Creation of IMA file hashes fails when appraisal is enabled

Bug #1771826 reported by rppt on 2018-05-17
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Medium
Unassigned
Xenial
Medium
Joseph Salisbury

Bug Description

== SRU Justification ==
On a system that has IMA appraisal enabled it is impossible to create
security.ima extended attribute files that contain IMA hash. This is
due to mainline commit c68ed80c97d, which prevents writing file hashes as
security.ima xattrs.

This bug is fixed by reverting commit c68ed80c97d, which is done by
mainline commit f5acb3dcba1f as of v4.10-rc1.

== Fix ==
f5acb3dcba1f ("Revert "ima: limit file hash setting by user to fix and log modes"")

== Regression Potential ==
Low. This revert happend in v4.10-rc1. It has been in Artful and
Bionic for a while without any reported issues.

== Test Case ==
A test kernel was built with this patch and tested by the original bug reporter.
The bug reporter states the test kernel resolved the bug.

== Original Bug Description ==
On a system that has IMA appraisal enabled it is impossible to create
security.ima extended attribute files that contain IMA hash.

For instance, consider the following use case:

1) extract application files to a staging area as non root user
2) verify that installation is correct
3) create IMA extended attributes for the installed files
4) move the files to their destination
5) change the files ownership to root

With kernel 4.4.x step 3 will fail.

The issues is fixed in upstream kernels by the following commit [1]:

commit f5acb3dcba1ffb7f0b8cbb9dba61500eea5d610b
Author: Mimi Zohar <email address hidden>
Date: Wed Nov 2 09:14:16 2016 -0400

    Revert "ima: limit file hash setting by user to fix and log modes"

[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i
d=f5acb3dcba1ffb7f0b8cbb9dba61500eea5d610b

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: linux-image-4.4.0-124-generic 4.4.0-124.148
ProcVersionSignature: User Name 4.4.0-124.148-generic 4.4.117
Uname: Linux 4.4.0-124-generic x86_64
AlsaDevices:
 total 0
 crw-rw---- 1 root audio 116, 1 May 17 14:07 seq
 crw-rw---- 1 root audio 116, 33 May 17 14:07 timer
AplayDevices: Error: [Errno 2] No such file or directory: 'aplay'
ApportVersion: 2.20.1-0ubuntu2.15
Architecture: amd64
ArecordDevices: Error: [Errno 2] No such file or directory: 'arecord'
AudioDevicesInUse: Error: command ['fuser', '-v', '/dev/snd/seq', '/dev/snd/timer'] failed with exit code 1:
CRDA: Error: command ['iw', 'reg', 'get'] failed with exit code 1: nl80211 not found.
Date: Thu May 17 14:08:59 2018
IwConfig: Error: [Errno 2] No such file or directory: 'iwconfig'
Lsusb: Error: command ['lsusb'] failed with exit code 1:
MachineType: QEMU Standard PC (i440FX + PIIX, 1996)
PciMultimedia:

ProcFB:

ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-4.4.0-124-generic root=UUID=aef88a4e-dbea-4cc7-be8b-03cf8501cc8f ro biosdevname=0 net.ifnames=0 console=tty1 console=ttyS0 crashkernel=384M-:128M
RelatedPackageVersions:
 linux-restricted-modules-4.4.0-124-generic N/A
 linux-backports-modules-4.4.0-124-generic N/A
 linux-firmware 1.157.17
RfKill: Error: [Errno 2] No such file or directory: 'rfkill'
SourcePackage: linux
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 04/01/2014
dmi.bios.vendor: SeaBIOS
dmi.bios.version: rel-1.11.0-0-g63451fca13-prebuilt.qemu-project.org
dmi.chassis.type: 1
dmi.chassis.vendor: QEMU
dmi.chassis.version: pc-i440fx-2.12
dmi.modalias: dmi:bvnSeaBIOS:bvrrel-1.11.0-0-g63451fca13-prebuilt.qemu-project.org:bd04/01/2014:svnQEMU:pnStandardPC(i440FX+PIIX,1996):pvrpc-i440fx-2.12:cvnQEMU:ct1:cvrpc-i440fx-2.12:
dmi.product.name: Standard PC (i440FX + PIIX, 1996)
dmi.product.version: pc-i440fx-2.12
dmi.sys.vendor: QEMU

CVE References

rppt (mike-rapoport) wrote :
description: updated

This change was made by a bot.

Changed in linux (Ubuntu):
status: New → Confirmed
Changed in linux (Ubuntu):
importance: Undecided → Medium
status: Confirmed → Triaged
Changed in linux (Ubuntu Xenial):
status: New → Triaged
importance: Undecided → Medium
Changed in linux (Ubuntu):
status: Triaged → Invalid
Changed in linux (Ubuntu Xenial):
status: Triaged → In Progress
assignee: nobody → Joseph Salisbury (jsalisbury)
Joseph Salisbury (jsalisbury) wrote :

I built a test kernel with commit f5acb3dcba1ffb7f0b8cbb9dba61500eea5d610b. The test kernel can be downloaded from:
http://kernel.ubuntu.com/~jsalisbury/lp1771826

Can you test this kernel and see if it resolves this bug?

Note about installing test kernels:
• If the test kernel is prior to 4.15(Bionic) you need to install the linux-image and linux-image-extra .deb packages.
• If the test kernel is 4.15(Bionic) or newer, you need to install the linux-image-unsigned, linux-modules and linux-modules-extra .deb packages.

Thanks in advance!

rppt (mike-rapoport) wrote :

I've tested with your kernel package and it works fine.
Thanks!

Joseph Salisbury (jsalisbury) wrote :
description: updated
Juerg Haefliger (juergh) on 2018-06-07
Changed in linux (Ubuntu Xenial):
status: In Progress → Fix Committed
Brad Figg (brad-figg) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-xenial' to 'verification-done-xenial'. If the problem still exists, change the tag 'verification-needed-xenial' to 'verification-failed-xenial'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-xenial
rppt (mike-rapoport) on 2018-06-14
tags: added: verification-done-xenial
removed: verification-needed-xenial
Launchpad Janitor (janitor) wrote :
Download full text (29.8 KiB)

This bug was fixed in the package linux - 4.4.0-130.156

---------------
linux (4.4.0-130.156) xenial; urgency=medium

  * linux: 4.4.0-130.156 -proposed tracker (LP: #1776822)

  * CVE-2018-3665 (x86)
    - x86/fpu: Fix early FPU command-line parsing
    - x86/fpu: Fix 'no387' regression
    - x86/fpu: Disable MPX when eagerfpu is off
    - x86/fpu: Default eagerfpu=on on all CPUs
    - x86/fpu: Fix FNSAVE usage in eagerfpu mode
    - x86/fpu: Fix math emulation in eager fpu mode
    - x86/fpu: Fix eager-FPU handling on legacy FPU machines

linux (4.4.0-129.155) xenial; urgency=medium

  * linux: 4.4.0-129.155 -proposed tracker (LP: #1776352)

  * Xenial update to 4.4.134 stable release (LP: #1775771)
    - MIPS: ptrace: Expose FIR register through FP regset
    - MIPS: Fix ptrace(2) PTRACE_PEEKUSR and PTRACE_POKEUSR accesses to o32 FGRs
    - KVM: Fix spelling mistake: "cop_unsuable" -> "cop_unusable"
    - affs_lookup(): close a race with affs_remove_link()
    - aio: fix io_destroy(2) vs. lookup_ioctx() race
    - ALSA: timer: Fix pause event notification
    - mmc: sdhci-iproc: fix 32bit writes for TRANSFER_MODE register
    - libata: Blacklist some Sandisk SSDs for NCQ
    - libata: blacklist Micron 500IT SSD with MU01 firmware
    - xen-swiotlb: fix the check condition for xen_swiotlb_free_coherent
    - Revert "ipc/shm: Fix shmat mmap nil-page protection"
    - ipc/shm: fix shmat() nil address after round-down when remapping
    - kasan: fix memory hotplug during boot
    - kernel/sys.c: fix potential Spectre v1 issue
    - kernel/signal.c: avoid undefined behaviour in kill_something_info
    - xfs: remove racy hasattr check from attr ops
    - do d_instantiate/unlock_new_inode combinations safely
    - firewire-ohci: work around oversized DMA reads on JMicron controllers
    - NFSv4: always set NFS_LOCK_LOST when a lock is lost.
    - ALSA: hda - Use IS_REACHABLE() for dependency on input
    - ASoC: au1x: Fix timeout tests in au1xac97c_ac97_read()
    - kvm: x86: fix KVM_XEN_HVM_CONFIG ioctl
    - tracing/hrtimer: Fix tracing bugs by taking all clock bases and modes into
      account
    - PCI: Add function 1 DMA alias quirk for Marvell 9128
    - tools lib traceevent: Simplify pointer print logic and fix %pF
    - perf callchain: Fix attr.sample_max_stack setting
    - tools lib traceevent: Fix get_field_str() for dynamic strings
    - dm thin: fix documentation relative to low water mark threshold
    - nfs: Do not convert nfs_idmap_cache_timeout to jiffies
    - watchdog: sp5100_tco: Fix watchdog disable bit
    - kconfig: Don't leak main menus during parsing
    - kconfig: Fix automatic menu creation mem leak
    - kconfig: Fix expr_free() E_NOT leak
    - ipmi/powernv: Fix error return code in ipmi_powernv_probe()
    - Btrfs: set plug for fsync
    - btrfs: Fix out of bounds access in btrfs_search_slot
    - Btrfs: fix scrub to repair raid6 corruption
    - scsi: fas216: fix sense buffer initialization
    - HID: roccat: prevent an out of bounds read in kovaplus_profile_activated()
    - jffs2: Fix use-after-free bug in jffs2_iget()'s error handling path
    - powerpc/numa: Use ibm,max-associativity-domains to discover possib...

Changed in linux (Ubuntu Xenial):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers