Re: [lxc-devel] Question: Some confusion about lxc-test-apparmor #2206
Does it mean that I should disable the files listed in files_to_deny[] when using lxc-test-apparmor? On 2018年03月07日 16:57, Hongzhi, Song wrote: I have some confusion about the source code of lxc-test-apparmor, defined in 'lxc/src/tests/aa.c'. The output of lxc-test-apparmor: |passed with /sys/kernel/uevent_helper passed with /proc/sys/fs/file-nr failed - opened /sys/kernel/mm/ksm/pages_to_scan | Output of ls -l /sys/kernel/uevent_helper and ls -l /sys/kernel/mm/ksm/pages_to_scan: |root@intel-x86-64:# ls -l /sys/kernel/uevent_helper ls: cannot access '/sys/kernel/uevent_helper': No such file or directory root@intel-x86-64:# ls -l /sys/kernel/mm/ksm/pages_to_scan -rw-r--r-- 1 root root 4096 Mar 6 19:17 /sys/kernel/mm/ksm/pages_to_scan | Issue description: As shown above, /sys/kernel/mm/ksm/pages_to_scan exists and can be opened, yet the message reports "failed - opened" for it. I refer to the source code lxc/src/tests/aa.c, branch master. |108 char *files_to_deny[] = { 109 "/sys/kernel/uevent_helper", 110 "/proc/sys/fs/file-nr", 111 "/sys/kernel/mm/ksm/pages_to_scan", 112 "/proc/sys/kernel/sysrq", 113 NULL }; | |115 static bool test_aa_policy(struct lxc_container *c) 116 { 117 int i, ret; 118 119 for (i = 0; files_to_deny[i]; i++) { 120 ret = do_test_file_open(c, files_to_deny[i]); 121 if (ret < 0) { 122 fprintf(stderr, "attach failed; skipping test\n"); 123 return true; 124 } 125 if (ret > 0) { 126 fprintf(stderr, "failed - opened %s\n", 127 files_to_deny[i]); 128 return false; 129 } 130 fprintf(stderr, "passed with %s\n", files_to_deny[i]); 131 } .. 
| |63 static int do_test_file_open(struct lxc_container *c, char *fnam) 64 { 65 int fret = -1; 66 int ret; 67 pid_t pid; 68 int pipefd[2]; 69 char result[1024]; 70 lxc_attach_options_t attach_options = LXC_ATTACH_OPTIONS_DEFAULT; 71 72 ret = pipe(pipefd); 73 if (ret < 0) { 74 fprintf(stderr, "pipe failed %d\n", ret); 75 return fret; 76 } 77 attach_options.stdout_fd = pipefd[1]; 78 attach_options.attach_flags &= ~(LXC_ATTACH_LSM_EXEC|LXC_ATTACH_DROP_CAPABILITIES); 79 attach_options.attach_flags |= LXC_ATTACH_LSM_NOW; 80 ret = c->attach(c, test_attach_write_file, fnam, &attach_options, &pid); .. 85 86 ret = read(pipefd[0], result, sizeof(result)-1); 87 if (ret < 0) { 88 fprintf(stderr, "read failed %d\n", ret); 89 goto err2; 90 } 91 92 fret = 1; 93 if (strncmp(result, "no", 2) == 0) 94 fret = 0; .. 101 return fret; 102 } | |41 static int test_attach_write_file(void* payload) 42 { 43 char *fnam = payload; 44 FILE *f; 45 46 f = fopen(fnam, "w"); 47 if (f) { 48 printf("yes\n"); 49 fclose(f); 50 fflush(NULL); 51 return 1; 52 } 53 printf("no\n"); 54 fflush(NULL); 55 return 0; 56 } | Lines 46-48: if a file listed in files_to_deny[] (line 108) is opened for writing successfully, 'yes' is printed into pipefd[1]. Line 86: pipefd[0] then reads back 'yes'. Lines 92-101: if the result is 'yes', do_test_file_open() returns 1. Lines 125-128: if do_test_file_open() returns 1, test_aa_policy() prints "failed - opened %s". In other words, "failed" here means the test failed because the attached process was able to open the file for writing inside the container — which is exactly what the AppArmor policy under test (files_to_deny) is expected to deny — not that the open itself failed. Note also the converse: any fopen() failure prints 'no' and is counted as "passed", so a path that simply does not exist on this kernel (as the ls output shows for /sys/kernel/uevent_helper) passes trivially; the test does not distinguish a denied open (EACCES) from a missing file (ENOENT). So can anyone tell me why files listed in files_to_deny[] exist but print "failed"? Thanks. ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
[lxc-devel] Question: Some confusion about lxc-test-apparmor #2206
