From: David Abdurachmanov <david.abdurachmanov@gmail.com>
To: Paul Moore <paul@paul-moore.com>
Cc: Palmer Dabbelt <palmer@sifive.com>,
linux-riscv@lists.infradead.org, aou@eecs.berkeley.edu,
eparis@redhat.com, Kees Cook <keescook@chromium.org>,
luto@amacapital.net, Will Drewry <wad@chromium.org>,
wesley@sifive.com, dhowells@redhat.com, tglx@linutronix.de,
Philippe Ombredanne <pombredanne@nexb.com>,
gregkh@linuxfoundation.org,
Kate Stewart <kstewart@linuxfoundation.org>,
linux-kernel@vger.kernel.org, linux-audit@redhat.com
Subject: Re: [PATCH 2/2] RISC-V: Add support for SECCOMP
Date: Sun, 28 Oct 2018 12:07:55 +0100 [thread overview]
Message-ID: <CAEn-LTonSqSG8GtgVmwt7ToJ2NZKsGEaWndmA0Q7Lzm316CFbA@mail.gmail.com> (raw)
In-Reply-To: <CAHC9VhT015tz4qZZ=vM6FowsUXLv-RYeBrH4C8d6jvg=XHumHA@mail.gmail.com>
On Thu, Oct 25, 2018 at 10:36 PM Paul Moore <paul@paul-moore.com> wrote:
>
> On Thu, Oct 25, 2018 at 2:31 PM David Abdurachmanov
> <david.abdurachmanov@gmail.com> wrote:
> > On Wed, Oct 24, 2018 at 10:40 PM Palmer Dabbelt <palmer@sifive.com> wrote:
> > > From: "Wesley W. Terpstra" <wesley@sifive.com>
>
> ...
>
> > Palmer,
> >
> > Half of the patch seems to touch audit parts. I started working on audit
> > support this morning, and I can boot Fedora with audit traces.
> >
> > [root@fedora-riscv ~]# dmesg | grep audit
> > [ 0.312000] audit: initializing netlink subsys (disabled)
> > [ 0.316000] audit: type=2000 audit(0.316:1): state=initialized
> > audit_enabled=0 res=1
> > [ 7.288000] audit: type=1130 audit(1529665913.772:2): pid=1 uid=0
> > auid=4294967295 ses=4294967295 msg='unit=systemd-remount-fs
> > comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=?
> > terminal=? res=success'
> > [ 7.684000] audit: type=1130 audit(1529665914.176:3): pid=1 uid=0
> > auid=4294967295 ses=4294967295 msg='unit=systemd-sysctl comm="systemd"
> > exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
> > res=success'
> > [..]
> >
> > I am still working on audit user-space support for better testing.
> >
> > I suggest we first implement audit and then seccomp.
>
> FYI, while small and far from comprehensive, we do have a test suite
> we use for basic validation of the audit kernel bits which may be
> helpful while you're working on the audit enablement:
>
> * https://github.com/linux-audit/audit-testsuite
Currently I checked the following to work:
- /proc/self/loginuid (required by DNF [package manager])
- auditctl (checked several different example rules from internet)
- aulast
- aulastlog
- ausearch
- ausyscall
- aureport
- autrace (compared some syscalls to strace: order and
return value/input arguments seems to be correct)
I checked audit-testsuite yesterday and it seems to be only for
x86-64 / x86-32. After adjusting it (MODE, syscalls) I am at:
Failed 4/14 test programs. 19/88 subtests failed.
I don't plan to look further in the failure, e.g.:
- syscall_socketcall: that's an old stuff and not relevant to
new arches
- syscall_module: Fedora kernel currently is not compiled
with kernel loadable module support
- filter_exclude: two tests fail because id -Z doesn't print
any categories, but "semanage login -l" output is identical
between x86_64 and riscv64
- netfilter_pkt: don't have CONFIG_IP_NF_MANGLE enabled
Fedora kernel currently has minimal CONFIG_* options
and is built without loadable module support.
I will send the patches for review soon.
david
next prev parent reply other threads:[~2018-10-28 11:08 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CAEn-LTqbEmWovu4t7Rs4C211+GRRU4V3B=+WmW0SOhX_b8db5Q@mail.gmail.com>
2018-10-24 20:40 ` [PATCH 0/2] RISC-V: Add support for SECCOMP Palmer Dabbelt
2018-10-24 20:40 ` [PATCH 1/2] Move EM_RISCV into elf-em.h Palmer Dabbelt
2018-10-24 21:26 ` Kees Cook
2018-10-27 7:46 ` Christoph Hellwig
2018-10-27 9:10 ` David Abdurachmanov
2018-10-24 20:40 ` [PATCH 2/2] RISC-V: Add support for SECCOMP Palmer Dabbelt
2018-10-24 21:42 ` Kees Cook
2018-10-24 22:34 ` Kees Cook
2018-10-25 21:02 ` Andy Lutomirski
2018-10-27 6:07 ` Palmer Dabbelt
2018-10-25 18:31 ` David Abdurachmanov
2018-10-25 20:36 ` Paul Moore
2018-10-28 11:07 ` David Abdurachmanov [this message]
2018-10-29 20:27 ` Palmer Dabbelt
2018-11-02 13:32 ` David Abdurachmanov
2018-11-02 15:51 ` Kees Cook
2018-10-27 6:07 ` Palmer Dabbelt
2018-10-27 7:55 ` Christoph Hellwig
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAEn-LTonSqSG8GtgVmwt7ToJ2NZKsGEaWndmA0Q7Lzm316CFbA@mail.gmail.com \
--to=david.abdurachmanov@gmail.com \
--cc=aou@eecs.berkeley.edu \
--cc=dhowells@redhat.com \
--cc=eparis@redhat.com \
--cc=gregkh@linuxfoundation.org \
--cc=keescook@chromium.org \
--cc=kstewart@linuxfoundation.org \
--cc=linux-audit@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-riscv@lists.infradead.org \
--cc=luto@amacapital.net \
--cc=palmer@sifive.com \
--cc=paul@paul-moore.com \
--cc=pombredanne@nexb.com \
--cc=tglx@linutronix.de \
--cc=wad@chromium.org \
--cc=wesley@sifive.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).