ACK[J]: [SRU][J][K][Unstable][PATCH V2 1/1] UBUNTU: SAUCE: LSM: Change Landlock from LSMBLOB_NEEDED to LSMBLOB_NOT_NEEDED

Andrea Righi andrea.righi at canonical.com
Tue Sep 27 09:51:13 UTC 2022


On Tue, Sep 27, 2022 at 10:31:59PM +1300, Matthew Ruffell wrote:
> BugLink: https://bugs.launchpad.net/bugs/1987998
> 
> The Landlock LSM does not register any hooks which use struct lsmblob, and does
> not require a slot in the secid array of struct lsmblob.
> 
> Change LSMBLOB_NEEDED to LSMBLOB_NOT_NEEDED.
> 
> This is required to fix a panic on boot where too many LSMs can be configured,
> since while we currently mark Landlock as LSMBLOB_NEEDED, we do not actually
> make LSMBLOB_ENTRIES large enough to fit it, and we panic when more than 2
> LSMs are configured, like:
> 
> GRUB_CMDLINE_LINUX_DEFAULT="lsm=landlock,bpf,apparmor"
> 
> LSM: Security Framework initializing
> landlock: Up and running.
> LSM support for eBPF active
> Kernel panic - not syncing: security_add_hooks Too many LSMs registered.
> CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.15.0-46-generic #49-Ubuntu
> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
> Call Trace:
>  <TASK>
>  show_stack+0x52/0x5c
>  dump_stack_lvl+0x4a/0x63
>  dump_stack+0x10/0x16
>  panic+0x149/0x321
>  security_add_hooks+0x45/0x13a
>  apparmor_init+0x189/0x1ef
>  initialize_lsm+0x54/0x74
>  ordered_lsm_init+0x379/0x392
>  security_init+0x40/0x49
>  start_kernel+0x466/0x4dc
>  x86_64_start_reservations+0x24/0x2a
>  x86_64_start_kernel+0xe4/0xef
>  secondary_startup_64_no_verify+0xc2/0xcb
>  </TASK>
> ---[ end Kernel panic - not syncing: security_add_hooks Too many LSMs registered. ]---
> 
> Also refactor the Landlock support by going to just one struct lsm_id, and
> extern it from setup.h, following upstream development.
> 
> Fixes: f17b27a2790e ("UBUNTU: SAUCE: LSM: Create and manage the lsmblob data structure.") ubuntu-jammy
> Signed-off-by: Matthew Ruffell <matthew.ruffell at canonical.com>

Looks good to me, but it seems to conflict after applying the new
apparmor pull request for kinetic (maybe these changes are already
integrated in the PR). I'll double-check for kinetic and unstable; in
the meantime it makes sense to me to have this in jammy, therefore:

Acked-by: Andrea Righi <andrea.righi at canonical.com>
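The boot panic quoted above comes down to slot accounting: every LSM whose lsm_id is marked LSMBLOB_NEEDED consumes one entry of the secid array at registration time, and registration panics once more entries are requested than LSMBLOB_ENTRIES provides. The following C program is an added illustration written for this archive page, not code from the kernel or from the patch: it models that accounting with constructed values (LSMBLOB_ENTRIES is set to 2 here purely to reproduce a "third LSM fails" situation, and the NEEDED markers on bpf and apparmor are assumptions of the model) and shows that the same `lsm=landlock,bpf,apparmor` order fails at apparmor while Landlock claims a slot, and fits once Landlock is marked LSMBLOB_NOT_NEEDED.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of lsmblob slot allocation, not the kernel's code.
 * A NEEDED marker asks for a secid-array slot at registration time;
 * NOT_NEEDED never consumes one. The numeric values are model choices. */
#define LSMBLOB_NOT_NEEDED (-1)
#define LSMBLOB_NEEDED     (-2)

/* Assumed secid-array size. The real value depends on kernel config;
 * 2 is chosen so that three slot-consuming LSMs cannot all register. */
#define LSMBLOB_ENTRIES 2

struct lsm_id {
    const char *lsm;
    int slot;   /* NEEDED / NOT_NEEDED on entry, assigned slot afterwards */
};

struct lsm_registry {
    int next_slot;
    int registered;
};

/* Returns 0 on success, -1 where the kernel would panic with
 * "security_add_hooks Too many LSMs registered." */
static int add_hooks(struct lsm_registry *reg, struct lsm_id *id)
{
    if (id->slot == LSMBLOB_NEEDED) {
        if (reg->next_slot >= LSMBLOB_ENTRIES)
            return -1;
        id->slot = reg->next_slot++;
    }
    reg->registered++;
    return 0;
}

/* Register the lsm= list in order. Returns the index of the first LSM
 * that could not be registered, or -1 if all of them fit. */
static int boot_lsms(struct lsm_id *ids, int n)
{
    struct lsm_registry reg = { 0, 0 };
    for (int i = 0; i < n; i++)
        if (add_hooks(&reg, &ids[i]) != 0)
            return i;
    return -1;
}

/* Before the patch: Landlock marked NEEDED although it uses no lsmblob.
 * bpf and apparmor are assumed NEEDED for the purposes of this model. */
int boot_before(void)
{
    struct lsm_id ids[] = {
        { "landlock", LSMBLOB_NEEDED },
        { "bpf",      LSMBLOB_NEEDED },
        { "apparmor", LSMBLOB_NEEDED },
    };
    return boot_lsms(ids, 3);   /* -> 2: fails at apparmor, as in the trace */
}

/* After the patch: Landlock marked NOT_NEEDED, so it takes no slot. */
int boot_after(void)
{
    struct lsm_id ids[] = {
        { "landlock", LSMBLOB_NOT_NEEDED },
        { "bpf",      LSMBLOB_NEEDED },
        { "apparmor", LSMBLOB_NEEDED },
    };
    return boot_lsms(ids, 3);   /* -> -1: everything registers */
}

/* Slot assigned to a named LSM in the after-patch configuration,
 * or -1 if it has none (NOT_NEEDED) or was not found. */
int slot_after(const char *name)
{
    struct lsm_id ids[] = {
        { "landlock", LSMBLOB_NOT_NEEDED },
        { "bpf",      LSMBLOB_NEEDED },
        { "apparmor", LSMBLOB_NEEDED },
    };
    boot_lsms(ids, 3);
    for (int i = 0; i < 3; i++)
        if (strcmp(ids[i].lsm, name) == 0 && ids[i].slot >= 0)
            return ids[i].slot;
    return -1;
}

int main(void)
{
    printf("before patch: first failing LSM index = %d\n", boot_before());
    printf("after patch:  first failing LSM index = %d\n", boot_after());
    printf("after patch:  apparmor slot = %d, landlock slot = %d\n",
           slot_after("apparmor"), slot_after("landlock"));
    return 0;
}
```

The model keeps the slot counter and the entry limit separate on purpose: the bug described in the commit message is exactly the mismatch between what a lsm_id declares it needs and how many entries the secid array actually has, and marking an LSM that registers no lsmblob-using hooks as NOT_NEEDED resolves it without touching LSMBLOB_ENTRIES.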



More information about the kernel-team mailing list