
Series [isar-cip-core,v1] .gitlab-ci.yml: Deploy separate home partition for qemu security targets

Commit Message

Sai.Sathujoda@toshiba-tsip.com March 24, 2025, 11:21 a.m. UTC
From: sai ashrith sathujoda <sai.sathujoda@toshiba-tsip.com>

IEC layer tests run with /home as working directory. aide is unable to
detect changes made to a temporary file created under /home which is
now symlinked to /var/home. This resulted in failure of the following test cases
TC_CR3.4-RE2_1, TC_CR3.4_1, TC_CR6.2_1.

Signed-off-by: sai ashrith sathujoda <sai.sathujoda@toshiba-tsip.com>
---
 .gitlab-ci.yml | 3 +++
 1 file changed, 3 insertions(+)

Comments

Jan Kiszka March 24, 2025, 11:28 a.m. UTC | #1
On 24.03.25 12:21, Sai.Sathujoda@toshiba-tsip.com wrote:
> From: sai ashrith sathujoda <sai.sathujoda@toshiba-tsip.com>
> 
> IEC layer tests run with /home as working directory. aide is unable to

aide?

> detect changes made to a temporary file created under /home which is
> now symlinked to /var/home. This resulted in failure of the following test cases
> TC_CR3.4-RE2_1, TC_CR3.4_1, TC_CR6.2_1.
> 

Is this a limitation of test cases or an issue of our merged home
partition approach?

Jan

> Signed-off-by: sai ashrith sathujoda <sai.sathujoda@toshiba-tsip.com>
> ---
>  .gitlab-ci.yml | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
> index ec9ec2e..146eb33 100644
> --- a/.gitlab-ci.yml
> +++ b/.gitlab-ci.yml
> @@ -122,6 +122,7 @@ build:qemu-amd64-base:
>      security_test: enable
>      use_rt: disable
>      build_swu_v2: enable
> +    separate_home_partition: enable
>  
>  build:qemu-amd64-base-kernelci:
>    extends:
> @@ -142,6 +143,7 @@ build:qemu-arm64-base:
>      security_test: enable
>      use_rt: disable
>      build_swu_v2: enable
> +    separate_home_partition: enable
>  
>  build:qemu-arm64-base-kernelci:
>    extends:
> @@ -162,6 +164,7 @@ build:qemu-arm-base:
>      security_test: enable
>      use_rt: disable
>      build_swu_v2: enable
> +    separate_home_partition: enable
>  
>  build:qemu-arm-base-kernelci:
>    extends:
Sai.Sathujoda@toshiba-tsip.com March 24, 2025, 11:35 a.m. UTC | #2
Hi Jan,

Across all QEMU targets, the mentioned test cases are failing -> TC_CR3.4-RE2_1, TC_CR3.4_1, TC_CR6.2_1

All three of them are related to aide, where we explicitly modify a file and check if aide is able to detect that. If I run these test cases in /var/home/..., aide is able to detect that the file has been modified, reporting an integrity failure to the journal logs. But if I do this with /home as the working directory to run these tests, the changes are not detected.

We can also change the working directory to /var/home here, instead of deploying a separate home partition -> https://gitlab.com/cip-project/cip-core/isar-cip-core/-/blob/master/tests/templates/IEC_template.yml?ref_type=heads#L74

Regards,
Sai Ashrith
Jan Kiszka March 24, 2025, 11:54 a.m. UTC | #3
On 24.03.25 12:35, Sai.Sathujoda@toshiba-tsip.com wrote:
> Hi Jan,
> 
> Across all QEMU targets, the mentioned test cases are failing ->
> TC_CR3.4-RE2_1, TC_CR3.4_1, TC_CR6.2_1
> 
> All three of them are related to aide, where we explicitly modify a file
> and check if aide is able to detect that. If I run these test cases in
> /var/home/..., aide is able to detect that the file has been modified,
> reporting an integrity failure to the journal logs. But if I do this with
> /home as the working directory to run these tests, the changes are not detected.
> 
> We can also change the working directory to /var/home here, instead of
> deploying a separate home partition ->
> https://gitlab.com/cip-project/cip-core/isar-cip-core/-/blob/master/tests/templates/IEC_template.yml?ref_type=heads#L74
> 
> 

The idea of linking /home to /var/home is that it is (widely)
transparent to its users. What is aide exactly doing to let that fail?
Does it reject to follow symbolic links? Why?

Jan
Sai.Sathujoda@toshiba-tsip.com March 24, 2025, 12:03 p.m. UTC | #4
Hi Jan,

There is a possibility that this can be a limitation in aide. From the test cases' perspective, aide is not detecting that the file has been modified after an aide check if the file is created under a sub-directory in /home. I am checking whether this bug has already been reported by someone.

As of now to handle this, we can either add home as a separate partition and run the tests there or change the test execution directory to /var/home.


Thanks and regards,
Sai Ashrith
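The thread leaves the root cause open. As an added illustration (not code from the page, from aide, or from isar-cip-core), the script below models one mechanism that produces exactly the symptom described: an integrity walker that records symbolic links with lstat and never descends into them, so a rule on /home covers only the link while the real files live in /var/home, outside its scope. The directory layout, file names and rule set are constructed for the demonstration.

```python
import hashlib
import os
import tempfile


def snapshot(root, rules):
    """Hash every regular file under the given rule paths, walking like a
    checker that uses lstat: a symlink is recorded as a link entry and its
    target is never descended into. Returns {relative_path: digest}."""
    db = {}
    for rule in rules:
        top = os.path.join(root, rule)
        if os.path.islink(top):
            db[rule] = "symlink->" + os.readlink(top)
            continue  # the link itself is in scope; its target is not
        for dirpath, _dirs, files in os.walk(top, followlinks=False):
            for name in files:
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    db[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return db


def changed(before, after):
    """Paths whose entry differs between two snapshots (added, removed, modified)."""
    return sorted(p for p in set(before) | set(after) if before.get(p) != after.get(p))


def demo(rules):
    """Constructed layout mirroring the thread: home -> var/home (relative symlink).
    A file under home/ is modified between two snapshots taken with `rules`."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "var/home/tester"))
        os.symlink("var/home", os.path.join(root, "home"))
        target = os.path.join(root, "home/tester/tc_file.txt")
        with open(target, "w") as fh:
            fh.write("baseline\n")
        before = snapshot(root, rules)
        with open(target, "a") as fh:
            fh.write("tampered\n")  # the modification a test case would make
        return changed(before, snapshot(root, rules))


if __name__ == "__main__":
    # Only the symlink is in scope: the edit goes unnoticed.
    print("rules [home]      :", demo(["home"]))
    # The relocated target is covered too: the edit is reported.
    print("rules [home, var] :", demo(["home", "var"]))
```

The check a defender takes from this: after relocating a directory behind a symlink, confirm the monitoring rules cover the resolved path, not just the link.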
Jan Kiszka March 24, 2025, 12:53 p.m. UTC | #5
On 24.03.25 13:03, Sai.Sathujoda@toshiba-tsip.com wrote:
> Hi Jan,
> 
> There is a possibility that this can be a limitation in aide. From the
> test cases' perspective, aide is not detecting that the file has been
> modified after an aide check if the file is created under a sub-
> directory in /home. I am checking whether this bug has already been
> reported by someone.

Thanks, please help clarify the root cause.

> 
> As of now to handle this, we can either add home as a separate partition
> and run the tests there or change the test execution directory to /var/home.

The latter would make the tests depend on where we relocate /home which
may also change again - that would be bad.

Let's turn off the separation for now until the real issue has been
understood. But this commit here should be considered temporary. I'm
augmenting its description.

Thanks, applied.

Jan

> 
> 
> Thanks and regards,
> Sai Ashrith

Patch

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index ec9ec2e..146eb33 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -122,6 +122,7 @@  build:qemu-amd64-base:
     security_test: enable
     use_rt: disable
     build_swu_v2: enable
+    separate_home_partition: enable
 
 build:qemu-amd64-base-kernelci:
   extends:
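Review bot: the commit message describes the symptom (aide missing a change under /home once /home is a symlink to /var/home) but not why a separate partition makes it go away, so this hunk is a workaround for an undiagnosed problem rather than a fix. Please say so in the description, mark the setting as temporary, and reference the aide behaviour still to be clarified, so there is a clear trigger for reverting `separate_home_partition: enable` later.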
@@ -142,6 +143,7 @@  build:qemu-arm64-base:
     security_test: enable
     use_rt: disable
     build_swu_v2: enable
+    separate_home_partition: enable
 
 build:qemu-arm64-base-kernelci:
   extends:
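Review bot: `build:qemu-arm64-base-kernelci:` directly below this hunk uses `extends:`; if it extends `build:qemu-arm64-base`, it inherits `separate_home_partition: enable` as well. The commit message should state whether the kernelci variants are meant to get a separate home partition too, or whether they need to override the setting back to its previous value.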
@@ -162,6 +164,7 @@  build:qemu-arm-base:
     security_test: enable
     use_rt: disable
     build_swu_v2: enable
+    separate_home_partition: enable
 
 build:qemu-arm-base-kernelci:
   extends:
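Review bot: the same `separate_home_partition: enable` line is now pasted into three jobs, each time right after `security_test: enable`. If the setting exists only to keep the aide test cases passing, consider deriving it from `security_test` in the shared job template instead, so a future security-tested target does not silently miss it and there is a single place to drop it once the root cause is understood.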