Message-ID: <CACYkzJ6NuGQchRaj-QD_XzQWNT8c3zb0ZEBXWjzjAckQdNDCWw@mail.gmail.com>
Date: Mon, 12 Aug 2024 19:12:16 +0200
From: KP Singh <kpsingh@...nel.org>
To: Paul Moore <paul@...l-moore.com>
Cc: Guenter Roeck <linux@...ck-us.net>, Nathan Chancellor <nathan@...nel.org>, linux-kernel@...r.kernel.org, 
	linux-security-module@...r.kernel.org, bp@...en8.de, sfr@...b.auug.org.au, 
	peterz@...radead.org, ink@...assic.park.msu.ru, richard.henderson@...aro.org
Subject: Re: [PATCH] init/main.c: Initialize early LSMs after arch code

On Thu, Aug 8, 2024 at 10:49 PM Paul Moore <paul@...l-moore.com> wrote:
>
> On Thu, Aug 8, 2024 at 2:00 PM Guenter Roeck <linux@...ck-us.net> wrote:
> > On Thu, Aug 08, 2024 at 01:32:37PM -0400, Paul Moore wrote:
> > > On Thu, Aug 8, 2024 at 12:43 PM Guenter Roeck <linux@...ck-us.net> wrote:
> > > >
> > > > Also, there is a backtrace on ppc (also see below), but that is unrelated
> > > > to your patches and only seen now because I enabled the security modules
> > > > on that architecture. I'll bring that up with ppc maintainers.
> > >
> > > Thanks for all your help testing this Guenter.  I see you've also
> > > already submitted an AppArmor fix for the endian issue, that's very
> > > helpful and I'm sure John will be happy to see it.
> > >
> > > Beyond this work testing the static call patches from KP, would you be
> > > willing to add a LSM configuration to your normal testing?  While most
> > > of the LSM subsystem should be architecture agnostic, there are
> > > definitely bits and pieces that can vary (as you've seen), and I think
> > > it would be great to get more testing across a broad range of
> > > supported arches, even if it is just some simple "does it boot" tests.
> > >
> >
> > That really depends. I already enabled some of the kernel security modules.
> >
> > CONFIG_SECURITY=y
> > CONFIG_SECURITY_APPARMOR=y
> > CONFIG_SECURITY_APPARMOR_KUNIT_TEST=y
> > CONFIG_SECURITY_LANDLOCK=y
> > CONFIG_SECURITY_LANDLOCK_KUNIT_TEST=y
> > CONFIG_SECURITY_LOCKDOWN_LSM=y
> > CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
> > CONFIG_SECURITY_YAMA=y
> > CONFIG_SECURITY_LOADPIN=y
> > CONFIG_SECURITY_SAFESETID=y
> > CONFIG_BPF_LSM=y
> > CONFIG_LSM="landlock,lockdown,yama,loadpin,safesetid,bpf"
> >
> > I can easily add more if you tell me what else I should enable.
>
> Thanks, I just added a todo item to send you a list.  I appreciate the help.
>
> > Userspace is more difficult. My root file systems are generated using
> > buildroot. I run some basic tests, such as network interface tests
> > and TPM tests, but those are just simple scripts utilizing packages
> > provided by buildroot. I can add more, but I would need to know what
> > exactly to add and how to execute it.
>
> Of course.  As far as I'm concerned, simply enabling the LSMs and
> making sure the various arches boot without additional faults would be
> a nice boost in testing.
>
> > > Out of curiosity, do you have your test setup documented anywhere?  It
> > > sounds fairly impressive and I'd be curious to learn more about it.
> >
> > Not really. The code is at https://github.com/groeck/linux-build-test.
> > My clone of buildroot is at https://github.com/groeck/buildroot (look
> > for local- branches to see my changes). Please feel free to have a look,
> > but documentation is seriously lacking (and README is completely out
> > of date).
>

JFYI, I synced with Guenter and all arch seem to pass and alpha does
not work due to a reason that I am unable to debug. I will try doing
more debugging but I will need more alpha help here (Added the
maintainers to this thread).



> Thanks for the pointers.
>
> --
> paul-moore.com
