On Tue, Oct 04, 2016 at 04:31:30PM -0700, John Johansen wrote: > exec_stack picked up a fix to address a semantic change introduced in > 4.8 kernels. However this breaks the exec_stack test for kernel pre > 4.8. This patch uses an apparmor kernel flag to detect whether the > semantic change is present and adjusts the test accordingly.
Acked-by: Seth Arnold <[email protected]> Thanks
> ---
>
> === modified file 'tests/regression/apparmor/exec_stack.sh'
> --- tests/regression/apparmor/exec_stack.sh 2016-09-29 04:11:29 +0000
> +++ tests/regression/apparmor/exec_stack.sh 2016-10-04 21:15:48 +0000
> @@ -43,6 +43,12 @@
>
> touch $file $otherfile $sharedfile $thirdfile
>
> +if [ "$(kernel_features domain/fix_binfmt_elf_mmap)" == "true" ]; then
> + elfmmap="m"
> +else
> + elfmmap=""
> +fi
> +
> # Verify file access and contexts by an unconfined process
> runchecktest "EXEC_STACK (unconfined - file)" pass -f $file
> runchecktest "EXEC_STACK (unconfined - otherfile)" pass -f $otherfile
> @@ -66,7 +72,7 @@
>
> # Verify file access and contexts by 2 stacked profiles
> genprofile -I $fileok $sharedok $getcon $test:"ix -> &$othertest" -- \
> - image=$othertest addimage:$test $otherok $sharedok $getcon $test:rm
> + image=$othertest addimage:$test $otherok $sharedok $getcon > $test:r$elfmmap
> runchecktest_errno EACCES "EXEC_STACK (2 stacked - file)" fail -- $test -f > $file
> runchecktest_errno EACCES "EXEC_STACK (2 stacked - otherfile)" fail -- $test > -f $otherfile
> runchecktest_errno EACCES "EXEC_STACK (2 stacked - thirdfile)" fail -- $test > -f $thirdfile
> @@ -79,7 +85,7 @@
> # Verify file access and contexts by 3 stacked profiles
> genprofile -I $fileok $sharedok $getcon $test:"ix -> &$othertest" -- \
> image=$othertest addimage:$test $otherok $sharedok $getcon $test:"rix > -> &$thirdtest" -- \
> - image=$thirdtest addimage:$test $thirdok $sharedok $getcon $test:rm
> + image=$thirdtest addimage:$test $thirdok $sharedok $getcon > $test:r$elfmmap
> runchecktest_errno EACCES "EXEC_STACK (3 stacked - file)" fail -- $test -- > $test -f $file
> runchecktest_errno EACCES "EXEC_STACK (3 stacked - otherfile)" fail -- $test > -- $test -f $otherfile
> runchecktest_errno EACCES "EXEC_STACK (3 stacked - thirdfile)" fail -- $test > -- $test -f $thirdfile
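Review bot: The added `if [ "$(kernel_features domain/fix_binfmt_elf_mmap)" == "true" ]` sends every result other than the literal string `true` down the `else` branch, so a probe that fails for an unrelated reason cannot be told apart from a pre-4.8 kernel, and the stacked profiles in the later hunks silently get `$test:r`. `kernel_features` is defined outside this hunk, so what it prints or returns on failure is an assumption here; if it returns a usable exit status, testing that is cleaner than comparing stdout. Independently, `==` inside `[ ]` is a bash extension (the script's shebang is outside the hunk); the portable form is `if [ "$(kernel_features domain/fix_binfmt_elf_mmap)" = "true" ]; then`. A one-line comment above the block, such as `# kernels advertising domain/fix_binfmt_elf_mmap (4.8 semantic change) need "m" on $test; older kernels get plain "r"`, would record why the granted permission varies.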
> @@ -89,7 +95,7 @@
>
> genprofile -I $sharedok $stackotherok $stackthirdok $test:"rix -> > &$othertest" -- \
> image=$othertest addimage:$test $sharedok $stackthirdok $test:"rix -> > &$thirdtest" -- \
> - image=$thirdtest addimage:$test $sharedok $stackthirdok $test:rm
> + image=$thirdtest addimage:$test $sharedok $stackthirdok $test:r$elfmmap
> # Triggered an AppArmor WARN in the initial stacking patch set
> runchecktest "EXEC_STACK (3 stacked - old AA WARN)" pass -p $othertest -- > $test -p $thirdtest -f $sharedfile
>
> @@ -120,7 +126,7 @@
>
> # Verify file access and contexts in mixed mode
> genprofile -I $fileok $sharedok $getcon $test:"ix -> &$othertest" -- \
> - image=$othertest flag:complain addimage:$test $otherok $sharedok > $getcon $test:rm
> + image=$othertest flag:complain addimage:$test $otherok $sharedok > $getcon $test:r$elfmmap
> runchecktest "EXEC_STACK (mixed mode - file)" pass -- $test -f $file
> runchecktest_errno EACCES "EXEC_STACK (mixed mode - otherfile)" fail -- > $test -f $otherfile
> runchecktest "EXEC_STACK (mixed mode - sharedfile)" pass -- $test -f > $sharedfile
>
