[PATCH] init/main.c: Initialize early LSMs after arch code
KP Singh
kpsingh at kernel.org
Mon Aug 12 17:12:16 UTC 2024
On Thu, Aug 8, 2024 at 10:49 PM Paul Moore <paul at paul-moore.com> wrote:
>
> On Thu, Aug 8, 2024 at 2:00 PM Guenter Roeck <linux at roeck-us.net> wrote:
> > On Thu, Aug 08, 2024 at 01:32:37PM -0400, Paul Moore wrote:
> > > On Thu, Aug 8, 2024 at 12:43 PM Guenter Roeck <linux at roeck-us.net> wrote:
> > > >
> > > > Also, there is a backtrace on ppc (also see below), but that is unrelated
> > > > to your patches and only seen now because I enabled the security modules
> > > > on that architecture. I'll bring that up with ppc maintainers.
> > >
> > > Thanks for all your help testing this Guenter. I see you've also
> > > already submitted an AppArmor fix for the endian issue, that's very
> > > helpful and I'm sure John will be happy to see it.
> > >
> > > Beyond this work testing the static call patches from KP, would you be
> > > willing to add a LSM configuration to your normal testing? While most
> > > of the LSM subsystem should be architecture agnostic, there are
> > > definitely bits and pieces that can vary (as you've seen), and I think
> > > it would be great to get more testing across a broad range of
> > > supported arches, even if it is just some simple "does it boot" tests.
> > >
> >
> > That really depends. I already enabled some of the kernel security modules.
> >
> > CONFIG_SECURITY=y
> > CONFIG_SECURITY_APPARMOR=y
> > CONFIG_SECURITY_APPARMOR_KUNIT_TEST=y
> > CONFIG_SECURITY_LANDLOCK=y
> > CONFIG_SECURITY_LANDLOCK_KUNIT_TEST=y
> > CONFIG_SECURITY_LOCKDOWN_LSM=y
> > CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
> > CONFIG_SECURITY_YAMA=y
> > CONFIG_SECURITY_LOADPIN=y
> > CONFIG_SECURITY_SAFESETID=y
> > CONFIG_BPF_LSM=y
> > CONFIG_LSM="landlock,lockdown,yama,loadpin,safesetid,bpf"
> >
> > I can easily add more if you tell me what else I should enable.
>
> Thanks, I just added a todo item to send you a list. I appreciate the help.
>
> > Userspace is more difficult. My root file systems are generated using
> > buildroot. I run some basic tests, such as network interface tests
> > and TPM tests, but those are just simple scripts utilizing packages
> > provided by buildroot. I can add more, but I would need to know what
> > exactly to add and how to execute it.
>
> Of course. As far as I'm concerned, simply enabling the LSMs and
> making sure the various arches boot without additional faults would be
> a nice boost in testing.
>
> > > Out of curiosity, do you have your test setup documented anywhere? It
> > > sounds fairly impressive and I'd be curious to learn more about it.
> >
> > Not really. The code is at https://github.com/groeck/linux-build-test.
> > My clone of buildroot is at https://github.com/groeck/buildroot (look
> > for local- branches to see my changes). Please feel free to have a look,
> > but documentation is seriously lacking (and README is completely out
> > of date).
>
JFYI, I synced with Guenter and all arches seem to pass and alpha does
not work due to a reason that I am unable to debug. I will try doing
more debugging but I will need more alpha help here (added the
maintainers to this thread).
> Thanks for the pointers.
>
> --
> paul-moore.com
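The "does it boot with the LSMs enabled" check Paul asks for above can be turned into something a build-test harness can assert on. The following POSIX shell script is an added example for this archive page; it is not code from the thread, from Guenter's linux-build-test repository, or from the kernel tree. It reads the LSM list out of a kernel .config, verifies that every LSM named in CONFIG_LSM has its Kconfig symbol set to y, and compares that list with what the booted kernel reports in /sys/kernel/security/lsm. The .config text and the boot-time list below are constructed sample data (the same options Guenter lists in this thread) so the script runs offline; the lsm_symbol mapping is an assumption based on the symbol names visible in this thread, and the live-system usage assumes CONFIG_IKCONFIG_PROC so that /proc/config.gz exists.

```shell
#!/bin/sh
# Added example, not from the thread: cross-check CONFIG_LSM against the
# enabled Kconfig symbols and against the kernel's boot-time LSM list.

# Constructed sample .config fragment (mirrors the options quoted in the thread).
SAMPLE_CONFIG='CONFIG_SECURITY=y
CONFIG_SECURITY_APPARMOR=y
CONFIG_SECURITY_LANDLOCK=y
CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_YAMA=y
CONFIG_SECURITY_LOADPIN=y
CONFIG_SECURITY_SAFESETID=y
CONFIG_BPF_LSM=y
CONFIG_LSM="landlock,lockdown,yama,loadpin,safetid_placeholder_removed"'
# (the placeholder above is replaced right away; kept the heredoc-free form simple)
SAMPLE_CONFIG=$(printf '%s\n' "$SAMPLE_CONFIG" | sed 's/^CONFIG_LSM=.*/CONFIG_LSM="landlock,lockdown,yama,loadpin,safesetid,bpf"/')

# Constructed boot-time list, in the format /sys/kernel/security/lsm uses.
# "capability" is always present and is not spelled out in CONFIG_LSM.
SAMPLE_ACTIVE='capability,landlock,lockdown,yama,loadpin,safesetid,bpf'

# Map an LSM name to its Kconfig symbol. Assumed mapping: most LSMs follow
# CONFIG_SECURITY_<NAME>; bpf and lockdown use the symbols seen in the thread.
lsm_symbol() {
    case "$1" in
        bpf)      echo CONFIG_BPF_LSM ;;
        lockdown) echo CONFIG_SECURITY_LOCKDOWN_LSM ;;
        *)        echo "CONFIG_SECURITY_$(echo "$1" | tr 'a-z' 'A-Z')" ;;
    esac
}

# lsm_list CONFIG_TEXT -> the comma-separated value of CONFIG_LSM
lsm_list() {
    printf '%s\n' "$1" | sed -n 's/^CONFIG_LSM="\(.*\)"$/\1/p'
}

# missing_symbols CONFIG_TEXT -> names in CONFIG_LSM whose symbol is not =y
missing_symbols() {
    cfg="$1"; out=""
    for name in $(lsm_list "$cfg" | tr ',' ' '); do
        sym=$(lsm_symbol "$name")
        printf '%s\n' "$cfg" | grep -qx "$sym=y" || out="$out $name"
    done
    printf '%s\n' "${out# }"
}

# inactive_lsms CONFIG_TEXT ACTIVE_LIST -> names in CONFIG_LSM that the
# booted kernel does not report as active
inactive_lsms() {
    out=""
    for name in $(lsm_list "$1" | tr ',' ' '); do
        case ",$2," in
            *",$name,"*) ;;
            *) out="$out $name" ;;
        esac
    done
    printf '%s\n' "${out# }"
}

# report CONFIG_TEXT ACTIVE_LIST -> prints findings, returns 0 only if both
# checks are clean (so a boot test can fail on a non-zero status)
report() {
    missing=$(missing_symbols "$1")
    inactive=$(inactive_lsms "$1" "$2")
    [ -z "$missing" ]  || echo "Kconfig symbol not enabled for: $missing"
    [ -z "$inactive" ] || echo "In CONFIG_LSM but not active at boot: $inactive"
    if [ -z "$missing$inactive" ]; then
        echo "LSM config and boot-time list agree"
        return 0
    fi
    return 1
}

# Stand-alone run on the constructed sample data.
report "$SAMPLE_CONFIG" "$SAMPLE_ACTIVE"
```

On a booted test kernel the same check runs on live data with `report "$(zcat /proc/config.gz)" "$(cat /sys/kernel/security/lsm)"`, and its exit status can gate the "boots without faults" verdict per architecture.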