Bug in selinux on ubuntu 16.04 with kernel 4.15.0-34

Bug #1794067 reported by Benjamin Schuele
This bug affects 11 people
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Confirmed
Medium
Unassigned
Bionic
Confirmed
Medium
Unassigned

Bug Description

Hello, I just found a bug in SELinux.

What's going wrong:

Copy a link with the "-a" option while SELinux is on.

Steps to reproduce:

~$ mkdir -p a/b
~$ ln -s b a/c
~$ cp -a a b
cp: failed to restore the default file creation context: Invalid argument

Results of my investigation:

The "cp" of coreutils is calling "setfscreatecon (NULL)" to restore the default file creation context (coreutils-8.30/src/copy.c:1771) as it is stated in the selinux api (/libselinux/include/selinux/selinux.h:71).

As we see in the strace output below, the kernel returns -1 when trying to restore the default file creation context. So in my opinion the bug has to be in the selinux_setprocattr method in the security/selinux/hooks.c file.

Part of "strace cp -a a b"

lgetxattr("a/c", "security.selinux", "system_u:object_r:user_home_dir_t:s0", 255) = 37
readlink("a/c", "b", 2) = 1
symlink("b", "b/a/c") = 0
open("/proc/self/task/2136/attr/fscreate", O_RDWR|O_CLOEXEC) = 3
write(3, NULL, 0) = -1 EINVAL (Invalid argument)
close(3) = 0
open("/usr/share/locale/locale.alias", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=2995, ...}) = 0
read(3, "# Locale name alias data base.\n#"..., 4096) = 2995
read(3, "", 4096) = 0
close(3)

Tags: xenial
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote : Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 1794067

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
tags: added: xenial
description: updated
Changed in linux (Ubuntu):
status: Incomplete → Confirmed
Revision history for this message
Benjamin Schuele (bschuele) wrote :

It does not occur on a mainline kernel

Revision history for this message
Benjamin Schuele (bschuele) wrote :

FYI:

---------- Forwarded message ---------
From: Stephen Smalley <email address hidden>
Date: Fr., 21. Sep. 2018 um 19:09 Uhr
Subject: Re: Bug in selinux on ubuntu 16.04 with kernel 4.15.0-34
To: Benjamin Schüle <email address hidden>, <email address hidden>,
Paul Moore <email address hidden>

On 09/21/2018 04:50 AM, Benjamin Schüle wrote:
> Hello,
>
> just found a bug in selinux. It appears on ubuntu 16.04 with kernel
> 4.15, but not with kernel 4.4.
>
> What's going wrong:
> Copy a link with "-a" option while selinux is on.
>
>
> steps to reproduce:
> ~$ mkdir -p a/b
> ~$ ln -s b a/c
> ~$ cp -a a b
> cp: failed to restore the default file creation context: Invalid argument
>
>
> Results of my investigation:
>
> The "cp" of coreutils is calling "setfscreatecon (NULL)" to restore
> the default file creation context (coreutils-8.30/src/copy.c:1771) as
> it is stated in the selinux api
> (/libselinux/include/selinux/selinux.h:71).
>
> As we see in the result of strace below, the kernel returns -1 when
> trying to restore the default file creation context. So, in my opinion,
> the bug has to be in the selinux_setprocattr method in the
> security/selinux/hooks.c file.
>
>
> Part of "strace cp -a a b"
>
> lgetxattr("a/c", "security.selinux",
> "system_u:object_r:user_home_dir_t:s0", 255) = 37
> readlink("a/c", "b", 2) = 1
> symlink("b", "b/a/c") = 0
> open("/proc/self/task/2136/attr/fscreate", O_RDWR|O_CLOEXEC) = 3
> write(3, NULL, 0) = -1 EINVAL (Invalid argument)
> close(3) = 0
> open("/usr/share/locale/locale.alias", O_RDONLY|O_CLOEXEC) = 3
> fstat(3, {st_mode=S_IFREG|0644, st_size=2995, ...}) = 0
> read(3, "# Locale name alias data base.\n#"..., 4096) = 2995
> read(3, "", 4096) = 0
> close(3)

This appears to be Ubuntu-specific; I can't reproduce upstream. If you
are able to reproduce with an upstream kernel, let us know; otherwise,
file a bug with Ubuntu. A quick look at the Ubuntu kernel git tree
shows the following commit which would explain this regression.

commit 36788bfe15f16b2eba39d0e563ae8027c5072b98
Author: Colin Ian King <email address hidden>
Date: Tue Oct 3 13:12:54 2017 +0100

     UBUNTU: SAUCE: LSM stacking: check for invalid zero sized writes

     BugLink: http://bugs.launchpad.net/bugs/1720779
     BugLink: http://bugs.launchpad.net/bugs/1763062

     Writing zero bytes to /proc/$pid/task/$pid/attr/context via
     security_setprocattr cause an oops in memcpy_erms. Fix this by
     checking for zero size and returning -EINVAL for this invalid
     write size.

     Detected by running stress-ng --procfs 0

     Signed-off-by: Colin Ian King <email address hidden>
     Signed-off-by: Seth Forshee <email address hidden>

Changed in linux (Ubuntu):
importance: Undecided → Medium
status: Confirmed → Incomplete
status: Incomplete → Triaged
Changed in linux (Ubuntu Bionic):
importance: Undecided → Medium
status: New → In Progress
Changed in linux (Ubuntu):
status: Triaged → In Progress
Changed in linux (Ubuntu Bionic):
assignee: nobody → Joseph Salisbury (jsalisbury)
Changed in linux (Ubuntu):
assignee: nobody → Joseph Salisbury (jsalisbury)
Revision history for this message
Joseph Salisbury (jsalisbury) wrote :

I'll build a test kernel with the commit posted in #4 reverted to see if that is the cause.

