The lack of a space after $testtype is a syntax error and was causing the
equality tests on Ubuntu Xenial to be silently skipped and marked PASS.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1670
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
(cherry picked from commit bd46a02e478036d838f73f14dadfab33649f8a9e)
17ee87ad parser: fix if condition at the bottom of equality.sh
Co-authored-by: Christian Boltz <apparmor@cboltz.de>
glibc defines bsd's rlimit ofile as nofile, however musl does not define
rlimit ofile at all.
Instead of just dropping ofile which would be bad for policy portability
make sure it is defined to be nofile.
This is a partial fie for
https://gitlab.com/apparmor/apparmor/-/issues/513
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1648
Approved-by: Steve Beattie <steve+gitlab@nxnw.org>
Merged-by: Steve Beattie <steve+gitlab@nxnw.org>
(cherry picked from commit 887ff42043e98a4bf59b206056a8a740c57c7c4d)
Signed-off-by: John Johansen <john.johansen@canonical.com>
... and adjust the tools to raise an exception if such a rule is found.
While this is not nice, it's better than the previous behaviour where
only the last 'fstype' was kept, and the others were lost when writing
the rule.
(cherry picked from commit b5894687edd1e6c398eb72b7cffb05a003e3af53)
Signed-off-by: John Johansen <john.johansen@canonical.com>
... and adjust the tools to raise an exception if such a rule is found.
While this is not nice, it's better than the previous behaviour where
only the last 'options' was kept, and the others were lost when writing
the rule.
(cherry picked from commit 171e0b1fa92fa3a6e732fb964e923c4f85f4bdb9)
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: 1561 Added the ability to specify special a keyword to allow
detached mounts. Unfortunately it updated remount to use the device
and devbuffer when remounts current encoding doesn't support it.
This caused the mount.sh regression test to fail in the following
way.
```
$ sudo bash mount.sh
[sudo] password for jj:
using mount rules ...
Error: mount failed. Test 'MOUNT (confined cap bind mount remount rprivate conflict)' was expected to 'pass'. Reason for failure 'FAIL: mount /tmp/sdtest.358520-12403-ASaOnn/mountpoint2 on /tmp/sdtest.358520-12403-ASaOnn/mountpoint failed - Permission denied'
not supported by parser - skipping mount options=(nodirsync),
Error: mount failed. Test 'MOUNT (confined cap mount remount option)' was expected to 'pass'. Reason for failure 'FAIL: mount /dev/loop40 on /tmp/sdtest.358520-12403-ASaOnn/mountpoint failed - Permission denied'
Error: mount failed. Test 'MOUNT (confined cap mount remount)' was expected to 'pass'. Reason for failure 'FAIL: mount /dev/loop40 on /tmp/sdtest.358520-12403-ASaOnn/mountpoint failed - Permission denied'
Error: mount passed. Test 'MOUNT (confined cap mount remount deny option)' was expected to 'fail'
```
Revert the change to remount. This fixes the regression failure.
fa0746f2e parser: add special casing for detached move mounts
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 89e8fe9c1c1546177d3b9b0401b10e974c4518ea)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
(cherry picked from commit 63857a79727cc0f6fd2d39d260685f645570af26)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
(cherry picked from commit 315d999013911e8af7be8b9028d1da9d02edb630)
Signed-off-by: John Johansen <john.johansen@canonical.com>
upsteam move_mount mediation now allows for a detached (disconnected)
mount to be move mounted into a namespace.
Add support for this by detecting 'detached' as a keyword for the
source/device and using it to create a null match. Because existing
mount encoding using a null separator between the mount terms null
match followed by the null seperator will separate detached mounts
within the existing encoding.
Eg.
mount detached -> /destination,
mount options=(ro) fstype=ext4 detached -> /destination,
This is functionally equivalent to using
mount "" -> /destination,
However using "" does not provide any context that about what the rule is allowing or why so the 'detached' form is preferred.
This is not a perfect solution, but is what can be currently supported
by the kernel without more LSM hooks.
On kernels that don't support detached mount detection, rules using
the detached souce conditional will be ignored (never matched).
