On Tue, Oct 31, 2017 at 2:44 PM, Daniel Jurgens <danielj@xxxxxxxxxxxx> wrote:
> On 10/31/2017 2:23 PM, Jason Gunthorpe wrote:
>> On Tue, Oct 31, 2017 at 12:22 PM, Daniel Jurgens <danielj@xxxxxxxxxxxx> wrote:
>>
>>> Sounds like the crash is resolved and now you're getting a denial
>>> from a security module. I looked in the code, it looks like
>> If Chris was hitting that crash it means his security module failed the
>> mad action, as that is the only way to trigger it.
>>
>>> AppArmor doesn't register any callbacks for the ib_* security hooks,
>>> and if no hook is registered it should return 0. Can you tell me
>>> more about your setup so I can create a reproducer? What OS are you
>>> using? Can you double check that SELinux isn't enabled (see output
>>> of sestatus).
>> Which suggests to me that AppArmor is not working properly with the
>> rdma selinux patches??
>
> It seems that way. I can't explain it looking at the code, I'm trying to reproduce it for debug.
>
> A point of clarification, the RDMA "SELinux" patches aren't SELinux specific. They interact with the LSM, a layer of abstraction between the security modules and the rest of the kernel. Zero or more security modules like SELinux or AppArmor can implement the security hooks. The default return value for the hook in question is 0 if no modules implement it. It doesn't look like AppArmor implements it.
>
>> Jason
>>
>

Hello All,

As a follow-up to this issue, I went ahead and installed v4.14-rc8 mainline from http://kernel.ubuntu.com/~kernel-ppa/mainline/v4.14-rc8/ to do some testing. I disabled apparmor via the cmdline (I added apparmor=0 security="") and this seems to have worked:

root@C6100-1-N4:~# cat /proc/cmdline
BOOT_IMAGE=/boot/vmlinuz-4.14.0-041400rc8-generic root=/dev/mapper/pve-root ro apparmor=0 security= quiet
root@C6100-1-N4:~# apparmor_status
apparmor module is loaded.
apparmor filesystem is not mounted.

However, I am still having the issue with the ib_post_send_mad error:

root@C6100-1-N4:~# uptime
 17:36:30 up 35 min, 1 user, load average: 0.13, 0.06, 0.01
root@C6100-1-N4:~# dmesg | grep "infiniband mthca0: ib_post_send_mad error" | wc -l
848

I will admit that I have little knowledge of apparmor, but from the above, if "ib_post_send_mad error" is caused by apparmor as previously suggested, wouldn't disabling it resolve the issue?

Let me know if you have any other things you would like me to test.

Regards,
Chris Blake