mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-28 12:58:07 +00:00
Code Issues Releases Wiki Activity

Merge tests/regression/apparmor/syscall.sh: fail iopl/ioperm with lockdown

Browse Source 
When kernel lockdown is enabled the ioperm and iopl tests will fail regardless
since lockdown prevents these syscalls before AppArmor has a chance to mediate
them. So workaround this by detecting when lockdown is enabled and expect the
tests to fail in that case.

Fixes issue #226.

Signed-off-by: Alex Murray <alex.murray@canonical.com>

Closes #226
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1063
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
This commit is contained in:
John Johansen 2023-07-04 06:52:33 +00:00
commit 7393aaac21
1 changed files with 8 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
tests/regression/apparmor/syscall.sh
View File

@ -150,13 +150,19 @@ i386 | i486 | i586 | i686 | x86 | x86_64)
# But don't run them on xen kernels # But don't run them on xen kernels
if [ ! -d /proc/xen ] ; then if [ ! -d /proc/xen ] ; then
# lockdown thwarts both ioperm and iopl
expected=pass
if [ -f /sys/kernel/security/lockdown ] && ! grep -q "\[none\]" /sys/kernel/security/lockdown; then
expected=fail
fi
## ##
## F. IOPERM ## F. IOPERM
## ##
settest syscall_ioperm settest syscall_ioperm
# TEST F1 # TEST F1
runchecktest "IOPERM (no confinement)" pass 0 0x3ff runchecktest "IOPERM (no confinement)" $expected 0 0x3ff
# TEST F2. ioperm will fail # TEST F2. ioperm will fail
genprofile genprofile
@ -169,7 +175,7 @@ runchecktest "IOPERM (confinement)" fail 0 0x3ff
settest syscall_iopl settest syscall_iopl
# TEST G1 # TEST G1
runchecktest "IOPL (no confinement)" pass 3 runchecktest "IOPL (no confinement)" $expected 3
# TEST G2. iopl will fail # TEST G2. iopl will fail
genprofile genprofile