ACK: [PATCH][SRU][xenial] UBUNTU: SAUCE: apparmor: fix audit failures when performing profile transitions

Tyler Hicks tyhicks at canonical.com
Tue Aug 6 16:29:07 UTC 2019


On 2019-08-05 16:28:59, John Johansen wrote:
> From fdca76b2ed3795d24e445d24cdc244a63b8772f5 Mon Sep 17 00:00:00 2001
> From: John Johansen <john.johansen at canonical.com>
> Date: Tue, 30 Jul 2019 11:34:27 -0700
> Subject: [PATCH 3/4] UBUNTU: SAUCE: apparmor: fix audit failures when
>  performing profile transitions
> 
> v2. Add fix to profile_transition() also
> 
> There are 2 cases where a denial in onexec profile transitions can
> occur that results in an apparmor WARN traceback. The first occurs if
> onexec is denied by policy, the second if onexec fails due to
> no-new-privs.
> 
> A similar failure can occur in profile_transition() when directed to
> perform a stack, resulting in a similar traceback with handle_onexec()
> replaced by profile_transition().
> 
> [1140910.816457] ------------[ cut here ]------------
> [1140910.816466] WARNING: CPU: 4 PID: 32497 at /build/linux-UdetSb/linux-4.4.0/security/apparmor/file.c:136 aa_audit_file+0x16e/0x180()
> [1140910.816467] AppArmor WARN aa_audit_file: ((!(&sa)->apparmor_audit_data->request)):
> [1140910.816469] Modules linked in:
> [1140910.816470]  xt_mark xt_comment ip_vs_sh ip_vs_wrr ip_vs_rr ip_vs xt_REDIRECT nf_nat_redirect xt_nat veth btrfs xor raid6_pq ufs qnx4 hfsplus hfs minix ntfs msdos jfs xfs libcrc32c msr nf_conntrack_netlink nfnetlink xfrm_user xfrm_algo xt_addrtype br_netfilter pci_stub vboxpci(OE) vboxnetadp(OE) vboxnetflt(OE) vboxdrv(OE) xt_CHECKSUM iptable_mangle rfcomm ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ipt_REJECT nf_reject_ipv4 xt_tcpudp bridge stp llc ebtable_filter ebtables ip6table_filter ip6_tables xt_multiport iptable_filter ip_tables x_tables aufs overlay bnep uvcvideo videobuf2_vmalloc btusb videobuf2_memops videobuf2_v4l2 btrtl btbcm videobuf2_core btintel v4l2_common bluetooth videodev media binfmt_misc arc4
> [1140910.816508]  iwlmvm mac80211 intel_rapl snd_hda_codec_hdmi x86_pkg_temp_thermal intel_powerclamp snd_hda_codec_realtek snd_hda_codec_generic iwlwifi joydev input_leds serio_raw cfg80211 snd_hda_intel snd_hda_codec snd_hda_core lpc_ich snd_hwdep thinkpad_acpi nvram snd_pcm snd_seq_midi mei_me snd_seq_midi_event shpchp ie31200_edac mei snd_rawmidi edac_core snd_seq wmi snd_seq_device snd_timer snd soundcore kvm_intel mac_hid kvm irqbypass coretemp parport_pc ppdev lp parport autofs4 drbg ansi_cprng algif_skcipher af_alg dm_crypt hid_generic hid_logitech_hidpp hid_logitech_dj usbhid hid uas usb_storage crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel i915 aes_x86_64 lrw gf128mul glue_helper ablk_helper cryptd i2c_algo_bit drm_kms_helper psmouse syscopyarea sysfillrect ahci sysimgblt e1000e
> [1140910.816544]  fb_sys_fops libahci sdhci_pci drm sdhci ptp pps_core fjes video
> [1140910.816549] CPU: 4 PID: 32497 Comm: runc:[2:INIT] Tainted: G        W  OE   4.4.0-151-generic #178-Ubuntu
> [1140910.816551] Hardware name: LENOVO 20EFCTO1WW/20EFCTO1WW, BIOS GNET82WW (2.30 ) 03/21/2017
> [1140910.816552]  0000000000000286 312c35d8d7e796cb ffff880637cef9d0 ffffffff8140b481
> [1140910.816554]  ffff880637cefa18 ffffffff81d02fe8 ffff880637cefa08 ffffffff81085432
> [1140910.816555]  ffff880108206400 ffff880637cefb6c ffff880825129b88 ffff880637cefd88
> [1140910.816557] Call Trace:
> [1140910.816563]  [<ffffffff8140b481>] dump_stack+0x63/0x82
> [1140910.816567]  [<ffffffff81085432>] warn_slowpath_common+0x82/0xc0
> [1140910.816569]  [<ffffffff810854cc>] warn_slowpath_fmt+0x5c/0x80
> [1140910.816571]  [<ffffffff81397ebc>] ? label_match.constprop.9+0x3dc/0x6c0
> [1140910.816573]  [<ffffffff813a696e>] aa_audit_file+0x16e/0x180
> [1140910.816575]  [<ffffffff813982dd>] profile_onexec+0x13d/0x3d0
> [1140910.816577]  [<ffffffff8139a33e>] handle_onexec+0x10e/0x10d0
> [1140910.816581]  [<ffffffff81242957>] ? vfs_getxattr_alloc+0x67/0x100
> [1140910.816584]  [<ffffffff81355395>] ? cap_inode_getsecurity+0x95/0x220
> [1140910.816588]  [<ffffffff8135965d>] ? security_inode_getsecurity+0x5d/0x70
> [1140910.816590]  [<ffffffff8139b417>] apparmor_bprm_set_creds+0x117/0xa60
> [1140910.816591]  [<ffffffff81242a8e>] ? vfs_getxattr+0x9e/0xb0
> [1140910.816595]  [<ffffffffc05be712>] ? ovl_getxattr+0x52/0xb0 [overlay]
> [1140910.816597]  [<ffffffff8135619d>] ? get_vfs_caps_from_disk+0x7d/0x180
> [1140910.816599]  [<ffffffff81356343>] ? cap_bprm_set_creds+0xa3/0x5f0
> [1140910.816601]  [<ffffffff81358909>] security_bprm_set_creds+0x39/0x50
> [1140910.816605]  [<ffffffff812229d5>] prepare_binprm+0x85/0x190
> [1140910.816607]  [<ffffffff812240f4>] do_execveat_common.isra.31+0x4b4/0x770
> [1140910.816610]  [<ffffffff8122460a>] SyS_execve+0x3a/0x50
> [1140910.816613]  [<ffffffff81863ed5>] stub_execve+0x5/0x5
> [1140910.816615]  [<ffffffff81863b5b>] ? entry_SYSCALL_64_fastpath+0x22/0xcb
> [1140910.816616] ---[ end trace cf4320c1d43eedd8 ]---
> 
> This is because the error is being audited as if onexec was not denied,
> thus triggering the AA_BUG check.
> 
> BugLink: http://bugs.launchpad.net/bugs/1838627
> Signed-off-by: John Johansen <john.johansen at canonical.com>

Acked-by: Tyler Hicks <tyhicks at canonical.com>

Thanks for spinning v2.

Tyler

> ---
>  security/apparmor/domain.c | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
> 
> diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
> index 576d51194eae..d9e29b2fdda2 100644
> --- a/security/apparmor/domain.c
> +++ b/security/apparmor/domain.c
> @@ -573,6 +573,7 @@ static struct aa_label *profile_transition(struct aa_profile *profile,
>  		error = -EPERM;
>  		info = "no new privs";
>  		nonewprivs = true;
> +		perms.allow &= ~MAY_EXEC;
>  		goto audit;
>  	}
>  
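Review bot: the mask is only applied in this no-new-privs branch of profile_transition(), yet the commit message says the profile_transition() traceback appears "when directed to perform a stack"; please confirm that the stack case reaches audit through this branch (or that any other error path that jumps to audit also clears MAY_EXEC), otherwise the same AA_BUG can still fire there. A one-line comment above `perms.allow &= ~MAY_EXEC;` explaining that the bit is cleared so the audit records a denied exec rather than tripping the request check in aa_audit_file() would make the intent clear to the next reader.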
> @@ -647,8 +648,10 @@ static int profile_onexec(struct aa_profile *profile, struct aa_label *onexec,
>  	state = aa_dfa_null_transition(profile->file.dfa, state);
>  	error = change_profile_perms(profile, onexec, stack, AA_MAY_ONEXEC,
>  				     state, &perms);
> -	if (error)
> +	if (error) {
> +		perms.allow &= ~AA_MAY_ONEXEC;
>  		goto audit;
> +	}
>  
>  	/* Policy has specified a domain transitions. if no_new_privs and
>  	 * confined and not transitioning to the current domain fail.
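Review bot: `perms.allow &= ~AA_MAY_ONEXEC;` is applied for any non-zero return from change_profile_perms(), so a failure that is not a policy denial is also logged as a denied onexec; if that is the intended behaviour it deserves a short comment, since the link between clearing the allow bit and satisfying the AA_BUG check in aa_audit_file() described in the commit message is not obvious from the code itself.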
> @@ -662,6 +665,7 @@ static int profile_onexec(struct aa_profile *profile, struct aa_label *onexec,
>  	    !aa_label_is_subset(onexec, &profile->label)) {
>  		error = -EPERM;
>  		info = "no new privs";
> +		perms.allow &= ~AA_MAY_ONEXEC;
>  		goto audit;
>  	}
>  
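Review bot: this is the second place in profile_onexec() that clears AA_MAY_ONEXEC immediately before `goto audit;` (the other is the change_profile_perms() error path in the previous hunk); a single `if (error) perms.allow &= ~AA_MAY_ONEXEC;` at the audit label would cover both paths and avoid the duplication, and would also catch any future error path added to this function.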
> -- 
> 2.17.1
> 