authorAndrey Konovalov <andreyknvl@gmail.com>2024-07-22 23:01:45 +0200
committerDmitry Vyukov <dvyukov@google.com>2024-07-23 10:43:03 +0000
commit44cd723acfeeb472c42cc2fa6d1279ec4406d07d (patch)
treead9304bdaf34e9c78173b881e85325b9464d7803 /dashboard/config
parent1ede261d340d1b94872fcd490338915478483003 (diff)
dashboard/config: drop security modules bits from usb instance
CONFIG_SECURITY_TOMOYO produces a large amount of coverage entries for each ioctl call. For normal instances, this might not be a problem, as they call only a single ioctl for each syzkaller syscall. However, the syz_usb_connect pseudo-syscall calls a large number of ioctls. As a result, the KCOV coverage buffer for this syscall might overflow due to the tomoyo-produced entries. For example, with tomoyo, the first syscall of the vusb_ath9k runtest produces ~140k KCOV entries (with [1] applied), which is not far from the current 256k limit of KCOV entries per syscall. With tomoyo disabled, the number of entries falls to ~30k. Drop the security modules–related bits from the USB instance: I don't think they are useful for that instance anyway. [1] https://lore.kernel.org/all/eaf54b8634970b73552dcd38bf9be6ef55238c10.1718092070.git.dvyukov@google.com/
Diffstat (limited to 'dashboard/config')
-rw-r--r--dashboard/config/linux/main.yml2
-rw-r--r--dashboard/config/linux/upstream-usb.config119
2 files changed, 26 insertions, 95 deletions
diff --git a/dashboard/config/linux/main.yml b/dashboard/config/linux/main.yml
index 04b4901da..553fb3214 100644
--- a/dashboard/config/linux/main.yml
+++ b/dashboard/config/linux/main.yml
@@ -11,7 +11,7 @@ instances:
- upstream-kmsan-next: [linux-next, timeouts_native, x86_64, clang, lsm, smack, nonoise, kmsan]
- upstream-kcsan: [upstream, timeouts_native, x86_64, clang, onlynet, nonoise, kcsan]
- upstream-leak: [upstream, timeouts_native, x86_64, gcc, bpfjit, lsm, apparmor, nonoise, kmemleak]
- - upstream-usb: [upstream, timeouts_native, x86_64, gcc, lsm, apparmor, onlyusb, kasan]
+ - upstream-usb: [upstream, timeouts_native, x86_64, gcc, onlyusb, kasan]
- upstream-arm64-kasan: [upstream, arm64, arm64_emu, timeouts_emu, clang, lsm, selinux, reduced, kasan, nokcov]
- upstream-arm64-kasan_sw-kcov: [linux-next, arm64, arm64_emu, timeouts_emu, clang, lsm, selinux, reduced, kasan_sw]
- upstream-arm64-mte: [upstream, arm64, arm64_emu, timeouts_emu, clang, bpfjit, lsm, smack, nonoise, reduced, kfence, mte, nokcov]
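Review bot: Dropping `lsm, apparmor` from the `upstream-usb` feature list does not leave this instance without a security module. In the upstream-usb.config hunk at -7749 the result is `CONFIG_SECURITY_SELINUX=y` and `CONFIG_DEFAULT_SECURITY_SELINUX=y`, with `CONFIG_SECURITY=y` and `CONFIG_SECURITY_NETWORK=y` still set. This looks like the Kconfig default taking over once no feature selects an LSM, so SELinux hooks would presumably still be compiled into the ioctl path, although probably with far fewer KCOV entries than tomoyo. If the intent is no LSM at all on the USB instance, pin it explicitly for this instance, e.g. `# CONFIG_SECURITY_SELINUX is not set`, rather than relying on the default. The same config change also turns off module signature checking, IMA/EVM, lockdown, yama and landlock, so it is worth a sentence in the commit message confirming that losing fuzzing coverage of those on this instance is intended.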
diff --git a/dashboard/config/linux/upstream-usb.config b/dashboard/config/linux/upstream-usb.config
index 7ea9881b5..d6b4e7ffe 100644
--- a/dashboard/config/linux/upstream-usb.config
+++ b/dashboard/config/linux/upstream-usb.config
@@ -849,7 +849,6 @@ CONFIG_FUNCTION_ALIGNMENT=16
# end of General architecture-dependent options
CONFIG_RT_MUTEXES=y
-CONFIG_MODULE_SIG_FORMAT=y
CONFIG_MODULES=y
# CONFIG_MODULE_DEBUG is not set
# CONFIG_MODULE_FORCE_LOAD is not set
@@ -858,17 +857,7 @@ CONFIG_MODULE_FORCE_UNLOAD=y
# CONFIG_MODULE_UNLOAD_TAINT_TRACKING is not set
# CONFIG_MODVERSIONS is not set
# CONFIG_MODULE_SRCVERSION_ALL is not set
-CONFIG_MODULE_SIG=y
-# CONFIG_MODULE_SIG_FORCE is not set
-# CONFIG_MODULE_SIG_ALL is not set
-CONFIG_MODULE_SIG_SHA1=y
-# CONFIG_MODULE_SIG_SHA256 is not set
-# CONFIG_MODULE_SIG_SHA384 is not set
-# CONFIG_MODULE_SIG_SHA512 is not set
-# CONFIG_MODULE_SIG_SHA3_256 is not set
-# CONFIG_MODULE_SIG_SHA3_384 is not set
-# CONFIG_MODULE_SIG_SHA3_512 is not set
-CONFIG_MODULE_SIG_HASH="sha1"
+# CONFIG_MODULE_SIG is not set
CONFIG_MODULE_COMPRESS_NONE=y
# CONFIG_MODULE_COMPRESS_GZIP is not set
# CONFIG_MODULE_COMPRESS_XZ is not set
@@ -3109,24 +3098,7 @@ CONFIG_NVRAM=y
CONFIG_HPET=y
# CONFIG_HPET_MMAP is not set
# CONFIG_HANGCHECK_TIMER is not set
-CONFIG_TCG_TPM=y
-# CONFIG_TCG_TPM2_HMAC is not set
-# CONFIG_HW_RANDOM_TPM is not set
-CONFIG_TCG_TIS_CORE=y
-CONFIG_TCG_TIS=y
-# CONFIG_TCG_TIS_SPI is not set
-# CONFIG_TCG_TIS_I2C is not set
-# CONFIG_TCG_TIS_I2C_CR50 is not set
-# CONFIG_TCG_TIS_I2C_ATMEL is not set
-# CONFIG_TCG_TIS_I2C_INFINEON is not set
-# CONFIG_TCG_TIS_I2C_NUVOTON is not set
-# CONFIG_TCG_NSC is not set
-# CONFIG_TCG_ATMEL is not set
-# CONFIG_TCG_INFINEON is not set
-CONFIG_TCG_CRB=y
-# CONFIG_TCG_VTPM_PROXY is not set
-# CONFIG_TCG_TIS_ST33ZP24_I2C is not set
-# CONFIG_TCG_TIS_ST33ZP24_SPI is not set
+# CONFIG_TCG_TPM is not set
# CONFIG_TELCLOCK is not set
# CONFIG_XILLYBUS is not set
# CONFIG_XILLYUSB is not set
@@ -7749,79 +7721,42 @@ CONFIG_KEYS=y
# CONFIG_KEYS_REQUEST_CACHE is not set
# CONFIG_PERSISTENT_KEYRINGS is not set
# CONFIG_TRUSTED_KEYS is not set
-CONFIG_ENCRYPTED_KEYS=y
-# CONFIG_USER_DECRYPTED_DATA is not set
+# CONFIG_ENCRYPTED_KEYS is not set
# CONFIG_KEY_DH_OPERATIONS is not set
# CONFIG_SECURITY_DMESG_RESTRICT is not set
CONFIG_SECURITY=y
CONFIG_SECURITYFS=y
CONFIG_SECURITY_NETWORK=y
-CONFIG_SECURITY_NETWORK_XFRM=y
-CONFIG_SECURITY_PATH=y
+# CONFIG_SECURITY_NETWORK_XFRM is not set
+# CONFIG_SECURITY_PATH is not set
# CONFIG_INTEL_TXT is not set
+CONFIG_LSM_MMAP_MIN_ADDR=65536
CONFIG_HARDENED_USERCOPY=y
CONFIG_FORTIFY_SOURCE=y
# CONFIG_STATIC_USERMODEHELPER is not set
-# CONFIG_SECURITY_SELINUX is not set
+CONFIG_SECURITY_SELINUX=y
+CONFIG_SECURITY_SELINUX_BOOTPARAM=y
+CONFIG_SECURITY_SELINUX_DEVELOP=y
+CONFIG_SECURITY_SELINUX_AVC_STATS=y
+CONFIG_SECURITY_SELINUX_SIDTAB_HASH_BITS=9
+CONFIG_SECURITY_SELINUX_SID2STR_CACHE_SIZE=256
+# CONFIG_SECURITY_SELINUX_DEBUG is not set
# CONFIG_SECURITY_SMACK is not set
-CONFIG_SECURITY_TOMOYO=y
-CONFIG_SECURITY_TOMOYO_MAX_ACCEPT_ENTRY=64
-CONFIG_SECURITY_TOMOYO_MAX_AUDIT_LOG=32
-CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER=y
-CONFIG_SECURITY_TOMOYO_INSECURE_BUILTIN_SETTING=y
-CONFIG_SECURITY_APPARMOR=y
-CONFIG_SECURITY_APPARMOR_DEBUG=y
-CONFIG_SECURITY_APPARMOR_DEBUG_ASSERTS=y
-# CONFIG_SECURITY_APPARMOR_DEBUG_MESSAGES is not set
-CONFIG_SECURITY_APPARMOR_INTROSPECT_POLICY=y
-CONFIG_SECURITY_APPARMOR_HASH=y
-CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y
-# CONFIG_SECURITY_APPARMOR_EXPORT_BINARY is not set
-# CONFIG_SECURITY_APPARMOR_PARANOID_LOAD is not set
+# CONFIG_SECURITY_TOMOYO is not set
+# CONFIG_SECURITY_APPARMOR is not set
# CONFIG_SECURITY_LOADPIN is not set
-CONFIG_SECURITY_YAMA=y
-CONFIG_SECURITY_SAFESETID=y
-CONFIG_SECURITY_LOCKDOWN_LSM=y
-CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
-CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
-# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set
-# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
-CONFIG_SECURITY_LANDLOCK=y
+# CONFIG_SECURITY_YAMA is not set
+# CONFIG_SECURITY_SAFESETID is not set
+# CONFIG_SECURITY_LOCKDOWN_LSM is not set
+# CONFIG_SECURITY_LANDLOCK is not set
CONFIG_INTEGRITY=y
-CONFIG_INTEGRITY_SIGNATURE=y
-CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
-CONFIG_INTEGRITY_TRUSTED_KEYRING=y
+# CONFIG_INTEGRITY_SIGNATURE is not set
CONFIG_INTEGRITY_AUDIT=y
-CONFIG_IMA=y
-CONFIG_IMA_MEASURE_PCR_IDX=10
-CONFIG_IMA_LSM_RULES=y
-CONFIG_IMA_NG_TEMPLATE=y
-# CONFIG_IMA_SIG_TEMPLATE is not set
-CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
-# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
-CONFIG_IMA_DEFAULT_HASH_SHA256=y
-# CONFIG_IMA_DEFAULT_HASH_SHA512 is not set
-CONFIG_IMA_DEFAULT_HASH="sha256"
-CONFIG_IMA_WRITE_POLICY=y
-CONFIG_IMA_READ_POLICY=y
-CONFIG_IMA_APPRAISE=y
-# CONFIG_IMA_ARCH_POLICY is not set
-# CONFIG_IMA_APPRAISE_BUILD_POLICY is not set
-# CONFIG_IMA_APPRAISE_BOOTPARAM is not set
-CONFIG_IMA_APPRAISE_MODSIG=y
-# CONFIG_IMA_BLACKLIST_KEYRING is not set
-# CONFIG_IMA_LOAD_X509 is not set
-CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y
-CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y
-# CONFIG_IMA_DISABLE_HTABLE is not set
-CONFIG_EVM=y
-CONFIG_EVM_ATTR_FSUUID=y
-CONFIG_EVM_ADD_XATTRS=y
-# CONFIG_EVM_LOAD_X509 is not set
-# CONFIG_DEFAULT_SECURITY_TOMOYO is not set
-CONFIG_DEFAULT_SECURITY_APPARMOR=y
+# CONFIG_IMA is not set
+# CONFIG_EVM is not set
+CONFIG_DEFAULT_SECURITY_SELINUX=y
# CONFIG_DEFAULT_SECURITY_DAC is not set
-CONFIG_LSM="landlock,lockdown,yama,safesetid,integrity,tomoyo,apparmor,bpf"
+CONFIG_LSM="landlock,lockdown,yama,loadpin,safesetid,selinux,smack,tomoyo,apparmor,bpf"
#
# Kernel hardening options
@@ -7960,7 +7895,7 @@ CONFIG_CRYPTO_MD5=y
# CONFIG_CRYPTO_MICHAEL_MIC is not set
# CONFIG_CRYPTO_POLY1305 is not set
# CONFIG_CRYPTO_RMD160 is not set
-CONFIG_CRYPTO_SHA1=y
+# CONFIG_CRYPTO_SHA1 is not set
CONFIG_CRYPTO_SHA256=y
CONFIG_CRYPTO_SHA512=y
CONFIG_CRYPTO_SHA3=y
@@ -8090,9 +8025,6 @@ CONFIG_PKCS7_MESSAGE_PARSER=y
#
# Certificates for signature checking
#
-CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
-CONFIG_MODULE_SIG_KEY_TYPE_RSA=y
-# CONFIG_MODULE_SIG_KEY_TYPE_ECDSA is not set
CONFIG_SYSTEM_TRUSTED_KEYRING=y
CONFIG_SYSTEM_TRUSTED_KEYS=""
# CONFIG_SYSTEM_EXTRA_CERTIFICATE is not set
@@ -8209,7 +8141,6 @@ CONFIG_NLATTR=y
CONFIG_CLZ_TAB=y
# CONFIG_IRQ_POLL is not set
CONFIG_MPILIB=y
-CONFIG_SIGNATURE=y
CONFIG_DIMLIB=y
CONFIG_LIBFDT=y
CONFIG_OID_REGISTRY=y