diff --git a/base/test/.gitignore b/base/test/.gitignore
deleted file mode 100644
index 474150492..000000000
--- a/base/test/.gitignore
+++ /dev/null
@@ -1,3 +0,0 @@
-etc/ssl
-bin/mksh
-bin/sh
diff --git a/base/test/Dockerfile b/base/test/Dockerfile
deleted file mode 100644
index 9f654f60d..000000000
--- a/base/test/Dockerfile
+++ /dev/null
@@ -1,3 +0,0 @@
-FROM scratch
-COPY . ./
-CMD ["/bin/sh", "/bin/test.sh"]
diff --git a/base/test/Makefile b/base/test/Makefile
deleted file mode 100644
index 2568a4cc4..000000000
--- a/base/test/Makefile
+++ /dev/null
@@ -1,57 +0,0 @@
-MKSH_IMAGE=mobylinux/mksh:b784b685b2c39b9bed4d58a989d06d8f0281b87c@sha256:b3ca9febef294d002894b91e0ce0f794235db73a3024be3cae16d34022913de3
-MKSH_BINARY=bin/mksh
-SH_BINARY=bin/sh
-
-CACERT_IMAGE=mobylinux/ca-certificates:e091a05fbf7c5e16f18b23602febd45dd690ba2f@sha256:a4e217ab2036bc128dc57a639a25fd285dbd68c47f9a46a91f1a9afab2bab3d3
-CACERT_FILE=etc/ssl/certs/ca-certificates.crt
-
-TEST_SCRIPT=bin/test.sh
-MOBY_WHALE=etc/moby
-
-.PHONY: tag push clean container
-default: push
-
-$(MKSH_BINARY):
- mkdir -p $(dir $@)
- docker run --rm --net=none $(MKSH_IMAGE) tar cf - $@ | tar xf -
-
-$(SH_BINARY): $(MKSH_BINARY)
- mv $(MKSH_BINARY) $(SH_BINARY)
-
-$(CACERT_FILE):
- mkdir -p $(dir $@)
- docker run --rm --net=none $(CACERT_IMAGE) tar cf - $@ | tar xf -
-
-SHA_IMAGE=alpine:3.5@sha256:dfbd4a3a8ebca874ebd2474f044a0b33600d4523d03b0df76e5c5986cb02d7e8
-
-IMAGE=test
-
-DIRS=dev proc sys
-$(DIRS):
- mkdir -p $@
-
-DEPS=$(DIRS) $(SH_BINARY) $(CACERT_FILE) $(TEST_SCRIPT) $(MOBY_WHALE)
-
-container: Dockerfile $(DEPS)
- tar cf - $^ | docker build --no-cache -t $(IMAGE):build -
-
-hash: Dockerfile $(DEPS)
- find $^ -type f | xargs cat | docker run --rm -i $(SHA_IMAGE) sha1sum - | sed 's/ .*//' > hash
-
-push: hash container
- docker pull mobylinux/$(IMAGE):$(shell cat hash) || \
- (docker tag $(IMAGE):build mobylinux/$(IMAGE):$(shell cat hash) && \
- docker push mobylinux/$(IMAGE):$(shell cat hash))
- docker rmi $(IMAGE):build
- rm -f hash
-
-tag: hash container
- docker pull mobylinux/$(IMAGE):$(shell cat hash) || \
- docker tag $(IMAGE):build mobylinux/$(IMAGE):$(shell cat hash)
- docker rmi $(IMAGE):build
- rm -f hash
-
-clean:
- rm -rf hash $(DIRS) $(MKSH_BINARY) etc/ssl
-
-.DELETE_ON_ERROR:
diff --git a/base/test/bin/test.sh b/base/test/bin/test.sh
deleted file mode 100755
index 699785c66..000000000
--- a/base/test/bin/test.sh
+++ /dev/null
@@ -1,15 +0,0 @@
-#!/bin/sh
-
-set -ex
-
-docker version
-docker info
-docker ps
-DOCKER_CONTENT_TRUST=1 docker pull alpine:3.5
-docker run --rm alpine true
-docker pull armhf/alpine
-docker run --rm armhf/alpine uname -a
-docker swarm init
-docker run mobylinux/check-config:dc29b05bb5cca871f83421e4c4aaa8f5d3c682f4@sha256:5dcdf0e3386ed506a28a59191eaa1ea48261e15199fcbbe8caf8dc1889405b2d
-docker run mobylinux/check-kernel-config:3d64e3ddd9315bdc1e82ea652ea27c8b149be5d3@sha256:450c641e045b346e11f3e892d31d0bd9a94874e0129be4715d3741f252439140
-cat /etc/moby
diff --git a/base/test/etc/moby b/base/test/etc/moby
deleted file mode 100644
index bcb34ed49..000000000
--- a/base/test/etc/moby
+++ /dev/null
@@ -1,10 +0,0 @@
-
- ## .
