CachyOS Kernel is missing explicit Init config - conflict with Tomoyo LSM

Greetings,

Two issues:

The CachyOS Kernel is missing an explicit call to “/sbin/init” in its config:

zgrep DEFAULT_INIT /proc/config.gz
CONFIG_DEFAULT_INIT=""

This causes a bug with the Tomoyo LSM of the Kernel, since the Tomoyo LSM treats actions taken by the domain “ /sbin/init” as being started directly by “” instead, which messes up the domain call order of that security implementation.

Explicitly specifying “init=/sbin/init” in the bootloader does not seem to fix this.

Actual possible fix:
Simply define “/sbin/init” explicitly as the CONFIG_DEFAULT_INIT init binary in the kernel configuration of future kernel versions.

Second related bug:
Tomoyo has its startup process trigger set as “/usr/lib/systemd/systemd” instead of “/sbin/init”. While “/sbin/init” is a symlink to “/usr/lib/systemd/systemd”, Tomoyo needs the actual entry in the process list to match, else it starts later than it should - namely when /sbin/init calls itself on later execution via “/usr/lib/systemd/systemd”.

zgrep TOMOYO_ACTIVATION /proc/config.gz
CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER="/usr/lib/systemd/systemd"

Fix:
Set this kernel config value to “/sbin/init” instead.

That should resolve all Tomoyo-related problems with the current Kernel(s). :slight_smile:
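
The two checks from the post above, as an added example that is not part of the original thread and not CachyOS or Arch code. The function names `cfg_value` and `check_tomoyo_init` are hypothetical, the sample config is constructed from the two values quoted in the post, and the expected value `/sbin/init` is the poster's proposed setting:

```shell
#!/bin/sh
# Added example: audit the two kernel config values discussed in the post.

# Print the quoted string value of config key $1 from config file $2.
cfg_value() {
    sed -n "s/^$1=\"\(.*\)\"\$/\1/p" "$2" | head -n 1
}

# check_tomoyo_init CONFIG_FILE [INIT_PATH]
# Prints one line per finding; the return status is the number of findings.
check_tomoyo_init() {
    cfg=$1 init=${2:-/sbin/init} findings=0
    default_init=$(cfg_value CONFIG_DEFAULT_INIT "$cfg")
    trigger=$(cfg_value CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER "$cfg")
    # Where the init path points on this machine (empty if it does not exist).
    resolved=$(readlink -f "$init" 2>/dev/null || true)

    if [ -z "$default_init" ]; then
        echo "FINDING: CONFIG_DEFAULT_INIT is empty, expected $init"
        findings=$((findings + 1))
    fi
    if [ "$trigger" != "$init" ]; then
        note=""
        # Same binary via symlink is still a mismatch on the pathname.
        [ -n "$resolved" ] && [ "$trigger" = "$resolved" ] &&
            note=" (symlink target of $init, but not the same pathname)"
        echo "FINDING: activation trigger is '$trigger', expected $init$note"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample input mirroring the values quoted in the post.
sample=$(mktemp)
cat > "$sample" <<'EOF'
CONFIG_DEFAULT_INIT=""
CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER="/usr/lib/systemd/systemd"
EOF
check_tomoyo_init "$sample" || echo "findings: $?"
rm -f "$sample"
```

On a running system the input file can be produced with `zcat /proc/config.gz > kernel.config`.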

Hi,

We are actually following the Arch Linux kernel config and would also like to keep it that way.
Is Tomoyo really a thing that is still much used?

But I would suggest you create an issue at the Arch Linux GitHub tracker if this cannot be worked around with other settings or variables.

Alright :slight_smile: I will report this directly to the Arch maintainers then.

And Tomoyo IMO is the best replacement for GRSecurity’s RBAC model. They just fail at advertising themselves :wink:

Thank you for the quick reply!

Checking the Arch Linux wiki, they write that these are supported by default, but it seems they are not:
https://wiki.archlinux.org/title/TOMOYO_Linux#Installation_2

Oh, Tomoyo is in the kernel, and it works, but its domain hierarchy is faulty. It’s not noticeable unless you do a whole system ruleset.

Anyways, going to see what they say over there, tomorrow :slight_smile:

P.S. Good work on Cachy!


Sounds good. Feel free to provide us the link here, from the Arch bug tracker.

and thanks!

Greetings, and sorry for the delay!
Here’s the link: Kernel Init setting conflicts with Tomoyo LSM logic (#59) · Issues · Arch Linux / Packaging / Packages / linux · GitLab
