NACK: [PATCH][SRU][xenial] UBUNTU: SAUCE: apparmor: fix audit failures when performing onexec

Tyler Hicks tyhicks at canonical.com
Thu Aug 1 14:58:00 UTC 2019 

On 2019-08-01 09:47:29, Tyler Hicks wrote:
> On 2019-08-01 04:29:21, John Johansen wrote:
> > 
> > There are 2 cases where a denial in onexec profile transitions can
> > occur that results in an apparmor WARN traceback. The first occurs if
> > onexec is denied by policy, the second if onexec fails due to
> > no-new-privs.
> > 
> > [1140910.816457] ------------[ cut here ]------------
> > [1140910.816466] WARNING: CPU: 4 PID: 32497 at /build/linux-UdetSb/linux-4.4.0/security/apparmor/file.c:136 aa_audit_file+0x16e/0x180()
> > [1140910.816467] AppArmor WARN aa_audit_file: ((!(&sa)->apparmor_audit_data->request)):
> > [1140910.816469] Modules linked in:
> > [1140910.816470]  xt_mark xt_comment ip_vs_sh ip_vs_wrr ip_vs_rr ip_vs xt_REDIRECT nf_nat_redirect xt_nat veth btrfs xor raid6_pq ufs qnx4 hfsplus hfs minix ntfs msdos jfs xfs libcrc32c msr nf_conntrack_netlink nfnetlink xfrm_user xfrm_algo xt_addrtype br_netfilter pci_stub vboxpci(OE) vboxnetadp(OE) vboxnetflt(OE) vboxdrv(OE) xt_CHECKSUM iptable_mangle rfcomm ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ipt_REJECT nf_reject_ipv4 xt_tcpudp bridge stp llc ebtable_filter ebtables ip6table_filter ip6_tables xt_multiport iptable_filter ip_tables x_tables aufs overlay bnep uvcvideo videobuf2_vmalloc btusb videobuf2_memops videobuf2_v4l2 btrtl btbcm videobuf2_core btintel v4l2_common bluetooth videodev media binfmt_misc arc4
> > [1140910.816508]  iwlmvm mac80211 intel_rapl snd_hda_codec_hdmi x86_pkg_temp_thermal intel_powerclamp snd_hda_codec_realtek snd_hda_codec_generic iwlwifi joydev input_leds serio_raw cfg80211 snd_hda_intel snd_hda_codec snd_hda_core lpc_ich snd_hwdep thinkpad_acpi nvram snd_pcm snd_seq_midi mei_me snd_seq_midi_event shpchp ie31200_edac mei snd_rawmidi edac_core snd_seq wmi snd_seq_device snd_timer snd soundcore kvm_intel mac_hid kvm irqbypass coretemp parport_pc ppdev lp parport autofs4 drbg ansi_cprng algif_skcipher af_alg dm_crypt hid_generic hid_logitech_hidpp hid_logitech_dj usbhid hid uas usb_storage crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel i915 aes_x86_64 lrw gf128mul glue_helper ablk_helper cryptd i2c_algo_bit drm_kms_helper psmouse syscopyarea sysfillrect ahci sysimgblt e1000e
> > [1140910.816544]  fb_sys_fops libahci sdhci_pci drm sdhci ptp pps_core fjes video
> > [1140910.816549] CPU: 4 PID: 32497 Comm: runc:[2:INIT] Tainted: G        W  OE   4.4.0-151-generic #178-Ubuntu
> > [1140910.816551] Hardware name: LENOVO 20EFCTO1WW/20EFCTO1WW, BIOS GNET82WW (2.30 ) 03/21/2017
> > [1140910.816552]  0000000000000286 312c35d8d7e796cb ffff880637cef9d0 ffffffff8140b481
> > [1140910.816554]  ffff880637cefa18 ffffffff81d02fe8 ffff880637cefa08 ffffffff81085432
> > [1140910.816555]  ffff880108206400 ffff880637cefb6c ffff880825129b88 ffff880637cefd88
> > [1140910.816557] Call Trace:
> > [1140910.816563]  [<ffffffff8140b481>] dump_stack+0x63/0x82
> > [1140910.816567]  [<ffffffff81085432>] warn_slowpath_common+0x82/0xc0
> > [1140910.816569]  [<ffffffff810854cc>] warn_slowpath_fmt+0x5c/0x80
> > [1140910.816571]  [<ffffffff81397ebc>] ? label_match.constprop.9+0x3dc/0x6c0
> > [1140910.816573]  [<ffffffff813a696e>] aa_audit_file+0x16e/0x180
> > [1140910.816575]  [<ffffffff813982dd>] profile_onexec+0x13d/0x3d0
> > [1140910.816577]  [<ffffffff8139a33e>] handle_onexec+0x10e/0x10d0
> > [1140910.816581]  [<ffffffff81242957>] ? vfs_getxattr_alloc+0x67/0x100
> > [1140910.816584]  [<ffffffff81355395>] ? cap_inode_getsecurity+0x95/0x220
> > [1140910.816588]  [<ffffffff8135965d>] ? security_inode_getsecurity+0x5d/0x70
> > [1140910.816590]  [<ffffffff8139b417>] apparmor_bprm_set_creds+0x117/0xa60
> > [1140910.816591]  [<ffffffff81242a8e>] ? vfs_getxattr+0x9e/0xb0
