[PATCH] selftests/landlock: skip ptrace_test when YAMA is enabled
Jeff Xu
jeffxu at google.com
Fri Jul 15 21:41:52 UTC 2022
Jeff Xu <jeffxu at google.com>
> Jul 14, 2022, 5:35 PM (20 hours ago)
> to Guenter, Mickaël, linux-security-module, Jorge, Guenter, Kees
> > On Thu, Jul 14, 2022 at 11:37 AM Jeff Xu <jeffxu at google.com> wrote:
> > >
> > > > > > Hmm, well, it is not related to Yama then. Could it be linked to other
> > > > > > Chromium OS non-upstream patches?
> > > > >
> > > > >
> > > > > fs_test.c 47 and 48 are failing in chromeOS because OVERLAYFS is not
> > > > > enabled in chromeOS.
> > > > > If there is a reliable way of detecting OVERLAYFS (checking mount
> > > > > overlayfs is successful ? ), this is a good candidate to add SKIP.
> > > > >
> > >
> > > > IS_ENABLED(CONFIG_OVERLAY_FS) ?
> > >
> > > Could be. Landlock selftest currently is a user space program though,
> > > IS_ENABLED will depend on the kernel header during compile time.
> > >
> > Ah, sorry, I thought it was an in-kernel test. Userspace should be
> > able to determine if overlayfs is supported by checking /sys/fs/ or
> > possibly /proc/fs/.
> Thanks for clarifying.
> lsmod might be the one, such as:
> lsmod | grep overlayfs
I built a kernel with overlayfs on chromeos, and lsmod didn't give me
what I wanted.
/sys/fs and /proc/fs also doesn't show anything about overlayfs
@Mickaël Salaün
Are you OK with SKIP the overlay test when mount("overlay",...) fails
in FIXTURE_SETUP() ? Mount failure can be used as an indication.
Jeff
On Thu, Jul 14, 2022 at 5:35 PM Jeff Xu <jeffxu at google.com> wrote:
>
> > On Thu, Jul 14, 2022 at 11:37 AM Jeff Xu <jeffxu at google.com> wrote:
> > >
> > > > > > Hmm, well, it is not related to Yama then. Could it be linked to other
> > > > > > Chromium OS non-upstream patches?
> > > > >
> > > > >
> > > > > fs_test.c 47 and 48 are failing in chromeOS because OVERLAYFS is not
> > > > > enabled in chromeOS.
> > > > > If there is a reliable way of detecting OVERLAYFS (checking mount
> > > > > overlayfs is successful ? ), this is a good candidate to add SKIP.
> > > > >
> > >
> > > > IS_ENABLED(CONFIG_OVERLAY_FS) ?
> > >
> > > Could be. Landlock selftest currently is a user space program though,
> > > IS_ENABLED will depend on the kernel header during compile time.
> > >
>
>
> > Ah, sorry, I thought it was an in-kernel test. Userspace should be
> > able to determine if overlayfs is supported by checking /sys/fs/ or
> > possibly /proc/fs/.
>
> Thanks for clarifying.
>
> lsmod might be the one, such as:
> lsmod | grep overlayfs
>
>
> Thanks
> Jeff
>
>
>
> On Thu, Jul 14, 2022 at 1:40 PM Guenter Roeck <groeck at google.com> wrote:
> >
> > On Thu, Jul 14, 2022 at 11:37 AM Jeff Xu <jeffxu at google.com> wrote:
> > >
> > > > > > Hmm, well, it is not related to Yama then. Could it be linked to other
> > > > > > Chromium OS non-upstream patches?
> > > > >
> > > > >
> > > > > fs_test.c 47 and 48 are failing in chromeOS because OVERLAYFS is not
> > > > > enabled in chromeOS.
> > > > > If there is a reliable way of detecting OVERLAYFS (checking mount
> > > > > overlayfs is successful ? ), this is a good candidate to add SKIP.
> > > > >
> > >
> > > > IS_ENABLED(CONFIG_OVERLAY_FS) ?
> > >
> > > Could be. Landlock selftest currently is a user space program though,
> > > IS_ENABLED will depend on the kernel header during compile time.
> > >
> >
> > Ah, sorry, I thought it was an in-kernel test. Userspace should be
> > able to determine if overlayfs is supported by checking /sys/fs/ or
> > possibly /proc/fs/.
> >
> > Guenter
> >
> > >
> > > On Wed, Jul 13, 2022 at 5:30 PM Guenter Roeck <groeck at google.com> wrote:
> > > >
> > > > On Wed, Jul 13, 2022 at 4:44 PM Jeff Xu <jeffxu at google.com> wrote:
> > > > >
> > > > > > > a correction:
> > > > > > >
> > > > > > > =====================================
> > > > > > > case 0 - classic ptrace permissions: a process can PTRACE_ATTACH to
> > > > > > > any other
> > > > > > > process running under the same uid, as long as it is dumpable (i.e.
> > > > > > > did not transition uids, start privileged, or have called
> > > > > > > prctl(PR_SET_DUMPABLE...) already). Similarly, PTRACE_TRACEME is
> > > > > > > unchanged.
> > > > > > >
> > > > > > > Test: All passing
> > > > > > >
> > > > > > > // Base_test: 7/7 pass.
> > > > > > > // Fs_test 46/48 pass
> > > > > > > //. not ok 47 layout2_overlay.no_restriction
> > > > > > > //. not ok 48 layout2_overlay.same_content_different_file
> > > > > > > // Ptrace 8/8 pass
> > > > >
> > > > >
> > > > > > Hmm, well, it is not related to Yama then. Could it be linked to other
> > > > > > Chromium OS non-upstream patches?
> > > > >
> > > > >
> > > > > fs_test.c 47 and 48 are failing in chromeOS because OVERLAYFS is not
> > > > > enabled in chromeOS.
> > > > > If there is a reliable way of detecting OVERLAYFS (checking mount
> > > > > overlayfs is successful ? ), this is a good candidate to add SKIP.
> > > > >
> > > >
> > > > IS_ENABLED(CONFIG_OVERLAY_FS) ?
> > > >
> > > > > Overall, all the failure of landlock selftest seen in chromeOS are
> > > > > expected, we just need to modify the test.
> > > > >
> > > > > Thanks
> > > > > Best Regards
> > > > > Jeff
> > > > >
> > > > >
> > > > >
> > > > > On Thu, Jul 7, 2022 at 7:25 AM Mickaël Salaün <mic at digikod.net> wrote:
> > > > > >
> > > > > >
> > > > > > On 07/07/2022 01:35, Jeff Xu wrote:
> > > > > > > a correction:
> > > > > > >
> > > > > > > =====================================
> > > > > > > case 0 - classic ptrace permissions: a process can PTRACE_ATTACH to
> > > > > > > any other
> > > > > > > process running under the same uid, as long as it is dumpable (i.e.
> > > > > > > did not transition uids, start privileged, or have called
> > > > > > > prctl(PR_SET_DUMPABLE...) already). Similarly, PTRACE_TRACEME is
> > > > > > > unchanged.
> > > > > > >
> > > > > > > Test: All passing
> > > > > > >
> > > > > > > // Base_test: 7/7 pass.
> > > > > > > // Fs_test 46/48 pass
> > > > > > > //. not ok 47 layout2_overlay.no_restriction
> > > > > > > //. not ok 48 layout2_overlay.same_content_different_file
> > > > > > > // Ptrace 8/8 pass
> > > > > >
> > > > > > Hmm, well, it is not related to Yama then. Could it be linked to other
> > > > > > Chromium OS non-upstream patches?
More information about the Linux-security-module-archive
mailing list