From: Dmitry Vyukov <dvyukov@google.com>
To: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
Cc: Casey Schaufler <casey@schaufler-ca.com>,
Paul Moore <paul@paul-moore.com>,
Stephen Smalley <sds@tycho.nsa.gov>,
syzbot <syzbot+21016130b0580a9de3b5@syzkaller.appspotmail.com>,
tyhicks@canonical.com,
John Johansen <john.johansen@canonical.com>,
James Morris <jmorris@namei.org>,
LKML <linux-kernel@vger.kernel.org>,
linux-security-module@vger.kernel.org,
Serge Hallyn <serge@hallyn.com>,
syzkaller-bugs <syzkaller-bugs@googlegroups.com>,
Jeffrey Vander Stoep <jeffv@google.com>,
SELinux <selinux@tycho.nsa.gov>,
Russell Coker <russell@coker.com.au>,
Laurent Bigonville <bigon@debian.org>,
syzkaller <syzkaller@googlegroups.com>,
Andrew Morton <akpm@linux-foundation.org>
Subject: Re: [PATCH] LSM: Allow syzbot to ignore security= parameter.
Date: Mon, 4 Feb 2019 09:07:54 +0100 [thread overview]
Message-ID: <CACT4Y+Yd1YN=OELBmzUDvwdg5KuV2WnN9WZpjk5O_yuS0i1yOA@mail.gmail.com> (raw)
In-Reply-To: <52531a69-10ed-d263-be66-e707705597d6@i-love.sakura.ne.jp>
On Fri, Feb 1, 2019 at 2:09 PM Tetsuo Handa
<penguin-kernel@i-love.sakura.ne.jp> wrote:
>
> On 2019/02/01 19:50, Dmitry Vyukov wrote:
> > On Fri, Feb 1, 2019 at 11:44 AM Tetsuo Handa
> > <penguin-kernel@i-love.sakura.ne.jp> wrote:
> >>
> >> On 2019/02/01 19:09, Dmitry Vyukov wrote:
> >>> Thanks for the explanations.
> >>>
> >>> Here is the change that I've come up with:
> >>> https://github.com/google/syzkaller/commit/aa53be276dc84aa8b3825b3416542447ff82b41a
> >>
> >> You are not going to apply this updated config to upstream kernels now, are you?
> >> Removing CONFIG_DEFAULT_SECURITY="apparmor" from configs used by upstream kernels
> >> will cause failing to enable AppArmor (unless security=apparmor is specified).
> >
> >
> > We do use security=apparmor, see:
> > https://github.com/google/syzkaller/blob/master/dashboard/config/upstream-apparmor.cmdline
> > https://github.com/google/syzkaller/blob/master/dashboard/config/upstream-selinux.cmdline
> > https://github.com/google/syzkaller/blob/master/dashboard/config/upstream-smack.cmdline
> >
>
> Oh, security= parameter is explicitly specified on all targets?
> Then, we can abuse CONFIG_DEBUG_AID_FOR_SYZBOT option. ;-)
>
> LSM folks, may we use this patch for linux-next.git ?
> CONFIG_DEBUG_AID_FOR_SYZBOT is a linux-next.git-only kernel config option used by syzbot.
Then we also need this on syzbot side, right? Otherwise it seems that
all instances will default to a single security module.
https://github.com/google/syzkaller/commit/ffec3d1894ffd05966b50efa49ca19af76c9ea81
> From c7d21f9c1c0b610ddea4233b89edf7d3140b8baf Mon Sep 17 00:00:00 2001
> From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
> Date: Fri, 1 Feb 2019 22:03:55 +0900
> Subject: [PATCH linux-next] LSM: Allow syzbot to ignore security= parameter.
>
> LSM is going to get infrastructure managed security blob support in Linux
> 5.1, and it becomes possible to run TOMOYO with SELinux/Smack/AppArmor.
> But for compatibility reason, since security= parameter makes it
> impossible to run TOMOYO with SELinux/Smack/AppArmor, syzbot can't
> test that combination. Therefore, this patch allows syzbot to temporarily
> ignore security= parameter. This patch is meant for linux-next.git only,
> and will be removed after infrastructure managed security blob support
> went to linux.git.
>
> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
> ---
> security/security.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/security/security.c b/security/security.c
> index ef03643..0632feb 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -346,12 +346,14 @@ int __init security_init(void)
> }
>
> /* Save user chosen LSM */
> +#ifndef CONFIG_DEBUG_AID_FOR_SYZBOT
> static int __init choose_major_lsm(char *str)
> {
> chosen_major_lsm = str;
> return 1;
> }
> __setup("security=", choose_major_lsm);
> +#endif
>
> /* Explicitly choose LSM initialization order. */
> static int __init choose_lsm_order(char *str)
> --
> 1.8.3.1
>
next prev parent reply other threads:[~2019-02-04 8:08 UTC|newest]
Thread overview: 78+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-08-30 2:17 WARNING in apparmor_secid_to_secctx syzbot
2018-08-30 2:17 ` syzbot
2018-08-30 2:21 ` Dmitry Vyukov
2018-08-30 2:21 ` Dmitry Vyukov
2018-08-31 16:03 ` Stephen Smalley
2018-08-31 16:03 ` Stephen Smalley
2018-08-31 16:07 ` Paul Moore
2018-08-31 16:07 ` Paul Moore
2018-08-31 16:16 ` Stephen Smalley
2018-08-31 16:16 ` Stephen Smalley
2018-08-31 16:17 ` Stephen Smalley
2018-08-31 16:17 ` Stephen Smalley
2018-08-31 22:38 ` Dmitry Vyukov
2018-08-31 22:38 ` Dmitry Vyukov
2018-09-04 12:57 ` Stephen Smalley
2018-09-04 12:57 ` Stephen Smalley
2018-09-04 13:16 ` Russell Coker
2018-09-04 13:16 ` Russell Coker
2018-09-04 14:53 ` Dmitry Vyukov
2018-09-04 14:53 ` Dmitry Vyukov
2018-09-05 17:13 ` Kees Cook
2018-09-05 17:13 ` Kees Cook
2018-09-04 15:02 ` Dmitry Vyukov
2018-09-04 15:02 ` Dmitry Vyukov
2018-09-04 15:28 ` Stephen Smalley
2018-09-04 15:28 ` Stephen Smalley
2018-09-04 15:38 ` Dmitry Vyukov
2018-09-04 15:38 ` Dmitry Vyukov
2018-09-04 17:02 ` Stephen Smalley
2018-09-04 17:02 ` Stephen Smalley
2018-09-05 1:21 ` Paul Moore
2018-09-05 1:21 ` Paul Moore
2018-09-05 11:08 ` Dmitry Vyukov
2018-09-05 11:08 ` Dmitry Vyukov
2018-09-05 17:37 ` Casey Schaufler
2018-09-05 17:37 ` Casey Schaufler
2018-09-06 10:59 ` Dmitry Vyukov
2018-09-06 10:59 ` Dmitry Vyukov
2018-09-06 11:19 ` Dmitry Vyukov
2018-09-06 11:19 ` Dmitry Vyukov
2018-09-06 19:35 ` Dmitry Vyukov
2018-09-06 19:35 ` Dmitry Vyukov
2019-01-29 11:32 ` Tetsuo Handa
2019-01-30 14:45 ` Dmitry Vyukov
2019-01-30 16:30 ` Micah Morton
2019-01-31 0:22 ` Tetsuo Handa
2019-02-01 10:09 ` Dmitry Vyukov
2019-02-01 10:11 ` Dmitry Vyukov
2019-02-01 10:43 ` Tetsuo Handa
2019-02-01 10:50 ` Dmitry Vyukov
2019-02-01 13:09 ` [PATCH] LSM: Allow syzbot to ignore security= parameter Tetsuo Handa
2019-02-04 8:07 ` Dmitry Vyukov [this message]
2019-02-06 10:23 ` Tetsuo Handa
2019-02-06 17:03 ` Casey Schaufler
2019-02-07 2:30 ` Tetsuo Handa
2019-02-07 16:24 ` Casey Schaufler
2019-02-08 10:52 ` Tetsuo Handa
2019-02-08 16:23 ` Casey Schaufler
2019-02-09 0:28 ` Tetsuo Handa
2019-02-09 1:40 ` Tetsuo Handa
2019-02-08 21:49 ` Kees Cook
2019-02-08 21:33 ` Kees Cook
2018-08-30 3:43 ` WARNING in apparmor_secid_to_secctx syzbot
2018-08-30 3:43 ` syzbot
2018-09-01 9:18 ` John Johansen
2018-09-01 9:18 ` John Johansen
2018-09-02 4:33 ` Dmitry Vyukov
2018-09-02 4:33 ` Dmitry Vyukov
2018-09-02 4:52 ` John Johansen
2018-09-02 4:52 ` John Johansen
2018-09-02 5:03 ` Dmitry Vyukov
2018-09-02 5:03 ` Dmitry Vyukov
2018-09-02 5:03 ` syzbot
2018-09-02 5:03 ` syzbot
2018-09-02 5:05 ` Dmitry Vyukov
2018-09-02 5:05 ` Dmitry Vyukov
2018-09-02 5:46 ` syzbot
2018-09-02 5:46 ` syzbot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CACT4Y+Yd1YN=OELBmzUDvwdg5KuV2WnN9WZpjk5O_yuS0i1yOA@mail.gmail.com' \
--to=dvyukov@google.com \
--cc=akpm@linux-foundation.org \
--cc=bigon@debian.org \
--cc=casey@schaufler-ca.com \
--cc=jeffv@google.com \
--cc=jmorris@namei.org \
--cc=john.johansen@canonical.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=penguin-kernel@i-love.sakura.ne.jp \
--cc=russell@coker.com.au \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
--cc=serge@hallyn.com \
--cc=syzbot+21016130b0580a9de3b5@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
--cc=syzkaller@googlegroups.com \
--cc=tyhicks@canonical.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.