- Linux-kselftest-mirror - lists.linaro.org

lkft kselftest for next-20220816

by lkft＠linaro.org

## Build * kernel: 6.0.0-rc1 * git: https://gitlab.com/Linaro/lkft/mirrors/next/linux-next * git branch: master * git commit: e1084bacab44f570691c0fdaa1259acf93ed0098 * git describe: next-20220816 * test details: https://qa-reports.linaro.org/lkft/linux-next-master/build/next-20220816 ## Test Regressions (compared to next-20220815) No test regressions found. ## Metric Regressions (compared to next-20220815) No metric regressions found. Tested-by: Linux Kernel Functional Testing <lkft(a)linaro.org> ## Test Fixes (compared to next-20220815) No test fixes found. ## Metric Fixes (compared to next-20220815) No metric fixes found. ## Test result summary total: 0, pass: 0, fail: 0, skip: 0, xfail: 0 ## Build Summary ## Test suites summary -- Linaro LKFT https://lkft.linaro.org

3 years, 2 months

1
0
0 0

[PATCH v12 0/2] Introduce XSAVE feature self-test

by Pengfei Xu

The XSAVE feature set supports the saving and restoring of xstate components. XSAVE feature has been used for process context switching. XSAVE components include x87 state for FP execution environment, SSE state, AVX state and so on. In order to ensure that XSAVE works correctly, add XSAVE most basic test for XSAVE architecture functionality. This patch tests "FP, SSE(XMM), AVX2(YMM), AVX512_OPMASK/AVX512_ZMM_Hi256/ AVX512_Hi16_ZMM and PKRU parts" xstates with following cases: 1. The contents of these xstates in the process should not change after the signal handling. 2. The contents of these xstates in the child process should be the same as the contents of the xstate in the parent process after the fork syscall. 3. The contents of xstates in the parent process should not change after the context switch. Because xstate like XMM will not be preserved across function calls, fork() and raise() are implemented and inlined. To prevent GCC from generating any FP/SSE(XMM)/AVX/PKRU code, add "-mno-sse -mno-mmx -mno-sse2 -mno-avx -mno-pku" compiler arguments. stdlib.h can not be used because of the "-mno-sse" option. Thanks Dave, Hansen for the above suggestion! Thanks Chen Yu; Shuah Khan; Chatre Reinette and Tony Luck's comments! Thanks to Bae, Chang Seok for a bunch of comments! ======== - Change from v11 to v12 - Remove useless rbx register stuffing in assembly syscall functions. (Zhang, Li) - Change from v10 to v11 - Remove the small function like cpu_has_pkru(), get_xstate_size() and so on. (Shuah Khan) - Unify xfeature_num type to uint32_t. - Change from v9 to v10 - Remove the small function if the function will be called once and there is no good reason. (Shuah Khan) - Change from v8 to v9 - Use function pointers to make it more structured. (Hansen, Dave) - Improve the function name: xstate_tested -> xstate_in_test. (Chang S. Bae) - Break this test up into two pieces: keep the xstate key test steps with "-mno-sse" and no stdlib.h, keep others in xstate.c file. (Hansen, Dave) - Use kselftest infrastructure for xstate.c file. (Hansen, Dave) - Use instruction back to populate fp xstate buffer. (Hansen, Dave) - Will skip the test if cpu could not support xsave. (Chang S. Bae) - Use __cpuid_count() helper in kselftest.h. (Reinette, Chatre) - Change from v7 to v8 Many thanks to Bae, Chang Seok for a bunch of comments as follow: - Use the filling buffer way to prepare the xstate buffer, and use xrstor instruction