On 06/27/2017 09:32 AM, Shuah Khan wrote:
> Hi Naresh,
>
> On 06/27/2017 02:40 AM, Naresh Kamboju wrote:
>> selftest capabilities test failed on linux mainline and linux-next and
>> PASS on linux-4.4.70+
>> Tested on HiKey ARM64 Development board.
>>
>> A bug reported in Linaro bug tracking system,
>> LKFT: Capabilities test_execve fail Wrong effective state AT_SECURE is not set
>> https://bugs.linaro.org/show_bug.cgi?id=2947
>>
>> Please guide me to debug the reason for failure.
>> Kernel config link,
>> https://pastebin.com/P1uYmdMG
>>
>> Linux version 4.12.0-rc7-00004-gda8b14e (buildslave@x86-64-08) (gcc
>> version 6.2.1 20161016 (Linaro GCC 6.2-2016.11) ) #1 SMP PREEMPT Mon
>> Jun 26 20:04:35 UTC 2017
>>
>> Linux version 4.12.0-rc7-next-20170627 (buildslave@x86-64-07) (gcc
>> version 6.2.1 20161016 (Linaro GCC 6.2-2016.11)) #1 SMP PREEMPT Tue
>> Jun 27 06:33:39 UTC 2017
>>
>> LAVA job id:
>> https://lkft.validation.linaro.org/scheduler/job/4397#L1412
>>
>> Running tests in capabilities
>> ========================================
>> [OK] Capabilities after execve were correct
>> [OK] Capabilities after execve were correct
>> [OK] Capabilities after execve were correct
>> [OK] Capabilities after execve were correct
>> [FAIL] Wrong effective state (AT_SECURE is not set)
>> [OK] Capabilities after execve were correct
>> [FAIL] Wrong ambient state (AT_SECURE is not set)
>> [FAIL] Wrong ambient state (AT_SECURE is not set)
>> [RUN] +++ Tests with uid == 0 +++
>> [NOTE] Using global UIDs for tests
>> [RUN] Root => ep
>> [OK] Child succeeded
>> [OK] Check cap_ambient manipulation rules
>> [OK] PR_CAP_AMBIENT_RAISE failed on non-inheritable cap
>> [OK] PR_CAP_AMBIENT_RAISE failed on non-permitted cap
>> [OK] PR_CAP_AMBIENT_RAISE worked
>> [OK] Basic manipulation appears to work
>> [RUN] Root +i => eip
>> [OK] Child succeeded
>> [RUN] UID 0 +ia => eipa
>> [OK] Child succeeded
>> [RUN] Root +ia, suidroot => eipa
>> [OK] Child succeeded
>
> Okay the following appears to be the first difference
> between the runs on the mainline and 4.4.74
>
> When uid != 0 case, these tests fail. Could it be that
> there are security related changes to this area and the
> tests need updates? uid is still 0!
>
> Kees/Andy: Do you have any insight
>

Sorry hit return too soon. There is no change to the test itself.
I wonder if this is new in mainline or the failure occurs in 4.11 -
I am building stables now, I will try the test on 4.9 and 4.11 and
see how it behaves and let you know.

>
> ------------------------------------
>> [RUN] Root +ia, suidnonroot => ip
>> [FAIL] Child failed
>> [RUN] Root +ia, sgidroot => eipa
>> [OK] Child succeeded
>> [FAIL] Child failed
>> [RUN] Root +ia, sgidnonroot => eip
>> [FAIL] Child failed
> -------------------------------------
>
>> [OK] Capabilities after execve were correct
>> [OK] Capabilities after execve were correct
>> [OK] Capabilities after execve were correct
>> [FAIL] Wrong effective state (AT_SECURE is not set)
>> [FAIL] Child failed
>> [FAIL] Child failed
>> selftests: test_execve [FAIL]
>>
>> capabilities test PASS on Linux-4.4.70+.
>>
>> Running tests in capabilities
>> ========================================
>> case: step_after_suspend_test
>> definition: 1_kselftest
>> result: skip
>> [OK] Capabilities after execve were correct
>> [OK] Capabilities after execve were correct
>> [OK] Capabilities after execve were correct
>> [OK] Capabilities after execve were correct
>> [OK] Capabilities after execve were correct
>> [OK] Capabilities after execve were correct
>> [OK] Capabilities after execve were correct
>> [OK] Capabilities after execve were correct
>> [RUN] +++ Tests with uid == 0 +++
>> [NOTE] Using global UIDs for tests
>> [RUN] Root => ep
>> [OK] Child succeeded
>> [OK] Check cap_ambient manipulation rules
>> [OK] PR_CAP_AMBIENT_RAISE failed on non-inheritable cap
>> [OK] PR_CAP_AMBIENT_RAISE failed on non-permitted cap
>> [OK] PR_CAP_AMBIENT_RAISE worked
>> [OK] Basic manipulation appears to work
>> [RUN] Root +i => eip
>> [OK] Child succeeded
>> [RUN] UID 0 +ia => eipa
>> [OK] Child succeeded
>> [RUN] Root +ia, suidroot => eipa
>> [OK] Child succeeded
>> [RUN] Root +ia, suidnonroot => ip
>> [OK] Child succeeded
>> [RUN] Root +ia, sgidroot => eipa
>> [OK] Child succeeded
>> [OK] Child succeeded
>> [RUN] Root +ia, sgidnonroot => eip
>> [OK] Child succeeded
>> [OK] Capabilities after execve were correct
>> [OK] Capabilities after execve were correct
>> [OK] Capabilities after execve were correct
>> [OK] Capabilities after execve were correct
>> [OK] Child succeeded
>> [OK] Child succeeded
>> selftests: test_execve [PASS]
>>
>> Thanks and best regards,
>> Naresh Kamboju
>>
>