tests/kola: Add lockdown LSM test

travier · travier · commit c8f236f1bcb9 · 2025-03-10T10:58:42.000+01:00
See: https://bugzilla.redhat.com/show_bug.cgi?id=2333706
diff --git a/tests/kola/security/data/commonlib.sh b/tests/kola/security/data/commonlib.sh
@@ -0,0 +1 @@
+../../data/commonlib.sh
diff --git a/tests/kola/security/lockdown b/tests/kola/security/lockdown
@@ -0,0 +1,27 @@
+#!/bin/bash
+## kola:
+##   exclusive: false
+##   architectures: x86_64 aarch64
+##   description: Verify that the lockdown LSM is set to integrity when booted using Secure Boot
+#
+# See https://bugzilla.redhat.com/show_bug.cgi?id=2333706
+
+set -xeuo pipefail
+
+. $KOLA_EXT_DATA/commonlib.sh
+
+lockdown_state="$(cat "/sys/kernel/security/lockdown")"
+
+if [[ "$(mokutil --sb)" == "SecureBoot enabled" ]]; then
+    if [[ "${lockdown_state}" == "none [integrity] confidentiality" ]]; then
+        ok "lockdown LSM set to integrity on a Secure Boot system"
+    else
+        fatal "lockdown LSM not set to integrity on a Secure Boot system"
+    fi
+else
+    if [[ "${lockdown_state}" == "[none] integrity confidentiality" ]]; then
+        ok "lockdown LSM set to non on a non Secure Boot system"
+    else
+        fatal "lockdown LSM not set to none on a non Secure Boot system"
+    fi
+fi