> > [1140910.816595]  [<ffffffffc05be712>] ? ovl_getxattr+0x52/0xb0 [overlay]
> > [1140910.816597]  [<ffffffff8135619d>] ? get_vfs_caps_from_disk+0x7d/0x180
> > [1140910.816599]  [<ffffffff81356343>] ? cap_bprm_set_creds+0xa3/0x5f0
> > [1140910.816601]  [<ffffffff81358909>] security_bprm_set_creds+0x39/0x50
> > [1140910.816605]  [<ffffffff812229d5>] prepare_binprm+0x85/0x190
> > [1140910.816607]  [<ffffffff812240f4>] do_execveat_common.isra.31+0x4b4/0x770
> > [1140910.816610]  [<ffffffff8122460a>] SyS_execve+0x3a/0x50
> > [1140910.816613]  [<ffffffff81863ed5>] stub_execve+0x5/0x5
> > [1140910.816615]  [<ffffffff81863b5b>] ? entry_SYSCALL_64_fastpath+0x22/0xcb
> > [1140910.816616] ---[ end trace cf4320c1d43eedd8 ]---
> > 
> > This is because the error is being audited as if onexec was not denied
> > this triggering the AA_BUG check.
> > 
> > BugLink: http://bugs.launchpad.net/bugs/1838627
> > Signed-off-by: John Johansen <john.johansen at canonical.com>
> > ---
> >  security/apparmor/domain.c | 5 ++++-
> >  1 file changed, 4 insertions(+), 1 deletion(-)
> > 
> > diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
> > index 576d51194eae..86e2908f805d 100644
> > --- a/security/apparmor/domain.c
> > +++ b/security/apparmor/domain.c
> > @@ -647,8 +647,10 @@ static int profile_onexec(struct aa_profile *profile, struct aa_label *onexec,
> >  	state = aa_dfa_null_transition(profile->file.dfa, state);
> >  	error = change_profile_perms(profile, onexec, stack, AA_MAY_ONEXEC,
> >  				     state, &perms);
> > -	if (error)
> > +	if (error) {
> > +		perms.allow &= ~AA_MAY_ONEXEC;
> >  		goto audit;
> > +	}
> >  
> >  	/* Policy has specified a domain transitions. if no_new_privs and
> >  	 * confined and not transitioning to the current domain fail.
> > @@ -662,6 +664,7 @@ static int profile_onexec(struct aa_profile *profile, struct aa_label *onexec,
> >  	    !aa_label_is_subset(onexec, &profile->label)) {
> >  		error = -EPERM;
> >  		info = "no new privs";
> > +		perms.allow &= ~AA_MAY_ONEXEC;
> 
> A similar change also needs to be added to the NNP check in
> change_profile_perms_wrapper(). I can trigger the AA_WARN() from that
> error path, as well:
> 
> [   14.721337] WARNING: CPU: 0 PID: 1453 at /tmp/kernel-tyhicks-a20f622-EAUF/build/security/apparmor/file.c:136 aa_audit_file+0x16e/0x180()
> [   14.721339] AppArmor WARN aa_audit_file: ((!(&sa)->apparmor_audit_data->request)): 
> [   14.721340] Modules linked in:
> [   14.721342]  snd_hda_codec_generic kvm_intel snd_hda_intel snd_hda_codec kvm irqbypass snd_hda_core snd_hwdep snd_pcm input_leds joydev serio_raw snd_timer snd soundcore i2c_piix4 8250_fintek mac_hid ib
> _iser rdma_cm iw_cm ib_cm ib_sa ib_mad ib_core ib_addr iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 btrfs raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6
> _pq libcrc32c raid1 raid0 multipath linear hid_generic usbhid crct10dif_pclmul hid crc32_pclmul ghash_clmulni_intel aesni_intel qxl aes_x86_64 ttm lrw gf128mul glue_helper ablk_helper cryptd drm_kms_helper
>  syscopyarea sysfillrect sysimgblt psmouse fb_sys_fops drm pata_acpi floppy
> [   14.721387] CPU: 0 PID: 1453 Comm: transition Tainted: G        W       4.4.0-158-generic #186~aa.1
> [   14.721389] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
> [   14.721391]  0000000000000286 f4807cdf06cc1e28 ffff88003808fae8 ffffffff8140c9b1
> [   14.721394]  ffff88003808fb30 ffffffff81d04208 ffff88003808fb20 ffffffff810864d2
> [   14.721397]  ffff880038036800 ffff88003808fc9c ffff88003808fc9c ffff88003808fd88
> [   14.721400] Call Trace:
> [   14.721407]  [<ffffffff8140c9b1>] dump_stack+0x63/0x82
> [   14.721412]  [<ffffffff810864d2>] warn_slowpath_common+0x82/0xc0
> [   14.721415]  [<ffffffff8108656c>] warn_slowpath_fmt+0x5c/0x80
> [   14.721419]  [<ffffffff813a7dfe>] aa_audit_file+0x16e/0x180
> [   14.721423]  [<ffffffff8139ae57>] profile_transition+0x3e7/0xc80

Hrm, I guess this indicates that we need the change in the NNP check in
profile_transition() instead of (or in addition to?)
change_profile_perms_wrapper(), as mentioned above. I could have swore
that I saw aa_change_profile() in a stack trace, which is what made me
think change_profile_perms_wrapper() needed to be updated, but now I
can't find it.

Tyler

> [   14.721426]  [<ffffffff8139d136>] apparmor_bprm_set_creds+0x956/0xa60
> [   14.721431]  [<ffffffff812f9d1c>] ? ext4_xattr_security_get+0x1c/0x30
> [   14.721435]  [<ffffffff81243911>] ? generic_getxattr+0x51/0x70
> [   14.721439]  [<ffffffff8135778d>] ? get_vfs_caps_from_disk+0x7d/0x180
> [   14.721442]  [<ffffffff81357933>] ? cap_bprm_set_creds+0xa3/0x5f0
> [   14.721447]  [<ffffffff81359ef9>] security_bprm_set_creds+0x39/0x50
> [   14.721451]  [<ffffffff81223da5>] prepare_binprm+0x85/0x190
> [   14.721453]  [<ffffffff812254ca>] do_execveat_common.isra.31+0x4ba/0x780
> [   14.721456]  [<ffffffff812259ea>] SyS_execve+0x3a/0x50
> [   14.721460]  [<ffffffff81865295>] stub_execve+0x5/0x5
> [   14.721464]  [<ffffffff81864f1b>] ? entry_SYSCALL_64_fastpath+0x22/0xcb
> [   14.721466] ---[ end trace f0bc5f47039c8348 ]---
> 
> I've written a set of automated regression tests for NNP and AppArmor which
> trigger this WARNING as well as the original one. I'll reply here once I've got
> a public PR available on the AppArmor gitlab page.
> 
> Tyler
> 
> >  		goto audit;
> >  	}
> >  
> > -- 
> > 2.17.1
> >

More information about the kernel-team mailing list