Okay, thanks to jj for providing kernels, I've now reproduced this in
zesty with his patch set applied.

It's failing in the 'confined/complain' tests. There's a bug in the
environ.c test that prevents the test harness from detecting/reporting
the failure correctly. When that's fixed, the output looks like:

ok: ENVIRON (elf): ux & regular env
ok: ENVIRON (elf): ux & sensitive env
ok: ENVIRON (elf): Ux & regular env
ok: ENVIRON (elf): Ux & sensitive env
ok: ENVIRON (elf): ix & regular env
ok: ENVIRON (elf): ix & sensitive env
ok: ENVIRON (elf): px & regular env
ok: ENVIRON (elf): px & sensitive env
ok: ENVIRON (elf): Px & regular env
ok: ENVIRON (elf): Px & sensitive env
ok: ENVIRON (elf): unconfined --> confined & regular env
ok: ENVIRON (elf): unconfined --> confined & sensitive env
Error: environ failed. Test 'ENVIRON (elf): confined/complain & regular env' was expected to 'pass'. Reason for failure 'FAIL: child failed'
Error: environ failed. Test 'ENVIRON (elf): confined/complain & sensitive env' was expected to 'pass'. Reason for failure 'FAIL: child failed'
ok: ENVIRON (shell script): ux & regular env
ok: ENVIRON (shell script): ux & sensitive env
ok: ENVIRON (shell script): Ux & regular env
ok: ENVIRON (shell script): Ux & sensitive env
ok: ENVIRON (shell script): px & regular env
ok: ENVIRON (shell script): px & sensitive env
ok: ENVIRON (shell script): Px & regular env
ok: ENVIRON (shell script): Px & sensitive env
ok: ENVIRON (shell script): ix & regular env
ok: ENVIRON (shell script): ix & sensitive env
ok: ENVIRON (shell script): unconfined --> confined & regular env
ok: ENVIRON (shell script): unconfined --> confined & sensitive env
Error: environ failed. Test 'ENVIRON (shell script): confined/complain & regular env' was expected to 'pass'. Reason for failure 'FAIL: child failed'
Error: environ failed. Test 'ENVIRON (shell script): confined/complain & sensitive env' was expected to 'pass'. Reason for failure 'FAIL: child failed'
ok: ENVIRON (elf): unconfined setuid helper
ok: ENVIRON (elf): unconfined setuid helper

Examining the individual test, the environ program is attempting to run
the env_check program while confined by a complain mode profile, but is
not permitted to do so. From strace output:

[pid 5706] execve("/home/ubuntu/tmp/apparmor-2.10.95/tests/regression/apparmor/env_check", ["/home/ubuntu/tmp/apparmor-2.10.9"..., "FOO=BAR"], [/* 24 vars */]) = -1 EACCES (Permission denied)

The apparmor audit message is correctly claiming that it's allowing it
(but isn't permitted by the loaded policy):

[ 1726.404464] audit: type=1400 audit(1485991672.366:348): apparmor="ALLOWED" operation="exec" profile="/home/ubuntu/tmp/apparmor-2.10.95/tests/regression/apparmor/environ" name="/home/ubuntu/tmp/apparmor-2.10.95/tests/regression/apparmor/env_check" pid=5700 comm="environ" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000 target="/home/ubuntu/tmp/apparmor-2.10.95/tests/regression/apparmor/environ//null-/home/ubuntu/tmp/apparmor-2.10.95/tests/regression/apparmor/env_check"

but that doesn't seem to be the case. So I think there's something wonky
in John's patch set.

John, can you take a look at what's going on?

** Changed in: apparmor (Ubuntu)
Assignee: (unassigned) => John Johansen (jjohansen)
https://bugs.launchpad.net/bugs/1661030
Title:
regession tests failing after stackprofile test is run
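
The mismatch described in the message above (audit says ALLOWED, the exec still fails with EACCES) can be checked for mechanically by correlating strace output with the audit log. The following is an added example, not part of the original message or of the AppArmor test suite; the sample lines are constructed on the model of the quoted output, and the function names are hypothetical.

```python
import re

# Constructed sample input modelled on the strace and audit lines quoted in
# the message; the paths and PIDs are illustrative, not from a real run.
STRACE = '''\
[pid 5706] execve("/tmp/aa/env_check", ["/tmp/aa/env_check", "FOO=BAR"], [/* 24 vars */]) = -1 EACCES (Permission denied)
[pid 5710] execve("/bin/true", ["/bin/true"], [/* 24 vars */]) = 0
'''
AUDIT = '''\
[ 1726.404464] audit: type=1400 audit(1485991672.366:348): apparmor="ALLOWED" operation="exec" profile="/tmp/aa/environ" name="/tmp/aa/env_check" pid=5700 comm="environ" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000
[ 1726.500000] audit: type=1400 audit(1485991672.400:349): apparmor="DENIED" operation="exec" profile="/tmp/aa/other" name="/tmp/aa/blocked" pid=5800 comm="other" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000
'''

# execve("<path>", ...) = <ret> [<ERRNO>]
EXECVE_RE = re.compile(r'execve\("([^"]+)".*\)\s*=\s*(-?\d+)(?:\s+(\w+))?')
# key=value or key="value" pairs in an audit record
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit(line):
    """Return the key=value fields of one AppArmor audit line as a dict."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def failed_execs(strace_text):
    """Map exec path -> errno name for every execve that returned -1."""
    out = {}
    for m in EXECVE_RE.finditer(strace_text):
        path, ret, err = m.groups()
        if ret == "-1":
            out[path] = err
    return out


def complain_mode_mismatches(strace_text, audit_text):
    """Execs the audit log reports as ALLOWED that actually failed with EACCES."""
    failures = failed_execs(strace_text)
    hits = []
    for line in audit_text.splitlines():
        f = parse_audit(line)
        if (f.get("apparmor") == "ALLOWED" and f.get("operation") == "exec"
                and failures.get(f.get("name")) == "EACCES"):
            hits.append((f["profile"], f["name"], f.get("denied_mask")))
    return hits


if __name__ == "__main__":
    for profile, name, mask in complain_mode_mismatches(STRACE, AUDIT):
        print(f"ALLOWED in audit but EACCES at exec: profile={profile} name={name} mask={mask}")
```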