diff --git a/dom0/sd-export.sls b/dom0/sd-export.sls
index 36ff844e..73169aef 100644
--- a/dom0/sd-export.sls
+++ b/dom0/sd-export.sls
@@ -32,6 +32,9 @@ sd-export-usb-dvm:
 - tags:
 - add:
 - sd-workstation
+ - features:
+ - enable:
+ - service.paxctld
 - require:
 - qvm: sd-export-template
diff --git a/dom0/sd-svs-disp-files.sls b/dom0/sd-svs-disp-files.sls
index 184a9967..9d418cd4 100644
--- a/dom0/sd-svs-disp-files.sls
+++ b/dom0/sd-svs-disp-files.sls
@@ -19,3 +19,11 @@ sd-svs-disp-install-mimetype-handler-package:
 - securedrop-workstation-svs-disp
 - require:
 - sls: fpf-apt-test-repo
+
+sd-svs-disp-install-libreoffice:
+ pkg.installed:
+ - name: libreoffice
+ - retry:
+ attempts: 3
+ interval: 60
+ - install_recommends: False
diff --git a/dom0/sd-svs-disp.sls b/dom0/sd-svs-disp.sls
index 2f67cf5a..e8eecca9 100644
--- a/dom0/sd-svs-disp.sls
+++ b/dom0/sd-svs-disp.sls
@@ -36,5 +36,8 @@ sd-svs-disp:
 - add:
 - sd-workstation
 - sd-svs-disp-vm
+ - features:
+ - enable:
+ - service.paxctld
 - require:
 - qvm: sd-svs-disp-template
diff --git a/dom0/sd-svs.sls b/dom0/sd-svs.sls
index 364ad1cd..648a1f1a 100644
--- a/dom0/sd-svs.sls
+++ b/dom0/sd-svs.sls
@@ -34,6 +34,9 @@ sd-svs:
 - tags:
 - add:
 - sd-workstation
+ - features:
+ - enable:
+ - service.paxctld
 - require:
 - qvm: sd-svs-template
diff --git a/dom0/sd-workstation-template-files.sls b/dom0/sd-workstation-template-files.sls
index 20cd9a0d..70efef85 100644
--- a/dom0/sd-workstation-template-files.sls
+++ b/dom0/sd-workstation-template-files.sls
@@ -10,3 +10,13 @@ sd-workstation-template-install-kernel-config-packages:
 - securedrop-workstation-grsec
 - require:
 - sls: fpf-apt-test-repo
+
+# Ensure that paxctld starts immediately. For AppVMs,
+# use qvm.features.enabled = ["paxctld"] to ensure service start.
+sd-workstation-template-enable-paxctld:
+ service.running:
+ - name: paxctld
+ - enable: True
+ - reload: True
+ - require:
+ - pkg: sd-workstation-template-install-kernel-config-packages
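Review bot: The new `service.paxctld` feature on sd-export-usb-dvm in dom0/sd-export.sls has no matching check in the visible test changes, since tests/test_vms_exist.py adds `self._check_service_running(vm, "paxctld")` only for sd-svs, sd-svs-disp and sd-workstation-template. If the export VM has a config test elsewhere, the same call belongs there; otherwise a later edit that drops the feature from this VM would go unnoticed. The identical three lines in dom0/sd-svs-disp.sls, dom0/sd-svs.sls and dom0/sd-workstation-template.sls would also benefit from a one-line comment such as `# AppVMs only start paxctld when the service feature is enabled`, because the reason is currently explained only in sd-workstation-template-files.sls.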
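Review bot: The `sd-svs-disp-install-libreoffice` state in dom0/sd-svs-disp-files.sls installs the `libreoffice` metapackage, which on Debian depends on the whole suite rather than only the components needed to view documents. The VM name and the mimetype-handler package suggest this VM opens received files, so listing just the required components under `pkgs:` (for example `libreoffice-writer`, `libreoffice-calc`, `libreoffice-impress`) would keep the set of installed document parsers smaller. Which formats must be supported is not visible here, so treat that list as a starting point. A short comment stating why the `retry` block (3 attempts, 60 seconds apart) is needed would also help the next maintainer.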
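Review bot: The comment above `sd-workstation-template-enable-paxctld` in dom0/sd-workstation-template-files.sls tells readers to use `qvm.features.enabled = ["paxctld"]`, but the states added in this same commit spell it `features:` / `enable:` / `service.paxctld`. Someone copying the comment would set a feature with a different name from the one the other files use, so I would reword it to `# For AppVMs, add service.paxctld under "features: enable:" in the qvm state.` Separately, `reload: True` appears to matter only when a `watch` requisite triggers the state, and none is visible here, so it could be dropped or explained in a comment.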
diff --git a/dom0/sd-workstation-template.sls b/dom0/sd-workstation-template.sls
index 59b373d5..16a14fdf 100644
--- a/dom0/sd-workstation-template.sls
+++ b/dom0/sd-workstation-template.sls
@@ -14,5 +14,8 @@ sd-workstation-template:
 - tags:
 - add:
 - sd-workstation
+ - features:
+ - enable:
+ - service.paxctld
 - require:
 - pkg: dom0-install-securedrop-workstation-template
diff --git a/tests/test_svs.py b/tests/test_svs.py
index 9ba186b1..61133469 100644
--- a/tests/test_svs.py
+++ b/tests/test_svs.py
@@ -27,16 +27,6 @@ def test_sd_client_package_installed(self):
 self.assertTrue(self._package_is_installed("securedrop-client"))
-class SD_SVS_Disp_Tests(SD_VM_Local_Test):
- def setUp(self):
- self.vm_name = "sd-svs-disp"
- super(SD_SVS_Disp_Tests, self).setUp()
-
- def test_sd_client_package_installed(self):
- pkg = "securedrop-workstation-svs-disp"
- self.assertTrue(self._package_is_installed(pkg))
-
-
 def load_tests(loader, tests, pattern):
 suite = unittest.TestLoader().loadTestsFromTestCase(SD_SVS_Tests)
 return suite
diff --git a/tests/test_svs_disp.py b/tests/test_svs_disp.py
new file mode 100644
index 00000000..fd8edbfe
--- /dev/null
+++ b/tests/test_svs_disp.py
@@ -0,0 +1,21 @@
+import unittest
+
+from base import SD_VM_Local_Test
+
+
+class SD_SVS_Disp_Tests(SD_VM_Local_Test):
+ def setUp(self):
+ self.vm_name = "sd-svs-disp"
+ super(SD_SVS_Disp_Tests, self).setUp()
+
+ def test_sd_svs_disp_config_package_installed(self):
+ pkg = "securedrop-workstation-svs-disp"
+ self.assertTrue(self._package_is_installed(pkg))
+
+ def test_sd_svs_disp_libreoffice_installed(self):
+ self.assertTrue(self._package_is_installed("libreoffice"))
+
+
+def load_tests(loader, tests, pattern):
+ suite = unittest.TestLoader().loadTestsFromTestCase(SD_SVS_Disp_Tests)
+ return suite
diff --git a/tests/test_vms_exist.py b/tests/test_vms_exist.py
index b246b712..0e8692c2 100644
--- a/tests/test_vms_exist.py
+++ b/tests/test_vms_exist.py
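Review bot: `load_tests` in the new tests/test_svs_disp.py ignores the `loader` argument that unittest passes in and builds a second `unittest.TestLoader()` instead. `return loader.loadTestsFromTestCase(SD_SVS_Disp_Tests)` does the same job in one line and respects a caller-supplied loader. The helper in tests/test_svs.py, visible as context in the previous hunk, has the same shape, so the two could be changed together. A one-line module docstring naming the VM under test would also help now that each VM has its own test file.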
@@ -33,6 +33,16 @@ def _check_kernel(self, vm):
 assert kernel_version.endswith("-grsec")
 assert kernel_version == EXPECTED_KERNEL_VERSION
+ def _check_service_running(self, vm, service):
+ """
+ Ensures a given service is running inside a given VM.
+ Uses systemctl is-active to query the service state.
+ """
+ cmd = "systemctl is-active {}".format(service)
+ stdout, stderr = vm.run(cmd)
+ service_status = stdout.decode("utf-8").rstrip()
+ assert service_status == "active"
+
 def test_sd_whonix_config(self):
 vm = self.app.domains["sd-whonix"]
 nvm = vm.netvm
@@ -65,6 +75,7 @@ def test_sd_svs_config(self):
 self.assertFalse(vm.provides_network)
 self.assertFalse(vm.template_for_dispvms)
 self._check_kernel(vm)
+ self._check_service_running(vm, "paxctld")
 self.assertTrue('sd-workstation' in vm.tags)
 def test_sd_svs_disp_config(self):
@@ -75,6 +86,7 @@ def test_sd_svs_disp_config(self):
 self.assertFalse(vm.provides_network)
 self.assertTrue(vm.template_for_dispvms)
 self._check_kernel(vm)
+ self._check_service_running(vm, "paxctld")
 self.assertTrue('sd-workstation' in vm.tags)
 def test_sd_gpg_config(self):
@@ -97,6 +109,7 @@ def test_sd_workstation_template(self):
 self.assertTrue(vm.kernel == "")
 self.assertTrue('sd-workstation' in vm.tags)
 self._check_kernel(vm)
+ self._check_service_running(vm, "paxctld")
 def test_sd_proxy_template(self):
 vm = self.app.domains["sd-proxy-template"]
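Review bot: `_check_service_running` in the first hunk of tests/test_vms_exist.py ends in a bare `assert service_status == "active"`, so a failure names neither the service nor the VM. `systemctl is-active` exits non-zero for any state other than active, so depending on how `vm.run` treats a non-zero exit (not visible in this diff) a stopped service may surface as an exception from `vm.run` before the assert is reached; the docstring should say which of the two a caller will see. I would change the last line to `self.assertEqual(service_status, "active", "{} is not active in {}".format(service, vm.name))`, assuming the VM object exposes `name`. The `service` value is interpolated into a command string unquoted; every call in this diff passes the literal "paxctld", but quoting it would keep the helper safe for future callers. The neighbouring `_check_kernel` uses the same bare-assert style, so the two are best changed together.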