Creation of IMA file hashes fails when appraisal is enabled
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| linux (Ubuntu) | Invalid | Medium | Unassigned | |
| Xenial | Fix Released | Medium | Unassigned | |
Bug Description
== SRU Justification ==
On a system that has IMA appraisal enabled it is impossible to create
security.ima extended attribute files that contain IMA hash. This is
due to mainline commit c68ed80c97d, which prevents writing file hashes as
security.ima xattrs.
This bug is fixed by reverting commit c68ed80c97d, which is done by
mainline commit f5acb3dcba1f as of v4.10-rc1.
== Fix ==
f5acb3dcba1f ("Revert "ima: limit file hash setting by user to fix and log modes"")
== Regression Potential ==
Low. This revert happened in v4.10-rc1. It has been in Artful and
Bionic for a while without any reported issues.
== Test Case ==
A test kernel was built with this patch and tested by the original bug reporter.
The bug reporter states the test kernel resolved the bug.
== Original Bug Description ==
On a system that has IMA appraisal enabled it is impossible to create
security.ima extended attribute files that contain IMA hash.
For instance, consider the following use case:
1) extract application files to a staging area as non root user
2) verify that installation is correct
3) create IMA extended attributes for the installed files
4) move the files to their destination
5) change the files ownership to root
With kernel 4.4.x step 3 will fail.
The issue is fixed in upstream kernels by the following commit [1]:
commit f5acb3dcba1ffb7
Author: Mimi Zohar <email address hidden>
Date: Wed Nov 2 09:14:16 2016 -0400
Revert "ima: limit file hash setting by user to fix and log modes"
[1] https:/
d=f5acb3dcba1ff
ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: linux-image-
ProcVersionSign
Uname: Linux 4.4.0-124-generic x86_64
AlsaDevices:
total 0
crw-rw---- 1 root audio 116, 1 May 17 14:07 seq
crw-rw---- 1 root audio 116, 33 May 17 14:07 timer
AplayDevices: Error: [Errno 2] No such file or directory: 'aplay'
ApportVersion: 2.20.1-0ubuntu2.15
Architecture: amd64
ArecordDevices: Error: [Errno 2] No such file or directory: 'arecord'
AudioDevicesInUse: Error: command ['fuser', '-v', '/dev/snd/seq', '/dev/snd/timer'] failed with exit code 1:
CRDA: Error: command ['iw', 'reg', 'get'] failed with exit code 1: nl80211 not found.
Date: Thu May 17 14:08:59 2018
IwConfig: Error: [Errno 2] No such file or directory: 'iwconfig'
Lsusb: Error: command ['lsusb'] failed with exit code 1:
MachineType: QEMU Standard PC (i440FX + PIIX, 1996)
PciMultimedia:
ProcFB:
ProcKernelCmdLine: BOOT_IMAGE=
RelatedPackageV
linux-
linux-
linux-firmware 1.157.17
RfKill: Error: [Errno 2] No such file or directory: 'rfkill'
SourcePackage: linux
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 04/01/2014
dmi.bios.vendor: SeaBIOS
dmi.bios.version: rel-1.11.
dmi.chassis.type: 1
dmi.chassis.vendor: QEMU
dmi.chassis.
dmi.modalias: dmi:bvnSeaBIOS:
dmi.product.name: Standard PC (i440FX + PIIX, 1996)
dmi.product.
dmi.sys.vendor: QEMU
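Step 3 of the reporter's use case is the one the affected kernels reject: writing a `security.ima` xattr that carries the file's hash. The following added example (not code from the bug report, the Ubuntu kernel tree, or ima-evm-utils) builds that xattr value the way an IMA file hash is laid out, verifies an existing value against the file's content (the check an appraiser performs), and attempts the write while surfacing whatever errno the kernel returns. Assumptions: the digest-ng layout of one type byte (`IMA_XATTR_DIGEST_NG`, 0x04), one hash-algorithm byte from the kernel's `enum hash_algo` (SHA-256 is 0x04), then the raw digest; the sample file content is constructed; and the exact errno an affected kernel answers with is not stated in the report, so it is reported rather than assumed.

```python
"""Build, verify and attempt to set an IMA file-hash xattr (security.ima).

Added example for the bug report above; not the reporter's code and not
ima-evm-utils. Assumed layout of the "digest-ng" value: type byte
IMA_XATTR_DIGEST_NG (0x04), hash-algorithm byte (enum hash_algo), digest.
"""
import errno
import hashlib
import hmac
import os
import tempfile

IMA_XATTR_DIGEST_NG = 0x04                     # hash value with algorithm prefix
# Subset of the kernel's enum hash_algo identifiers (assumed mapping).
HASH_ALGO = {"sha1": 0x02, "sha256": 0x04, "sha512": 0x06}
ALGO_BY_ID = {v: k for k, v in HASH_ALGO.items()}


def build_ima_hash(path: str, algo: str = "sha256") -> bytes:
    """Return the security.ima value for `path`: type, algo id, raw digest."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return bytes([IMA_XATTR_DIGEST_NG, HASH_ALGO[algo]]) + h.digest()


def verify_ima_hash(path: str, value: bytes) -> bool:
    """Recompute the file digest and compare it with a digest-ng xattr value.

    Returns False for anything that is not a well-formed digest-ng hash
    (e.g. a signature-type value or a truncated digest) rather than raising,
    so it can be used as a plain yes/no appraisal check.
    """
    if len(value) < 3 or value[0] != IMA_XATTR_DIGEST_NG:
        return False
    algo = ALGO_BY_ID.get(value[1])
    if algo is None or len(value) != 2 + hashlib.new(algo).digest_size:
        return False
    return hmac.compare_digest(build_ima_hash(path, algo), value)


def try_set_ima_hash(path: str) -> str:
    """Attempt step 3 of the use case: write security.ima for `path`.

    Returns "ok" on success, otherwise the errno name the kernel answered
    with. Writing security.* xattrs is Linux-specific and normally needs
    CAP_SYS_ADMIN; on the Xenial kernels described in the report the write
    fails even then, which is why the errno is surfaced, not swallowed.
    """
    try:
        os.setxattr(path, "security.ima", build_ima_hash(path))
        return "ok"
    except (OSError, AttributeError) as e:
        code = getattr(e, "errno", None)
        return errno.errorcode.get(code, "UNSUPPORTED")


def demo() -> dict:
    """Constructed sample: one file, its xattr value, and the checks above."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "app.bin")
        with open(p, "wb") as f:
            f.write(b"constructed sample payload\n")   # constructed content
        value = build_ima_hash(p)
        tampered = value[:-1] + bytes([value[-1] ^ 0x01])
        return {
            "hex": value.hex(),
            "valid": verify_ima_hash(p, value),
            "tampered_valid": verify_ima_hash(p, tampered),
            "sig_type_valid": verify_ima_hash(p, b"\x03\x02" + b"\x00" * 8),
            "set_result": try_set_ima_hash(p),
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

`hex` starts with `0404` (digest-ng, SHA-256) followed by the 64 hex digits of the digest, which is the form `getfattr -n security.ima` shows on a file whose hash has been set successfully; `set_result` is the part that differs between an affected kernel and a fixed one.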
Changed in linux (Ubuntu):
importance: Undecided → Medium
status: Confirmed → Triaged
Changed in linux (Ubuntu Xenial):
status: New → Triaged
importance: Undecided → Medium
Changed in linux (Ubuntu):
status: Triaged → Invalid
Changed in linux (Ubuntu Xenial):
status: Triaged → In Progress
assignee: nobody → Joseph Salisbury (jsalisbury)
Changed in linux (Ubuntu Xenial):
status: In Progress → Fix Committed
tags: added: verification-done-xenial removed: verification-needed-xenial
This change was made by a bot.