Merge test: detect if setuid environ test in running under nosuid

If the test ran under a fs mounted with nosuid option, then these bits would be ignored and the test would fail. In that case, detect it and run the test in a tmpfs mountpoint without nosuid. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1285 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net> (cherry picked from commit bc68bc51caf3346d74dfd5b14dea45e76b347073) Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-08-22 10:07:12 +00:00 · 2024-08-01 18:45:58 +00:00 · 2024-08-01 18:45:58 +00:00 · feb4e75e47
commit feb4e75e47
parent f686f7c0ff
1 changed files with 26 additions and 0 deletions
--- a/tests/regression/apparmor/environ.sh
+++ b/tests/regression/apparmor/environ.sh
@ -85,6 +85,32 @@ runchecktest "ENVIRON (shell script): confined/complain & sensitive env" pass ${
 # TEST environment filtering still works on setuid apps
 removeprofile

+tmpfs_dir=${tmpdir}/tmpfs_dir
+remove_mnt() {
+	mountpoint -q "$tmpfs_dir"
+	if [ $? -eq 0 ] ; then
+		umount "$tmpfs_dir"
+	fi
+}
+do_onexit="remove_mnt"
+
+# setuid apps mounted in a fs with "nosuid" option do not honor those
+# bits during execution, so run the test in a mounted tmpdir without nosuid
+FINDMNT=/bin/findmnt
+if [ -x "${FINDMNT}" ] && ${FINDMNT} -no TARGET,OPTIONS -T $tmpdir > /dev/null 2>&1 ; then
+	output="$(${FINDMNT} -no TARGET,OPTIONS -T $tmpdir)"
+	target="$(echo $output | cut -d' ' -f1)"
+	options="$(echo $output | cut -d' ' -f2)"
+	case "$options" in
+		*nosuid* )
+			echo "    $target is mounted with nosuid, creating a new mountpoint..."
+			setuid_helper=${tmpfs_dir}/env_check
+			mkdir ${tmpfs_dir}
+			mount -t tmpfs tmpfs ${tmpfs_dir}
+			;;
+	esac
+fi
+
 cp $helper ${setuid_helper}
 chown nobody ${setuid_helper}
 chmod u+s ${setuid_helper}