[apparmor] [PATCH] tests: Fix exec_stack.sh errors under 4.8 and newer kernels

Seth Arnold seth.arnold at canonical.com
Thu Sep 29 02:45:35 UTC 2016


On Wed, Sep 28, 2016 at 09:05:09PM -0500, Tyler Hicks wrote:
> https://launchpad.net/bugs/1628745
> 
> The following upstream kernel commit changed the semantics of the exec
> permission check in the 4.8 kernel:
> 
>  commit 9f834ec18defc369d73ccf9e87a2790bfa05bf46
>  Author: Linus Torvalds <torvalds at linux-foundation.org>
>  Date: Mon Aug 22 16:41:46 2016 -0700
> 
>      binfmt_elf: switch to new creds when switching to new mm
> 
> That change means that the target profile of an exec transition must
> have permission to map the binary being executed. This patch fixes
> regression test failures while the exec_stack.sh test is running against
> 4.8 and newer kernels by granting mapping permission to the target
> profile.
> 
> Signed-off-by: Tyler Hicks <tyhicks at canonical.com>

This looks good as-is but I think we should also be alerted in the future
if AppArmor fails to enforce this requirement. What would you think about
duplicating these tests -- one with these changes, and then the originals
but with the segmentation violation as the expected outcome? (Made ugly of
course by this change being conditional on kernel versions... so not as
simple as I described it, but I hope you get the idea.)

Acked-by: Seth Arnold <seth.arnold at canonical.com>

Thanks

> ---
>  tests/regression/apparmor/exec_stack.sh | 8 ++++----
>  1 file changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/tests/regression/apparmor/exec_stack.sh b/tests/regression/apparmor/exec_stack.sh
> index 2423dea..069e658 100755
> --- a/tests/regression/apparmor/exec_stack.sh
> +++ b/tests/regression/apparmor/exec_stack.sh
> @@ -66,7 +66,7 @@ runchecktest "EXEC_STACK (not stacked - bad mode)" fail -l "$test" -m complain
>  
>  # Verify file access and contexts by 2 stacked profiles
>  genprofile -I $fileok $sharedok $getcon $test:"ix -> &$othertest" -- \
> -	image=$othertest addimage:$test $otherok $sharedok $getcon $test:r
> +	image=$othertest addimage:$test $otherok $sharedok $getcon $test:rm
>  runchecktest_errno EACCES "EXEC_STACK (2 stacked - file)" fail -- $test -f $file
>  runchecktest_errno EACCES "EXEC_STACK (2 stacked - otherfile)" fail -- $test -f $otherfile
>  runchecktest_errno EACCES "EXEC_STACK (2 stacked - thirdfile)" fail -- $test -f $thirdfile
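Review bot: nothing in this hunk records why the target profile `$othertest` now needs `m` on `$test`; a one-line comment above the `genprofile` call (e.g. "kernels >= 4.8 check the target profile's mmap permission on the binary being exec'd, see 9f834ec18def") would stop a later cleanup from "simplifying" `$test:rm` back to `$test:r`, which would only show up as a segfault on newer kernels.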
> @@ -79,7 +79,7 @@ runchecktest "EXEC_STACK (2 stacked - bad mode)" fail -- $test -l "${test}//&${t
>  # Verify file access and contexts by 3 stacked profiles
>  genprofile -I $fileok $sharedok $getcon $test:"ix -> &$othertest" -- \
>  	image=$othertest addimage:$test $otherok $sharedok $getcon $test:"rix -> &$thirdtest" -- \
> -	image=$thirdtest addimage:$test $thirdok $sharedok $getcon $test:r
> +	image=$thirdtest addimage:$test $thirdok $sharedok $getcon $test:rm
>  runchecktest_errno EACCES "EXEC_STACK (3 stacked - file)" fail -- $test -- $test -f $file
>  runchecktest_errno EACCES "EXEC_STACK (3 stacked - otherfile)" fail -- $test -- $test -f $otherfile
>  runchecktest_errno EACCES "EXEC_STACK (3 stacked - thirdfile)" fail -- $test -- $test -f $thirdfile
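Review bot: only the innermost profile (`$thirdtest`) gains `m` here, while the intermediate `$othertest` keeps `$test:"rix -> &$thirdtest"` with no explicit `m`, even though it is also part of the target label of the second exec. If the three-stack tests pass with just this change, that relies on the exec rule already carrying mmap permission for the stacked label; that assumption is worth stating in a comment next to the rule, or making explicit in the rule itself, so the test does not silently depend on it.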
> @@ -89,7 +89,7 @@ runchecktest "EXEC_STACK (3 stacked - okcon)" pass -- $test -- $test -l "${third
>  
>  genprofile -I $sharedok $stackotherok $stackthirdok $test:"rix -> &$othertest" -- \
>  	image=$othertest addimage:$test $sharedok $stackthirdok $test:"rix -> &$thirdtest" -- \
> -	image=$thirdtest addimage:$test $sharedok $stackthirdok $test:r
> +	image=$thirdtest addimage:$test $sharedok $stackthirdok $test:rm
>  # Triggered an AppArmor WARN in the initial stacking patch set
>  runchecktest "EXEC_STACK (3 stacked - old AA WARN)" pass -p $othertest -- $test -p $thirdtest -f $sharedfile
>  
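Review bot: the only comment near this hunk ("Triggered an AppArmor WARN in the initial stacking patch set") documents a different regression, so a reader will not know which history the `rm` belongs to. Since the two outer profiles use `rix ->` on `$test` and only the innermost uses `rm`, a short note that the innermost profile never re-executes `$test` and therefore only needs read plus mmap would make the asymmetry look deliberate rather than accidental.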
> @@ -120,7 +120,7 @@ runchecktest "EXEC_STACK (stacked with namespaced profile - okcon)" pass -- $tes
>  
>  # Verify file access and contexts in mixed mode
>  genprofile -I $fileok $sharedok $getcon $test:"ix -> &$othertest" -- \
> -	image=$othertest flag:complain addimage:$test $otherok $sharedok $getcon $test:r
> +	image=$othertest flag:complain addimage:$test $otherok $sharedok $getcon $test:rm
>  runchecktest "EXEC_STACK (mixed mode - file)" pass -- $test -f $file
>  runchecktest_errno EACCES "EXEC_STACK (mixed mode - otherfile)" fail -- $test -f $otherfile
>  runchecktest "EXEC_STACK (mixed mode - sharedfile)" pass -- $test -f $sharedfile
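Review bot: `$othertest` carries `flag:complain` in this hunk, so a missing `m` on `$test` should be logged as ALLOWED rather than denied and would not by itself make the exec fail; this change therefore looks like log-noise consistency with the enforcing cases rather than a fix for an observed failure. If it was actually observed failing on 4.8, the commit message should say so, since that would point at a problem in how mixed-mode stacks are checked rather than at the profile.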
> -- 
> 2.7.4
> 
> 
> -- 
> AppArmor mailing list
> AppArmor at lists.ubuntu.com
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
> 
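An added example, not from the patch, the AppArmor test suite or either poster: a POSIX shell helper showing how the kernel-version conditional described in the reply above could be expressed, so that a copy of the original `$test:r` profiles can expect `fail` (the segmentation violation) on 4.8 and newer kernels and `pass` on older ones. The function names `kver_ge`, `target_needs_mmap` and `expected_without_m` are assumptions for illustration and do not exist in the regression suite.

```shell
#!/bin/sh
# Added example; not part of the AppArmor regression test suite.
# Helpers for making an exec_stack expectation conditional on whether the
# running kernel checks the target profile's mmap permission on the binary
# being executed (Linux 4.8 and newer, per commit 9f834ec18def).
# All function names here are assumptions made for this illustration.

# kver_ge A B: return 0 if kernel version string A is >= B, 1 otherwise.
# Distribution suffixes such as "-45-generic" or "-rc1" are ignored and
# only the first three numeric components are compared.
kver_ge() {
    a=$(printf '%s' "$1" | sed 's/[-+].*//').0.0
    b=$(printf '%s' "$2" | sed 's/[-+].*//').0.0
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# target_needs_mmap [KVER]: true when the target profile of an
# "ix -> &other" transition must also grant 'm' on the executed binary.
# Defaults to the running kernel when no version is given.
target_needs_mmap() {
    kver_ge "${1:-$(uname -r)}" 4.8
}

# expected_without_m [KVER]: the runchecktest expectation for a copy of the
# original profiles where the target profile only has "$test:r" (no 'm'):
# the exec is denied (the binary dies with SIGSEGV) on 4.8+, succeeds before.
expected_without_m() {
    if target_needs_mmap "$1"; then
        echo fail
    else
        echo pass
    fi
}

# Usage sketch: pick the expectation once, then run the unchanged profile.
#   expected=$(expected_without_m)
#   genprofile -I $fileok $sharedok $getcon $test:"ix -> &$othertest" -- \
#       image=$othertest addimage:$test $otherok $sharedok $getcon $test:r
#   runchecktest "EXEC_STACK (2 stacked - no m on target)" "$expected" -- $test -f $file
```

The version comparison deliberately drops everything after the first `-` or `+` so that distribution and release-candidate suffixes do not end up in an arithmetic test; anything more exotic than `MAJOR.MINOR.PATCH` would need a different parser.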