[PULL][Disco] LSM stacking
John Johansen
john.johansen at canonical.com
Fri Mar 22 20:07:46 UTC 2019
On 3/22/19 7:44 AM, Seth Forshee wrote:
> On Wed, Mar 20, 2019 at 06:19:30PM -0700, John Johansen wrote:
>> The following patch set brings 5.1 LSM stacking to the Disco kernel. The
>> cherry-picked patches have been refreshed to use the sha1s from upstream
>> 5.1-rc2.
>>
>> The rest of the patch series makes it so that apparmor can stack with
>> selinux and smack. These patches are all tagged with "UBUNTU: SAUCE:" the
>> bulk of this is reverting apparmor features that are currently unused in
>> Ubuntu and require secid support.
>>
>>
>> The following changes since commit f4dfce1da80f55c0940dfb83eb8879283e823b2f:
>>
>> UBUNTU: Ubuntu-5.0.0-8.9 (2019-03-12 16:15:44 -0300)
>>
>> are available in the Git repository at:
>>
>> https://git.launchpad.net/~jjohansen/+git/disco-stacking disco-lsm_stacking
>>
>> for you to fetch changes up to d9d34fff369f1b8bc8c076a5f7726c52a21899cd:
>>
>> UBUNTU: SAUCE: update configs and annotations for LSM stacking (2019-03-20 17:02:25 -0700)
>
> It's a lot of changes, but most are upstream, and the rest fall under
> your domain of expertise. Can you tell me what kind of testing you've
> done on the patches?
>
Sure,
I have booted these with the default config (just apparmor as a major LSM).
Run the apparmor regression tests. Did some basic desktop smoke testing,
which is good for catching breakage in af_unix and dbus mediation.
Booted with different LSM combinations, e.g. apparmor,selinux and
apparmor,smack etc. And did the above testing again.
Ported to Fedora, yes this means not exactly the same kernel, and booted
and tested a fully enforcing selinux policy in combination with apparmor.
> Some of the SAUCE patches still have cherry-picked lines which imply
> they came from upstream. Did they come from some other repo? If so I can
> update the messages to indicate where they came from.
>
yep, there are a couple queued for 5.2 that I picked out of the apparmor tree,
and a couple of new ones that I am going to push into the apparmor tree. I'll
update all of these to have the appropriate reference, and resend.
> I also found that a config option removed from the configs,
> CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE, was still in the ubuntu
> configs, so I've amended the last commit to also remove that one.
>
hrmmm, sorry I missed that.
> I'm going to do a little smoke testing on these. If that turns out good
> then I'm okay with applying these, once I have answers to the questions
> above.
>
> Thanks,
> Seth
>