Re: [PATCH ima-evm-utils] Experimental fsverity.test related GA CI improvements

Hi Vitaly,

On Thu, 2022-12-01 at 03:26 +0300, Vitaly Chikunov wrote:
> From: Mimi Zohar <zohar@xxxxxxxxxxxxx>
> 
> This does not make fsverity.test working on GA CI, though.
> 
> - `--device /dev/loop-control' is required for losetup(8) to work.
> - `--privileged' is required for mount(8) to work, and this makes
>   `--security-opt seccomp=unconfined' redundant.
> - GA container does not have `/sys/kernel/security' mounted which is
>   needed for `/sys/kernel/security/integrity/ima/policy'.
> - Enable `set -x` in CI as the logs are everything we have to analyze on
>   failures.
> 

Agreed, even with these changes the fsverity test will not be executed,
but skipped.

However, the reason for them being skipped is totally different than
prior to this patch.  Once the distros have enabled both fsverity
support and are running a recent enough kernel with IMA support for
fsverity, the fsverity test should succeed.

So the problem isn't the GitHub actions architecture or the fsverity
test itself, but the lack of IMA kernel support for it.  In addition to
the ima-evm-utils distro tests, there needs to be a way for testing new
kernel integrity features.  Roberto's proposed ima-evm-utils UML patch
set downloads and uses a UML kernel for this purpose.

Unless someone can recommend a better alternative, a single UML
"distro" test could be defined and would be executed if a UML kernel is
supplied.  Additional UML tests could be specified.

thanks,

Mimi
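
An added example, not part of the thread above nor of ima-evm-utils: a small POSIX sh pre-flight script that turns the prerequisites listed in the quoted message (a usable `/dev/loop-control`, securityfs mounted so that `/sys/kernel/security/integrity/ima/policy` is reachable) into explicit checks, so a CI log shows why the fsverity test is skipped rather than silently passing over it. The optional root-prefix argument on each function and the function names are assumptions made for this example so that the checks can be exercised against a constructed directory tree; the mount command is the standard way to mount securityfs and, as the quoted message notes, needs a container started with `--privileged`.

```shell
#!/bin/sh
# Added example (hypothetical helper names): pre-flight checks for the
# ima-evm-utils fsverity test in a CI container.  Every function takes an
# optional root prefix (default: the real filesystem) so the logic can be
# tested against a constructed directory tree.

# 0 if losetup(8) has a loop control device to talk to.
has_loop_control() {
  root="${1:-}"
  [ -e "$root/dev/loop-control" ]
}

# 0 if securityfs is mounted and exposes the IMA policy interface the test
# needs for loading its policy rules.
has_ima_policy() {
  root="${1:-}"
  [ -e "$root/sys/kernel/security/integrity/ima/policy" ]
}

# Mounts securityfs at its standard location when the IMA policy interface is
# not yet visible.  Requires root inside a --privileged container; returns the
# exit status of mount(8) so a CI step can fail loudly instead of skipping.
mount_securityfs() {
  has_ima_policy "" && return 0
  mount -t securityfs securityfs /sys/kernel/security
}

# Prints "ok" when all prerequisites are met, otherwise "skip:" followed by
# the missing items, and returns non-zero so the caller can record a skip.
fsverity_ci_preflight() {
  root="${1:-}"
  missing=""
  has_loop_control "$root" || missing="$missing loop-control"
  has_ima_policy "$root" || missing="$missing ima-policy"
  if [ -n "$missing" ]; then
    echo "skip:$missing"
    return 1
  fi
  echo "ok"
  return 0
}
```

Calling `fsverity_ci_preflight` (with no argument) at the start of the CI job, under `set -x`, records in the log which of the two prerequisites is absent; this distinguishes a container that was started without `--device /dev/loop-control` or `--privileged` from a distro kernel that simply lacks IMA support for fsverity.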