From 6ca4992107d0306cf8c3a0324757685c3cb9d56b Mon Sep 17 00:00:00 2001 From: Alex Murray Date: Tue, 4 Jul 2023 15:45:45 +0930 Subject: [PATCH] tests/regression/apparmor/syscall.sh: fail iopl/ioperm with lockdown When kernel lockdown is enabled the ioperm and iopl tests will fail regardless since lockdown prevents these syscalls before AppArmor has a chance to mediate them. So workaround this by detecting when lockdown is enabled and expect the tests to fail in that case. Fixes issue #226. Signed-off-by: Alex Murray --- tests/regression/apparmor/syscall.sh | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/tests/regression/apparmor/syscall.sh b/tests/regression/apparmor/syscall.sh index 8d98b40a4..b9d68d471 100755 --- a/tests/regression/apparmor/syscall.sh +++ b/tests/regression/apparmor/syscall.sh @@ -150,13 +150,19 @@ i386 | i486 | i586 | i686 | x86 | x86_64) # But don't run them on xen kernels if [ ! -d /proc/xen ] ; then +# lockdown thwarts both ioperm and iopl +expected=pass +if [ -f /sys/kernel/security/lockdown ] && ! grep -q "\[none\]" /sys/kernel/security/lockdown; then + expected=fail +fi + ## ## F. IOPERM ## settest syscall_ioperm # TEST F1 -runchecktest "IOPERM (no confinement)" pass 0 0x3ff +runchecktest "IOPERM (no confinement)" $expected 0 0x3ff # TEST F2. ioperm will fail genprofile @@ -169,7 +175,7 @@ runchecktest "IOPERM (confinement)" fail 0 0x3ff settest syscall_iopl # TEST G1 -runchecktest "IOPL (no confinement)" pass 3 +runchecktest "IOPL (no confinement)" $expected 3 # TEST G2. iopl will fail genprofile
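Review bot: In the first hunk (@@ -150,13 +150,19 @@), the detection `! grep -q "\[none\]" /sys/kernel/security/lockdown` is also true when grep cannot read the file, so a read error sets expected=fail just as an active lockdown mode does. Matching the active modes positively, for example grep -qE "\[(integrity|confidentiality)\]", would keep expected=pass unless lockdown is really reported as enabled. The comment "lockdown thwarts both ioperm and iopl" could also carry the reason from the commit message, namely that lockdown rejects the syscalls before AppArmor mediates them, and `$expected` in the runchecktest line for TEST F1 is better quoted as "$expected".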
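Review bot: In the second hunk (@@ -169,7 +175,7 @@), once expected=fail, TEST G1 "IOPL (no confinement)" and TEST G2 expect the same result, and the same holds for F1 and the unchanged `runchecktest "IOPERM (confinement)" fail 0 0x3ff`, so under lockdown the confined tests succeed without showing that AppArmor denied the call. Consider skipping F2 and G2 when lockdown is active, or at least printing a message that the iopl/ioperm mediation checks are not meaningful in that configuration, so a run on a locked-down kernel is not read as coverage of AppArmor's handling of these syscalls.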