In linux-next security modules can be stacked.
TOMOYO is compatible with other modules and SAFESETID
module is added. But this is not yet in mainline.
Enable TOMOYO and SAFESETID.
There is no way to enable stacked modules in linux-next
while preserving the current behavior in mainline.
Once these changes reach mainline, we will need to replace
security cmdline arguments with lsm as follows:
lsm=yama,safesetid,integrity,selinux,tomoyo
lsm=yama,safesetid,integrity,smack,tomoyo
lsm=yama,safesetid,integrity,tomoyo,apparmor
CONFIG_PRINTK_CALLER has reached linux-next:
https://groups.google.com/d/msg/syzkaller/xEDUgkgFvL8/d5bBS3BJBwAJ
Enable CONFIG_PRINTK_CALLER and support parsing of its output format.
This gives us several advantages:
- output from different contexts don't intermix
- intermixed output doesn't cause corrupted reports
- we can keep larger prefix since we know it comes from the same task
Credit for the kernel part goes to Tetsuo Handa.
Also Sergey Senozhatsky and Petr Mladek for reviews of the kernel part.
Fixes#596Fixes#600
* sus/openbsd: store kernel configs in tree
They now include https://man.openbsd.org/witness per suggestion from
@mptre
* LOCKF_DIAGNOSTIC while we are at it.
* Moved to a better place.
We have some bugs with insane amount of repros.
So many that new crashes don't show up on dashboard at all.
Purge old repros too. There is no need to keep more than 40.
1. Use dashboard style.
2. Allow sorting of tables.
3. Show old crashes in grey.
4. Use tables instead of text output for more pages.
5. Show corpus inputs on a separate page to allow copy-pasting.
6. Use standard JS sorting instead of custom bubble sort (much faster).
7. Fix off-by one in table sorting.
Fixes#694
There are 2 important virtual drm drivers:
CONFIG_DRM_VKMS
CONFIG_DRM_VGEM
VGEM was already enabled, enable VKMS.
Also enable few other configs that look like
we can potentially reach them.
Currently it triggers datastore timeouts episodically.
Don't fail build upload if bug commit update fails.
Split the large query into two smaller queries.
We are seeing lots of datastore timeout errors during bug fetch.
It's a bad idea to fetch thousands of bugs in one query,
so fetch them in batches of 1000 bugs.
Hopefully will reduce rate of errors.
syzkaller manages to turn on dynamic debug messages somehow,
which then produces tons of output on console. Disable dynamic
debug on kasan.
Disable bpfilter on kmsan as we already did on kasan.
Now that syz-ci can upload coverage reports to GCS,
we can show up-to-date coverage for each manager
rather than a single static outdated file per namespace.
Don't show maintainers for crashes if we don't have them (only linux has).
Show short git hashes for kernel/syzkaller, 40 chars looks excessive (full hash is in hint).
Show current build kernel/syzkaller git hash in managers table.
Remove fuzzing time from managers table (does not seem too useful).
Allow a special case of cross-reporting duping:
rom last but one reporting to the last one (which is stable, final destination)
provided that these two reportings have the same access level and type.
The rest of the combinations can lead to surprising states and
information hiding, so we still don't allow them.
Fixes#569
Upstream "selinux: fix mounting of cgroup2 under older policies"
commit fixes mounting of cgroup2 under wheezy selinux policy.
So don't disable selinux on start.
Create separate cmdline arguments that enable selinux and apparmor.
- enable usbip
- enable squashfs
- enable ubifs
- enable dm-verity
- enable IMA/EVM
/\/\/\
all things we want to test
- set hung_task_check_interval_secs = 20 for more precise hung detection
- switch to apparmor (we don't enable selinux anyway)
- update to latest kernel
Update #533
As asked by Peter Zijlstra: "the lack of whitespace between "repro:"
and the URL makes it hard to copy paste".
We keep lines below 78 colons because otherwise some email clients will reflow them.
And also we want it all properly aligned as asked by Ted Ts'o.
So shorten "syzkaller repro" to "syz repro".
