Thread: 23 messages, 4 authors, 2020-08-04

Re: [PATCH v5 3/4] LSM: Define SELinux function to measure state and policy

From: Stephen Smalley <stephen.smalley.work@gmail.com>
Date: 2020-08-04 15:20:39
Also in: linux-integrity, lkml, selinux

On 8/3/20 6:08 PM, Lakshmi Ramasubramanian wrote:
> On 8/3/20 2:07 PM, Stephen Smalley wrote:
>>>> [   68.870715] irq event stamp: 23486085
>>>> [   68.870715] hardirqs last  enabled at (23486085):
>>>> [<ffffffffaa419406>] _raw_spin_unlock_irqrestore+0x46/0x60
>>>> [   68.870715] hardirqs last disabled at (23486084):
>>>> [<ffffffffaa419443>] _raw_spin_lock_irqsave+0x23/0x90
>>>> [   68.870715] softirqs last  enabled at (23486074):
>>>> [<ffffffffaa8004f3>] __do_softirq+0x4f3/0x662
>>>> [   68.870715] softirqs last disabled at (23486067):
>>>> [<ffffffffaa601072>] asm_call_on_stack+0x12/0x20
>>>> [   68.870715] ---[ end trace fb02740ff6f4d0cd ]---
>>>> I think one issue here is that systemd loads SELinux policy first,
>>>> then IMA policy, so it doesn't know whether it needs to measure
>>>> SELinux policy on first policy load, and another issue is that the
>>>> policy is too large to just queue the policy data itself this way
>>>> (or you need to use an allocator that can handle larger sizes).
>>>
>>> The problem seems to be that a lock is held when the IMA hook to
>>> measure the LSM state is called. So memory allocation is not
>>> allowed, but the hook is doing an allocation. I'll address this -
>>> thanks for catching it.
>>>
>>> I have the following CONFIGs enabled, but I still don't see the
>>> above issue on my machine.
>>
>> The warning has to do with the memory allocation order being above
>> the max order supported for kmalloc.  I think the problem is that
>> ima_alloc_data_entry() is using kmemdup() to duplicate a payload of
>> arbitrary size.  Policies on e.g. Fedora can be quite large, so you
>> can't assume they can be allocated with kmalloc and friends.
>
> Thanks for clarifying. Yes ima_alloc_entry() does use kmemdup to save
> the given buffer (to be measured) until IMA loads custom policy.
>
> On my machine the SELinux policy size is about 2MB.
>
> Perhaps vmalloc would be better than using kmalloc? If there are
> better options for such large buffer allocation, please let me know.

kvmalloc() can be used to select whichever one is most appropriate.
