From: Shuah Khan <shuahkh@osg.samsung.com>
To: Naresh Kamboju <naresh.kamboju@linaro.org>,
	luto@kernel.org, keescook@chromium.org
Cc: linux-kselftest@vger.kernel.org,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	Shuah Khan <shuahkh@osg.samsung.com>,
	Shuah Khan <shuah@kernel.org>
Subject: Re: selftests/capabilities: test FAIL on linux mainline and linux-next and PASS on linux-4.4.70+
Date: Tue, 27 Jun 2017 09:32:45 -0600
Message-ID: <72ee8828-c708-8889-b2c8-95fe3bb28117@osg.samsung.com>
In-Reply-To: <CA+G9fYtpFW+SHcaWCgt5ZAvPx3PO3x3nM+oRBUiOiQPbHVmw=w@mail.gmail.com>

Hi Naresh,

On 06/27/2017 02:40 AM, Naresh Kamboju wrote:
> selftest capabilities test failed on linux mainline and linux-next and
> PASS on linux-4.4.70+
> Tested on HiKey ARM64 Development board.
> 
> A bug reported in Linaro bug tracking system,
> LKFT: Capabilities test_execve fail Wrong effective state AT_SECURE is not set
> https://bugs.linaro.org/show_bug.cgi?id=2947
> 
> Please guide me to debug the reason for failure.
> Kernel config link,
> https://pastebin.com/P1uYmdMG
> 
> Linux version 4.12.0-rc7-00004-gda8b14e (buildslave@x86-64-08) (gcc
> version 6.2.1 20161016 (Linaro GCC 6.2-2016.11) ) #1 SMP PREEMPT Mon
> Jun 26 20:04:35 UTC 2017
> 
> Linux version 4.12.0-rc7-next-20170627 (buildslave@x86-64-07) (gcc
> version 6.2.1 20161016 (Linaro GCC 6.2-2016.11)) #1 SMP PREEMPT Tue
> Jun 27 06:33:39 UTC 2017
> 
> LAVA job id:
> https://lkft.validation.linaro.org/scheduler/job/4397#L1412
> 
> Running tests in capabilities
> ========================================
> [OK] Capabilities after execve were correct
> [OK] Capabilities after execve were correct
> [OK] Capabilities after execve were correct
> [OK] Capabilities after execve were correct
> [FAIL] Wrong effective state (AT_SECURE is not set)
> [OK] Capabilities after execve were correct
> [FAIL] Wrong ambient state (AT_SECURE is not set)
> [FAIL] Wrong ambient state (AT_SECURE is not set)
> [RUN] +++ Tests with uid == 0 +++
> [NOTE] Using global UIDs for tests
> [RUN] Root => ep
> [OK] Child succeeded
> [OK] Check cap_ambient manipulation rules
> [OK] PR_CAP_AMBIENT_RAISE failed on non-inheritable cap
> [OK] PR_CAP_AMBIENT_RAISE failed on non-permitted cap
> [OK] PR_CAP_AMBIENT_RAISE worked
> [OK] Basic manipulation appears to work
> [RUN] Root +i => eip
> [OK] Child succeeded
> [RUN] UID 0 +ia => eipa
> [OK] Child succeeded
> [RUN] Root +ia, suidroot => eipa
> [OK] Child succeeded

Okay the following appears to be the first difference
between the runs on the mainline and 4.4.74

In the uid != 0 case, these tests fail. Could it be that
there are security related changes to this area and the
tests need updates?

Kees/Andy: Do you have any insight?

thanks,
-- Shuah

------------------------------------
> [RUN] Root +ia, suidnonroot => ip
> [FAIL] Child failed
> [RUN] Root +ia, sgidroot => eipa
> [OK] Child succeeded
> [FAIL] Child failed
> [RUN] Root +ia, sgidnonroot => eip
> [FAIL] Child failed
-------------------------------------

> [OK] Capabilities after execve were correct
> [OK] Capabilities after execve were correct
> [OK] Capabilities after execve were correct
> [FAIL] Wrong effective state (AT_SECURE is not set)
> [FAIL] Child failed
> [FAIL] Child failed
> selftests: test_execve [FAIL]
> 
> capabilities test PASS on Linux-4.4.70+.
> 
> Running tests in capabilities
> ========================================
> case: step_after_suspend_test
> definition: 1_kselftest
> result: skip
> [OK] Capabilities after execve were correct
> [OK] Capabilities after execve were correct
> [OK] Capabilities after execve were correct
> [OK] Capabilities after execve were correct
> [OK] Capabilities after execve were correct
> [OK] Capabilities after execve were correct
> [OK] Capabilities after execve were correct
> [OK] Capabilities after execve were correct
> [RUN] +++ Tests with uid == 0 +++
> [NOTE] Using global UIDs for tests
> [RUN] Root => ep
> [OK] Child succeeded
> [OK] Check cap_ambient manipulation rules
> [OK] PR_CAP_AMBIENT_RAISE failed on non-inheritable cap
> [OK] PR_CAP_AMBIENT_RAISE failed on non-permitted cap
> [OK] PR_CAP_AMBIENT_RAISE worked
> [OK] Basic manipulation appears to work
> [RUN] Root +i => eip
> [OK] Child succeeded
> [RUN] UID 0 +ia => eipa
> [OK] Child succeeded
> [RUN] Root +ia, suidroot => eipa
> [OK] Child succeeded
> [RUN] Root +ia, suidnonroot => ip
> [OK] Child succeeded
> [RUN] Root +ia, sgidroot => eipa
> [OK] Child succeeded
> [OK] Child succeeded
> [RUN] Root +ia, sgidnonroot => eip
> [OK] Child succeeded
> [OK] Capabilities after execve were correct
> [OK] Capabilities after execve were correct
> [OK] Capabilities after execve were correct
> [OK] Capabilities after execve were correct
> [OK] Child succeeded
> [OK] Child succeeded
> selftests: test_execve [PASS]
> 
> Thanks and best regards,
> Naresh Kamboju
> 
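
A diagnostic for the kind of failure reported above (added here; it is not part of the thread or of the kselftest sources): it prints the uid/gid pairs, the `AT_SECURE` auxv entry and the capability masks the current process sees, so the state after an `execve` can be compared between two kernels. `parse_cap_field` is a hypothetical helper name; the `Cap*` fields of `/proc/self/status` and `getauxval(AT_SECURE)` are standard Linux/glibc interfaces.

```c
/* Added diagnostic example: report AT_SECURE and capability masks. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/auxv.h>

/* Extract a hex capability mask (e.g. "CapAmb") from /proc/<pid>/status
 * text. Returns 0 on success, -1 if the field is absent or malformed. */
int parse_cap_field(const char *status, const char *field,
                    unsigned long long *mask)
{
    size_t flen = strlen(field);
    const char *line = status;

    while (line && *line) {
        if (strncmp(line, field, flen) == 0 && line[flen] == ':') {
            const char *val = line + flen + 1;
            char *end;
            *mask = strtoull(val, &end, 16); /* skips the leading tab */
            return end == val ? -1 : 0;
        }
        line = strchr(line, '\n');           /* advance to the next line */
        if (line)
            line++;
    }
    return -1;
}

int main(void)
{
    static const char *fields[] = { "CapInh", "CapPrm", "CapEff",
                                    "CapBnd", "CapAmb" };
    char buf[8192];
    unsigned long long mask;
    FILE *f = fopen("/proc/self/status", "r");

    if (!f) { perror("/proc/self/status"); return 1; }
    buf[fread(buf, 1, sizeof(buf) - 1, f)] = '\0';
    fclose(f);

    /* The kernel sets AT_SECURE to nonzero for secure-execution mode. */
    printf("uid=%d euid=%d gid=%d egid=%d AT_SECURE=%lu\n", (int)getuid(),
           (int)geteuid(), (int)getgid(), (int)getegid(), getauxval(AT_SECURE));
    for (size_t i = 0; i < sizeof(fields) / sizeof(fields[0]); i++)
        if (parse_cap_field(buf, fields[i], &mask) == 0)
            printf("%s=%016llx\n", fields[i], mask);
    return 0;
}
```

Running the same binary on the passing and the failing kernel, both directly and as a setuid or setgid copy, shows which of these values differs between them.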

Thread overview: 13+ messages
2017-06-27  8:40 selftests/capabilities: test FAIL on linux mainline and linux-next and PASS on linux-4.4.70+ Naresh Kamboju
2017-06-27 15:13 ` Greg KH
2017-06-27 15:16   ` Greg KH
2017-06-27 15:48     ` Paul Elder
2017-06-27 23:16     ` Shuah Khan
2017-06-28  4:35       ` Kees Cook
2017-06-28 21:21         ` Andy Lutomirski
2017-06-29 14:02           ` Eric W. Biederman
2017-06-29 14:23             ` Eric W. Biederman
2017-06-29 15:39               ` Andy Lutomirski
2017-06-29 16:26                 ` Eric W. Biederman
2017-06-27 15:32 ` Shuah Khan [this message]
2017-06-27 15:40   ` Shuah Khan
