http://bugzilla.opensuse.org/show_bug.cgi?id=1197746
http://bugzilla.opensuse.org/show_bug.cgi?id=1197746#c1
--- Comment #1 from Dominique Leuenberger ---
Rundown of the debugging by Fabian:
5.17 changes CONFIG_LSM="integrity,apparmor" to
CONFIG_LSM="integrity,apparmor,bpf"
(https://github.com/openSUSE/kernel-source/commit/c2c25b18721866d6211054f5429...)
As a result, the effective LSMs (/sys/kernel/security/lsm) with
security=selinux change from lockdown,capability,selinux to
lockdown,capability,bpf,selinux.
For /proc/self/attr/current, the kernel calls the getprocattr LSM hook for each
enabled module in order. lockdown and capability don't define it, but bpf does
because it uses lsm_hook_defs.h:
https://github.com/torvalds/linux/blob/d888c83fcec75194a8a48ccd283953bdba7b2....
Thus bpf is the first module to get the call and the default implementation
returns -EINVAL.
Using selinux,bpf explicitly by passing lsm=selinux,bpf works.
FWICT, lsm_hook_defs is only meant to be used with LSMs which define
LSM_FLAG_LEGACY_MAJOR.
Broken: security=selinux
[ 0.021124][ T0] Kernel command line:
BOOT_IMAGE=/boot/vmlinuz-5.17.1-1-default
root=UUID=b5d02679-d959-4c26-8221-f205d9c12ed8 rd.timeout=60 rd.retry=45
systemd.show_status=yes console=ttyS0,115200 ignition_firstboot
ignition.platform.id=qemu security=selinux selinux=1 lsm.debug debug
[ 0.153158][ T0] LSM: Security Framework initializing
[ 0.153737][ T0] LSM: first ordering: capability (enabled)
[ 0.154337][ T0] LSM: security=selinux disabled: tomoyo
[ 0.154900][ T0] LSM: security=selinux disabled: apparmor
[ 0.155484][ T0] LSM: builtin ordering: integrity (enabled)
[ 0.155527][ T0] LSM: builtin ordering: apparmor (disabled)
[ 0.155527][ T0] LSM: builtin ordering: bpf (enabled)
[ 0.155527][ T0] LSM: security= ordering: selinux (enabled)
[ 0.155527][ T0] LSM: builtin disabled: tomoyo
[ 0.155527][ T0] LSM: builtin disabled: yama
[ 0.155527][ T0] LSM: builtin disabled: landlock
[ 0.155527][ T0] LSM: exclusive chosen: selinux
[ 0.155527][ T0] LSM: cred blob size = 24
[ 0.155527][ T0] LSM: file blob size = 16
[ 0.155527][ T0] LSM: inode blob size = 64
[ 0.155527][ T0] LSM: ipc blob size = 8
[ 0.155527][ T0] LSM: msg_msg blob size = 4
[ 0.155527][ T0] LSM: superblock blob size = 72
[ 0.155527][ T0] LSM: task blob size = 8
[ 0.155527][ T0] LSM: initializing capability
[ 0.155527][ T0] LSM: initializing integrity
[ 0.155527][ T0] LSM: initializing bpf
[ 0.155527][ T0] LSM support for eBPF active
[ 0.155527][ T0] LSM: initializing selinux
[ 0.155527][ T0] SELinux: Initializing.
[ 10.534768][ T1] systemd[1]: Failed to compute init label, ignoring.
Broken: lsm=bpf,selinux
[ 0.021020][ T0] Kernel command line:
BOOT_IMAGE=/boot/vmlinuz-5.17.1-1-default
root=UUID=b5d02679-d959-4c26-8221-f205d9c12ed8 rd.timeout=60 rd.retry=45
systemd.show_status=yes console=ttyS0,115200 ignition_firstboot
ignition.platform.id=qemu selinux=1 lsm.debug lsm=bpf,selinux
[ 0.146955][ T0] LSM: Security Framework initializing
[ 0.147570][ T0] LSM: first ordering: capability (enabled)
[ 0.148192][ T0] LSM: cmdline ordering: bpf (enabled)
[ 0.148783][ T0] LSM: cmdline ordering: selinux (enabled)
[ 0.149317][ T0] LSM: cmdline disabled: tomoyo
[ 0.149317][ T0] LSM: cmdline disabled: apparmor
[ 0.149317][ T0] LSM: cmdline disabled: yama
[ 0.149317][ T0] LSM: cmdline disabled: landlock
[ 0.149317][ T0] LSM: cmdline disabled: integrity
[ 0.149317][ T0] LSM: exclusive chosen: selinux
[ 0.149317][ T0] LSM: cred blob size = 24
[ 0.149317][ T0] LSM: file blob size = 16
[ 0.149317][ T0] LSM: inode blob size = 64
[ 0.149317][ T0] LSM: ipc blob size = 8
[ 0.149317][ T0] LSM: msg_msg blob size = 4
[ 0.149317][ T0] LSM: superblock blob size = 72
[ 0.149317][ T0] LSM: task blob size = 8
[ 0.149317][ T0] LSM: initializing capability
[ 0.149317][ T0] LSM: initializing bpf
[ 0.149317][ T0] LSM support for eBPF active
[ 0.149317][ T0] LSM: initializing selinux
[ 0.149317][ T0] SELinux: Initializing.
Works: lsm=selinux,bpf
[ 0.021052][ T0] Kernel command line:
BOOT_IMAGE=/boot/vmlinuz-5.17.1-1-default
root=UUID=b5d02679-d959-4c26-8221-f205d9c12ed8 rd.timeout=60 rd.retry=45
systemd.show_status=yes console=ttyS0,115200 ignition_firstboot
ignition.platform.id=qemu selinux=1 lsm.debug lsm=selinux,bpf
[ 0.165850][ T0] LSM: Security Framework initializing
[ 0.166495][ T0] LSM: first ordering: capability (enabled)
[ 0.167110][ T0] LSM: cmdline ordering: selinux (enabled)
[ 0.167689][ T0] LSM: cmdline ordering: bpf (enabled)
[ 0.168228][ T0] LSM: cmdline disabled: tomoyo
[ 0.168293][ T0] LSM: cmdline disabled: apparmor
[ 0.168293][ T0] LSM: cmdline disabled: yama
[ 0.168293][ T0] LSM: cmdline disabled: landlock
[ 0.168293][ T0] LSM: cmdline disabled: integrity
[ 0.168293][ T0] LSM: exclusive chosen: selinux
[ 0.168293][ T0] LSM: cred blob size = 24
[ 0.168293][ T0] LSM: file blob size = 16
[ 0.168293][ T0] LSM: inode blob size = 64
[ 0.168293][ T0] LSM: ipc blob size = 8
[ 0.168293][ T0] LSM: msg_msg blob size = 4
[ 0.168293][ T0] LSM: superblock blob size = 72
[ 0.168293][ T0] LSM: task blob size = 8
[ 0.168293][ T0] LSM: initializing capability
[ 0.168293][ T0] LSM: initializing selinux
[ 0.168293][ T0] SELinux: Initializing.
[ 0.168293][ T0] LSM: initializing bpf
[ 0.168293][ T0] LSM support for eBPF active
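The dispatch behaviour described in the comment above (the kernel walks the getprocattr hooks in LSM order and the first registered hook answers, so a bpf hook whose body is the lsm_hook_defs.h default returns -EINVAL before selinux is ever asked) can be checked against a boot log. The following is an added example written for this page, not code from the comment or from the kernel: it models security_getprocattr() in Python, parses the `lsm.debug` ordering lines quoted above into the effective order, and reports which module would answer a read of /proc/self/attr/current. Which modules register the hook follows the comment; the SELinux label string is constructed, lockdown/capability/integrity are modelled as registering no hook, and the sample log lines are subsets of the three boots quoted above.

```python
"""Model of the kernel's security_getprocattr() dispatch, to show why
LSM order decides whether /proc/self/attr/current works.

The walk mirrors security/security.c: hooks are tried in LSM
initialisation order and the FIRST module that registered a getprocattr
hook answers; later modules are never consulted. Which modules register
the hook, and the -EINVAL default, are taken from the bug comment; the
label string and the log subsets are constructed/assumed."""

import errno
import re

EINVAL = -errno.EINVAL
SELINUX_LABEL = "system_u:system_r:init_t:s0"  # constructed sample label

# Modules that register a getprocattr hook and what that hook returns.
# selinux implements it; bpf registers one through lsm_hook_defs.h whose
# body is the default and therefore returns -EINVAL. lockdown, capability
# and integrity are modelled as registering no getprocattr hook at all.
GETPROCATTR_HOOKS = {
    "selinux": lambda name: (0, SELINUX_LABEL),
    "bpf": lambda name: (EINVAL, None),
}


def security_getprocattr(order, lsm=None, name="current"):
    """Return (rc, value) from the first registered hook in `order`.

    `lsm` models the /proc/PID/attr/<lsm>/<name> form, which restricts the
    walk to a single module; `lsm=None` is plain /proc/PID/attr/<name>."""
    for module in order:
        if lsm is not None and module != lsm:
            continue
        hook = GETPROCATTR_HOOKS.get(module)
        if hook is None:
            continue          # module registered no getprocattr hook
        return hook(name)     # first registered hook wins, whatever it returns
    return (EINVAL, None)     # LSM_RET_DEFAULT(getprocattr)


def first_responder(order):
    """Name of the module whose getprocattr hook would answer, or None."""
    for module in order:
        if module in GETPROCATTR_HOOKS:
            return module
    return None


_ORDER_LINE = re.compile(r"LSM: \S+ ordering: (\w+) \(enabled\)")


def parse_effective_order(dmesg_lines):
    """Recover the effective LSM order from `lsm.debug` boot messages."""
    order = []
    for line in dmesg_lines:
        m = _ORDER_LINE.search(line)
        if m:
            order.append(m.group(1))
    return order


def check_procattr(dmesg_lines):
    """Parse a boot log and say whether /proc/self/attr/current will work."""
    order = parse_effective_order(dmesg_lines)
    rc, _ = security_getprocattr(order)
    return {"order": order, "answered_by": first_responder(order), "works": rc == 0}


# Constructed subsets of the boot logs quoted in the comment above.
BROKEN_SECURITY_SELINUX = [
    "[    0.153737][    T0] LSM: first ordering: capability (enabled)",
    "[    0.155484][    T0] LSM: builtin ordering: integrity (enabled)",
    "[    0.155527][    T0] LSM: builtin ordering: apparmor (disabled)",
    "[    0.155527][    T0] LSM: builtin ordering: bpf (enabled)",
    "[    0.155527][    T0] LSM: security= ordering: selinux (enabled)",
]
WORKS_LSM_SELINUX_BPF = [
    "[    0.166495][    T0] LSM: first ordering: capability (enabled)",
    "[    0.167110][    T0] LSM: cmdline ordering: selinux (enabled)",
    "[    0.167689][    T0] LSM: cmdline ordering: bpf (enabled)",
]

if __name__ == "__main__":
    for title, log in (("security=selinux", BROKEN_SECURITY_SELINUX),
                       ("lsm=selinux,bpf", WORKS_LSM_SELINUX_BPF)):
        print(title, check_procattr(log))
```

Running it reports `answered_by: 'bpf', works: False` for the security=selinux boot and `answered_by: 'selinux', works: True` for lsm=selinux,bpf. The `lsm=` argument of `security_getprocattr` shows why the per-module path (/proc/self/attr/selinux/current) is unaffected by the ordering: only the named module's hook is consulted.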