Message-ID: <CAFqZXNtNipvJLt3kvhQ0hB-P_Niyn0fQK0VTp-+Ce15WiJYO+A@mail.gmail.com>
Date: Tue, 30 Jul 2024 10:15:21 +0200
From: Ondrej Mosnacek <omosnace@...hat.com>
To: Stephen Smalley <stephen.smalley.work@...il.com>
Cc: Gong Ruiqi <gongruiqi1@...wei.com>, Paul Moore <paul@...l-moore.com>, selinux@...r.kernel.org, 
	linux-kernel@...r.kernel.org, Wang Weiyang <wangweiyang2@...wei.com>
Subject: Re: [PATCH testsuite] tests/task_setscheduler: add cgroup v2 case for
 moving proc to root cgroup

On Mon, Jul 29, 2024 at 1:55 PM Stephen Smalley
<stephen.smalley.work@...il.com> wrote:
>
> On Mon, Jul 29, 2024 at 6:29 AM Ondrej Mosnacek <omosnace@...hat.com> wrote:
> >
> > On Sat, Jul 27, 2024 at 4:55 AM Gong Ruiqi <gongruiqi1@...wei.com> wrote:
> > >
> > >
> > > On 2024/07/26 21:43, Ondrej Mosnacek wrote:
> > > > On Thu, Jul 18, 2024 at 2:34 PM Gong Ruiqi <gongruiqi1@...wei.com> wrote:
> > > >>
> > > >>
> > > >> On 2024/07/18 0:17, Paul Moore wrote:
> > > >>> ...
> > > >>>
> > > >>> Where (what distribution, version, etc.) did you see this problem?
> > > >>
> > > >> The problem occurred when I ran the testsuite on Fedora 40 with v6.6
> > > >> kernel, and it was the only failed testcase.
> > > >
> > > > Sorry for the delay... For some reason the test passes for me even
> > > > with cgroup v2 only and without the patch (also when run from a
> > > > regular user account with sudo). Do you happen to know what
> > > > circumstances are needed for it to fail when the cgroup is not
> > > > switched?
> > > >
> > >
> > > As the comment in the script says, a process needs to be in the root
> > > cgroup in order to switch its scheduler policy to SCHED_{RR,FIFO}. So
> > > maybe in your case the shell process is already in the root cgroup?
> > >
> > > In my case I need to ssh to a Fedora VM, and that makes my shell process
> > > be in a sub cgroup called /user.slice/.../XXX.scope (looks like some
> > > systemd stuff). And since /sys/fs/cgroup/cpu/tasks doesn't exist in the
> > > system with cgroup v2 only, the script skips moving the target process
> > > to the root cgroup, and therefore the subsequent test fails.
> >
> > In my case I ssh as root and end up in
> > /user.slice/user-0.slice/session-1.scope cgroup,
> > /sys/fs/cgroup/cpu/tasks also doesn't exist, and yet the test passes.
> > The same also happens when I ssh as a regular user (with cgroup
> > /user.slice/user-1000.slice/session-3.scope) and run the testsuite
> > with sudo. So there must be something more to it... maybe some kernel
> > config or sysctl setting?
>
> As a further data point, I also have been unable to reproduce the
> reported behavior.
> That said, since tasks doesn't exist, isn't the passing test a false
> negative (i.e. it isn't truly testing as intended)?

I don't think it is. The test wants to verify that it is possible to
change the scheduling policy with the SELinux permission and that it
is not possible without it - and it tests basically identical
conditions with the permission allowed and denied, so it indeed
verifies it correctly. The cgroup switch is just a preparation step so
that changing the policy to realtime policies can succeed at all. When
the test fully passes without switching the cgroup, then it just means
that the switch wasn't necessary for whatever reason.

-- 
Ondrej Mosnacek
Senior Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.
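
The cgroup state compared in this thread can be checked with a few shell helpers. This is an added example, not code from the thread or from the selinux-testsuite: the function names are hypothetical, and it assumes a cgroup v2 mount exposes its root membership file as `cgroup.procs` directly under the mount point.

```shell
#!/bin/sh
# Added illustration; not code from the selinux-testsuite.

# Print the cgroup v2 path from /proc/<pid>/cgroup-style text on stdin.
# v2 entries have the form "0::<path>"; prints nothing if there is none.
cgroup_v2_path() {
    sed -n '/^0::/{s///p;q;}'
}

# Succeed only if the task described on stdin sits in the v2 root cgroup.
in_v2_root() {
    [ "$(cgroup_v2_path)" = "/" ]
}

# Print the file a PID would be written to in order to move a task to the
# root cgroup, given the cgroup mount point (normally /sys/fs/cgroup).
# Returns 1 when neither layout is present, so the caller can report that
# the preparation step was skipped instead of skipping it silently.
root_cgroup_file() {
    mnt=$1
    if [ -f "$mnt/cpu/tasks" ]; then
        printf '%s\n' "$mnt/cpu/tasks"       # v1 cpu controller hierarchy
    elif [ -f "$mnt/cgroup.procs" ]; then
        printf '%s\n' "$mnt/cgroup.procs"    # v2 unified hierarchy root
    else
        return 1
    fi
}

# Report the state of the current shell when run on a Linux host.
if [ -r /proc/self/cgroup ]; then
    echo "v2 cgroup path: $(cgroup_v2_path < /proc/self/cgroup)"
    root_cgroup_file /sys/fs/cgroup || echo "no known cgroup layout found"
fi
```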