way to load the tested xstates. - Remove useless dump_buffer, compare_buffer functions. - Improve the struct of xstate_info. - Added AVX512_ZMM_Hi256 and AVX512_Hi16_ZMM components in xstate test. - Remove redundant xstate_info.xstate_mask, xstate_flag[], and xfeature_test_mask, use xstate_info.mask instead. - Check if xfeature is supported outside of fill_xstate_buf() , this change is easier to read and understand. - Remove useless wrpkru, only use filling all tested xstate buffer in fill_xstates_buf(). - Improve a bunch of function names and variable names. - Improve test steps flow for readability. - Change from v6 to v7: - Added the error number and error description of the reason for the failure, thanks Shuah Khan's suggestion. - Added a description of what these tests are doing in the head comments. - Added changes update in the head comments. - Added description of the purpose of the function. thanks Shuah Khan. - Change from v5 to v6: - In order to prevent GCC from generating any FP code by mistake, "-mno-sse -mno-mmx -mno-sse2 -mno-avx -mno-pku" compiler parameter was added, it's referred to the parameters for compiling the x86 kernel. Thanks Dave Hansen's suggestion. - Removed the use of "kselftest.h", because kselftest.h included <stdlib.h>, and "stdlib.h" would use sse instructions in it's libc, and this *XSAVE* test needed to be compiled without libc sse instructions(-mno-sse). - Improved the description in commit header, thanks Chen Yu's suggestion. - Becasue test code could not use buildin xsave64 in libc without sse, added xsave function by instruction way. - Every key test action would not use libc(like printf) except syscall until it's failed or done. If it's failed, then it would print the failed reason. - Used __cpuid_count() instead of native_cpuid(), becasue __cpuid_count() was a macro definition function with one instruction in libc and did not change xstate. Thanks Chatre Reinette, Shuah Khan. https://lore.kernel.org/linux-sgx/8b7c98f4-f050-bc1c-5699-fa598ecc66a2@linu… - Change from v4 to v5: - Moved code files into tools/testing/selftests/x86. - Delete xsave instruction test, becaue it's not related to kernel. - Improved case description. - Added AVX512 opmask change and related XSAVE content verification. - Added PKRU part xstate test into instruction and signal handling test. - Added XSAVE process swich test for FPU, AVX2, AVX512 opmask and PKRU part. - Change from v3 to v4: - Improve the comment in patch 1. - Change from v2 to v3: - Improve the description of patch 2 git log. - Change from v1 to v2: - Improve the cover-letter. Thanks Dave Hansen's suggestion. Pengfei Xu (2): selftests/x86/xstate: Add xstate signal handling test for XSAVE feature selftests/x86/xstate: Add xstate fork test for XSAVE feature tools/testing/selftests/x86/.gitignore | 1 + tools/testing/selftests/x86/Makefile | 11 +- tools/testing/selftests/x86/xstate.c | 215 +++++++++++++++++ tools/testing/selftests/x86/xstate.h | 228 +++++++++++++++++++ tools/testing/selftests/x86/xstate_helpers.c | 209 +++++++++++++++++ tools/testing/selftests/x86/xstate_helpers.h | 9 + 6 files changed, 671 insertions(+), 2 deletions(-) create mode 100644 tools/testing/selftests/x86/xstate.c create mode 100644 tools/testing/selftests/x86/xstate.h create mode 100644 tools/testing/selftests/x86/xstate_helpers.c create mode 100644 tools/testing/selftests/x86/xstate_helpers.h -- 2.31.1

