** Description changed: [ Impact ] The parser did not handle the norelatime mount flag correctly, essentially treating its addition to a list of mount flags as a no-op. A test should also be included to ensure that the behavior is fixed and not broken again. [ Test Plan ] This bug is caught by an addition to AppArmor's regression test suite, which is also invoked via its QRT test suite via - `ApparmorTestsuites.test_regression_testsuite`. Unfortunately, the - regression testsuite itself has no way of printing the full list of - tests it successfully executed. + `ApparmorTestsuites.test_regression_testsuite`. - * To prepare the QRT test suite (can be done on any machine): - - `git clone https://git.launchpad.net/qa-regression-testing` - - `./scripts/make-test-tarball ./scripts/test-apparmor.py` - * To run the QRT test suite: - - Copy the tarball onto the machine with the new AppArmor installed and extract it - - `sudo ./install-packages test-apparmor.py` - - Reboot the machine - - `sudo ./test-apparmor.py -v` + * To prepare the QRT test suite (can be done on any machine): + - `git clone https://git.launchpad.net/qa-regression-testing` + - `./scripts/make-test-tarball ./scripts/test-apparmor.py` + * To run the QRT test suite: + - Copy the tarball onto the machine with the new AppArmor installed and extract it + - `sudo ./install-packages test-apparmor.py` + - Reboot the machine + - `sudo ./test-apparmor.py -v` + + Unfortunately, the regression testsuite itself has no way of printing + the full list of tests it successfully executed. Below are instructions + for running the regression test suite by hand, including the modified + mount test: + + * `apt-get source apparmor` + * Verify that the downloaded version is 4.1.0~beta5-0ubuntu14.1 or greater + * Verify that patch debian/patches/ubuntu/regression-verify-documented-mount-flag-behavior.patch was applied upon download + * cd [source]/tests/regression/apparmor + * Ensure that all the parent directories of the regression test folder are world-readable and world-executable, and 'chmod o+rx' any that are not + * make -j[num] + * If running the whole regression testsuite, the `make` command might print out warnings about skipped tests due to missing packages. Install any packages that it says are missing + * If running the whole regression testsuite, 'sudo make tests' + * If running just the mount tests, 'sudo bash mount.sh' and manually 'echo $?' afterwards to check that it exited with a status of 0 [ Where problems could occur ] This parser fix changes the behavior of mount rules that explicitly specify the norelatime flag. In particular, a custom profile containing `mount options in (norelatime)` will have different, more permissive behavior than before (reducing regression risk as compared to tightening behavior). However, this flag is not used in any of the commonly used profiles (including the ones in our repo and the profile fragments used by snapd), so this will not change the behavior of existing packaged profiles being used. [ Other Info ] This bug was originally reported at https://gitlab.com/apparmor/apparmor/-/merge_requests/1679.
-- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2110688 Title: apparmor parser incorrectly treats norelatime mount flag as a no-op To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2110688/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
