github/kata-containers
1
0
Fork 2
mirror of https://github.com/kata-containers/kata-containers.git synced 2026-05-04 04:00:07 +00:00
Code Issues Projects Releases Wiki Activity

runtime-rs: hypervisor: don't assert kernel LSM behaviour in selinux test

Browse Source 
`selinux::tests::test_set_exec_label` had two branches: when SELinux
is enabled it asserts that `set_exec_label` succeeds and round-trips
the label through `/proc/thread-self/attr/exec`, and when SELinux is
NOT enabled it asserted that `set_exec_label` returns `Err`. The
second assertion is wrong -- it's a claim about the kernel/LSM
interface, not about `set_exec_label` itself.

`/proc/thread-self/attr/exec` is a generic LSM interface, not
SELinux-specific. When no LSM owns the slot, kernel behaviour is
arch/distro/build dependent: some kernels return `EINVAL` (observed
on x86_64 Ubuntu CI runners, where the test was originally written
and was passing), others silently accept the write (observed on
ppc64le Ubuntu CI runners, which is what made this surface):

  thread 'selinux::tests::test_set_exec_label' panicked at
  src/runtime-rs/crates/hypervisor/src/selinux.rs:62:13:
  Expecting error, Got Ok(())

The reason this never blew up before is that the previous-but-one
commit's `ifeq UNSUPPORTED_ARCHS ... exit 0` block in the runtime-rs
`Makefile` made `make test` a no-op on s390x/ppc64le/riscv64gc.
Dropping that gate (so `make test` actually runs on every arch
that runtime-rs builds on) is what surfaced the latent bug.

Drop the `else { assert!(ret.is_err(), ...); }` branch and replace
it with a comment explaining why we deliberately don't assert on
`ret` in that path. The "SELinux is enabled" branch is the only
side that exercises anything we own; the no-SELinux path is a
kernel detail that's not ours to normalize.

Made-with: Cursor
Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
Made-with: Cursor
This commit is contained in:
Fabiano Fidêncio
2026-04-27 16:33:47 +02:00
parent 8ab97a60f3
commit cd67638618
1 changed files with 9 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
src/runtime-rs/crates/hypervisor/src/selinux.rs
View File

@@ -58,8 +58,15 @@ mod tests {
}
let label = std::fs::read_to_string(attr_path).unwrap();
assert_eq!(label.trim_end_matches('\0'), TEST_LABEL);
} else {
assert!(ret.is_err(), "Expecting error, Got {:?}", ret);
}
// When SELinux is not enabled, deliberately don't assert on `ret`.
// /proc/thread-self/attr/exec is a generic LSM interface, not
// SELinux-specific, and the kernel's behaviour when no LSM owns
// the slot varies by arch/distro/build: some kernels return
// EINVAL (observed on x86_64 Ubuntu CI runners), others silently
// accept the write (observed on ppc64le Ubuntu CI runners).
// Either is fine -- it's a kernel-side detail, not something
// set_exec_label() can or should normalize, so all we can
// meaningfully require here is that the call doesn't panic.
}
}