Merge tests/regression/apparmor/capabilities.sh: fail iopl/ioperm with lockdown

In MR #1063 the tests/regression/apparmor/syscall.sh script was updated to account for kernel lockdown, but the capabilities.sh script also exercises these system calls so this also needs to be updated as well. Also required to fix issue #226. Signed-off-by: Alex Murray <alex.murray@canonical.com> Closes #226 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1064 Approved-by: Georgia Garcia <georgia.garcia@canonical.com> Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
2025-08-31 14:25:52 +00:00 · 2023-07-10 13:09:48 +00:00
parent f6b179010e eafae0dd03
commit 3b832dd313
1 changed files with 23 additions and 7 deletions
--- a/tests/regression/apparmor/capabilities.sh
+++ b/tests/regression/apparmor/capabilities.sh
@@ -49,14 +49,20 @@ CAPABILITIES="chown dac_override dac_read_search fowner fsetid kill \
 	      sys_admin sys_boot sys_nice sys_resource sys_time \
 	      sys_tty_config mknod lease audit_write audit_control"
 # lockdown thwarts both ioperm and iopl
 notlockeddown=TRUE
 if [ -f /sys/kernel/security/lockdown ] && ! grep -q "\[none\]" /sys/kernel/security/lockdown; then
  notlockeddown=FALSE
 fi
 # defines which test+capability pairs should succeed.
 syscall_reboot_sys_boot=TRUE
 syscall_sethostname_sys_admin=TRUE
 syscall_setdomainname_sys_admin=TRUE
 syscall_setpriority_sys_nice=TRUE
 syscall_setscheduler_sys_nice=TRUE
-syscall_ioperm_sys_rawio=TRUE
+syscall_ioperm_sys_rawio=$notlockeddown
-syscall_iopl_sys_rawio=TRUE
+syscall_iopl_sys_rawio=$notlockeddown
 syscall_chroot_sys_chroot=TRUE
 syscall_mlockall_ipc_lock=TRUE
 syscall_sysctl_sys_admin=TRUE
@@ -93,7 +99,13 @@ for TEST in ${TESTS} ; do
 	settest ${TEST}
 	# base case, unconfined
-	runchecktest "${TEST} -- unconfined" pass ${my_arg}
+	if [ "${TEST}" = "syscall_ioperm" -a "$notlockeddown" = "FALSE" ] ||
 	   [ "${TEST}" = "syscall_iopl" -a "$notlockeddown" = "FALSE" ]; then
 	    expected=fail
 	else
 	    expected=pass
 	fi
 	runchecktest "${TEST} -- unconfined" ${expected} ${my_arg}
 	# no capabilities allowed
 	genprofile ${my_entries}
@@ -107,11 +119,13 @@ for TEST in ${TESTS} ; do
 	# all capabilities allowed
 	genprofile cap:ALL ${my_entries}
-	runchecktest "${TEST} -- all caps" pass ${my_arg}
+	runchecktest "${TEST} -- all caps" ${expected} ${my_arg}
 	# iterate through each of the capabilities
 	for cap in ${CAPABILITIES} ; do
-		if [ "X$(eval echo \${${TEST}_${cap}})" = "XTRUE" ] ; then
+		if [ ${expected} = "fail" ]; then
 			expected_result=fail
 		elif [ "X$(eval echo \${${TEST}_${cap}})" = "XTRUE" ] ; then
 			expected_result=pass
 		elif [ "${TEST}" = "syscall_ptrace" -a "$(kernel_features ptrace)" = "true" ]; then
 			expected_result=pass
@@ -136,10 +150,12 @@ for TEST in ${TESTS} ; do
 	# all capabilities allowed
 	genprofile hat:$bin/${TEST} addimage:${bin}/${TEST} cap:ALL ${my_entries}
-	runchecktest "${TEST} changehat -- all caps" pass $bin/${TEST} ${my_arg}
+	runchecktest "${TEST} changehat -- all caps" ${expected} $bin/${TEST} ${my_arg}
 	for cap in ${CAPABILITIES} ; do
-		if [ "X$(eval echo \${${TEST}_${cap}})" = "XTRUE" ] ; then
+		if [ ${expected} = "fail" ]; then
 			expected_result=fail
 		elif [ "X$(eval echo \${${TEST}_${cap}})" = "XTRUE" ] ; then
 			expected_result=pass
 		elif [ "${TEST}" = "syscall_ptrace" -a "$(kernel_features ptrace)" = "true" ]; then
 			expected_result=pass