forked from autotest/tp-libvirt
-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request autotest#5259 from meinaLi/selinux
guest_os_booting: new case of booting vm with seclabel in backed nvram
- Loading branch information
Showing
2 changed files
with
114 additions
and
0 deletions.
There are no files selected for viewing
34 changes: 34 additions & 0 deletions
34
libvirt/tests/cfg/guest_os_booting/ovmf_firmware/ovmf_seclabel_in_nvram.cfg
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,34 @@ | ||
| - guest_os_booting.ovmf_seclabel_in_nvram: | ||
| type = ovmf_seclabel_in_nvram | ||
| start_vm = no | ||
| loader_path = "/usr/share/edk2/ovmf/OVMF_CODE.secboot.fd" | ||
| template_path = "/usr/share/edk2/ovmf/OVMF_VARS.secboot.fd" | ||
| os_dict = {'secure': 'yes', 'loader_readonly': 'yes', 'loader_type': 'pflash', 'loader': '${loader_path}'} | ||
| nvram_attrs = {'nvram_attrs': {'template': '${template_path}', 'type': 'file'}} | ||
| nvram_source = {'nvram_source': {'seclabels': [{'label': '%s', 'model': '%s', 'relabel': 'yes'}], 'attrs': {'file': '%s'}}} | ||
| firmware_type = "ovmf" | ||
| func_supported_since_libvirt_ver = (8, 5, 0) | ||
| only q35 | ||
| only x86_64 | ||
| variants: | ||
| - positive_test: | ||
| variants: | ||
| - with_selinux_seclabel: | ||
| seclabel_model = "selinux" | ||
| seclabel_label = "system_u:object_r:svirt_image_t:s0" | ||
| - with_dac_seclabel: | ||
| seclabel_model = "dac" | ||
| seclabel_label = "qemu:qemu" | ||
| - negative_test: | ||
| error_msg = "Could not open .*: Permission denied" | ||
| variants: | ||
| - invalid_selinux_seclabel: | ||
| seclabel_model = "selinux" | ||
| seclabel_label = "unconfined_u:object_r:virt_image_t:s0" | ||
| - invalid_dac_seclabel: | ||
| seclabel_model = "dac" | ||
| seclabel_label = "test:test" | ||
| - with_no_relabel: | ||
| without_label = "yes" | ||
| seclabel_model = "selinux" | ||
| nvram_source = {'nvram_source': {'seclabels': [{'model': '%s', 'relabel': 'no'}], 'attrs': {'file': '%s'}}} |
80 changes: 80 additions & 0 deletions
80
libvirt/tests/src/guest_os_booting/ovmf_firmware/ovmf_seclabel_in_nvram.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,80 @@ | ||
| # Copyright Red Hat | ||
| # SPDX-License-Identifier: GPL-2.0 | ||
| # Author: Meina Li <[email protected]> | ||
|
|
||
| import os | ||
|
|
||
| from avocado.utils import process | ||
|
|
||
| from virttest import libvirt_version | ||
| from virttest import virsh | ||
| from virttest.data_dir import get_data_dir | ||
| from virttest.libvirt_xml import vm_xml | ||
| from provider.guest_os_booting import guest_os_booting_base as guest_os | ||
|
|
||
|
|
||
| def run(test, params, env): | ||
| """ | ||
| This case is to verify the ovmf backed nvram. | ||
| 1) Prepare a guest with related backed nvram elements. | ||
| 2) Start and boot the guest. | ||
| 3) Check the dumpxml and the label if necessary. | ||
| """ | ||
| def compare_guest_xml(vmxml, os_attrs): | ||
| """ | ||
| Compare current xml with the configured values | ||
| :params vmxml: the guest xml | ||
| :params os_attrs: the os attributes dict | ||
| """ | ||
| os_xml = vmxml.os | ||
| current_os_attrs = os_xml.fetch_attrs() | ||
| for key in os_attrs: | ||
| if key in current_os_attrs: | ||
| if os_attrs[key] != current_os_attrs[key]: | ||
| test.fail("Configured os xml value {} doesn't match the" | ||
| " entry {} in guest xml".format(os_attrs[key], current_os_attrs[key])) | ||
| else: | ||
| test.fail("Configured os attributes {} don't existed in guest.".format(key)) | ||
|
|
||
| vm_name = guest_os.get_vm(params) | ||
| firmware_type = params.get("firmware_type") | ||
| nvram_file = os.path.join(get_data_dir(), "test.fd") | ||
| nvram_attrs = eval(params.get("nvram_attrs")) | ||
| os_dict = eval(params.get("os_dict")) | ||
| seclabel_label = params.get("seclabel_label") | ||
| seclabel_model = params.get("seclabel_model") | ||
| error_msg = params.get("error_msg", "") | ||
| without_label = "yes" == params.get("without_label", "no") | ||
| libvirt_version.is_libvirt_feature_supported(params) | ||
|
|
||
| vm = env.get_vm(vm_name) | ||
| vmxml = vm_xml.VMXML.new_from_inactive_dumpxml(vm_name) | ||
| bkxml = vmxml.copy() | ||
|
|
||
| try: | ||
| if without_label: | ||
| nvram_source = eval(params.get("nvram_source") % (seclabel_model, nvram_file)) | ||
| else: | ||
| nvram_source = eval(params.get("nvram_source") % (seclabel_label, seclabel_model, nvram_file)) | ||
| os_attrs = {**os_dict, **nvram_attrs, **nvram_source} | ||
| guest_os.prepare_os_xml(vm_name, os_attrs, firmware_type) | ||
| vmxml = guest_os.check_vm_startup(vm, vm_name, error_msg) | ||
| if error_msg: | ||
| return | ||
| test.log.info("Check the os xml in dumpxml") | ||
| compare_guest_xml(vmxml, os_attrs) | ||
| test.log.info("Check the nvram file label in host") | ||
| label_result = process.run("ls -lZ {}".format(nvram_file)).stdout_text | ||
| if seclabel_model == "dac": | ||
| seclabel_label = seclabel_label.replace(":", " ") | ||
| if seclabel_label in label_result: | ||
| test.log.info("Get expected nvram file label: {}".format(label_result)) | ||
| else: | ||
| test.fail("The nvram file label {} is not expected".format(label_result)) | ||
| finally: | ||
| if vm.is_alive(): | ||
| virsh.destroy(vm_name) | ||
| if os.path.exists(nvram_file): | ||
| os.remove(nvram_file) | ||
| bkxml.sync() |