Various failures of kernel_security suite on Xenial kernel on s390x arch

Hi Brad,

I've addressed most of the issues with commit 2464 to the qa-regression-testing tree. However, there are a few remaining failures that are legit issues with the kernel on 390x. They are:

FAIL: test_074_config_security_default_mmap_min_addr (__main__.KernelSecurityTest)
CONFIG_DEFAULT_MMAP_MIN_ADDR

CONFIG_DEFAULT_MMAP_MIN_ADDR is set to 4096 on s390x, not 65536 like on other arches.

FAIL: test_075_config_stack_protector (__main__.KernelSecurityTest)
CONFIG_CC_STACKPROTECTOR set
FAIL: test_082_stack_guard_kernel (__main__.KernelSecurityTest)
Kernel stack guard

CONFIG_CC_STACKPROTECTOR is not set for s390x, unlike for our other arches. As far as I can tell, gcc and the kernel support the option on s390x (but if not, then I'll adjust our tests).

I'm also seeing the module tainting test test_140_kernel_modules_not_tainted failing on s390x. Checking the contents of /proc/modules, it looks like all the modules on the s390x kernel (4.4.0-2.16-generic) aren't being signed (i.e. have an (E) listed for them). I'm not sure why this is, if it indicates an issue with the kernel build process on s390x.

Thanks.

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 1531327

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

I've investigated into the CONFIG_CC_STACKPROTECTOR issue on s390x and it looks like the kernel doesn't support enabling it for that architecture. I've adjusted the qrt tests to take this into account.

I submitted https://lists.ubuntu.com/archives/kernel-team/2016-February/072325.html to address the MMAP_MIN_ADDR inconsistency.

This bug was fixed in the package linux - 4.4.0-9.24

---------------
linux (4.4.0-9.24) xenial; urgency=low

  [ Tim Gardner ]

  * Release Tracking Bug
    - LP: #1551319

  * AppArmor logs denial for when the device path is ENOENT (LP: #1482943)
    - SAUCE: apparmor: fix log of apparmor audit message when kern_path() fails

  * BUG: unable to handle kernel NULL pointer dereference (aa_label_merge) (LP:
    #1448912)
    - SAUCE: apparmor: Fix: insert race between label_update and label_merge
    - SAUCE: apparmor: Fix: ensure aa_get_newest will trip debugging if the
      replacedby is not setup
    - SAUCE: apparmor: Fix: label merge handling of marking unconfined and stale
    - SAUCE: apparmor: Fix: refcount race between locating in labelset and get
    - SAUCE: apparmor: Fix: ensure new labels resulting from merge have a
      replacedby
    - SAUCE: apparmor: Fix: label_vec_merge insertion
    - SAUCE: apparmor: Fix: deadlock in aa_put_label() call chain
    - SAUCE: apparmor: Fix: add required locking of __aa_update_replacedby on
      merge path
    - SAUCE: apparmor: Fix: convert replacedby update to be protected by the
      labelset lock
    - SAUCE: apparmor: Fix: update replacedby allocation to take a gfp parameter

  * apparmor kernel BUG kills firefox (LP: #1430546)
    - SAUCE: apparmor: Disallow update of cred when then subjective != the
      objective cred
    - SAUCE: apparmor: rework retrieval of the current label in the profile update
      case

  * sleep from invalid context in aa_move_mount (LP: #1539349)
    - SAUCE: apparmor: fix sleep from invalid context

  * s390x: correct restore of high gprs on signal return (LP: #1550468)
    - s390/compat: correct restore of high gprs on signal return

  * missing SMAP support (LP: #1550517)
    - x86/entry/compat: Add missing CLAC to entry_INT80_32

  * Floating-point exception handler receives empty Data-Exception Code in
    Floating Point Control register (LP: #1548414)
    - s390/fpu: signals vs. floating point control register

  * kvm fails to boot GNU Hurd kernels with 4.4 Xenial kernel (LP: #1550596)
    - KVM: x86: fix conversion of addresses to linear in 32-bit protected mode

  * Surelock GA2 SP1: capiredp01: cxl_init_adapter fails for CAPI devices
    0000:01:00.0 and 0005:01:00.0 after upgrading to 840.10 Platform firmware
    build fips840/b1208b_1604.840 (LP: #1532914)
    - cxl: Fix PSL timebase synchronization detection

  * [Feature]EDAC support for Knights Landing (LP: #1519631)
    - EDAC, sb_edac: Set fixed DIMM width on Xeon Knights Landing

  * Various failures of kernel_security suite on Xenial kernel on s390x arch
    (LP: #1531327)
    - [config] s390x -- CONFIG_DEFAULT_MMAP_MIN_ADDR=65536

  * Unable to install VirtualBox Guest Service in 15.04 (LP: #1434579)
    - [Config] Provides: virtualbox-guest-modules when appropriate

  * linux is missing provides for virtualbox-guest-modules [i386 amd64 x32] (LP:
    #1507588)
    - [Config] Provides: virtualbox-guest-modules when appropriate

  * Backport more recent driver for SKL, KBL and BXT graphics (LP: #1540390)
    - SAUCE: i915_bpo: Provide a backport driver for SKL, KBL & BXT graphics
    - SA...