[PATCH] LSM: Allow syzbot to ignore security= parameter.

WARNING in apparmor_secid_to_secctx · syzbot <hidden> · 2018-08-30
Re: WARNING in apparmor_secid_to_secctx · Dmitry Vyukov <dvyukov@google.com> · 2018-08-30
Re: WARNING in apparmor_secid_to_secctx · Stephen Smalley <hidden> · 2018-08-31
Re: WARNING in apparmor_secid_to_secctx · Paul Moore <paul@paul-moore.com> · 2018-08-31
Re: WARNING in apparmor_secid_to_secctx · Stephen Smalley <hidden> · 2018-08-31
Re: WARNING in apparmor_secid_to_secctx · Stephen Smalley <hidden> · 2018-08-31
Re: WARNING in apparmor_secid_to_secctx · Dmitry Vyukov <dvyukov@google.com> · 2018-08-31
Re: WARNING in apparmor_secid_to_secctx · Stephen Smalley <hidden> · 2018-09-04
Re: WARNING in apparmor_secid_to_secctx · Russell Coker <hidden> · 2018-09-04
Re: WARNING in apparmor_secid_to_secctx · Dmitry Vyukov <dvyukov@google.com> · 2018-09-04
Re: WARNING in apparmor_secid_to_secctx · Kees Cook <hidden> · 2018-09-05
Re: WARNING in apparmor_secid_to_secctx · Dmitry Vyukov <dvyukov@google.com> · 2018-09-04
Re: WARNING in apparmor_secid_to_secctx · Stephen Smalley <hidden> · 2018-09-04
Re: WARNING in apparmor_secid_to_secctx · Dmitry Vyukov <dvyukov@google.com> · 2018-09-04
Re: WARNING in apparmor_secid_to_secctx · Stephen Smalley <hidden> · 2018-09-04
Re: WARNING in apparmor_secid_to_secctx · Paul Moore <paul@paul-moore.com> · 2018-09-05
Re: WARNING in apparmor_secid_to_secctx · Dmitry Vyukov <dvyukov@google.com> · 2018-09-05
Re: WARNING in apparmor_secid_to_secctx · Casey Schaufler <casey@schaufler-ca.com> · 2018-09-05
Re: WARNING in apparmor_secid_to_secctx · Dmitry Vyukov <dvyukov@google.com> · 2018-09-06
Re: WARNING in apparmor_secid_to_secctx · Dmitry Vyukov <dvyukov@google.com> · 2018-09-06
Re: WARNING in apparmor_secid_to_secctx · Dmitry Vyukov <dvyukov@google.com> · 2018-09-06
Re: WARNING in apparmor_secid_to_secctx · Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> · 2019-01-29
Re: WARNING in apparmor_secid_to_secctx · Dmitry Vyukov <dvyukov@google.com> · 2019-01-30
Re: WARNING in apparmor_secid_to_secctx · Micah Morton <mortonm@chromium.org> · 2019-01-30
Re: WARNING in apparmor_secid_to_secctx · Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp> · 2019-01-31
Re: WARNING in apparmor_secid_to_secctx · Dmitry Vyukov <dvyukov@google.com> · 2019-02-01
Re: WARNING in apparmor_secid_to_secctx · Dmitry Vyukov <dvyukov@google.com> · 2019-02-01
Re: WARNING in apparmor_secid_to_secctx · Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp> · 2019-02-01
Re: WARNING in apparmor_secid_to_secctx · Dmitry Vyukov <dvyukov@google.com> · 2019-02-01
[PATCH] LSM: Allow syzbot to ignore security= parameter. · Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp> · 2019-02-01
Re: [PATCH] LSM: Allow syzbot to ignore security= parameter. · Dmitry Vyukov <dvyukov@google.com> · 2019-02-04
Re: [PATCH] LSM: Allow syzbot to ignore security= parameter. · Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp> · 2019-02-06
Re: [PATCH] LSM: Allow syzbot to ignore security= parameter. · Casey Schaufler <casey@schaufler-ca.com> · 2019-02-06
Re: [PATCH] LSM: Allow syzbot to ignore security= parameter. · Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp> · 2019-02-07
Re: [PATCH] LSM: Allow syzbot to ignore security= parameter. · Casey Schaufler <casey@schaufler-ca.com> · 2019-02-07
Re: [PATCH] LSM: Allow syzbot to ignore security= parameter. · Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp> · 2019-02-08
Re: [PATCH] LSM: Allow syzbot to ignore security= parameter. · Casey Schaufler <casey@schaufler-ca.com> · 2019-02-08
Re: [PATCH] LSM: Allow syzbot to ignore security= parameter. · Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp> · 2019-02-09
Re: [PATCH] LSM: Allow syzbot to ignore security= parameter. · Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp> · 2019-02-09
Re: [PATCH] LSM: Allow syzbot to ignore security= parameter. · Kees Cook <hidden> · 2019-02-08
Re: [PATCH] LSM: Allow syzbot to ignore security= parameter. · Kees Cook <hidden> · 2019-02-08
Re: WARNING in apparmor_secid_to_secctx · syzbot <hidden> · 2018-08-30
Re: WARNING in apparmor_secid_to_secctx · John Johansen <john.johansen@canonical.com> · 2018-09-01
Re: WARNING in apparmor_secid_to_secctx · Dmitry Vyukov <dvyukov@google.com> · 2018-09-02
Re: WARNING in apparmor_secid_to_secctx · John Johansen <john.johansen@canonical.com> · 2018-09-02
Re: WARNING in apparmor_secid_to_secctx · Dmitry Vyukov <dvyukov@google.com> · 2018-09-02
Re: Re: WARNING in apparmor_secid_to_secctx · syzbot <hidden> · 2018-09-02
Re: Re: WARNING in apparmor_secid_to_secctx · Dmitry Vyukov <dvyukov@google.com> · 2018-09-02
Re: WARNING in apparmor_secid_to_secctx · syzbot <hidden> · 2018-09-02