3 years, 2 months

1
2
0 0

[PATCH v10 0/9] bpf: Add kfuncs for PKCS#7 signature verification

by Roberto Sassu

One of the desirable features in security is the ability to restrict import of data to a given system based on data authenticity. If data import can be restricted, it would be possible to enforce a system-wide policy based on the signing keys the system owner trusts. This feature is widely used in the kernel. For example, if the restriction is enabled, kernel modules can be plugged in only if they are signed with a key whose public part is in the primary or secondary keyring. For eBPF, it can be useful as well. For example, it might be useful to authenticate data an eBPF program makes security decisions on. After a discussion in the eBPF mailing list, it was decided that the stated goal should be accomplished by introducing four new kfuncs: bpf_lookup_user_key() and bpf_lookup_system_key(), for retrieving a keyring with keys trusted for signature verification, respectively from its serial and from a pre-determined ID; bpf_key_put(), to release the reference obtained with the former two kfuncs, bpf_verify_pkcs7_signature(), for verifying PKCS#7 signatures. Other than the key serial, bpf_lookup_user_key() also accepts key lookup flags, that influence the behavior of the lookup. bpf_lookup_system_key() accepts pre-determined IDs defined in include/linux/verification.h. bpf_key_put() accepts the new bpf_key structure, introduced to tell whether the other structure member, a key pointer, is valid or not. The reason is that verify_pkcs7_signature() also accepts invalid pointers, set with the pre-determined ID, to select a system-defined keyring. key_put() must be called only for valid key pointers. Since the two key lookup functions allocate memory and one increments a key reference count, they must be used in conjunction with bpf_key_put(). The latter must be called only if the lookup functions returned a non-NULL pointer. The verifier denies the execution of eBPF programs that don't respect this rule. The two key lookup functions should be used in alternative, depending on the use case. While bpf_lookup_user_key() provides great flexibility, it seems suboptimal in terms of security guarantees, as even if the eBPF program is assumed to be trusted, the serial used to obtain the key pointer might come from untrusted user space not choosing one that the system administrator approves to enforce a mandatory policy. bpf_lookup_system_key() instead provides much stronger guarantees, especially if the pre-determined ID is not passed by user space but is hardcoded in the eBPF program, and that program is signed. In this case, bpf_verify_pkcs7_signature() will always perform signature verification with a key that the system administrator approves, i.e. the primary, secondary or platform keyring. Nevertheless, key permission checks need to be done accurately. Since bpf_lookup_user_key() cannot determine how a key will be used by other kfuncs, it has to defer the permission check to the actual kfunc using the key. It does it by calling lookup_user_key() with KEY_DEFER_PERM_CHECK as needed permission. Later, bpf_verify_pkcs7_signature(), if called, completes the permission check by calling key_validate(). It does not need to call key_task_permission() with permission KEY_NEED_SEARCH, as it is already done elsewhere by the key subsystem. Future kfuncs using the bpf_key structure need to implement the proper checks as well. Finally, the last kfunc, bpf_verify_pkcs7_signature(), accepts the data and signature to verify as eBPF dynamic pointers, to minimize the number of kfunc parameters, and the keyring with keys for signature verification as a bpf_key structure, returned by one of the two key lookup functions. bpf_lookup_user_key() and bpf_verify_pkcs7_signature() can be called only from sleepable programs, because of memory allocation and crypto operations. For example, the lsm.s/bpf attach point is suitable, fexit/array_map_update_elem is not. The correctness of implementation of the new kfuncs and of their usage is checked with the introduced tests. The patch set includes a patch from another author (dependency) for sake of completeness. It is organized as follows. Patch 1 from KP Singh allows kfuncs to be used by LSM programs. Patch 2 allows dynamic pointers to be used as kfunc parameters. Patch 3 exports bpf_dynptr_get_size(), to obtain the real size of data carried by a dynamic pointer. Patch 4 makes available for new eBPF kfuncs some key-related definitions. Patch 5 introduces the bpf_lookup_*_key() and bpf_key_put() kfuncs. Patch 6 introduces the bpf_verify_pkcs7_signature() kfunc. Finally, patches 7-9 introduce the tests. Changelog v9: - Drop patch to introduce KF_SLEEPABLE kfunc flag (already merged) - Rename valid_ptr member of bpf_key to has_ref (suggested by Daniel) - Check dynamic pointers in kfunc definition with bpf_dynptr_kern struct definition instead of string, to detect structure renames (suggested by Daniel) - Explicitly say that we permit initialized dynamic pointers in kfunc definition (suggested by Daniel) - Remove noinline __weak from kfuncs definition (reported by Daniel) - Simplify key lookup flags check in bpf_lookup_user_key() (suggested by Daniel) - Explain the reason for deferring key permission check (suggested by Daniel) - Allocate memory with GFP_ATOMIC in bpf_lookup_system_key(), and remove KF_SLEEPABLE kfunc flag from kfunc declaration (suggested by Daniel) - Define only one kfunc set and remove the loop for registration (suggested by Alexei) v8: - Define the new bpf_key structure to carry the key pointer and whether that pointer is valid or not (suggested by Daniel) - Drop patch to mark a kfunc parameter with the __maybe_null suffix - Improve documentation of kfuncs - Introduce bpf_lookup_system_key() to obtain a key pointer suitable for verify_pkcs7_signature() (suggested by Daniel) - Use the new kfunc registration API - Drop patch to test the __maybe_null suffix - Add tests for bpf_lookup_system_key() v7: - Add support for using dynamic and NULL pointers in kfunc (suggested by Alexei) - Add new kfunc-related tests v6: - Switch back to key lookup helpers + signature verification (until v5), and defer permission check from bpf_lookup_user_key() to bpf_verify_pkcs7_signature() - Add additional key lookup test to illustrate the usage of the KEY_LOOKUP_CREATE flag and validate the flags (suggested by Daniel) - Make description of flags of bpf_lookup_user_key() more user-friendly (suggested by Daniel) - Fix validation of flags parameter in bpf_lookup_user_key() (reported by Daniel) - Rename bpf_verify_pkcs7_signature() keyring-related parameters to user_keyring and system_keyring to make their purpose more clear - Accept keyring-related parameters of bpf_verify_pkcs7_signature() as alternatives (suggested by KP) - Replace unsigned long type with u64 in helper declaration (suggested by Daniel) - Extend the bpf_verify_pkcs7_signature() test by calling the helper without data, by ensuring that the helper enforces the keyring-related parameters as alternatives, by ensuring that the helper rejects inaccessible and expired keyrings, and by checking all system keyrings - Move bpf_lookup_user_key() and bpf_key_put() usage tests to ref_tracking.c (suggested by John) - Call bpf_lookup_user_key() and bpf_key_put() only in sleepable programs v5: - Move KEY_LOOKUP_ to include/linux/key.h for validation of bpf_verify_pkcs7_signature() parameter - Remove bpf_lookup_user_key() and bpf_key_put() helpers, and the corresponding tests - Replace struct key parameter of bpf_verify_pkcs7_signature() with the keyring serial and lookup flags - Call lookup_user_key() and key_put() in bpf_verify_pkcs7_signature() code, to ensure that the retrieved key is used according to the permission requested at lookup time - Clarified keyring precedence in the description of bpf_verify_pkcs7_signature() (suggested by John) - Remove newline in the second argument of ASSERT_ - Fix helper prototype regular expression in bpf_doc.py v4: - Remove bpf_request_key_by_id(), don't return an invalid pointer that other helpers can use - Pass the keyring ID (without ULONG_MAX, suggested by Alexei) to bpf_verify_pkcs7_signature() - Introduce bpf_lookup_user_key() and bpf_key_put() helpers (suggested by Alexei) - Add lookup_key_norelease test, to ensure that the verifier blocks eBPF programs which don't decrement the key reference count - Parse raw PKCS#7 signature instead of module-style signature in the verify_pkcs7_signature test (suggested by Alexei) - Parse kernel module in user space and pass raw PKCS#7 signature to the eBPF program for signature verification v3: - Rename bpf_verify_signature() back to bpf_verify_pkcs7_signature() to avoid managing different parameters for each signature verification function in one helper (suggested by Daniel) - Use dynamic pointers and export bpf_dynptr_get_size() (suggested by Alexei) - Introduce bpf_request_key_by_id() to give more flexibility to the caller of bpf_verify_pkcs7_signature() to retrieve the appropriate keyring (suggested by Alexei) - Fix test by reordering the gcc command line, always compile sign-file - Improve helper support check mechanism in the test v2: - Rename bpf_verify_pkcs7_signature() to a more generic bpf_verify_signature() and pass the signature type (suggested by KP) - Move the helper and prototype declaration under #ifdef so that user space can probe for support for the helper (suggested by Daniel) - Describe better the keyring types (suggested by Daniel) - Include linux/bpf.h instead of vmlinux.h to avoid implicit or redeclaration - Make the test selfcontained (suggested by Alexei) v1: - Don't define new map flag but introduce simple wrapper of verify_pkcs7_signature() (suggested by Alexei and KP) KP Singh (1): bpf: Allow kfuncs to be used in LSM programs Roberto Sassu (8): btf: Handle dynamic pointer parameter in kfuncs bpf: Export bpf_dynptr_get_size() KEYS: Move KEY_LOOKUP_ to include/linux/key.h bpf: Add bpf_lookup_*_key() and bpf_key_put() kfuncs bpf: Add bpf_verify_pkcs7_signature() kfunc selftests/bpf: Add verifier tests for bpf_lookup_*_key() and bpf_key_put() selftests/bpf: Add additional tests for bpf_lookup_*_key() selftests/bpf: Add test for bpf_verify_pkcs7_signature() kfunc include/linux/bpf.h | 7 + include/linux/bpf_verifier.h | 3 + include/linux/key.h | 3 + kernel/bpf/btf.c | 23 + kernel/bpf/helpers.c | 2 +- kernel/bpf/verifier.c | 4 +- kernel/trace/bpf_trace.c | 191 +++++++++ security/keys/internal.h | 2 - tools/testing/selftests/bpf/Makefile | 14 +- tools/testing/selftests/bpf/config | 2 + .../selftests/bpf/prog_tests/lookup_key.c | 112 +++++ .../bpf/prog_tests/verify_pkcs7_sig.c | 399 ++++++++++++++++++ .../selftests/bpf/progs/test_lookup_key.c | 46 ++ .../bpf/progs/test_verify_pkcs7_sig.c | 100 +++++ tools/testing/selftests/bpf/test_verifier.c | 3 +- .../selftests/bpf/verifier/ref_tracking.c | 139 ++++++ .../testing/selftests/bpf/verify_sig_setup.sh | 104 +++++ 17 files changed, 1145 insertions(+), 9 deletions(-) create mode 100644 tools/testing/selftests/bpf/prog_tests/lookup_key.c create mode 100644 tools/testing/selftests/bpf/prog_tests/verify_pkcs7_sig.c create mode 100644 tools/testing/selftests/bpf/progs/test_lookup_key.c create mode 100644 tools/testing/selftests/bpf/progs/test_verify_pkcs7_sig.c create mode 100755 tools/testing/selftests/bpf/verify_sig_setup.sh -- 2.25.1

