On 09/28/2016 07:45 PM, Seth Arnold wrote: > On Wed, Sep 28, 2016 at 09:05:09PM -0500, Tyler Hicks wrote: >> https://launchpad.net/bugs/1628745 >> >> The following upstream kernel commit changed the semantics of the exec >> permission check in the 4.8 kernel: >> >> commit 9f834ec18defc369d73ccf9e87a2790bfa05bf46 >> Author: Linus Torvalds <torva...@linux-foundation.org> >> Date: Mon Aug 22 16:41:46 2016 -0700 >> >> binfmt_elf: switch to new creds when switching to new mm >> >> That change means that the target profile of an exec transition must >> have permission to map the binary being executed. This patch fixes >> regression test failures while the exec_stack.sh test is running against >> 4.8 and newer kernels by granting mapping permission to the target >> profile. >> >> Signed-off-by: Tyler Hicks <tyhi...@canonical.com> > > This looks good as-is but I think we should also be alerted in the future > if AppArmor fails to enforce this requirement. What would you think about > duplicating these tests -- one with these changes, and then the originals > but with the segmentation violation as the expected outcome? (Made ugly of > course by this change being conditional on kernel versions.. so not as > simple as I described it, but I hope you get the idea.) > instead of a kernel version we could stick a flag in apparmorfs indicating when a kernel has this change. That way it could be set for kernels that get the fix that caused this back ported.
I would however do that as a separate patch as we would need to add the flag to the kernel first. > Acked-by: Seth Arnold <seth.arn...@canonical.com> Acked-by: John Johansen <john.johan...@canonical.com> > > Thanks > >> --- >> tests/regression/apparmor/exec_stack.sh | 8 ++++---- >> 1 file changed, 4 insertions(+), 4 deletions(-) >> >> diff --git a/tests/regression/apparmor/exec_stack.sh >> b/tests/regression/apparmor/exec_stack.sh >> index 2423dea..069e658 100755 >> --- a/tests/regression/apparmor/exec_stack.sh >> +++ b/tests/regression/apparmor/exec_stack.sh >> @@ -66,7 +66,7 @@ runchecktest "EXEC_STACK (not stacked - bad mode)" fail -l >> "$test" -m complain >> >> # Verify file access and contexts by 2 stacked profiles >> genprofile -I $fileok $sharedok $getcon $test:"ix -> &$othertest" -- \ >> - image=$othertest addimage:$test $otherok $sharedok $getcon $test:r >> + image=$othertest addimage:$test $otherok $sharedok $getcon $test:rm >> runchecktest_errno EACCES "EXEC_STACK (2 stacked - file)" fail -- $test -f >> $file >> runchecktest_errno EACCES "EXEC_STACK (2 stacked - otherfile)" fail -- >> $test -f $otherfile >> runchecktest_errno EACCES "EXEC_STACK (2 stacked - thirdfile)" fail -- >> $test -f $thirdfile >> @@ -79,7 +79,7 @@ runchecktest "EXEC_STACK (2 stacked - bad mode)" fail -- >> $test -l "${test}//&${t >> # Verify file access and contexts by 3 stacked profiles >> genprofile -I $fileok $sharedok $getcon $test:"ix -> &$othertest" -- \ >> image=$othertest addimage:$test $otherok $sharedok $getcon $test:"rix >> -> &$thirdtest" -- \ >> - image=$thirdtest addimage:$test $thirdok $sharedok $getcon $test:r >> + image=$thirdtest addimage:$test $thirdok $sharedok $getcon $test:rm >> runchecktest_errno EACCES "EXEC_STACK (3 stacked - file)" fail -- $test -- >> $test -f $file >> runchecktest_errno EACCES "EXEC_STACK (3 stacked - otherfile)" fail -- >> $test -- $test -f $otherfile >> runchecktest_errno EACCES "EXEC_STACK (3 stacked - thirdfile)" fail -- >> $test -- $test -f $thirdfile >> @@ -89,7 +89,7 @@ runchecktest "EXEC_STACK (3 stacked - okcon)" pass -- >> $test -- $test -l "${third >> >> genprofile -I $sharedok $stackotherok $stackthirdok $test:"rix -> >> &$othertest" -- \ >> image=$othertest addimage:$test $sharedok $stackthirdok $test:"rix -> >> &$thirdtest" -- \ >> - image=$thirdtest addimage:$test $sharedok $stackthirdok $test:r >> + image=$thirdtest addimage:$test $sharedok $stackthirdok $test:rm >> # Triggered an AppArmor WARN in the initial stacking patch set >> runchecktest "EXEC_STACK (3 stacked - old AA WARN)" pass -p $othertest -- >> $test -p $thirdtest -f $sharedfile >> >> @@ -120,7 +120,7 @@ runchecktest "EXEC_STACK (stacked with namespaced >> profile - okcon)" pass -- $tes >> >> # Verify file access and contexts in mixed mode >> genprofile -I $fileok $sharedok $getcon $test:"ix -> &$othertest" -- \ >> - image=$othertest flag:complain addimage:$test $otherok $sharedok >> $getcon $test:r >> + image=$othertest flag:complain addimage:$test $otherok $sharedok >> $getcon $test:rm >> runchecktest "EXEC_STACK (mixed mode - file)" pass -- $test -f $file >> runchecktest_errno EACCES "EXEC_STACK (mixed mode - otherfile)" fail -- >> $test -f $otherfile >> runchecktest "EXEC_STACK (mixed mode - sharedfile)" pass -- $test -f >> $sharedfile >> -- >> 2.7.4 >> >> >> -- >> AppArmor mailing list >> AppArmor@lists.ubuntu.com >> Modify settings or unsubscribe at: >> https://lists.ubuntu.com/mailman/listinfo/apparmor >> >> >> -- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor