Re: kernel panic: MAC Initialization failed. (3)

Dmitry Vyukov

May 15, 2019, 5:58:27 AM
to Tetsuo Handa, syzkaller
On Wed, May 15, 2019 at 4:00 AM Tetsuo Handa
<penguin...@i-love.sakura.ne.jp> wrote:
>
> On 2019/05/14 6:59, Tetsuo Handa wrote:
> > Excuse me, but will you revert aa8482aa8acbe261c9413fd4179e8163069b7605 until
> > c367dc8d0dd2a1e1ed9fdc2dd831053bdfdf0968 gets propagated to targets with CONFIG_SECURITY_TOMOYO=y ?
>
> An approach to handle this transition period would be to use
> CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER=n and CONFIG_SECURITY_TOMOYO_INSECURE_BUILTIN_SETTING=y
> in the default kernel config file.
>
> diff --git a/dashboard/config/upstream-kasan.config b/dashboard/config/upstream-kasan.config
> index c0f054de..673d6fa6 100644
> --- a/dashboard/config/upstream-kasan.config
> +++ b/dashboard/config/upstream-kasan.config
> @@ -5598,7 +5598,9 @@ CONFIG_SECURITY_SMACK_NETFILTER=y
> CONFIG_SECURITY_TOMOYO=y
> CONFIG_SECURITY_TOMOYO_MAX_ACCEPT_ENTRY=1024
> CONFIG_SECURITY_TOMOYO_MAX_AUDIT_LOG=32
> -CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER=y
> +# CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER is not set
> +CONFIG_SECURITY_TOMOYO_POLICY_LOADER="/sbin/tomoyo-init"
> +CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER="/sbin/init"
> CONFIG_SECURITY_TOMOYO_INSECURE_BUILTIN_SETTING=y
> CONFIG_SECURITY_APPARMOR=y
> CONFIG_SECURITY_APPARMOR_HASH=y
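
Review bot: The unchanged CONFIG_SECURITY_TOMOYO_INSECURE_BUILTIN_SETTING=y line at the bottom of this hunk now sits next to "# CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER is not set", and nothing in the changed lines records that the pairing is a temporary workaround that relies on "make" rewriting .config. The commit message should state that intent and name the kernel commit (c367dc8d0dd2a1e1ed9fdc2dd831053bdfdf0968) whose propagation makes the change removable. The two added string options also pin /sbin/tomoyo-init and /sbin/init; if those match the Kconfig defaults they can be dropped so the patch only flips the one option.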
>
> If CONFIG_SECURITY_TOMOYO_INSECURE_BUILTIN_SETTING is available, "make" will update the .config file to include
> both CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER=y and CONFIG_SECURITY_TOMOYO_INSECURE_BUILTIN_SETTING=y lines.
>
> If CONFIG_SECURITY_TOMOYO_INSECURE_BUILTIN_SETTING is not available, "make" will update the .config file to
> discard the CONFIG_SECURITY_TOMOYO_INSECURE_BUILTIN_SETTING=y line.
>
> As a result, the kernel will be built with CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER=y
> only if CONFIG_SECURITY_TOMOYO_INSECURE_BUILTIN_SETTING is available.

+syzkaller mailing list so that it's possible to reference this in the commit message

Dmitry Vyukov

May 15, 2019, 6:00:47 AM
to Tetsuo Handa, syzkaller

Dmitry Vyukov

May 21, 2019, 6:42:13 AM
to Tetsuo Handa, syzkaller
This broke bisection. The config we now have is broken long back in
history. git bisect does linear search to avoid boot breakage which
takes infinity.
Need to figure out what to do with this...

Tetsuo Handa

May 21, 2019, 6:57:23 AM
to Dmitry Vyukov, syzkaller
On 2019/05/21 19:42, Dmitry Vyukov wrote:
>>> +syzkaller mailing list so that it's possible to reference this in the commit message
>>
>> Let's try this:
>> https://github.com/google/syzkaller/commit/3345130d0ff55e38f6a00f98fd796d433d915a0e
>
> This broke bisection. The config we now have is broken long back in
> history. git bisect does linear search to avoid boot breakage which
> takes infinity.
> Need to figure out what to do with this...
>

During the bisection, the kernels are built with CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER=y
even if CONFIG_SECURITY_TOMOYO_INSECURE_BUILTIN_SETTING is not available?

Dmitry Vyukov

May 21, 2019, 7:54:54 AM
to Tetsuo Handa, syzkaller
During bisection it takes the config associated with the crash, e.g.
currently it's happening with these configs:
https://syzkaller.appspot.com/bug?id=b7e5765f7957f002938296003e361009197ae9c0
then checks out an older kernel and runs make olddefconfig. The
resulting config is then used to build the kernel.

Tetsuo Handa

May 21, 2019, 8:16:54 AM
to Dmitry Vyukov, syzkaller
I see. Then, can you insert

sed -i -e 's/CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER=y/# CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER is not set/' .config
echo 'CONFIG_SECURITY_TOMOYO_POLICY_LOADER="/sbin/tomoyo-init"' >> .config
echo 'CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER="/sbin/init"' >> .config

before build? This should do what 3345130d0ff55e38f6a00f98fd796d433d915a0e does.

Tetsuo Handa

May 21, 2019, 8:48:42 AM
to Dmitry Vyukov, syzkaller
Well,

sed -i -e 's/CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER=y/# CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER is not set/' .config
echo 'CONFIG_SECURITY_TOMOYO_POLICY_LOADER="/sbin/tomoyo-init"' >> .config
echo 'CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER="/sbin/init"' >> .config
echo 'CONFIG_SECURITY_TOMOYO_INSECURE_BUILTIN_SETTING=y' >> .config

would be more accurate if CONFIG_SECURITY_TOMOYO_INSECURE_BUILTIN_SETTING
was again added by "git bisect good".

Dmitry Vyukov

May 21, 2019, 10:53:37 AM
to Tetsuo Handa, syzkaller
On Tue, May 21, 2019 at 2:48 PM Tetsuo Handa
It seems that we only need to disable
CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER, because
CONFIG_SECURITY_TOMOYO_POLICY_LOADER/CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER
are set to these default values after make olddefconfig.
Let's try this:
https://github.com/google/syzkaller/commit/13427bd9a952fddd2f59aaca90a76fe209f6c9c9
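
The pre-build fix-up discussed in this thread, as an added example that is not part of the original messages and is not the code in the linked syzkaller commits: a POSIX shell helper that turns the option off in a .config and can be re-run at every bisection step without appending duplicate lines. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example, not syzkaller code: force a Kconfig bool off in a .config
# before "make olddefconfig", safely repeatable across bisection steps.

# kconfig_state FILE SYMBOL: prints y, m, n (explicitly not set) or absent.
kconfig_state() {
    if grep -q "^$2=y\$" "$1"; then echo y
    elif grep -q "^$2=m\$" "$1"; then echo m
    elif grep -q "^# $2 is not set\$" "$1"; then echo n
    else echo absent
    fi
}

# disable_kconfig_bool FILE SYMBOL: disables SYMBOL without adding duplicate
# lines on repeat runs. Anchored patterns leave longer symbols that share
# the same prefix untouched.
disable_kconfig_bool() {
    [ -f "$1" ] || return 2
    case $(kconfig_state "$1" "$2") in
        n) return 0 ;;                                   # already disabled
        absent) printf '# %s is not set\n' "$2" >> "$1" ;;
        *) tmp=$(mktemp) || return 2
           sed "s/^$2=[ym]\$/# $2 is not set/" "$1" > "$tmp" && cat "$tmp" > "$1"
           rc=$?; rm -f "$tmp"; return "$rc" ;;
    esac
}

# Constructed sample .config fragment (not taken from the syzbot dashboard).
sample_config() {
    cat <<'EOF'
CONFIG_SECURITY_TOMOYO=y
CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER=y
CONFIG_SECURITY_TOMOYO_INSECURE_BUILTIN_SETTING=y
EOF
}

# Demo: apply the fix-up twice, then print the final state and line count.
demo() {
    f=$(mktemp) || return 2
    sample_config > "$f"
    disable_kconfig_bool "$f" CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER
    disable_kconfig_bool "$f" CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER
    echo "$(kconfig_state "$f" CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER) $(wc -l < "$f" | tr -d ' ')"
    rm -f "$f"
}

demo
```

Run it in the kernel tree against .config and follow with "make olddefconfig", which then fills in or drops the dependent options for the kernel being built.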