From: Ondrej Mosnacek <omosnace@redhat.com>
To: git-commits@fedoraproject.org
Subject: [tests/selinux] main: kernel/overlayfs-mmap-bugs: test for execmem regression
Date: Wed, 17 Jun 2026 19:36:08 GMT	[thread overview]
Message-ID: <178172496850.1.9180609822408951732.tests-selinux-bcf00d44c626@fedoraproject.org> (raw)

            A new commit has been pushed.

            Repo   : tests/selinux
            Branch : main
            Commit : bcf00d44c6262a160a2ba67805542dfe260a7119
            Author : Ondrej Mosnacek <omosnace@redhat.com>
            Date   : 2026-06-16T13:44:16+02:00
            Stats  : +36/-16 in 4 file(s)
            URL    : https://src.fedoraproject.org/tests/selinux/c/bcf00d44c6262a160a2ba67805542dfe260a7119?branch=main

            Log:
            kernel/overlayfs-mmap-bugs: test for execmem regression

The original CVE fix has a bug in that it incorrectly checks the execmem
permission against the mounter domain. Add a case for this regression to
the test so that its fix can be verified.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>

---
diff --git a/kernel/overlayfs-mmap-bugs/main.fmf b/kernel/overlayfs-mmap-bugs/main.fmf
index dddb9db..8ff2402 100644
--- a/kernel/overlayfs-mmap-bugs/main.fmf
+++ b/kernel/overlayfs-mmap-bugs/main.fmf
@@ -1,7 +1,7 @@
 summary: Regression test for overlayfs mmap/mprotect bugs
 description: |
-  Tests various scenarios with overlayfs and mmap/mprotect syscalls.
-  This also covers CVE-2026-46054.
+    Tests various scenarios with overlayfs and mmap/mprotect syscalls.
+    This also covers CVE-2026-46054.
 contact: Ondrej Mosnacek <omosnace@redhat.com>
 component:
   - kernel
@@ -13,10 +13,15 @@ duration: 5m
 tier: 2
 enabled: true
 link:
-  - verifies: https://issues.redhat.com/browse/RHEL-127505
+  - verifies: https://redhat.atlassian.net/browse/RHEL-127505
   - verifies: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2026-46054
+  - verifies: https://redhat.atlassian.net/browse/RHEL-185115
+  - verifies: https://redhat.atlassian.net/browse/RHEL-185117
+  - verifies: https://redhat.atlassian.net/browse/RHEL-185118
 environment:
-  AVC_ERROR: +no_avc_check
+    AVC_ERROR: +no_avc_check
 check:
   - how: avc
     result: xfail
+extra-nitrate: TC#0620043
+id: 2ee56bc8-01f3-4b77-8cdb-494ad9a12451

diff --git a/kernel/overlayfs-mmap-bugs/map_access.c b/kernel/overlayfs-mmap-bugs/map_access.c
index 9300365..0bd4530 100644
--- a/kernel/overlayfs-mmap-bugs/map_access.c
+++ b/kernel/overlayfs-mmap-bugs/map_access.c
@@ -11,16 +11,22 @@ int main(int argc, const char **argv)
 {
 	const char *file, *context;
 	void *ptr;
-	int rdonly, fd, ctxfd, ret;
+	int rdonly, execmem, flags, prot, fd, ctxfd, ret;
 
-	if (argc < 3  || argc > 4 || (strcmp(argv[2], "RDONLY") && strcmp(argv[2], "RDWR"))) {
+	if (argc < 4  || argc > 5 ||
+	    (strcmp(argv[2], "RDONLY") && strcmp(argv[2], "RDWR")) ||
+	    (strcmp(argv[3], "SHARED") && strcmp(argv[3], "PRIVATE"))
+	   ) {
 		fprintf(stderr, "Usage %s <file> RDONLY|RDWR\n", argv[0]);
 		return EINVAL;
 	}
 
 	file = argv[1];
 	rdonly = strcmp(argv[2], "RDONLY") == 0;
-	context = argc >= 4 ? argv[3] : NULL;
+	execmem = strcmp(argv[3], "PRIVATE") == 0;
+	flags = strcmp(argv[3], "PRIVATE") == 0 ? MAP_PRIVATE : MAP_SHARED;
+	prot = PROT_READ | (!rdonly || execmem ? PROT_WRITE : 0) | (execmem ? PROT_EXEC : 0);
+	context = argc >= 5 ? argv[4] : NULL;
 
 	fd = open(file, rdonly ? O_RDONLY : O_RDWR);
 	if (fd == -1) {
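Review bot: The usage message on the unchanged line `fprintf(stderr, "Usage %s <file> RDONLY|RDWR\n", argv[0]);` no longer matches the argument check directly above it, which now requires a fourth argument of SHARED or PRIVATE and accepts an optional fifth (the context), so a caller using the old three-argument form gets EINVAL together with a usage string that still shows the old form. Change it to `fprintf(stderr, "Usage: %s <file> RDONLY|RDWR SHARED|PRIVATE [context]\n", argv[0]);`. Separately, `execmem` and `flags` both evaluate `strcmp(argv[3], "PRIVATE") == 0`; `flags = execmem ? MAP_PRIVATE : MAP_SHARED;` reads more directly and keeps the two from drifting apart. A short comment on the `prot` line saying why PROT_WRITE is forced for PRIVATE mappings even when the file is opened read-only (a private writable+executable file mapping is what exercises the execmem path) would help the next reader. main's body continues past the end of this hunk.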
@@ -29,8 +35,7 @@ int main(int argc, const char **argv)
 	}
 
 	/* try direct mmap */
-	ptr = mmap(NULL, 1, rdonly ? PROT_READ : PROT_READ|PROT_WRITE,
-		   MAP_SHARED, fd, 0);
+	ptr = mmap(NULL, 1, prot, flags, fd, 0);
 	if (ptr == MAP_FAILED) {
 		perror("mmap");
 		return 3;
@@ -38,7 +43,7 @@ int main(int argc, const char **argv)
 	munmap(ptr, 1);
 
 	/* try mmap with PROT_NONE followed by mprotect with full access */
-	ptr = mmap(NULL, 1, PROT_NONE, MAP_SHARED, fd, 0);
+	ptr = mmap(NULL, 1, PROT_NONE, flags, fd, 0);
 	if (ptr == MAP_FAILED) {
 		perror("mmap PROT_NONE");
 		return 4;
@@ -58,7 +63,7 @@ int main(int argc, const char **argv)
 		close(ctxfd);
 	}
 
-	ret = mprotect(ptr, 1, rdonly ? PROT_READ : PROT_READ|PROT_WRITE);
+	ret = mprotect(ptr, 1, prot);
 	if (ret == -1) {
 		perror("mprotect");
 		return 5;

diff --git a/kernel/overlayfs-mmap-bugs/runtest.sh b/kernel/overlayfs-mmap-bugs/runtest.sh
index 3d15777..1cb3ab0 100755
--- a/kernel/overlayfs-mmap-bugs/runtest.sh
+++ b/kernel/overlayfs-mmap-bugs/runtest.sh
@@ -41,28 +41,32 @@ rlJournalStart
             "Clear the audit log"
     rlPhaseEnd
 
-    rlPhaseStartTest
+    rlPhaseStartTest "CVE-2026-46054"
         # Bug 1
         # Should get below AVC:
         # avc:  denied  { map } for scontext=...test_mounter_t... tcontext=...test_lowerfile_no_map_t... tclass=file
-        rlRun "runcon -t test_access_full_t ./map_access ./mountpoint/file_no_map RDONLY" 3 "Test Bug 1"
+        rlRun "runcon -t test_access_full_t ./map_access ./mountpoint/file_no_map RDONLY SHARED" 3 "Test Bug 1"
 
         # Bug 2, result 1
         # Shouldn't get below AVC:
         # avc:  denied  { use } for scontext=...test_access_full_t... tcontext=...test_mounter_t... tclass=fd
         rlRun "setsebool domain_fd_use 0"
-        rlRun "runcon -t test_access_full_t ./map_access ./mountpoint/file_ok RDONLY" 0 "Test Bug 2, result 1"
+        rlRun "runcon -t test_access_full_t ./map_access ./mountpoint/file_ok RDONLY SHARED" 0 "Test Bug 2, result 1"
         rlRun "setsebool domain_fd_use 1"
 
         # Bug 2, result 2
         # Shouldn't get below AVC:
         # avc:  denied  { read } for scontext=...test_access_full_t... tcontext=...test_lowerfile_t... tclass=file
-        rlRun "runcon -t test_access_full_t ./map_access ./mountpoint/file_ok RDONLY" 0 "Test Bug 2, result 2"
+        rlRun "runcon -t test_access_full_t ./map_access ./mountpoint/file_ok RDONLY SHARED" 0 "Test Bug 2, result 2"
 
         # Bug 2, result 3
         # Should get below AVC:
         # avc:  denied  { read } for scontext=...test_access_exploit_t... tcontext=...test_mountedfile_t... tclass=file
-        rlRun "runcon -t test_access_full_t ./map_access ./mountpoint/file_ok RDONLY $DYNTRANSCON" 5 "Test Bug 2, result 3"
+        rlRun "runcon -t test_access_full_t ./map_access ./mountpoint/file_ok RDONLY SHARED $DYNTRANSCON" 5 "Test Bug 2, result 3"
+    rlPhaseEnd
+
+    rlPhaseStartTest "execmem regression"
+        rlRun "runcon -t test_access_full_t ./map_access ./mountpoint/file_ok RDONLY PRIVATE" 0 "Verify no execmem denied"
     rlPhaseEnd
 
     rlPhaseStartCleanup
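Review bot: The new "execmem regression" phase is the only test in this script with no comment stating which AVC it rules out, unlike the Bug 1 / Bug 2 cases above it, and because main.fmf sets AVC_ERROR to +no_avc_check with the avc check marked xfail, the phase relies on the exit code alone, so a reader cannot tell from the script why a PRIVATE mapping of file_ok is expected to succeed. I would add, above the rlRun, `# Shouldn't get below AVC (execmem must be checked against the caller, not the mounter):` followed by `# avc:  denied  { execmem } for scontext=...test_mounter_t... tclass=process`, with the exact denial presumably matching the commit message's description of the bug. Since the same exit-code convention applies, it may also be worth noting in the comment that a regression is expected to surface as exit 3 (mmap) or 5 (mprotect) rather than 0.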

diff --git a/kernel/overlayfs-mmap-bugs/test_policy.te b/kernel/overlayfs-mmap-bugs/test_policy.te
index 5260f28..73f05cc 100644
--- a/kernel/overlayfs-mmap-bugs/test_policy.te
+++ b/kernel/overlayfs-mmap-bugs/test_policy.te
@@ -25,6 +25,8 @@ manage_dirs_pattern(test_mounter_t, test_lowerfile_t, test_lowerfile_t)
 manage_files_pattern(test_mounter_t, test_lowerfile_t, test_lowerfile_t)
 manage_chr_files_pattern(test_mounter_t, test_lowerfile_t, test_lowerfile_t)
 allow test_mounter_t test_lowerfile_t:file map;
+# extra permission for execmem regression test
+allow test_mounter_t test_lowerfile_t:file { execute };
 
 # test_mounter_t can't map test_lowerfile_t
 rw_files_pattern(test_mounter_t, test_lowerfile_no_map_t, test_lowerfile_no_map_t)
@@ -77,6 +79,10 @@ corecmd_bin_entry_type(test_access_exploit_t)
 allow test_access_full_t self:process { setcurrent };
 allow test_access_full_t test_access_exploit_t:process { dyntransition };
 
+# extra permissions for execmem regression test
+allow test_access_full_t test_mountedfile_t:file { execute };
+allow test_access_full_t self:process { execmem };
+
 attribute test_domain;
 typeattribute test_mounter_t test_domain;
 typeattribute test_access_full_t test_domain;
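Review bot: The comment `# extra permissions for execmem regression test` says that the rules are for the new test but not why each is needed, which matters here because the test's value depends on test_mounter_t deliberately not having execmem while test_access_full_t does. I would expand it to something like `# execmem regression test: the RWX private mapping must pass when the kernel checks execmem against the caller (test_access_full_t), and fail only if it wrongly checks the mounter (test_mounter_t), which has no execmem` and, on the file:execute line, `# file:execute so that only the execmem check can deny the mapping`. The matching `allow test_mounter_t test_lowerfile_t:file { execute };` in the earlier hunk would benefit from the same one-line rationale, as the two rules only make sense together.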
