Merge tests/regression/apparmor/syscall.sh: fail iopl/ioperm with lockdown

When kernel lockdown is enabled the ioperm and iopl tests will fail regardless
since lockdown prevents these syscalls before AppArmor has a chance to mediate
them. So work around this by detecting when lockdown is enabled and expect the
tests to fail in that case.

Fixes issue #226.

Signed-off-by: Alex Murray <alex.murray@canonical.com>

Closes #226
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1063
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
John Johansen 2023-07-04 06:52:33 +00:00
commit 7393aaac21

@ -150,13 +150,19 @@ i386 | i486 | i586 | i686 | x86 | x86_64)
# But don't run them on xen kernels
if [ ! -d /proc/xen ] ; then
# lockdown thwarts both ioperm and iopl
expected=pass
if [ -f /sys/kernel/security/lockdown ] && ! grep -q "\[none\]" /sys/kernel/security/lockdown; then
expected=fail
fi
##
## F. IOPERM
##
settest syscall_ioperm
# TEST F1
runchecktest "IOPERM (no confinement)" pass 0 0x3ff
runchecktest "IOPERM (no confinement)" $expected 0 0x3ff
# TEST F2. ioperm will fail
genprofile
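Review bot: the negated match in `! grep -q "\[none\]" /sys/kernel/security/lockdown` is also true when grep fails for any other reason, for example a read error on the securityfs file, so an unknown lockdown state silently becomes expected=fail. The `-f` guard only covers the case where the file is missing. Consider reading the file once into a variable and setting expected=fail only when the read succeeded and the bracketed mode is something other than `[none]`, so that an unreadable file is reported rather than folded into the lockdown case. It would also help to quote "$expected" at the runchecktest call and to put the reason into the test description when lockdown is active, since "IOPERM (no confinement)" with an expected failure gives no hint in the test log of why failure is the correct outcome.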
@ -169,7 +175,7 @@ runchecktest "IOPERM (confinement)" fail 0 0x3ff
settest syscall_iopl
# TEST G1
runchecktest "IOPL (no confinement)" pass 3
runchecktest "IOPL (no confinement)" $expected 3
# TEST G2. iopl will fail
genprofile
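Review bot: with `runchecktest "IOPL (no confinement)" $expected 3` expecting fail under lockdown, G1 and G2 (like F1 and F2 above) both expect failure on a locked-down kernel, so the pair can no longer tell an AppArmor denial from a lockdown denial and the confined cases pass without exercising mediation at all. That may be acceptable for a workaround, but it deserves a comment next to the "will fail" tests, or the confined cases could be skipped with a visible message when lockdown is active. Note also that `$expected` is assigned once above the IOPERM section and reused here; a short comment at this call pointing back to the lockdown check, or a more specific variable name, would keep the dependency visible if the sections are ever reordered.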