3 years, 2 months

4
19
0 0

[PATCH net v3 1/2] selftests: include bonding tests into the kselftest infra

by Jonathan Toppins

This creates a test collection in drivers/net/bonding for bonding specific kernel selftests. The first test is a reproducer that provisions a bond and given the specific order in how the ip-link(8) commands are issued the bond never transmits an LACPDU frame on any of its slaves. Signed-off-by: Jonathan Toppins <jtoppins(a)redhat.com> --- Notes: v2: * fully integrated the test into the kselftests infrastructure * moved the reproducer to under tools/testing/selftests/drivers/net/bonding * reduced the test to its minimial amount and used ip-link(8) for all bond interface configuration v3: * rebase to latest net/master * remove `#set -x` requested by Hangbin MAINTAINERS | 1 + tools/testing/selftests/Makefile | 1 + .../selftests/drivers/net/bonding/Makefile | 6 ++ .../net/bonding/bond-break-lacpdu-tx.sh | 81 +++++++++++++++++++ .../selftests/drivers/net/bonding/config | 1 + .../selftests/drivers/net/bonding/settings | 1 + 6 files changed, 91 insertions(+) create mode 100644 tools/testing/selftests/drivers/net/bonding/Makefile create mode 100755 tools/testing/selftests/drivers/net/bonding/bond-break-lacpdu-tx.sh create mode 100644 tools/testing/selftests/drivers/net/bonding/config create mode 100644 tools/testing/selftests/drivers/net/bonding/settings diff --git a/MAINTAINERS b/MAINTAINERS index f2d64020399b..e5fb14dc302d 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -3672,6 +3672,7 @@ F: Documentation/networking/bonding.rst F: drivers/net/bonding/ F: include/net/bond* F: include/uapi/linux/if_bonding.h +F: tools/testing/selftests/net/bonding/ BOSCH SENSORTEC BMA400 ACCELEROMETER IIO DRIVER M: Dan Robertson <dan(a)dlrobertson.com> diff --git a/tools/testing/selftests/Makefile b/tools/testing/selftests/Makefile index 10b34bb03bc1..c2064a35688b 100644 --- a/tools/testing/selftests/Makefile +++ b/tools/testing/selftests/Makefile @@ -12,6 +12,7 @@ TARGETS += cpu-hotplug TARGETS += damon TARGETS += drivers/dma-buf TARGETS += drivers/s390x/uvdevice +TARGETS += drivers/net/bonding TARGETS += efivarfs TARGETS += exec TARGETS += filesystems diff --git a/tools/testing/selftests/drivers/net/bonding/Makefile b/tools/testing/selftests/drivers/net/bonding/Makefile new file mode 100644 index 000000000000..ab6c54b12098 --- /dev/null +++ b/tools/testing/selftests/drivers/net/bonding/Makefile @@ -0,0 +1,6 @@ +# SPDX-License-Identifier: GPL-2.0 +# Makefile for net selftests + +TEST_PROGS := bond-break-lacpdu-tx.sh + +include ../../../lib.mk diff --git a/tools/testing/selftests/drivers/net/bonding/bond-break-lacpdu-tx.sh b/tools/testing/selftests/drivers/net/bonding/bond-break-lacpdu-tx.sh new file mode 100755 index 000000000000..47ab90596acb --- /dev/null +++ b/tools/testing/selftests/drivers/net/bonding/bond-break-lacpdu-tx.sh @@ -0,0 +1,81 @@ +#!/bin/sh +# SPDX-License-Identifier: GPL-2.0 + +# Regression Test: +# Verify LACPDUs get transmitted after setting the MAC address of +# the bond. +# +# https://bugzilla.redhat.com/show_bug.cgi?id=2020773 +# +# +---------+ +# | fab-br0 | +# +---------+ +# | +# +---------+ +# | fbond | +# +---------+ +# | | +# +------+ +------+ +# |veth1 | |veth2 | +# +------+ +------+ +# +# We use veths instead of physical interfaces + +set -e +tmp=$(mktemp -q dump.XXXXXX) +cleanup() { + ip link del fab-br0 >/dev/null 2>&1 || : + ip link del fbond >/dev/null 2>&1 || : + ip link del veth1-bond >/dev/null 2>&1 || : + ip link del veth2-bond >/dev/null 2>&1 || : + modprobe -r bonding >/dev/null 2>&1 || : + rm -f -- ${tmp} +} + +trap cleanup 0 1 2 +cleanup +sleep 1 + +# create the bridge +ip link add fab-br0 address 52:54:00:3B:7C:A6 mtu 1500 type bridge \ + forward_delay 15 + +# create the bond +ip link add fbond type bond mode 4 miimon 200 xmit_hash_policy 1 \ + ad_actor_sys_prio 65535 lacp_rate fast + +# set bond address +ip link set fbond address 52:54:00:3B:7C:A6 +ip link set fbond up + +# set again bond sysfs parameters +ip link set fbond type bond ad_actor_sys_prio 65535 + +# create veths +ip link add name veth1-bond type veth peer name veth1-end +ip link add name veth2-bond type veth peer name veth2-end + +# add ports +ip link set fbond master fab-br0 +ip link set veth1-bond down master fbond +ip link set veth2-bond down master fbond + +# bring up +ip link set veth1-end up +ip link set veth2-end up +ip link set fab-br0 up +ip link set fbond up +ip addr add dev fab-br0 10.0.0.3 + +tcpdump -n -i veth1-end -e ether proto 0x8809 >${tmp} 2>&1 & +sleep 15 +pkill tcpdump >/dev/null 2>&1 +rc=0 +num=$(grep "packets captured" ${tmp} | awk '{print $1}') +if test "$num" -gt 0; then + echo "PASS, captured ${num}" +else + echo "FAIL" + rc=1 +fi +exit $rc diff --git a/tools/testing/selftests/drivers/net/bonding/config b/tools/testing/selftests/drivers/net/bonding/config new file mode 100644 index 000000000000..dc1c22de3c92 --- /dev/null +++ b/tools/testing/selftests/drivers/net/bonding/config @@ -0,0 +1 @@ +CONFIG_BONDING=y diff --git a/tools/testing/selftests/drivers/net/bonding/settings b/tools/testing/selftests/drivers/net/bonding/settings new file mode 100644 index 000000000000..867e118223cd --- /dev/null +++ b/tools/testing/selftests/drivers/net/bonding/settings @@ -0,0 +1 @@ +timeout=60 -- 2.31.1

