apparmor mount regression test fails when CONFIG_MANDATORY_FILE_LOCKING is disabled

Bug #1765025 reported by Po-Hsu Lin on 2018-04-18
This bug affects 1 person
Affects                Importance  Assigned to
AppArmor               Undecided   Steve Beattie
QA Regression Testing  Undecided   Steve Beattie
ubuntu-kernel-tests    Undecided   Unassigned
linux (Ubuntu)         High        Unassigned
  Bionic               High        Unassigned
linux-kvm (Ubuntu)     Undecided   Unassigned
  Bionic               Undecided   Unassigned

Bug Description

Like bug 1760672, the test_regression_testsuite in ubuntu_qrt_apparmor failed with 4.15.0-1004-kvm

But the error message is a little bit different. The "mount" test failed in this case.

  FAIL: test_regression_testsuite (__main__.ApparmorTestsuites)
  Run kernel regression tests
  ----------------------------------------------------------------------
  Traceback (most recent call last):
    File "./test-apparmor.py", line 1716, in test_regression_testsuite
      self.assertEqual(expected, rc, result + report)
  AssertionError: Got exit code 2, expected 0

  running aa_exec

  running access
  xfail: ACCESS file rx (r)
  xfail: ACCESS file rwx (r)
  xfail: ACCESS file r (wx)
  xfail: ACCESS file rx (wx)
  xfail: ACCESS file rwx (wx)
  xfail: ACCESS dir rwx (r)
  xfail: ACCESS dir r (wx)
  xfail: ACCESS dir rx (wx)
  xfail: ACCESS dir rwx (wx)

  running at_secure

  running introspect

  running capabilities
          (ptrace)
          (sethostname)
          (setdomainname)
          (setpriority)
          (setscheduler)
          (reboot)
          (chroot)
          (mlockall)
          (net_raw)
          (ioperm)
          (iopl)

  running changeprofile

  running onexec

  running changehat

  running changehat_fork

  running changehat_misc

  *** A 'Killed' message from bash is expected for the following test
  /tmp/testlibvqbxov/source/bionic/apparmor-2.12/tests/regression/apparmor/prologue.inc: line 264: 3444 Killed $testexec "$@" > $outfile 2>&1

  *** A 'Killed' message from bash is expected for the following test
  /tmp/testlibvqbxov/source/bionic/apparmor-2.12/tests/regression/apparmor/prologue.inc: line 264: 3481 Killed $testexec "$@" > $outfile 2>&1

  running chdir

  running clone

  running coredump
  *** A 'Segmentation Fault' message from bash is expected for the following test
  /tmp/testlibvqbxov/source/bionic/apparmor-2.12/tests/regression/apparmor/prologue.inc: line 264: 3769 Segmentation fault (core dumped) $testexec "$@" > $outfile 2>&1

  *** A 'Segmentation Fault' message from bash is expected for the following test
  /tmp/testlibvqbxov/source/bionic/apparmor-2.12/tests/regression/apparmor/prologue.inc: line 264: 3803 Segmentation fault $testexec "$@" > $outfile 2>&1

  *** A 'Segmentation Fault' message from bash is expected for the following test
  /tmp/testlibvqbxov/source/bionic/apparmor-2.12/tests/regression/apparmor/prologue.inc: line 264: 3842 Segmentation fault $testexec "$@" > $outfile 2>&1

  *** A 'Segmentation Fault' message from bash is expected for the following test
  /tmp/testlibvqbxov/source/bionic/apparmor-2.12/tests/regression/apparmor/prologue.inc: line 264: 3881 Segmentation fault $testexec "$@" > $outfile 2>&1

  *** A 'Segmentation Fault' message from bash is expected for the following test
  /tmp/testlibvqbxov/source/bionic/apparmor-2.12/tests/regression/apparmor/prologue.inc: line 264: 3920 Segmentation fault $testexec "$@" > $outfile 2>&1
  XFAIL: Error: corefile present when not expected -- COREDUMP (ix confinement)

  running deleted

  running environ

  running exec

  running exec_qual

  running fchdir

  running fd_inheritance

  running fork

  running i18n

  running link

  running link_subset

  running mkdir

  running mmap

  running mount
  Error: mount failed. Test 'MOUNT (unconfined)' was expected to 'pass'. Reason for failure 'FAIL: mount /dev/loop0 on /tmp/sdtest.2351-23651-C7r5Aj/mountpoint failed - Operation not permitted'
      using mount rules ...
  Error: mount failed. Test 'MOUNT (confined cap mount:ALL)' was expected to 'pass'. Reason for failure 'FAIL: mount /dev/loop0 on /tmp/sdtest.2351-23651-C7r5Aj/mountpoint failed - Operation not permitted'
  Error: mount failed. Test 'MOUNT (confined cap mount -> mntpnt)' was expected to 'pass'. Reason for failure 'FAIL: mount /dev/loop0 on /tmp/sdtest.2351-23651-C7r5Aj/mountpoint failed - Operation not permitted'
  Error: mount failed. Test 'MOUNT (confined cap mount fstype)' was expected to 'pass'. Reason for failure 'FAIL: mount /dev/loop0 on /tmp/sdtest.2351-23651-C7r5Aj/mountpoint failed - Operation not permitted'

  running mult_mount

  running named_pipe

  running namespaces

  running net_raw

  running open

  running openat

  running pipe

  running pivot_root
   kernel does not support pivot_root domain transitions - skipping tests ...

  running ptrace
     using ptrace v6 tests ...

  running pwrite

  running query_label

  running regex

  running rename

  running readdir

  running rw

  running socketpair

  running swap
  mkswap: /tmp/sdtest.342-4732-I1N8gh/swapfile: insecure permissions 0644, 0600 suggested.
  swapon: /tmp/sdtest.342-4732-I1N8gh/swapfile: insecure permissions 0644, 0600 suggested.

  running sd_flags

  running setattr

  running symlink

  running syscall
   WARNING: syscall sysctl not implemented, skipping tests ...

  running tcp

  running unix_fd_server

  running unix_socket_pathname
  xpass: AF_UNIX pathname socket (dgram); confined server w/ access (rw)
  xpass: AF_UNIX pathname socket (dgram); confined client w/ access (rw)

  running unix_socket_abstract

  running unix_socket_unnamed
  xpass: AF_UNIX unnamed socket (dgram); confined server (peer label w/ implicit perms)
  xpass: AF_UNIX unnamed socket (dgram); confined server (peer label w/ explicit perms)
  xpass: AF_UNIX unnamed socket (dgram); confined server (peer label, peer addr)
  xpass: AF_UNIX unnamed socket (dgram); confined server (type, peer label, peer addr)
  xpass: AF_UNIX unnamed socket (dgram); confined server (type, addr, peer label)
  xpass: AF_UNIX unnamed socket (dgram); confined server (type, addr, peer label, peer addr)

  running unlink

  running xattrs
  Required feature 'file/xattr' not available.. Skipping tests ...

  running longpath
  XFAIL: This version of AppArmor does not support changing buffer size.

  running dbus_eavesdrop
  dbus[1212]: Unable to set up transient service directory: XDG_RUNTIME_DIR "/run/user/1000" is owned by uid 1000, not our uid 0

  running dbus_message
  dbus[1540]: Unable to set up transient service directory: XDG_RUNTIME_DIR "/run/user/1000" is owned by uid 1000, not our uid 0

  running dbus_service
  dbus[2320]: Unable to set up transient service directory: XDG_RUNTIME_DIR "/run/user/1000" is owned by uid 1000, not our uid 0

  running dbus_unrequested_reply
  dbus[2754]: Unable to set up transient service directory: XDG_RUNTIME_DIR "/run/user/1000" is owned by uid 1000, not our uid 0

  running aa_policy_cache

  running exec_stack

  running stackonexec

  running stackprofile
  Makefile:303: recipe for target 'tests' failed
  make: *** [tests] Error 1

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: linux-image-4.15.0-1004-kvm 4.15.0-1004.4
ProcVersionSignature: User Name 4.15.0-1004.4-kvm 4.15.15
Uname: Linux 4.15.0-1004-kvm x86_64
ApportVersion: 2.20.9-0ubuntu5
Architecture: amd64
Date: Wed Apr 18 10:36:57 2018
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=C.UTF-8
 SHELL=/bin/bash
SourcePackage: linux-kvm
UpgradeStatus: No upgrade log present (probably fresh install)

Po-Hsu Lin (cypressyew) wrote :

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 1765025

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Changed in linux (Ubuntu Bionic):
status: Incomplete → Triaged
importance: Undecided → High

Hi Po-Hsu,

The apparmor mount test is failing because while testing mounting, it is attempting to mount with the option MS_MANDLOCK and bionic's linux-kvm kernel has CONFIG_MANDATORY_FILE_LOCKING disabled, causing the operation to fail even when apparmor is not involved. Given that upstream seems to believe the code enabled by CONFIG_MANDATORY_FILE_LOCKING is little-used and buggy, I do not believe that disabling this option in the linux-kvm kernel is a bug (though it is a difference in behavior with the generic kernel).

The correct fix here is probably to have the apparmor test use a different mount option.

Thanks.
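
Added example, not part of the bug report and not code from AppArmor or qa-regression-testing: a triage helper that applies the reasoning in the comment above to the test log. It treats a failing '(unconfined)' variant as proof that policy is not the cause, then checks the kernel config for CONFIG_MANDATORY_FILE_LOCKING. The function names, verdict strings and sample inputs are constructed for illustration.

```python
import re

# Constructed inputs: log lines in the shape of the test output above (paths
# shortened) and a kernel config fragment as found in /boot/config-<release>.
SAMPLE_LOG = """\
running mount
Error: mount failed. Test 'MOUNT (unconfined)' was expected to 'pass'. Reason for failure 'FAIL: mount /dev/loop0 on /tmp/sdtest/mountpoint failed - Operation not permitted'
    using mount rules ...
Error: mount failed. Test 'MOUNT (confined cap mount:ALL)' was expected to 'pass'. Reason for failure 'FAIL: mount /dev/loop0 on /tmp/sdtest/mountpoint failed - Operation not permitted'
"""
SAMPLE_CONFIG = "CONFIG_FILE_LOCKING=y\n# CONFIG_MANDATORY_FILE_LOCKING is not set\n"

FAIL_RE = re.compile(
    r"Error: \w+ failed\. Test '(?P<name>[^']+)' was expected to "
    r"'\w+'\. Reason for failure '(?P<reason>.*)'\s*$"
)

def parse_failures(log):
    """Return [(test name, failure reason)] for every 'Error: ... failed' line."""
    hits = (FAIL_RE.search(line) for line in log.splitlines())
    return [(m["name"], m["reason"]) for m in hits if m]

def config_enabled(config_text, option):
    """True if the kernel config sets option to y or m ('# ... is not set' is off)."""
    return re.search(rf"^{re.escape(option)}=[ym]$", config_text, re.M) is not None

def triage(log, config_text):
    """Label each failure as policy-related or caused by the kernel itself."""
    failures = parse_failures(log)
    # Test groups (MOUNT, ...) whose unconfined variant also failed: no profile
    # confined that run, so AppArmor policy cannot be the cause.
    env_groups = {n.split()[0] for n, _ in failures if "(unconfined)" in n}
    mandlock = config_enabled(config_text, "CONFIG_MANDATORY_FILE_LOCKING")
    result = {}
    for name, reason in failures:
        if name.split()[0] not in env_groups:
            result[name] = "check AppArmor policy and audit log"
        elif name.startswith("MOUNT") and not mandlock and "not permitted" in reason:
            result[name] = "kernel rejects MS_MANDLOCK (option disabled)"
        else:
            result[name] = "environment failure, not AppArmor"
    return result

if __name__ == "__main__":
    for test, verdict in triage(SAMPLE_LOG, SAMPLE_CONFIG).items():
        print(f"{test}: {verdict}")
```

The MS_MANDLOCK verdict is a heuristic that relies on the comment's statement that the mount test uses that flag; it does not inspect the test source.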

Changed in qa-regression-testing:
status: New → Confirmed
status: Confirmed → Triaged
Changed in linux (Ubuntu Bionic):
status: Triaged → Invalid
summary: - test_regression_testsuite in ubuntu_qrt_apparmor failed with 4.15 kvm
+ apparmor mount regression test fails when CONFIG_MANDATORY_FILE_LOCKING
+ is disabled
Changed in apparmor:
status: New → Triaged
Changed in qa-regression-testing:
assignee: nobody → Steve Beattie (sbeattie)
Changed in apparmor:
assignee: nobody → Steve Beattie (sbeattie)
Steve Beattie (sbeattie) wrote :

This has been addressed upstream in apparmor in https://gitlab.com/apparmor/apparmor/commit/49ba6af2bf49be9eff89ce760cca60f33eb8e341 (and cherry-picked to older releases). A fix has been applied to qrt to incorporate the patch in https://git.launchpad.net/qa-regression-testing/commit/?id=0e2d55c657e40fc8acd0526a1382f2be19211abc .

The Ubuntu kernel team should probably decide whether or not linux-kvm should be consistent with the generic ubuntu kernel on CONFIG_MANDATORY_FILE_LOCKING.

Thanks!

Changed in apparmor:
status: Triaged → Fix Released
Changed in qa-regression-testing:
status: Triaged → Fix Released
Po-Hsu Lin (cypressyew) wrote :

After some discussion with Kamal,

Although this MANDATORY_FILE_LOCKING is considered to be a "very common feature", we decided not to enable it since it's on its way to being removed altogether (unless some customer were to ask for it, then I'd say switch it on for sure).

Thanks

Changed in linux-kvm (Ubuntu):
status: New → Won't Fix
Changed in linux-kvm (Ubuntu Bionic):
status: New → Won't Fix
Changed in ubuntu-kernel-tests:
status: New → Fix Released
Brad Figg (brad-figg) on 2019-07-24
tags: added: cscc