mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-22 18:17:09 +00:00
Code Issues Releases Wiki Activity

tests: regression: fix test failure due to mmap semantic changes

Browse Source 
The regression tests are failing on some older kernels due to
commit 9f834ec18defc369d73ccf9e87a2790bfa05bf46 being cherry-picked
back to them without the corresponding apparmor patch
34c426acb75cc21bdf84685e106db0c1a3565057.

This means we can not rely on a simple features/flag check to determine
how the kernel is behaving with regard to mmap. Since this test is
not concerned with testing mmap, instead of adding a more complex
conditional simplify by always adding the m permission.

Fixes: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1830984
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Georgia Garcia  <georgia.garcia@canonical.com>
(cherry picked from commit e6e112fba12ce6992dd6382c3b27e7fe7251c33c)
Signed-off-by: John Johansen <john.johansen@canonical.com>
This commit is contained in:
John Johansen 2021-07-01 11:13:10 -07:00
parent 911a4ded2e
commit 0f0e268b38
1 changed files with 17 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
tests/regression/apparmor/exec_stack.sh
View File

@ -43,11 +43,19 @@ stackthirdok="change_profile->:&$thirdtest"
touch $file $otherfile $sharedfile $thirdfile touch $file $otherfile $sharedfile $thirdfile
if [ "$(kernel_features domain/fix_binfmt_elf_mmap)" == "true" ]; then # We used to do a conditional test (below) for mmap permissions to
elfmmap="m" # address the change introduced by
else # 9f834ec18defc369d73ccf9e87a2790bfa05bf46 but there are too many
elfmmap="" # kernels in the wild with a backport/cherrypick of that commit that
fi # skipped cherry-picking 34c426acb75cc21bdf84685e106db0c1a3565057
# meaning the below conditional check has the wrong results for those
# kernels. Since this test is not about testing mmap just always add
# the mmap perm
#if [ "$(kernel_features domain/fix_binfmt_elf_mmap)" == "true" ]; then
# elfmmap="m"
#else
# elfmmap=""
#fi
# Verify file access and contexts by an unconfined process # Verify file access and contexts by an unconfined process
runchecktest "EXEC_STACK (unconfined - file)" pass -f $file runchecktest "EXEC_STACK (unconfined - file)" pass -f $file
@ -72,7 +80,7 @@ runchecktest "EXEC_STACK (not stacked - bad mode)" fail -l "$test" -m complain
# Verify file access and contexts by 2 stacked profiles # Verify file access and contexts by 2 stacked profiles
genprofile -I $fileok $sharedok $getcon $test:"ix -> &$othertest" -- \ genprofile -I $fileok $sharedok $getcon $test:"ix -> &$othertest" -- \
image=$othertest addimage:$test $otherok $sharedok $getcon $test:r$elfmmap image=$othertest addimage:$test $otherok $sharedok $getcon $test:rm
runchecktest_errno EACCES "EXEC_STACK (2 stacked - file)" fail -- $test -f $file runchecktest_errno EACCES "EXEC_STACK (2 stacked - file)" fail -- $test -f $file
runchecktest_errno EACCES "EXEC_STACK (2 stacked - otherfile)" fail -- $test -f $otherfile runchecktest_errno EACCES "EXEC_STACK (2 stacked - otherfile)" fail -- $test -f $otherfile
runchecktest_errno EACCES "EXEC_STACK (2 stacked - thirdfile)" fail -- $test -f $thirdfile runchecktest_errno EACCES "EXEC_STACK (2 stacked - thirdfile)" fail -- $test -f $thirdfile
@ -85,7 +93,7 @@ runchecktest "EXEC_STACK (2 stacked - bad mode)" fail -- $test -l "${test}//&${t
# Verify file access and contexts by 3 stacked profiles # Verify file access and contexts by 3 stacked profiles
genprofile -I $fileok $sharedok $getcon $test:"ix -> &$othertest" -- \ genprofile -I $fileok $sharedok $getcon $test:"ix -> &$othertest" -- \
image=$othertest addimage:$test $otherok $sharedok $getcon $test:"rix -> &$thirdtest" -- \ image=$othertest addimage:$test $otherok $sharedok $getcon $test:"rix -> &$thirdtest" -- \
image=$thirdtest addimage:$test $thirdok $sharedok $getcon $test:r$elfmmap image=$thirdtest addimage:$test $thirdok $sharedok $getcon $test:rm
runchecktest_errno EACCES "EXEC_STACK (3 stacked - file)" fail -- $test -- $test -f $file runchecktest_errno EACCES "EXEC_STACK (3 stacked - file)" fail -- $test -- $test -f $file
runchecktest_errno EACCES "EXEC_STACK (3 stacked - otherfile)" fail -- $test -- $test -f $otherfile runchecktest_errno EACCES "EXEC_STACK (3 stacked - otherfile)" fail -- $test -- $test -f $otherfile
runchecktest_errno EACCES "EXEC_STACK (3 stacked - thirdfile)" fail -- $test -- $test -f $thirdfile runchecktest_errno EACCES "EXEC_STACK (3 stacked - thirdfile)" fail -- $test -- $test -f $thirdfile
@ -95,7 +103,7 @@ runchecktest "EXEC_STACK (3 stacked - okcon)" pass -- $test -- $test -l "${third
genprofile -I $sharedok $stackotherok $stackthirdok $test:"rix -> &$othertest" -- \ genprofile -I $sharedok $stackotherok $stackthirdok $test:"rix -> &$othertest" -- \
image=$othertest addimage:$test $sharedok $stackthirdok $test:"rix -> &$thirdtest" -- \ image=$othertest addimage:$test $sharedok $stackthirdok $test:"rix -> &$thirdtest" -- \
image=$thirdtest addimage:$test $sharedok $stackthirdok $test:r$elfmmap image=$thirdtest addimage:$test $sharedok $stackthirdok $test:rm
# Triggered an AppArmor WARN in the initial stacking patch set # Triggered an AppArmor WARN in the initial stacking patch set
runchecktest "EXEC_STACK (3 stacked - old AA WARN)" pass -p $othertest -- $test -p $thirdtest -f $sharedfile runchecktest "EXEC_STACK (3 stacked - old AA WARN)" pass -p $othertest -- $test -p $thirdtest -f $sharedfile
@ -126,7 +134,7 @@ runchecktest "EXEC_STACK (stacked with namespaced profile - okcon)" pass -- $tes
# Verify file access and contexts in mixed mode # Verify file access and contexts in mixed mode
genprofile -I $fileok $sharedok $getcon $test:"ix -> &$othertest" -- \ genprofile -I $fileok $sharedok $getcon $test:"ix -> &$othertest" -- \
image=$othertest flag:complain addimage:$test $otherok $sharedok $getcon $test:r$elfmmap image=$othertest flag:complain addimage:$test $otherok $sharedok $getcon $test:rm
runchecktest "EXEC_STACK (mixed mode - file)" pass -- $test -f $file runchecktest "EXEC_STACK (mixed mode - file)" pass -- $test -f $file
runchecktest_errno EACCES "EXEC_STACK (mixed mode - otherfile)" fail -- $test -f $otherfile runchecktest_errno EACCES "EXEC_STACK (mixed mode - otherfile)" fail -- $test -f $otherfile
runchecktest "EXEC_STACK (mixed mode - sharedfile)" pass -- $test -f $sharedfile runchecktest "EXEC_STACK (mixed mode - sharedfile)" pass -- $test -f $sharedfile