From cd67638618fd95030f42b7e869bd3dadad4c5c73 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Mon, 27 Apr 2026 16:33:47 +0200 Subject: [PATCH] runtime-rs: hypervisor: don't assert kernel LSM behaviour in selinux test MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit `selinux::tests::test_set_exec_label` had two branches: when SELinux is enabled it asserts that `set_exec_label` succeeds and round-trips the label through `/proc/thread-self/attr/exec`, and when SELinux is NOT enabled it asserted that `set_exec_label` returns `Err`. The second assertion is wrong -- it's a claim about the kernel/LSM interface, not about `set_exec_label` itself. `/proc/thread-self/attr/exec` is a generic LSM interface, not SELinux-specific. When no LSM owns the slot, kernel behaviour is arch/distro/build dependent: some kernels return `EINVAL` (observed on x86_64 Ubuntu CI runners, where the test was originally written and was passing), others silently accept the write (observed on ppc64le Ubuntu CI runners, which is what made this surface): thread 'selinux::tests::test_set_exec_label' panicked at src/runtime-rs/crates/hypervisor/src/selinux.rs:62:13: Expecting error, Got Ok(()) The reason this never blew up before is that the previous-but-one commit's `ifeq UNSUPPORTED_ARCHS ... exit 0` block in the runtime-rs `Makefile` made `make test` a no-op on s390x/ppc64le/riscv64gc. Dropping that gate (so `make test` actually runs on every arch that runtime-rs builds on) is what surfaced the latent bug. Drop the `else { assert!(ret.is_err(), ...); }` branch and replace it with a comment explaining why we deliberately don't assert on `ret` in that path. The "SELinux is enabled" branch is the only side that exercises anything we own; the no-SELinux path is a kernel detail that's not ours to normalize. Made-with: Cursor Signed-off-by: Fabiano FidĂȘncio Made-with: Cursor --- src/runtime-rs/crates/hypervisor/src/selinux.rs | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/src/runtime-rs/crates/hypervisor/src/selinux.rs b/src/runtime-rs/crates/hypervisor/src/selinux.rs index 44cb3ce42d..72541bf760 100644 --- a/src/runtime-rs/crates/hypervisor/src/selinux.rs +++ b/src/runtime-rs/crates/hypervisor/src/selinux.rs @@ -58,8 +58,15 @@ mod tests { } let label = std::fs::read_to_string(attr_path).unwrap(); assert_eq!(label.trim_end_matches('\0'), TEST_LABEL); - } else { - assert!(ret.is_err(), "Expecting error, Got {:?}", ret); } + // When SELinux is not enabled, deliberately don't assert on `ret`. + // /proc/thread-self/attr/exec is a generic LSM interface, not + // SELinux-specific, and the kernel's behaviour when no LSM owns + // the slot varies by arch/distro/build: some kernels return + // EINVAL (observed on x86_64 Ubuntu CI runners), others silently + // accept the write (observed on ppc64le Ubuntu CI runners). + // Either is fine -- it's a kernel-side detail, not something + // set_exec_label() can or should normalize, so all we can + // meaningfully require here is that the call doesn't panic. } }