| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <cd35aa283cf010188a3b0e318f2c16655224767c.camel@gmail.com> Date: Thu, 25 Sep 2025 16:56:55 +0200 From: Filip Hejsek <filip.hejsek@...il.com> To: Paul Moore <paul@...l-moore.com> Cc: linux-security-module@...r.kernel.org, James Morris <jmorris@...ei.org>, "Serge E. Hallyn" <serge@...lyn.com>, bpf@...r.kernel.org, linux-kernel@...r.kernel.org, regressions@...ts.linux.dev Subject: Re: [bug report] [regression?] bpf lsm breaks /proc/*/attr/current with security= on commandline On Wed, 2025-09-24 at 17:24 -0400, Paul Moore wrote: > On Sat, Sep 13, 2025 at 1:01 PM Filip Hejsek <filip.hejsek@...il.com> wrote: > > > > Hello, > > > > TLDR: because of bpf lsm, putting security=selinux on commandline > > results in /proc/*/attr/current returning errors. > > > > When the legacy security= commandline option is used, the specified lsm > > is added to the end of the lsm list. For example, security=apparmor > > results in the following order of security modules: > > > > capability,landlock,lockdown,yama,bpf,apparmor > > > > In particular, the bpf lsm will be ordered before the chosen major lsm. > > > > This causes reads and writes of /proc/*/attr/current to fail, because > > the bpf hook overrides the apparmor/selinux hook. > > What kernel are you using? I'm using Arch Linux kernel, which is very close to mainline. I have also tested my own build from git sources (I used a stripped down config which I based on config from Arch). Example in QEMU: $ qemu-system-x86_64 -nodefaults -accel kvm -cpu host -smp cpus=2 -m 1G -display none -kernel ~/git/linux/arch/x86/boot/bzImage -initrd ./initramfs.img -serial mon:stdio -append 'console=ttyS0 security=selinux' :: mounting '' on real root mount: /new_root: no valid filesystem type specified. ERROR: Failed to mount '' on real root You are now being dropped into an emergency shell. sh: can't access tty; job control turned off [rootfs ~]# uname -a Linux archlinux 6.17.0-rc7-00020-gcec1e6e5d1ab #3 SMP PREEMPT_DYNAMIC Thu Sep 25 16:28:02 CEST 2025 x86_64 GNU/Linux [rootfs ~]# mount -t securityfs securityfs /sys/kernel/security [rootfs ~]# cat /proc/cmdline console=ttyS0 security=selinux [rootfs ~]# cat /sys/kernel/security/lsm; echo capability,landlock,lockdown,yama,bpf,selinux [rootfs ~]# cat /proc/self/attr/current cat: read error: Invalid argument (Note: In this example, uname reports archlinux, but that's only because I based the config on Arch config, it's not actually an Arch kernel.) Maybe the different behavior is caused by a different config? You can find the Arch config at [1]. Based on Fedora package sources, I think their config has CONFIG_LSM="lockdown,yama,integrity,selinux,bpf,landlock,ipe" while the Arch config has CONFIG_LSM="landlock,lockdown,yama,integrity,bpf" . [1]: https://gitlab.archlinux.org/archlinux/packaging/packages/linux/-/raw/main/config?ref_type=heads > Things appear to work correctly on my > kernel that is tracking upstream (Fedora Rawhide + some unrelated > bits): > > % uname -a > Linux dev-rawhide-1.lan 6.17.0-0.rc7.250923gd1ab3.57.1.secnext.fc44.x86_64 #1 SM > P PREEMPT_DYNAMIC Tue Sep 23 10:07:14 EDT 2025 x86_64 GNU/Linux > % cat /proc/cmdline > BOOT_IMAGE=(hd0,gpt4)/boot/vmlinuz-6.17.0-0.rc7.250923gd1ab3.57.1.secnext.fc44.x > 86_64 root=UUID=285029fa-4431-45e9-af1b-298ab0caf16a ro console=ttyS0 mitigation > s=off security=selinux > % cat /sys/kernel/security/lsm; echo "" > lockdown,capability,yama,selinux,bpf,landlock,ipe,ima,evm > % id -Z > unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 > % cat /proc/self/attr/current; echo "" > unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 > > I even ran it against the LSM initialization rework that has been > proposed, but has not yet been accepted/merged, and that worked the > same as above. > > Is this a distro kernel with a lot of "special" patches which aren't > present upstream?
Powered by blists - more mailing lists