- ## ## ## ==
- ## ## ## ## ## ===
- /"""""""""""""""""\___/ ===
- ~~~ {~~ ~~~~ ~~~ ~~~~ ~~~ ~ / ===- ~~~
- \______ o __/
- \ \ __/
- \____\_______/
-
diff --git a/tools/check-config/Dockerfile b/tools/check-config/Dockerfile
deleted file mode 100644
index e7401a738..000000000
--- a/tools/check-config/Dockerfile
+++ /dev/null
@@ -1,4 +0,0 @@
-FROM alpine:3.5
-RUN apk update && apk upgrade && apk add --no-cache bash
-ADD https://raw.githubusercontent.com/docker/docker/master/contrib/check-config.sh /usr/bin/check-config.sh
-ENTRYPOINT ["/bin/bash", "/usr/bin/check-config.sh"]
diff --git a/tools/check-config/Makefile b/tools/check-config/Makefile
deleted file mode 100644
index 52e71e652..000000000
--- a/tools/check-config/Makefile
+++ /dev/null
@@ -1,29 +0,0 @@
-.PHONY: tag push
-
-BASE=alpine:3.5
-IMAGE=check-config
-
-default: push
-
-hash:
- DOCKER_CONTENT_TRUST=1 docker pull $(BASE)
- tar cf - Dockerfile | docker build --no-cache -t $(IMAGE):build -
- docker run --rm --entrypoint=/bin/sh $(IMAGE):build -c 'cat /usr/bin/check-config.sh /lib/apk/db/installed | sha1sum' | sed 's/ .*//' > hash
-
-push: hash
- docker pull mobylinux/$(IMAGE):$(shell cat hash) || \
- (docker tag $(IMAGE):build mobylinux/$(IMAGE):$(shell cat hash) && \
- docker push mobylinux/$(IMAGE):$(shell cat hash))
- docker rmi $(IMAGE):build
- rm -f hash
-
-tag: hash
- docker pull mobylinux/$(IMAGE):$(shell cat hash) || \
- docker tag $(IMAGE):build mobylinux/$(IMAGE):$(shell cat hash)
- docker rmi $(IMAGE):build
- rm -f hash
-
-clean:
- rm -f hash
-
-.DELETE_ON_ERROR:
diff --git a/tools/check-kernel-config/Dockerfile b/tools/check-kernel-config/Dockerfile
deleted file mode 100644
index f50375306..000000000
--- a/tools/check-kernel-config/Dockerfile
+++ /dev/null
@@ -1,3 +0,0 @@
-FROM alpine:3.5
-ADD check-kernel-config.sh /usr/bin/check-kernel-config.sh
-ENTRYPOINT ["/bin/sh", "/usr/bin/check-kernel-config.sh"]
diff --git a/tools/check-kernel-config/Makefile b/tools/check-kernel-config/Makefile
deleted file mode 100644
index 94c5503f8..000000000
--- a/tools/check-kernel-config/Makefile
+++ /dev/null
@@ -1,29 +0,0 @@
-.PHONY: tag push
-
-BASE=alpine:3.5
-IMAGE=check-kernel-config
-
-default: push
-
-hash: Dockerfile check-kernel-config.sh
- DOCKER_CONTENT_TRUST=1 docker pull $(BASE)
- tar cf - $^ | docker build --no-cache -t $(IMAGE):build -
- docker run --rm --entrypoint=/bin/sh $(IMAGE):build -c 'cat /usr/bin/check-kernel-config.sh /lib/apk/db/installed | sha1sum' | sed 's/ .*//' > hash
-
-push: hash
- docker pull mobylinux/$(IMAGE):$(shell cat hash) || \
- (docker tag $(IMAGE):build mobylinux/$(IMAGE):$(shell cat hash) && \
- docker push mobylinux/$(IMAGE):$(shell cat hash))
- docker rmi $(IMAGE):build
- rm -f hash
-
-tag: hash
- docker pull mobylinux/$(IMAGE):$(shell cat hash) || \
- docker tag $(IMAGE):build mobylinux/$(IMAGE):$(shell cat hash)
- docker rmi $(IMAGE):build
- rm -f hash
-
-clean:
- rm -f hash
-
-.DELETE_ON_ERROR:
diff --git a/tools/check-kernel-config/check-kernel-config.sh b/tools/check-kernel-config/check-kernel-config.sh
