From eafae0dd038d3e5231a988da423fc859326e9e17 Mon Sep 17 00:00:00 2001
From: Alex Murray
Date: Wed, 5 Jul 2023 11:32:24 +0930
Subject: [PATCH] tests/regression/apparmor/capabilities.sh: fail iopl/ioperm with lockdown

In MR #1063 the tests/regression/apparmor/syscall.sh script was updated to account for kernel lockdown, but the capabilities.sh script also exercises these system calls so this also needs to be updated as well. Also required to fix issue #226.

Signed-off-by: Alex Murray
---
 tests/regression/apparmor/capabilities.sh | 30 +++++++++++++++++------
 1 file changed, 23 insertions(+), 7 deletions(-)
 mode change 100644 => 100755 tests/regression/apparmor/capabilities.sh

diff --git a/tests/regression/apparmor/capabilities.sh b/tests/regression/apparmor/capabilities.sh
old mode 100644
new mode 100755
index 4ee55723f..446a28372
--- a/tests/regression/apparmor/capabilities.sh
+++ b/tests/regression/apparmor/capabilities.sh
@@ -49,14 +49,20 @@ CAPABILITIES="chown dac_override dac_read_search fowner fsetid kill \
 sys_admin sys_boot sys_nice sys_resource sys_time \
 sys_tty_config mknod lease audit_write audit_control"
 
+# lockdown thwarts both ioperm and iopl
+notlockeddown=TRUE
+if [ -f /sys/kernel/security/lockdown ] && ! grep -q "\[none\]" /sys/kernel/security/lockdown; then
+notlockeddown=FALSE
+fi
+
 # defines which test+capability pairs should succeed.
 syscall_reboot_sys_boot=TRUE
 syscall_sethostname_sys_admin=TRUE
 syscall_setdomainname_sys_admin=TRUE
 syscall_setpriority_sys_nice=TRUE
 syscall_setscheduler_sys_nice=TRUE
-syscall_ioperm_sys_rawio=TRUE
-syscall_iopl_sys_rawio=TRUE
+syscall_ioperm_sys_rawio=$notlockeddown
+syscall_iopl_sys_rawio=$notlockeddown
 syscall_chroot_sys_chroot=TRUE
 syscall_mlockall_ipc_lock=TRUE
 syscall_sysctl_sys_admin=TRUE
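Review bot: The lockdown probe added above the capability table treats a missing /sys/kernel/security/lockdown as "not locked down", so on a locked-down kernel where securityfs is not mounted `notlockeddown` stays TRUE and the ioperm/iopl cases run with expected=pass and report as spurious failures. The probe also relies on the file's format, in which the active mode is the bracketed word of `[none] integrity confidentiality`, so any bracketed mode other than none (integrity or confidentiality) is taken to block both calls. Neither assumption is recorded, and the one-line comment does not help a reader who sees the test fail on such a system. I would extend it to `# lockdown thwarts both ioperm and iopl; the active mode is the bracketed entry in this securityfs file, and when securityfs is not mounted we assume the kernel is not locked down`.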
@@ -93,7 +99,13 @@ for TEST in ${TESTS} ; do
 settest ${TEST}
 
 # base case, unconfined
- runchecktest "${TEST} -- unconfined" pass ${my_arg}
+ if [ "${TEST}" = "syscall_ioperm" -a "$notlockeddown" = "FALSE" ] ||
+ [ "${TEST}" = "syscall_iopl" -a "$notlockeddown" = "FALSE" ]; then
+ expected=fail
+ else
+ expected=pass
+ fi
+ runchecktest "${TEST} -- unconfined" ${expected} ${my_arg}
 
 # no capabilities allowed
 genprofile ${my_entries}
@@ -107,11 +119,13 @@ for TEST in ${TESTS} ; do
 
 # all capabilities allowed
 genprofile cap:ALL ${my_entries}
- runchecktest "${TEST} -- all caps" pass ${my_arg}
+ runchecktest "${TEST} -- all caps" ${expected} ${my_arg}
 
 # iterate through each of the capabilities
 for cap in ${CAPABILITIES} ; do
- if [ "X$(eval echo \${${TEST}_${cap}})" = "XTRUE" ] ; then
+ if [ ${expected} = "fail" ]; then
+ expected_result=fail
+ elif [ "X$(eval echo \${${TEST}_${cap}})" = "XTRUE" ] ; then
 expected_result=pass
 elif [ "${TEST}" = "syscall_ptrace" -a "$(kernel_features ptrace)" = "true" ]; then
 expected_result=pass
@@ -136,10 +150,12 @@ for TEST in ${TESTS} ; do
 
 # all capabilities allowed
 genprofile hat:$bin/${TEST} addimage:${bin}/${TEST} cap:ALL ${my_entries}
- runchecktest "${TEST} changehat -- all caps" pass $bin/${TEST} ${my_arg}
+ runchecktest "${TEST} changehat -- all caps" ${expected} $bin/${TEST} ${my_arg}
 
 for cap in ${CAPABILITIES} ; do
- if [ "X$(eval echo \${${TEST}_${cap}})" = "XTRUE" ] ; then
+ if [ ${expected} = "fail" ]; then
+ expected_result=fail
+ elif [ "X$(eval echo \${${TEST}_${cap}})" = "XTRUE" ] ; then
 expected_result=pass
 elif [ "${TEST}" = "syscall_ptrace" -a "$(kernel_features ptrace)" = "true" ]; then
 expected_result=pass
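Review bot: The unconfined gate in the first hunk here spells the lockdown comparison twice (`"$notlockeddown" = "FALSE"` in both `[` tests) and leans on the obsolescent `-a` operator, which the file already uses in the ptrace arm but which makes this two-line condition harder to read than it needs to be. A `case` on the test name keeps the same result in three lines with no `-a`: `expected=pass`, then `case "${TEST}" in syscall_ioperm|syscall_iopl) [ "$notlockeddown" = TRUE ] || expected=fail ;;`, then `esac`. The enclosing `for TEST in ${TESTS}` loop starts and ends outside the hunk.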
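Review bot: In the second and third hunks here the new guard `if [ ${expected} = "fail" ]; then` leaves `${expected}` unquoted, unlike every other `[` comparison in these loops (`"${TEST}"`, `"X$(eval ...)"`); `expected` is assigned on every iteration by the unconfined block, so this is a style point, but an empty value would turn the test into a `[` usage error instead of a clean comparison, so write `if [ "${expected}" = "fail" ]; then` in both places. The new arm also looks redundant with the table change in the previous line: for syscall_ioperm and syscall_iopl the looked-up `${TEST}_sys_rawio` value is already `$notlockeddown`, so the `XTRUE` test fails under lockdown on its own. Whether the arm changes anything depends on the final `else` of each chain, which lies outside the hunk; if that arm sets `expected_result=fail`, the new branch only short-circuits the per-capability lookup and deserves a comment saying so, e.g. `# lockdown blocks the call regardless of capability`. Both `for cap` loops start inside the hunk and end outside it.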