The capabilities tests where failing in the changehat_wrapper test. This was because they could not the changehat_wrapper sub executable, which trying to exec a binary in the tmpdir.
Specifically if the test was for syscall_ptrace. It would generate a profile with a hat for ^syscall_ptrace and attempt to execute ./syscall_ptrace. However this was failing in some situations, including when trying to debug from the tmpdir, as the syscall_XXX binary is no longer local. Instead use the fully qualified path for the hat name, and the exec path. Signed-off-by: John Johansen <[email protected]> --- tests/regression/apparmor/capabilities.sh | 8 ++++---- tests/regression/apparmor/changehat_wrapper.c | 6 +++--- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/tests/regression/apparmor/capabilities.sh b/tests/regression/apparmor/capabilities.sh index f682481..50feacc 100644 --- a/tests/regression/apparmor/capabilities.sh +++ b/tests/regression/apparmor/capabilities.sh @@ -109,16 +109,16 @@ for TEST in ${TESTS} ; do # okay, now check to see if the capability functions from within # a subprofile. settest ${testwrapper} - genprofile hat:${TEST} addimage:${bin}/${TEST} ${my_entries} - runchecktest "${TEST} changehat -- no caps" fail ${TEST} ${my_arg} + genprofile hat:$bin/${TEST} addimage:${bin}/${TEST} ${my_entries} + runchecktest "${TEST} changehat -- no caps" fail $bin/${TEST} ${my_arg} for cap in ${CAPABILITIES} ; do if [ "X$(eval echo \${${TEST}_${cap}})" == "XTRUE" ] ; then expected_result=pass else expected_result=fail fi - genprofile hat:${TEST} addimage:${bin}/${TEST} cap:${cap} ${my_entries} - runchecktest "${TEST} changehat -- capability ${cap}" ${expected_result} ${TEST} ${my_arg} + genprofile hat:$bin/${TEST} addimage:${bin}/${TEST} cap:${cap} ${my_entries} + runchecktest "${TEST} changehat -- capability ${cap}" ${expected_result} $bin/${TEST} ${my_arg} done done diff --git a/tests/regression/apparmor/changehat_wrapper.c b/tests/regression/apparmor/changehat_wrapper.c index bb66633..63d506c 100644 --- a/tests/regression/apparmor/changehat_wrapper.c +++ b/tests/regression/apparmor/changehat_wrapper.c @@ -154,7 +154,7 @@ int main(int argc, char *argv[]) { perror ("FAIL: child malloc"); return -1; } - sprintf (pname, "./%s", argv[optind]); + sprintf (pname, "%s", argv[optind]); rc = !manual ? change_hat(argv[optind], magic_token) : manual_change_hat(argv[optind], manual_string); @@ -173,7 +173,7 @@ int main(int argc, char *argv[]) { perror("FAIL: pipe failed"); exit(1); } - + exit(execv(pname, &argv[optind])); } @@ -190,7 +190,7 @@ int main(int argc, char *argv[]) { if ((WEXITSTATUS(waitstatus) == 0) && strcmp("PASS\n", buf) == 0) { printf("PASS\n"); - } + } return WEXITSTATUS(waitstatus); } -- 1.7.9.1 -- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
