[rsbac] RSBAC build problem on linux-4.9.y-c3fbb3a

HacKurx hackurx at gmail.com
Wed May 17 21:34:05 CEST 2017


On 2017-05-17 08:27, Amon Ott wrote:
> On 16.05.2017 at 21:33, HacKurx wrote:
>> 2017-05-16 8:57 GMT+02:00 Amon Ott :
>>> mprotect must be active by default and it has been working fine in hard
>>> server use for months now.
>>>
>>> You can use rsbac_debug_mprotect kernel parameter to get debug output
>>> for mprotect. To enable debug as user 400 at runtime (disable with 0):
>>>
>>> echo debug_mprotect 1 >/proc/rsbac-info/debug
>>
>> I do not have the file "/proc/rsbac-info/debug" :/
>> I have not yet used RSBAC administration tools. I only configured the
>> kernel to test your mprotect option.
>> I use Ubuntu 16.04 LTS for this.
>
> You should enable both RSBAC proc interface and RSBAC debug. They both
> have little to no overhead and will enable you to test better and us to
> spot problems. As a company, we run all production systems with both
> settings and many others enabled.
>
> As some programs do not work with mprotect, you will probably need the
> tools some day to change settings for these.

egrep "RSBAC_PROC|RSBAC_DEBUG|RSBAC_MPROTECT" /boot/config-4.9.28-rsbac
CONFIG_RSBAC_PROC=y
CONFIG_RSBAC_DEBUG=y
# CONFIG_RSBAC_PROC_HIDE is not set
CONFIG_RSBAC_MPROTECT=y

cat /proc/rsbac-info/debug
cat: /proc/rsbac-info/debug: No such file or directory

There must be a few things that block this. Perhaps the file system or systemd?

On 2017-05-17 13:08, Amon Ott wrote:
> On 16.05.2017 at 21:10, HacKurx wrote:
>> 2017-05-15 22:59 GMT+02:00 Javier Juan Martinez Cabezon :
>>>> On 15/05/17 21:44, HacKurx wrote:
>>>>  CONFIG_RSBAC_INIT_THREAD is not set
>>> Can you please check booting with above option enabled?
>>
>> No problem. The system starts but I still have a message in the log.
>
> I have just pushed a possible fix to 4.9 git, the list probably needs to
> be protected by a spinlock.
>
> Can you please pull the fix and retry?

Perfect. No kernel call trace error :)
I also changed "CONFIG_FUSE_FS=m" to "CONFIG_FUSE_FS=y". I don't know
if it changes anything about the fix for you.

