On 09/28/2016 09:45 PM, Seth Arnold wrote: > On Wed, Sep 28, 2016 at 09:05:09PM -0500, Tyler Hicks wrote: >> https://launchpad.net/bugs/1628745 >> >> The following upstream kernel commit changed the semantics of the exec >> permission check in the 4.8 kernel: >> >> commit 9f834ec18defc369d73ccf9e87a2790bfa05bf46 >> Author: Linus Torvalds <torva...@linux-foundation.org> >> Date: Mon Aug 22 16:41:46 2016 -0700 >> >> binfmt_elf: switch to new creds when switching to new mm >> >> That change means that the target profile of an exec transition must >> have permission to map the binary being executed. This patch fixes >> regression test failures while the exec_stack.sh test is running against >> 4.8 and newer kernels by granting mapping permission to the target >> profile. >> >> Signed-off-by: Tyler Hicks <tyhi...@canonical.com> > > This looks good as-is but I think we should also be alerted in the future > if AppArmor fails to enforce this requirement. What would you think about > duplicating these tests -- one with these changes, and then the originals > but with the segmentation violation as the expected outcome? (Made ugly of > course by this change being conditional on kernel versions.. so not as > simple as I described it, but I hope you get the idea.)
Thanks for the review. I think it is a good idea to have tests that
verify this particular behavior. However, I don't think exec_stack.sh is
the right place to test for that since that test script is focused on
stacking across exec and this change in behavior has nothing to do with
stacking. We just got lucky (?) that exec_stack.sh had some policy that
triggered the bug. The exec.sh test script is probably the right place
to check for this.
Tyler
>
> Acked-by: Seth Arnold <seth.arn...@canonical.com>
>
> Thanks
>
>> ---
>> tests/regression/apparmor/exec_stack.sh | 8 ++++----
>> 1 file changed, 4 insertions(+), 4 deletions(-)
>>
>> diff --git a/tests/regression/apparmor/exec_stack.sh
>> b/tests/regression/apparmor/exec_stack.sh
>> index 2423dea..069e658 100755
>> --- a/tests/regression/apparmor/exec_stack.sh
>> +++ b/tests/regression/apparmor/exec_stack.sh
>> @@ -66,7 +66,7 @@ runchecktest "EXEC_STACK (not stacked - bad mode)" fail -l
>> "$test" -m complain
>>
>> # Verify file access and contexts by 2 stacked profiles
>> genprofile -I $fileok $sharedok $getcon $test:"ix -> &$othertest" -- \
>> - image=$othertest addimage:$test $otherok $sharedok $getcon $test:r
>> + image=$othertest addimage:$test $otherok $sharedok $getcon $test:rm
>> runchecktest_errno EACCES "EXEC_STACK (2 stacked - file)" fail -- $test -f
>> $file
>> runchecktest_errno EACCES "EXEC_STACK (2 stacked - otherfile)" fail --
>> $test -f $otherfile
>> runchecktest_errno EACCES "EXEC_STACK (2 stacked - thirdfile)" fail --
>> $test -f $thirdfile
>> @@ -79,7 +79,7 @@ runchecktest "EXEC_STACK (2 stacked - bad mode)" fail --
>> $test -l "${test}//&${t
>> # Verify file access and contexts by 3 stacked profiles
>> genprofile -I $fileok $sharedok $getcon $test:"ix -> &$othertest" -- \
>> image=$othertest addimage:$test $otherok $sharedok $getcon $test:"rix
>> -> &$thirdtest" -- \
>> - image=$thirdtest addimage:$test $thirdok $sharedok $getcon $test:r
>> + image=$thirdtest addimage:$test $thirdok $sharedok $getcon $test:rm
>> runchecktest_errno EACCES "EXEC_STACK (3 stacked - file)" fail -- $test --
>> $test -f $file
>> runchecktest_errno EACCES "EXEC_STACK (3 stacked - otherfile)" fail --
>> $test -- $test -f $otherfile
>> runchecktest_errno EACCES "EXEC_STACK (3 stacked - thirdfile)" fail --
>> $test -- $test -f $thirdfile
>> @@ -89,7 +89,7 @@ runchecktest "EXEC_STACK (3 stacked - okcon)" pass --
>> $test -- $test -l "${third
>>
>> genprofile -I $sharedok $stackotherok $stackthirdok $test:"rix ->
>> &$othertest" -- \
>> image=$othertest addimage:$test $sharedok $stackthirdok $test:"rix ->
>> &$thirdtest" -- \
>> - image=$thirdtest addimage:$test $sharedok $stackthirdok $test:r
>> + image=$thirdtest addimage:$test $sharedok $stackthirdok $test:rm
>> # Triggered an AppArmor WARN in the initial stacking patch set
>> runchecktest "EXEC_STACK (3 stacked - old AA WARN)" pass -p $othertest --
>> $test -p $thirdtest -f $sharedfile
>>
>> @@ -120,7 +120,7 @@ runchecktest "EXEC_STACK (stacked with namespaced
>> profile - okcon)" pass -- $tes
>>
>> # Verify file access and contexts in mixed mode
>> genprofile -I $fileok $sharedok $getcon $test:"ix -> &$othertest" -- \
>> - image=$othertest flag:complain addimage:$test $otherok $sharedok
>> $getcon $test:r
>> + image=$othertest flag:complain addimage:$test $otherok $sharedok
>> $getcon $test:rm
>> runchecktest "EXEC_STACK (mixed mode - file)" pass -- $test -f $file
>> runchecktest_errno EACCES "EXEC_STACK (mixed mode - otherfile)" fail --
>> $test -f $otherfile
>> runchecktest "EXEC_STACK (mixed mode - sharedfile)" pass -- $test -f
>> $sharedfile
>> --
>> 2.7.4
>>
>>
>> --
>> AppArmor mailing list
>> AppArmor@lists.ubuntu.com
>> Modify settings or unsubscribe at:
>> https://lists.ubuntu.com/mailman/listinfo/apparmor
>>
>>
>>
signature.asc
Description: OpenPGP digital signature
-- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
