-
Notifications
You must be signed in to change notification settings - Fork 71
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Detected data corruption against SELinux when inserting policy modules #56
Comments
Here is another case (with additional log verbosity) where a new module was being installed:
|
Do you have enabled GCC_PLUGIN_RANDSTRUCT ? |
Yes. |
Currently, our SELinux protection logic is incompatible with GCC_PLUGIN_RANDSTRUCT since kernel 5.6. Without GCC_PLUGIN_RANDSTRUCT or if GCC_PLUGIN_RANDSTRUCT is enabled but kernel < 5.6 it works fine. We are aware of that and we are working on a proper fix to support SELinux protection on kernels 5.6+ with GCC_PLUGIN_RANDSTRUCT. |
@Adam-pi3 Since getting this fixed properly is taking a long while, maybe you can meanwhile disable the known-buggy functionality in LKRG? That is, exclude "SELinux protection on kernels 5.6+ with GCC_PLUGIN_RANDSTRUCT." |
In fact, yesterday I've been talking with @oshogbo and reviewing his changes and after some suggestions it work up to the kernel 5.11. We are working now to add support for 5.11+.
I think we can add it but we would need to revert such changes relatively soon. As soon as 5.11+ support will be done. We can also push the current changes but it won't work for 5.11+ |
Great news that progress is being made on this. Not having seen those WIP changes, I don't know how close to being ready they actually are. It may well make sense to disable the broken functionality meanwhile. |
Checking our e-mail discussion from January, besides the issue with RANDSTRUCT there's also the issue with LKRG not supporting CONFIG_SECURITY_SELINUX_DISABLE=n:
Perhaps you can fix this other issue without waiting on @oshogbo? |
In fact, the upcoming changes will address it as well. I think it's better to focus more on adding support for 5.11+ and speed-up that work. It will fix all the problems :) |
Does the RANDSTRUCT problem exist when LKRG is built into the kernel with access to the struct layouts at compile time and the seed used? |
@0xC0ncord This issue should be fixed by #57, which is merged. Can you please test and confirm, and if so close the issue? Thanks! |
@solardiz So far I haven't been able to reproduce the issue since building from master and using the same kernel, so it looks to be solved. Hopefully soon we can reinstate SELinux protections when RANDSTRUCT is in use in the future however. Going to close this since the original issue has been resolved. |
Sometimes, when using
semodule -i *.pp
to install a new SELinux module or update an existing one, LKRG detects this as an attack against the internal state of SELinux.This error was recorded on a 5.10.19 system running in permissive mode while updating a policy module:
I haven't found a reliable way to reproduce this behavior, but in the cases where it occurs, it occurs consistently on the same system even after a reboot.
The text was updated successfully, but these errors were encountered: