Removes paxtest after test run

We don't install it by default, and it's only useful in QA, so let's have the test-only dependency automatically cleaned up after install.
freedomofpress · Mar 17, 2021 · b7e051c · b7e051c
1 parent 8f79af7
commit b7e051c
Showing 1 changed file with 29 additions and 26 deletions.
diff --git a/molecule/testinfra/common/test_grsecurity.py b/molecule/testinfra/common/test_grsecurity.py
@@ -114,32 +114,35 @@ def test_grsecurity_paxtest(host):
         warnings.warn("Installing paxtest to run kernel tests")
         with host.sudo():
             host.run("apt-get install -y paxtest")
-    with host.sudo():
-        # Log to /tmp to avoid cluttering up /root.
-        paxtest_cmd = "paxtest blackhat /tmp/paxtest.log"
-        # Select only predictably formatted lines; omit
-        # the guesses, since the number of bits can vary
-        paxtest_cmd += " | grep -P '^(Executable|Return)'"
-        paxtest_results = host.check_output(paxtest_cmd)
-
-    paxtest_template_path = "{}/paxtest_results.j2".format(
-        os.path.dirname(os.path.abspath(__file__)))
-
-    memcpy_result = "Killed"
-    # Versions of paxtest newer than 0.9.12 or so will report
-    # "Vulnerable" on memcpy tests, see details in
-    # https://github.com/freedomofpress/securedrop/issues/1039
-    if host.system_info.codename == "focal":
-        memcpy_result = "Vulnerable"
-    with io.open(paxtest_template_path, 'r') as f:
-        paxtest_template = Template(f.read().rstrip())
-        paxtest_expected = paxtest_template.render(memcpy_result=memcpy_result)
-
-    # The stdout prints here will only be displayed if the test fails
-    for paxtest_diff in difflib.context_diff(paxtest_expected.split('\n'),
-                                             paxtest_results.split('\n')):
-        print(paxtest_diff)
-    assert paxtest_results == paxtest_expected
+    try:
+        with host.sudo():
+            # Log to /tmp to avoid cluttering up /root.
+            paxtest_cmd = "paxtest blackhat /tmp/paxtest.log"
+            # Select only predictably formatted lines; omit
+            # the guesses, since the number of bits can vary
+            paxtest_cmd += " | grep -P '^(Executable|Return)'"
+            paxtest_results = host.check_output(paxtest_cmd)
+
+        paxtest_template_path = "{}/paxtest_results.j2".format(
+            os.path.dirname(os.path.abspath(__file__)))
+
+        memcpy_result = "Killed"
+        # Versions of paxtest newer than 0.9.12 or so will report
+        # "Vulnerable" on memcpy tests, see details in
+        # https://github.com/freedomofpress/securedrop/issues/1039
+        if host.system_info.codename == "focal":
+            memcpy_result = "Vulnerable"
+        with io.open(paxtest_template_path, 'r') as f:
+            paxtest_template = Template(f.read().rstrip())
+            paxtest_expected = paxtest_template.render(memcpy_result=memcpy_result)
+
+        # The stdout prints here will only be displayed if the test fails
+        for paxtest_diff in difflib.context_diff(paxtest_expected.split('\n'),
+                                                 paxtest_results.split('\n')):
+            print(paxtest_diff)
+        assert paxtest_results == paxtest_expected
+    finally:
+        host.run("apt-get remove -y paxtest")
 
 
 @pytest.mark.skip_in_prod