authorTails developers <amnesia@boum.org>2015-02-11 23:46:35 +0100
committerTails developers <amnesia@boum.org>2015-02-11 23:46:35 +0100
commit689d43a8df18b103cc7e4766ac1dd73c7fe74d32 (patch)
treef6be0455b81f3ca53860ed756e1b9a205cf2b823
parent149aab32fb869bdca06ba3293371f3643ba0a4a2 (diff)
parentcf2095f3a14659b85cd39bcf9f721abb877ac923 (diff)
Merge remote-tracking branch 'origin/devel' into testing
-rw-r--r--config/chroot_local-patches/electrum-persistence.patch29
-rw-r--r--features/checks.feature11
-rw-r--r--features/step_definitions/checks.rb19
3 files changed, 27 insertions, 32 deletions
diff --git a/config/chroot_local-patches/electrum-persistence.patch b/config/chroot_local-patches/electrum-persistence.patch
deleted file mode 100644
index 07b2f63..0000000
--- a/config/chroot_local-patches/electrum-persistence.patch
+++ /dev/null
@@ -1,29 +0,0 @@
---- chroot.orig/usr/share/perl5/Tails/Persistence/Configuration/Button.pm 2014-10-03 08:33:03.131999033 +0000
-+++ chroot/usr/share/perl5/Tails/Persistence/Configuration/Button.pm 2014-10-03 08:36:31.507998939 +0000
-@@ -80,6 +80,7 @@
- $theme->append_search_path('/usr/share/pixmaps/cryptui/48x48');
- $theme->append_search_path('/usr/share/pixmaps/seahorse/48x48');
- $theme->append_search_path('/usr/share/icons/gnome-colors-common/32x32/apps/');
-+ $theme->append_search_path('/usr/share/app-install/icons/');
-
- return $theme;
- }
---- chroot.orig/usr/share/perl5/Tails/Persistence/Configuration/Presets.pm 2014-10-03 08:33:03.131999033 +0000
-+++ chroot/usr/share/perl5/Tails/Persistence/Configuration/Presets.pm 2014-10-03 08:36:31.507998939 +0000
-@@ -135,6 +135,16 @@
- icon_name => 'printer',
- },
- {
-+ name => $self->encoding->decode(gettext(q{Bitcoin client})),
-+ description => $self->encoding->decode(gettext(
-+ q{Electrum's bitcoin wallet and configuration}
-+ )),
-+ destination => '/home/amnesia/.electrum',
-+ options => [ 'source=electrum' ],
-+ enabled => 0,
-+ icon_name => 'electrum',
-+ },
-+ {
- name => $self->encoding->decode(gettext(q{APT Packages})),
- description => $self->encoding->decode(gettext(
- q{Packages downloaded by APT}
diff --git a/features/checks.feature b/features/checks.feature
index aa49ddf..a6ee516 100644
--- a/features/checks.feature
+++ b/features/checks.feature
@@ -41,9 +41,14 @@ Feature: Various checks
And process "vidalia" is running within 30 seconds
Scenario: The 'Tor is ready' notification is shown when Tor has bootstrapped
- Given the network is plugged
- When I see the 'Tor is ready' notification
- Then Tor is ready
+ Given the network is plugged
+ When I see the 'Tor is ready' notification
+ Then Tor is ready
+
+ Scenario: The tor process should be confined with Seccomp
+ Given the network is plugged
+ And Tor is ready
+ Then the running process "tor" is confined with Seccomp in filter mode
Scenario: No unexpected network services
When the network is plugged
diff --git a/features/step_definitions/checks.rb b/features/step_definitions/checks.rb
index ad3fb16..348df8c 100644
--- a/features/step_definitions/checks.rb
+++ b/features/step_definitions/checks.rb
@@ -140,3 +140,22 @@ Then /^some AppArmor profiles are enforced$/ do
assert(@vm.execute("aa-status --enforced").stdout.chomp.to_i > 0,
"No AppArmor profile is enforced")
end
+
+def get_seccomp_status(process)
+ assert(@vm.has_process?(process), "Process #{process} not running.")
+ pid = @vm.pidof(process)[0]
+ status = @vm.file_content("/proc/#{pid}/status")
+ return status.match(/^Seccomp:\s+([0-9])/)[1].chomp.to_i
+end
+
+Then /^the running process "(.+)" is confined with Seccomp in (filter|strict) mode$/ do |process,mode|
+ next if @skip_steps_while_restoring_background
+ status = get_seccomp_status(process)
+ if mode == 'strict'
+ assert_equal(1, status, "#{process} not confined with Seccomp in strict mode")
+ elsif mode == 'filter'
+ assert_equal(2, status, "#{process} not confined with Seccomp in filter mode")
+ else
+ raise "Unsupported mode #{mode} passed"
+ end
+end
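Review bot: In `get_seccomp_status`, `status.match(/^Seccomp:\s+([0-9])/)[1]` raises a NoMethodError on nil whenever the status file has no `Seccomp:` line (for example a kernel built without seccomp support, or the process exiting between `pidof` and the read), so the scenario aborts with an unrelated error instead of reporting that confinement could not be verified. Binding the match first, `m = status.match(/^Seccomp:\s+([0-9])/)` followed by `assert(m, "No Seccomp field in /proc/#{pid}/status")`, and then returning `m[1].to_i` gives a clear failure; the `.chomp` on a single captured digit is redundant. Separately, `@vm.pidof(process)[0]` looks only at the first PID, so if several processes share the name (presumably `pidof` returns all of them) the others are never checked; asserting on every returned PID would make the sandbox check cover each instance.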