IMA policy parsing is broken in 4.13

Bug #1755804 reported by rppt on 2018-03-14
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Medium
Joseph Salisbury
Artful
Medium
Joseph Salisbury

Bug Description

== SRU Justification ==
Artful has a bug in IMA policy parsing introduced by mailine commit 787d8c530af7.
This bug prevents setting IMA measurements and appraisal options per fsuuid.

This commit has been cc'd to upstream stable. However, it has not yet been applied
to Artful, since upstream 4.13 is EOL.

== Fix ==
36447456e1cc ("ima/policy: fix parsing of fsuuid")

== Regression Potential ==
Low. This patch has also been sent to upstream stable, so it has had additional upstream
review.

== Test Case ==
A test kernel was built with this patch and tested by the original bug reporter.
The bug reporter states the test kernel resolved the bug.

Linux kernel version 4.13 has a bug in IMA policy parsing that prevents setting IMA measurements and appraisal options per fsuuid.

The issue can be reproduced with simple ima_policy:

# fsuuid=$(blkid -s UUID -o value /dev/sda1)
# cat > ima_policy << EOF
dont_appraise fsuuid=$fsuuid
dont_measure fsuuid=$fsuuid
EOF
# cat ima_policy > /sys/kernel/security/ima/policy
cat: write error: Invalid argument
# dmesg | tail
[ 928.069606] audit: type=1805 audit(1521031959.907:18): action="dont_appraise" fsuuid="aef88a4e-dbea-4cc7-be8b-03cf8501cc8f" res=0
[ 928.069895] audit: type=1802 audit(1521031959.908:19): pid=1806 uid=0 auid=0 ses=1 op="update_policy" cause="invalid-policy" comm="cat" res=0
[ 928.070829] IMA: policy update failed
[ 928.070860] audit: type=1802 audit(1521031959.909:20): pid=1806 uid=0 auid=0 ses=1 op="policy_update" cause="failed" comm="cat" res=0

The same policy can be successfully loaded on v4.10:

(v4.10) # dmesg | tail
[ 54.071383] IMA: policy update completed
[ 54.071484] kauditd_printk_skb: 1 callbacks suppressed
[ 54.071487] audit: type=1805 audit(1521030962.958:15): action="dont_appraise" fsuuid="aef88a4e-dbea-4cc7-be8b-03cf8501cc8f" res=1
[ 54.071491] audit: type=1805 audit(1521030962.958:16): action="dont_measure" fsuuid="aef88a4e-dbea-4cc7-be8b-03cf8501cc8f" res=1
[ 54.071493] audit: type=1802 audit(1521030962.958:17): pid=1793 uid=0 auid=0 ses=1 op="policy_update" cause="completed" comm="cat" res=1

The bug is fixed in the mainline kernel:

[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/security/integrity/ima/ima_policy.c?id=36447456e1cca853188505f2a964dbbeacfc7a7a
---
AlsaDevices:
 total 0
 crw-rw---- 1 root audio 116, 1 Mar 14 12:37 seq
 crw-rw---- 1 root audio 116, 33 Mar 14 12:37 timer
AplayDevices: Error: [Errno 2] No such file or directory
ApportVersion: 2.20.1-0ubuntu2.15
Architecture: amd64
ArecordDevices: Error: [Errno 2] No such file or directory
AudioDevicesInUse: Error: command ['fuser', '-v', '/dev/snd/seq', '/dev/snd/timer'] failed with exit code 1:
DistroRelease: Ubuntu 16.04
IwConfig: Error: [Errno 2] No such file or directory
Lsusb: Error: command ['lsusb'] failed with exit code 1:
MachineType: QEMU Standard PC (i440FX + PIIX, 1996)
Package: linux (not installed)
PciMultimedia:

ProcFB:

ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-4.13.0-36-generic root=UUID=aef88a4e-dbea-4cc7-be8b-03cf8501cc8f ro console=tty1 console=ttyS0 crashkernel=384M-2G:128M,2G-:256M
ProcVersionSignature: Ubuntu 4.13.0-36.40~16.04.1-generic 4.13.13
RelatedPackageVersions:
 linux-restricted-modules-4.13.0-36-generic N/A
 linux-backports-modules-4.13.0-36-generic N/A
 linux-firmware 1.157.17
RfKill: Error: [Errno 2] No such file or directory
Tags: xenial uec-images
Uname: Linux 4.13.0-36-generic x86_64
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups: pkcs11
_MarkForUpload: True
dmi.bios.date: 04/01/2014
dmi.bios.vendor: SeaBIOS
dmi.bios.version: Ubuntu-1.8.2-1ubuntu1
dmi.chassis.type: 1
dmi.chassis.vendor: QEMU
dmi.chassis.version: pc-i440fx-xenial
dmi.modalias: dmi:bvnSeaBIOS:bvrUbuntu-1.8.2-1ubuntu1:bd04/01/2014:svnQEMU:pnStandardPC(i440FX+PIIX,1996):pvrpc-i440fx-xenial:cvnQEMU:ct1:cvrpc-i440fx-xenial:
dmi.product.name: Standard PC (i440FX + PIIX, 1996)
dmi.product.version: pc-i440fx-xenial
dmi.sys.vendor: QEMU

CVE References

rppt (mike-rapoport) on 2018-03-14
description: updated

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 1755804

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
rppt (mike-rapoport) wrote : CRDA.txt

apport information

tags: added: apport-collected uec-images xenial
description: updated

apport information

apport information

apport information

apport information

apport information

apport information

apport information

apport information

apport information

apport information

rppt (mike-rapoport) on 2018-03-14
description: updated
Changed in linux (Ubuntu Artful):
status: New → Triaged
Changed in linux (Ubuntu):
status: Incomplete → Triaged
importance: Undecided → Medium
Changed in linux (Ubuntu Artful):
importance: Undecided → Medium
Changed in linux (Ubuntu Artful):
status: Triaged → In Progress
Changed in linux (Ubuntu):
status: Triaged → In Progress
assignee: nobody → Joseph Salisbury (jsalisbury)
Changed in linux (Ubuntu Artful):
assignee: nobody → Joseph Salisbury (jsalisbury)
Joseph Salisbury (jsalisbury) wrote :

I built a test kernel with commit 36447456e1cca853188505f2a964dbbeacfc7a7a. The test kernel can be downloaded from:
http://kernel.ubuntu.com/~jsalisbury/lp1755804

Can you test this kernel and see if it resolves this bug?

