Message ID | 20190628103900.10113-1-po-hsu.lin@canonical.com |
---|---|
State | Accepted |
Headers | show |
Series | scenario_groups/default: run the kernel_misc test after the cve test | expand |
Hi, Your patch just workarounds the issue for now, because it still happens if a new test designed to taint kernel is added to the group before cve group in future. Could we save the value of tainted before running block_dev and then restore it after running block_dev? Best Regards, Xiao Yang On 2019/06/28 18:39, Po-Hsu Lin wrote: > The block_dev test in kernel_misc will taint kernel with a warning flag, > this is an expected behaviour. > > However, if you run the cve-2017-17053 after it, as the test is looking > for a warning / died flag for a tainted kernel, it will cause false > alarm with: > tst_taint.c:88: BROK: Kernel is already tainted: 14849 > > The kernel_misc test was executed before the cve test in the default > test plan. Move the kernel_misc test to the end of the list to > workaround this issue. > > Signed-off-by: Po-Hsu Lin<po-hsu.lin@canonical.com> > --- > scenario_groups/default | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/scenario_groups/default b/scenario_groups/default > index 1f3e5b27f..e5b34782c 100644 > --- a/scenario_groups/default > +++ b/scenario_groups/default > @@ -22,7 +22,6 @@ power_management_tests > hugetlb > commands > hyperthreading > -kernel_misc > fs_ext4 > can > cpuhotplug > @@ -30,3 +29,4 @@ net.ipv6_lib > input > cve > crypto > +kernel_misc
Hello, I am not sure if we can restore the value in /proc/sys/kernel/tainted, which can be changed manually: # cat /proc/sys/kernel/tainted 0 # echo 12800 > /proc/sys/kernel/tainted # cat /proc/sys/kernel/tainted 12800 But it can't be reset back to 0. From the Documentation/admin-guide/tainted-kernels.rst, it states that: "Note the kernel will remain tainted even after you undo what caused the taint (i.e. unload a proprietary kernel module), to indicate the kernel remains not trustworthy." Thanks On Mon, Jul 1, 2019 at 2:27 PM Xiao Yang <yangx.jy@cn.fujitsu.com> wrote: > > Hi, > > Your patch just workarounds the issue for now, because it still happens > if a new test designed to taint > kernel is added to the group before cve group in future. > > Could we save the value of tainted before running block_dev and then > restore it after running block_dev? > > Best Regards, > Xiao Yang > On 2019/06/28 18:39, Po-Hsu Lin wrote: > > The block_dev test in kernel_misc will taint kernel with a warning flag, > > this is an expected behaviour. > > > > However, if you run the cve-2017-17053 after it, as the test is looking > > for a warning / died flag for a tainted kernel, it will cause false > > alarm with: > > tst_taint.c:88: BROK: Kernel is already tainted: 14849 > > > > The kernel_misc test was executed before the cve test in the default > > test plan. Move the kernel_misc test to the end of the list to > > workaround this issue. > > > > Signed-off-by: Po-Hsu Lin<po-hsu.lin@canonical.com> > > --- > > scenario_groups/default | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/scenario_groups/default b/scenario_groups/default > > index 1f3e5b27f..e5b34782c 100644 > > --- a/scenario_groups/default > > +++ b/scenario_groups/default > > @@ -22,7 +22,6 @@ power_management_tests > > hugetlb > > commands > > hyperthreading > > -kernel_misc > > fs_ext4 > > can > > cpuhotplug > > @@ -30,3 +29,4 @@ net.ipv6_lib > > input > > cve > > crypto > > +kernel_misc > > >
On 2019/07/01 14:58, Po-Hsu Lin wrote: > Hello, > > I am not sure if we can restore the value in /proc/sys/kernel/tainted, > which can be changed manually: > # cat /proc/sys/kernel/tainted > 0 > # echo 12800> /proc/sys/kernel/tainted > # cat /proc/sys/kernel/tainted > 12800 > But it can't be reset back to 0. Hi, It seems that the value of /proc/sys/kernel/tainted only be increased. Best Regards, Xiao Yang > > From the Documentation/admin-guide/tainted-kernels.rst, it states that: > "Note the kernel will remain tainted even after you undo what caused the taint > (i.e. unload a proprietary kernel module), to indicate the kernel remains not > trustworthy." > > Thanks > > On Mon, Jul 1, 2019 at 2:27 PM Xiao Yang<yangx.jy@cn.fujitsu.com> wrote: >> Hi, >> >> Your patch just workarounds the issue for now, because it still happens >> if a new test designed to taint >> kernel is added to the group before cve group in future. >> >> Could we save the value of tainted before running block_dev and then >> restore it after running block_dev? >> >> Best Regards, >> Xiao Yang >> On 2019/06/28 18:39, Po-Hsu Lin wrote: >>> The block_dev test in kernel_misc will taint kernel with a warning flag, >>> this is an expected behaviour. >>> >>> However, if you run the cve-2017-17053 after it, as the test is looking >>> for a warning / died flag for a tainted kernel, it will cause false >>> alarm with: >>> tst_taint.c:88: BROK: Kernel is already tainted: 14849 >>> >>> The kernel_misc test was executed before the cve test in the default >>> test plan. Move the kernel_misc test to the end of the list to >>> workaround this issue. >>> >>> Signed-off-by: Po-Hsu Lin<po-hsu.lin@canonical.com> >>> --- >>> scenario_groups/default | 2 +- >>> 1 file changed, 1 insertion(+), 1 deletion(-) >>> >>> diff --git a/scenario_groups/default b/scenario_groups/default >>> index 1f3e5b27f..e5b34782c 100644 >>> --- a/scenario_groups/default >>> +++ b/scenario_groups/default >>> @@ -22,7 +22,6 @@ power_management_tests >>> hugetlb >>> commands >>> hyperthreading >>> -kernel_misc >>> fs_ext4 >>> can >>> cpuhotplug >>> @@ -30,3 +29,4 @@ net.ipv6_lib >>> input >>> cve >>> crypto >>> +kernel_misc >> >> > >
Hi!
> It seems that the value of /proc/sys/kernel/tainted only be increased.
That is by design, since otherwise people would erase the track of
unsigned/out-of-tree modules being loaded...
Hi! Pushed, thanks.
Hi! > Your patch just workarounds the issue for now, because it still happens > if a new test designed to taint > kernel is added to the group before cve group in future. Unfortunately there is no better solution for this, so I pushed the patch.
Hello, thanks for the review, do you think if we should put a comment (if possible) inside that file to avoid getting re-ordered for some reason in the future? On Tue, Jul 2, 2019 at 9:05 PM Cyril Hrubis <chrubis@suse.cz> wrote: > > Hi! > > Your patch just workarounds the issue for now, because it still happens > > if a new test designed to taint > > kernel is added to the group before cve group in future. > > Unfortunately there is no better solution for this, so I pushed the > patch. > > -- > Cyril Hrubis > chrubis@suse.cz
Hi! > thanks for the review, > do you think if we should put a comment (if possible) inside that file > to avoid getting re-ordered for some reason in the future? We cannot, the scenari files are simply read line by line, the format does not support comments.
diff --git a/scenario_groups/default b/scenario_groups/default index 1f3e5b27f..e5b34782c 100644 --- a/scenario_groups/default +++ b/scenario_groups/default @@ -22,7 +22,6 @@ power_management_tests hugetlb commands hyperthreading -kernel_misc fs_ext4 can cpuhotplug @@ -30,3 +29,4 @@ net.ipv6_lib input cve crypto +kernel_misc
The block_dev test in kernel_misc will taint kernel with a warning flag, this is an expected behaviour. However, if you run the cve-2017-17053 after it, as the test is looking for a warning / died flag for a tainted kernel, it will cause false alarm with: tst_taint.c:88: BROK: Kernel is already tainted: 14849 The kernel_misc test was executed before the cve test in the default test plan. Move the kernel_misc test to the end of the list to workaround this issue. Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com> --- scenario_groups/default | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)