[apparmor] [PATCH] tests: Fix exec_stack.sh errors under 4.8 and newer kernels
Tyler Hicks
tyhicks at canonical.com
Thu Sep 29 02:05:09 UTC 2016
https://launchpad.net/bugs/1628745

The following upstream kernel commit changed the semantics of the exec
permission check in the 4.8 kernel:

  commit 9f834ec18defc369d73ccf9e87a2790bfa05bf46
  Author: Linus Torvalds <torvalds at linux-foundation.org>
  Date: Mon Aug 22 16:41:46 2016 -0700

      binfmt_elf: switch to new creds when switching to new mm

That change means that the target profile of an exec transition must
have permission to map the binary being executed. This patch fixes
regression test failures while the exec_stack.sh test is running against
4.8 and newer kernels by granting mapping permission to the target
profile.

Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
---
tests/regression/apparmor/exec_stack.sh | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/tests/regression/apparmor/exec_stack.sh b/tests/regression/apparmor/exec_stack.sh
index 2423dea..069e658 100755
--- a/tests/regression/apparmor/exec_stack.sh
+++ b/tests/regression/apparmor/exec_stack.sh
@@ -66,7 +66,7 @@ runchecktest "EXEC_STACK (not stacked - bad mode)" fail -l "$test" -m complain
# Verify file access and contexts by 2 stacked profiles
genprofile -I $fileok $sharedok $getcon $test:"ix -> &$othertest" -- \
- image=$othertest addimage:$test $otherok $sharedok $getcon $test:r
+ image=$othertest addimage:$test $otherok $sharedok $getcon $test:rm
runchecktest_errno EACCES "EXEC_STACK (2 stacked - file)" fail -- $test -f $file
runchecktest_errno EACCES "EXEC_STACK (2 stacked - otherfile)" fail -- $test -f $otherfile
runchecktest_errno EACCES "EXEC_STACK (2 stacked - thirdfile)" fail -- $test -f $thirdfile
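Review bot: The new `m` in `$test:rm` on the `image=$othertest` line is undocumented in the script: the only comment above it ("# Verify file access and contexts by 2 stacked profiles") says nothing about why mapping permission is granted. A later cleanup could drop the `m` as unneeded and bring back the failures on 4.8 and newer kernels. Suggest a short comment above the genprofile call stating that the profile being transitioned to must be allowed to map $test on those kernels, citing the kernel commit id given in the commit message.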
@@ -79,7 +79,7 @@ runchecktest "EXEC_STACK (2 stacked - bad mode)" fail -- $test -l "${test}//&${t
# Verify file access and contexts by 3 stacked profiles
genprofile -I $fileok $sharedok $getcon $test:"ix -> &$othertest" -- \
image=$othertest addimage:$test $otherok $sharedok $getcon $test:"rix -> &$thirdtest" -- \
- image=$thirdtest addimage:$test $thirdok $sharedok $getcon $test:r
+ image=$thirdtest addimage:$test $thirdok $sharedok $getcon $test:rm
runchecktest_errno EACCES "EXEC_STACK (3 stacked - file)" fail -- $test -- $test -f $file
runchecktest_errno EACCES "EXEC_STACK (3 stacked - otherfile)" fail -- $test -- $test -f $otherfile
runchecktest_errno EACCES "EXEC_STACK (3 stacked - thirdfile)" fail -- $test -- $test -f $thirdfile
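Review bot: Only the last profile (`image=$thirdtest`) gains `m` here; the middle profile keeps `$test:"rix -> &$thirdtest"` even though it is itself the target of the first profile's `ix -> &$othertest` transition. By the rule stated in the commit message, a transition target must be able to map the binary being executed, so either the middle rule needs `m` as well or its existing `rix` already covers the mapping. Please confirm which one applies and say so in the commit message or in a comment, so the asymmetry is not read as an oversight.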
@@ -89,7 +89,7 @@ runchecktest "EXEC_STACK (3 stacked - okcon)" pass -- $test -- $test -l "${third
genprofile -I $sharedok $stackotherok $stackthirdok $test:"rix -> &$othertest" -- \
image=$othertest addimage:$test $sharedok $stackthirdok $test:"rix -> &$thirdtest" -- \
- image=$thirdtest addimage:$test $sharedok $stackthirdok $test:r
+ image=$thirdtest addimage:$test $sharedok $stackthirdok $test:rm
# Triggered an AppArmor WARN in the initial stacking patch set
runchecktest "EXEC_STACK (3 stacked - old AA WARN)" pass -p $othertest -- $test -p $thirdtest -f $sharedfile
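Review bot: Style point on the `image=$thirdtest` line: `$test:rm` is now written out by hand here and in the three other hunks of this patch, while the neighbouring rules are passed through variables such as `$sharedok` and `$stackthirdok`. Defining the rule once next to those variables (for example a hypothetical `testmapok="$test:rm"`) and using it in all four genprofile calls would keep the call sites consistent and give a single place to document the kernel requirement.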
@@ -120,7 +120,7 @@ runchecktest "EXEC_STACK (stacked with namespaced profile - okcon)" pass -- $tes
# Verify file access and contexts in mixed mode
genprofile -I $fileok $sharedok $getcon $test:"ix -> &$othertest" -- \
- image=$othertest flag:complain addimage:$test $otherok $sharedok $getcon $test:r
+ image=$othertest flag:complain addimage:$test $otherok $sharedok $getcon $test:rm
runchecktest "EXEC_STACK (mixed mode - file)" pass -- $test -f $file
runchecktest_errno EACCES "EXEC_STACK (mixed mode - otherfile)" fail -- $test -f $otherfile
runchecktest "EXEC_STACK (mixed mode - sharedfile)" pass -- $test -f $sharedfile
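Review bot: The `image=$othertest` profile in this hunk carries `flag:complain`, so it is not clear that a missing `m` would have produced a denial in this case: the unchanged "mixed mode - file" check already expects pass although `$fileok` appears only in the first profile. If this case did fail on 4.8, the commit message should say so; if the change is for consistency with the enforce-mode hunks, a comment noting that would help the next reader.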
--
2.7.4