Okay, thanks to jj for providing kernels, I've now reproduced this in
zesty with his patch set applied.
It's failing in the 'confined/complain' tests. There's a bug in the
environ.c test that prevents the test harness from detecting/reporting
the failure correctly. When that's fixed, the output looks like:
ok: ENVIRON (elf): ux & regular env
ok: ENVIRON (elf): ux & sensitive env
ok: ENVIRON (elf): Ux & regular env
ok: ENVIRON (elf): Ux & sensitive env
ok: ENVIRON (elf): ix & regular env
ok: ENVIRON (elf): ix & sensitive env
ok: ENVIRON (elf): px & regular env
ok: ENVIRON (elf): px & sensitive env
ok: ENVIRON (elf): Px & regular env
ok: ENVIRON (elf): Px & sensitive env
ok: ENVIRON (elf): unconfined --> confined & regular env
ok: ENVIRON (elf): unconfined --> confined & sensitive env
Error: environ failed. Test 'ENVIRON (elf): confined/complain & regular env' was expected to 'pass'. Reason for failure 'FAIL: child failed'
Error: environ failed. Test 'ENVIRON (elf): confined/complain & sensitive env' was expected to 'pass'. Reason for failure 'FAIL: child failed'
ok: ENVIRON (shell script): ux & regular env
ok: ENVIRON (shell script): ux & sensitive env
ok: ENVIRON (shell script): Ux & regular env
ok: ENVIRON (shell script): Ux & sensitive env
ok: ENVIRON (shell script): px & regular env
ok: ENVIRON (shell script): px & sensitive env
ok: ENVIRON (shell script): Px & regular env
ok: ENVIRON (shell script): Px & sensitive env
ok: ENVIRON (shell script): ix & regular env
ok: ENVIRON (shell script): ix & sensitive env
ok: ENVIRON (shell script): unconfined --> confined & regular env
ok: ENVIRON (shell script): unconfined --> confined & sensitive env
Error: environ failed. Test 'ENVIRON (shell script): confined/complain & regular env' was expected to 'pass'. Reason for failure 'FAIL: child failed'
Error: environ failed. Test 'ENVIRON (shell script): confined/complain & sensitive env' was expected to 'pass'. Reason for failure 'FAIL: child failed'
ok: ENVIRON (elf): unconfined setuid helper
ok: ENVIRON (elf): unconfined setuid helper
Examining the individual test, the environ program is attempting to run
the env_check program while confined by a complain mode profile, but is
not permitted to do so. From strace output:
[pid 5706] execve("/home/ubuntu/tmp/apparmor-2.10.95/tests/regression/apparmor/env_check", ["/home/ubuntu/tmp/apparmor-2.10.9"..., "FOO=BAR"], [/* 24 vars */]) = -1 EACCES (Permission denied)
The apparmor audit message is correctly claiming that it's allowing it
(but isn't permitted by the loaded policy):
[ 1726.404464] audit: type=1400 audit(1485991672.366:348): apparmor="ALLOWED" operation="exec" profile="/home/ubuntu/tmp/apparmor-2.10.95/tests/regression/apparmor/environ" name="/home/ubuntu/tmp/apparmor-2.10.95/tests/regression/apparmor/env_check" pid=5700 comm="environ" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000 target="/home/ubuntu/tmp/apparmor-2.10.95/tests/regression/apparmor/environ//null-/home/ubuntu/tmp/apparmor-2.10.95/tests/regression/apparmor/env_check"
but that doesn't seem to be the case. So I think there's something wonky
in John's patch set.
John, can you take a look at what's going on?
** Changed in: apparmor (Ubuntu)
Assignee: (unassigned) => John Johansen (jjohansen)
--
https://bugs.launchpad.net/bugs/1661030
Title:
regression tests failing after stackprofile test is run
Status in apparmor package in Ubuntu:
Incomplete
Bug description:
From source, I'm running the tests and the makefile fails at the end
with:
running stackprofile
Makefile:303: recipe for target 'tests' failed
make: *** [tests] Error 1
No idea why that is happening. It's breaking on our kernel team
regression test runs, so can this be investigated? The source was
fetched using "apt-get source apparmor".
A full run is below:
king@ubuntu:~/apparmor-2.10.95/tests/regression/apparmor$ sudo make USE_SYSTEM=1 tests
running aa_exec
running access
xfail: ACCESS file rx (r)
xfail: ACCESS file rwx (r)
xfail: ACCESS file r (wx)
xfail: ACCESS file rx (wx)
xfail: ACCESS file rwx (wx)
xfail: ACCESS dir rwx (r)
xfail: ACCESS dir r (wx)
xfail: ACCESS dir rx (wx)
xfail: ACCESS dir rwx (wx)
running at_secure
running introspect
running capabilities
(ptrace)
(sethostname)
(setdomainname)
(setpriority)
(setscheduler)
(reboot)
(chroot)
(mlockall)
(net_raw)
(ioperm)
(iopl)
running changeprofile
running onexec
running changehat
running changehat_fork
running changehat_misc
*** A 'Killed' message from bash is expected for the following test
/home/king/apparmor-2.10.95/tests/regression/apparmor/prologue.inc: line 219:
12503 Killed $testexec "$@" > $outfile 2>&1
*** A 'Killed' message from bash is expected for the following test
/home/king/apparmor-2.10.95/tests/regression/apparmor/prologue.inc: line 219:
12537 Killed $testexec "$@" > $outfile 2>&1
running chdir
running clone
running coredump
*** A 'Segmentation Fault' message from bash is expected for the following
test
/home/king/apparmor-2.10.95/tests/regression/apparmor/prologue.inc: line 219:
12803 Segmentation fault (core dumped) $testexec "$@" > $outfile 2>&1
*** A 'Segmentation Fault' message from bash is expected for the following
test
/home/king/apparmor-2.10.95/tests/regression/apparmor/prologue.inc: line 219:
12833 Segmentation fault $testexec "$@" > $outfile 2>&1
*** A 'Segmentation Fault' message from bash is expected for the following
test
/home/king/apparmor-2.10.95/tests/regression/apparmor/prologue.inc: line 219:
12869 Segmentation fault $testexec "$@" > $outfile 2>&1
*** A 'Segmentation Fault' message from bash is expected for the following
test
/home/king/apparmor-2.10.95/tests/regression/apparmor/prologue.inc: line 219:
12905 Segmentation fault $testexec "$@" > $outfile 2>&1
*** A 'Segmentation Fault' message from bash is expected for the following
test
/home/king/apparmor-2.10.95/tests/regression/apparmor/prologue.inc: line 219:
12941 Segmentation fault $testexec "$@" > $outfile 2>&1
XFAIL: Error: corefile present when not expected -- COREDUMP (ix confinement)
running deleted
running environ
Fatal Error (environ): Unable to run test sub-executable
running exec
running exec_qual
running fchdir
running fd_inheritance
running fork
running i18n
running link
running link_subset
running mkdir
running mmap
running mount
using mount rules ...
running mult_mount
running named_pipe
running namespaces
running net_raw
running open
running openat
running pipe
running pivot_root
running ptrace
using ptrace v6 tests ...
running pwrite
running query_label
Alert: query_label passed. Test 'QUERY file (all base perms #1)' was marked
as expected pass but known problem (xpass)
xpass: QUERY file (all base perms #1)
Alert: query_label passed. Test 'QUERY file (all base perms #2)' was marked
as expected pass but known problem (xpass)
xpass: QUERY file (all base perms #2)
running regex
running rename
running readdir
running rw
running socketpair
running swap
mkswap: /tmp/sdtest.21272-20356-eRXvtR/swapfile: insecure permissions 0644,
0600 suggested.
swapon: /tmp/sdtest.21272-20356-eRXvtR/swapfile: insecure permissions 0644,
0600 suggested.
running sd_flags
running setattr
running symlink
running syscall
running tcp
running unix_fd_server
running unix_socket_pathname
xpass: AF_UNIX pathname socket (dgram); confined server w/ access (rw)
xpass: AF_UNIX pathname socket (dgram); confined client w/ access (rw)
running unix_socket_abstract
running unix_socket_unnamed
xpass: AF_UNIX unnamed socket (dgram); confined server (peer label w/
implicit perms)
xpass: AF_UNIX unnamed socket (dgram); confined server (peer label w/
explicit perms)
xpass: AF_UNIX unnamed socket (dgram); confined server (peer label, peer addr)
xpass: AF_UNIX unnamed socket (dgram); confined server (type, peer label,
peer addr)
xpass: AF_UNIX unnamed socket (dgram); confined server (type, addr, peer
label)
xpass: AF_UNIX unnamed socket (dgram); confined server (type, addr, peer
label, peer addr)
running unlink
running xattrs
Required feature 'file/xattr' not available.. Skipping tests ...
running longpath
running dbus_eavesdrop
running dbus_message
running dbus_service
running dbus_unrequested_reply
running aa_policy_cache
running exec_stack
running stackonexec
running stackprofile
Makefile:303: recipe for target 'tests' failed
make: *** [tests] Error 1
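The mismatch described in the comment above (an audit record saying apparmor="ALLOWED" for an exec that strace shows returning EACCES) can be checked for mechanically. The following is an added example, not code from the AppArmor test suite or from the reporters; the function names, the shortened /opt/tests paths and both sample logs are constructed for illustration.

```python
import re

# Constructed sample input, modelled on the audit and strace lines in the report.
AUDIT_LOG = '''\
[ 100.000001] audit: type=1400 audit(1485991672.366:348): apparmor="ALLOWED" operation="exec" profile="/opt/tests/environ" name="/opt/tests/env_check" pid=5700 comm="environ" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000 target="/opt/tests/environ//null-/opt/tests/env_check"
[ 100.000002] audit: type=1400 audit(1485991672.400:349): apparmor="ALLOWED" operation="open" profile="/opt/tests/environ" name="/tmp/out" pid=5700 comm="environ" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
'''
STRACE_LOG = '''\
[pid 5706] execve("/opt/tests/env_check", ["/opt/tests/env_check", "FOO=BAR"], [/* 24 vars */]) = -1 EACCES (Permission denied)
[pid 5707] execve("/bin/true", ["/bin/true"], [/* 24 vars */]) = 0
'''

# key=value fields of an audit record; values are either quoted or bare tokens.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# strace execve line: path, return value, optional errno name.
EXECVE = re.compile(r'execve\("([^"]+)".*\)\s*=\s*(-?\d+)(?:\s+([A-Z]+))?')

def parse_audit(line):
    """Return the key=value fields of one AppArmor audit record as a dict."""
    return {key: quoted or bare for key, quoted, bare in KV.findall(line)}

def failed_execs(strace_text):
    """Map exec path -> errno name for every execve that returned -1."""
    return {m.group(1): m.group(3)
            for m in EXECVE.finditer(strace_text) if m.group(2) == "-1"}

def complain_mode_mismatches(audit_text, strace_text):
    """Return (profile, name, target) for execs logged ALLOWED but refused."""
    failed = failed_execs(strace_text)
    hits = []
    for line in audit_text.splitlines():
        rec = parse_audit(line)
        # Match on path, not pid: in the report the audit record carries
        # pid=5700 while strace shows the execve in pid 5706.
        if (rec.get("apparmor") == "ALLOWED"
                and rec.get("operation") == "exec"
                and failed.get(rec.get("name")) == "EACCES"):
            hits.append((rec["profile"], rec["name"], rec.get("target")))
    return hits

if __name__ == "__main__":
    for profile, name, target in complain_mode_mismatches(AUDIT_LOG, STRACE_LOG):
        print(f"ALLOWED in audit log but EACCES in strace: {name} (profile {profile})")
```
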