Configure apparmor

Daniel A. Wozniak 2025-01-15 01:03:33 -07:00 committed by Daniel Wozniak
parent dc43eba7b7
commit 306bdf8425
5 changed files with 39 additions and 0 deletions


@ -54,6 +54,7 @@ jobs:
linux-dependencies:
name: Linux
if: ${{ toJSON(fromJSON(inputs.matrix)['linux']) != '[]' }}
runs-on:
- ${{ matrix.arch == 'x86_64' && 'ubuntu-latest' || 'linux-arm64' }}
env:
@ -147,6 +148,7 @@ jobs:
macos-dependencies:
name: MacOS
runs-on: ${{ matrix.arch == 'x86_64' && 'macos-13' || 'macos-14' }}
if: ${{ toJSON(fromJSON(inputs.matrix)['macos']) != '[]' }}
timeout-minutes: 90
strategy:
fail-fast: false
@ -234,6 +236,7 @@ jobs:
windows-dependencies:
name: Windows
runs-on: windows-latest
if: ${{ toJSON(fromJSON(inputs.matrix)['windows']) != '[]' }}
env:
USE_S3_CACHE: 'false'
GITHUB_WORKSPACE: 'C:\Windows\Temp\testing'


@ -39,6 +39,7 @@ jobs:
build-deps-linux:
name: Linux
if: ${{ toJSON(fromJSON(inputs.matrix)['linux']) != '[]' }}
runs-on:
- ${{ matrix.arch == 'x86_64' && 'ubuntu-22.04' || 'linux-arm64' }}
strategy:
@ -81,6 +82,7 @@ jobs:
build-deps-macos:
name: macOS
if: ${{ toJSON(fromJSON(inputs.matrix)['macos']) != '[]' }}
strategy:
fail-fast: false
max-parallel: 2
@ -134,6 +136,7 @@ jobs:
build-deps-windows:
name: Windows
if: ${{ toJSON(fromJSON(inputs.matrix)['windows']) != '[]' }}
strategy:
fail-fast: false
max-parallel: 2


@ -52,6 +52,7 @@ jobs:
build-deb-packages:
name: DEB
if: ${{ toJSON(fromJSON(inputs.matrix)['linux']) != '[]' }}
runs-on:
- ${{ matrix.arch == 'x86_64' && 'ubuntu-22.04' || 'linux-arm64' }}
strategy:
@ -144,6 +145,7 @@ jobs:
build-rpm-packages:
name: RPM
if: ${{ toJSON(fromJSON(inputs.matrix)['linux']) != '[]' }}
runs-on:
- ${{ matrix.arch == 'x86_64' && 'ubuntu-22.04' || 'linux-arm64' }}
strategy:
@ -218,6 +220,7 @@ jobs:
build-macos-pkgs:
name: macOS
if: ${{ toJSON(fromJSON(inputs.matrix)['macos']) != '[]' }}
environment: ${{ inputs.environment }}
strategy:
fail-fast: false
@ -332,6 +335,7 @@ jobs:
build-windows-pkgs:
name: Windows
if: ${{ toJSON(fromJSON(inputs.matrix)['windows']) != '[]' }}
environment: ${{ inputs.environment }}
strategy:
fail-fast: false


@ -40,6 +40,7 @@ jobs:
build-salt-linux:
name: Linux
if: ${{ toJSON(fromJSON(inputs.matrix)['linux']) != '[]' }}
env:
USE_S3_CACHE: 'false'
runs-on:
@ -89,6 +90,7 @@ jobs:
build-salt-macos:
name: macOS
if: ${{ toJSON(fromJSON(inputs.matrix)['macos']) != '[]' }}
strategy:
fail-fast: false
max-parallel: 2
@ -147,6 +149,7 @@ jobs:
build-salt-windows:
name: Windows
if: ${{ toJSON(fromJSON(inputs.matrix)['windows']) != '[]' }}
strategy:
fail-fast: false
max-parallel: 2


@ -251,6 +251,32 @@ jobs:
run: |
free -h
- name: Configure apparmor
run: |
# Apparmor's unix-chkpwd profile gets in the way of tests needing to
# authenticate from inside a container.
cat <<'EOF' | sudo tee /etc/apparmor.d/unix-chkpwd
abi <abi/4.0>,
include <tunables/global>
profile unix-chkpwd /{,usr/}{,s}bin/unix_chkpwd flags=(unconfined) {
include <abstractions/base>
include <abstractions/nameservice>
# To write records to the kernel auditing log.
capability audit_write,
network netlink raw,
/{,usr/}{,s}bin/unix_chkpwd mr,
/etc/shadow r,
# systemd userdb, used in nspawn
/run/host/userdb/*.user r,
/run/host/userdb/*.user-privileged r,
# file_inherit
owner /dev/tty[0-9]* rw,
include if exists <local/unix-chkpwd>
}
EOF
sudo systemctl restart apparmor
sudo aa-status
- name: Run Changed Tests
id: run-fast-changed-tests
if: ${{ fromJSON(inputs.testrun)['type'] != 'full' }}
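Review bot: `flags=(unconfined)` on the `profile unix-chkpwd` line turns enforcement off for that binary, so every rule that follows it in the heredoc (`capability audit_write,`, `/etc/shadow r,`, the userdb and tty rules) is kept but no longer restricts anything, which will read as a still-confined profile to the next maintainer. The step comment names the symptom but not the denial; I would record the specific AppArmor denial the tests hit (from `sudo journalctl -k | grep -i apparmor` on a failing run) in that comment, and either keep the profile enforcing with only the extra rule the container case needs, or trim the heredoc to the minimal unconfined stanza so the dead rules do not mislead. The `abi <abi/4.0>` header presumably matches the AppArmor release on the runner image this job uses; if the step also runs on the `ubuntu-22.04` runners used elsewhere in this commit, confirm `apparmor_parser` accepts it there, since a profile that fails to parse would not obviously fail the step. Consider `sudo apparmor_parser -r /etc/apparmor.d/unix-chkpwd` instead of restarting the whole service, followed by `sudo aa-status | grep -q unix-chkpwd` so the step fails loudly when the profile did not load. The enclosing job and its `steps` list begin outside the hunk.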