#regzbot introduced v6.1.52..v6.1.53
#regzbot introduced: ed134f284b4ed85a70d5f760ed0686e3cd555f9b
We hit this regression when updating our guest vm kernel from 6.1.52 to 6.1.53 -- bisecting this problem was introduced in ed134f284b4ed85a70d5f760ed0686e3cd555f9b -- vfs, security: Fix automount superblock LSM init problem, preventing NFS sb sharing -- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v...
We're getting an EINVAL in `selinux_set_mnt_opts` in `security/selinux/hooks.c` when mounting a folder in a guest VM where selinux is disabled. We're mounting from another folder that we suspect has selinux labels set from the host. The EINVAL is getting set in the following block...
```
if (!selinux_initialized(&selinux_state)) {
	if (!opts) {
		/* Defer initialization until selinux_complete_init,
		   after the initial policy is loaded and the security
		   server is ready to handle calls. */
		goto out;
	}
	rc = -EINVAL;
	pr_warn("SELinux: Unable to set superblock options "
		"before the security server is initialized\n");
	goto out;
}
```
We can reproduce 100% of the time but don't currently have a simple reproducer as the problem was found in our build service which uses kata-containers (with cloud-hypervisor and rootfs mounted via virtio-blk).
We have not checked the mainline as we currently are tied to 6.1.x.
-Simon
On Wed, 2023-09-27 at 15:55 -0400, Simon Kaegi wrote:
#regzbot introduced v6.1.52..v6.1.53 #regzbot introduced: ed134f284b4ed85a70d5f760ed0686e3cd555f9b
We hit this regression when updating our guest vm kernel from 6.1.52 to 6.1.53 -- bisecting this problem was introduced in ed134f284b4ed85a70d5f760ed0686e3cd555f9b -- vfs, security: Fix automount superblock LSM init problem, preventing NFS sb sharing -- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v...
We're getting an EINVAL in `selinux_set_mnt_opts` in `security/selinux/hooks.c` when mounting a folder in a guest VM where selinux is disabled. We're mounting from another folder that we suspect has selinux labels set from the host. The EINVAL is getting set in the following block...
```
if (!selinux_initialized(&selinux_state)) {
	if (!opts) {
		/* Defer initialization until selinux_complete_init,
		   after the initial policy is loaded and the security
		   server is ready to handle calls. */
		goto out;
	}
	rc = -EINVAL;
	pr_warn("SELinux: Unable to set superblock options "
		"before the security server is initialized\n");
	goto out;
}
```
We can reproduce 100% of the time but don't currently have a simple reproducer as the problem was found in our build service which uses kata-containers (with cloud-hypervisor and rootfs mounted via virtio-blk).
We have not checked the mainline as we currently are tied to 6.1.x.
-Simon
This sounds very similar to the bug that Ondrej fixed here:
https://lore.kernel.org/selinux/20230911142358.883728-1-omosnace@redhat.com/
You may want to try that patch and see if it helps.
Thanks Jeff. I've confirmed that Ondrej's patch fixes the issue we were having. Definitely would be great to get this in 6.1.x. soon. -Simon
On Wed, Sep 27, 2023 at 4:21 PM Jeff Layton jlayton@kernel.org wrote:
This sounds very similar to the bug that Ondrej fixed here:
https://lore.kernel.org/selinux/20230911142358.883728-1-omosnace@redhat.com/
You may want to try that patch and see if it helps.
Jeff Layton jlayton@kernel.org
On 28.09.23 16:43, Simon Kaegi wrote:
Thanks Jeff. I've confirmed that Ondrej's patch fixes the issue we were having. Definitely would be great to get this in 6.1.x. soon.
That patch afaics is already part of 6.1.55
#regzbot fix: 978b86fbdb2acf69
HTH!
Ciao, Thorsten (wearing his 'the Linux kernel's regression tracker' hat)
--
Everything you wanna know about Linux kernel regression tracking:
https://linux-regtracking.leemhuis.info/about/#tldr
If I did something stupid, please tell me, as explained on that page.
Ah... I see it's already in 6.1.55 -- tested that and confirmed we're all good. Thanks. -Simon
On Thu, Sep 28, 2023 at 10:43 AM Simon Kaegi simon.kaegi@gmail.com wrote:
Thanks Jeff. I've confirmed that Ondrej's patch fixes the issue we were having. Definitely would be great to get this in 6.1.x. soon. -Simon
linux-stable-mirror@lists.linaro.org