Comment 4 for bug 1661030

Steve Beattie (sbeattie) wrote :

Okay, thanks to jj for providing kernels, I've now reproduced this in zesty with his patch set applied.

It's failing in the 'confined/complain' tests. There's a bug in the environ.c test that prevents the test harness from detecting/reporting the failure correctly. When that's fixed, the output looks like:

ok: ENVIRON (elf): ux & regular env
ok: ENVIRON (elf): ux & sensitive env
ok: ENVIRON (elf): Ux & regular env
ok: ENVIRON (elf): Ux & sensitive env
ok: ENVIRON (elf): ix & regular env
ok: ENVIRON (elf): ix & sensitive env
ok: ENVIRON (elf): px & regular env
ok: ENVIRON (elf): px & sensitive env
ok: ENVIRON (elf): Px & regular env
ok: ENVIRON (elf): Px & sensitive env
ok: ENVIRON (elf): unconfined --> confined & regular env
ok: ENVIRON (elf): unconfined --> confined & sensitive env
Error: environ failed. Test 'ENVIRON (elf): confined/complain & regular env' was expected to 'pass'. Reason for failure 'FAIL: child failed'
Error: environ failed. Test 'ENVIRON (elf): confined/complain & sensitive env' was expected to 'pass'. Reason for failure 'FAIL: child failed'
ok: ENVIRON (shell script): ux & regular env
ok: ENVIRON (shell script): ux & sensitive env
ok: ENVIRON (shell script): Ux & regular env
ok: ENVIRON (shell script): Ux & sensitive env
ok: ENVIRON (shell script): px & regular env
ok: ENVIRON (shell script): px & sensitive env
ok: ENVIRON (shell script): Px & regular env
ok: ENVIRON (shell script): Px & sensitive env
ok: ENVIRON (shell script): ix & regular env
ok: ENVIRON (shell script): ix & sensitive env
ok: ENVIRON (shell script): unconfined --> confined & regular env
ok: ENVIRON (shell script): unconfined --> confined & sensitive env
Error: environ failed. Test 'ENVIRON (shell script): confined/complain & regular env' was expected to 'pass'. Reason for failure 'FAIL: child failed'
Error: environ failed. Test 'ENVIRON (shell script): confined/complain & sensitive env' was expected to 'pass'. Reason for failure 'FAIL: child failed'
ok: ENVIRON (elf): unconfined setuid helper
ok: ENVIRON (elf): unconfined setuid helper

Examining the individual test, the environ program is attempting to run the env_check program while confined by a complain mode profile, but is not permitted to do so. From strace output:

[pid 5706] execve("/home/ubuntu/tmp/apparmor-2.10.95/tests/regression/apparmor/env_check", ["/home/ubuntu/tmp/apparmor-2.10.9"..., "FOO=BAR"], [/* 24 vars */]) = -1 EACCES (Permission denied)

The apparmor audit message is correctly claiming that it's allowing it (but isn't permitted by the loaded policy):

[ 1726.404464] audit: type=1400 audit(1485991672.366:348): apparmor="ALLOWED" operation="exec" profile="/home/ubuntu/tmp/apparmor-2.10.95/tests/regression/apparmor/environ" name="/home/ubuntu/tmp/apparmor-2.10.95/tests/regression/apparmor/env_check" pid=5700 comm="environ" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000 target="/home/ubuntu/tmp/apparmor-2.10.95/tests/regression/apparmor/environ//null-/home/ubuntu/tmp/apparmor-2.10.95/tests/regression/apparmor/env_check"

but that doesn't seem to be the case. So I think there's something wonky in John's patch set.

John, can you take a look at what's going on?
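The mismatch described in this comment (an audit record of apparmor="ALLOWED" with a denied_mask, which is what complain mode emits when policy would have denied the exec, followed by an execve that nonetheless returned EACCES) is the kind of thing worth checking mechanically when triaging a kernel or policy regression. The following is an added example, not part of the bug report or of the AppArmor regression test suite: it parses an AppArmor audit line and an strace execve line into fields, classifies the audit verdict, and reports whether the syscall result agrees with it. The sample lines and paths (/srv/tests/...) are constructed placeholders modelled on the output above, not copied from any system.

```python
import re

# Constructed sample lines modelled on the bug comment (paths are placeholders).
AUDIT_LINE = (
    'audit: type=1400 audit(1485991672.366:348): apparmor="ALLOWED" operation="exec" '
    'profile="/srv/tests/environ" name="/srv/tests/env_check" pid=5700 comm="environ" '
    'requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000 '
    'target="/srv/tests/environ//null-/srv/tests/env_check"'
)
STRACE_LINE = (
    '[pid 5706] execve("/srv/tests/env_check", ["/srv/tests/env_check", "FOO=BAR"], '
    '[/* 24 vars */]) = -1 EACCES (Permission denied)'
)

# key="quoted value" or key=bareword, as emitted by the AppArmor audit layer
_FIELD = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
# execve("<path>", ...) = <ret> [ERRNO (text)]
_EXECVE = re.compile(r'execve\("([^"]*)".*\)\s*=\s*(-?\d+)(?:\s+(E[A-Z]+))?')


def parse_audit(line):
    """Return the key=value fields of an AppArmor audit message as a dict of strings."""
    fields = {}
    for m in _FIELD.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def parse_execve(line):
    """Extract path, return value and errno name from an strace execve line."""
    m = _EXECVE.search(line)
    if not m:
        return None
    return {"path": m.group(1), "ret": int(m.group(2)), "errno": m.group(3)}


def classify_audit(fields):
    """Classify an exec audit record.

    apparmor="ALLOWED" together with a non-empty denied_mask is what complain mode
    logs when the loaded policy would have denied the access but let it through;
    the "//null-" target profile in the sample is the learning profile the child
    is transitioned into in that situation.
    """
    status = fields.get("apparmor")
    if status == "DENIED":
        return "denied-by-policy"
    if status == "ALLOWED" and fields.get("denied_mask"):
        return "complain-mode-allowed"
    if status == "ALLOWED":
        return "allowed"
    return "unknown"


def check_consistency(audit_fields, execve):
    """Compare the audit verdict with what the syscall actually returned."""
    if execve is None or audit_fields.get("name") != execve["path"]:
        return "unrelated"
    verdict = classify_audit(audit_fields)
    if verdict in ("allowed", "complain-mode-allowed") and execve["ret"] < 0:
        # This is the situation in the bug report: the LSM says it allowed the
        # exec, yet the kernel returned an error to the caller.
        return "inconsistent: audit says ALLOWED but execve returned %s" % execve["errno"]
    if verdict == "denied-by-policy" and execve["ret"] >= 0:
        return "inconsistent: audit says DENIED but execve succeeded"
    return "consistent"


if __name__ == "__main__":
    audit = parse_audit(AUDIT_LINE)
    syscall = parse_execve(STRACE_LINE)
    print(classify_audit(audit))
    print(check_consistency(audit, syscall))
```

Run against the constructed lines it reports `complain-mode-allowed` for the audit record and an "inconsistent" verdict for the pair, which is exactly the symptom the comment describes; a correct complain-mode kernel should yield `consistent` with a non-negative execve return.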