3 years, 2 months

2
1
0 0

kselftest/fixes build: 6 builds: 0 failed, 6 passed (v6.0-rc1-1-g5f4d1fd5b5d35)

by kernelci.org bot

kselftest/fixes build: 6 builds: 0 failed, 6 passed (v6.0-rc1-1-g5f4d1fd5b5d35) Full Build Summary: https://kernelci.org/build/kselftest/branch/fixes/kernel/v6.0-rc1-1-g5f4d1f… Tree: kselftest Branch: fixes Git Describe: v6.0-rc1-1-g5f4d1fd5b5d35 Git Commit: 5f4d1fd5b5d3506759b5d9cf20bb5fb5b8bdcab1 Git URL: https://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest.git Built: 3 unique architectures ================================================================================ Detailed per-defconfig build reports: -------------------------------------------------------------------------------- defconfig+kselftest (arm64, clang-15) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- defconfig+kselftest+arm64-chromebook (arm64, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- defconfig+kselftest+arm64-chromebook (arm64, clang-15) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- i386_defconfig+kselftest (i386, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- x86_64_defconfig+kselftest (x86_64, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- x86_64_defconfig+kselftest (x86_64, clang-15) — PASS, 0 errors, 0 warnings, 0 section mismatches --- For more info write to <info(a)kernelci.org>

