[apparmor] [PATCH] tests: Fix exec_stack.sh errors under 4.8 and newer kernels

John Johansen john.johansen at canonical.com
Thu Sep 29 03:42:32 UTC 2016


On 09/28/2016 07:45 PM, Seth Arnold wrote:
> On Wed, Sep 28, 2016 at 09:05:09PM -0500, Tyler Hicks wrote:
>> https://launchpad.net/bugs/1628745
>>
>> The following upstream kernel commit changed the semantics of the exec
>> permission check in the 4.8 kernel:
>>
>>  commit 9f834ec18defc369d73ccf9e87a2790bfa05bf46
>>  Author: Linus Torvalds <torvalds at linux-foundation.org>
>>  Date: Mon Aug 22 16:41:46 2016 -0700
>>
>>      binfmt_elf: switch to new creds when switching to new mm
>>
>> That change means that the target profile of an exec transition must
>> have permission to map the binary being executed. This patch fixes
>> regression test failures while the exec_stack.sh test is running against
>> 4.8 and newer kernels by granting mapping permission to the target
>> profile.
>>
>> Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
> 
> This looks good as-is but I think we should also be alerted in the future
> if AppArmor fails to enforce this requirement. What would you think about
> duplicating these tests -- one with these changes, and then the originals
> but with the segmentation violation as the expected outcome? (Made ugly of
> course by this change being conditional on kernel versions... so not as
> simple as I described it, but I hope you get the idea.)
> 
Instead of a kernel version we could stick a flag in apparmorfs indicating
when a kernel has this change. That way it could be set for kernels that
get the fix that caused this backported.

I would however do that as a separate patch as we would need to add
the flag to the kernel first.

> Acked-by: Seth Arnold <seth.arnold at canonical.com>
Acked-by: John Johansen <john.johansen at canonical.com>

> 
> Thanks
> 
>> ---
>>  tests/regression/apparmor/exec_stack.sh | 8 ++++----
>>  1 file changed, 4 insertions(+), 4 deletions(-)
>>
>> diff --git a/tests/regression/apparmor/exec_stack.sh b/tests/regression/apparmor/exec_stack.sh
>> index 2423dea..069e658 100755
>> --- a/tests/regression/apparmor/exec_stack.sh
>> +++ b/tests/regression/apparmor/exec_stack.sh
>> @@ -66,7 +66,7 @@ runchecktest "EXEC_STACK (not stacked - bad mode)" fail -l "$test" -m complain
>>  
>>  # Verify file access and contexts by 2 stacked profiles
>>  genprofile -I $fileok $sharedok $getcon $test:"ix -> &$othertest" -- \
>> -	image=$othertest addimage:$test $otherok $sharedok $getcon $test:r
>> +	image=$othertest addimage:$test $otherok $sharedok $getcon $test:rm
>>  runchecktest_errno EACCES "EXEC_STACK (2 stacked - file)" fail -- $test -f $file
>>  runchecktest_errno EACCES "EXEC_STACK (2 stacked - otherfile)" fail -- $test -f $otherfile
>>  runchecktest_errno EACCES "EXEC_STACK (2 stacked - thirdfile)" fail -- $test -f $thirdfile
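Review bot: the `rm` added on the `image=$othertest` line grants the target profile mmap of `$test`, which is what the commit message calls for, but nothing in this hunk will notice if a kernel stops enforcing that check. Per Seth's suggestion above, it would be worth keeping a second `genprofile` with the original `$test:r` on the target and an expected failure on 4.8+ kernels, so a regression in the kernel-side check shows up as a test failure instead of a silent pass.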
>> @@ -79,7 +79,7 @@ runchecktest "EXEC_STACK (2 stacked - bad mode)" fail -- $test -l "${test}//&${t
>>  # Verify file access and contexts by 3 stacked profiles
>>  genprofile -I $fileok $sharedok $getcon $test:"ix -> &$othertest" -- \
>>  	image=$othertest addimage:$test $otherok $sharedok $getcon $test:"rix -> &$thirdtest" -- \
>> -	image=$thirdtest addimage:$test $thirdok $sharedok $getcon $test:r
>> +	image=$thirdtest addimage:$test $thirdok $sharedok $getcon $test:rm
>>  runchecktest_errno EACCES "EXEC_STACK (3 stacked - file)" fail -- $test -- $test -f $file
>>  runchecktest_errno EACCES "EXEC_STACK (3 stacked - otherfile)" fail -- $test -- $test -f $otherfile
>>  runchecktest_errno EACCES "EXEC_STACK (3 stacked - thirdfile)" fail -- $test -- $test -f $thirdfile
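Review bot: only the final `image=$thirdtest` profile gets `rm` here; the intermediate `image=$othertest` profile keeps `$test:"rix -> &$thirdtest"` with no explicit `m`. If the `ix` exec mode does not already cover mapping the binary for the intermediate stack, the first transition would hit the same 4.8 check that this patch is fixing. A one-line comment in the test stating why the intermediate profiles need no `m` (or adding it for symmetry with the final target) would save the next reader working this out.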
>> @@ -89,7 +89,7 @@ runchecktest "EXEC_STACK (3 stacked - okcon)" pass -- $test -- $test -l "${third
>>  
>>  genprofile -I $sharedok $stackotherok $stackthirdok $test:"rix -> &$othertest" -- \
>>  	image=$othertest addimage:$test $sharedok $stackthirdok $test:"rix -> &$thirdtest" -- \
>> -	image=$thirdtest addimage:$test $sharedok $stackthirdok $test:r
>> +	image=$thirdtest addimage:$test $sharedok $stackthirdok $test:rm
>>  # Triggered an AppArmor WARN in the initial stacking patch set
>>  runchecktest "EXEC_STACK (3 stacked - old AA WARN)" pass -p $othertest -- $test -p $thirdtest -f $sharedfile
>>  
>> @@ -120,7 +120,7 @@ runchecktest "EXEC_STACK (stacked with namespaced profile - okcon)" pass -- $tes
>>  
>>  # Verify file access and contexts in mixed mode
>>  genprofile -I $fileok $sharedok $getcon $test:"ix -> &$othertest" -- \
>> -	image=$othertest flag:complain addimage:$test $otherok $sharedok $getcon $test:r
>> +	image=$othertest flag:complain addimage:$test $otherok $sharedok $getcon $test:rm
>>  runchecktest "EXEC_STACK (mixed mode - file)" pass -- $test -f $file
>>  runchecktest_errno EACCES "EXEC_STACK (mixed mode - otherfile)" fail -- $test -f $otherfile
>>  runchecktest "EXEC_STACK (mixed mode - sharedfile)" pass -- $test -f $sharedfile
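Review bot: in this hunk the profile receiving `rm` is `flag:complain`, so a missing `m` on `$test` should be logged as allowed rather than denied, and the change here affects the audit output, not the pass/fail result of the three `runchecktest` lines that follow. A short comment saying the `rm` is for consistency with the enforcing cases (and to keep the log clean) would stop a later reader from treating it as load-bearing.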
>> -- 
>> 2.7.4
>>
>>
>> -- 
>> AppArmor mailing list
>> AppArmor at lists.ubuntu.com
>> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
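As an added illustration (not code from the exec_stack.sh patch or the AppArmor test suite), here is how the kernel-version gating Seth describes could be written in POSIX sh: a numeric version compare over `uname -r`, and a helper that returns the expected outcome for the original `$test:r`-only target profile. The function names `version_ge` and `r_only_target_expected` are made up for this example. John's caveat applies as stated: a version check cannot see a distro kernel that backported the change, which is why a flag in apparmorfs would be the robust signal.

```shell
#!/bin/sh
# Added illustration, not code from the exec_stack.sh patch or the AppArmor
# test suite.  Function names here are made up for the example.
#
# The thread discusses keeping the original "$test:r"-only target profile as a
# second test whose expected outcome flips once the kernel carries the
# binfmt_elf commit quoted above (4.8 and newer): on such kernels the target
# profile must hold 'm' on the binary, so the r-only variant is expected to
# fail.  This gates that expectation on the running kernel version.
#
# Caveat raised in the thread: a version test cannot see a distro kernel that
# backported the change; a flag in apparmorfs would be the robust signal.

# version_ge A B: succeed if kernel version string A is >= B.
# Accepts "4.8.0-22-generic" style strings; everything from the first
# character that is not a digit or a dot is ignored.  Components are compared
# numerically so 4.10 sorts after 4.8 (a plain string compare gets that wrong).
version_ge() {
    a=${1%%[!0-9.]*}
    b=${2%%[!0-9.]*}
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=${a%%.*}; fb=${b%%.*}
        a=${a#"$fa"}; a=${a#.}
        b=${b#"$fb"}; b=${b#.}
        if [ "${fa:-0}" -gt "${fb:-0}" ]; then return 0; fi
        if [ "${fa:-0}" -lt "${fb:-0}" ]; then return 1; fi
    done
    return 0
}

# r_only_target_expected KVER: expected runchecktest outcome for a stacked exec
# whose target profile has only "$test:r" (no 'm'), when run on kernel KVER.
r_only_target_expected() {
    if version_ge "$1" 4.8; then
        echo fail
    else
        echo pass
    fi
}

# Usage: pick the expectation for the machine running the suite.
echo "kernel $(uname -r): r-only target expected to $(r_only_target_expected "$(uname -r)")"
```

The compare strips the distro suffix before splitting on dots, so `4.8.0-22-generic` and `4.10.0-rc1` are both handled, and the missing third component in `4.8` is treated as zero.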