[PATCH][SRU][xenial] UBUNTU: SAUCE: apparmor: fix audit failures when, performing profile transitions
John Johansen
john.johansen at canonical.com
Mon Aug 5 23:28:59 UTC 2019
>From fdca76b2ed3795d24e445d24cdc244a63b8772f5 Mon Sep 17 00:00:00 2001
From: John Johansen <john.johansen at canonical.com>
Date: Tue, 30 Jul 2019 11:34:27 -0700
Subject: [PATCH 3/4] UBUNTU: SAUCE: apparmor: fix audit failures when
performing profile transitions
v2. Add fix to profile_transition() also
There are 2 cases where a denial in onexec profile transitions can
occur that results in an apparmor WARN traceback. The first occurs if
onexec is denied by policy, the second if onexec fails due to
no-new-privs.
A similar failure can occur in profile_transition() when directed to
perform a stack, resulting in a simiar traceback with handle_onexec()
replaced by profile_transition().
[1140910.816457] ------------[ cut here ]------------
[1140910.816466] WARNING: CPU: 4 PID: 32497 at /build/linux-UdetSb/linux-4.4.0/security/apparmor/file.c:136 aa_audit_file+0x16e/0x180()
[1140910.816467] AppArmor WARN aa_audit_file: ((!(&sa)->apparmor_audit_data->request)):
[1140910.816469] Modules linked in:
[1140910.816470] xt_mark xt_comment ip_vs_sh ip_vs_wrr ip_vs_rr ip_vs xt_REDIRECT nf_nat_redirect xt_nat veth btrfs xor raid6_pq ufs qnx4 hfsplus hfs minix ntfs msdos jfs xfs libcrc32c msr nf_conntrack_netlink nfnetlink xfrm_user xfrm_algo xt_addrtype br_netfilter pci_stub vboxpci(OE) vboxnetadp(OE) vboxnetflt(OE) vboxdrv(OE) xt_CHECKSUM iptable_mangle rfcomm ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ipt_REJECT nf_reject_ipv4 xt_tcpudp bridge stp llc ebtable_filter ebtables ip6table_filter ip6_tables xt_multiport iptable_filter ip_tables x_tables aufs overlay bnep uvcvideo videobuf2_vmalloc btusb videobuf2_memops videobuf2_v4l2 btrtl btbcm videobuf2_core btintel v4l2_common bluetooth videodev media binfmt_misc arc4
[1140910.816508] iwlmvm mac80211 intel_rapl snd_hda_codec_hdmi x86_pkg_temp_thermal intel_powerclamp snd_hda_codec_realtek snd_hda_codec_generic iwlwifi joydev input_leds serio_raw cfg80211 snd_hda_intel snd_hda_codec snd_hda_core lpc_ich snd_hwdep thinkpad_acpi nvram snd_pcm snd_seq_midi mei_me snd_seq_midi_event shpchp ie31200_edac mei snd_rawmidi edac_core snd_seq wmi snd_seq_device snd_timer snd soundcore kvm_intel mac_hid kvm irqbypass coretemp parport_pc ppdev lp parport autofs4 drbg ansi_cprng algif_skcipher af_alg dm_crypt hid_generic hid_logitech_hidpp hid_logitech_dj usbhid hid uas usb_storage crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel i915 aes_x86_64 lrw gf128mul glue_helper ablk_helper cryptd i2c_algo_bit drm_kms_helper psmouse syscopyarea sysfillrect ahci sysimgblt e1000e
[1140910.816544] fb_sys_fops libahci sdhci_pci drm sdhci ptp pps_core fjes video
[1140910.816549] CPU: 4 PID: 32497 Comm: runc:[2:INIT] Tainted: G W OE 4.4.0-151-generic #178-Ubuntu
[1140910.816551] Hardware name: LENOVO 20EFCTO1WW/20EFCTO1WW, BIOS GNET82WW (2.30 ) 03/21/2017
[1140910.816552] 0000000000000286 312c35d8d7e796cb ffff880637cef9d0 ffffffff8140b481
