test_310_config_security_perf_events_restrict / test_400_refcount_config in ubuntu_qrt_kernel_security failed on F-OEM-5.6

Bug #1879339 reported by Po-Hsu Lin
Affects                  Status        Importance  Assigned to  Milestone
QA Regression Testing    Fix Released  Undecided   Unassigned
ubuntu-kernel-tests      New           Undecided   Unassigned
linux-oem-5.6 (Ubuntu)   Confirmed     Undecided   Unassigned

Bug Description

  ======================================================================
  FAIL: test_310_config_security_perf_events_restrict (__main__.KernelSecurityConfigTest)
  Ensure CONFIG_SECURITY_PERF_EVENTS_RESTRICT is set
  ----------------------------------------------------------------------
  Traceback (most recent call last):
    File "./test-kernel-security.py", line 2704, in test_310_config_security_perf_events_restrict
      self.assertKernelConfig(config_name, expected)
    File "./test-kernel-security.py", line 214, in assertKernelConfig
      self.assertKernelConfigSet(name)
    File "./test-kernel-security.py", line 201, in assertKernelConfigSet
      '%s option was expected to be set in the kernel config' % name)
  AssertionError: SECURITY_PERF_EVENTS_RESTRICT option was expected to be set in the kernel config

  ======================================================================
  FAIL: test_400_refcount_config (__main__.KernelSecurityConfigTest)
  Ensure kernel refcount protections are enabled
  ----------------------------------------------------------------------
  Traceback (most recent call last):
    File "./test-kernel-security.py", line 2817, in test_400_refcount_config
      self.assertKernelConfig(config_name, expected)
    File "./test-kernel-security.py", line 214, in assertKernelConfig
      self.assertKernelConfigSet(name)
    File "./test-kernel-security.py", line 201, in assertKernelConfigSet
      '%s option was expected to be set in the kernel config' % name)
  AssertionError: ARCH_HAS_REFCOUNT option was expected to be set in the kernel config

ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: linux-image-5.6.0-1010-oem 5.6.0-1010.10
ProcVersionSignature: User Name 5.6.0-1010.10-oem 5.6.8
Uname: Linux 5.6.0-1010-oem x86_64
ApportVersion: 2.20.11-0ubuntu27
Architecture: amd64
CasperMD5CheckResult: skip
Date: Mon May 18 14:44:11 2020
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=C.UTF-8
 SHELL=/bin/bash
SourcePackage: linux-signed-oem-5.6
UpgradeStatus: No upgrade log present (probably fresh install)

Revision history for this message
Po-Hsu Lin (cypressyew) wrote :
tags: added: sru-20200427 ubuntu-qrt-kernel-security
Timo Aaltonen (tjaalton)
affects: linux-signed-oem-5.6 (Ubuntu) → linux-oem-5.6 (Ubuntu)
Revision history for this message
Steve Beattie (sbeattie) wrote :

For the test_310_config_security_perf_events_restrict -- missing SECURITY_PERF_EVENTS_RESTRICT option; it appears the linux-oem-5.6 kernel is missing the following Ubuntu SAUCE patch:

  commit 4e6246de75c468397327fa741b380c926020c81f
  Author: Ben Hutchings <email address hidden>
  Date: Tue Aug 16 10:27:00 2016 -0600

    UBUNTU: SAUCE: security,perf: Allow further restriction of perf_event_open

For the test_400_refcount_config test, the ARCH_HAS_REFCOUNT and REFCOUNT_FULL config options were removed upstream in the 5.5 kernel cycle. I'm working on a patch to qrt to address this.

Thanks.

Changed in qa-regression-testing:
status: New → Confirmed
Changed in linux-oem-5.6 (Ubuntu):
status: New → Confirmed
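The two failures above have different root causes: test_310 fails because the kernel really lacks an option (the SAUCE patch is not in linux-oem-5.6), while test_400 fails because the test's expectation was stale (the option no longer exists upstream from 5.5 on). A config check that wants to tell those cases apart has to gate its expectations on the kernel version. The following is an added example of such a check, written for this page and not taken from qa-regression-testing or the Ubuntu kernel; it parses a kernel .config in the same format as /boot/config-$(uname -r), expects CONFIG_SECURITY_PERF_EVENTS_RESTRICT on every release, and expects CONFIG_ARCH_HAS_REFCOUNT only on kernels older than 5.5. It assumes amd64 (where ARCH_HAS_REFCOUNT existed) and, when run as a script, reads the live config and the kernel.perf_event_paranoid sysctl, whose level 3 is what the SAUCE patch adds. The sample config fragments are constructed for illustration.

```python
"""Version-aware kernel config check (example code, not test-kernel-security.py)."""
import gzip
import os
import platform
import re
from typing import Dict, List, Optional, Tuple

# A kernel .config has three kinds of meaningful lines:
#   CONFIG_FOO=y / CONFIG_FOO=m / CONFIG_FOO="string" / CONFIG_FOO=123
#   # CONFIG_BAR is not set
# Everything else is a comment and is ignored.
_SET_RE = re.compile(r"^CONFIG_(\w+)=(.*)$")
_UNSET_RE = re.compile(r"^# CONFIG_(\w+) is not set$")


def parse_kconfig(text: str) -> Dict[str, Optional[str]]:
    """Map option name (without the CONFIG_ prefix) to its value.

    An explicitly unset option maps to None; an option that does not appear
    at all (e.g. because the patch adding it is missing) is simply absent.
    """
    options: Dict[str, Optional[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        m = _SET_RE.match(line)
        if m:
            options[m.group(1)] = m.group(2)
            continue
        m = _UNSET_RE.match(line)
        if m:
            options[m.group(1)] = None
    return options


def kernel_version(release: str) -> Tuple[int, int]:
    """'5.6.0-1010-oem' -> (5, 6); enough granularity for upstream-cycle gating."""
    major, minor = release.split(".")[:2]
    return int(major), int(minor)


def expected_options(release: str) -> List[str]:
    """Options that must be =y on this kernel release.

    SECURITY_PERF_EVENTS_RESTRICT is an Ubuntu SAUCE option and is expected on
    every Ubuntu kernel. ARCH_HAS_REFCOUNT (together with REFCOUNT_FULL) was
    removed upstream in the 5.5 cycle, so expecting it on 5.5+ is a false
    failure; the version gate below is the fix test_400 needed. Assumption for
    this example: amd64, the architecture on which ARCH_HAS_REFCOUNT existed.
    """
    expected = ["SECURITY_PERF_EVENTS_RESTRICT"]
    if kernel_version(release) < (5, 5):
        expected.append("ARCH_HAS_REFCOUNT")
    return expected


def check_config(config_text: str, release: str) -> List[str]:
    """Return one failure message per unmet expectation; an empty list is a pass."""
    options = parse_kconfig(config_text)
    failures = []
    for name in expected_options(release):
        value = options.get(name)
        if value != "y":
            failures.append(
                f"{name} option was expected to be set in the kernel config (got {value!r})"
            )
    return failures


def load_running_config(release: str) -> str:
    """Read the running kernel's config from /proc/config.gz or /boot/config-<release>."""
    if os.path.exists("/proc/config.gz"):
        with gzip.open("/proc/config.gz", "rt") as f:
            return f.read()
    with open(f"/boot/config-{release}") as f:
        return f.read()


def read_perf_event_paranoid() -> Optional[int]:
    """Runtime counterpart of CONFIG_SECURITY_PERF_EVENTS_RESTRICT.

    The SAUCE patch adds level 3, which disallows perf_event_open() for
    unprivileged users entirely; without the option the sysctl tops out at 2.
    """
    try:
        with open("/proc/sys/kernel/perf_event_paranoid") as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


if __name__ == "__main__":
    rel = platform.release()
    fails = check_config(load_running_config(rel), rel)
    for failure in fails:
        print("FAIL:", failure)
    print("kernel.perf_event_paranoid =", read_perf_event_paranoid())
    raise SystemExit(1 if fails else 0)
```

Run as a script on an Ubuntu machine it reproduces the test_310 failure on a kernel without the SAUCE patch while staying quiet about ARCH_HAS_REFCOUNT on 5.5 and later; on a 5.4 kernel it still insists on ARCH_HAS_REFCOUNT.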
Revision history for this message
Steve Beattie (sbeattie) wrote :

The test_400_refcount_config failure has been addressed in qa-regression-testing commit
https://git.launchpad.net/qa-regression-testing/commit/?id=480aaab47c0e7e11ab5bad5b56f61742ac8fdf9e

Thanks.

Steve Beattie (sbeattie)
Changed in qa-regression-testing:
status: Confirmed → Fix Released
Revision history for this message
Timo Aaltonen (tjaalton) wrote :

does this upstream change replace the sauce patch?

commit da97e18458fb42d7c00fac5fd1c56a3896ec666e
Author: Joel Fernandes (Google) <email address hidden>
Date: Mon Oct 14 13:03:08 2019 -0400

    perf_event: Add support for LSM and SELinux checks

    In current mainline, the degree of access to perf_event_open(2) system
    call depends on the perf_event_paranoid sysctl. This has a number of
    limitations:

    1. The sysctl is only a single value. Many types of accesses are controlled
       based on the single value thus making the control very limited and
       coarse grained.
    2. The sysctl is global, so if the sysctl is changed, then that means
       all processes get access to perf_event_open(2) opening the door to
       security issues.

    This patch adds LSM and SELinux access checking which will be used in
    Android to access perf_event_open(2) for the purposes of attaching BPF
    programs to tracepoints, perf profiling and other operations from
    userspace. These operations are intended for production systems.

    5 new LSM hooks are added:
    1. perf_event_open: This controls access during the perf_event_open(2)
       syscall itself. The hook is called from all the places that the
       perf_event_paranoid sysctl is checked to keep it consistent with the
       sysctl. The hook gets passed a 'type' argument which controls CPU,
       kernel and tracepoint accesses (in this context, CPU, kernel and
       tracepoint have the same semantics as the perf_event_paranoid sysctl).
       Additionally, I added an 'open' type which is similar to
       perf_event_paranoid sysctl == 3 patch carried in Android and several other
       distros but was rejected in mainline [1] in 2016.

    2. perf_event_alloc: This allocates a new security object for the event
       which stores the current SID within the event. It will be useful when
       the perf event's FD is passed through IPC to another process which may
       try to read the FD. Appropriate security checks will limit access.

    3. perf_event_free: Called when the event is closed.

    4. perf_event_read: Called from the read(2) and mmap(2) syscalls for the event.

    5. perf_event_write: Called from the ioctl(2) syscalls for the event.

    [1] https://lwn.net/Articles/696240/

    Since Peter had suggest LSM hooks in 2016 [1], I am adding his
    Suggested-by tag below.

    To use this patch, we set the perf_event_paranoid sysctl to -1 and then
    apply selinux checking as appropriate (default deny everything, and then
    add policy rules to give access to domains that need it). In the future
    we can remove the perf_event_paranoid sysctl altogether.

    Suggested-by: Peter Zijlstra <email address hidden>
    Co-developed-by: Peter Zijlstra <email address hidden>
    Signed-off-by: Joel Fernandes (Google) <email address hidden>
    Signed-off-by: Peter Zijlstra (Intel) <email address hidden>
    Acked-by: James Morris <email address hidden>
    Cc: Arnaldo Carvalho de Melo <email address hidden>
    Cc: <email address hidden>
    Cc: Yonghong Song <email address hidden>
    Cc: Kees Cook <email address hidden>
    Cc:...


Revision history for this message
Po-Hsu Lin (cypressyew) wrote :

Hello Steve,
test_310_config_security_perf_events_restrict is still failing with F-OEM-5.6, do you want me to open a new bug for it?

Thanks

tags: added: sru-20200608
tags: added: 5.6 oem oem-5.6 sru-20210412
Revision history for this message
Steve Beattie (sbeattie) wrote :

Sorry for the lag on this issue.

Timo, while the added hooks are useful, they don't for the time being obviate the need for the larger hammer of the sysctl, so we'd still like to keep the referred-to patch available, until we are forced to make a choice if and when upstream drops the sysctl entirely.

Po-Hsu, if it's easier for tracking for it to be a separate bug report, that's fine. Am hoping to have more time soon to focus on qa-r-t issues when they come up.

Thanks.
