[PATCH] security/tomoyo: Prevent message flooding if no Tomoyo loader is present

Yafang Shao laoar.shao at gmail.com
Thu Jul 25 05:42:16 UTC 2024


After upgrading our OS to Rocky Linux 9, we've noticed an abundance of
Tomoyo-related messages in the dmesg output, specifically indicating that
Mandatory Access Control is not being activated due to the absence of
/sbin/tomoyo-init. These messages repeatedly appear as systemd periodically
checks for Tomoyo, but since the loader does not exist, it triggers the
messages, as follows:

[2362655.988555] Not activating Mandatory Access Control as /sbin/tomoyo-init does not exist.
[2362956.054826] Not activating Mandatory Access Control as /sbin/tomoyo-init does not exist.
[2363256.123963] Not activating Mandatory Access Control as /sbin/tomoyo-init does not exist.
[2363556.176985] Not activating Mandatory Access Control as /sbin/tomoyo-init does not exist.
[2363856.239882] Not activating Mandatory Access Control as /sbin/tomoyo-init does not exist.
[2364041.613547] Not activating Mandatory Access Control as /sbin/tomoyo-init does not exist.
[2364155.298170] Not activating Mandatory Access Control as /sbin/tomoyo-init does not exist.
[2364455.361375] Not activating Mandatory Access Control as /sbin/tomoyo-init does not exist.
[2364755.411385] Not activating Mandatory Access Control as /sbin/tomoyo-init does not exist.
[2364816.253043] Not activating Mandatory Access Control as /sbin/tomoyo-init does not exist.

The Tomoyo configs in our kernel config are as follows:

  CONFIG_SECURITY_TOMOYO=y
  CONFIG_SECURITY_TOMOYO_MAX_ACCEPT_ENTRY=2048
  CONFIG_SECURITY_TOMOYO_MAX_AUDIT_LOG=1024
  # CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER is not set
  CONFIG_SECURITY_TOMOYO_POLICY_LOADER="/sbin/tomoyo-init"
  CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER="/usr/lib/systemd/systemd"
  # CONFIG_SECURITY_TOMOYO_INSECURE_BUILTIN_SETTING is not set

While disabling Tomoyo is a straightforward solution to prevent the message
flooding, it's suboptimal as we're unsure if any system components rely on
its functionality. A more elegant approach would be to modify the logging
mechanism to use pr_info_once() instead of the default one, which would
reduce the number of redundant messages without compromising the
functionality of the system. This change would ensure that the necessary
information is logged once, preventing the dmesg from being cluttered
with repetitive messages.

Signed-off-by: Yafang Shao <laoar.shao at gmail.com>
---
 security/tomoyo/load_policy.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/security/tomoyo/load_policy.c b/security/tomoyo/load_policy.c
index 363b65be87ab..4e64b5678abf 100644
--- a/security/tomoyo/load_policy.c
+++ b/security/tomoyo/load_policy.c
@@ -41,8 +41,8 @@ static bool tomoyo_policy_loader_exists(void)
 	if (!tomoyo_loader)
 		tomoyo_loader = CONFIG_SECURITY_TOMOYO_POLICY_LOADER;
 	if (kern_path(tomoyo_loader, LOOKUP_FOLLOW, &path)) {
-		pr_info("Not activating Mandatory Access Control as %s does not exist.\n",
-			tomoyo_loader);
+		pr_info_once("Not activating Mandatory Access Control as %s does not exist.\n",
+			     tomoyo_loader);
 		return false;
 	}
 	path_put(&path);
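Review bot: the `if (kern_path(tomoyo_loader, LOOKUP_FOLLOW, &path))` branch treats every non-zero return as "does not exist", and with pr_info_once() only the first such failure is ever logged for the lifetime of the boot, so a later failure for a different reason (a permission error, or a dangling symlink under LOOKUP_FOLLOW once the loader is installed) leaves no trace in dmesg. Consider pr_info_ratelimited() instead, which keeps the flood down while still showing that the check keeps failing, or include the kern_path() return value in the message so the one line that does get printed is diagnostically useful. The continuation line `+			     tomoyo_loader);` is correctly re-aligned to the new opening parenthesis.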
-- 
2.43.5