This encoding also allows the existing
mount,
mount options=(move),
mount options=(move) -> /destination,
to continue to work with both detached and regular mounts on kernels
that support the move_mount() syscall.
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit fa0746f2e21e8263630d20e5007d3be9673800f3)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Fixes https://bugs.launchpad.net/apparmor/+bug/2106033
Improve the validation of AARE file paths by introducing a new regex
that supports paths starting with '{' (e.g. '{/,/org/freedesktop/DBus}').
These paths are notably used in snap.lxd.* profiles.
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
(cherry picked from commit dbf4c27154c65eded170cb73d08cc6918b667b54)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
(cherry picked from commit 8beac326a56be900163ca099b4fe4299b3a47a7d)
Signed-off-by: John Johansen <john.johansen@canonical.com>
In the following policy, "ptrace" would be dropped during merging:
$FOO=true
/bin/true {
if $FOO {
ptrace,
}
}
Current behavior:
----- Debugging built structures -----
Name: /bin/true
Local To: <NULL>
Mode:
With patch:
----- Debugging built structures -----
Name: /bin/true
Local To: <NULL>
Mode:
ptrace,
(cherry picked from commit dad66f663b0099c7f2dab99935b31d1e76dd07b0)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
(cherry picked from commit 6da10ef98f424e13fcbec4e189c79ccf6e8fa5a5)
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
The original location in the middle of the priority function helper was
completely nonsensical. We can instead do this check just once after
running all the tests.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
(cherry picked from commit 1f32c1175e080da201ce010c1f3650dab34e1a92)
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
Similarly to apparmor/apparmor!403, we don't really need to pass these flags
here, but if we don't, blhc raises a false positive, and I don't want to get
used to ignoring blhc failures on Debian's GitLab CI.
(cherry picked from commit 187c244056b959065c43365125fcbe5ea3a6b524)
Signed-off-by: John Johansen <john.johansen@canonical.com>
This imports translations from launchpad up to commit
revno: 2523
committer: Launchpad Translations on behalf of apparmor-dev
branch nick: apparmor
timestamp: Fri 2025-02-21 09:32:26 +0000
message:
Launchpad automatic translations update.
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1559
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
(cherry picked from commit d52b301ee8097a887ee7c4f2c260009d949f6e0c)
2a87a921 Import translations from launchpad
Co-authored-by: Christian Boltz <apparmor@cboltz.de>
The documentation was missing information about path sanitization, and
why you shouldn't do a leading @{VAR} on path rules. While the example
doing this was fixed, actual information about why you shouldn't do
this was missing.
Document how apparmor will collapse consecutive / characters into a
single character for paths, except when this occurs at the start of
the path.
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit cce5bd6e95ae9a9f01caceea0d5d75b612dd3fbc)
Signed-off-by: John Johansen <john.johansen@canonical.com>
The current behavior of priority rules can be non-intuitive with
higher priority rules completely overriding lower priority rules even in
permissions not held in common. This behavior does have use cases but
its can be very confusing, and does not normal policy behavior
Eg.
priority=0 allow r /**,
priority=1 deny w /**,
will result in no allowed permissions even though the deny rule is
only removing the w permission, beause the higher priority rule
completely over ride lower priority permissions sets (including
none shared permissions).
Instead move to tracking the priority at a per permission level. This
allows the w permission to still override at priority 1, while the
read permission is allowed at priority 0.
The final constructed state will still drop priority for the final
permission set on the state.
Note: this patch updates the equality tests for the cases where
the complete override behavior was being tested for.
The complete override behavior will be reintroduced in a future
patch with a keyword extension, enabling that behavior to be used
for ordered blocks etc.
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 1ebd991155c800a7c998d2d068adecad358f5365)
Signed-off-by: John Johansen <john.johansen@canonical.com>
The original patch adding priority to the set of prefixes failed to
update the prefix dump to include the priority priority field.
Fixes: e3fca60d1 ("parser: add the ability to specify a priority prefix to rules")
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit e56dbc20847535db3307ff9ee1840ec747822f76)
Signed-off-by: John Johansen <john.johansen@canonical.com>
The priority field is only used during state construction, and can
even prevent later optimizations like minimization. The parser already
explcitily clears the states priority field as part of the last thing
done during construction so it doesn't prevent minimization
optimizations.
This means the state priority not only wastes storage because it is
unused post construction but if used it could introduce regressions,
or other issues.
The change to the minimization tests just removes looking for the
priority field that is no longer reported.
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit cc31a0da223321e18324cc58aa9cdc9e025c6ea8)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Like was done for the other MatchFlags switch to using a node type
instead of dynamic_cast as this will result in a performance
improvement.
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 9221d291ec2441d3dc6098916a9f9b19df820bf0)
Signed-off-by: John Johansen <john.johansen@canonical.com>
As pointed out by https://bugs.launchpad.net/apparmor/+bug/2087875 ,
profile transitions with pivot_root are currently not supported on any
kernel.
This commit makes this limitation more obvious to users.
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
(cherry picked from commit cf51f7aadd11bbb6a009ee5d3d9b4a96fa2e22e5)
Signed-off-by: John Johansen <john.johansen@canonical.com>
This allows building the tst_* binaries in parallel independently of running the parser test suite
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
(cherry picked from commit 2e841655cfa872d50b1e67f7d67f2fda5a725969)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Construction of the chfa can reorder states from what the numbering
given during the hfa constuctions because of reordering for better
compression, dead state removal to ensure better packing etc.
This however means the dfa dump is difficult (it is possible using
multiple dumpes) to match up to the chfa that the kernel is
using. Make this easier by making the dfa dump be able to take the
emapping as input, and provide an option to dump the chfa equivalent
hfa.
Renumbered states will show up as {new <== {orig}} in the dump
Eg.
--D dfa-states
{1} <== priority (allow/deny/prompt/audit/quiet)
{5} 0 (0x 4/0//0/0/0)
{1} perms: none
0x2 -> {5} 0 (0x 4/0//0/0/0)
0x4 -> {5} 0 (0x 4/0//0/0/0)
\a 0x7 -> {5} 0 (0x 4/0//0/0/0)
\t 0x9 -> {5} 0 (0x 4/0//0/0/0)
\n 0xa -> {5} 0 (0x 4/0//0/0/0)
\ 0x20 -> {5} 0 (0x 4/0//0/0/0)
4 0x34 -> {3}
{3} perms: none
0x0 -> {6}
{6} perms: none
1 0x31 -> {5} 0 (0x 4/0//0/0/0)
-D dfa-compressed-states
{1} <== priority (allow/deny/prompt/audit/quiet)
{2 == {5}} 0 (0x 4/0//0/0/0)
{1} perms: none
0x2 -> {2 == {5}} 0 (0x 4/0//0/0/0)
0x4 -> {2 == {5}} 0 (0x 4/0//0/0/0)
\a 0x7 -> {2 == {5}} 0 (0x 4/0//0/0/0)
\t 0x9 -> {2 == {5}} 0 (0x 4/0//0/0/0)
\n 0xa -> {2 == {5}} 0 (0x 4/0//0/0/0)
\ 0x20 -> {2 == {5}} 0 (0x 4/0//0/0/0)
4 0x34 -> {3}
{3} perms: none
0x0 -> {4 == {6}}
{4 == {6}} perms: none
1 0x31 -> {2 == {5}} 0 (0x 4/0//0/0/0)
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 50452e114729cfcfb07945015e41f36430b4ab2f)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1527
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry-picked from commit b4caf8782cf677b5128adbbcbb872f663247b3ba)
41be573b Fix leading slash var typo in apparmor.d var example
Co-authored-by: John Johansen <john@jjmx.net>
... in aa-teardown (actually everything that uses rc.apparmor.functions)
and aa-remove-unknown.
Fixes: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2093797
I propose this fix for 3.0..master, since the apparmor.d manpage in all these branches mentions the `kill` flag.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1484
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Approved-by: Ryan Lee <rlee287@yahoo.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>
(cherry picked from commit 9629bc8b6ff6881bba247c065dc55f5d6a77d00a)
1c2d79de Support unloading profiles in kill and prompt mode
Co-authored-by: Christian Boltz <apparmor@cboltz.de>
As reported in https://gitlab.com/apparmor/apparmor/-/merge_requests/1475
uint requires the inclusion of sys/types.h for use in musl libc.
Including that would be fine but since it is only used for the
cast for the owner type comparison, just convert to use a more
standard type.
Reported-by: @fossd <fossdd@pwned.life>
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit ff03702fdebb6c6c55532a6768b404706823c339)
Signed-off-by: John Johansen <john.johansen@canonical.com>
There is a general industry wide effort to move off of md5 and even
sha1 (see recent kernel changes). While in this particular use case it
doesn't make a difference (besides slightly lowering the chance of a
collision) switch to sha256sum to make sure our code doesn't depend on
tools that are deprecated and there is an effort to remove.
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 027b508da8e12979ae893610f6336c31e6af2be5)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Similar to the deny x permission tests, the tests that test carving
out r permissions need to be updated to be conditional on what
priority is being used on the rule.
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit bf7b80c478071382c8ef9aef3905a32597ae9e1f)
Signed-off-by: John Johansen <john.johansen@canonical.com>
With priority rules, deny does not carve out permissions from the
higher priority rule. Technically it doesn't from lower priority either
as it completely overrides them, but that case already results in
an inequality so does not cause the tests to fail.
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 25f16b239d735023f2010d43f529fd79cd28326b)
Signed-off-by: John Johansen <john.johansen@canonical.com>
cx rules using a specified profile transition, may be emulated by
using px and a hierarchical profile name. That is
cx -> b
may be transformed into
px -> profile//b
which will generate an xtable entry of
profile//b
which means the previous patch using
pivot_root -> b,
to reliably add b to the xtable will not cover this case.
transition to using two pivot_root rules to provide the xtable entries
pivot_root /a -> b,
pivot_root /c -> /t//b,
the paths /a and /c are irrelavent as long as they don't have an
overlap with the generic globbing expression in the test, Two table
entries will be generated. We guarantee no overlap by converting the
/** to /f**
Also the xtable reserving rules are moved to the end of the profile so
the table order can be reliably created. A follow on MR around xtable
improvements should add reliability to xtable order.
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 369029dc074cf292ebab61392a1bead2d2f78d08)
Signed-off-by: John Johansen <john.johansen@canonical.com>
exec rules that specify an specific target profile generate an entry
in the xtable. The test entries containing " -> b" are an example of
this.
Currently the parser allocates the xtable entry before priorities are
applied in the backend, or minimization is done. Further more the
parser does not ref count the xtable entry to know what it is no
longer referenced.
The equality tests generate rules that are designed to completely
override and remove a lower priority rule, and remove it. Eg.
/t { priority=1 /* ux, /f px -> b, }
and then compares the generated profile to the functionaly equivalent
profile eg.
/t { priority=1 /* ux, }
To verify the overridden rule has been completely removed.
Unfortunately the compilation is not removing the unused xtable entry
for the specified transition, causing the equality comparison to fail.
Ideally the parser should be fixed so unused xtable entries are removed,
but that should be done in a different MR, and have its own test.
To fix the current tests, and another rule that adds an xtable entry
to the same target that can not be overriden by the x rule using
pivot_root. The parser will dedup the xtable entry resulting in the
known and test profile both having the same xtable. So the test will
pass and meet the original goal of verifying the x rule being overriden
and eliminated.
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 84650beb2f06d90eb1e600f20cb7f1b7b3dcb8b2)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Failed equality tests can be hard to debug. The profiles aren't always
enough to figure out what is going on. Add several options that will
help in debugging, and developing new tests.
Add switches and arg parsing.
Add the ability to run tests individually
Add a -r flag to allow retaining the test and output
similar to the regression tests, so the exact output from the
tests can be examined.
Add a -d flag to dump dfa build information.
Allow overriding the parser, features, and description for a given
test run.
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit cca842b897f861eb6057f842c5b75d40345afd10)
Signed-off-by: John Johansen <john.johansen@canonical.com>
In preparation for some additional abilities wrap the current tests in
a function.
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 05ddc61246888b9f5ccc0aaf848415afdaf6fb19)
Signed-off-by: John Johansen <john.johansen@canonical.com>
printf of failure/error info should be going to stderr. Unfortunately
the test has a mix of 2>&1 and 1>&2. Having a mix is just wrong, we
could standardize on either but since the info is error info 1>&2
seems to be the better choice.
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 31e60baab22dd542005a55329d666e2e7e36f4ed)
Signed-off-by: John Johansen <john.johansen@canonical.com>
The test was passing because the file priority was always zero bug
resulting in the priority rule always being correctly combined
with the specific match x rule, instead of overriding it.
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 57c57f198ced77eb76e1e30252ea0c024ca1a42f)
Signed-off-by: John Johansen <john.johansen@canonical.com>
The test was passing because the file priority always being zero bug,
the supplied rule always had the same priority as the implied
rule. Resulting in binary_equality always passing even though the
specified priority should have resulted in a failure.
Fix this by checking if the priorities are equal to the implied
rule other wise it should result in an inequality.
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 4b410b67f165aa1768975714b5fa8aabc8f7692c)
Signed-off-by: John Johansen <john.johansen@canonical.com>
When there is a failure output the exact call info used to invoke the
parser. To facilitate manually recreating the test.
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit d275dfdd42a9195862b89cfe73fded85fb91726e)
Signed-off-by: John Johansen <john.johansen@canonical.com>
With the file priority fix the xequality (expected equal but known
failure) tests are now passing. So convert them to regular equality
tests.
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit fcee32a37e6aeb44aa8d541394a7e7014ba40e88)
Signed-off-by: John Johansen <john.johansen@canonical.com>
The dfa goes through several stages during the build. Allow dumping it
at the various stages instead of only at the end.
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 5d2a38e816eacd00bc76502aa8725502fd65eee7)
Signed-off-by: John Johansen <john.johansen@canonical.com>
File rules could drop priority info when rule matched a rule
that was the same except for having different priority. For now
fix this by treating them as a different rule.
The priority was also be dropped when add_prefix was used to
add the priority during the parse resulting in file rules always
getting a default priority of 0.
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 9d5b86bc9d9f1fb31e1633145b1506975af0039c)
Signed-off-by: John Johansen <john.johansen@canonical.com>
While the mount syscall documentation disallows this, the kernel silently
ignores make-* flags when doing a remount, and real applications were
passing this conflicting set of flags. Because changing the kernel to
reject this combination would break userspace, we should allow them
instead.
For an example: see https://bugs.launchpad.net/apparmor/+bug/2091424.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
(cherry picked from commit 52babe8054c6428f83c5c028f15063c33ef88e3e)
Signed-off-by: John Johansen <john.johansen@canonical.com>
The previous code would concatenate all of them together without spacing.
While dump_flags and the corresponding operator<< function aren't currently used,
this will help for when dump_flags is used to debug parser problems.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
(cherry picked from commit 96718ea4d15b0a4551fece1c36b8360c2e44fad3)
Signed-off-by: John Johansen <john.johansen@canonical.com>
MS_SYNC is a flag for msync(2) while MS_SYNCHRONOUS is a flag for mount(2).
The header used to define MS_SYNC but IMO this is confusing since that's an
unrelated flag.
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
(cherry picked from commit d164e877f5fbd0d435c89c6645db9ea34061316d)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
(cherry picked from commit b925d8acff9fa83159901f2a25d15551222fc580)
Signed-off-by: John Johansen <john.johansen@canonical.com>
These are marked as expected fail due to a bug in the parser's priority
handling.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
(cherry picked from commit 7b5f4c0d6f0d0a51b489ad83a2d31a941d28f1ac)
Signed-off-by: John Johansen <john.johansen@canonical.com>
currently the equality tests require the tests to PASS as known equality
or inequality. Add the ability to add tests that are a known problem
and are expected to fail the equality, or inequality test.
This is done by using
verify_binary_xequality
verify_binary_xinequality
This allows new tests to be added to document a known issue, without
having to develop the fix for the issue. The use of this facility
is expected to be temporary, so any test marked as xequality or
xinequality will be noisy but not fail the other tests until they
are fixed, at which point they will cause the tests to fail to
force them to be updated to the correct equality or inequality
test.
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit b81ea65c1c35e1114dd402c8a1d34aeab7aaf5aa)
Signed-off-by: John Johansen <john.johansen@canonical.com>
