[apparmor] query_label regression test failures
John Johansen
john.johansen at canonical.com
Mon Jun 29 07:18:42 UTC 2015
On 06/25/2015 03:30 PM, Tyler Hicks wrote:
> On 2015-06-25 13:55:47, Tyler Hicks wrote:
>> On 2015-06-25 01:21:39, Steve Beattie wrote:
>>> Hi,
>>>
>>> When running the apparmor regression tests on wily with the trunk of
>>> the userspace tools, I'm getting the following two failures in the
>>> query_label test:
>>>
>>> Error: query_label failed. Test 'QUERY file (all base perms #1)' was expected to 'pass'. Reason for failure 'FAIL: the access should not be allowed and should be audited'
>>> Error: query_label failed. Test 'QUERY file (all base perms #2)' was expected to 'pass'. Reason for failure 'FAIL: the access should not be allowed and should be audited'
>>
>> Note that the test passes when we run them against the wily apparmor
>> userspace (2.9.2-0ubuntu1). Seems to be something broken specifically in
>> trunk.
>
> The tests start failing after r3081:
>
> http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/3081
>
> That patch defined values for AA_MAY_* perms, in apparmor.h, related to
> file operations:
>
> http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/view/head:/libraries/libapparmor/include/sys/apparmor.h#L34
>
> The query_label.c binary already defined many of the macros:
>
> http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/view/head:/tests/regression/apparmor/query_label.c#L22
>
> The problem is that the new macros in apparmor.h do not match the old
> macros in query_label.c. Which ones are correct? I assume that the
> apparmor.h ones are correct but would like confirmation before I go
> modify the query_label.c test program.
>
Correct. And they are both correct just different versions of how the
permissions are mapped.
What is in the test and pre r3081 is the old permission mapping used
in the dfa. It has a limited set of bits which are fully allocated.
Basically there are 2 32 bit masks. Sliced into 4 14 bit fields and
4 global bits.
The bits encode the permissions, auditing, quite, exec index, ...
Internally in the kernel these are converted into a newer flatter
mapping, and what is being exposed here.
The tests needs some reworking, I will see what I can do
More information about the AppArmor
mailing list