Change in kernel exec transition behavior causes regression tests to fail
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
AppArmor |
Fix Released
|
Low
|
Tyler Hicks | ||
apparmor (Ubuntu) |
Fix Released
|
Low
|
Tyler Hicks | ||
Xenial |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
[Impact]
* The exec_stack.sh regression test fails due to a behavior change in 4.8 kernels from this patch:
commit 9f834ec18defc36
Author: Linus Torvalds <email address hidden>
Date: Mon Aug 22 16:41:46 2016 -0700
binfmt_elf: switch to new creds when switching to new mm
* Adjusting the regression tests appropriately allows the kernel and security teams to use QRT's test-apparmor.py to test kernel and userspace AppArmor changes with confidence
[Test Case]
$ apt-get source apparmor # make sure this fetches the new apparmor source
$ sudo apt-get install libapparmor-dev
$ cd tests/regressio
$ make USE_SYSTEM=1
$ sudo bash exec_stack.sh
running exec_stack
/tmp/testlibRpZ
Error: transition failed. Test 'EXEC_STACK (2 stacked - file)' was expected to 'fail'. Reason for failure expect errno 13 != 139
/tmp/testlibRpZ
Error: transition failed. Test 'EXEC_STACK (2 stacked - otherfile)' was expected to 'fail'. Reason for failure expect errno 13 != 139
/tmp/testlibRpZ
Error: transition failed. Test 'EXEC_STACK (2 stacked - thirdfile)' was expected to 'fail'. Reason for failure expect errno 13 != 139
/tmp/testlibRpZ
Error: transition failed. Test 'EXEC_STACK (2 stacked - sharedfile)' was expected to 'pass'. Reason for failure 'killed by signal 11'
/tmp/testlibRpZ
Error: transition failed. Test 'EXEC_STACK (2 stacked - okcon)' was expected to 'pass'. Reason for failure 'killed by signal 11'
/tmp/testlibRpZ
Error: transition failed. Test 'EXEC_STACK (2 stacked - bad label)' was expected to 'fail'. Reason for failure 'killed by signal 11'
/tmp/testlibRpZ
Error: transition failed. Test 'EXEC_STACK (2 stacked - bad mode)' was expected to 'fail'. Reason for failure 'killed by signal 11'
/tmp/testlibRpZ
Error: transition failed. Test 'EXEC_STACK (3 stacked - file)' was expected to 'fail'. Reason for failure expect errno 13 != 139
/tmp/testlibRpZ
Error: transition failed. Test 'EXEC_STACK (3 stacked - otherfile)' was expected to 'fail'. Reason for failure expect errno 13 != 139
/tmp/testlibRpZ
Error: transition failed. Test 'EXEC_STACK (3 stacked - thirdfile)' was expected to 'fail'. Reason for failure expect errno 13 != 139
/tmp/testlibRpZ
Error: transition failed. Test 'EXEC_STACK (3 stacked - sharedfile)' was expected to 'pass'. Reason for failure 'killed by signal 11'
/tmp/testlibRpZ
Error: transition failed. Test 'EXEC_STACK (3 stacked - okcon)' was expected to 'pass'. Reason for failure 'killed by signal 11'
/tmp/testlibRpZ
Error: transition failed. Test 'EXEC_STACK (3 stacked - old AA WARN)' was expected to 'pass'. Reason for failure 'killed by signal 11'
The previous command should result in no output and return value of 0 once the regression test is properly updated.
[Regression Potential]
* This is an extremely low risk change since it only touches regression testing code that is not user-facing.
[Other]
* Fixed in upstream lp:apparmor tree:
https:/
description: | updated |
Changed in apparmor: | |
status: | New → Fix Committed |
importance: | Undecided → Low |
assignee: | nobody → Tyler Hicks (tyhicks) |
milestone: | none → 2.11 |
description: | updated |
Changed in apparmor: | |
status: | Fix Committed → Fix Released |
This bug was fixed in the package apparmor - 2.10.95-4ubuntu5
---------------
apparmor (2.10.95-4ubuntu5) yakkety; urgency=medium
* debian/ lib/apparmor/ functions, debian/ apparmor. init, apparmor. service, debian/ apparmor. upstart, lib/apparmor/ profile- load: Adjust the checks that previously kept patches/ r3505-tests- fix-stacking- mode-checks. patch: Fix the ec.sh and stackprofile.sh tests (LP: #1628295) patches/ r3509-tests- fix-exec_ stack-errors. patch: Fix the
debian/
debian/
AppArmor policy from being loaded while booting a container. Now we
attempt to load policy if we're in a LXD or LXC managed container that is
using profile stacking inside of a policy namespace. (LP: #1628285)
* Fix regression tests so that the kernel SRU process is not interrupted by
failing tests
- debian/
stackonex
- debian/
exec_stack.sh test (LP: #1628745)
-- Tyler Hicks <email address hidden> Thu, 29 Sep 2016 00:38:47 -0500