From: Kees Cook <keescook@chromium.org>
To: Andy Lutomirski <luto@kernel.org>
Cc: Shuah Khan <shuah@kernel.org>,
Sumit Semwal <sumit.semwal@linaro.org>,
Brian Norris <computersforpeace@gmail.com>,
"Luis R. Rodriguez" <mcgrof@kernel.org>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
LKML <linux-kernel@vger.kernel.org>,
"# 3.4.x" <stable@vger.kernel.org>,
"open list:KERNEL SELFTEST FRAMEWORK"
<linux-kselftest@vger.kernel.org>,
Shuah Khan <shuahkh@osg.samsung.com>
Subject: Re: seccomp ptrace selftest failures with 4.4-stable [Was: Re: LTS testing with latest kselftests - some failures]
Date: Thu, 22 Jun 2017 10:50:43 -0700 [thread overview]
Message-ID: <CAGXu5jKDq9PmHOyooRrUXBE-iRbh4CR5B-QYVi=Gp1tOFPP_3g@mail.gmail.com> (raw)
In-Reply-To: <CALCETrVa0RgBcsb1_GmobjG1prFNFs0F8krHdbmiKEyhua7xkw@mail.gmail.com>
On Thu, Jun 22, 2017 at 10:49 AM, Andy Lutomirski <luto@kernel.org> wrote:
> On Thu, Jun 22, 2017 at 10:09 AM, Shuah Khan <shuah@kernel.org> wrote:
>> On 06/22/2017 10:53 AM, Kees Cook wrote:
>>> On Thu, Jun 22, 2017 at 9:18 AM, Sumit Semwal <sumit.semwal@linaro.org> wrote:
>>>> Hi Kees, Andy,
>>>>
>>>> On 15 June 2017 at 23:26, Sumit Semwal <sumit.semwal@linaro.org> wrote:
>>>>> 3. 'seccomp ptrace hole closure' patches got added in 4.7 [3] -
>>>>> feature and test together.
>>>>> - This one also seems like a security hole being closed, and the
>>>>> 'feature' could be a candidate for stable backports, but Arnd tried
>>>>> that, and it was quite non-trivial. So perhaps we'll need some help
>>>>> from the subsystem developers here.
>>>>
>>>> Could you please help us sort this out? Our goal is to help Greg with
>>>> testing stable kernels, and currently the seccomp tests fail due to
>>>> missing feature (seccomp ptrace hole closure) getting tested via
>>>> latest kselftest.
>>>>
>>>> If you feel the feature isn't a stable candidate, then could you
>>>> please help make the test degrade gracefully in its absence?
>>>
>>> I don't really want to have that change be a backport -- it's quite
>>> invasive across multiple architectures.
>>>
>>> I would say just add a kernel version check to the test. This is
>>> probably not the only selftest that will need such things. :)
>>
>> Adding release checks to selftests is going to problematic for maintenance.
>> Tests should fail gracefully if feature isn't supported in older kernels.
>>
>> Several tests do that now and please find a way to check for dependencies
>> and feature availability and fail the test gracefully. If there is a test
>> that can't do that for some reason, we can discuss it, but as a general
>> rule, I don't want to see kselftest patches that check release.
>
> If a future kernel inadvertently loses the new feature and degrades to
> the behavior of old kernels, that would be a serious bug and should be
> caught.
Right. I really think stable kernels should be tested with their own
selftests. If some test is needed in a stable kernel it should be
backported to that stable kernel.
-Kees
--
Kees Cook
Pixel Security
next prev parent reply other threads:[~2017-06-22 17:50 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-06-22 16:18 seccomp ptrace selftest failures with 4.4-stable [Was: Re: LTS testing with latest kselftests - some failures] Sumit Semwal
2017-06-22 16:53 ` Kees Cook
2017-06-22 17:09 ` Shuah Khan
2017-06-22 17:49 ` Andy Lutomirski
2017-06-22 17:50 ` Kees Cook [this message]
2017-06-22 19:06 ` Shuah Khan
2017-06-22 19:48 ` Tom Gall
2017-06-22 20:23 ` Shuah Khan
2017-06-23 4:02 ` Sumit Semwal
2017-06-23 15:36 ` Shuah Khan
2017-06-23 19:03 ` Shuah Khan
2017-06-23 19:44 ` Tom Gall
2017-06-23 1:52 ` Greg Kroah-Hartman
2017-06-23 2:40 ` Andy Lutomirski
2017-06-23 4:05 ` Kees Cook
2017-06-24 0:34 ` Luis R. Rodriguez
2017-06-24 4:45 ` Greg Kroah-Hartman
2017-06-26 21:44 ` Luis R. Rodriguez
2017-06-24 4:43 ` Greg Kroah-Hartman
2017-07-05 14:59 ` Sumit Semwal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAGXu5jKDq9PmHOyooRrUXBE-iRbh4CR5B-QYVi=Gp1tOFPP_3g@mail.gmail.com' \
--to=keescook@chromium.org \
--cc=computersforpeace@gmail.com \
--cc=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=luto@kernel.org \
--cc=mcgrof@kernel.org \
--cc=shuah@kernel.org \
--cc=shuahkh@osg.samsung.com \
--cc=stable@vger.kernel.org \
--cc=sumit.semwal@linaro.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).