Add kernel 5.15 sources #2226
I can't speak for the nvidia side of things - but everything else looks good.
Forced push removed the NVIDIA driver for the 5.15 kernel, since the 470 version didn't compile aarch64 with this new kernel.
From f39069aa728e8e7038ba0568f81b97298e47cd0f Mon Sep 17 00:00:00 2001 | ||
From: Arnaldo Garcia Rincon <agarrcia@amazon.com> | ||
Date: Tue, 21 Jun 2022 16:42:09 +0000 | ||
Subject: [PATCH 1002/1002] Makefile: expose tools/ builds for external modules |
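Review bot: the Subject line presents this as a new Makefile change, while the discussion states it is a straight revert of the upstream commit at the cited lore link; generating it with `git revert` would give the conventional `Revert "<upstream subject>"` title, carry the reverted commit hash in the body, and make the patch easier to recognise and re-evaluate on the next kernel rebase. Keep the reasoning from the current commit message in the body of that revert.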
As far as I can tell this is a clean revert of the upstream patch mentioned. We should name it as what it is and provide the reasoning on why we are reverting this one (as you have done in the commit message).
I will have to take a look at kmod kit to see if this is the right way to do this.
Reverting this (https://lore.kernel.org/all/20210512065201.35268-1-masahiroy@kernel.org/) looks like a decent approach to me. The commit moved the definition of the `tools` target into a block guarded by `KBUILD_EXTMOD` (https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/Makefile?h=v5.15.43#n1117), only set when Kbuild is invoked for an out-of-tree build. I, too, would prefer a proper revert commit the way `git revert` would generate it, though.
An alternative would be to (cross-compile if needed and) package the required tools in the kmod kit, but this right here seems simpler.
The alternative approach that I thought of was to copy the targets inside the `KBUILD_EXTMOD` block instead of reverting the commit, just to make our lives easier in the future in case our revert conflicts with updates in the Makefile.
Regarding this:
An alternative would be to (cross-compile if needed and) package the required tools in the kmod kit, but this right here seems simpler.
There is a comment in the other patch that explains why we didn't include the compiled binaries in the archive:
Unlike other distributions, we cannot include these programs in our kernel-devel archive, because we rely on cross-compilation: these are "host" programs and may not match the architecture of the target
(Note to myself: Comparing to the 5.10 kernel build, we could drop the two additional patches to support zstd since they were originally taken from upstream 5.13.) Since I did not see any mention of config changes, have you checked the resulting Bottlerocket kernel configs against the ones for 5.10? Going from upstream 5.10 to upstream 5.15 naturally changes the available config options (new features, drivers, etc.), but there's also been work on the Amazon Linux kernel configs we base our configs on. I've only skimmed the resulting differences and mostly found welcome changes (e.g.
Regarding the diff between the 5.10 and 5.15 configs, I'll add a comment in this PR comparing the two configurations 👍
Can you share the SELinux related output from early boot? It'll look like this:
[ 4.150596] SELinux: policy capability network_peer_controls=1
[ 4.155730] SELinux: policy capability open_perms=1
[ 4.160314] SELinux: policy capability extended_socket_class=1
[ 4.165506] SELinux: policy capability always_check_network=0
[ 4.170627] SELinux: policy capability cgroup_seclabel=1
[ 4.175380] SELinux: policy capability nnp_nosuid_transition=1
[ 4.180373] SELinux: policy capability genfs_seclabel_symlinks=1
[ 4.185486] SELinux: policy capability ioctl_skip_cloexec=0
[ 4.233927] systemd[1]: Successfully loaded SELinux policy in 238.564ms.
There are likely to be new classes or actions that need rules, if we don't want them to be denied by default.
# Because Bottlerocket does not have an initramfs, modules required to mount | ||
# the root filesystem must be set to y. |
Please keep "rebasing" this on 5.10 kernel config changes until this merges, and then please nag others to keep this config current.
There are two new classes that need to be added:
[ 0.956969] SELinux: Class mctp_socket not defined in policy.
[ 0.957602] SELinux: Class anon_inode not defined in policy.
[ 0.958165] SELinux: the above unknown classes and permissions will be denied
[ 0.960123] SELinux: policy capability network_peer_controls=1
[ 0.960731] SELinux: policy capability open_perms=1
[ 0.961217] SELinux: policy capability extended_socket_class=1
[ 0.961812] SELinux: policy capability always_check_network=0
[ 0.962377] SELinux: policy capability cgroup_seclabel=1
[ 0.962907] SELinux: policy capability nnp_nosuid_transition=1
[ 0.963484] SELinux: policy capability genfs_seclabel_symlinks=1
[ 0.964114] SELinux: policy capability ioctl_skip_cloexec=0
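The early-boot excerpts in this thread (the 5.10 output earlier and the 5.15 output just above) are exactly what a policy maintainer checks on every kernel bump: classes or permissions the kernel defines but the policy does not, whether the kernel denies or allows those unknowns, and whether any policy capability changed value. The following is an added Python example, not code from this PR or from Bottlerocket, that parses those SELinux loader messages from a dmesg capture. The two capture strings are built from the output quoted in this thread; the separate permission line is a constructed sample in the format the kernel uses for an unknown permission, with placeholder names.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Sample captures built from the early-boot output quoted in this thread.
SAMPLE_DMESG_510 = """\
[    4.150596] SELinux:  policy capability network_peer_controls=1
[    4.155730] SELinux:  policy capability open_perms=1
[    4.160314] SELinux:  policy capability extended_socket_class=1
[    4.165506] SELinux:  policy capability always_check_network=0
[    4.170627] SELinux:  policy capability cgroup_seclabel=1
[    4.175380] SELinux:  policy capability nnp_nosuid_transition=1
[    4.180373] SELinux:  policy capability genfs_seclabel_symlinks=1
[    4.185486] SELinux:  policy capability ioctl_skip_cloexec=0
[    4.233927] systemd[1]: Successfully loaded SELinux policy in 238.564ms.
"""

SAMPLE_DMESG_515 = """\
[    0.956969] SELinux:  Class mctp_socket not defined in policy.
[    0.957602] SELinux:  Class anon_inode not defined in policy.
[    0.958165] SELinux: the above unknown classes and permissions will be denied
[    0.960123] SELinux:  policy capability network_peer_controls=1
[    0.960731] SELinux:  policy capability open_perms=1
[    0.961217] SELinux:  policy capability extended_socket_class=1
[    0.961812] SELinux:  policy capability always_check_network=0
[    0.962377] SELinux:  policy capability cgroup_seclabel=1
[    0.962907] SELinux:  policy capability nnp_nosuid_transition=1
[    0.963484] SELinux:  policy capability genfs_seclabel_symlinks=1
[    0.964114] SELinux:  policy capability ioctl_skip_cloexec=0
"""

# Constructed line in the format the kernel uses for an unknown permission;
# "example_perm" and "example_class" are placeholders, not real kernel objects.
SAMPLE_PERMISSION_LINE = (
    "[    0.957900] SELinux:  Permission example_perm in class example_class "
    "not defined in policy."
)

# Message formats printed by the kernel while loading policy; whitespace is
# matched loosely because pasted output often collapses the double space.
_CLASS_RE = re.compile(r"SELinux:\s+Class (\S+) not defined in policy\.")
_PERM_RE = re.compile(r"SELinux:\s+Permission (\S+) in class (\S+) not defined in policy\.")
_UNKNOWN_RE = re.compile(r"SELinux: the above unknown classes and permissions will be (denied|allowed)")
_CAP_RE = re.compile(r"SELinux:\s+policy capability (\w+)=([01])")


@dataclass
class SelinuxBootReport:
    undefined_classes: List[str] = field(default_factory=list)
    undefined_permissions: List[Tuple[str, str]] = field(default_factory=list)  # (class, perm)
    unknown_handling: Optional[str] = None  # "denied" or "allowed", if the kernel reported it
    capabilities: Dict[str, bool] = field(default_factory=dict)

    def needs_policy_update(self) -> bool:
        # Anything the kernel knows but the policy lacks is a gap to close
        # before relying on the default deny behaviour.
        return bool(self.undefined_classes or self.undefined_permissions)


def parse_selinux_boot(log_text: str) -> SelinuxBootReport:
    """Collect the policy-loader findings from a dmesg/journal capture."""
    report = SelinuxBootReport()
    for line in log_text.splitlines():
        if m := _CLASS_RE.search(line):
            report.undefined_classes.append(m.group(1))
        elif m := _PERM_RE.search(line):
            report.undefined_permissions.append((m.group(2), m.group(1)))
        elif m := _UNKNOWN_RE.search(line):
            report.unknown_handling = m.group(1)
        elif m := _CAP_RE.search(line):
            report.capabilities[m.group(1)] = m.group(2) == "1"
    return report


def capability_changes(before: SelinuxBootReport,
                       after: SelinuxBootReport) -> Dict[str, Tuple[Optional[bool], Optional[bool]]]:
    """Policy capabilities whose value differs between two boots, or that
    appear on only one side (None marks the missing side)."""
    names = set(before.capabilities) | set(after.capabilities)
    return {
        n: (before.capabilities.get(n), after.capabilities.get(n))
        for n in sorted(names)
        if before.capabilities.get(n) != after.capabilities.get(n)
    }


if __name__ == "__main__":
    old, new = parse_selinux_boot(SAMPLE_DMESG_510), parse_selinux_boot(SAMPLE_DMESG_515)
    print("classes missing from policy:", new.undefined_classes, "->", new.unknown_handling)
    print("capability changes:", capability_changes(old, new) or "none")
```

Run against the two captures it reports `mctp_socket` and `anon_inode` as undefined with unknowns denied, and no capability differences, which matches what the reviewers concluded by eye. Feeding it `journalctl -k -b` output from a test boot gives the same check without hand-scanning.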
(Forced push includes the proper revert patch for the commit required to compile out-of-tree kernel modules)
Forced push includes:
@markusboehme here is the script that I used to generate a "diff":

```fish
#! /usr/bin/env fish
# Compare the 5.10 (old) and 5.15 (new) kernel configs shipped in the kmod kits.
set --local old aws-ecs-1-x86_64-kmod-kit-v1.8.0/kernel-devel/.config
set --local new aws-dev-x86_64-kmod-kit-v1.8.0/kernel-devel/.config

# Strip comments and blank lines. Note: "# CONFIG_X is not set" lines are
# comments to sed, so options that flip from unset to set are not reported.
for c in (sed -e 's|#.*||g' $old | rg -v '^$')
    # First check if setting exists in new configs. Anchor on "^NAME=" so a
    # prefix such as CONFIG_NET does not also match CONFIG_NETDEVICES.
    set --local config_name (echo $c | awk '{ split($1, c, "="); print(c[1]) }')
    if not rg -q "^$config_name=" $new
        echo "Config isn't set in 5.15: $config_name"
    # Check if the values are different: -x -F compares the whole line
    # literally, so values containing regex characters are matched exactly.
    else if not rg -qxF -- "$c" $new
        set --local new_config (rg "^$config_name=" $new)
        echo "Value in 5.10: $c, Value in 5.15: $new_config"
    end
end

for c in (sed -e 's|#.*||g' $new | rg -v '^$')
    set --local config_name (echo $c | awk '{ split($1, c, "="); print(c[1]) }')
    # Check new configs
    if not rg -q "^$config_name=" $old
        echo "Config is new in 5.15: $c"
    end
end
```
Thanks for listing the config changes! I like to use diffconfig for these purposes. Perhaps you'll find it helpful, too. Either way, I don't have any doubts about unwelcome config changes anymore.
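For the same comparison in a form that also handles `# CONFIG_X is not set` lines and matches symbols exactly (so `CONFIG_NET` is never mistaken for `CONFIG_NETDEVICES`), here is an added Python example. It is not code from this PR or from Bottlerocket, and it is not the kernel's `scripts/diffconfig`, although it prints the same `-`/`+`/`->` report style so the two can be compared side by side. The two `.config` excerpts are constructed samples with illustrative values, not the real 5.10 and 5.15 configs, and `CONFIG_LEGACY_OPTION_EXAMPLE` is a placeholder symbol.

```python
import re
from typing import Dict, List, Tuple

# Constructed .config excerpts in Kconfig output format. Values are
# illustrative only; CONFIG_LEGACY_OPTION_EXAMPLE is a placeholder symbol.
OLD_CONFIG = """\
#
# Automatically generated file; DO NOT EDIT.
# Linux/x86_64 5.10.0 Kernel Configuration
#
CONFIG_NET=y
CONFIG_NETDEVICES=y
CONFIG_ETHERNET=y
CONFIG_IGB=m
CONFIG_ROMFS_FS=y
# CONFIG_NTFS3_FS is not set
CONFIG_LEGACY_OPTION_EXAMPLE=y
CONFIG_DEFAULT_HOSTNAME="(none)"
"""

NEW_CONFIG = """\
#
# Automatically generated file; DO NOT EDIT.
# Linux/x86_64 5.15.0 Kernel Configuration
#
CONFIG_NET=y
CONFIG_NETDEVICES=y
CONFIG_ETHERNET=y
CONFIG_IGB=y
# CONFIG_ROMFS_FS is not set
CONFIG_NTFS3_FS=m
CONFIG_MCTP=y
CONFIG_DEFAULT_HOSTNAME="(none)"
"""

_SET_RE = re.compile(r"^(CONFIG_[A-Za-z0-9_]+)=(.*)$")
_UNSET_RE = re.compile(r"^# (CONFIG_[A-Za-z0-9_]+) is not set$")


def parse_config(text: str) -> Dict[str, str]:
    """Map symbol -> value. A '# CONFIG_X is not set' line becomes 'n' so
    that unset options take part in the comparison instead of being thrown
    away as comments (the weakness of stripping everything after '#')."""
    options: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := _SET_RE.match(line):
            options[m.group(1)] = m.group(2)
        elif m := _UNSET_RE.match(line):
            options[m.group(1)] = "n"
    return options


def diff_configs(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, list]:
    """Three buckets, each sorted by symbol: symbols dropped in new,
    symbols added in new, and symbols whose value changed."""
    removed: List[Tuple[str, str]] = sorted((k, old[k]) for k in old.keys() - new.keys())
    added: List[Tuple[str, str]] = sorted((k, new[k]) for k in new.keys() - old.keys())
    changed: List[Tuple[str, str, str]] = sorted(
        (k, old[k], new[k]) for k in old.keys() & new.keys() if old[k] != new[k]
    )
    return {"removed": removed, "added": added, "changed": changed}


def format_report(diff: Dict[str, list]) -> str:
    """Render in the '-SYM old', '+SYM new', ' SYM old -> new' style."""
    lines = [f"-{k} {v}" for k, v in diff["removed"]]
    lines += [f"+{k} {v}" for k, v in diff["added"]]
    lines += [f" {k} {o} -> {n}" for k, o, n in diff["changed"]]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(diff_configs(parse_config(OLD_CONFIG), parse_config(NEW_CONFIG))))
```

Because symbols are compared as dictionary keys rather than by substring search, a prefix such as `CONFIG_NET` cannot mask a different symbol, and the unset-to-module flip of `CONFIG_NTFS3_FS` in the sample is reported rather than silently dropped.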
The SELinux policy changes look reasonable to me by comparison to similar object classes. I am unsure about the significance of the position of the items in the `classorder` and `sidorder` definitions. I'll have to defer to someone with more SELinux expertise on that until I catch up.
I'd very much prefer to not take this change. Everything else looks OK.
# Network support | ||
CONFIG_ETHERNET=y | ||
CONFIG_NET_CORE=y | ||
CONFIG_NETDEVICES=y | ||
|
||
# Intel network support | ||
CONFIG_IGB=m | ||
CONFIG_IGBVF=m | ||
CONFIG_NET_VENDOR_INTEL=m | ||
CONFIG_IGB_HWMON=y | ||
CONFIG_E1000=m | ||
CONFIG_E1000e=m | ||
CONFIG_E1000e_hwts=y |
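Review bot: three of these lines will not take effect as written. `CONFIG_NET_VENDOR_INTEL` is a bool symbol in drivers/net/ethernet/intel/Kconfig, so `=m` is not a valid value for it; and Kconfig symbol names are case-sensitive, so `CONFIG_E1000e` and `CONFIG_E1000e_hwts` do not name the e1000e driver symbols, which are `CONFIG_E1000E` and `CONFIG_E1000E_HWTS`. `make olddefconfig` drops unknown and invalid entries without complaint, so the result would be a config with no e1000e driver and no error. Suggest `CONFIG_NET_VENDOR_INTEL=y`, `CONFIG_E1000E=m`, `CONFIG_E1000E_HWTS=y`, plus a check in the build that every symbol listed in the fragment survives into the generated `.config`.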
Needs to be "rebased" on the changes in #2264.
packages/selinux-policy/class.cil
@@ -259,7 +263,7 @@ | |||
phonet_socket ieee802154_socket caif_socket alg_socket | |||
nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket | |||
infiniband_pkey infiniband_endport bpf xdp_socket | |||
perf_event lockdown)) | |||
mctp_socket perf_event anon_inode lockdown)) |
This doesn't match the kernel's class order in `security/selinux/include/classmap.h`:
mctp_socket perf_event anon_inode lockdown)) | |
mctp_socket perf_event lockdown anon_inode)) |
It'd be good to fix that.
packages/selinux-policy/sid.cil
; The order of ISIDs must match the kernel's order, for now. | ||
(sidorder ( | ||
kernel security unlabeled fs file file_labels init any_socket port | ||
netif netmsg node igmp_packet icmp_socket tcp_socket sysctl_modprobe | ||
sysctl sysctl_fs sysctl_kernel sysctl_net sysctl_net_unix sysctl_vm | ||
sysctl_dev kmod policy scmp_packet devnull)) | ||
netif netmsg node igmp_packet icmp_socket tcp_socket mctp_socket | ||
sysctl_modprobe sysctl sysctl_fs sysctl_kernel sysctl_net sysctl_net_unix | ||
sysctl_vm sysctl_dev kmod policy scmp_packet devnull)) |
This doesn't look correct. There's no new initial SID for `mctp_socket` in `security/selinux/include/initial_sid_to_string.h`, and it would cause trouble if there were because the order would be wrong on older kernels. You should revert all changes to `sid.cil`.
@@ -9,6 +9,7 @@ | |||
(classmapping files relabel relabel_blk_file) | |||
(classmapping files relabel relabel_sock_file) | |||
(classmapping files relabel relabel_fifo_file) | |||
(classmapping files relabel relabel_anon_inode) |
This treatment of `anon_inode` looks OK.
In the absence of the transition rules, it looks like the `anon_inode` objects will continue to use the subject's label, and be covered by this blanket rule:
(allow all_s self (files (mutate)))
To actually write policy for this, we'd need a named transition rule and additional rules like:
(typetransition all_s all_s anon_inode "[userfaultfd]" userfaultfd_t)
(allow trusted_s userfaultfd_t (files (mutate)))
(neverallow untrusted_s userfaultfd_t (files (mutate)))
In other words: force all userfaultfd descriptors to be created with a particular label, and then restrict mutations to just the subjects that we want to be able to use them.
Before we did that, we'd probably want to default to turning off userfaultfd for unprivileged users via `vm.unprivileged_userfaultfd = 0`, and then understand why that wasn't sufficient.
Signed-off-by: Arnaldo Garcia Rincon <agarrcia@amazon.com>
Now the aws-dev, vmware-dev and metal-dev variants use the 5.15 kernel Signed-off-by: Arnaldo Garcia Rincon <agarrcia@amazon.com>
The MCTP network protocol landed in the 5.15 kernel, and along with it the new `mctp_socket` SELinux class was added. In Bottlerocket's SELinux policy, this class received the same treatment as all the other `socket` classes. Signed-off-by: Arnaldo Garcia Rincon <agarrcia@amazon.com>
In SELinux, anonymous inodes get the same permissions as the `file` class. Thus, in Bottlerocket's SELinux policy the `anon_inodes` class gets almost the same treatment as existing "file" classes. Signed-off-by: Arnaldo Garcia Rincon <agarrcia@amazon.com>
Forced push includes:
CONFIG_ROMFS_FS=n | ||
CONFIG_UFS_FS=n | ||
CONFIG_ZONEFS_FS=n | ||
CONFIG_NTFS3_FS=n |
nit: could put this in sorted order
Issue number:
Closes #2008
Description of changes:
TODO:
Testing done:
`aws-dev` VM, and it booted successfully:
`kmod-kit` to compile an out-of-tree kernel module:
Terms of contribution:
By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.