Ubuntu
linux package

IMA policy parsing is broken in 4.13

Bug #1755804 reported by rppt on 2018-03-14

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	linux (Ubuntu)	Fix Released	Medium	Joseph Salisbury
	Artful	Fix Released	Medium	Joseph Salisbury

Bug Description

== SRU Justification ==
Artful has a bug in IMA policy parsing introduced by mailine commit 787d8c530af7.
This bug prevents setting IMA measurements and appraisal options per fsuuid.

This commit has been cc'd to upstream stable. However, it has not yet been applied
to Artful, since upstream 4.13 is EOL.

== Fix ==
36447456e1cc ("ima/policy: fix parsing of fsuuid")

== Regression Potential ==
Low. This patch has also been sent to upstream stable, so it has had additional upstream
review.

== Test Case ==
A test kernel was built with this patch and tested by the original bug reporter.
The bug reporter states the test kernel resolved the bug.

Linux kernel version 4.13 has a bug in IMA policy parsing that prevents setting IMA measurements and appraisal options per fsuuid.

The issue can be reproduced with simple ima_policy:

# fsuuid=$(blkid -s UUID -o value /dev/sda1)
# cat > ima_policy << EOF
dont_appraise fsuuid=$fsuuid
dont_measure fsuuid=$fsuuid
EOF
# cat ima_policy > /sys/kernel/security/ima/policy
cat: write error: Invalid argument
# dmesg | tail
[ 928.069606] audit: type=1805 audit(1521031959.907:18): action="dont_appraise" fsuuid="aef88a4e-dbea-4cc7-be8b-03cf8501cc8f" res=0
[ 928.069895] audit: type=1802 audit(1521031959.908:19): pid=1806 uid=0 auid=0 ses=1 op="update_policy" cause="invalid-policy" comm="cat" res=0
[ 928.070829] IMA: policy update failed
[ 928.070860] audit: type=1802 audit(1521031959.909:20): pid=1806 uid=0 auid=0 ses=1 op="policy_update" cause="failed" comm="cat" res=0

The same policy can be successfully loaded on v4.10:

(v4.10) # dmesg | tail
[ 54.071383] IMA: policy update completed
[ 54.071484] kauditd_printk_skb: 1 callbacks suppressed
[ 54.071487] audit: type=1805 audit(1521030962.958:15): action="dont_appraise" fsuuid="aef88a4e-dbea-4cc7-be8b-03cf8501cc8f" res=1
[ 54.071491] audit: type=1805 audit(1521030962.958:16): action="dont_measure" fsuuid="aef88a4e-dbea-4cc7-be8b-03cf8501cc8f" res=1
[ 54.071493] audit: type=1802 audit(1521030962.958:17): pid=1793 uid=0 auid=0 ses=1 op="policy_update" cause="completed" comm="cat" res=1

The bug is fixed in the mainline kernel:

[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/security/integrity/ima/ima_policy.c?id=36447456e1cca853188505f2a964dbbeacfc7a7a
---
AlsaDevices:
total 0
crw-rw---- 1 root audio 116, 1 Mar 14 12:37 seq
crw-rw---- 1 root audio 116, 33 Mar 14 12:37 timer
AplayDevices: Error: [Errno 2] No such file or directory
ApportVersion: 2.20.1-0ubuntu2.15
Architecture: amd64
ArecordDevices: Error: [Errno 2] No such file or directory
AudioDevicesInUse: Error: command ['fuser', '-v', '/dev/snd/seq', '/dev/snd/timer'] failed with exit code 1:
DistroRelease: Ubuntu 16.04
IwConfig: Error: [Errno 2] No such file or directory
Lsusb: Error: command ['lsusb'] failed with exit code 1:
MachineType: QEMU Standard PC (i440FX + PIIX, 1996)
Package: linux (not installed)
PciMultimedia:

ProcFB:

ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-4.13.0-36-generic root=UUID=aef88a4e-dbea-4cc7-be8b-03cf8501cc8f ro console=tty1 console=ttyS0 crashkernel=384M-2G:128M,2G-:256M
ProcVersionSignature: Ubuntu 4.13.0-36.40~16.04.1-generic 4.13.13
RelatedPackageVersions:
linux-restricted-modules-4.13.0-36-generic N/A
linux-backports-modules-4.13.0-36-generic N/A
linux-firmware 1.157.17
RfKill: Error: [Errno 2] No such file or directory
Tags: xenial uec-images
Uname: Linux 4.13.0-36-generic x86_64
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups: pkcs11
_MarkForUpload: True
dmi.bios.date: 04/01/2014
dmi.bios.vendor: SeaBIOS
dmi.bios.version: Ubuntu-1.8.2-1ubuntu1
dmi.chassis.type: 1
dmi.chassis.vendor: QEMU
dmi.chassis.version: pc-i440fx-xenial
dmi.modalias: dmi:bvnSeaBIOS:bvrUbuntu-1.8.2-1ubuntu1:bd04/01/2014:svnQEMU:pnStandardPC(i440FX+PIIX,1996):pvrpc-i440fx-xenial:cvnQEMU:ct1:cvrpc-i440fx-xenial:
dmi.product.name: Standard PC (i440FX + PIIX, 1996)
dmi.product.version: pc-i440fx-xenial
dmi.sys.vendor: QEMU

See original description

Tags:

CVE References

rppt (mike-rapoport) on 2018-03-14

description:

updated

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote on 2018-03-14: Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 1755804

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status:	New → Incomplete

Revision history for this message

rppt (mike-rapoport) wrote on 2018-03-14: CRDA.txt

CRDA.txt Edit (420 bytes, text/plain)

apport information

tags:	added: apport-collected uec-images xenial
description:	updated

Revision history for this message

rppt (mike-rapoport) wrote on 2018-03-14: CurrentDmesg.txt

CurrentDmesg.txt Edit (34.5 KiB, text/plain)

apport information

Revision history for this message

rppt (mike-rapoport) wrote on 2018-03-14: JournalErrors.txt

JournalErrors.txt Edit (2.5 KiB, text/plain)

apport information

Revision history for this message

rppt (mike-rapoport) wrote on 2018-03-14: Lspci.txt

Lspci.txt Edit (3.1 KiB, text/plain)

apport information

Revision history for this message

rppt (mike-rapoport) wrote on 2018-03-14: ProcCpuinfo.txt

ProcCpuinfo.txt Edit (6.9 KiB, text/plain)

apport information

Revision history for this message

rppt (mike-rapoport) wrote on 2018-03-14: ProcCpuinfoMinimal.txt

ProcCpuinfoMinimal.txt Edit (879 bytes, text/plain)

apport information

Revision history for this message

rppt (mike-rapoport) wrote on 2018-03-14: ProcEnviron.txt

ProcEnviron.txt Edit (310 bytes, text/plain)

apport information

Revision history for this message

rppt (mike-rapoport) wrote on 2018-03-14: ProcInterrupts.txt

ProcInterrupts.txt Edit (3.7 KiB, text/plain)

apport information

Revision history for this message

rppt (mike-rapoport) wrote on 2018-03-14: ProcModules.txt

#10

ProcModules.txt Edit (2.6 KiB, text/plain)

apport information

Revision history for this message

rppt (mike-rapoport) wrote on 2018-03-14: UdevDb.txt

#11

UdevDb.txt Edit (77.2 KiB, text/plain)

apport information

Revision history for this message

rppt (mike-rapoport) wrote on 2018-03-14: WifiSyslog.txt

#12

WifiSyslog.txt Edit (43.1 KiB, text/plain)

apport information

rppt (mike-rapoport) on 2018-03-14

description:

updated

Joseph Salisbury (jsalisbury) on 2018-03-14

Changed in linux (Ubuntu Artful):
status:	New → Triaged
Changed in linux (Ubuntu):
status:	Incomplete → Triaged
importance:	Undecided → Medium
Changed in linux (Ubuntu Artful):
importance:	Undecided → Medium

Joseph Salisbury (jsalisbury) on 2018-03-14

Changed in linux (Ubuntu Artful):
status:	Triaged → In Progress
Changed in linux (Ubuntu):
status:	Triaged → In Progress
assignee:	nobody → Joseph Salisbury (jsalisbury)
Changed in linux (Ubuntu Artful):
assignee:	nobody → Joseph Salisbury (jsalisbury)

Revision history for this message

Joseph Salisbury (jsalisbury) wrote on 2018-03-14:

#13

I built a test kernel with commit 36447456e1cca853188505f2a964dbbeacfc7a7a. The test kernel can be downloaded from:
http://kernel.ubuntu.com/~jsalisbury/lp1755804

Can you test this kernel and see if it resolves this bug?

Note, to test this kernel, you need to install both the linux-image and linux-image-extra .deb packages.

Thanks in advance!

Revision history for this message

rppt (mike-rapoport) wrote on 2018-03-15:

#14

Yes, this kernel works as expected, thanks.

I presume that despite this being marked as Artful the fix will get into Xenail hwe releases. Is this correct?

Revision history for this message

Joseph Salisbury (jsalisbury) wrote on 2018-03-15:

#15

Yes, that is correct. Any commits applied to the Artful kernel will also get applied to the 4.13 based HWE kernel.

Revision history for this message

Joseph Salisbury (jsalisbury) wrote on 2018-03-15:

#16

SRU request submitted:
https://lists.ubuntu.com/archives/kernel-team/2018-March/090843.html

description:

updated

Stefan Bader (smb) on 2018-03-28

Changed in linux (Ubuntu Artful):
status:	In Progress → Fix Committed

Revision history for this message

Brad Figg (brad-figg) wrote on 2018-04-10:

#17

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-artful' to 'verification-done-artful'. If the problem still exists, change the tag 'verification-needed-artful' to 'verification-failed-artful'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: verification-needed-artful

rppt (mike-rapoport) on 2018-04-10

tags:

added: verification-done-artful
removed: verification-needed-artful

Revision history for this message

Launchpad Janitor (janitor) wrote on 2018-04-23:

#18

Download full text (5.6 KiB)

This bug was fixed in the package linux - 4.13.0-39.44

---------------
linux (4.13.0-39.44) artful; urgency=medium

* linux: 4.13.0-39.44 -proposed tracker (LP: #1761456)

  * intel-microcode 3.20180312.0 causes lockup at login screen(w/ linux-
    image-4.13.0-37-generic) (LP: #1759920) // CVE-2017-5715 (Spectre v2
    Intel) // CVE-2017-5754
    - x86/mm: Reinitialize TLB state on hotplug and resume

  * intel-microcode 3.20180312.0 causes lockup at login screen(w/ linux-
    image-4.13.0-37-generic) (LP: #1759920) // CVE-2017-5715 (Spectre v2 Intel)
    - Revert "x86/mm: Only set IBPB when the new thread cannot ptrace current
      thread"
    - x86/speculation: Use Indirect Branch Prediction Barrier in context switch

  * DKMS driver builds fail with: Cannot use CONFIG_STACK_VALIDATION=y, please
    install libelf-dev, libelf-devel or elfutils-libelf-devel (LP: #1760876)
    - [Packaging] include the retpoline extractor in the headers

  * retpoline hints: primary infrastructure and initial hints (LP: #1758856)
    - [Packaging] retpoline-extract: flag *0xNNN(%reg) branches
    - x86/speculation, objtool: Annotate indirect calls/jumps for objtool
    - x86/speculation, objtool: Annotate indirect calls/jumps for objtool on 32bit
    - x86/paravirt, objtool: Annotate indirect calls
    - [Packaging] retpoline -- add safe usage hint support
    - [Packaging] retpoline-check -- only report additions
    - [Packaging] retpoline -- widen indirect call/jmp detection
    - [Packaging] retpoline -- elide %rip relative indirections
    - [Packaging] retpoline -- clear hint information from packages
    - KVM: x86: Make indirect calls in emulator speculation safe
    - KVM: VMX: Make indirect call speculation safe
    - x86/boot, objtool: Annotate indirect jump in secondary_startup_64()
    - SAUCE: early/late -- annotate indirect calls in early/late initialisation
      code
    - SAUCE: vga_set_mode -- avoid jump tables
    - [Config] retpoline -- switch to new format
    - [Packaging] retpoline hints -- handle missing files when RETPOLINE not
      enabled
    - [Packaging] final-checks -- remove check for empty retpoline files

* retpoline: ignore %cs:0xNNN constant indirections (LP: #1752655)
- [Packaging] retpoline -- elide %cs:0xNNNN constants on i386

* zfs system process hung on container stop/delete (LP: #1754584)
- SAUCE: Fix non-prefaulted page deadlock (LP: #1754584)

  * zfs-linux 0.6.5.11-1ubuntu5 ADT test failure with linux 4.15.0-1.2
    (LP: #1737761)
    - SAUCE: (noup) Update zfs to 0.6.5.11-1ubuntu3.2

  * AT_BASE_PLATFORM in AUXV is absent on kernels available on Ubuntu 17.10
    (LP: #1759312)
    - powerpc/64s: Fix NULL AT_BASE_PLATFORM when using DT CPU features

  * btrfs and tar sparse truncate archives (LP: #1757565)
    - Btrfs: move definition of the function btrfs_find_new_delalloc_bytes
    - Btrfs: fix reported number of inode blocks after buffered append writes

* efifb broken on ThunderX-based Gigabyte nodes (LP: #1758375)
- drivers/fbdev/efifb: Allow BAR to be moved instead of claiming it

  * Intel i40e PF reset due to incorrect MDD detection (continues...)
    (LP: #1723127)
    - i40e/i40ev...

