From: "Mickaël Salaün" <mic@digikod.net>
To: Maximilian Heyne <mheyne@amazon.de>
Cc: stable@vger.kernel.org, "Günther Noack" <gnoack@google.com>,
"Shuah Khan" <shuah@kernel.org>,
linux-security-module@vger.kernel.org,
linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] selftests/landlock: explicitly disable audit
Date: Tue, 9 Jun 2026 00:51:02 +0200
Message-ID: <20260604.Gee4caexei8o@digikod.net>
In-Reply-To: <20260529-welsh-nagoya-b4d9ca60@mheyne-amazon>

Thanks for this patch. I merged a few fixes and I'd be interested to
know if this one fixes the issue you spotted:
https://git.kernel.org/pub/scm/linux/kernel/git/mic/linux.git/commit/?h=next&id=d8dfb4c7faa87c3e41a8678f38f136c2c7c036fa

On Fri, May 29, 2026 at 08:03:41PM +0000, Maximilian Heyne wrote:
> I'm seeing sporadic selftest failures, such as
>
> # RUN scoped_audit.connect_to_child ...
> # scoped_abstract_unix_test.c:314:connect_to_child:Expected 0 (0) == records.access (8)
> # connect_to_child: Test failed
> # FAIL scoped_audit.connect_to_child
> not ok 19 scoped_audit.connect_to_child
>
> This seems similar to what commit 3647a4977fb73d ("selftests/landlock:
> Drain stale audit records on init") tried to fix. However, the added
> drain loop is not effective. When setting the AUDIT_STATUS_PID, the
> kauditd_thread is woken up starting to send messages from the hold queue
> to the netlink. Depending on scheduling of this kthread not all messages
> might be sent via the netlink in the 1 us interval.
>
> Therefore, instead of trying to drain the queue, let's just disable
> audit when running non-audit tests or more precisely disable it after
> audit-tests. This way we won't generate any new audit message that could
> interfere with the other tests.
>
> The comment saying that on process exit audit will be disabled is wrong.
> The closed file descriptor just causes an auditd_reset(), not a
> disablement. So future messages will be queued in the hold queue.
>
> Cc: stable@vger.kernel.org
> Fixes: 6a500b22971c ("selftests/landlock: Add tests for audit flags and domain IDs")
> Signed-off-by: Maximilian Heyne <mheyne@amazon.de>
> ---
>
> I've seen the failures on the 6.18 kernels but haven't tested on latest
> upstream. However, I still think this is an issue.
>
> ---
> tools/testing/selftests/landlock/audit.h | 13 +++++--------
> 1 file changed, 5 insertions(+), 8 deletions(-)
>
> diff --git a/tools/testing/selftests/landlock/audit.h b/tools/testing/selftests/landlock/audit.h
> index 834005b2b0f09..7842330875f53 100644
> --- a/tools/testing/selftests/landlock/audit.h
> +++ b/tools/testing/selftests/landlock/audit.h
> @@ -494,10 +494,9 @@ static int audit_init_filter_exe(struct audit_filter *filter, const char *path)
> static int audit_cleanup(int audit_fd, struct audit_filter *filter)
audit_cleanup() should be called for audit_exec tests too.
> {
> struct audit_filter new_filter;
> + int err;
>
> if (audit_fd < 0 || !filter) {
> - int err;
> -
> /*
> * Simulates audit_init_with_exe_filter() when called from
> * FIXTURE_TEARDOWN_PARENT().
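Review bot: hoisting `int err;` to function scope in audit_cleanup() makes the `audit_fd < 0 || !filter` branch and the later audit_set_status() call share one variable, and nothing visible in this hunk shows whether that branch, the one used from FIXTURE_TEARDOWN_PARENT(), falls through to the new disable call or returns first. If it can return early, teardown from the parent would leave audit enabled, which is the condition the commit message blames for the stray records. A sentence in the commit message or in the branch's existing comment stating that this path also ends with audit disabled would settle it.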
> @@ -518,12 +517,10 @@ static int audit_cleanup(int audit_fd, struct audit_filter *filter)
> audit_filter_exe(audit_fd, filter, AUDIT_DEL_RULE);
> audit_filter_drop(audit_fd, AUDIT_DEL_RULE);
>
> - /*
> - * Because audit_cleanup() might not be called by the test auditd
> - * process, it might not be possible to explicitly set it. Anyway,
> - * AUDIT_STATUS_ENABLED will implicitly be set to 0 when the auditd
> - * process will exit.
> - */
Please add a comment that explains that the audit state is not restored
but just disabled.
> + err = audit_set_status(audit_fd, AUDIT_STATUS_ENABLED, 0);
> + if (err)
> + return err;
> +
> return close(audit_fd);
FDs should always be closed.
> }
>
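Review bot: the `return err;` placed right after audit_set_status() skips `return close(audit_fd);`, so a failed status update leaves audit_fd open for the rest of the test process. Keep the result in `err`, call close(audit_fd) unconditionally, and return `err` when it is non-zero, otherwise the close() result. The deleted comment block is also not replaced: a short comment above the new call saying that audit is switched off here rather than restored to its earlier state would document the behaviour the commit message describes. The two audit_filter_*() calls just above still ignore their return values while the new call's is checked; either is defensible in cleanup code, but being consistent would make the intent clearer.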
> --
> 2.50.1