Re: WARNING in apparmor_secid_to_secctx

From: Dmitry Vyukov
Date: Fri Feb 01 2019 - 05:51:05 EST

Next message: Will Deacon: "Re: [PATCH v3 0/1] arm64: Add workaround for Fujitsu A64FX erratum 010001"
Previous message: Cornelia Huck: "Re: [PATCH v1] KVM: s390: vsie: fix Do the CRYCB validation first"
In reply to: Tetsuo Handa: "Re: WARNING in apparmor_secid_to_secctx"
Next in thread: Tetsuo Handa: "[PATCH] LSM: Allow syzbot to ignore security= parameter."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, Feb 1, 2019 at 11:44 AM Tetsuo Handa
<penguin-kernel@xxxxxxxxxxxxxxxxxxx> wrote:
>
> On 2019/02/01 19:09, Dmitry Vyukov wrote:
> > Thanks for the explanations.
> >
> > Here is the change that I've come up with:
> > https://github.com/google/syzkaller/commit/aa53be276dc84aa8b3825b3416542447ff82b41a
>
> You are not going to apply this updated config to upstream kernels now, are you?
> Removing CONFIG_DEFAULT_SECURITY="apparmor" from configs used by upstream kernels
> will cause failing to enable AppArmor (unless security=apparmor is specified).

We do use security=apparmor, see:
https://github.com/google/syzkaller/blob/master/dashboard/config/upstream-apparmor.cmdline
https://github.com/google/syzkaller/blob/master/dashboard/config/upstream-selinux.cmdline
https://github.com/google/syzkaller/blob/master/dashboard/config/upstream-smack.cmdline

> I guess you can apply this updated config to linux-next kernels given that
> you replace
>
> CONFIG_LSM="yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor"
>
> with
>
> CONFIG_LSM="yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo"
>
> so that AppArmor is enabled instead of SELinux.
>
> >
> > I've disabled CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER (it
> > actually looked like omitting a user-space loader that I don't have is
> > the right thing to do, but okay, it indeed does not with =y).
> >
> > For now I just enabled TOMOYO and SAFESETID.
> > I see the problem with making both linux-next and upstream work. If we
> > use a single config and lsm= cmdline argument, then on upstream all
> > kernels will use the same module (they won't understand lsm=). But if
> > we add security= then it will take precedence over lsm= on linux-next,
> > so we won't get stacked modules.
>
> Right.
>
> >
> > Let's go with (c) because I don't want an additional long-term maintenance cost.
>
> OK.
>
> > If I understand it correctly later we will need to replace:
> > security=selinux
> > security=smack
> > security=apparmor
> >
> > with:
> > lsm=yama,safesetid,integrity,selinux,tomoyo
> > lsm=yama,safesetid,integrity,smack,tomoyo
> > lsm=yama,safesetid,integrity,tomoyo,apparmor
>
> Yes. Thank you.

Next message: Will Deacon: "Re: [PATCH v3 0/1] arm64: Add workaround for Fujitsu A64FX erratum 010001"
Previous message: Cornelia Huck: "Re: [PATCH v1] KVM: s390: vsie: fix Do the CRYCB validation first"
In reply to: Tetsuo Handa: "Re: WARNING in apparmor_secid_to_secctx"
Next in thread: Tetsuo Handa: "[PATCH] LSM: Allow syzbot to ignore security= parameter."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]