Message-ID: <20140324093426.GA10565@localhost>
Date: Mon, 24 Mar 2014 17:34:26 +0800
From: Fengguang Wu <fengguang.wu@...el.com>
To: Kees Cook <keescook@...omium.org>
Cc: linux-kernel@...r.kernel.org, linux-security-module@...r.kernel.org
Subject: [LSM] Kernel panic - not syncing: Could not register MntRestrict security module

Hi Kees,

I got the below dmesg and the first bad commit is
git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git lsm-mnt-restrict

commit 2301503dfef14f2fd017a850f080c63ac5c022b7
Author:     Kees Cook <keescook@...omium.org>
AuthorDate: Sat Sep 21 15:52:51 2013 -0700
Commit:     Kees Cook <keescook@...omium.org>
CommitDate: Sat Mar 22 21:21:26 2014 -0700

    LSM: MntRestrict blocks mounts on symlink targets

    On systems where certain filesystem contents cannot be entirely trusted,
    it is beneficial to block mounts on symlinks. This makes sure that
    malicious filesystem contents cannot trigger the over-mounting of trusted
    filesystems. (For example, a bind-mounted subdirectory of /var cannot be
    redirected to mount on /etc via a symlink: a daemon cannot elevate privs
    to uid-0.)

    Signed-off-by: Kees Cook <keescook@...omium.org>

+-------------------------------------------------------------------------+------------+
| | 2301503dfe |
+-------------------------------------------------------------------------+------------+
| boot_successes | 0 |
| boot_failures | 20 |
| Kernel_panic-not_syncing:Could_not_register_MntRestrict_security_module | 20 |
| backtrace:panic | 20 |
| backtrace:mntrestrict_init | 20 |
| backtrace:security_init | 20 |
+-------------------------------------------------------------------------+------------+
[ 0.014599] ACPI: All ACPI Tables successfully acquired
[ 0.016134] Security Framework initialized
[ 0.017212] AppArmor: AppArmor initialized
[ 0.018274] Kernel panic - not syncing: Could not register MntRestrict security module
[ 0.020000] CPU: 0 PID: 0 Comm: swapper Not tainted 3.14.0-rc7-00067-g2301503 #8
[ 0.020000] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 0.020000] c1d321b4 c1d321b4 c1a8bf88 c17517b0 c1a8bfa8 c17497a4 c199edd4 c1d4c280
[ 0.020000] c1cc2c55 c1d321b4 00000000 c1d41800 c1a8bfb4 c1cc3d6d c19e5a2c c1a8bfc4
[ 0.020000] c1cc2c1b c19e5170 00000000 c1a8bfec c1c9face 00000139 ffffffff ffffffff
[ 0.020000] Call Trace:
[ 0.020000] [<c17517b0>] dump_stack+0x16/0x18
[ 0.020000] [<c17497a4>] panic+0x87/0x16f
[ 0.020000] [<c1cc2c55>] ? register_security+0x12/0x4d
[ 0.020000] [<c1cc3d6d>] mntrestrict_init+0x1e/0x2e
[ 0.020000] [<c1cc2c1b>] security_init+0x2e/0x3f
[ 0.020000] [<c1c9face>] start_kernel+0x35a/0x3f1
[ 0.020000] [<c1c9f569>] ? repair_env_string+0x51/0x51
[ 0.020000] [<c1c9f384>] i386_start_kernel+0x12e/0x131
git bisect start 9d75006403b56a9702d32c686d983177154a15cf dcb99fd9b08cfe1afe426af4d8d3cbc429190f15 --
git bisect bad c38bb1f78b1ebfad745879c1827d17e4d3b9d5d5 # 14:25 0- 20 Merge 'kees/ptdump' into devel-hourly-2014032413
git bisect good c561c526ad68116fea77947b2996c7b0f0b94431 # 14:30 20+ 0 Merge 'pm/acpi-video' into devel-hourly-2014032413
git bisect bad d8e463d588233b2bc3badcc38beeb82c190cde07 # 14:42 0- 16 Merge 'kees/lsm-mnt-restrict' into devel-hourly-2014032413
git bisect good 9b40431289e8e1dc51919a30a34c32bacf426975 # 14:56 20+ 0 Merge 'rusty/virtio-next' into devel-hourly-2014032413
git bisect good 259cc2d0f7882b58f398e0cbf5760633517652d9 # 15:07 20+ 1 Merge 'pm/master' into devel-hourly-2014032413
git bisect bad 2301503dfef14f2fd017a850f080c63ac5c022b7 # 15:12 0- 12 LSM: MntRestrict blocks mounts on symlink targets
# first bad commit: [2301503dfef14f2fd017a850f080c63ac5c022b7] LSM: MntRestrict blocks mounts on symlink targets
git bisect good 774868c7094d35b4518be3d0e654de000a5d11fc # 15:16 60+ 0 Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
git bisect bad 9d75006403b56a9702d32c686d983177154a15cf # 15:16 0- 19 0day head guard for 'devel-hourly-2014032413'
git bisect good 774868c7094d35b4518be3d0e654de000a5d11fc # 15:17 60+ 0 Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
git bisect good 06ed26d1de59ce7cbbe68378b7e470be169750e5 # 15:22 60+ 0 Add linux-next specific files for 20140321
This script may reproduce the error.
-----------------------------------------------------------------------------
#!/bin/bash

# Usage: pass the path to the kernel image as the first argument.
kernel=$1
initrd=yocto-minimal-i386.cgz

# --no-clobber skips the download if the initrd is already present.
wget --no-clobber "https://github.com/fengguang/reproduce-kernel-bug/blob/master/initrd/$initrd"

# QEMU/KVM command line, kept as an array so each option stays one word.
kvm=(
	qemu-system-x86_64 -cpu kvm64 -enable-kvm
	-kernel "$kernel"
	-initrd "$initrd"
	-smp 2
	-m 256M
	-net nic,vlan=0,macaddr=00:00:00:00:00:00,model=virtio
	-net user,vlan=0
	-net nic,vlan=1,model=e1000
	-net user,vlan=1
	-boot order=nc
	-no-reboot
	-watchdog i6300esb
	-serial stdio
	-display none
	-monitor null
)

# Kernel command line; "${append[*]}" below joins the words with spaces.
append=(
	debug
	sched_debug
	apic=debug
	ignore_loglevel
	sysrq_always_enabled
	panic=10
	prompt_ramdisk=0
	earlyprintk=ttyS0,115200
	console=ttyS0,115200
	console=tty0
	vga=normal
	root=/dev/ram0
	rw
)

"${kvm[@]}" --append "${append[*]}"
-----------------------------------------------------------------------------
Thanks,
Fengguang
View attachment "dmesg-yocto-jaketown-10:20140324151244:i386-randconfig-iv4-0324::" of type "text/plain" (12057 bytes)
Download attachment "i386-randconfig-iv4-0324-9d75006403b56a9702d32c686d983177154a15cf-Kernel-panic---not-syncing:-Could-not-register-MntRestrict-security-module-91194.log" of type "application/octet-stream" (33918 bytes)
View attachment "config-3.14.0-rc7-00067-g2301503" of type "text/plain" (81182 bytes)
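
The commit message quoted in this report describes refusing mounts whose target is reached through a symlink. As an added userspace illustration of that rule (not code from the commit, the kernel, or this thread), a privileged helper can enforce it itself before calling mount(2); the function name open_dir_no_symlinks is hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/*
 * Hypothetical helper, not a kernel or libc API. Opens an absolute directory
 * path one component at a time and fails if any component is a symlink.
 * Returns a directory fd, or -1 with errno set. A caller would then mount
 * onto "/proc/self/fd/<fd>" instead of the path string, so the directory
 * that was checked cannot be swapped out afterwards.
 */
int open_dir_no_symlinks(const char *path)
{
    const int flags = O_RDONLY | O_DIRECTORY | O_CLOEXEC;
    char *copy, *save = NULL;
    int dirfd, saved;

    if (path == NULL || path[0] != '/') {
        errno = EINVAL;
        return -1;
    }
    if ((copy = strdup(path)) == NULL)
        return -1;
    dirfd = open("/", flags);
    for (char *c = strtok_r(copy, "/", &save); dirfd >= 0 && c != NULL;
         c = strtok_r(NULL, "/", &save)) {
        int next;
        if (strcmp(c, ".") == 0)
            continue;
        if (strcmp(c, "..") == 0) {     /* keep the walk strictly downward */
            next = -1;
            errno = EINVAL;
        } else {
            /* O_NOFOLLOW: a symlink in this position makes openat() fail */
            next = openat(dirfd, c, flags | O_NOFOLLOW);
        }
        saved = errno;
        close(dirfd);
        errno = saved;
        dirfd = next;
    }
    saved = errno;
    free(copy);
    errno = saved;
    return dirfd;
}
```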