NACK[K/Unstable]: [SRU][J][K][Unstable][PATCH V2 1/1] UBUNTU: SAUCE: LSM: Change Landlock from LSMBLOB_NEEDED to LSMBLOB_NOT_NEEDED
Andrea Righi
andrea.righi at canonical.com
Tue Sep 27 10:09:21 UTC 2022
On Tue, Sep 27, 2022 at 11:51:15AM +0200, Andrea Righi wrote:
> On Tue, Sep 27, 2022 at 10:31:59PM +1300, Matthew Ruffell wrote:
> > BugLink: https://bugs.launchpad.net/bugs/1987998
> >
> > The Landlock LSM does not register any hooks which use struct lsmblob, and does
> > not require a slot in the secid array of struct lsmblob.
> >
> > Change LSMBLOB_NEEDED to LSMBLOB_NOT_NEEDED.
> >
> > This is required to fix a panic on boot where too many LSMs can be configured,
> > since while we currently mark Landlock as LSMBLOB_NEEDED, we do not actually
> > make LSMBLOB_ENTRIES large enough to fit it, and we panic when more than 2
> > LSMs are configured, like:
> >
> > GRUB_CMDLINE_LINUX_DEFAULT="lsm=landlock,bpf,apparmor"
> >
> > LSM: Security Framework initializing
> > landlock: Up and running.
> > LSM support for eBPF active
> > Kernel panic - not syncing: security_add_hooks Too many LSMs registered.
> > CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.15.0-46-generic #49-Ubuntu
> > Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
> > Call Trace:
> > <TASK>
> > show_stack+0x52/0x5c
> > dump_stack_lvl+0x4a/0x63
> > dump_stack+0x10/0x16
> > panic+0x149/0x321
> > security_add_hooks+0x45/0x13a
> > apparmor_init+0x189/0x1ef
> > initialize_lsm+0x54/0x74
> > ordered_lsm_init+0x379/0x392
> > security_init+0x40/0x49
> > start_kernel+0x466/0x4dc
> > x86_64_start_reservations+0x24/0x2a
> > x86_64_start_kernel+0xe4/0xef
> > secondary_startup_64_no_verify+0xc2/0xcb
> > </TASK>
> > ---[ end Kernel panic - not syncing: security_add_hooks Too many LSMs registered. ]---
> >
> > Also refactor the Landlock support by going to just one struct lsm_id, and
> > extern it from setup.h, following upstream development.
> >
> > Fixes: f17b27a2790e ("UBUNTU: SAUCE: LSM: Create and manage the lsmblob data structure.") ubuntu-jammy
> > Signed-off-by: Matthew Ruffell <matthew.ruffell at canonical.com>
>
> Looks good to me, but it seems to conflict after applying the new
> apparmor pull request for kinetic (maybe these changes are already
> integrated in the PR). I'll double check for kinetic and unstable, in
> the meantime it makes sense to me to have this in jammy, therefore:
>
> Acked-by: Andrea Righi <andrea.righi at canonical.com>
This is not needed anymore with the new apparmor (6.1) and lsm stacking
(v37) patch set, so NACK-ing for kinetic:linux and
kinetic:linux-unstable.
-Andrea
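The slot accounting that the commit message describes, as an added user-space model (not kernel code from the patch or from anyone in the thread); LSMBLOB_ENTRIES = 2 and bpf requesting a slot are assumptions chosen so the three-LSM boot line from the thread fails before the change and succeeds after it:

```c
/* Added example, not the kernel's or the patch's own code: a user-space model
 * of the secid-slot accounting security_add_hooks() does under LSM stacking.
 * Assumed: LSMBLOB_ENTRIES = 2 (the "more than 2 LSMs" limit in the thread)
 * and that bpf, like apparmor, asks for a slot; real values come from Kconfig. */
#include <stdio.h>

#define LSMBLOB_ENTRIES     2    /* assumed size of the secid array */
#define LSMBLOB_NOT_NEEDED  (-1) /* LSM keeps no secid in struct lsmblob */
#define LSMBLOB_NEEDED      (-2) /* LSM wants a slot assigned at registration */

struct lsm_id {
    const char *lsm;
    int slot; /* NEEDED / NOT_NEEDED before registration, slot index after */
};

/* Returns 0, or -1 where the kernel would panic "Too many LSMs registered". */
static int model_add_hooks(int *lsm_slot, struct lsm_id *id)
{
    if (id->slot == LSMBLOB_NEEDED) {
        if (*lsm_slot >= LSMBLOB_ENTRIES)
            return -1;
        id->slot = (*lsm_slot)++;
    }
    return 0;
}

/* Walks the thread's "lsm=landlock,bpf,apparmor" order with Landlock marked as
 * given; returns how many LSMs registered before the first failure (3 = boots). */
static int boot_with_landlock(int landlock_marking)
{
    struct lsm_id order[] = {
        { "landlock", landlock_marking },
        { "bpf",      LSMBLOB_NEEDED },   /* assumed marking */
        { "apparmor", LSMBLOB_NEEDED },
    };
    int lsm_slot = 0, registered = 0, i;
    for (i = 0; i < 3; i++) {
        if (model_add_hooks(&lsm_slot, &order[i]) < 0)
            break;
        registered++;
    }
    return registered;
}

int main(void)
{
    printf("Landlock NEEDED:     %d of 3 LSMs registered\n", boot_with_landlock(LSMBLOB_NEEDED));
    printf("Landlock NOT_NEEDED: %d of 3 LSMs registered\n", boot_with_landlock(LSMBLOB_NOT_NEEDED));
    return 0;
}
```

With Landlock marked LSMBLOB_NEEDED the third LSM (apparmor) is refused a slot, matching the panic in apparmor_init above; marked LSMBLOB_NOT_NEEDED, all three register.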