Kernel security test 060, 072 failed on arm64 Yakkety

This 072 failure can be seen on s2lp4 Yakkety as well (060 is fine with s2lp4)

FAIL: test_072_config_debug_rodata (__main__.KernelSecurityTest)
Traceback (most recent call last):
File "./test-kernel-security.py", line 624, in test_072_config_debug_rodata
self.assertEqual(self._test_config('DEBUG_RODATA'), expected)
AssertionError: True != False

Hi Po-Hsu,

I don't know what s2lp4 is. Test 072 succeeding on arm64 would indicate that bug 1501645 ("arm64 kernel has READ_IMPLIES_EXEC in personality, makes data areas executable") has been fixed, but if it's not that way on all yakkety arm64 hosts, then I don't know what's going on. Can you check the contents of /proc/self/personality on hosts where the test is "succeeding" (really, it's configured to expect failure on arm64), as well as "failing".

Also, while it's a bit subtle, the first machine is showing that test test_072_config_debug_set_module_ronx is failing (which checks that the 'DEBUG_SET_MODULE_RONX' kernel config option is set, while s2lp4 shows that the test test_072_config_debug_rodata is failing (which checks for the slightly different 'DEBUG_RODATA' kernel config option).

For the 'DEBUG_SET_MODULE_RONX' config option, it looks like arm64 support for that has been added to the kernel, so I've fixed the test_072_config_debug_set_module_ronx test to expect success there.

For 'DEBUG_RODATA', somethings gone wonky with the test, as the test should be expecting the it to be set, but doesn't appear to be (the 'expected' value looks to be False). Is there a full output of the test run somewhere?

Thanks.

Oops,
s2lp4 is s390x (Ubuntu on LPAR), the arch for these two systems are different, sorry about the confusion.

In summary:
060, 072 failed on arm64 Yakkety
072 failed on s390x Yakkety

072 didn't pass on the arm host, so I think this is expected as you mentioned in the comment.

The /proc/self/personality content on the failing arm64 system
ubuntu@ms10-35-mcdivittB0-kernel:~$ cat /proc/self/personality
00000000

Thanks for the fix to DEBUG_SET_MODULE_RONX.

For the "DEBUG_RODATA" issue on s390x, the complete log can be found here: http://pastebin.ubuntu.com/23744549/

Ah, thanks for the explanation. Okay, it looks like CONFIG_DEBUG_RODATA is supported/enabled on s390x in yakkety's kernel. And it looks like READ_IMPLIES_EXEC isn't always forced on on arm64 anymore either (though it looks like it's still getting set on pid 1, or else a different test would fail).

I've updated the lp:qa-regression-testing tests to take these changes into account, so rerunning the tests with the updated tree should all pass now (it should also address the test_213_setscokopt_sndbufforce_negative_value() failure that is also present in the s390x log that was pasted). Therefore, I'm closing this bug (please re-open if testing shows I messed something up).

Thanks!

It looks like I mis-read the test_050_personality() in test-kernel-security.py; it should fail if pid 1 also has the READ_IMPLIES_EXEC personality set, and since it's not failing, I think that's all good on arm64.