Note, to test this kernel, you need to install both the linux-image and linux-image-extra .deb packages.

Thanks in advance!

rppt (mike-rapoport) wrote :

Yes, this kernel works as expected, thanks.

I presume that despite this being marked as Artful the fix will get into Xenail hwe releases. Is this correct?

Joseph Salisbury (jsalisbury) wrote :

Yes, that is correct. Any commits applied to the Artful kernel will also get applied to the 4.13 based HWE kernel.

Joseph Salisbury (jsalisbury) wrote :
description: updated
Stefan Bader (smb) on 2018-03-28
Changed in linux (Ubuntu Artful):
status: In Progress → Fix Committed
Brad Figg (brad-figg) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-artful' to 'verification-done-artful'. If the problem still exists, change the tag 'verification-needed-artful' to 'verification-failed-artful'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-artful
rppt (mike-rapoport) on 2018-04-10
tags: added: verification-done-artful
removed: verification-needed-artful
Launchpad Janitor (janitor) wrote :
Download full text (5.6 KiB)

This bug was fixed in the package linux - 4.13.0-39.44

---------------
linux (4.13.0-39.44) artful; urgency=medium

  * linux: 4.13.0-39.44 -proposed tracker (LP: #1761456)

  * intel-microcode 3.20180312.0 causes lockup at login screen(w/ linux-
    image-4.13.0-37-generic) (LP: #1759920) // CVE-2017-5715 (Spectre v2
    Intel) // CVE-2017-5754
    - x86/mm: Reinitialize TLB state on hotplug and resume

  * intel-microcode 3.20180312.0 causes lockup at login screen(w/ linux-
    image-4.13.0-37-generic) (LP: #1759920) // CVE-2017-5715 (Spectre v2 Intel)
    - Revert "x86/mm: Only set IBPB when the new thread cannot ptrace current
      thread"
    - x86/speculation: Use Indirect Branch Prediction Barrier in context switch

  * DKMS driver builds fail with: Cannot use CONFIG_STACK_VALIDATION=y, please
    install libelf-dev, libelf-devel or elfutils-libelf-devel (LP: #1760876)
    - [Packaging] include the retpoline extractor in the headers

  * retpoline hints: primary infrastructure and initial hints (LP: #1758856)
    - [Packaging] retpoline-extract: flag *0xNNN(%reg) branches
    - x86/speculation, objtool: Annotate indirect calls/jumps for objtool
    - x86/speculation, objtool: Annotate indirect calls/jumps for objtool on 32bit
    - x86/paravirt, objtool: Annotate indirect calls
    - [Packaging] retpoline -- add safe usage hint support
    - [Packaging] retpoline-check -- only report additions
    - [Packaging] retpoline -- widen indirect call/jmp detection
    - [Packaging] retpoline -- elide %rip relative indirections
    - [Packaging] retpoline -- clear hint information from packages
    - KVM: x86: Make indirect calls in emulator speculation safe
    - KVM: VMX: Make indirect call speculation safe
    - x86/boot, objtool: Annotate indirect jump in secondary_startup_64()
    - SAUCE: early/late -- annotate indirect calls in early/late initialisation
      code
    - SAUCE: vga_set_mode -- avoid jump tables
    - [Config] retpoline -- switch to new format
    - [Packaging] retpoline hints -- handle missing files when RETPOLINE not
      enabled
    - [Packaging] final-checks -- remove check for empty retpoline files

  * retpoline: ignore %cs:0xNNN constant indirections (LP: #1752655)
    - [Packaging] retpoline -- elide %cs:0xNNNN constants on i386

  * zfs system process hung on container stop/delete (LP: #1754584)
    - SAUCE: Fix non-prefaulted page deadlock (LP: #1754584)

  * zfs-linux 0.6.5.11-1ubuntu5 ADT test failure with linux 4.15.0-1.2
    (LP: #1737761)
    - SAUCE: (noup) Update zfs to 0.6.5.11-1ubuntu3.2

  * AT_BASE_PLATFORM in AUXV is absent on kernels available on Ubuntu 17.10
    (LP: #1759312)
    - powerpc/64s: Fix NULL AT_BASE_PLATFORM when using DT CPU features

  * btrfs and tar sparse truncate archives (LP: #1757565)
    - Btrfs: move definition of the function btrfs_find_new_delalloc_bytes
    - Btrfs: fix reported number of inode blocks after buffered append writes

  * efifb broken on ThunderX-based Gigabyte nodes (LP: #1758375)
    - drivers/fbdev/efifb: Allow BAR to be moved instead of claiming it

  * Intel i40e PF reset due to incorrect MDD detection (continues...)
    (LP: #1723127)
    - i40e/i40ev...

Read more...

Changed in linux (Ubuntu Artful):
status: Fix Committed → Fix Released
Changed in linux (Ubuntu):
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers