[apparmor] query_label regression test failures

Steve Beattie steve at nxnw.org
Thu Jun 25 21:57:21 UTC 2015


On Thu, Jun 25, 2015 at 04:30:46PM -0500, Tyler Hicks wrote:
> On 2015-06-25 13:55:47, Tyler Hicks wrote:
> > On 2015-06-25 01:21:39, Steve Beattie wrote:
> > > Hi,
> > > 
> > > When running the apparmor regression tests on wily with the trunk of
> > > the userspace tools, I'm getting the following two failures in the
> > > query_label test:
> > > 
> > > Error: query_label failed. Test 'QUERY file (all base perms #1)' was expected to 'pass'. Reason for failure 'FAIL: the access should not be allowed and should be audited'
> > > Error: query_label failed. Test 'QUERY file (all base perms #2)' was expected to 'pass'. Reason for failure 'FAIL: the access should not be allowed and should be audited'
> > 
> > Note that the test passes when we run them against the wily apparmor
> > userspace (2.9.2-0ubuntu1). Seems to be something broken specifically in
> > trunk.
>  
> The tests start failing after r3081:
> 
>   http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/3081
> 
> That patch defined values for AA_MAY_* perms, in apparmor.h, related to
> file operations:
> 
>   http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/view/head:/libraries/libapparmor/include/sys/apparmor.h#L34
> 
> The query_label.c binary already defined many of the macros:
> 
>   http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/view/head:/tests/regression/apparmor/query_label.c#L22
> 
> The problem is that the new macros in apparmor.h do not match the old
> macros in query_label.c. Which ones are correct? I assume that the
> apparmor.h ones are correct but would like confirmation before I go
> modify the query_label.c test program.

Right, running the query_label test compiled against the trunk
definitions but with the 2.9.2-0ubuntu1 parser fails in the same way.

Note that changed definition of the AA_MAY_* perms also causes
compilation of the link_subset test to generate a number of warnings,
due to link_subset.c defining them differently than in apparmor.h:

  http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/view/head:/tests/regression/apparmor/link_subset.c#L18

I was working on a patch to address the warnings, but it becomes
difficult to work in both a USE_SYSTEM environment where 2.9 libraries
are available and against the different trunk definitions. I
didn't want to merely protect with #ifndef AA_MAY_*, because
link_subset.c defines some macros that aren't defined in either
libraries/libapparmor/include/sys/apparmor.h or parser/immunix.h:
http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/view/head:/parser/immunix.h#L25

One of the questions I have is that with rev 3081, the macro definitions
become part of the library API, which means that it gets harder to
change them in the future. Are we sure we want that? (We don't have any
releases out there with them visible in the header yet.)

-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20150625/86d076da/attachment.pgp>


More information about the AppArmor mailing list