From bcefbbba84d162b3078a5e0d08ac47026d4a766b Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Tue, 21 Jan 2025 12:01:14 -0500
Subject: [PATCH] Disable unix-chkpwd AppArmor profile
This is necessary when running Molecule tests against Fedora 40 and 41; otherwise, the privileged container cannot successfully sudo and hence Ansible is unable to do anything. Note that this change is reverted after the Molecule tests are run. For now, disabling the unix-chkpwd AppArmor profile also requires an apt-get purge of the firefox and passt packages. It should be possible to remove this purge (and the ensuing systemctl reload apparmor.service) at a future date. See cisagov/skeleton-ansible-role#215 for more details.
---
 .github/workflows/build.yml | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index a30b335..bfa1595 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -238,11 +238,43 @@ jobs:
 uses: docker/setup-qemu-action@v3
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@v3
+ # Disabling the unix-chkpwd AppArmor profile is necessary when
+ # running Molecule tests against Fedora 40 and 41; otherwise,
+ # the privileged container cannot successfully run sudo and
+ # hence Ansible is unable to do anything. See
+ # fedora-cloud/docker-brew-fedora#117 for more details.
+ #
+ # Purging firefox is currently necessary because the
+ # installation available on the GitHub runner instance provides
+ # two conflicting AppArmor profiles:
+ # /etc/apparmor.d/usr.bin.firefox and /etc/apparmor.d/firefox.
+ # This conflict causes the aa-disable /usr/sbin/unix_chkpwd`
+ # command to fail.
+ #
+ # Purging passt is currently necessary because the installation
+ # available on the GitHub runner instance contains a wonky
+ # AppArmor file (/etc/apparmor.d/abstractions/passt) that causes
+ # the aa-disable command to fail.
+ #
+ # TODO: Remove the apt-get purge and systemctl reload commands
+ # when possible. See cisagov/skeleton-ansible-role#215 for more
+ # details.
+ - name: Disable unix-chkpwd AppArmor profile
+ run: |
+ sudo apt-get purge firefox passt
+ sudo systemctl reload apparmor.service
+ sudo apt-get install apparmor-utils
+ sudo aa-disable /usr/sbin/unix_chkpwd
+ if: ${{ startsWith(matrix.platform, 'fedora') }}
 - name: Run molecule tests
 run: >-
 molecule test
 --platform-name ${{ matrix.platform }}-${{ matrix.architecture }}
 --scenario-name ${{ matrix.scenario }}
+ - name: Re-enable unix-chkpwd AppArmor profile
+ run: >-
+ sudo aa-enforce /usr/sbin/unix_chkpwd
+ if: ${{ startsWith(matrix.platform, 'fedora') }}
 - name: Setup tmate debug session
 uses: mxschmitt/action-tmate@v3
 if: env.RUN_TMATE
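Review bot: The `Re-enable unix-chkpwd AppArmor profile` step's `if:` has no status function, so GitHub applies the implicit `success()` and the revert is skipped whenever the Molecule step fails, leaving `unix_chkpwd` unconfined on the runner for the rest of the job; the commit message's "reverted after the Molecule tests are run" therefore only holds on the success path. Change the condition to `if: ${{ !cancelled() && startsWith(matrix.platform, 'fedora') }}` so the profile is put back into enforce mode regardless of the test outcome (`always()` would additionally run it on a cancelled job). On a GitHub-hosted runner the exposure ends when the VM is discarded, but on a self-hosted runner it would persist across jobs, and that assumption is worth a line in the comment block. The `apt-get purge` and `apt-get install` invocations lack `-y`, so they depend on apt never needing confirmation for extra package changes; `sudo apt-get purge -y firefox passt` and `sudo apt-get install -y apparmor-utils` make the non-interactive intent explicit. Minor: the comment line `# This conflict causes the aa-disable /usr/sbin/unix_chkpwd` command` has an unmatched backtick.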