test_190_config_kernel_fortify in kernel security test failed with 4.15 KVM kernel

Bug #1766774 reported by Po-Hsu Lin on 2018-04-25
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
ubuntu-kernel-tests | | Undecided | Po-Hsu Lin |
linux-kvm (Ubuntu) | | Undecided | Po-Hsu Lin |
Bionic | | Undecided | Unassigned |

Bug Description

== Justification ==
In the Bionic KVM kernel, CONFIG_FORTIFY_SOURCE and
CONFIG_SECURITY_PERF_EVENTS_RESTRICT were not set; they need to be enabled to
meet the security team's requirement.

== Test ==
Before enabling the configs, test cases test_190_config_kernel_fortify and
test_250_config_security_perf_events_restrict will fail in the kernel
security testsuite for the kernel SRU regression test.

It will pass with these two patches applied, tested on a KVM node.

== Fix ==
Set CONFIG_SECURITY_PERF_EVENTS_RESTRICT to "y".
Set CONFIG_FORTIFY_SOURCE to "y".

== Regression Potential ==
Minimal.
No code changes, just two config changes without disabling any other configs.

BugLink: https://bugs.launchpad.net/bugs/1766780
BugLink: https://bugs.launchpad.net/bugs/1766774

--------------------------------------------------
Test test_190_config_kernel_fortify from the kernel security test suite failed with 4.15.0-1008 KVM kernel.

  ======================================================================
  FAIL: test_190_config_kernel_fortify (__main__.KernelSecurityTest)
  Ensure CONFIG_FORTIFY_SOURCE is set
  ----------------------------------------------------------------------
  Traceback (most recent call last):
    File "./test-kernel-security.py", line 2186, in test_190_config_kernel_fortify
      self.assertTrue(self._test_config(config_name))
  AssertionError: False is not true

The CONFIG_FORTIFY_SOURCE is not set.
$ cat /boot/config-4.15.0-1008-kvm | grep CONFIG_FORTIFY_SOURCE
# CONFIG_FORTIFY_SOURCE is not set

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: linux-image-4.15.0-1008-kvm 4.15.0-1008.8
ProcVersionSignature: User Name 4.15.0-1008.8-kvm 4.15.17
Uname: Linux 4.15.0-1008-kvm x86_64
NonfreeKernelModules: signpost
ApportVersion: 2.20.9-0ubuntu7
Architecture: amd64
Date: Wed Apr 25 04:28:13 2018
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=C.UTF-8
 SHELL=/bin/bash
SourcePackage: linux-kvm
UpgradeStatus: No upgrade log present (probably fresh install)
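
The grep shown in the report matches the "# CONFIG_FORTIFY_SOURCE is not set" comment line, so its exit status alone cannot tell an enabled option from a disabled one. The following is an added example, not part of the original report and not the code of test-kernel-security.py: a parser that separates enabled, disabled and absent options. The function names and the sample configs are assumptions constructed for illustration.

```python
import re

# The two options this bug report asks to enable.
REQUIRED = ("CONFIG_FORTIFY_SOURCE", "CONFIG_SECURITY_PERF_EVENTS_RESTRICT")

_SET = re.compile(r"^(CONFIG_\w+)=(.*)$")
_UNSET = re.compile(r"^# (CONFIG_\w+) is not set$")


def parse_kernel_config(text):
    """Map option name to its value; explicitly unset options map to None."""
    options = {}
    for line in text.splitlines():
        line = line.strip()
        m = _SET.match(line)
        if m:
            options[m.group(1)] = m.group(2).strip('"')
            continue
        m = _UNSET.match(line)
        if m:
            options[m.group(1)] = None
    return options


def audit(text, required=REQUIRED):
    """Return {option: 'enabled' | 'module' | 'disabled' | 'absent'}."""
    options = parse_kernel_config(text)
    states = {}
    for name in required:
        if name not in options:
            states[name] = "absent"
        else:
            states[name] = {"y": "enabled", "m": "module"}.get(options[name], "disabled")
    return states


def failing(text, required=REQUIRED):
    """Required options that are not built in (=y)."""
    return [name for name, state in audit(text, required).items() if state != "enabled"]


# Constructed sample configs, not copied from a real /boot/config file.
BEFORE = "CONFIG_SECURITY=y\n# CONFIG_FORTIFY_SOURCE is not set\n"
AFTER = ("CONFIG_SECURITY=y\nCONFIG_FORTIFY_SOURCE=y\n"
         "CONFIG_SECURITY_PERF_EVENTS_RESTRICT=y\n")

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(cfg), "failing:", failing(cfg))
```

To audit a real system, pass the contents of the relevant /boot/config-<version> file to audit() in place of the constructed samples.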

Po-Hsu Lin (cypressyew) wrote :

A test kernel could be found here (along with the patch for bug 1766780):
http://people.canonical.com/~phlin/kernel/lp-1766774-1766780/

no longer affects: qa-regression-testing
Changed in ubuntu-kernel-tests:
assignee: nobody → Po-Hsu Lin (cypressyew)
Changed in linux-kvm (Ubuntu):
assignee: nobody → Po-Hsu Lin (cypressyew)
Changed in ubuntu-kernel-tests:
status: New → In Progress
Changed in linux-kvm (Ubuntu):
status: New → In Progress
description: updated
description: updated
description: updated
Po-Hsu Lin (cypressyew) on 2018-06-12
description: updated
Changed in linux-kvm (Ubuntu):
status: In Progress → Fix Committed
Po-Hsu Lin (cypressyew) on 2018-06-22
Changed in ubuntu-kernel-tests:
status: In Progress → Fix Committed
Changed in linux-kvm (Ubuntu Bionic):
status: New → Fix Committed