deleted file mode 100755
index 64bc89e45..000000000
--- a/tools/check-kernel-config/check-kernel-config.sh
+++ /dev/null
@@ -1,70 +0,0 @@
-#!/bin/sh
-
-set -e
-
-echo "starting kernel config sanity test with /proc/config.gz"
-
-# decompress /proc/config.gz from the Moby host
-zcat /proc/config.gz > unzipped_config
-
-kernelVersion="$(uname -r)"
-kernelMajor="${kernelVersion%%.*}"
-kernelMinor="${kernelVersion#$kernelMajor.}"
-kernelMinor="${kernelMinor%%.*}"
-
-# Most tests against https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project
-# Positive cases
-cat unzipped_config | grep CONFIG_BUG=y
-cat unzipped_config | grep CONFIG_DEBUG_KERNEL=y
-cat unzipped_config | grep CONFIG_DEBUG_RODATA=y
-cat unzipped_config | grep CONFIG_CC_STACKPROTECTOR=y
-cat unzipped_config | grep CONFIG_CC_STACKPROTECTOR_STRONG=y
-cat unzipped_config | grep CONFIG_STRICT_DEVMEM=y
-cat unzipped_config | grep CONFIG_SYN_COOKIES=y
-cat unzipped_config | grep CONFIG_DEBUG_CREDENTIALS=y
-cat unzipped_config | grep CONFIG_DEBUG_NOTIFIERS=y
-cat unzipped_config | grep CONFIG_DEBUG_LIST=y
-cat unzipped_config | grep CONFIG_SECCOMP=y
-cat unzipped_config | grep CONFIG_SECCOMP_FILTER=y
-cat unzipped_config | grep CONFIG_SECURITY=y
-cat unzipped_config | grep CONFIG_SECURITY_YAMA=y
-cat unzipped_config | grep CONFIG_PANIC_ON_OOPS=y
-cat unzipped_config | grep CONFIG_DEBUG_SET_MODULE_RONX=y
-cat unzipped_config | grep CONFIG_SYN_COOKIES=y
-cat unzipped_config | grep CONFIG_LEGACY_VSYSCALL_NONE=y
-cat unzipped_config | grep CONFIG_RANDOMIZE_BASE=y
-
-# Conditional on kernel version
-if [ "$kernelMajor" -ge 4 -a "$kernelMinor" -ge 5 ]; then
- cat unzipped_config | grep CONFIG_IO_STRICT_DEVMEM=y
- cat unzipped_config | grep CONFIG_UBSAN=y
-fi
-if [ "$kernelMajor" -ge 4 -a "$kernelMinor" -ge 7 ]; then
- cat unzipped_config | grep CONFIG_SLAB_FREELIST_RANDOM=y
-fi
-if [ "$kernelMajor" -ge 4 -a "$kernelMinor" -ge 8 ]; then
- cat unzipped_config | grep CONFIG_HARDENED_USERCOPY=y
- cat unzipped_config | grep CONFIG_RANDOMIZE_MEMORY=y
-fi
-
-# poisoning cannot be enabled in 4.4
-if [ "$kernelMajor" -ge 4 -a "$kernelMinor" -ge 9 ]; then
- cat unzipped_config | grep CONFIG_PAGE_POISONING=y
- cat unzipped_config | grep CONFIG_PAGE_POISONING_NO_SANITY=y
- cat unzipped_config | grep CONFIG_PAGE_POISONING_ZERO=y
-fi
-
-if [ "$kernelMajor" -ge 4 -a "$kernelMinor" -ge 10 ]; then
- cat unzipped_config | grep CONFIG_BUG_ON_DATA_CORRUPTION=y
-fi
-
-# Negative cases
-cat unzipped_config | grep 'CONFIG_ACPI_CUSTOM_METHOD is not set'
-cat unzipped_config | grep 'CONFIG_COMPAT_BRK is not set'
-cat unzipped_config | grep 'CONFIG_DEVKMEM is not set'
-cat unzipped_config | grep 'CONFIG_COMPAT_VDSO is not set'
-cat unzipped_config | grep 'CONFIG_KEXEC is not set'
-cat unzipped_config | grep 'CONFIG_HIBERNATION is not set'
-cat unzipped_config | grep 'CONFIG_LEGACY_PTYS is not set'
-cat unzipped_config | grep 'CONFIG_X86_X32 is not set'
-cat unzipped_config | grep 'CONFIG_MODIFY_LDT_SYSCALL is not set'