<html><head><meta http-equiv="content-type" content="text/html; charset=us-ascii"><style>body { line-height: 1.5; }blockquote { margin-top: 0px; margin-bottom: 0px; margin-left: 0.5em; }body { font-size: 14px; font-family: 'Microsoft YaHei UI'; color: rgb(0, 0, 0); line-height: 1.5; }</style></head><body>
<div><span></span>Thanks for your rewritten!</div>
<blockquote style="margin-Top: 0px; margin-Bottom: 0px; margin-Left: 0.5em; margin-Right: inherit"><div> </div><div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm"><div style="PADDING-RIGHT: 8px; PADDING-LEFT: 8px; FONT-SIZE: 12px;FONT-FAMILY:tahoma;COLOR:#000000; BACKGROUND: #efefef; PADDING-BOTTOM: 8px; PADDING-TOP: 8px"><div><b>From:</b> <a href="mailto:pvorel@suse.cz">Petr Vorel</a></div><div><b>Date:</b> 2021-01-19 20:33</div><div><b>To:</b> <a href="mailto:ltp@lists.linux.it">ltp</a></div><div><b>CC:</b> <a href="mailto:liuxp11@chinatelecom.cn">Xinpeng Liu</a>; <a href="mailto:chrubis@suse.cz">Cyril Hrubis</a>; <a href="mailto:joerg.vehlow@aox-tech.de">Joerg Vehlow</a>; <a href="mailto:jstancek@redhat.com">Jan Stancek</a>; <a href="mailto:pvorel@suse.cz">Petr Vorel</a></div><div><b>Subject:</b> [PATCH v2 1/1] fs/proc01.c: Whitelist attr and task files for apparmor and smack</div></div></div><div><div>From: Xinpeng Liu <liuxp11@chinatelecom.cn></div>
<div> </div>
<div>We are already whitelisting LSM files (/proc/self/attr/* and</div>
<div>/proc/self/task/[0-9]*/attr/*) since 2009. That's probably due the</div>
<div>default value for {g,s}etprocattr LSM_HOOK is -EINVAL when LSM module</div>
<div>not enabled.</div>
<div> </div>
<div>Both AppArmor and SMACK allow to read only</div>
<div>/proc/self/attr/apparmor/current, the rest return EINVAL.</div>
<div> </div>
<div>While reading /proc/self/attr/apparmor/current (for AppArmor) and</div>
<div>/proc/self/attr/current (for both AppArmor and SELinux) mostly work</div>
<div>(e.g. value contains unconfined), in some cases it's not working (e.g.</div>
<div>AppArmor module loaded, but filesystem is not mounted). Thus keep it</div>
<div>also disabled.</div>
<div> </div>
<div>Ubuntu 20.10 (AppArmor and SMACK enabled):</div>
<div>proc01 1 TFAIL : proc01.c:396: read failed: /proc/self/task/61595/attr/smack/current: errno=EINVAL(22): Invalid argument</div>
<div>proc01 2 TFAIL : proc01.c:396: read failed: /proc/self/task/61595/attr/apparmor/prev: errno=EINVAL(22): Invalid argument</div>
<div>proc01 3 TFAIL : proc01.c:396: read failed: /proc/self/task/61595/attr/apparmor/exec: errno=EINVAL(22): Invalid argument</div>
<div>proc01 4 TFAIL : proc01.c:396: read failed: /proc/self/attr/smack/current: errno=EINVAL(22): Invalid argument</div>
<div>proc01 5 TFAIL : proc01.c:396: read failed: /proc/self/attr/apparmor/prev: errno=EINVAL(22): Invalid argument</div>
<div>proc01 6 TFAIL : proc01.c:396: read failed: /proc/self/attr/apparmor/exec: errno=EINVAL(22): Invalid argument</div>
<div> </div>
<div>openSUSE (kernel 5.10.7, AppArmor enabled):</div>
<div>proc01 1 TFAIL : proc01.c:396: read failed: /proc/self/task/6367/attr/apparmor/prev: errno=EINVAL(22): Invalid argument</div>
<div>proc01 2 TFAIL : proc01.c:396: read failed: /proc/self/task/6367/attr/apparmor/exec: errno=EINVAL(22): Invalid argument</div>
<div>proc01 3 TFAIL : proc01.c:396: read failed: /proc/self/attr/apparmor/prev: errno=EINVAL(22): Invalid argument</div>
<div>proc01 4 TFAIL : proc01.c:396: read failed: /proc/self/attr/apparmor/exec: errno=EINVAL(22): Invalid argument</div>
<div> </div>
<div>+ While at it, fix a comparison warning.</div>
<div> </div>
<div>Reviewed-by: Joerg Vehlow <joerg.vehlow@aox-tech.de></div>
<div>Reviewed-by: Jan Stancek <jstancek@redhat.com></div>
<div>Reviewed-by: Petr Vorel <pvorel@suse.cz></div>
<div>Signed-off-by: Xinpeng Liu <liuxp11@chinatelecom.cn></div>
<div>[ pvorel: rewritten commit message ]</div>
<div>Signed-off-by: Petr Vorel <pvorel@suse.cz></div>
<div>---</div>
<div>Hi Liu, Jan,</div>
<div> </div>
<div>as we agreed with Cyril that this is a valid fix, I dared to do the</div>
<div>investigation and send v2 with improved commit message.</div>
<div> </div>
<div>Kind regards,</div>
<div>Petr</div>
<div> </div>
<div> testcases/kernel/fs/proc/proc01.c | 6 +++++-</div>
<div> 1 file changed, 5 insertions(+), 1 deletion(-)</div>
<div> </div>
<div>diff --git a/testcases/kernel/fs/proc/proc01.c b/testcases/kernel/fs/proc/proc01.c</div>
<div>index 96843695c..96441d153 100644</div>
<div>--- a/testcases/kernel/fs/proc/proc01.c</div>
<div>+++ b/testcases/kernel/fs/proc/proc01.c</div>
<div>@@ -63,7 +63,7 @@ static char *opt_maxmbytesstr;</div>
<div> static char *procpath = "/proc";</div>
<div> static const char selfpath[] = "/proc/self";</div>
<div> size_t buffsize = 1024;</div>
<div>-static long long maxbytes;</div>
<div>+static unsigned long long maxbytes;</div>
<div> </div>
<div> unsigned long long total_read;</div>
<div> unsigned int total_obj;</div>
<div>@@ -97,7 +97,11 @@ static const struct mapping known_issues[] = {</div>
<div> {"read", "/proc/self/mem", EIO},</div>
<div> {"read", "/proc/self/task/[0-9]*/mem", EIO},</div>
<div> {"read", "/proc/self/attr/*", EINVAL},</div>
<div>+ {"read", "/proc/self/attr/smack/*", EINVAL},</div>
<div>+ {"read", "/proc/self/attr/apparmor/*", EINVAL},</div>
<div> {"read", "/proc/self/task/[0-9]*/attr/*", EINVAL},</div>
<div>+ {"read", "/proc/self/task/[0-9]*/attr/smack/*", EINVAL},</div>
<div>+ {"read", "/proc/self/task/[0-9]*/attr/apparmor/*", EINVAL},</div>
<div> {"read", "/proc/self/ns/*", EINVAL},</div>
<div> {"read", "/proc/self/task/[0-9]*/ns/*", EINVAL},</div>
<div> {"read", "/proc/ppc64/rtas/error_log", EINVAL},</div>
<div>-- </div>
<div>2.30.0</div>
<div> </div>
</div></blockquote>
</body></html>