lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CADG95vuTMGQY1HbPuHhD9kTEegUBFf75Nen2jPRZq4Xp_51wZw@mail.gmail.com>
Date:   Thu, 27 May 2021 11:59:41 +0800
From:   Bighead Wang <ex200208049@...il.com>
To:     Roberto Sassu <roberto.sassu@...wei.com>
Cc:     "zohar@...ux.ibm.com" <zohar@...ux.ibm.com>,
        "linux-integrity@...r.kernel.org" <linux-integrity@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: EVM gives no_label error due to security_kernfs_init_security

Hi Roberto
Thank you for the reply

Before I try this patch, I am sorry that I forget to mention that I
have loaded the EVM HMAC key in initramfs during system bootup.
Therefore, I don't think this patch will fix this issue although I
will give it a try. Because when issue happens, the key has already
loaded.

Thanks !

Roberto Sassu <roberto.sassu@...wei.com> 於 2021年5月25日 週二 下午5:29寫道:
>
> > From: Bighead Wang [mailto:ex200208049@...il.com]
> > Sent: Tuesday, May 25, 2021 11:19 AM
> > In cgroup filesystem, security_kernfs_init_security() will initialize
> > the security data for newly created kernfs node after kernel 5.2.,
> > however, new EVM xattr value is not initialized, and the no_label
> > error appears when evm_verify_hmac() is triggered.
> >
> >
> > The detailed description:
> > When system boots up with IMA/EVM and SELinux enabled, we get:
> > " May 25 14:13:01 raspberrypi audit[1212]: INTEGRITY_METADATA pid=1212
> > uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t
> > op=appraise_metadata cause=no_label comm="(systemd)"
> > name="cgroup.procs" dev="cgroup2" ino=1360 res=0 errno=0 "
> >
> > The root cause is that our customized SELinux file_contexts file does
> > not contain the line "/sys/fs/cgroup/.*     <<none>>".
> > When systemd relabels directories under /sys/fs/cgroup/ during
> > booting, it will set SELinux label inside the iattr member of kernfs
> > node, and then security_kernfs_init_security() will initialize the
> > security data at the time new kernfs node created.
> > After systemd executes something to trigger evm_verify_hmac(), we get
> > this no_label error.
> >
> > In evm_verify_hmac(), if there is no EVM xattr value, it will check
> > any other xattr values protected by EVM exist or not.
> > In this situation, there is no EVM xattr value (got from the iattr
> > member of kernfs node in cgroup filesystem), but SELinux label (also
> > got from the iattr member of kernfs node instead of from inode)
> > exists.
> > To sum up, the error seems to me is EVM mechanism doesn't initialize
> > EVM xattr value in kernfs node.
>
> Hi Hank
>
> this patch should help:
>
> https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git/commit/?h=next-integrity-testing&id=4a804b8a4572dfc81c3a59709d49ae206e4370ba
>
> Could you please try it?
>
> Thanks
>
> Roberto
>
> HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
> Managing Director: Li Peng, Li Jian, Shi Yanli
>
> > The environment:
> > /proc/version: Linux version 5.13.0-rc3-v7l+ (bighead@...0453463-02)
> > (arm-linux-gnueabi-gcc (GCC) 9.1.0, GNU ld (GNU Binutils) 2.32) #1 SMP
> > Tue May 25 12:33:01 CST 2021
> > /proc/sys/kernel/tainted: 0
> > Operating System: Raspbian GNU/Linux 10 (buster)
> > Architecture: armv7l
> > systemd version: systemd 241 (241) +PAM +AUDIT +SELINUX +IMA
> > +APPARMOR
> > +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ
> > +LZ4
> > +SECCOMP +BLKID +ELFUTILS +KMOD -IDN2 +IDN -PCRE2
> > default-hierarchy=hybrid
> > IMA/EVM kernel parameter: ima_policy=appraise_tcb ima_appraise=fix
> > SELinux kernel parameter: security=selinux selinux=1 (permissive mode)
> >
> > How to reproduce the error in Raspbian:
> > 1. Prepare an environment which SELinux and IMA/EVM are enabled and
> > boot up with kernel parameters: security=selinux selinux=1
> > ima_policy=appraise_tcb ima_appraise=fix evm=fix
> > 2. Remove the line "/sys/fs/cgroup/.*     <<none>>" in file_contexts
> > file, and fully relabel all system with SELinux official reference
> > policy
> > 3. Walk through all regular files and generate ima/evm hash:
> > /usr/bin/find / -type f -uid 0 -exec sh -c "< '{}'" \;
> > 4. Reboot with kernel parameters: security=selinux selinux=1
> > ima_policy=appraise_tcb ima_appraise=fix
> > 5. After boot up, you will get this EVM no_label error message
> >
> > Reproduce the error directly:
> > 1. Prepare an environment which SELinux and IMA/EVM are enabled and
> > boot up with kernel parameters: security=selinux selinux=1
> > ima_policy=appraise_tcb ima_appraise=fix evm=fix
> > 2. Fully relabel all system with SELinux official reference policy
> > 3. Walk through all regular files and generate ima/evm hash:
> > /usr/bin/find / -type f -uid 0 -exec sh -c "< '{}'" \;
> > 4. Reboot with kernel parameters: security=selinux selinux=1
> > ima_policy=appraise_tcb ima_appraise=fix
> > 5. sudo setfattr -n security.selinux -v system_u:object_r:cgroup_t
> > /sys/fs/cgroup/unified
> > 6. sudo mkdir /sys/fs/cgroup/unified/testevm
> > 7. sudo chmod +x /sys/fs/cgroup/unified/testevm/cgroup.procs: you will
> > get this EVM error message
> >
> > Reference:
> > Kernel config: https://140.96.154.7:5001/sharing/9cPNowmhK
> > Journal log: https://140.96.154.7:5001/sharing/sRISz6IPt
> > Patch for security_kernfs_init_security() :
> > https://lore.kernel.org/selinux/20190130114150.27807-1-
> > omosnace@...hat.com/
> >
> > --
> > Best Regards,
> > Hank Wang



-- 
Best Regards,
王禹軒 Hank

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