From: Guenter Roeck <linux@roeck-us.net>
To: Paul Moore <paul@paul-moore.com>
Cc: KP Singh <kpsingh@kernel.org>,
Nathan Chancellor <nathan@kernel.org>,
linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org, bp@alien8.de,
sfr@canb.auug.org.au, peterz@infradead.org
Subject: Re: [PATCH] init/main.c: Initialize early LSMs after arch code
Date: Thu, 8 Aug 2024 11:00:39 -0700 [thread overview]
Message-ID: <8061553f-6bfc-4ee6-a8f1-e3741cf5ae6c@roeck-us.net> (raw)
In-Reply-To: <CAHC9VhRGt-b8PmtR-hZwOWB1zfmuhfftoppjacqrjq60tm0mag@mail.gmail.com>
On Thu, Aug 08, 2024 at 01:32:37PM -0400, Paul Moore wrote:
> On Thu, Aug 8, 2024 at 12:43 PM Guenter Roeck <linux@roeck-us.net> wrote:
> >
> > Also, there is a backtrace on ppc (also see below), but that is unrelated
> > to your patches and only seen now because I enabled the security modules
> > on that architecture. I'll bring that up with ppc maintainers.
>
> Thanks for all your help testing this Guenter. I see you've also
> already submitted an AppArmor fix for the endian issue, that's very
> helpful and I'm sure John will be happy to see it.
>
> Beyond this work testing the static call patches from KP, would you be
> willing to add a LSM configuration to your normal testing? While most
> of the LSM subsystem should be architecture agnostic, there are
> definitely bits and pieces that can vary (as you've seen), and I think
> it would be great to get more testing across a broad range of
> supported arches, even if it is just some simple "does it boot" tests.
>
That really depends. I already enabled some of the kernel security modules.
CONFIG_SECURITY=y
CONFIG_SECURITY_APPARMOR=y
CONFIG_SECURITY_APPARMOR_KUNIT_TEST=y
CONFIG_SECURITY_LANDLOCK=y
CONFIG_SECURITY_LANDLOCK_KUNIT_TEST=y
CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
CONFIG_SECURITY_YAMA=y
CONFIG_SECURITY_LOADPIN=y
CONFIG_SECURITY_SAFESETID=y
CONFIG_BPF_LSM=y
CONFIG_LSM="landlock,lockdown,yama,loadpin,safesetid,bpf"
I can easily add more if you tell me what else I should enable.
Userspace is more difficult. My root file systems are generated using
buildroot. I run some basic tests, such as network interface tests
and TPM tests, but those are just simple scripts utilizing packages
provided by buildroot. I can add more, but I would need to know what
exactly to add and how to execute it.
In general my tests are intended to cover a large number of different
configurations; they are intended to be broad, not deep. That means an
individual test should not take longer than a couple of seconds. If you
can provide something that would run in the buildroot environment and
not take long to execute (example: tpm2 selftests), I'd be happy to add
it.
For more comprehensive tests, it might make sense to discuss adding
security tests to KernelCI; they have much more resources available
and target deeper testing. That would make sense if you have, for example,
test suites to run on upstream kernels or stable release candidates.
> Out of curiosity, do you have your test setup documented anywhere? It
> sounds fairly impressive and I'd be curious to learn more about it.
>
Not really. The code is at https://github.com/groeck/linux-build-test.
My clone of buildroot is at https://github.com/groeck/buildroot (look
for local- branches to see my changes). Please feel free to have a look,
but documentation is seriously lacking (and README is completely out
of date).
Guenter
next prev parent reply other threads:[~2024-08-08 18:00 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-08-01 17:17 [PATCH] init/main.c: Initialize early LSMs after arch code KP Singh
2024-08-05 19:57 ` Paul Moore
2024-08-05 23:29 ` KP Singh
2024-08-06 2:20 ` Nathan Chancellor
2024-08-06 21:41 ` Paul Moore
2024-08-07 20:44 ` Paul Moore
2024-08-07 22:45 ` KP Singh
2024-08-07 22:50 ` KP Singh
2024-08-07 23:43 ` Paul Moore
2024-08-08 0:30 ` KP Singh
2024-08-08 0:34 ` Guenter Roeck
2024-08-08 0:40 ` KP Singh
2024-08-08 1:20 ` Guenter Roeck
2024-08-08 1:18 ` Paul Moore
2024-08-08 1:40 ` Guenter Roeck
2024-08-08 2:13 ` Guenter Roeck
2024-08-08 4:07 ` Guenter Roeck
2024-08-08 9:57 ` KP Singh
2024-08-08 15:20 ` Guenter Roeck
2024-08-08 16:43 ` Guenter Roeck
2024-08-08 17:32 ` Paul Moore
2024-08-08 18:00 ` Guenter Roeck [this message]
2024-08-08 20:49 ` Paul Moore
2024-08-12 17:12 ` KP Singh
2024-08-12 19:33 ` Paul Moore
2024-08-12 21:14 ` KP Singh
2024-08-12 21:32 ` Paul Moore
2024-08-12 22:02 ` KP Singh
2024-08-13 4:07 ` Guenter Roeck
2024-08-13 15:56 ` KP Singh
2024-08-13 16:26 ` Guenter Roeck
2024-08-13 18:21 ` Paul Moore
2024-08-08 17:19 ` Paul Moore
2025-03-11 13:37 ` joeyli
2025-03-11 15:14 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=8061553f-6bfc-4ee6-a8f1-e3741cf5ae6c@roeck-us.net \
--to=linux@roeck-us.net \
--cc=bp@alien8.de \
--cc=kpsingh@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=nathan@kernel.org \
--cc=paul@paul-moore.com \
--cc=peterz@infradead.org \
--cc=sfr@canb.auug.org.au \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox