From 0f0e268b38e42717d456be1b32fdbd6edf7715e9 Mon Sep 17 00:00:00 2001
From: John Johansen
Date: Thu, 1 Jul 2021 11:13:10 -0700
Subject: [PATCH] tests: regression: fix test failure due to mmap semantic changes
The regression tests are failing on some older kernels due to commit 9f834ec18defc369d73ccf9e87a2790bfa05bf46 being cherry-picked back to them without the corresponding apparmor patch 34c426acb75cc21bdf84685e106db0c1a3565057. This means we can not rely on a simple features/flag check to determine how the kernel is behaving with regard to mmap. Since this test is not concerned with testing mmap, instead of adding a more complex conditional simplify by always adding the m permission.
Fixes: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1830984
Signed-off-by: John Johansen
Acked-by: Georgia Garcia
(cherry picked from commit e6e112fba12ce6992dd6382c3b27e7fe7251c33c)
Signed-off-by: John Johansen
---
 tests/regression/apparmor/exec_stack.sh | 26 ++++++++++++++++---------
 1 file changed, 17 insertions(+), 9 deletions(-)
diff --git a/tests/regression/apparmor/exec_stack.sh b/tests/regression/apparmor/exec_stack.sh
index 8914ce64f..9a8f64239 100755
--- a/tests/regression/apparmor/exec_stack.sh
+++ b/tests/regression/apparmor/exec_stack.sh
@@ -43,11 +43,19 @@ stackthirdok="change_profile->:&$thirdtest"
 touch $file $otherfile $sharedfile $thirdfile
-if [ "$(kernel_features domain/fix_binfmt_elf_mmap)" == "true" ]; then
- elfmmap="m"
-else
- elfmmap=""
-fi
+# We used to do a conditional test (below) for mmap permissions to
+# address the change introduced by
+# 9f834ec18defc369d73ccf9e87a2790bfa05bf46 but there are too many
+# kernels in the wild with a backport/cherrypick of that commit that
+# skipped cherry-picking 34c426acb75cc21bdf84685e106db0c1a3565057
+# meaning the below conditional check has the wrong results for those
+# kernels. Since this test is not about testing mmap just always add
+# the mmap perm
+#if [ "$(kernel_features domain/fix_binfmt_elf_mmap)" == "true" ]; then
+# elfmmap="m"
+#else
+# elfmmap=""
+#fi
 # Verify file access and contexts by an unconfined process
 runchecktest "EXEC_STACK (unconfined - file)" pass -f $file
@@ -72,7 +80,7 @@ runchecktest "EXEC_STACK (not stacked - bad mode)" fail -l "$test" -m complain
 # Verify file access and contexts by 2 stacked profiles
 genprofile -I $fileok $sharedok $getcon $test:"ix -> &$othertest" -- \
- image=$othertest addimage:$test $otherok $sharedok $getcon $test:r$elfmmap
+ image=$othertest addimage:$test $otherok $sharedok $getcon $test:rm
 runchecktest_errno EACCES "EXEC_STACK (2 stacked - file)" fail -- $test -f $file
 runchecktest_errno EACCES "EXEC_STACK (2 stacked - otherfile)" fail -- $test -f $otherfile
 runchecktest_errno EACCES "EXEC_STACK (2 stacked - thirdfile)" fail -- $test -f $thirdfile
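Review bot: After this hunk `elfmmap` is never assigned, so any `$elfmmap` reference that survives elsewhere in exec_stack.sh would expand to an empty string and quietly drop the `m` permission again. The four uses in the later hunks are replaced, but the rest of the file is not visible in this patch, so a `grep elfmmap` over the regression test directory is worth doing before merge. The five commented-out lines (`#if` through `#fi`) are dead code that git history already preserves; I would keep the explanation and drop the disabled conditional, closing the comment with something like `# the mmap perm (previously conditional on domain/fix_binfmt_elf_mmap)`. Always granting `m` also means this test no longer runs without it on kernels that lack the mmap change, which matches the stated intent provided mmap mediation is exercised by another test.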
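Review bot: The literal `rm` is now hard-coded in four `genprofile` lines (this hunk and the ones at -85, -95 and -126), which spreads the workaround across the file. Replacing the removed conditional with a single unconditional `elfmmap="m"` beside the explanatory comment would leave these lines as `$test:r$elfmmap`, keep the rationale in one place, and make a later return to a feature check a one-line change. The changed line also leaves `$test` and the other expansions unquoted; that follows the file's existing style, but it would break if the test directory path contained whitespace.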
@@ -85,7 +93,7 @@ runchecktest "EXEC_STACK (2 stacked - bad mode)" fail -- $test -l "${test}//&${t
 # Verify file access and contexts by 3 stacked profiles
 genprofile -I $fileok $sharedok $getcon $test:"ix -> &$othertest" -- \
 image=$othertest addimage:$test $otherok $sharedok $getcon $test:"rix -> &$thirdtest" -- \
- image=$thirdtest addimage:$test $thirdok $sharedok $getcon $test:r$elfmmap
+ image=$thirdtest addimage:$test $thirdok $sharedok $getcon $test:rm
 runchecktest_errno EACCES "EXEC_STACK (3 stacked - file)" fail -- $test -- $test -f $file
 runchecktest_errno EACCES "EXEC_STACK (3 stacked - otherfile)" fail -- $test -- $test -f $otherfile
 runchecktest_errno EACCES "EXEC_STACK (3 stacked - thirdfile)" fail -- $test -- $test -f $thirdfile
@@ -95,7 +103,7 @@ runchecktest "EXEC_STACK (3 stacked - okcon)" pass -- $test -- $test -l "${third
 genprofile -I $sharedok $stackotherok $stackthirdok $test:"rix -> &$othertest" -- \
 image=$othertest addimage:$test $sharedok $stackthirdok $test:"rix -> &$thirdtest" -- \
- image=$thirdtest addimage:$test $sharedok $stackthirdok $test:r$elfmmap
+ image=$thirdtest addimage:$test $sharedok $stackthirdok $test:rm
 # Triggered an AppArmor WARN in the initial stacking patch set
 runchecktest "EXEC_STACK (3 stacked - old AA WARN)" pass -p $othertest -- $test -p $thirdtest -f $sharedfile
@@ -126,7 +134,7 @@ runchecktest "EXEC_STACK (stacked with namespaced profile - okcon)" pass -- $tes
 # Verify file access and contexts in mixed mode
 genprofile -I $fileok $sharedok $getcon $test:"ix -> &$othertest" -- \
- image=$othertest flag:complain addimage:$test $otherok $sharedok $getcon $test:r$elfmmap
+ image=$othertest flag:complain addimage:$test $otherok $sharedok $getcon $test:rm
 runchecktest "EXEC_STACK (mixed mode - file)" pass -- $test -f $file
 runchecktest_errno EACCES "EXEC_STACK (mixed mode - otherfile)" fail -- $test -f $otherfile
 runchecktest "EXEC_STACK (mixed mode - sharedfile)" pass -- $test -f $sharedfile