Don't use zgrep in check-config if apparmor profile is enforced #7939

Merged
merged 2 commits into from
Jul 12, 2023

@dereknola dereknola commented Jul 10, 2023

Signed-off-by: Derek Nola derek.nola@suse.com

Proposed Changes

Bypass zgrep on openSUSE 15.4+, with an AppArmor profile for zgrep due to CVE-2022-1271.

Types of Changes

Verification

  1. Set up an openSUSE Leap VM (just use the tests/e2e/validatecluster) and call:
    E2E_NODE_BOXES="opensuse/Leap-15.4.x86_64" vagrant up server-0 --no-provision
  2. Run `zypper in apparmor-utils apparmor-parser apparmor-profiles`
  3. Run `aa-enforce zgrep`
  4. Install K3s
  5. Run `k3s check-config`

Check config should pass with no issues.

Testing

Linked Issues

#6278

User-Facing Change


Further Comments

Signed-off-by: Derek Nola <derek.nola@suse.com>
@dereknola dereknola requested a review from a team as a code owner July 10, 2023 21:27
Signed-off-by: Derek Nola <derek.nola@suse.com>
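
The fallback named in the title, as an added example that is not the code merged in this pull request: a POSIX shell helper that checks whether an AppArmor profile named `zgrep` is in enforce mode and, if so, decompresses with `gzip` and searches with plain `grep`. The function names, the `AA_PROFILES` override and the use of the kernel's loaded-profile listing to detect enforcement are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the k3s check-config code).
# Assumption: the kernel lists loaded profiles, one "<name> (<mode>)" per line,
# in this file; the path is overridable so the logic can be exercised offline.
AA_PROFILES="${AA_PROFILES:-/sys/kernel/security/apparmor/profiles}"

# aa_enforced NAME: succeed only if a loaded profile called exactly NAME
# is in enforce mode (complain mode or an unreadable file means "not enforced").
aa_enforced() {
    [ -r "$AA_PROFILES" ] || return 1
    grep -Fxq -- "$1 (enforce)" "$AA_PROFILES"
}

# config_grep PATTERN FILE: search a kernel config that may be gzip-compressed.
config_grep() {
    if aa_enforced zgrep; then
        # zgrep is confined: decompress here and hand the stream to plain grep.
        if gzip -t -- "$2" 2>/dev/null; then
            gzip -dc -- "$2" | grep -E -- "$1"
        else
            grep -E -- "$1" "$2"
        fi
    else
        zgrep -E -- "$1" "$2"
    fi
}

# is_set OPTION FILE: true when CONFIG_OPTION is built in (y) or a module (m).
is_set() {
    config_grep "^CONFIG_$1=[ym]" "$2" >/dev/null
}
```

Matching the whole line with `grep -Fx` keeps a profile such as `xzgrep (enforce)` or `zgrep (complain)` from triggering the fallback.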
codecov bot commented Jul 11, 2023

Codecov Report

Patch coverage has no change and project coverage change: +4.46 🎉

Comparison is base (2eddfe6) 46.95% compared to head (69115be) 51.42%.

Additional details and impacted files
@@            Coverage Diff             @@
##           master    #7939      +/-   ##
==========================================
+ Coverage   46.95%   51.42%   +4.46%     
==========================================
  Files         143      143              
  Lines       14560    14564       +4     
==========================================
+ Hits         6837     7489     +652     
+ Misses       6628     5890     -738     
- Partials     1095     1185      +90     
| Flag | Coverage Δ |
| --- | --- |
| e2etests | 49.24% <ø> (?) |
| inttests | 44.42% <ø> (+0.09%) ⬆️ |
| unittests | 19.85% <ø> (+<0.01%) ⬆️ |

see 42 files with indirect coverage changes


@dereknola dereknola merged commit 3eb4e12 into k3s-io:master Jul 12, 2023
6 checks passed
dereknola added a commit to dereknola/k3s that referenced this pull request Jul 12, 2023
…s-io#7939)

* Don't use zgrep if apparmor is enforced for it

* Bump e2e se timeouts for reencryption time

Signed-off-by: Derek Nola <derek.nola@suse.com>
@dereknola dereknola deleted the zgrep_bypass branch July 18, 2023 18:39
@dereknola dereknola changed the title Don't use zgrep in check-config if apparmor porfile is enforced Don't use zgrep in check-config if apparmor profile is enforced Oct 12, 2023