| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CACYkzJ6NuGQchRaj-QD_XzQWNT8c3zb0ZEBXWjzjAckQdNDCWw@mail.gmail.com> Date: Mon, 12 Aug 2024 19:12:16 +0200 From: KP Singh <kpsingh@...nel.org> To: Paul Moore <paul@...l-moore.com> Cc: Guenter Roeck <linux@...ck-us.net>, Nathan Chancellor <nathan@...nel.org>, linux-kernel@...r.kernel.org, linux-security-module@...r.kernel.org, bp@...en8.de, sfr@...b.auug.org.au, peterz@...radead.org, ink@...assic.park.msu.ru, richard.henderson@...aro.org Subject: Re: [PATCH] init/main.c: Initialize early LSMs after arch code On Thu, Aug 8, 2024 at 10:49 PM Paul Moore <paul@...l-moore.com> wrote: > > On Thu, Aug 8, 2024 at 2:00 PM Guenter Roeck <linux@...ck-us.net> wrote: > > On Thu, Aug 08, 2024 at 01:32:37PM -0400, Paul Moore wrote: > > > On Thu, Aug 8, 2024 at 12:43 PM Guenter Roeck <linux@...ck-us.net> wrote: > > > > > > > > Also, there is a backtrace on ppc (also see below), but that is unrelated > > > > to your patches and only seen now because I enabled the security modules > > > > on that architecture. I'll bring that up with ppc maintainers. > > > > > > Thanks for all your help testing this Guenter. I see you've also > > > already submitted an AppArmor fix for the endian issue, that's very > > > helpful and I'm sure John will be happy to see it. > > > > > > Beyond this work testing the static call patches from KP, would you be > > > willing to add a LSM configuration to your normal testing? While most > > > of the LSM subsystem should be architecture agnostic, there are > > > definitely bits and pieces that can vary (as you've seen), and I think > > > it would be great to get more testing across a broad range of > > > supported arches, even if it is just some simple "does it boot" tests. > > > > > > > That really depends. I already enabled some of the kernel security modules. > > > > CONFIG_SECURITY=y > > CONFIG_SECURITY_APPARMOR=y > > CONFIG_SECURITY_APPARMOR_KUNIT_TEST=y > > CONFIG_SECURITY_LANDLOCK=y > > CONFIG_SECURITY_LANDLOCK_KUNIT_TEST=y > > CONFIG_SECURITY_LOCKDOWN_LSM=y > > CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y > > CONFIG_SECURITY_YAMA=y > > CONFIG_SECURITY_LOADPIN=y > > CONFIG_SECURITY_SAFESETID=y > > CONFIG_BPF_LSM=y > > CONFIG_LSM="landlock,lockdown,yama,loadpin,safesetid,bpf" > > > > I can easily add more if you tell me what else I should enable. > > Thanks, I just added a todo item to send you a list. I appreciate the help. > > > Userspace is more difficult. My root file systems are generated using > > buildroot. I run some basic tests, such as network interface tests > > and TPM tests, but those are just simple scripts utilizing packages > > provided by buildroot. I can add more, but I would need to know what > > exactly to add and how to execute it. > > Of course. As far as I'm concerned, simply enabling the LSMs and > making sure the various arches boot without additional faults would be > a nice boost in testing. > > > > Out of curiosity, do you have your test setup documented anywhere? It > > > sounds fairly impressive and I'd be curious to learn more about it. > > > > Not really. The code is at https://github.com/groeck/linux-build-test. > > My clone of buildroot is at https://github.com/groeck/buildroot (look > > for local- branches to see my changes). Please feel free to have a look, > > but documentation is seriously lacking (and README is completely out > > of date). > JFYI, I synced with Guenter and all arch seem to pass and alpha does not work due to a reason that I am unable to debug. I will try doing more debugging but I will need more alpha help here (Added the maintainers to this thread). > Thanks for the pointers. > > -- > paul-moore.com
Powered by blists - more mailing lists