[1140910.816554] ffff880637cefa18 ffffffff81d02fe8 ffff880637cefa08 ffffffff81085432
[1140910.816555] ffff880108206400 ffff880637cefb6c ffff880825129b88 ffff880637cefd88
[1140910.816557] Call Trace:
[1140910.816563] [<ffffffff8140b481>] dump_stack+0x63/0x82
[1140910.816567] [<ffffffff81085432>] warn_slowpath_common+0x82/0xc0
[1140910.816569] [<ffffffff810854cc>] warn_slowpath_fmt+0x5c/0x80
[1140910.816571] [<ffffffff81397ebc>] ? label_match.constprop.9+0x3dc/0x6c0
[1140910.816573] [<ffffffff813a696e>] aa_audit_file+0x16e/0x180
[1140910.816575] [<ffffffff813982dd>] profile_onexec+0x13d/0x3d0
[1140910.816577] [<ffffffff8139a33e>] handle_onexec+0x10e/0x10d0
[1140910.816581] [<ffffffff81242957>] ? vfs_getxattr_alloc+0x67/0x100
[1140910.816584] [<ffffffff81355395>] ? cap_inode_getsecurity+0x95/0x220
[1140910.816588] [<ffffffff8135965d>] ? security_inode_getsecurity+0x5d/0x70
[1140910.816590] [<ffffffff8139b417>] apparmor_bprm_set_creds+0x117/0xa60
[1140910.816591] [<ffffffff81242a8e>] ? vfs_getxattr+0x9e/0xb0
[1140910.816595] [<ffffffffc05be712>] ? ovl_getxattr+0x52/0xb0 [overlay]
[1140910.816597] [<ffffffff8135619d>] ? get_vfs_caps_from_disk+0x7d/0x180
[1140910.816599] [<ffffffff81356343>] ? cap_bprm_set_creds+0xa3/0x5f0
[1140910.816601] [<ffffffff81358909>] security_bprm_set_creds+0x39/0x50
[1140910.816605] [<ffffffff812229d5>] prepare_binprm+0x85/0x190
[1140910.816607] [<ffffffff812240f4>] do_execveat_common.isra.31+0x4b4/0x770
[1140910.816610] [<ffffffff8122460a>] SyS_execve+0x3a/0x50
[1140910.816613] [<ffffffff81863ed5>] stub_execve+0x5/0x5
[1140910.816615] [<ffffffff81863b5b>] ? entry_SYSCALL_64_fastpath+0x22/0xcb
[1140910.816616] ---[ end trace cf4320c1d43eedd8 ]---
This is because the error is being audited as if onexec was not denied
this triggering the AA_BUG check.
BugLink: http://bugs.launchpad.net/bugs/1838627
Signed-off-by: John Johansen <john.johansen at canonical.com>
---
security/apparmor/domain.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
index 576d51194eae..d9e29b2fdda2 100644
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -573,6 +573,7 @@ static struct aa_label *profile_transition(struct aa_profile *profile,
error = -EPERM;
info = "no new privs";
nonewprivs = true;
+ perms.allow &= ~MAY_EXEC;
goto audit;
}
@@ -647,8 +648,10 @@ static int profile_onexec(struct aa_profile *profile, struct aa_label *onexec,
state = aa_dfa_null_transition(profile->file.dfa, state);
error = change_profile_perms(profile, onexec, stack, AA_MAY_ONEXEC,
state, &perms);
- if (error)
+ if (error) {
+ perms.allow &= ~AA_MAY_ONEXEC;
goto audit;
+ }
/* Policy has specified a domain transitions. if no_new_privs and
* confined and not transitioning to the current domain fail.
@@ -662,6 +665,7 @@ static int profile_onexec(struct aa_profile *profile, struct aa_label *onexec,
!aa_label_is_subset(onexec, &profile->label)) {
error = -EPERM;
info = "no new privs";
+ perms.allow &= ~AA_MAY_ONEXEC;
goto audit;
}
--
2.17.1
More information about the kernel-team
mailing list