Skip to content

dashboard/config: enable BPF LSM configs #2035

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
chmnchiang wants to merge 1 commit into
base: master
Choose a base branch
from
Open

dashboard/config: enable BPF LSM configs #2035

chmnchiang wants to merge 1 commit into from

Conversation

@chmnchiang
Copy link
Contributor

@chmnchiang chmnchiang commented Aug 11, 2020
edited
Loading

Enable some kernel settings that is necessary for BPF LSM. These configs are listed on the KRSI website.

Also update the config to match fc80c51f @ Linux kernel.

@codecov
Copy link

codecov bot commented Aug 11, 2020

Codecov Report

Merging #2035 into master will not change coverage.
The diff coverage is n/a.

dvyukov
dvyukov reviewed Aug 11, 2020
View reviewed changes
dashboard/config/upstream-kasan.config Outdated
Copy link
Collaborator

@dvyukov dvyukov Aug 11, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh, I forgot about this. Unfortunately, this cannot be enabled:
https://github.com/google/syzkaller/blob/master/dashboard/config/bits-syzbot.config#L153

Copy link
Contributor Author

@chmnchiang chmnchiang Aug 11, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok, that will be bad news because BPF LSM requires the existence of vmlinux. Even if we replace the hook id with some random integer, it will never pass the verification (see here).

Is it possible to update pahole somehow?

Copy link
Collaborator

@dvyukov dvyukov Aug 12, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The ideal way to update it would be update the distro-provided package. But I just tried, and it's still not there:

# apt-get upgrade dwarves
# pahole --version
v1.9

Updating images on all syzbot machines is not something I can take on right now.
I have not looked into compiling a fresh version of pahole from source.

Copy link
Contributor Author

@chmnchiang chmnchiang Aug 21, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Saw this instruction of building pahole from source on the krsi dev page.

sudo apt install -y libdwarf-dev libdw-dev &&
git clone git://git.kernel.org/pub/scm/devel/pahole/pahole.git && \
cd pahole && \
mkdir build && \
cd build && \
cmake -DCMAKE_INSTALL_PREFIX=/usr -D__LIB=lib .. && \
make -j $(nproc) && \
sudo make install

dashboard/config: enable BPF LSM configs
f4735c5 
Enable some kernel settings that is necessary for BPF LSM.
This pull request is blocked before pahole is updated to 1.13, see
https://github.com/google/syzkaller/blob/master/dashboard/config/bits-syzbot.config#L150
for more information.
@chmnchiang
Copy link
Contributor Author

chmnchiang commented Aug 12, 2020

So we will probably need to wait before we can update pahole to 1.13.
I kept only the changes related to BPF LSM and reverted the remains to avoid merge conflicts or to serve as a reference for future updates.

@dvyukov
Copy link
Collaborator

dvyukov commented Aug 13, 2020

We cannot merge this b/c it breaks kernel build:
https://github.com/google/syzkaller/blob/master/dashboard/config/bits-syzbot.config#L153

chmnchiang pushed a commit to chmnchiang/syzkaller that referenced this pull request Aug 15, 2020
sys/linux: make bpf_lsm_btf_id optional
442ba1f 
Pull request google#1971 add the resource bpf_lsm_btf_id and make that a
required resource for bpf$BPF_LSM_PROG_LOAD. However, we need google#2035
merged to get a bpf_lsm_btf_id, and the pull request is currently
blocked by a pahole issue. Thus, bpf$BPF_LSM_PROG_LOAD will be disabled
for now.

This pull request makes bpf_lsm_btf_id optional for
bpf$BPF_LSM_PROG_LOAD, so we can test this syscall before the issue is
resolved.
@chmnchiang chmnchiang mentioned this pull request Aug 15, 2020
Merged
jedav pushed a commit that referenced this pull request Aug 24, 2020
sys/linux: make bpf_lsm_btf_id optional (#2054)
622e52f 
Pull request #1971 add the resource bpf_lsm_btf_id and make that a
required resource for bpf$BPF_LSM_PROG_LOAD. However, we need #2035
merged to get a bpf_lsm_btf_id, and the pull request is currently
blocked by a pahole issue. Thus, bpf$BPF_LSM_PROG_LOAD will be disabled
for now.

This pull request makes bpf_lsm_btf_id optional for
bpf$BPF_LSM_PROG_LOAD, so we can test this syscall before the issue is
resolved.
@dvyukov
Copy link
Collaborator

dvyukov commented Sep 12, 2020

#2096 will allow to resolve this

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dvyukov dvyukov dvyukov left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@chmnchiang @dvyukov