From: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
Date: 2019-02-01 13:10:07
Also in: lkml
Subsystem: security subsystem, the rest · Maintainers: Paul Moore, James Morris, "Serge E. Hallyn", Linus Torvalds

On 2019/02/01 19:50, Dmitry Vyukov wrote:

On Fri, Feb 1, 2019 at 11:44 AM Tetsuo Handa
[off-list ref] wrote:

quoted

On 2019/02/01 19:09, Dmitry Vyukov wrote:

quoted

Thanks for the explanations.

Here is the change that I've come up with:
https://github.com/google/syzkaller/commit/aa53be276dc84aa8b3825b3416542447ff82b41a

You are not going to apply this updated config to upstream kernels now, are you?
Removing CONFIG_DEFAULT_SECURITY="apparmor" from configs used by upstream kernels
will cause failing to enable AppArmor (unless security=apparmor is specified).


We do use  security=apparmor, see:
https://github.com/google/syzkaller/blob/master/dashboard/config/upstream-apparmor.cmdline
https://github.com/google/syzkaller/blob/master/dashboard/config/upstream-selinux.cmdline
https://github.com/google/syzkaller/blob/master/dashboard/config/upstream-smack.cmdline

Oh, security= parameter is explicitly specified on all targets?
Then, we can abuse CONFIG_DEBUG_AID_FOR_SYZBOT option. ;-)

LSM folks, may we use this patch for linux-next.git ?
CONFIG_DEBUG_AID_FOR_SYZBOT is a linux-next.git-only kernel config option used by syzbot.



From c7d21f9c1c0b610ddea4233b89edf7d3140b8baf Mon Sep 17 00:00:00 2001
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Date: Fri, 1 Feb 2019 22:03:55 +0900
Subject: [PATCH linux-next] LSM: Allow syzbot to ignore security= parameter.

LSM is going to get infrastructure managed security blob support in Linux
5.1, and it becomes possible to run TOMOYO with SELinux/Smack/AppArmor.
But for compatibility reason, since security= parameter makes it
impossible to run TOMOYO with SELinux/Smack/AppArmor, syzbot can't
test that combination. Therefore, this patch allows syzbot to temporarily
ignore security= parameter. This patch is meant for linux-next.git only,
and will be removed after infrastructure managed security blob support
went to linux.git.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
---
 security/security.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/security/security.c b/security/security.c
index ef03643..0632feb 100644
--- a/security/security.c
+++ b/security/security.c

@@ -346,12 +346,14 @@ int __init security_init(void)
 }
 
 /* Save user chosen LSM */
+#ifndef CONFIG_DEBUG_AID_FOR_SYZBOT
 static int __init choose_major_lsm(char *str)
 {
 	chosen_major_lsm = str;
 	return 1;
 }
 __setup("security=", choose_major_lsm);
+#endif
 
 /* Explicitly choose LSM initialization order. */
 static int __init choose_lsm_order(char *str)

-- 
1.8.3.1

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help