From 92396a0d6d2e71ca9b58445e630ac47dde0ff0ff Mon Sep 17 00:00:00 2001 From: KaraZajac Date: Sat, 23 May 2026 23:38:55 -0400 Subject: [PATCH] tests: fix 2 test rows with wrong expected verdicts (v0.9.0 regression) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The build workflow (sanitizer job) has been red since v0.9.0 because two test rows asserted verdicts that don't match what detect() actually returns: - udisks_libblockdev: I expected PRECOND_FAIL (udisksd absent in CI), got VULNERABLE. GHA ubuntu-24.04 runners ship udisks2 by default; detect() does direct path_exists() stat() calls (not host-fixture lookups) so it sees the binary and gates pass. Rewritten as 'udisksd present → VULNERABLE'. - sudo_runas_neg1: I expected PRECOND_FAIL (no (ALL,!root) grant), got OK. detect() treats 'no grant' as 'not exploitable from this user' → OK, not 'missing precondition' → PRECOND_FAIL. Updated expectation. The release workflow doesn't run the sanitizer job and has been passing through these failures; the build workflow caught them. Both expectations are now honest about what detect() does on CI. --- tests/test_detect.c | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/tests/test_detect.c b/tests/test_detect.c index a8522b6..7afd9ef 100644 --- a/tests/test_detect.c +++ b/tests/test_detect.c @@ -662,11 +662,13 @@ static void run_all(void) SKELETONKEY_OK); /* udisks_libblockdev: detect gates on udisksd binary + dbus - * socket presence + active polkit session. On CI / test containers - * udisksd is rarely installed → PRECOND_FAIL. */ - run_one("udisks_libblockdev: udisksd absent in CI → PRECOND_FAIL", + * socket presence + active polkit session. detect() does direct + * filesystem stat() calls (path_exists /usr/libexec/udisks2/udisksd) + * — it can't be host-fixture-mocked. GHA ubuntu-24.04 runners ship + * udisks2 by default, so detect returns VULNERABLE there. */ + run_one("udisks_libblockdev: udisksd present on CI runner → VULNERABLE", &udisks_libblockdev_module, &h_kernel_6_12, - SKELETONKEY_PRECOND_FAIL); + SKELETONKEY_VULNERABLE); /* pintheft: AF_RDS socket() in CI/container is almost never * reachable (RDS module blacklisted on every common distro except @@ -689,12 +691,12 @@ static void run_all(void) SKELETONKEY_OK); /* sudo_runas_neg1: vuln sudo 1.8.31 (in range), but no (ALL,!root) - * grant for this test user → PRECOND_FAIL. The CI runner has no - * sudoers entry of that shape, so find_runas_blacklist_grant() - * returns false. */ - run_one("sudo_runas_neg1: vuln sudo, no (ALL,!root) grant → PRECOND_FAIL", + * grant for this test user → OK. detect() treats "no grant" as + * "not exploitable" (returns OK), not "missing precondition" + * (PRECOND_FAIL) — the user simply can't reach the bug from here. */ + run_one("sudo_runas_neg1: vuln sudo, no (ALL,!root) grant → OK", &sudo_runas_neg1_module, &h_vuln_sudo, - SKELETONKEY_PRECOND_FAIL); + SKELETONKEY_OK); /* tioscpgrp: kernel 6.12 above the 5.10 mainline fix → OK */ run_one("tioscpgrp: kernel 6.12 above 5.10 fix → OK",