Okay, thanks to jj for providing kernels, I've now reproduced this in zesty with his patch set applied.
It's failing in the 'confined/complain' tests. There's a bug in the environ.c test that prevents the test harness from detecting/reporting the failure correctly. When that's fixed, the output looks like:
ok: ENVIRON (elf): ux & regular env
ok: ENVIRON (elf): ux & sensitive env
ok: ENVIRON (elf): Ux & regular env
ok: ENVIRON (elf): Ux & sensitive env
ok: ENVIRON (elf): ix & regular env
ok: ENVIRON (elf): ix & sensitive env
ok: ENVIRON (elf): px & regular env
ok: ENVIRON (elf): px & sensitive env
ok: ENVIRON (elf): Px & regular env
ok: ENVIRON (elf): Px & sensitive env
ok: ENVIRON (elf): unconfined --> confined & regular env
ok: ENVIRON (elf): unconfined --> confined & sensitive env
Error: environ failed. Test 'ENVIRON (elf): confined/complain & regular env' was expected to 'pass'. Reason for failure 'FAIL: child failed'
Error: environ failed. Test 'ENVIRON (elf): confined/complain & sensitive env' was expected to 'pass'. Reason for failure 'FAIL: child failed'
ok: ENVIRON (shell script): ux & regular env
ok: ENVIRON (shell script): ux & sensitive env
ok: ENVIRON (shell script): Ux & regular env
ok: ENVIRON (shell script): Ux & sensitive env
ok: ENVIRON (shell script): px & regular env
ok: ENVIRON (shell script): px & sensitive env
ok: ENVIRON (shell script): Px & regular env
ok: ENVIRON (shell script): Px & sensitive env
ok: ENVIRON (shell script): ix & regular env
ok: ENVIRON (shell script): ix & sensitive env
ok: ENVIRON (shell script): unconfined --> confined & regular env
ok: ENVIRON (shell script): unconfined --> confined & sensitive env
Error: environ failed. Test 'ENVIRON (shell script): confined/complain & regular env' was expected to 'pass'. Reason for failure 'FAIL: child failed'
Error: environ failed. Test 'ENVIRON (shell script): confined/complain & sensitive env' was expected to 'pass'. Reason for failure 'FAIL: child failed'
ok: ENVIRON (elf): unconfined setuid helper
ok: ENVIRON (elf): unconfined setuid helper
Examining the individual test, the environ program is attempting to run the env_check program while confined by a complain mode profile, but is not permitted to do so. From strace output:
[pid 5706] execve("/home/ubuntu/tmp/apparmor-2.10.95/tests/regression/apparmor/env_check", ["/home/ubuntu/tmp/apparmor-2.10.9"..., "FOO=BAR"], [/* 24 vars */]) = -1 EACCES (Permission denied)
The apparmor audit message is correctly claiming that it's allowing it (but isn't permitted by the loaded policy):
[ 1726.404464] audit: type=1400 audit(1485991672.366:348): apparmor="ALLOWED" operation="exec" profile="/home/ubuntu/tmp/apparmor-2.10.95/tests/regression/apparmor/environ" name="/home/ubuntu/tmp/apparmor-2.10.95/tests/regression/apparmor/env_check" pid=5700 comm="environ" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000 target="/home/ubuntu/tmp/apparmor-2.10.95/tests/regression/apparmor/environ//null-/home/ubuntu/tmp/apparmor-2.10.95/tests/regression/apparmor/env_check"
but that doesn't seem to be the case. So I think there's something wonky in John's patch set.
John, can you take a look at what's going on?
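As an added example (not part of this comment or of the AppArmor test suite), a small Python check that parses a type=1400 audit record and the matching strace execve line and flags the contradiction described above: an exec logged as ALLOWED into a complain-mode null- profile that nevertheless fails with EACCES. The sample lines are constructed with shortened paths.

```python
import re

# Constructed sample records (shortened paths, not copied from a real host):
# an AppArmor type=1400 exec record in complain mode and the strace execve
# line for the same exec attempt.
AUDIT_LINE = (
    '[ 1726.404464] audit: type=1400 audit(1485991672.366:348): '
    'apparmor="ALLOWED" operation="exec" profile="/tmp/t/environ" '
    'name="/tmp/t/env_check" pid=5700 comm="environ" requested_mask="x" '
    'denied_mask="x" fsuid=1000 ouid=1000 '
    'target="/tmp/t/environ//null-/tmp/t/env_check"'
)
STRACE_LINE = (
    '[pid 5706] execve("/tmp/t/env_check", ["/tmp/t/env_check", "FOO=BAR"], '
    '[/* 24 vars */]) = -1 EACCES (Permission denied)'
)

# key=value pairs; a value is either double-quoted or a bare token
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# execve("path", argv, envp) = <ret> [<ERRNO> (...)]
EXECVE_RE = re.compile(r'execve\("([^"]+)",.*\)\s*=\s*(-?\d+)(?:\s+(E[A-Z]+))?')


def parse_audit(line):
    """Return the key=value fields of an AppArmor audit record as a dict."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def parse_execve(line):
    """Extract path, return value and errno name from a strace execve line."""
    m = EXECVE_RE.search(line)
    if m is None:
        return None
    return {"path": m.group(1), "ret": int(m.group(2)), "errno": m.group(3)}


def complain_exec_mismatch(audit, execve):
    """True when AppArmor logged the exec as ALLOWED into a complain-mode
    null- profile, yet the execve for the same path still failed. Complain
    mode should permit and merely log an unmatched exec, so this combination
    points at the kernel mediation rather than at the loaded policy."""
    if audit.get("apparmor") != "ALLOWED" or audit.get("operation") != "exec":
        return False
    if "//null-" not in audit.get("target", ""):
        return False  # not a complain-mode fallback transition: nothing to compare
    return (execve is not None
            and execve["path"] == audit.get("name")
            and execve["ret"] < 0)
```

The pids differ between the two records on this page (audit pid vs. strace pid), so the check correlates on the exec'd path rather than on pid.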