Revision history for this message
Joseph Salisbury (jsalisbury) wrote :

I built a test kernel with a revert of commit 36788bfe15f16b2eba. The test kernel can be downloaded from:
http://kernel.ubuntu.com/~jsalisbury/lp1794067

Can you test this kernel and see if it resolves this bug?

Note about installing test kernels:
• If the test kernel is prior to 4.15 (Bionic) you need to install the linux-image and linux-image-extra .deb packages.
• If the test kernel is 4.15 (Bionic) or newer, you need to install the linux-modules, linux-modules-extra and linux-image-unsigned .deb packages.

Thanks in advance!

Revision history for this message
Benjamin Schuele (bschuele) wrote :

no, does not solve the issue

beschuele@vm-ssd-neon:~$ uname -a
Linux vm-ssd-neon 4.15.0-36-generic #40~lp1794067 SMP Wed Sep 26 21:45:59 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
beschuele@vm-ssd-neon:~$ cd /tmp
beschuele@vm-ssd-neon:/tmp$ mkdir -p a/b
beschuele@vm-ssd-neon:/tmp$ ln -s b a/c
beschuele@vm-ssd-neon:/tmp$ cp -a a b
cp: failed to restore the default file creation context: Invalid argument

Revision history for this message
Joseph Salisbury (jsalisbury) wrote :

The test kernel I posted is built on top of upstream 4.15.18. To confirm this is an Ubuntu specific bug, can you test 4.15.18? It can be downloaded from:

http://kernel.ubuntu.com/~kernel-ppa/mainline/v4.15.18/

Revision history for this message
Benjamin Schuele (bschuele) wrote :

the problem does not exist on the mainline kernel

Revision history for this message
Joseph Salisbury (jsalisbury) wrote :

Commit 36788bfe15f1 was applied to Bionic in kernel version: Ubuntu-4.15.0-16. Do you happen to know the last kernel version that did not exhibit this bug? If not, we can try a kernel bisect to identify the commit that caused this.

Revision history for this message
Benjamin Schuele (bschuele) wrote :

I've no clue in which kernel version it started...

Revision history for this message
Joseph Salisbury (jsalisbury) wrote :

We may have to test some prior kernel to have a starting version for a bisect. Before starting a bisect, would it be possible for you to test the proposed kernel and post back if it resolves this bug?

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed.

Revision history for this message
Benjamin Schuele (bschuele) wrote :

the linux-image-4.15.0-37-generic kernel from proposed also has the same problem

Revision history for this message
Joseph Salisbury (jsalisbury) wrote :

Can you test the following kernels and report back? We are looking for the first kernel version that exhibits this bug:

For 4.14 and earlier kernels, install the linux-image and linux-image-extra .deb packages:
4.14.0-11: https://launchpad.net/~canonical-kernel-team/+archive/ubuntu/bootstrap/+build/13813977

4.14.0-16: https://launchpad.net/~canonical-kernel-security-team/+archive/ubuntu/ppa2/+build/14223014

4.15.0-9: https://launchpad.net/ubuntu/+source/linux/4.15.0-9.10/+build/14326410
4.15.0-20: https://launchpad.net/ubuntu/+source/linux/4.15.0-20.21/+build/14791489

You don't have to test every kernel, just up until the kernel that first has this bug.

Thanks in advance!

Revision history for this message
Benjamin Schuele (bschuele) wrote :

the last working version is 4.15.0-15,
the version 4.15.0-20 has the bug

Revision history for this message
Joseph Salisbury (jsalisbury) wrote :
Revision history for this message
Benjamin Schuele (bschuele) wrote :

4.15.0-18 does not work

Revision history for this message
Joseph Salisbury (jsalisbury) wrote :

There is no -16 kernel, so the last one to test before bisecting would be 4.15.0-17:

https://launchpad.net/~canonical-kernel-team/+archive/ubuntu/unstable/+build/14768117

Revision history for this message
Benjamin Schuele (bschuele) wrote :

4.15.0-17 does also not work

Revision history for this message
Joseph Salisbury (jsalisbury) wrote :

There are a bunch of LSM stacking changes in 4.15.0-16 that may be the cause.

I built a test kernel with commit f14e289850b3 as the tip. The test kernel can be downloaded from:
http://kernel.ubuntu.com/~jsalisbury/lp1794067

Can you test this kernel and see if it resolves this bug?

Revision history for this message
Benjamin Schuele (bschuele) wrote :

no, does not

Revision history for this message
Michael Jarrett (mcjarrett0) wrote :

This also affects me on Ubuntu 18.04, kernel 4.15.0-39.

This issue is causing update-initramfs to fail since many of the initramfs-tools hooks use cp -a and are unable to complete.

Changed in linux (Ubuntu Bionic):
status: In Progress → Confirmed
Changed in linux (Ubuntu):
status: In Progress → Confirmed
assignee: Joseph Salisbury (jsalisbury) → nobody
Changed in linux (Ubuntu Bionic):
assignee: Joseph Salisbury (jsalisbury) → nobody
Revision history for this message
Andreas Pflug (pgadmin-j) wrote :

Suffering from this as well, making kernel upgrades on several machines quite hard (need to boot with selinux=0).
I can reproduce the failure with the steps above on 4.15.18-38, while Debian buster/sid with 4.19.28-2 doesn't show the problem.