3 years, 2 months

1
0
0 0

[PATCH v2] selftests/sgx: Ignore OpenSSL 3.0 deprecated functions warning

by Kristen Carlson Accardi

OpenSSL 3.0 deprecates some of the functions used in the SGX selftests, causing build errors on new distros. For now ignore the warnings until support for the functions is no longer available and mark FIXME so that it can be clear this should be removed at some point. Signed-off-by: Kristen Carlson Accardi <kristen(a)linux.intel.com> --- tools/testing/selftests/sgx/sigstruct.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/tools/testing/selftests/sgx/sigstruct.c b/tools/testing/selftests/sgx/sigstruct.c index 50c5ab1aa6fa..a07896a46364 100644 --- a/tools/testing/selftests/sgx/sigstruct.c +++ b/tools/testing/selftests/sgx/sigstruct.c @@ -17,6 +17,12 @@ #include "defines.h" #include "main.h" +/* + * FIXME: OpenSSL 3.0 has deprecated some functions. For now just ignore + * the warnings. + */ +#pragma GCC diagnostic ignored "-Wdeprecated-declarations" + struct q1q2_ctx { BN_CTX *bn_ctx; BIGNUM *m; -- 2.36.1

3 years, 2 months

3
2
0 0

kselftest/next build: 6 builds: 0 failed, 6 passed (v6.0-rc1-1-gf1227dc7d0411)

by kernelci.org bot

kselftest/next build: 6 builds: 0 failed, 6 passed (v6.0-rc1-1-gf1227dc7d0411) Full Build Summary: https://kernelci.org/build/kselftest/branch/next/kernel/v6.0-rc1-1-gf1227dc… Tree: kselftest Branch: next Git Describe: v6.0-rc1-1-gf1227dc7d0411 Git Commit: f1227dc7d0411ee9a9faaa1e80cfd9d6e5d6d63e Git URL: https://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest.git Built: 3 unique architectures ================================================================================ Detailed per-defconfig build reports: -------------------------------------------------------------------------------- defconfig+kselftest (arm64, clang-15) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- defconfig+kselftest (arm64, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- defconfig+kselftest+arm64-chromebook (arm64, clang-15) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- multi_v7_defconfig+kselftest (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- x86_64_defconfig+kselftest (x86_64, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- x86_64_defconfig+kselftest (x86_64, clang-15) — PASS, 0 errors, 0 warnings, 0 section mismatches --- For more info write to <info(a)kernelci.org>

3 years, 2 months

1
0
0 0

kselftest/fixes kselftest-cpufreq: 2 runs, 1 regressions (v6.0-rc1)

by kernelci.org bot

kselftest/fixes kselftest-cpufreq: 2 runs, 1 regressions (v6.0-rc1) Regressions Summary ------------------- platform | arch | lab | compiler | defconfig | regressions -----------------------------+-------+--------------+----------+---------------------+------------ meson-gxl-s905x-libretech-cc | arm64 | lab-baylibre | gcc-10 | defconfig+kselftest | 1 Details: https://kernelci.org/test/job/kselftest/branch/fixes/kernel/v6.0-rc1/plan/k… Test: kselftest-cpufreq Tree: kselftest Branch: fixes Describe: v6.0-rc1 URL: https://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest.git SHA: 568035b01cfb107af8d2e4bd2fb9aea22cf5b868 Test Regressions ---------------- platform | arch | lab | compiler | defconfig | regressions -----------------------------+-------+--------------+----------+---------------------+------------ meson-gxl-s905x-libretech-cc | arm64 | lab-baylibre | gcc-10 | defconfig+kselftest | 1 Details: https://kernelci.org/test/plan/id/62faad04683b2e848d35564e Results: 0 PASS, 1 FAIL, 0 SKIP Full config: defconfig+kselftest Compiler: gcc-10 (aarch64-linux-gnu-gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//kselftest/fixes/v6.0-rc1/arm64/defconfig+ksel… HTML log: https://storage.kernelci.org//kselftest/fixes/v6.0-rc1/arm64/defconfig+ksel… Rootfs: http://storage.kernelci.org/images/rootfs/debian/bullseye-kselftest/2022081… * kselftest-cpufreq.login: https://kernelci.org/test/case/id/62faad04683b2e848d35564f failing since 59 days (last pass: v5.19-rc1, first fail: v5.19-rc1-4-g9b4d5c01eb234)

