Re: [kpsingh:static_calls] [security] 9e15595ed0: Kernel_panic-not_syncing:lsm_static_call_init-Ran_out_of_static_slots
From: KP Singh
Date: Mon Apr 15 2024 - 16:42:38 EST
> On 15 Apr 2024, at 17:47, KP Singh <kpsingh@xxxxxxxxxx> wrote:
>
>
[...]
>> <penguin-kernel@xxxxxxxxxxxxxxxxxxx> wrote:
>>> On 2024/04/15 17:26, KP Singh wrote:
>>>> This seems like an odd config which does not enable STATIC_CALL, I am going to
>>>> make CONFIG_SECURITY depend on CONFIG_STATIC_CALL and make the dependency explicit.
>>>
>>> If CONFIG_SECURITY depends on CONFIG_STATIC_CALL, architectures which do not
>>> support CONFIG_STATIC_CALL can no longer use LSM ? That sounds a bad dependency.
>>
>> Agreed. If the arch doesn't support static calls we need a fallback
>> solution for the LSM that is no worse than what we have now, and
>> preferably would still solve the issue of the BPF hooks active even
>> where this is no BPF program attached.
>
> Actually I take it back, when CONFIG_STATIC_CALL is not available, the implementation falls back to an indirect call. This crash is unrelated, I will debug further and post back.
Apparently, when I smoke tested, I had CONFIG_IMA disabled so did not hit the bug. Well, now IMA is an LSM, so the following fixes it:
kpsingh@kpsingh:~/projects/linux$ git diff
diff --git a/include/linux/lsm_count.h b/include/linux/lsm_count.h
index dbb3c8573959..77803d117a30 100644
--- a/include/linux/lsm_count.h
+++ b/include/linux/lsm_count.h
@@ -78,6 +78,12 @@
#define BPF_LSM_ENABLED
#endif
+#if IS_ENABLED(CONFIG_IMA)
+#define IMA_ENABLED 1,
+#else
+#define IMA_ENABLED
+#endif
+
#if IS_ENABLED(CONFIG_SECURITY_LANDLOCK)
#define LANDLOCK_ENABLED 1,
#else
@@ -103,6 +109,7 @@
LOCKDOWN_ENABLED \
SAFESETID_ENABLED \
BPF_LSM_ENABLED \
+ IMA_ENABLED \
LANDLOCK_ENABLED)
We don't need a CONFIG_STATIC_CALL dependency, th static_call code nicely falls back.
- KP
>
> - KP
>
>>
>> --
>> paul-moore.com
>