[PATCH] init/main.c: Initialize early LSMs after arch code

Paul Moore paul at paul-moore.com
Thu Aug 8 20:49:08 UTC 2024 

On Thu, Aug 8, 2024 at 2:00 PM Guenter Roeck <linux at roeck-us.net> wrote:
> On Thu, Aug 08, 2024 at 01:32:37PM -0400, Paul Moore wrote:
> > On Thu, Aug 8, 2024 at 12:43 PM Guenter Roeck <linux at roeck-us.net> wrote:
> > >
> > > Also, there is a backtrace on ppc (also see below), but that is unrelated
> > > to your patches and only seen now because I enabled the security modules
> > > on that architecture. I'll bring that up with ppc maintainers.
> >
> > Thanks for all your help testing this Guenter.  I see you've also
> > already submitted an AppArmor fix for the endian issue, that's very
> > helpful and I'm sure John will be happy to see it.
> >
> > Beyond this work testing the static call patches from KP, would you be
> > willing to add a LSM configuration to your normal testing?  While most
> > of the LSM subsystem should be architecture agnostic, there are
> > definitely bits and pieces that can vary (as you've seen), and I think
> > it would be great to get more testing across a broad range of
> > supported arches, even if it is just some simple "does it boot" tests.
> >
>
> That really depends. I already enabled some of the kernel security modules.
>
> CONFIG_SECURITY=y
> CONFIG_SECURITY_APPARMOR=y
> CONFIG_SECURITY_APPARMOR_KUNIT_TEST=y
> CONFIG_SECURITY_LANDLOCK=y
> CONFIG_SECURITY_LANDLOCK_KUNIT_TEST=y
> CONFIG_SECURITY_LOCKDOWN_LSM=y
> CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
> CONFIG_SECURITY_YAMA=y
> CONFIG_SECURITY_LOADPIN=y
> CONFIG_SECURITY_SAFESETID=y
> CONFIG_BPF_LSM=y
> CONFIG_LSM="landlock,lockdown,yama,loadpin,safesetid,bpf"
>
> I can easily add more if you tell me what else I should enable.

Thanks, I just added a todo item to send you a list.  I appreciate the help.

> Userspace is more difficult. My root file systems are generated using
> buildroot. I run some basic tests, such as network interface tests
> and TPM tests, but those are just simple scripts utilizing packages
> provided by buildroot. I can add more, but I would need to know what
> exactly to add and how to execute it.

Of course.  As far as I'm concerned, simply enabling the LSMs and
making sure the various arches boot without additional faults would be
a nice boost in testing.

> > Out of curiosity, do you have your test setup documented anywhere?  It
> > sounds fairly impressive and I'd be curious to learn more about it.
>
> Not really. The code is at https://github.com/groeck/linux-build-test.
> My clone of buildroot is at https://github.com/groeck/buildroot (look
> for local- branches to see my changes). Please feel free to have a look,
> but documentation is seriously lacking (and README is completely out
> of date).

Thanks for the pointers.

-- 
paul-moore.com

More information about the Linux-security-module-archive mailing list