I have some confusion about the source code of lxc-test-apparmor, defined in 'lxc/src/tests/aa.c'. The output of lxc-test-apparmor: |passed with /sys/kernel/uevent_helper passed with /proc/sys/fs/file-nr failed - opened /sys/kernel/mm/ksm/pages_to_scan | Output of ls -l /sys/kernel/uevent_helper and ls -l /sys/kernel/mm/ksm/pages_to_scan: |root@intel-x86-64:# ls -l /sys/kernel/uevent_helper ls: cannot access '/sys/kernel/uevent_helper': No such file or directory root@intel-x86-64:# ls -l /sys/kernel/mm/ksm/pages_to_scan -rw-r--r-- 1 root root 4096 Mar 6 19:17 /sys/kernel/mm/ksm/pages_to_scan | Issue description: As shown above, /sys/kernel/mm/ksm/pages_to_scan exists and can be opened, yet the message reports "failed - opened" for it. I refer to the source code lxc/src/tests/aa.c, branch master. |108 char *files_to_deny[] = { 109 "/sys/kernel/uevent_helper", 110 "/proc/sys/fs/file-nr", 111 "/sys/kernel/mm/ksm/pages_to_scan", 112 "/proc/sys/kernel/sysrq", 113 NULL }; | |115 static bool test_aa_policy(struct lxc_container *c) 116 { 117 int i, ret; 118 119 for (i = 0; files_to_deny[i]; i++) { 120 ret = do_test_file_open(c, files_to_deny[i]); 121 if (ret < 0) { 122 fprintf(stderr, "attach failed; skipping test\n"); 123 return true; 124 } 125 if (ret > 0) { 126 fprintf(stderr, "failed - opened %s\n", 127 files_to_deny[i]); 128 return false; 129 } 130 fprintf(stderr, "passed with %s\n", files_to_deny[i]); 131 } .. 
| |63 static int do_test_file_open(struct lxc_container *c, char *fnam) 64 { 65 int fret = -1; 66 int ret; 67 pid_t pid; 68 int pipefd[2]; 69 char result[1024]; 70 lxc_attach_options_t attach_options = LXC_ATTACH_OPTIONS_DEFAULT; 71 72 ret = pipe(pipefd); 73 if (ret < 0) { 74 fprintf(stderr, "pipe failed %d\n", ret); 75 return fret; 76 } 77 attach_options.stdout_fd = pipefd[1]; 78 attach_options.attach_flags &= ~(LXC_ATTACH_LSM_EXEC|LXC_ATTACH_DROP_CAPABILITIES); 79 attach_options.attach_flags |= LXC_ATTACH_LSM_NOW; 80 ret = c->attach(c, test_attach_write_file, fnam, &attach_options, &pid); .. 85 86 ret = read(pipefd[0], result, sizeof(result)-1); 87 if (ret < 0) { 88 fprintf(stderr, "read failed %d\n", ret); 89 goto err2; 90 } 91 92 fret = 1; 93 if (strncmp(result, "no", 2) == 0) 94 fret = 0; .. 101 return fret; 102 } | |41 static int test_attach_write_file(void* payload) 42 { 43 char *fnam = payload; 44 FILE *f; 45 46 f = fopen(fnam, "w"); 47 if (f) { 48 printf("yes\n"); 49 fclose(f); 50 fflush(NULL); 51 return 1; 52 } 53 printf("no\n"); 54 fflush(NULL); 55 return 0; 56 } | Lines 46-48: if a file listed in files_to_deny[] (line 108) is opened for writing successfully, 'yes' is printed into pipefd[1]. Line 86: pipefd[0] then reads back 'yes'. Lines 92-101: if the result is 'yes', do_test_file_open() returns 1. Lines 125-128: if do_test_file_open() returns 1, test_aa_policy() prints "failed - opened %s". In other words, "failed" here means the test failed because the attached process was able to open the file for writing inside the container — which is exactly what the AppArmor policy under test (files_to_deny) is expected to deny — not that the open itself failed. Note also the converse: any fopen() failure prints 'no' and is counted as "passed", so a path that simply does not exist on this kernel (as the ls output shows for /sys/kernel/uevent_helper) passes trivially; the test does not distinguish a denied open (EACCES) from a missing file (ENOENT). So can anyone tell me why files listed in files_to_deny[] exist but print "failed"? Thanks. ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
Re: [lxc-devel] Question: Some confusion about lxc-test-apparmor #2206
I use the same lxc-test-apparmor on Ubuntu 16.04. Some of the files listed in files_to_deny[] also exist on the Ubuntu system, but there the results pass (which suggests the difference is whether the AppArmor policy is actually loaded and enforced for the container on each system, rather than whether the files exist). On 2018年03月07日 17:00, Hongzhi, Song wrote: Does it mean that I should disable the files listed in files_to_deny[] when using lxc-test-apparmor? On 2018年03月07日 16:57, Hongzhi, Song wrote: I have some confusion about the source code of lxc-test-apparmor, defined in 'lxc/src/tests/aa.c'. The output of lxc-test-apparmor: |passed with /sys/kernel/uevent_helper passed with /proc/sys/fs/file-nr failed - opened /sys/kernel/mm/ksm/pages_to_scan | Output of ls -l /sys/kernel/uevent_helper and ls -l /sys/kernel/mm/ksm/pages_to_scan: |root@intel-x86-64:# ls -l /sys/kernel/uevent_helper ls: cannot access '/sys/kernel/uevent_helper': No such file or directory root@intel-x86-64:# ls -l /sys/kernel/mm/ksm/pages_to_scan -rw-r--r-- 1 root root 4096 Mar 6 19:17 /sys/kernel/mm/ksm/pages_to_scan | Issue description: As shown above, /sys/kernel/mm/ksm/pages_to_scan exists and can be opened, yet the message reports "failed - opened" for it. I refer to the source code lxc/src/tests/aa.c, branch master. |108 char *files_to_deny[] = { 109 "/sys/kernel/uevent_helper", 110 "/proc/sys/fs/file-nr", 111 "/sys/kernel/mm/ksm/pages_to_scan", 112 "/proc/sys/kernel/sysrq", 113 NULL }; | |115 static bool test_aa_policy(struct lxc_container *c) 116 { 117 int i, ret; 118 119 for (i = 0; files_to_deny[i]; i++) { 120 ret = do_test_file_open(c, files_to_deny[i]); 121 if (ret < 0) { 122 fprintf(stderr, "attach failed; skipping test\n"); 123 return true; 124 } 125 if (ret > 0) { 126 fprintf(stderr, "failed - opened %s\n", 127 files_to_deny[i]); 128 return false; 129 } 130 fprintf(stderr, "passed with %s\n", files_to_deny[i]); 131 } .. 
| |63 static int do_test_file_open(struct lxc_container *c, char *fnam) 64 { 65 int fret = -1; 66 int ret; 67 pid_t pid; 68 int pipefd[2]; 69 char result[1024]; 70 lxc_attach_options_t attach_options = LXC_ATTACH_OPTIONS_DEFAULT; 71 72 ret = pipe(pipefd); 73 if (ret < 0) { 74 fprintf(stderr, "pipe failed %d\n", ret); 75 return fret; 76 } 77 attach_options.stdout_fd = pipefd[1]; 78 attach_options.attach_flags &= ~(LXC_ATTACH_LSM_EXEC|LXC_ATTACH_DROP_CAPABILITIES); 79 attach_options.attach_flags |= LXC_ATTACH_LSM_NOW; 80 ret = c->attach(c, test_attach_write_file, fnam, &attach_options, &pid); .. 85 86 ret = read(pipefd[0], result, sizeof(result)-1); 87 if (ret < 0) { 88 fprintf(stderr, "read failed %d\n", ret); 89 goto err2; 90 } 91 92 fret = 1; 93 if (strncmp(result, "no", 2) == 0) 94 fret = 0; .. 101 return fret; 102 } | |41 static int test_attach_write_file(void* payload) 42 { 43 char *fnam = payload; 44 FILE *f; 45 46 f = fopen(fnam, "w"); 47 if (f) { 48 printf("yes\n"); 49 fclose(f); 50 fflush(NULL); 51 return 1; 52 } 53 printf("no\n"); 54 fflush(NULL); 55 return 0; 56 } | Lines 46-48: if a file listed in files_to_deny[] (line 108) is opened for writing successfully, 'yes' is printed into pipefd[1]. Line 86: pipefd[0] then reads back 'yes'. Lines 92-101: if the result is 'yes', do_test_file_open() returns 1. Lines 125-128: if do_test_file_open() returns 1, test_aa_policy() prints "failed - opened %s". In other words, "failed" here means the test failed because the attached process was able to open the file for writing inside the container — which is exactly what the AppArmor policy under test (files_to_deny) is expected to deny — not that the open itself failed. Note also the converse: any fopen() failure prints 'no' and is counted as "passed", so a path that simply does not exist on this kernel (as the ls output shows for /sys/kernel/uevent_helper) passes trivially; the test does not distinguish a denied open (EACCES) from a missing file (ENOENT). So can anyone tell me why files listed in files_to_deny[] exist but print "failed"? Thanks. ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel