test_072_config_debug_rodata in kernel security test failed with 4.4 X-kvm

Bug #1760643 reported by Po-Hsu Lin
Affects                 Status         Importance   Assigned to   Milestone
QA Regression Testing   Fix Released   Undecided    Unassigned
ubuntu-kernel-tests     Fix Released   Undecided    Po-Hsu Lin
linux (Ubuntu)          Invalid        Undecided    Unassigned
  Xenial                Invalid        Undecided    Unassigned
linux-kvm (Ubuntu)      Fix Released   Undecided    Po-Hsu Lin
  Xenial                Fix Released   Undecided    Po-Hsu Lin

Bug Description

== Justification ==
In the Xenial KVM kernel, CONFIG_DEBUG_KERNEL is enabled; the security team would like to see CONFIG_DEBUG_RODATA enabled as well.

== Test ==
Before enabling the config, the test_072_config_debug_rodata test from qa-regression-testing fails. After enabling it, the test passes.
A test kernel with CONFIG_DEBUG_RODATA enabled in Xenial KVM can be found here:
http://people.canonical.com/~phlin/kernel/lp-1760643/

== Fix ==
Enable the CONFIG_DEBUG_RODATA.
Some other configs were enabled only to skip the interactive prompts during compilation.

== Regression Potential ==
Minimal.
No code changes, just one config enabled without disabling any other configs.

The test failed with:
  FAIL: test_072_config_debug_rodata (__main__.KernelSecurityTest)
  CONFIG_DEBUG_RODATA/CONFIG_STRICT_KERNEL_RWX enabled
  ----------------------------------------------------------------------
  Traceback (most recent call last):
    File "./test-kernel-security.py", line 642, in test_072_config_debug_rodata
      self.assertEqual(self._test_config(option), expected)
  AssertionError: False != True

Steps to reproduce:
  Deploy the node with Xenial 4.4 kernel, install linux-kvm
  sudo apt-get install python-minimal
  git clone --depth=1 git://kernel.ubuntu.com/ubuntu/autotest-client-tests -b master-next
  git clone --depth=1 git://kernel.ubuntu.com/ubuntu/autotest
  rm -fr autotest/client/tests
  ln -sf ~/autotest-client-tests autotest/client/tests
  AUTOTEST_PATH=/home/ubuntu/autotest sudo -E autotest/client/autotest-local --verbose autotest/client/tests/ubuntu_qrt_kernel_security/control

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: linux-image-4.4.0-1019-kvm 4.4.0-1019.24
ProcVersionSignature: User Name 4.4.0-1019.24-kvm 4.4.98
Uname: Linux 4.4.0-1019-kvm x86_64
NonfreeKernelModules: signpost
ApportVersion: 2.20.1-0ubuntu2.15
Architecture: amd64
Date: Mon Apr 2 16:54:36 2018
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: linux-kvm
UpgradeStatus: No upgrade log present (probably fresh install)

Po-Hsu Lin (cypressyew) wrote :
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote : Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 1760643

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Steve Beattie (sbeattie) wrote :

Before kernel 4.11 CONFIG_DEBUG_RODATA depended on CONFIG_KERNEL_DEBUG being set, and the 4.4 linux-kvm kernel does not set this option (I assume in the name of performance). I'm therefore fixing up the qrt testcase to not fail in this situation, but only for pre-4.11 kernels. For kernels based on 4.11 and later, where the CONFIG_STRICT_KERNEL_RWX option does not depend on CONFIG_KERNEL_DEBUG being set, the Ubuntu Security Team would like to see CONFIG_STRICT_KERNEL_RWX enabled.

QRT commit https://git.launchpad.net/qa-regression-testing/commit/?id=d7e8c14e20ad00a2bb089c46b28b5f4c0c265849 puts this into place.

Thanks.

Changed in linux-kvm (Ubuntu Xenial):
status: New → Invalid
Changed in linux (Ubuntu Xenial):
status: New → Invalid
Changed in linux (Ubuntu):
status: Incomplete → Invalid
Changed in qa-regression-testing:
status: New → Fix Released
Steve Beattie (sbeattie) wrote :

And linux-kvm/bionic has STRICT_KERNEL_RWX set, so closing that task.

Changed in linux-kvm (Ubuntu):
status: New → Fix Released
Po-Hsu Lin (cypressyew) wrote :

Hi Steve,
Today I found this one is still failing on 4.4 KVM:

  FAIL: test_072_config_debug_rodata (__main__.KernelSecurityTest)
  CONFIG_DEBUG_RODATA/CONFIG_STRICT_KERNEL_RWX enabled
  ----------------------------------------------------------------------
  Traceback (most recent call last):
    File "./test-kernel-security.py", line 674, in test_072_config_debug_rodata
      self.assertEqual(self._test_config(option), expected)
  AssertionError: False != True

ubuntu@zeppo:~$ cat /proc/version_signature
Ubuntu 4.4.0-1022.27-kvm 4.4.128

These two configs are not enabled in the kernel config file:
$ grep -e CONFIG_DEBUG_RODATA -e CONFIG_STRICT_KERNEL_RWX /boot/config-4.4.0-1022-kvm
# CONFIG_DEBUG_RODATA is not set

As in your comment #3, should CONFIG_KERNEL_DEBUG be CONFIG_DEBUG_KERNEL instead?
The code was checking for "DEBUG_KERNEL", and this one is enabled in the 4.4 KVM kernel.

$ grep DEBUG_KERNEL /boot/config-4.4.0-1022-kvm
CONFIG_DEBUG_KERNEL=y

Therefore I will re-open the task for q-r-t.

Changed in qa-regression-testing:
status: Fix Released → Confirmed
Steve Beattie (sbeattie) wrote :

Hi Po-Hsu,

Oh whoops. Sure enough, CONFIG_DEBUG_KERNEL is enabled in the linux-kvm/xenial kernel. Given that, then CONFIG_DEBUG_RODATA should be enabled as well. So qrt is correctly failing here (though it could be more verbose in its reporting, I'll fix that). Therefore, closing for qrt and re-opening for linux-kvm/xenial.

Thanks!

Changed in linux (Ubuntu Xenial):
status: Invalid → Confirmed
Changed in qa-regression-testing:
status: Confirmed → Fix Released
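The check the thread converges on has two branches: on kernels before 4.11 the option is CONFIG_DEBUG_RODATA and it can only be selected when CONFIG_DEBUG_KERNEL is set, so a kernel without CONFIG_DEBUG_KERNEL is skipped rather than failed; on 4.11 and later the option is CONFIG_STRICT_KERNEL_RWX with no such dependency. The following is an added illustration of that logic, not the qa-regression-testing test-kernel-security.py code; the function names and the constructed sample config snippets are assumptions made for this example (the first snippet mirrors the grep output quoted above for 4.4.0-1022-kvm).

```python
"""Added example: the CONFIG_DEBUG_RODATA / CONFIG_STRICT_KERNEL_RWX check
described in this bug, applied to /boot/config-* style text. Function names
and the sample configs are assumptions for the illustration."""

import os
import re


def parse_kconfig(text):
    """Parse Kconfig output into {option: value}.

    Handles both `CONFIG_FOO=y` and the `# CONFIG_FOO is not set` comment
    form that the kernel build writes for disabled options.
    """
    options = {}
    not_set = re.compile(r"^# (CONFIG_\w+) is not set$")
    for line in text.splitlines():
        line = line.strip()
        m = not_set.match(line)
        if m:
            options[m.group(1)] = "n"
            continue
        if line.startswith("CONFIG_") and "=" in line:
            key, _, value = line.partition("=")
            options[key] = value.strip('"')
    return options


def kernel_version_tuple(version):
    """'4.4.0-1022-kvm' -> (4, 4); only major.minor matter for the 4.11 cutoff."""
    major, minor = version.split(".")[:2]
    return int(major), int(minor)


def expected_rwx_option(version):
    """CONFIG_DEBUG_RODATA became CONFIG_STRICT_KERNEL_RWX in 4.11."""
    if kernel_version_tuple(version) < (4, 11):
        return "CONFIG_DEBUG_RODATA"
    return "CONFIG_STRICT_KERNEL_RWX"


def check_kernel_rwx(config_text, version):
    """Return (ok, reason) for the kernel read-only-text requirement.

    Pre-4.11: CONFIG_DEBUG_RODATA depends on CONFIG_DEBUG_KERNEL, so without
    CONFIG_DEBUG_KERNEL the check is skipped; with it (the Xenial KVM case in
    this bug) CONFIG_DEBUG_RODATA must also be enabled.
    4.11+: CONFIG_STRICT_KERNEL_RWX has no such dependency and must be enabled.
    """
    opts = parse_kconfig(config_text)
    option = expected_rwx_option(version)
    if option == "CONFIG_DEBUG_RODATA" and opts.get("CONFIG_DEBUG_KERNEL") != "y":
        return True, "skipped: CONFIG_DEBUG_KERNEL not set, CONFIG_DEBUG_RODATA cannot be selected"
    if opts.get(option) == "y":
        return True, "%s=y" % option
    return False, "%s expected to be enabled but is %s" % (option, opts.get(option, "absent"))


def check_installed_kernel(release=None):
    """Run the check against /boot/config-<release> of the running kernel."""
    release = release or os.uname().release
    with open("/boot/config-%s" % release) as fh:
        return check_kernel_rwx(fh.read(), release)


# Constructed sample configs (not copied from a real /boot/config file).
XENIAL_KVM_1022_CONFIG = "CONFIG_DEBUG_KERNEL=y\n# CONFIG_DEBUG_RODATA is not set\n"
XENIAL_KVM_FIXED_CONFIG = "CONFIG_DEBUG_KERNEL=y\nCONFIG_DEBUG_RODATA=y\n"
NO_DEBUG_KERNEL_CONFIG = "# CONFIG_DEBUG_KERNEL is not set\n# CONFIG_DEBUG_RODATA is not set\n"
BIONIC_KVM_CONFIG = "CONFIG_STRICT_KERNEL_RWX=y\n"

if __name__ == "__main__":
    for name, cfg, ver in [
        ("xenial kvm 1022", XENIAL_KVM_1022_CONFIG, "4.4.128"),
        ("xenial kvm fixed", XENIAL_KVM_FIXED_CONFIG, "4.4.128"),
        ("no DEBUG_KERNEL", NO_DEBUG_KERNEL_CONFIG, "4.4.128"),
        ("bionic kvm", BIONIC_KVM_CONFIG, "4.15.0"),
    ]:
        ok, reason = check_kernel_rwx(cfg, ver)
        print("%-18s %s  (%s)" % (name, "PASS" if ok else "FAIL", reason))
```

The first sample reproduces the failure in this bug (CONFIG_DEBUG_KERNEL set, CONFIG_DEBUG_RODATA not set), the third shows the skip branch for a pre-4.11 kernel built without CONFIG_DEBUG_KERNEL, and the last shows the renamed option on a 4.15 kernel. `check_installed_kernel()` applies the same logic to the running kernel's config file.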
Po-Hsu Lin (cypressyew) wrote :

A test kernel with CONFIG_DEBUG_RODATA enabled in Xenial KVM could be found here:
http://people.canonical.com/~phlin/kernel/lp-1766832/

Changed in linux-kvm (Ubuntu Xenial):
status: Invalid → In Progress
Changed in linux-kvm (Ubuntu):
status: Fix Released → In Progress
Changed in linux (Ubuntu Xenial):
status: Confirmed → Invalid
Changed in linux-kvm (Ubuntu Xenial):
assignee: nobody → Po-Hsu Lin (cypressyew)
Changed in linux-kvm (Ubuntu):
assignee: nobody → Po-Hsu Lin (cypressyew)
Po-Hsu Lin (cypressyew)
description: updated
Po-Hsu Lin (cypressyew)
description: updated
description: updated
Stefan Bader (smb)
Changed in linux-kvm (Ubuntu Xenial):
status: In Progress → Fix Committed
Po-Hsu Lin (cypressyew)
Changed in ubuntu-kernel-tests:
assignee: nobody → Po-Hsu Lin (cypressyew)
status: New → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-kvm - 4.4.0-1027.32

---------------
linux-kvm (4.4.0-1027.32) xenial; urgency=medium

  * linux-kvm: 4.4.0-1027.32 -proposed tracker (LP: #1772964)

  * Xenial update to 4.4.129 stable release (LP: #1768429)
    - [Config] Remove ARCH_HWEIGHT_CFLAGS

  * test_140_kernel_modules_not_tainted in kernel security test failed with 4.15
    kvm kernel (LP: #1766832)
    - kvm: [config] enable CONFIG_MODULE_UNLOAD

  * test_072_config_debug_set_module_ronx in kernel security test failed with
    4.4 X-kvm (LP: #1760646)
    - kvm: [config] enable CONFIG_DEBUG_SET_MODULE_RONX

  * test_151_sysctl_disables_bpf_unpriv_userns in kernel security test failed
    with 4.4/4.15 kvm (LP: #1760656)
    - kvm: [config] enable BPF_SYSCALL

  * test_077_config_security_ipsec in kernel security test failed with 4.4/4.15
    kvm (LP: #1760653)
    - kvm: [config] enable ipsec configs

  * test_072_config_strict_devmem in kernel security test failed with 4.4/4.15
    kvm (LP: #1760648) // test_072_strict_devmem in kernel security test failed
    with 4.4/4.15 kvm (LP: #1760649)
    - kvm: [config] enable DEVMEM

  * test_076_config_security_acl_ext4 in kernel security test failed with
    4.4/4.15 kvm (LP: #1760652) // test_160_setattr_CVE_2015_1350 in kernel
    security test failed with 4.4/4.15 kvm (LP: #1760657)
    - kvm: [config] enable POSIX_ACL, XATTR, FS_SECURITY for all filesystems

  * test_074_config_security_default_mmap_min_addr in kernel security test
    failed with 4.4/4.15 kvm (LP: #1760650)
    - kvm: [config] DEFAULT_MMAP_MIN_ADDR=65536

  * test_072_config_debug_rodata in kernel security test failed with 4.4 X-kvm
    (LP: #1760643)
    - [Config] enable CONFIG_DEBUG_RODATA

  [ Ubuntu: 4.4.0-128.154 ]

  * linux: 4.4.0-128.154 -proposed tracker (LP: #1772960)
  * CVE-2018-3639 (x86)
    - x86/cpu: Make alternative_msr_write work for 32-bit code
    - x86/bugs: Fix the parameters alignment and missing void
    - KVM: SVM: Move spec control call after restore of GS
    - x86/speculation: Use synthetic bits for IBRS/IBPB/STIBP
    - x86/cpufeatures: Disentangle MSR_SPEC_CTRL enumeration from IBRS
    - x86/cpufeatures: Disentangle SSBD enumeration
    - x86/cpu/AMD: Fix erratum 1076 (CPB bit)
    - x86/cpufeatures: Add FEATURE_ZEN
    - x86/speculation: Handle HT correctly on AMD
    - x86/bugs, KVM: Extend speculation control for VIRT_SPEC_CTRL
    - x86/speculation: Add virtualized speculative store bypass disable support
    - x86/speculation: Rework speculative_store_bypass_update()
    - x86/bugs: Unify x86_spec_ctrl_{set_guest,restore_host}
    - x86/bugs: Expose x86_spec_ctrl_base directly
    - x86/bugs: Remove x86_spec_ctrl_set()
    - x86/bugs: Rework spec_ctrl base and mask logic
    - x86/speculation, KVM: Implement support for VIRT_SPEC_CTRL/LS_CFG
    - KVM: SVM: Implement VIRT_SPEC_CTRL support for SSBD
    - x86/bugs: Rename SSBD_NO to SSB_NO
    - KVM: VMX: Expose SSBD properly to guests.
  * [i915_bpo] Fix flickering issue after panel change (LP: #1770565)
    - drm/i915: Fix iboost setting for DDI with 4 lanes on SKL
    - drm/i915: Name the "iboost bit"
    - drm/i915: Program iboost s...

Changed in linux-kvm (Ubuntu Xenial):
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
Po-Hsu Lin (cypressyew)
Changed in ubuntu-kernel-tests:
status: In Progress → Fix Released
Changed in linux-kvm (Ubuntu):
status: In Progress → Fix Released