* [LTP] [PATCH v2 1/1] fs/proc01.c: Whitelist attr and task files for apparmor and smack
@ 2021-01-19 12:33 Petr Vorel
  2021-01-19 13:08 ` Cyril Hrubis
  2021-01-20  0:42 ` liuxp11
  0 siblings, 2 replies; 4+ messages in thread
From: Petr Vorel @ 2021-01-19 12:33 UTC (permalink / raw)
  To: ltp

From: Xinpeng Liu <liuxp11@chinatelecom.cn>

We are already whitelisting LSM files (/proc/self/attr/* and
/proc/self/task/[0-9]*/attr/*) since 2009. That's probably due to the
default value for the {g,s}etprocattr LSM_HOOK being -EINVAL when the
LSM module is not enabled.

Both AppArmor and SMACK allow reading only
/proc/self/attr/apparmor/current; the rest return EINVAL.

While reading /proc/self/attr/apparmor/current (for AppArmor) and
/proc/self/attr/current (for both AppArmor and SELinux) mostly works
(e.g. the value contains "unconfined"), in some cases it does not work
(e.g. AppArmor module loaded, but filesystem not mounted). Thus keep it
disabled as well.

Ubuntu 20.10 (AppArmor and SMACK enabled):
proc01      1  TFAIL  :  proc01.c:396: read failed: /proc/self/task/61595/attr/smack/current: errno=EINVAL(22): Invalid argument
proc01      2  TFAIL  :  proc01.c:396: read failed: /proc/self/task/61595/attr/apparmor/prev: errno=EINVAL(22): Invalid argument
proc01      3  TFAIL  :  proc01.c:396: read failed: /proc/self/task/61595/attr/apparmor/exec: errno=EINVAL(22): Invalid argument
proc01      4  TFAIL  :  proc01.c:396: read failed: /proc/self/attr/smack/current: errno=EINVAL(22): Invalid argument
proc01      5  TFAIL  :  proc01.c:396: read failed: /proc/self/attr/apparmor/prev: errno=EINVAL(22): Invalid argument
proc01      6  TFAIL  :  proc01.c:396: read failed: /proc/self/attr/apparmor/exec: errno=EINVAL(22): Invalid argument

openSUSE (kernel 5.10.7, AppArmor enabled):
proc01      1  TFAIL  :  proc01.c:396: read failed: /proc/self/task/6367/attr/apparmor/prev: errno=EINVAL(22): Invalid argument
proc01      2  TFAIL  :  proc01.c:396: read failed: /proc/self/task/6367/attr/apparmor/exec: errno=EINVAL(22): Invalid argument
proc01      3  TFAIL  :  proc01.c:396: read failed: /proc/self/attr/apparmor/prev: errno=EINVAL(22): Invalid argument
proc01      4  TFAIL  :  proc01.c:396: read failed: /proc/self/attr/apparmor/exec: errno=EINVAL(22): Invalid argument

+ While at it, fix a comparison warning.

Reviewed-by: Joerg Vehlow <joerg.vehlow@aox-tech.de>
Reviewed-by: Jan Stancek <jstancek@redhat.com>
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Xinpeng Liu <liuxp11@chinatelecom.cn>
[ pvorel: rewritten commit message ]
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
Hi Liu, Jan,

as we agreed with Cyril that this is a valid fix, I dared to do the
investigation and send v2 with an improved commit message.

Kind regards,
Petr

 testcases/kernel/fs/proc/proc01.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/testcases/kernel/fs/proc/proc01.c b/testcases/kernel/fs/proc/proc01.c
index 96843695c..96441d153 100644
--- a/testcases/kernel/fs/proc/proc01.c
+++ b/testcases/kernel/fs/proc/proc01.c
@@ -63,7 +63,7 @@ static char *opt_maxmbytesstr;
 static char *procpath = "/proc";
 static const char selfpath[] = "/proc/self";
 size_t buffsize = 1024;
-static long long maxbytes;
+static unsigned long long maxbytes;
 
 unsigned long long total_read;
 unsigned int total_obj;
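Review bot: the signedness change on `maxbytes` silences the warning, but the hunk does not show where `opt_maxmbytesstr` is converted into `maxbytes`; if that conversion still uses a signed parser, a negative value for the max-megabytes option will now wrap to a huge unsigned limit instead of being rejected, so the parse should use an unsigned conversion or reject a leading minus explicitly. It would also help to name the comparison the warning comes from (presumably against `total_read`, declared `unsigned long long` two lines below) in the commit message instead of just "fix a comparison warning".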
@@ -97,7 +97,11 @@ static const struct mapping known_issues[] = {
 	{"read", "/proc/self/mem", EIO},
 	{"read", "/proc/self/task/[0-9]*/mem", EIO},
 	{"read", "/proc/self/attr/*", EINVAL},
+	{"read", "/proc/self/attr/smack/*", EINVAL},
+	{"read", "/proc/self/attr/apparmor/*", EINVAL},
 	{"read", "/proc/self/task/[0-9]*/attr/*", EINVAL},
+	{"read", "/proc/self/task/[0-9]*/attr/smack/*", EINVAL},
+	{"read", "/proc/self/task/[0-9]*/attr/apparmor/*", EINVAL},
 	{"read", "/proc/self/ns/*", EINVAL},
 	{"read", "/proc/self/task/[0-9]*/ns/*", EINVAL},
 	{"read", "/proc/ppc64/rtas/error_log", EINVAL},
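Review bot: the four new globs are needed only because the existing `/proc/self/attr/*` and `/proc/self/task/[0-9]*/attr/*` entries evidently do not descend into the `smack/` and `apparmor/` subdirectories; a one-line comment above the new entries (or a sentence in the commit message) saying that the matcher does not let `*` cross a `/` would spare the next reader from treating them as redundant. Note also that `/proc/self/attr/apparmor/*` deliberately swallows `.../apparmor/current`, which the commit message says usually reads fine; a comment marking that as intentional (the unmounted-filesystem case) would keep someone from narrowing the glob later.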
-- 
2.30.0
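
As an added illustration (not LTP's own code and not part of the patch): a constructed subset of the known_issues table with a matcher that assumes proc01.c uses fnmatch(3) with FNM_PATHNAME. It shows why the pre-existing `/proc/self/attr/*` glob does not cover the per-LSM subdirectory paths from the TFAIL lines above while the added entries do, and that an entry only whitelists the exact call and errno it names.

```c
#include <errno.h>
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

/* Constructed subset of proc01.c's known_issues table: the first two
 * entries existed before the patch, the remaining four are added by it. */
struct mapping {
	const char *call;
	const char *file;
	int err;
};

static const struct mapping known_issues[] = {
	{"read", "/proc/self/attr/*", EINVAL},
	{"read", "/proc/self/task/[0-9]*/attr/*", EINVAL},
	{"read", "/proc/self/attr/smack/*", EINVAL},
	{"read", "/proc/self/attr/apparmor/*", EINVAL},
	{"read", "/proc/self/task/[0-9]*/attr/smack/*", EINVAL},
	{"read", "/proc/self/task/[0-9]*/attr/apparmor/*", EINVAL},
};
#define N_PRE_PATCH 2
#define N_POST_PATCH (sizeof(known_issues) / sizeof(known_issues[0]))

/* Returns 1 when a failed syscall (call, path, err) is covered by one of
 * the first n table entries. Assumption: proc01.c matches with fnmatch(3)
 * and FNM_PATHNAME, so '*' never crosses a '/', which is why the per-LSM
 * subdirectory globs must be listed separately. */
int is_known_issue(size_t n, const char *call, const char *path, int err)
{
	size_t i;
	for (i = 0; i < n && i < N_POST_PATCH; i++) {
		if (strcmp(known_issues[i].call, call) == 0 &&
		    known_issues[i].err == err &&
		    fnmatch(known_issues[i].file, path, FNM_PATHNAME) == 0)
			return 1;
	}
	return 0;
}

int main(void)
{
	/* Path taken from the first TFAIL line in the commit message. */
	const char *p = "/proc/self/task/61595/attr/smack/current";
	printf("%s: pre-patch %d, post-patch %d\n", p,
	       is_known_issue(N_PRE_PATCH, "read", p, EINVAL),
	       is_known_issue(N_POST_PATCH, "read", p, EINVAL));
	return 0;
}
```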



* [LTP] [PATCH v2 1/1] fs/proc01.c: Whitelist attr and task files for apparmor and smack
  2021-01-19 12:33 [LTP] [PATCH v2 1/1] fs/proc01.c: Whitelist attr and task files for apparmor and smack Petr Vorel
@ 2021-01-19 13:08 ` Cyril Hrubis
  2021-01-19 13:17   ` Petr Vorel
  2021-01-20  0:42 ` liuxp11
  1 sibling, 1 reply; 4+ messages in thread
From: Cyril Hrubis @ 2021-01-19 13:08 UTC (permalink / raw)
  To: ltp

Hi!
> as we agreed with Cyril that this is a valid fix, I dared to do the
> investigation and send v2 with improved commit message.

Acked for release.

-- 
Cyril Hrubis
chrubis@suse.cz


* [LTP] [PATCH v2 1/1] fs/proc01.c: Whitelist attr and task files for apparmor and smack
  2021-01-19 13:08 ` Cyril Hrubis
@ 2021-01-19 13:17   ` Petr Vorel
  0 siblings, 0 replies; 4+ messages in thread
From: Petr Vorel @ 2021-01-19 13:17 UTC (permalink / raw)
  To: ltp

> Hi!
> > as we agreed with Cyril that this is a valid fix, I dared to do the
> > investigation and send v2 with improved commit message.

> Acked for release.
Thanks, merged!

Kind regards,
Petr


* [LTP] [PATCH v2 1/1] fs/proc01.c: Whitelist attr and task files for apparmor and smack
  2021-01-19 12:33 [LTP] [PATCH v2 1/1] fs/proc01.c: Whitelist attr and task files for apparmor and smack Petr Vorel
  2021-01-19 13:08 ` Cyril Hrubis
@ 2021-01-20  0:42 ` liuxp11
  1 sibling, 0 replies; 4+ messages in thread
From: liuxp11 @ 2021-01-20  0:42 UTC (permalink / raw)
  To: ltp

Thanks for your rewrite!
