[apparmor] query_label regression test failures

Steve Beattie steve at nxnw.org
Thu Jun 25 22:02:38 UTC 2015 

On Thu, Jun 25, 2015 at 02:57:21PM -0700, Steve Beattie wrote:
> On Thu, Jun 25, 2015 at 04:30:46PM -0500, Tyler Hicks wrote:
> > On 2015-06-25 13:55:47, Tyler Hicks wrote:
> > > On 2015-06-25 01:21:39, Steve Beattie wrote:
> > > > Hi,
> > > > 
> > > > When running the apparmor regression tests on wily with the trunk of
> > > > the userspace tools, I'm getting the following two failures in the
> > > > query_label test:
> > > > 
> > > > Error: query_label failed. Test 'QUERY file (all base perms #1)' was expected to 'pass'. Reason for failure 'FAIL: the access should not be allowed and should be audited'
> > > > Error: query_label failed. Test 'QUERY file (all base perms #2)' was expected to 'pass'. Reason for failure 'FAIL: the access should not be allowed and should be audited'
> > > 
> > > Note that the test passes when we run them against the wily apparmor
> > > userspace (2.9.2-0ubuntu1). Seems to be something broken specifically in
> > > trunk.
> >  
> > The tests start failing after r3081:
> > 
> >   http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/3081
> > 
> > That patch defined values for AA_MAY_* perms, in apparmor.h, related to
> > file operations:
> > 
> >   http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/view/head:/libraries/libapparmor/include/sys/apparmor.h#L34
> > 
> > The query_label.c binary already defined many of the macros:
> > 
> >   http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/view/head:/tests/regression/apparmor/query_label.c#L22
> > 
> > The problem is that the new macros in apparmor.h do not match the old
> > macros in query_label.c. Which ones are correct? I assume that the
> > apparmor.h ones are correct but would like confirmation before I go
> > modify the query_label.c test program.
> 
> Right, running the query_label test compiled against the trunk
> definitions but with the 2.9.2-0ubuntu1 parser fails in the same way.
> 
> Note that changed definition of the AA_MAY_* perms also causes
> compilation of the link_subset test to generate a number of warnings,
> due to link_subset.c defining them differently than in apparmor.h:
> 
>   http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/view/head:/tests/regression/apparmor/link_subset.c#L18
> 
> I was working on a patch to address the warnings, but it becomes
> difficult to work in both a USE_SYSTEM environment where 2.9 libraries
> are available and against the different trunk definitions. I
> didn't want to merely protect with #ifndef AA_MAY_*, because
> link_subset.c defines some macros that aren't defined in either
> libraries/libapparmor/include/sys/apparmor.h or parser/immunix.h:
> http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/view/head:/parser/immunix.h#L25

Sorry I didn't finish the reasoning here; I was afraid that with the
differing definitions and link_subset.c defining additional things that
relying on #ifndef protection could result in two different AA_MAY_*
permissions defined to the same value, which would probably break
things.

> One of the questions I have is that with rev 3081, the macro definitions
> become part of the library API, which means that it gets harder to
> change them in the future. Are we sure we want that? (We don't have any
> releases out there with them visible in the header yet.)

-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20150625/7980902d/attachment.pgp>

More information about the AppArmor mailing list