tests: fix security-udev-input-subsystem test

[sergiocazzolato]

Permission denied could also be returned instead of 'Operation not permitted'.

[codecov-commenter]

Codecov Report

Merging #11390 (80e03f8) into master (52b49e1) will increase coverage by 0.00%.
The diff coverage is n/a.

@@           Coverage Diff           @@
##           master   #11390   +/-   ##
=======================================
  Coverage   78.37%   78.37%           
=======================================
  Files         931      931           
  Lines      106681   106702   +21     
=======================================
+ Hits        83611    83633   +22     
+ Misses      17867    17866    -1     
  Partials     5203     5203           

Flag	Coverage Δ
unittests	78.37% <ø> (+<0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
osutil/synctree.go	76.41% <0.00%> (-2.84%)	⬇️
asserts/asserts.go	91.84% <0.00%> (+0.26%)	⬆️
overlord/ifacestate/helpers.go	77.45% <0.00%> (+0.48%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 52b49e1...80e03f8. Read the comment docs.

[mardy]

I'm afraid that this change is not what we want, because when the error is "Permission denied" it means that our cgroup configuration was not setup/enforced, and this is exactly what this test is for.

What we could do, is disabling this test altogether and create an issue for it.

[sergiocazzolato]

@mardy hi, thanks for taking a look, this is an old one, at some point @anonymouse64 confirmed that both messages could be expected, I don't remember the reason, I would add a comment in the test explaining the reason once Ian confirms that.

[anonymouse64]

the issue with this test is that the underlying assumption here was true for a long time in the kernel, but only on accident. As per talking with the security team (specifically jj), the order in which the kernel evaluates LSM's is not defined and it just so happened to be that the device cgroup would be evaluated first for along time with ubuntu kernels, but that has recently changed so it is no longer deterministic.

That being said, I think we need to change these tests at some point to instead manually craft apparmor and device cgroup policy such that the expected one fails and we get the right message. I think this specific change in this PR is okay as long as we file a JIRA issue or launchpad bug etc to have someone look into manually modifying the policies in these tests (note it's not just this one that fails like this, there are others which have this same assumption built into them)

[stolowski]

@anonymouse64 thanks for extra insight into this!

[anonymouse64]

looks fine to me as a temporary change until someone has time to modify these tests to not have the wrong assumption that the evaluation order of LSMs in the kernel is non-deterministic

[stolowski]

LGTM

[stolowski]

@anonymouse64 thanks for extra insight into this!

[mardy]

After Ian's explanation, I'm fine with the change :-) Thanks!