On Thu, Aug 08, 2024 at 01:32:37PM -0400, Paul Moore wrote:

On Thu, Aug 8, 2024 at 12:43 PM Guenter Roeck [off-list ref] wrote:

quoted

Also, there is a backtrace on ppc (also see below), but that is unrelated
to your patches and only seen now because I enabled the security modules
on that architecture. I'll bring that up with ppc maintainers.

Thanks for all your help testing this Guenter.  I see you've also
already submitted an AppArmor fix for the endian issue, that's very
helpful and I'm sure John will be happy to see it.

Beyond this work testing the static call patches from KP, would you be
willing to add a LSM configuration to your normal testing?  While most
of the LSM subsystem should be architecture agnostic, there are
definitely bits and pieces that can vary (as you've seen), and I think
it would be great to get more testing across a broad range of
supported arches, even if it is just some simple "does it boot" tests.

That really depends. I already enabled some of the kernel security modules.

CONFIG_SECURITY=y
CONFIG_SECURITY_APPARMOR=y
CONFIG_SECURITY_APPARMOR_KUNIT_TEST=y
CONFIG_SECURITY_LANDLOCK=y
CONFIG_SECURITY_LANDLOCK_KUNIT_TEST=y
CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
CONFIG_SECURITY_YAMA=y
CONFIG_SECURITY_LOADPIN=y
CONFIG_SECURITY_SAFESETID=y
CONFIG_BPF_LSM=y
CONFIG_LSM="landlock,lockdown,yama,loadpin,safesetid,bpf"

I can easily add more if you tell me what else I should enable.

Userspace is more difficult. My root file systems are generated using
buildroot. I run some basic tests, such as network interface tests
and TPM tests, but those are just simple scripts utilizing packages
provided by buildroot. I can add more, but I would need to know what
exactly to add and how to execute it.

In general my tests are intended to cover a large number of different
configurations; they are intended to be broad, not deep. That means an
individual test should not take longer than a couple of seconds. If you
can provide something that would run in the buildroot environment and
not take long to execute (example: tpm2 selftests), I'd be happy to add
it.

For more comprehensive tests, it might make sense to discuss adding
security tests to KernelCI; they have much more resources available
and target deeper testing. That would make sense if you have, for example,
test suites to run on upstream kernels or stable release candidates. 

Out of curiosity, do you have your test setup documented anywhere?  It
sounds fairly impressive and I'd be curious to learn more about it.

Not really. The code is at https://github.com/groeck/linux-build-test.
My clone of buildroot is at https://github.com/groeck/buildroot (look
for local- branches to see my changes). Please feel free to have a look,
but documentation is seriously lacking (and README is completely out
of date).

Guenter