Add test that LD_LIBRARY_PATH doesn't have any effect

Author: bjorn3

.github/workflows/ci.yaml

@@ -42,7 +42,7 @@ jobs:
 
       - name: Run all E2E tests
         working-directory: test-framework
-        run: cargo test -p e2e-tests
+        run: cargo test -p e2e-tests --features apparmor
 
       - name: prevent the cache from growing too large
         run: |

test-framework/e2e-tests/Cargo.toml

@@ -6,3 +6,6 @@ version = "0.0.0"
 
 [dependencies]
 sudo-test.path = "../sudo-test"
+
+[features]
+apparmor = ["sudo-test/apparmor"]

test-framework/e2e-tests/src/lib.rs

@@ -13,3 +13,48 @@ fn sanity_check() {
         "you must set `SUDO_UNDER_TEST=ours` when running this test suite"
     );
 }
+
+#[test]
+#[cfg(feature = "apparmor")]
+fn dlopen_apparmor_ignores_ld_library_path() -> Result<(), Box<dyn std::error::Error>> {
+    use sudo_test::{Command, Env};
+
+    let env = Env("foo ALL=(ALL:ALL) APPARMOR_PROFILE=docker-default NOPASSWD: ALL")
+        .file(
+            "/tmp/crash_me.c",
+            "#include <stdlib.h>
+
+void __attribute__((constructor)) do_not_load() {
+    abort();
+}
+",
+        )
+        .user("foo")
+        .apparmor("unconfined")
+        .build();
+
+    Command::new("gcc")
+        .args(["/tmp/crash_me.c", "-shared", "-o", "/tmp/libapparmor.so.1"])
+        .output(&env)
+        .assert_success();
+
+    let output = Command::new("sh")
+        .args([
+            "-c",
+            "LD_LIBRARY_PATH=/tmp sudo -s cat /proc/\\$\\$/attr/current",
+        ])
+        .as_user("foo")
+        .output(&env);
+
+    output.assert_success();
+    assert_eq!(output.stdout(), "docker-default (enforce)");
+
+    let output = Command::new("sh")
+        .args(["-c", "LD_PRELOAD=/tmp/libapparmor.so.1 ls"])
+        .output(&env);
+
+    output.assert_exit_code(134); // SIGABRT
+    assert_eq!(output.stderr(), "Aborted (core dumped)");
+
+    Ok(())
+}

test-framework/sudo-compliance-tests/src/sudo/apparmor.rs

@@ -11,7 +11,6 @@ fn can_switch_the_apparmor_profile() -> Result<()> {
     let output = Command::new("sudo")
         .args(["-s", "cat", "/proc/$$/attr/current"])
         .output(&env);
-    dbg!(&output);
 
     output.assert_success();
     assert_eq!(output.stdout(), "docker-default (enforce)");
@@ -25,8 +24,6 @@ fn cannot_switch_to_nonexisting_profile() -> Result<()> {
 
     let output = Command::new("sudo").arg("true").output(&env);
 
-    dbg!(&output);
-
     output.assert_exit_code(1);
     assert_contains!(output.stderr(), "unable to change AppArmor profile");
 
@@ -44,7 +41,6 @@ Defaults apparmor_profile=docker-default
     let output = Command::new("sudo")
         .args(["-s", "cat", "/proc/$$/attr/current"])
         .output(&env);
-    dbg!(&output);
 
     output.assert_success();
     assert_eq!(output.stdout(), "docker-default (enforce)");
@@ -63,7 +59,6 @@ Defaults apparmor_profile=docker-default
     let output = Command::new("sudo")
         .args(["-s", "cat", "/proc/$$/attr/current"])
         .output(&env);
-    dbg!(&output);
 
     output.assert_success();
     assert_eq!(output.stdout(), "unconfined");