Regression tests cannot write to apparmor path_max module parameter in artful/4.11
Bug #1692543 reported by Seth Forshee
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
apparmor (Ubuntu) | New | Undecided | Unassigned |
Bug Description
The longpath regression test tries to write to /sys/module/
commit cdc8e09e16bb7eb
Author: John Johansen <email address hidden>
Date: Thu Apr 6 05:14:20 2017 -0700
apparmor: Make path_max parameter readonly
This is causing ADT to fail.
running longpath
longpath.sh: line 53: /sys/module/
Fatal Error (longpath): Unexpected shell error. Run with -x to debug
This is caused by a change made upstream in the 4.11 kernel, which forbids writing the buffer size parameter after boot. The change to boot time preallocated work buffers made this parameter useless, but 4.11 only partially merged that work, making writing the buffer size an attack vector on the kernel memory, and with user namespaces enabled any user could exploit it. Hence a follow-on patch to make the buffer size read-only after boot.
We have 2 choices for dealing with this, either fix the regression tests OR we can virtualize the buffer size parameter per namespace, capping the virtualized size by what was allocated at boot.