mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-22 18:17:09 +00:00

tests: regression: fix test failure due to mmap semantic changes

The regression tests are failing on some older kernels due to
commit 9f834ec18defc369d73ccf9e87a2790bfa05bf46 being cherry-picked
back to them without the corresponding apparmor patch
34c426acb75cc21bdf84685e106db0c1a3565057.

This means we cannot rely on a simple features/flag check to determine
how the kernel is behaving with regard to mmap. Since this test is
not concerned with testing mmap, instead of adding a more complex
conditional, simplify by always adding the m permission.

Fixes: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1830984
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Georgia Garcia  <georgia.garcia@canonical.com>
(cherry picked from commit e6e112fba12ce6992dd6382c3b27e7fe7251c33c)
Signed-off-by: John Johansen <john.johansen@canonical.com>
John Johansen 2021-07-01 11:13:10 -07:00
parent 911a4ded2e
commit 0f0e268b38


@ -43,11 +43,19 @@ stackthirdok="change_profile->:&$thirdtest"
touch $file $otherfile $sharedfile $thirdfile
if [ "$(kernel_features domain/fix_binfmt_elf_mmap)" == "true" ]; then
elfmmap="m"
else
elfmmap=""
fi
# We used to do a conditional test (below) for mmap permissions to
# address the change introduced by
# 9f834ec18defc369d73ccf9e87a2790bfa05bf46 but there are too many
# kernels in the wild with a backport/cherrypick of that commit that
# skipped cherry-picking 34c426acb75cc21bdf84685e106db0c1a3565057
# meaning the below conditional check has the wrong results for those
# kernels. Since this test is not about testing mmap just always add
# the mmap perm
#if [ "$(kernel_features domain/fix_binfmt_elf_mmap)" == "true" ]; then
# elfmmap="m"
#else
# elfmmap=""
#fi
# Verify file access and contexts by an unconfined process
runchecktest "EXEC_STACK (unconfined - file)" pass -f $file
@ -72,7 +80,7 @@ runchecktest "EXEC_STACK (not stacked - bad mode)" fail -l "$test" -m complain
# Verify file access and contexts by 2 stacked profiles
genprofile -I $fileok $sharedok $getcon $test:"ix -> &$othertest" -- \
image=$othertest addimage:$test $otherok $sharedok $getcon $test:r$elfmmap
image=$othertest addimage:$test $otherok $sharedok $getcon $test:rm
runchecktest_errno EACCES "EXEC_STACK (2 stacked - file)" fail -- $test -f $file
runchecktest_errno EACCES "EXEC_STACK (2 stacked - otherfile)" fail -- $test -f $otherfile
runchecktest_errno EACCES "EXEC_STACK (2 stacked - thirdfile)" fail -- $test -f $thirdfile
@ -85,7 +93,7 @@ runchecktest "EXEC_STACK (2 stacked - bad mode)" fail -- $test -l "${test}//&${t
# Verify file access and contexts by 3 stacked profiles
genprofile -I $fileok $sharedok $getcon $test:"ix -> &$othertest" -- \
image=$othertest addimage:$test $otherok $sharedok $getcon $test:"rix -> &$thirdtest" -- \
image=$thirdtest addimage:$test $thirdok $sharedok $getcon $test:r$elfmmap
image=$thirdtest addimage:$test $thirdok $sharedok $getcon $test:rm
runchecktest_errno EACCES "EXEC_STACK (3 stacked - file)" fail -- $test -- $test -f $file
runchecktest_errno EACCES "EXEC_STACK (3 stacked - otherfile)" fail -- $test -- $test -f $otherfile
runchecktest_errno EACCES "EXEC_STACK (3 stacked - thirdfile)" fail -- $test -- $test -f $thirdfile
@ -95,7 +103,7 @@ runchecktest "EXEC_STACK (3 stacked - okcon)" pass -- $test -- $test -l "${third
genprofile -I $sharedok $stackotherok $stackthirdok $test:"rix -> &$othertest" -- \
image=$othertest addimage:$test $sharedok $stackthirdok $test:"rix -> &$thirdtest" -- \
image=$thirdtest addimage:$test $sharedok $stackthirdok $test:r$elfmmap
image=$thirdtest addimage:$test $sharedok $stackthirdok $test:rm
# Triggered an AppArmor WARN in the initial stacking patch set
runchecktest "EXEC_STACK (3 stacked - old AA WARN)" pass -p $othertest -- $test -p $thirdtest -f $sharedfile
@ -126,7 +134,7 @@ runchecktest "EXEC_STACK (stacked with namespaced profile - okcon)" pass -- $tes
# Verify file access and contexts in mixed mode
genprofile -I $fileok $sharedok $getcon $test:"ix -> &$othertest" -- \
image=$othertest flag:complain addimage:$test $otherok $sharedok $getcon $test:r$elfmmap
image=$othertest flag:complain addimage:$test $otherok $sharedok $getcon $test:rm
runchecktest "EXEC_STACK (mixed mode - file)" pass -- $test -f $file
runchecktest_errno EACCES "EXEC_STACK (mixed mode - otherfile)" fail -- $test -f $otherfile
runchecktest "EXEC_STACK (mixed mode - sharedfile)" pass -- $test -f $sharedfile
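Review bot: The comment block added in the first hunk keeps the old `kernel_features domain/fix_binfmt_elf_mmap` conditional as commented-out code, which the history already preserves and which invites someone to re-enable a check the commit message says is unreliable. A short pointer would carry the same information, for example `# Always grant m: domain/fix_binfmt_elf_mmap is unreliable on kernels that backported 9f834ec18def without 34c426acb75c.` With `$test:rm` now hard-coded in all four `genprofile` calls (2 stacked, 3 stacked, old AA WARN, mixed mode), these profiles grant more than a kernel without the mmap change needs. This test can therefore no longer notice a change in how exec-time mmap is mediated under stacking. That is presumably intentional and covered by a dedicated mmap test, but worth confirming, since this file exercises confinement boundaries.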