NACK: [PATCH][SRU][xenial] UBUNTU: SAUCE: apparmor: fix audit failures when performing onexec
Tyler Hicks
tyhicks at canonical.com
Thu Aug 1 17:18:46 UTC 2019
On 2019-08-01 09:57:59, Tyler Hicks wrote:
> On 2019-08-01 09:47:29, Tyler Hicks wrote:
> > On 2019-08-01 04:29:21, John Johansen wrote:
> > >
> > > There are 2 cases where a denial in onexec profile transitions can
> > > occur that result in an apparmor WARN traceback. The first occurs if
> > > onexec is denied by policy, the second if onexec fails due to
> > > no-new-privs.
> > >
> > > [1140910.816457] ------------[ cut here ]------------
> > > [1140910.816466] WARNING: CPU: 4 PID: 32497 at /build/linux-UdetSb/linux-4.4.0/security/apparmor/file.c:136 aa_audit_file+0x16e/0x180()
> > > [1140910.816467] AppArmor WARN aa_audit_file: ((!(&sa)->apparmor_audit_data->request)):
> > > [1140910.816469] Modules linked in:
> > > [1140910.816470] xt_mark xt_comment ip_vs_sh ip_vs_wrr ip_vs_rr ip_vs xt_REDIRECT nf_nat_redirect xt_nat veth btrfs xor raid6_pq ufs qnx4 hfsplus hfs minix ntfs msdos jfs xfs libcrc32c msr nf_conntrack_netlink nfnetlink xfrm_user xfrm_algo xt_addrtype br_netfilter pci_stub vboxpci(OE) vboxnetadp(OE) vboxnetflt(OE) vboxdrv(OE) xt_CHECKSUM iptable_mangle rfcomm ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ipt_REJECT nf_reject_ipv4 xt_tcpudp bridge stp llc ebtable_filter ebtables ip6table_filter ip6_tables xt_multiport iptable_filter ip_tables x_tables aufs overlay bnep uvcvideo videobuf2_vmalloc btusb videobuf2_memops videobuf2_v4l2 btrtl btbcm videobuf2_core btintel v4l2_common bluetooth videodev media binfmt_misc arc4
> > > [1140910.816508] iwlmvm mac80211 intel_rapl snd_hda_codec_hdmi x86_pkg_temp_thermal intel_powerclamp snd_hda_codec_realtek snd_hda_codec_generic iwlwifi joydev input_leds serio_raw cfg80211 snd_hda_intel snd_hda_codec snd_hda_core lpc_ich snd_hwdep thinkpad_acpi nvram snd_pcm snd_seq_midi mei_me snd_seq_midi_event shpchp ie31200_edac mei snd_rawmidi edac_core snd_seq wmi snd_seq_device snd_timer snd soundcore kvm_intel mac_hid kvm irqbypass coretemp parport_pc ppdev lp parport autofs4 drbg ansi_cprng algif_skcipher af_alg dm_crypt hid_generic hid_logitech_hidpp hid_logitech_dj usbhid hid uas usb_storage crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel i915 aes_x86_64 lrw gf128mul glue_helper ablk_helper cryptd i2c_algo_bit drm_kms_helper psmouse syscopyarea sysfillrect ahci sysimgblt e1000e
> > > [1140910.816544] fb_sys_fops libahci sdhci_pci drm sdhci ptp pps_core fjes video
> > > [1140910.816549] CPU: 4 PID: 32497 Comm: runc:[2:INIT] Tainted: G W OE 4.4.0-151-generic #178-Ubuntu
> > > [1140910.816551] Hardware name: LENOVO 20EFCTO1WW/20EFCTO1WW, BIOS GNET82WW (2.30 ) 03/21/2017
> > > [1140910.816552] 0000000000000286 312c35d8d7e796cb ffff880637cef9d0 ffffffff8140b481
> > > [1140910.816554] ffff880637cefa18 ffffffff81d02fe8 ffff880637cefa08 ffffffff81085432
> > > [1140910.816555] ffff880108206400 ffff880637cefb6c ffff880825129b88 ffff880637cefd88
> > > [1140910.816557] Call Trace:
> > > [1140910.816563] [<ffffffff8140b481>] dump_stack+0x63/0x82
> > > [1140910.816567] [<ffffffff81085432>] warn_slowpath_common+0x82/0xc0
> > > [1140910.816569] [<ffffffff810854cc>] warn_slowpath_fmt+0x5c/0x80
> > > [1140910.816571] [<ffffffff81397ebc>] ? label_match.constprop.9+0x3dc/0x6c0
> > > [1140910.816573] [<ffffffff813a696e>] aa_audit_file+0x16e/0x180
> > > [1140910.816575] [<ffffffff813982dd>] profile_onexec+0x13d/0x3d0
> > > [1140910.816577] [<ffffffff8139a33e>] handle_onexec+0x10e/0x10d0
> > > [1140910.816581] [<ffffffff81242957>] ? vfs_getxattr_alloc+0x67/0x100
> > > [1140910.816584] [<ffffffff81355395>] ? cap_inode_getsecurity+0x95/0x220
> > > [1140910.816588] [<ffffffff8135965d>] ? security_inode_getsecurity+0x5d/0x70
> > > [1140910.816590] [<ffffffff8139b417>] apparmor_bprm_set_creds+0x117/0xa60
> > > [1140910.816591] [<ffffffff81242a8e>] ? vfs_getxattr+0x9e/0xb0
> > > [1140910.816595] [<ffffffffc05be712>] ? ovl_getxattr+0x52/0xb0 [overlay]
> > > [1140910.816597] [<ffffffff8135619d>] ? get_vfs_caps_from_disk+0x7d/0x180
> > > [1140910.816599] [<ffffffff81356343>] ? cap_bprm_set_creds+0xa3/0x5f0
> > > [1140910.816601] [<ffffffff81358909>] security_bprm_set_creds+0x39/0x50
> > > [1140910.816605] [<ffffffff812229d5>] prepare_binprm+0x85/0x190
> > > [1140910.816607] [<ffffffff812240f4>] do_execveat_common.isra.31+0x4b4/0x770
> > > [1140910.816610] [<ffffffff8122460a>] SyS_execve+0x3a/0x50
> > > [1140910.816613] [<ffffffff81863ed5>] stub_execve+0x5/0x5
> > > [1140910.816615] [<ffffffff81863b5b>] ? entry_SYSCALL_64_fastpath+0x22/0xcb
> > > [1140910.816616] ---[ end trace cf4320c1d43eedd8 ]---
> > >
> > > This is because the error is being audited as if onexec was not denied,
> > > thus triggering the AA_BUG check.
> > >
> > > BugLink: http://bugs.launchpad.net/bugs/1838627
> > > Signed-off-by: John Johansen <john.johansen at canonical.com>
> > > ---
> > > security/apparmor/domain.c | 5 ++++-
> > > 1 file changed, 4 insertions(+), 1 deletion(-)
> > >
> > > diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
> > > index 576d51194eae..86e2908f805d 100644
> > > --- a/security/apparmor/domain.c
> > > +++ b/security/apparmor/domain.c
> > > @@ -647,8 +647,10 @@ static int profile_onexec(struct aa_profile *profile, struct aa_label *onexec,
> > > state = aa_dfa_null_transition(profile->file.dfa, state);
> > > error = change_profile_perms(profile, onexec, stack, AA_MAY_ONEXEC,
> > > state, &perms);
> > > - if (error)
> > > + if (error) {
> > > + perms.allow &= ~AA_MAY_ONEXEC;
> > > goto audit;
> > > + }
> > >
> > > /* Policy has specified a domain transitions. if no_new_privs and
> > > * confined and not transitioning to the current domain fail.
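Review bot: The `perms.allow &= ~AA_MAY_ONEXEC;` mask is added to each error path separately (here after change_profile_perms() fails, and again in the no-new-privs branch below), so any future path that sets `error` and jumps to `audit` can reintroduce the same AA_BUG. Consider doing it once under the `audit:` label, e.g. `if (error) perms.allow &= ~AA_MAY_ONEXEC;`, so the audit record consistently reports the onexec request as denied whenever an error is being audited. Note also that this hunk masks the bit for every non-zero `error` without setting `info`, so a failure inside change_profile_perms() will be logged as a plain onexec denial; if log consumers need to tell that apart from a policy denial, set `info` here the way the no-new-privs branch does.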
> > > @@ -662,6 +664,7 @@ static int profile_onexec(struct aa_profile *profile, struct aa_label *onexec,
> > > !aa_label_is_subset(onexec, &profile->label)) {
> > > error = -EPERM;
> > > info = "no new privs";
> > > + perms.allow &= ~AA_MAY_ONEXEC;
> >
> > A similar change also needs to be added to the NNP check in
> > change_profile_perms_wrapper(). I can trigger the AA_WARN() from that
> > error path, as well:
> >
> > [ 14.721337] WARNING: CPU: 0 PID: 1453 at /tmp/kernel-tyhicks-a20f622-EAUF/build/security/apparmor/file.c:136 aa_audit_file+0x16e/0x180()
> > [ 14.721339] AppArmor WARN aa_audit_file: ((!(&sa)->apparmor_audit_data->request)):
> > [ 14.721340] Modules linked in:
> > [ 14.721342] snd_hda_codec_generic kvm_intel snd_hda_intel snd_hda_codec kvm irqbypass snd_hda_core snd_hwdep snd_pcm input_leds joydev serio_raw snd_timer snd soundcore i2c_piix4 8250_fintek mac_hid ib
> > _iser rdma_cm iw_cm ib_cm ib_sa ib_mad ib_core ib_addr iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 btrfs raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6
> > _pq libcrc32c raid1 raid0 multipath linear hid_generic usbhid crct10dif_pclmul hid crc32_pclmul ghash_clmulni_intel aesni_intel qxl aes_x86_64 ttm lrw gf128mul glue_helper ablk_helper cryptd drm_kms_helper
> > syscopyarea sysfillrect sysimgblt psmouse fb_sys_fops drm pata_acpi floppy
> > [ 14.721387] CPU: 0 PID: 1453 Comm: transition Tainted: G W 4.4.0-158-generic #186~aa.1
> > [ 14.721389] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
> > [ 14.721391] 0000000000000286 f4807cdf06cc1e28 ffff88003808fae8 ffffffff8140c9b1
> > [ 14.721394] ffff88003808fb30 ffffffff81d04208 ffff88003808fb20 ffffffff810864d2
> > [ 14.721397] ffff880038036800 ffff88003808fc9c ffff88003808fc9c ffff88003808fd88
> > [ 14.721400] Call Trace:
> > [ 14.721407] [<ffffffff8140c9b1>] dump_stack+0x63/0x82
> > [ 14.721412] [<ffffffff810864d2>] warn_slowpath_common+0x82/0xc0
> > [ 14.721415] [<ffffffff8108656c>] warn_slowpath_fmt+0x5c/0x80
> > [ 14.721419] [<ffffffff813a7dfe>] aa_audit_file+0x16e/0x180
> > [ 14.721423] [<ffffffff8139ae57>] profile_transition+0x3e7/0xc80
>
> Hrm, I guess this indicates that we need the change in the NNP check in
> profile_transition() instead of (or in addition to?)
> change_profile_perms_wrapper(), as mentioned above. I could have sworn
> that I saw aa_change_profile() in a stack trace, which is what made me
> think change_profile_perms_wrapper() needed to be updated, but now I
> can't find it.
>
> Tyler
>
> > [ 14.721426] [<ffffffff8139d136>] apparmor_bprm_set_creds+0x956/0xa60
> > [ 14.721431] [<ffffffff812f9d1c>] ? ext4_xattr_security_get+0x1c/0x30
> > [ 14.721435] [<ffffffff81243911>] ? generic_getxattr+0x51/0x70
> > [ 14.721439] [<ffffffff8135778d>] ? get_vfs_caps_from_disk+0x7d/0x180
> > [ 14.721442] [<ffffffff81357933>] ? cap_bprm_set_creds+0xa3/0x5f0
> > [ 14.721447] [<ffffffff81359ef9>] security_bprm_set_creds+0x39/0x50
> > [ 14.721451] [<ffffffff81223da5>] prepare_binprm+0x85/0x190
> > [ 14.721453] [<ffffffff812254ca>] do_execveat_common.isra.31+0x4ba/0x780
> > [ 14.721456] [<ffffffff812259ea>] SyS_execve+0x3a/0x50
> > [ 14.721460] [<ffffffff81865295>] stub_execve+0x5/0x5
> > [ 14.721464] [<ffffffff81864f1b>] ? entry_SYSCALL_64_fastpath+0x22/0xcb
> > [ 14.721466] ---[ end trace f0bc5f47039c8348 ]---
> >
> > I've written a set of automated regression tests for NNP and AppArmor which
> > trigger this WARNING as well as the original one. I'll reply here once I've got
> > a public PR available on the AppArmor gitlab page.
The NNP tests can be found here:
https://gitlab.com/apparmor/apparmor/merge_requests/408
Note the additional B and X test failure described here:
https://gitlab.com/apparmor/apparmor/merge_requests/408#note_199095464
Tyler
> >
> > Tyler
> >
> > > goto audit;
> > > }
> > >
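Review bot: This hunk only covers the no-new-privs branch of profile_onexec(); the second trace in this thread reaches aa_audit_file() from profile_transition+0x3e7, whose equivalent `error = -EPERM; info = "no new privs";` branch is not touched by the patch, so that path still audits an error while `perms.allow` covers the requested permission and trips the same `AA_BUG(!aad(&sa)->request)`. The requested permission needs to be masked out of `perms.allow` in that branch as well before this can be applied, and the NNP regression tests linked in the thread (merge request 408) are the natural check that both paths are fixed.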
> > > --
> > > 2.17.1
> > >