| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 06 Feb 2008 08:55:00 -0500 From: Stephen Smalley <sds@...ho.nsa.gov> To: Ingo Molnar <mingo@...e.hu> Cc: David Miller <davem@...emloft.net>, linux-kernel@...r.kernel.org, netdev@...r.kernel.org, Linus Torvalds <torvalds@...ux-foundation.org>, Casey Schaufler <casey@...aufler-ca.com> Subject: Re: [bisected] Re: [bug] networking broke, ssh: connect to port 22: Protocol error On Wed, 2008-02-06 at 14:35 +0100, Ingo Molnar wrote: > * Ingo Molnar <mingo@...e.hu> wrote: > > > yeah, although various other upstream breakages prevented real long > > randconfig series in the past 2-3 days. I'd say it's either in this > > pull from your tree: > > ok, i have bisected it down but the result made no sense, so i > double-checked it and noticed that the .config mutated during the test. > > the diff below is the diff between the 'good' and 'bad' .config, with > this notable detail: > > @@ -2336,7 +2350,7 @@ CONFIG_SECURITY_NETWORK=y > CONFIG_SECURITY_CAPABILITIES=y > # CONFIG_SECURITY_FILE_CAPABILITIES is not set > # CONFIG_SECURITY_ROOTPLUG is not set > -# CONFIG_SECURITY_SMACK is not set > +CONFIG_SECURITY_SMACK=y > CONFIG_XOR_BLOCKS=m > CONFIG_ASYNC_CORE=m > CONFIG_ASYNC_MEMCPY=m > > so i disabled CONFIG_SECURITY_SMACK, and viola, just 2 hours of hard > work later networking works on my testbox again :-/ > > And we have this 1 day old commit: > > commit e114e473771c848c3cfec05f0123e70f1cdbdc99 > Author: Casey Schaufler <casey@...aufler-ca.com> > Date: Mon Feb 4 22:29:50 2008 -0800 > > Smack: Simplified Mandatory Access Control Kernel > > that adds SMACK. > > So unlike some other security modules like SELINUX, enabling SMACK > breaks un-aware userspace and breaks TCP networking? > > I dont think that's expected behavior - and i'd definitely like to > enable SMACK in automated tests to check for regressions, etc. It is expected behavior for Smack due to default use of CIPSO for packet labeling, see: http://lkml.org/lkml/2007/10/14/210 > Ingo > > --- .config.good 2008-02-06 14:13:35.000000000 +0100 > +++ .config.bad 2008-02-06 14:17:28.000000000 +0100 > @@ -1,7 +1,7 @@ > # > # Automatically generated make config: don't edit > # Linux kernel version: 2.6.24 > -# Wed Feb 6 14:11:27 2008 > +# Wed Feb 6 14:15:22 2008 > # > # CONFIG_64BIT is not set > CONFIG_X86_32=y > @@ -94,15 +94,16 @@ CONFIG_FUTEX=y > CONFIG_ANON_INODES=y > # CONFIG_EPOLL is not set > CONFIG_SIGNALFD=y > -CONFIG_TIMERFD=y > +# CONFIG_TIMERFD is not set > CONFIG_EVENTFD=y > # CONFIG_SHMEM is not set > # CONFIG_VM_EVENT_COUNTERS is not set > # CONFIG_SLAB is not set > # CONFIG_SLUB is not set > CONFIG_SLOB=y > -# CONFIG_PROFILING is not set > +CONFIG_PROFILING=y > # CONFIG_MARKERS is not set > +CONFIG_OPROFILE=y > CONFIG_HAVE_OPROFILE=y > # CONFIG_KPROBES is not set > CONFIG_HAVE_KPROBES=y > @@ -691,7 +692,7 @@ CONFIG_MAC80211_RC_DEFAULT="" > # CONFIG_MAC80211_RC_PID is not set > # CONFIG_MAC80211_RC_SIMPLE is not set > # CONFIG_MAC80211_DEBUGFS is not set > -# CONFIG_MAC80211_DEBUG_PACKET_ALIGNMENT is not set > +CONFIG_MAC80211_DEBUG_PACKET_ALIGNMENT=y > # CONFIG_MAC80211_DEBUG is not set > CONFIG_IEEE80211=m > # CONFIG_IEEE80211_DEBUG is not set > @@ -744,6 +745,7 @@ CONFIG_CDROM_PKTCDVD=y > CONFIG_CDROM_PKTCDVD_BUFFERS=8 > CONFIG_CDROM_PKTCDVD_WCACHE=y > CONFIG_ATA_OVER_ETH=y > +CONFIG_VIRTIO_BLK=y > # CONFIG_MISC_DEVICES is not set > # CONFIG_IDE is not set > > @@ -796,9 +798,19 @@ CONFIG_BLK_DEV_3W_XXXX_RAID=y > CONFIG_SCSI_3W_9XXX=m > CONFIG_SCSI_ACARD=y > # CONFIG_SCSI_AACRAID is not set > -# CONFIG_SCSI_AIC7XXX is not set > -# CONFIG_SCSI_AIC7XXX_OLD is not set > -# CONFIG_SCSI_AIC79XX is not set > +CONFIG_SCSI_AIC7XXX=y > +CONFIG_AIC7XXX_CMDS_PER_DEVICE=32 > +CONFIG_AIC7XXX_RESET_DELAY_MS=5000 > +# CONFIG_AIC7XXX_DEBUG_ENABLE is not set > +CONFIG_AIC7XXX_DEBUG_MASK=0 > +# CONFIG_AIC7XXX_REG_PRETTY_PRINT is not set > +CONFIG_SCSI_AIC7XXX_OLD=m > +CONFIG_SCSI_AIC79XX=y > +CONFIG_AIC79XX_CMDS_PER_DEVICE=32 > +CONFIG_AIC79XX_RESET_DELAY_MS=5000 > +CONFIG_AIC79XX_DEBUG_ENABLE=y > +CONFIG_AIC79XX_DEBUG_MASK=0 > +# CONFIG_AIC79XX_REG_PRETTY_PRINT is not set > CONFIG_SCSI_AIC94XX=m > # CONFIG_AIC94XX_DEBUG is not set > CONFIG_SCSI_DPT_I2O=m > @@ -1181,6 +1193,7 @@ CONFIG_NETCONSOLE=y > CONFIG_NETPOLL=y > # CONFIG_NETPOLL_TRAP is not set > CONFIG_NET_POLL_CONTROLLER=y > +# CONFIG_VIRTIO_NET is not set > CONFIG_ISDN=y > # CONFIG_ISDN_I4L is not set > # CONFIG_ISDN_CAPI is not set > @@ -2043,7 +2056,8 @@ CONFIG_INFINIBAND_AMSO1100=m > CONFIG_INFINIBAND_AMSO1100_DEBUG=y > # CONFIG_INFINIBAND_CXGB3 is not set > CONFIG_MLX4_INFINIBAND=m > -# CONFIG_INFINIBAND_NES is not set > +CONFIG_INFINIBAND_NES=m > +CONFIG_INFINIBAND_NES_DEBUG=y > CONFIG_INFINIBAND_IPOIB=m > CONFIG_INFINIBAND_IPOIB_CM=y > CONFIG_INFINIBAND_IPOIB_DEBUG=y > @@ -2336,7 +2350,7 @@ CONFIG_SECURITY_NETWORK=y > CONFIG_SECURITY_CAPABILITIES=y > # CONFIG_SECURITY_FILE_CAPABILITIES is not set > # CONFIG_SECURITY_ROOTPLUG is not set > -# CONFIG_SECURITY_SMACK is not set > +CONFIG_SECURITY_SMACK=y > CONFIG_XOR_BLOCKS=m > CONFIG_ASYNC_CORE=m > CONFIG_ASYNC_MEMCPY=m > @@ -2396,7 +2410,9 @@ CONFIG_CRYPTO_AUTHENC=y > # CONFIG_CRYPTO_HW is not set > CONFIG_VIRTUALIZATION=y > # CONFIG_LGUEST is not set > -# CONFIG_VIRTIO_PCI is not set > +CONFIG_VIRTIO=y > +CONFIG_VIRTIO_RING=y > +CONFIG_VIRTIO_PCI=y > # CONFIG_VIRTIO_BALLOON is not set > > # > > -- > To unsubscribe from this list: send the line "unsubscribe linux-kernel" in > the body of a message to majordomo@...r.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html > Please read the FAQ at http://www.tux.org/lkml/ -- Stephen Smalley National Security Agency -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists