From a7580ea7599b1a3e0a5252d7ec17927872afb81d Mon Sep 17 00:00:00 2001 From: mwiegand Date: Fri, 15 May 2026 20:35:18 +0200 Subject: [PATCH] deploy/tests: assert both hardening drop-ins allow x86 syscalls MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The web and server hardening drop-ins both fork-exec 32-bit binaries on critical paths (steamcmd_linux from the install job, srcds_linux on the game side). When the web drop-in had SystemCallArchitectures=native and the server had native x86, the asymmetry silently broke the install flow — bash exit 159 (SIGSYS) — for as long as nobody re-triggered it. Pin the constraint as a test: both drop-ins must agree on SystemCallArchitectures, and both must include x86. Co-Authored-By: Claude Opus 4.7 (1M context) --- deploy/tests/test_example_units.py | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/deploy/tests/test_example_units.py b/deploy/tests/test_example_units.py index dac8b31..a1b2338 100644 --- a/deploy/tests/test_example_units.py +++ b/deploy/tests/test_example_units.py @@ -306,3 +306,25 @@ def test_server_hardening_dropin_present_with_directives(): for line in text.splitlines(): bare = line.split("#", 1)[0].strip() assert bare != "ProcSubset=pid", "ProcSubset=pid must not be active in the server drop-in" + + +def test_hardening_dropins_agree_on_syscall_architectures(): + # Both units fork-exec a 32-bit binary on critical paths: the web + # service runs the install job (steamcmd_linux), the server unit runs + # srcds_linux. Either drop-in without `x86` in SystemCallArchitectures + # SIGSYS-kills its child on first syscall (bash exit 159). They must + # agree, and both must include x86 — caught the hard way on + # 2026-05-15 when web had `native` only and the install job died. + import re + + pat = re.compile(r"^SystemCallArchitectures=(.+)$", re.MULTILINE) + web_arch = pat.search(WEB_HARDENING_DROPIN.read_text()).group(1).strip() + srv_arch = pat.search(SERVER_HARDENING_DROPIN.read_text()).group(1).strip() + assert web_arch == srv_arch, ( + f"hardening drop-ins disagree on SystemCallArchitectures: " + f"web={web_arch!r} server={srv_arch!r}. Both must include `x86`." + ) + assert "x86" in web_arch.split(), ( + f"SystemCallArchitectures missing x86: {web_arch!r}. Required for " + "steamcmd_linux (install job) and srcds_linux." + )