http://bugzilla.opensuse.org/show_bug.cgi?id=1197746 http://bugzilla.opensuse.org/show_bug.cgi?id=1197746#c1 --- Comment #1 from Dominique Leuenberger --- Rundown by debug by Fabian: 5.17 changes CONFIG_LSM="integrity,apparmor" to CONFIG_LSM="integrity,apparmor,bpf" (https://github.com/openSUSE/kernel-source/commit/c2c25b18721866d6211054f5429...) As a result, the effective LSMs (/sys/kernel/security/lsm) with security=selinux changes from lockdown,capability,selinux to lockdown,capability,bpf,selinux. For /proc/self/attr/current, the kernel calls the getprocattr LSM hook for each enabled module in order. lockdown and capability don't define it, but bpf does because it uses lsm_hook_defs.h: https://github.com/torvalds/linux/blob/d888c83fcec75194a8a48ccd283953bdba7b2.... Thus bpf is the first module to get the call and the default implementation returns -EINVAL. Using selinux,bpf explicitly by passing lsm=selinux,bpf works. FWICT, lsm_hook_defs is only meant to be used with LSMs which define LSM_FLAG_LEGACY_MAJOR. Broken: security=selinux [ 0.021124][ T0] Kernel command line: BOOT_IMAGE=/boot/vmlinuz-5.17.1-1-default root=UUID=b5d02679-d959-4c26-8221-f205d9c12ed8 rd.timeout=60 rd.retry=45 systemd.show_status=yes console=ttyS0,115200 ignition_firstboot ignition.platform.id=qemu security=selinux selinux=1 lsm.debug debug [ 0.153158][ T0] LSM: Security Framework initializing [ 0.153737][ T0] LSM: first ordering: capability (enabled) [ 0.154337][ T0] LSM: security=selinux disabled: tomoyo [ 0.154900][ T0] LSM: security=selinux disabled: apparmor [ 0.155484][ T0] LSM: builtin ordering: integrity (enabled) [ 0.155527][ T0] LSM: builtin ordering: apparmor (disabled) [ 0.155527][ T0] LSM: builtin ordering: bpf (enabled) [ 0.155527][ T0] LSM: security= ordering: selinux (enabled) [ 0.155527][ T0] LSM: builtin disabled: tomoyo [ 0.155527][ T0] LSM: builtin disabled: yama [ 0.155527][ T0] LSM: builtin disabled: landlock [ 0.155527][ T0] LSM: exclusive chosen: selinux [ 0.155527][ T0] LSM: cred blob size = 24 [ 0.155527][ T0] LSM: file blob size = 16 [ 0.155527][ T0] LSM: inode blob size = 64 [ 0.155527][ T0] LSM: ipc blob size = 8 [ 0.155527][ T0] LSM: msg_msg blob size = 4 [ 0.155527][ T0] LSM: superblock blob size = 72 [ 0.155527][ T0] LSM: task blob size = 8 [ 0.155527][ T0] LSM: initializing capability [ 0.155527][ T0] LSM: initializing integrity [ 0.155527][ T0] LSM: initializing bpf [ 0.155527][ T0] LSM support for eBPF active [ 0.155527][ T0] LSM: initializing selinux [ 0.155527][ T0] SELinux: Initializing. [ 10.534768][ T1] systemd[1]: Failed to compute init label, ignoring. Broken: lsm=bpf,selinux [ 0.021020][ T0] Kernel command line: BOOT_IMAGE=/boot/vmlinuz-5.17.1-1-default root=UUID=b5d02679-d959-4c26-8221-f205d9c12ed8 rd.timeout=60 rd.retry=45 systemd.show_status=yes console=ttyS0,115200 ignition_firstboot ignition.platform.id=qemu selinux=1 lsm.debug lsm=bpf,selinux [ 0.146955][ T0] LSM: Security Framework initializing [ 0.147570][ T0] LSM: first ordering: capability (enabled) [ 0.148192][ T0] LSM: cmdline ordering: bpf (enabled) [ 0.148783][ T0] LSM: cmdline ordering: selinux (enabled) [ 0.149317][ T0] LSM: cmdline disabled: tomoyo [ 0.149317][ T0] LSM: cmdline disabled: apparmor [ 0.149317][ T0] LSM: cmdline disabled: yama [ 0.149317][ T0] LSM: cmdline disabled: landlock [ 0.149317][ T0] LSM: cmdline disabled: integrity [ 0.149317][ T0] LSM: exclusive chosen: selinux [ 0.149317][ T0] LSM: cred blob size = 24 [ 0.149317][ T0] LSM: file blob size = 16 [ 0.149317][ T0] LSM: inode blob size = 64 [ 0.149317][ T0] LSM: ipc blob size = 8 [ 0.149317][ T0] LSM: msg_msg blob size = 4 [ 0.149317][ T0] LSM: superblock blob size = 72 [ 0.149317][ T0] LSM: task blob size = 8 [ 0.149317][ T0] LSM: initializing capability [ 0.149317][ T0] LSM: initializing bpf [ 0.149317][ T0] LSM support for eBPF active [ 0.149317][ T0] LSM: initializing selinux [ 0.149317][ T0] SELinux: Initializing. Works: lsm=selinux,bpf [ 0.021052][ T0] Kernel command line: BOOT_IMAGE=/boot/vmlinuz-5.17.1-1-default root=UUID=b5d02679-d959-4c26-8221-f205d9c12ed8 rd.timeout=60 rd.retry=45 systemd.show_status=yes console=ttyS0,115200 ignition_firstboot ignition.platform.id=qemu selinux=1 lsm.debug lsm=selinux,bpf [ 0.165850][ T0] LSM: Security Framework initializing [ 0.166495][ T0] LSM: first ordering: capability (enabled) [ 0.167110][ T0] LSM: cmdline ordering: selinux (enabled) [ 0.167689][ T0] LSM: cmdline ordering: bpf (enabled) [ 0.168228][ T0] LSM: cmdline disabled: tomoyo [ 0.168293][ T0] LSM: cmdline disabled: apparmor [ 0.168293][ T0] LSM: cmdline disabled: yama [ 0.168293][ T0] LSM: cmdline disabled: landlock [ 0.168293][ T0] LSM: cmdline disabled: integrity [ 0.168293][ T0] LSM: exclusive chosen: selinux [ 0.168293][ T0] LSM: cred blob size = 24 [ 0.168293][ T0] LSM: file blob size = 16 [ 0.168293][ T0] LSM: inode blob size = 64 [ 0.168293][ T0] LSM: ipc blob size = 8 [ 0.168293][ T0] LSM: msg_msg blob size = 4 [ 0.168293][ T0] LSM: superblock blob size = 72 [ 0.168293][ T0] LSM: task blob size = 8 [ 0.168293][ T0] LSM: initializing capability [ 0.168293][ T0] LSM: initializing selinux [ 0.168293][ T0] SELinux: Initializing. [ 0.168293][ T0] LSM: initializing bpf [ 0.168293][ T0] LSM support for eBPF active -- You are receiving this mail because: You are the assignee for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1197746 Dominique Leuenberger changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|kernel-bugs@opensuse.org |jslaby@suse.com -- You are receiving this mail because: You are the assignee for the bug.