[PATCH] init/main.c: Initialize early LSMs after arch code

KP Singh kpsingh at kernel.org
Thu Aug 8 00:30:11 UTC 2024


On Thu, Aug 8, 2024 at 1:44 AM Paul Moore <paul at paul-moore.com> wrote:
>
> On Wed, Aug 7, 2024 at 6:45 PM KP Singh <kpsingh at kernel.org> wrote:
> > On Wed, Aug 7, 2024 at 10:45 PM Paul Moore <paul at paul-moore.com> wrote:
> > > On Tue, Aug 6, 2024 at 5:41 PM Paul Moore <paul at paul-moore.com> wrote:
> > > > On Mon, Aug 5, 2024 at 10:20 PM Nathan Chancellor <nathan at kernel.org> wrote:
> > >
> > > ...
> > >
> > > > > For what it's worth, I have not noticed any issues in my -next testing
> > > > > with this patch applied but I only build architectures that build with
> > > > > LLVM due to the nature of my work. If exposure to more architectures is
> > > > > desirable, perhaps Guenter Roeck would not mind testing it with his
> > > > > matrix?
> > > >
> > > > Thanks Nathan.
> > > >
> > > > I think the additional testing would be great, KP can you please work
> > > > with Guenter to set this up?
> > >
> >
> > Adding Guenter directly to this thread.
> >
> > > Is that something you can do KP?  I'm asking because I'm looking at
> > > merging some other patches into lsm/dev and I need to make a decision
> > > about the static call patches (hold off on merging the other patches
> > > until the static call testing is complete, or yank the static call
> > > patches until testing is complete and then re-merge).  Understanding
> > > your ability to do the additional testing, and a rough idea of how
> >
> > I have done the best of the testing I could do here. I think we should
> > let this run its normal course and see if this breaks anything. I am
> > not sure how testing is done before patches are merged and what else
> > you expect me to do?
>
> That is why I was asking you to get in touch with Guenter to try and
> sort out what needs to be done to test this across different
> architectures.
>
> With all due respect, this patchset has a history of not being as well
> tested as I would like; we had the compilation warning on gcc
> and then the linux-next breakage.  The gcc problem wasn't a major
> problem (although it was disappointing, especially considering the
> context around it), but I consider the linux-next breakage fairly
> serious and would like to have some assurance beyond your "it's okay,
> trust me" this time around.  If there really is no way to practically
> test this patchset across multiple arches prior to throwing it into
> linux-next, so be it, but I want to see at least some effort towards
> trying to make that happen.
>

I did add Guenter to the thread, but really, I cannot offer more
testing than the configs we use in production. I don't use GCC as we
mostly use clang, and we don't use early LSMs, which is such a special
case with two extra configs with lockdown. Calling it having a
"history of not being tested" is unfair.

If there is a general process / tests you follow before merging
patches, I am happy to run them. In the absence of that, it's not easy
to spot corner cases.

- KP

> --
> paul-moore.com



More information about the Linux-security-module-archive mailing list