test kernel patch is downloaded

playbooks/roles/jenkins_worker/defaults/main.yml

@@ -40,3 +40,12 @@ pip_accel_reqs:
   - "pip-accel==0.21.1"
   # pip-accel only makes the s3 functionality available if boto is installed
   - "boto=={{ common_boto_version }}"
+
+# For each ubuntu release, the minimum kernel version to contain a patch for
+# CVE-2016-5195. Note: for ease of dealing with the version_compare filter,
+# "-"s have been replaced with "."s
+patched_kernel_releases:
+    - { os_release: '12.04', min_kernel_version: '3.2.0.113' }
+    - { os_release: '14.04', min_kernel_version: '3.13.0.100' }
+    - { os_release: '16.04', min_kernel_version: '4.4.0.45' }
+    - { os_release: '16.10', min_kernel_version: '4.8.0.26' }

playbooks/roles/jenkins_worker/tasks/main.yml

@@ -20,6 +20,7 @@
 
 # Run appropriate tests
 - include: test.yml
+- include: test_security.yml
 - include: test_platform_worker.yml
   when: platform_worker is defined
 - include: test_sitespeed_worker.yml

playbooks/roles/jenkins_worker/tasks/test_security.yml

+---
+- name: Get os release number
+  shell: "lsb_release -r |cut -f2"
+  register: os_version
+- name: Check which kernel version grub is linked to for next boot
+  shell: basename $(readlink /vmlinuz) |cut -d'-' -f2,3 |tr '-' '.'
+  register: grub_kernel
+# Test that the kernel version which grub will use on next boot is above the
+# minimum version number for the system being built.
+# For more information on version numbering, see:
+# https://github.com/dirtycow/dirtycow.github.io/wiki/Patched-Kernel-Versions
+- assert:
+    that:
+      - "{{ grub_kernel.stdout | version_compare(item.min_kernel_version, '>=', strict=False) }}"
+    when: "{{ item.os_release }} == os_version.stdout"
+  with_items: patched_kernel_releases
+