3 years, 2 months

1
0
0 0

kselftest/fixes build: 6 builds: 0 failed, 6 passed (v6.0-rc1)

by kernelci.org bot

kselftest/fixes build: 6 builds: 0 failed, 6 passed (v6.0-rc1) Full Build Summary: https://kernelci.org/build/kselftest/branch/fixes/kernel/v6.0-rc1/ Tree: kselftest Branch: fixes Git Describe: v6.0-rc1 Git Commit: 568035b01cfb107af8d2e4bd2fb9aea22cf5b868 Git URL: https://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest.git Built: 4 unique architectures ================================================================================ Detailed per-defconfig build reports: -------------------------------------------------------------------------------- defconfig+kselftest (arm64, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- defconfig+kselftest+arm64-chromebook (arm64, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- i386_defconfig+kselftest (i386, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- multi_v7_defconfig+kselftest (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- x86_64_defconfig+kselftest (x86_64, clang-15) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- x86_64_defconfig+kselftest (x86_64, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches --- For more info write to <info(a)kernelci.org>

3 years, 2 months

1
0
0 0

[PATCH v4 0/4] Introduce security_create_user_ns()

by Frederick Lawler

While creating a LSM BPF MAC policy to block user namespace creation, we used the LSM cred_prepare hook because that is the closest hook to prevent a call to create_user_ns(). The calls look something like this: cred = prepare_creds() security_prepare_creds() call_int_hook(cred_prepare, ... if (cred) create_user_ns(cred) We noticed that error codes were not propagated from this hook and introduced a patch [1] to propagate those errors. The discussion notes that security_prepare_creds() is not appropriate for MAC policies, and instead the hook is meant for LSM authors to prepare credentials for mutation. [2] Ultimately, we concluded that a better course of action is to introduce a new security hook for LSM authors. [3] This patch set first introduces a new security_create_user_ns() function and userns_create LSM hook, then marks the hook as sleepable in BPF. Links: 1. https://lore.kernel.org/all/20220608150942.776446-1-fred@cloudflare.com/ 2. https://lore.kernel.org/all/87y1xzyhub.fsf@email.froward.int.ebiederm.org/ 3. https://lore.kernel.org/all/9fe9cd9f-1ded-a179-8ded-5fde8960a586@cloudflare… Past discussions: V3: https://lore.kernel.org/all/20220721172808.585539-1-fred@cloudflare.com/ V2: https://lore.kernel.org/all/20220707223228.1940249-1-fred@cloudflare.com/ V1: https://lore.kernel.org/all/20220621233939.993579-1-fred@cloudflare.com/ Changes since v3: - Explicitly set CAP_SYS_ADMIN to test namespace is created given permission - Simplify BPF test to use sleepable hook only - Prefer unshare() over clone() for tests Changes since v2: - Rename create_user_ns hook to userns_create - Use user_namespace as an object opposed to a generic namespace object - s/domB_t/domA_t in commit message Changes since v1: - Add selftests/bpf: Add tests verifying bpf lsm create_user_ns hook patch - Add selinux: Implement create_user_ns hook patch - Change function signature of security_create_user_ns() to only take struct cred - Move security_create_user_ns() call after id mapping check in create_user_ns() - Update documentation to reflect changes Frederick Lawler (4): security, lsm: Introduce security_create_user_ns() bpf-lsm: Make bpf_lsm_userns_create() sleepable selftests/bpf: Add tests verifying bpf lsm userns_create hook selinux: Implement userns_create hook include/linux/lsm_hook_defs.h | 1 + include/linux/lsm_hooks.h | 4 + include/linux/security.h | 6 ++ kernel/bpf/bpf_lsm.c | 1 + kernel/user_namespace.c | 5 + security/security.c | 5 + security/selinux/hooks.c | 9 ++ security/selinux/include/classmap.h | 2 + .../selftests/bpf/prog_tests/deny_namespace.c | 102 ++++++++++++++++++ .../selftests/bpf/progs/test_deny_namespace.c | 33 ++++++ 10 files changed, 168 insertions(+) create mode 100644 tools/testing/selftests/bpf/prog_tests/deny_namespace.c create mode 100644 tools/testing/selftests/bpf/progs/test_deny_namespace.c -- 2.30.2

3 years, 2 months

7
30
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-kselftest-mirror