<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Does it mean that I should disable the files listed in
files_to_deny[] when using lxc-test-apparmor?</p>
<br>
<div class="moz-cite-prefix">On 2018-03-07 16:57, Hongzhi, Song
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:9c6ae59b-6015-acdd-bdb4-a25a30b7ddd6@windriver.com">
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<p>I have some confusion about source code of lxc-test-apparmor
defined in 'lxc/src/tests/aa.c'.</p>
<ul>
<li>The output of <code>lxc-test-apparmor</code></li>
</ul>
<pre><code> passed with /sys/kernel/uevent_helper
passed with /proc/sys/fs/file-nr
failed - opened /sys/kernel/mm/ksm/pages_to_scan
</code></pre>
<ul>
<li><code>ls -l /sys/kernel/uevent_helper</code></li>
<li><code>ls -l /sys/kernel/mm/ksm/pages_to_scan</code></li>
</ul>
<pre><code> root@intel-x86-64:# ls -l /sys/kernel/uevent_helper
ls: cannot access '/sys/kernel/uevent_helper': No such file or directory
root@intel-x86-64:# ls -l /sys/kernel/mm/ksm/pages_to_scan
-rw-r--r-- 1 root root 4096 Mar 6 19:17 /sys/kernel/mm/ksm/pages_to_scan
</code></pre>
<h4>Issue description</h4>
<p>As shown above, /sys/kernel/mm/ksm/pages_to_scan exists and
can be opened, but the error message says that opening it failed.<br>
I refer to the source code of lxc/src/tests/aa.c, branch master.</p>
<pre><code>108 char *files_to_deny[] = {
109     "/sys/kernel/uevent_helper",
110     "/proc/sys/fs/file-nr",
111     "/sys/kernel/mm/ksm/pages_to_scan",
112     "/proc/sys/kernel/sysrq",
113     NULL };
</code></pre>
<pre><code>115 static bool test_aa_policy(struct lxc_container *c)
116 {
117     int i, ret;
118
119     for (i = 0; files_to_deny[i]; i++) {
120         ret = do_test_file_open(c, files_to_deny[i]);
121         if (ret < 0) {
122             fprintf(stderr, "attach failed; skipping test\n");
123             return true;
124         }
125         if (ret > 0) {
126             fprintf(stderr, "failed - opened %s\n",
127                 files_to_deny[i]);
128             return false;
129         }
130         fprintf(stderr, "passed with %s\n", files_to_deny[i]);
131     }
......
</code></pre>
<pre><code> 63 static int do_test_file_open(struct lxc_container *c, char *fnam)
 64 {
 65     int fret = -1;
 66     int ret;
 67     pid_t pid;
 68     int pipefd[2];
 69     char result[1024];
 70     lxc_attach_options_t attach_options = LXC_ATTACH_OPTIONS_DEFAULT;
 71
 72     ret = pipe(pipefd);
 73     if (ret < 0) {
 74         fprintf(stderr, "pipe failed %d\n", ret);
 75         return fret;
 76     }
 77     attach_options.stdout_fd = pipefd[1];
 78     attach_options.attach_flags &= ~(LXC_ATTACH_LSM_EXEC|LXC_ATTACH_DROP_CAPABILITIES);
 79     attach_options.attach_flags |= LXC_ATTACH_LSM_NOW;
 80     ret = c->attach(c, test_attach_write_file, fnam, &attach_options, &pid);
......
 85
 86     ret = read(pipefd[0], result, sizeof(result)-1);
 87     if (ret < 0) {
 88         fprintf(stderr, "read failed %d\n", ret);
 89         goto err2;
 90     }
 91
 92     fret = 1;
 93     if (strncmp(result, "no", 2) == 0)
 94         fret = 0;
......
101     return fret;
102 }
</code></pre>
<pre><code> 41 static int test_attach_write_file(void* payload)
 42 {
 43     char *fnam = payload;
 44     FILE *f;
 45
 46     f = fopen(fnam, "w");
 47     if (f) {
 48         printf("yes\n");
 49         fclose(f);
 50         fflush(NULL);
 51         return 1;
 52     }
 53     printf("no\n");
 54     fflush(NULL);
 55     return 0;
 56 }
</code></pre>
<p>Lines 46-48: If one of the interfaces listed in files_to_deny[]
(line 108) is opened successfully, printf writes 'yes' into pipe[1].<br>
Line 86: Then pipe[0] reads out 'yes'.<br>
Lines 92-101: If result is 'yes', do_test_file_open() will return
1.<br>
Lines 125-128: If the return value of do_test_file_open() is 1, then
fprintf("failed - opened ...").<br>
So can anyone tell me why the files listed in files_to_deny[] exist
but the test prints fail?</p>
<p>Thanks.</p>
</blockquote>
<br>
</body>
</html>