This bug was fixed in the package linux - 4.13.0-39.44

---------------
linux (4.13.0-39.44) artful; urgency=medium

* linux: 4.13.0-39.44 -proposed tracker (LP: #1761456)

* retpoline: ignore %cs:0xNNN constant indirections (LP: #1752655)
    - [Packaging] retpoline -- elide %cs:0xNNNN constants on i386

* zfs system process hung on container stop/delete (LP: #1754584)
    - SAUCE: Fix non-prefaulted page deadlock (LP: #1754584)

* zfs-linux 0.6.5.11-1ubuntu5 ADT test failure with linux 4.15.0-1.2
    (LP: #1737761)
    - SAUCE: (noup) Update zfs to 0.6.5.11-1ubuntu3.2

* AT_BASE_PLATFORM in AUXV is absent on kernels available on Ubuntu 17.10
    (LP: #1759312)
    - powerpc/64s: Fix NULL AT_BASE_PLATFORM when using DT CPU features

* efifb broken on ThunderX-based Gigabyte nodes (LP: #1758375)
    - drivers/fbdev/efifb: Allow BAR to be moved instead of claiming it

* Intel i40e PF reset due to incorrect MDD detection (continues...)
    (LP: #1723127)
    - i40e/i40evf: Account for frags split over multiple descriptors in check
      linearize

* Fix an issue that when system in S3, USB keyboard can't wake up the system.
    (LP: #1759511)
    - ACPI / PM: Allow deeper wakeup power states with no _SxD nor _SxW

* [8086:3e92] display becomes blank after S3 (LP: #1759188)
    - drm/i915: Apply Display WA #1183 on skl, kbl, and cfl

* add audio kernel patches for Raven (LP: #1758364)
    - ALSA: hda: Add Raven PCI ID
    - ALSA: hda/realtek - Fix ALC700 family no sound issue

* Cpu utilization showing system time for kvm guests (performance) (sysstat)
    (LP: #1755979)
    - KVM: PPC: Book3S HV: Fix guest time accounting with VIRT_CPU_ACCOUNTING_GEN

* Kernel panic on a nfsroot system (LP: #1734327)
    - Revert "UBUNTU: SAUCE: LSM stacking: add stacking support to apparmor
      network hooks"
    - Revert "UBUNTU: SAUCE: LSM stacking: LSM: Infrastructure management of the
      remaining blobs"

* can't record sound via front headset port on the Dell Precision 3630
    (LP: #1759088)
    - ALSA: hda/realtek - Fix Dell headset Mic can't record

* speaker can't output sound anymore after system resumes from S3 on a lenovo
    machine with alc257 (LP: #1758829)
    - ALSA: hda/realtek - Fix speaker no sound after system resume

* hda driver initialization takes too much time on the machine with coffeelake
    audio controller [8086:a348] (LP: #1758800)
    - ALSA: hda - Force polling mode on CFL for fixing codec communication

* Let headset-mode initialization be called on Dell Precision 3930
    (LP: #1757584)
    - ALSA: hda/realtek - Add headset mode support for Dell laptop

* ubuntu_zram_smoke test will cause soft lockup on Artful ThunderX ARM64
    (LP: #1755073)
    - SAUCE: crypto: thunderx_zip: Fix fallout from CONFIG_VMAP_STACK

* [Hyper-V] include kvp fix for Avoid reading past allocated blocks from KVP
    file (LP: #1750349)
    - hv: kvp: Avoid reading past allocated blocks from KVP file

* IMA policy parsing is broken in 4.13 (LP: #1755804)
    - ima/policy: fix parsing of fsuuid

* external mic not work on Dell OptiPlex 7460 AIO (LP: #1755954)
    - ALSA: hda/realtek - Add headset mode support for Dell laptop

* sbsa watchdog crashes thunderx2 system (LP: #1755595)
    - watchdog: sbsa: use 32-bit read for WCV

* CVE-2018-8043
    - net: phy: mdio-bcm-unimac: fix potential NULL dereference in
      unimac_mdio_probe()

-- Stefan Bader <stefan.bader@canonical.com>  Thu, 05 Apr 2018 14:47:00 +0200

Changed in linux (Ubuntu Artful):
status:	Fix Committed → Fix Released

Joseph Salisbury (jsalisbury) on 2019-01-23

Changed in linux (Ubuntu):
status:	In Progress → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntulinux package

IMA policy parsing is broken in 4.13

Bug Description

CVE References

Other bug subscribers

Bug attachments

Remote bug watches

Ubuntu
linux package