[SRU,xenial] UBUNTU: SAUCE: apparmor: fix audit failures when performing onexec

Message ID 68e8aa9b-0522-8587-2e19-9a4e244c9780@canonical.com
State New
Series [SRU,xenial] UBUNTU: SAUCE: apparmor: fix audit failures when performing onexec

Commit Message

John Johansen Aug. 1, 2019, 11:29 a.m. UTC
There are 2 cases where a denial in onexec profile transitions can
occur that results in an apparmor WARN traceback. The first occurs if
onexec is denied by policy, the second if onexec fails due to
no-new-privs.

[1140910.816457] ------------[ cut here ]------------
[1140910.816466] WARNING: CPU: 4 PID: 32497 at /build/linux-UdetSb/linux-4.4.0/security/apparmor/file.c:136 aa_audit_file+0x16e/0x180()
[1140910.816467] AppArmor WARN aa_audit_file: ((!(&sa)->apparmor_audit_data->request)):
[1140910.816469] Modules linked in:
[1140910.816470]  xt_mark xt_comment ip_vs_sh ip_vs_wrr ip_vs_rr ip_vs xt_REDIRECT nf_nat_redirect xt_nat veth btrfs xor raid6_pq ufs qnx4 hfsplus hfs minix ntfs msdos jfs xfs libcrc32c msr nf_conntrack_netlink nfnetlink xfrm_user xfrm_algo xt_addrtype br_netfilter pci_stub vboxpci(OE) vboxnetadp(OE) vboxnetflt(OE) vboxdrv(OE) xt_CHECKSUM iptable_mangle rfcomm ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ipt_REJECT nf_reject_ipv4 xt_tcpudp bridge stp llc ebtable_filter ebtables ip6table_filter ip6_tables xt_multiport iptable_filter ip_tables x_tables aufs overlay bnep uvcvideo videobuf2_vmalloc btusb videobuf2_memops videobuf2_v4l2 btrtl btbcm videobuf2_core btintel v4l2_common bluetooth videodev media binfmt_misc arc4
[1140910.816508]  iwlmvm mac80211 intel_rapl snd_hda_codec_hdmi x86_pkg_temp_thermal intel_powerclamp snd_hda_codec_realtek snd_hda_codec_generic iwlwifi joydev input_leds serio_raw cfg80211 snd_hda_intel snd_hda_codec snd_hda_core lpc_ich snd_hwdep thinkpad_acpi nvram snd_pcm snd_seq_midi mei_me snd_seq_midi_event shpchp ie31200_edac mei snd_rawmidi edac_core snd_seq wmi snd_seq_device snd_timer snd soundcore kvm_intel mac_hid kvm irqbypass coretemp parport_pc ppdev lp parport autofs4 drbg ansi_cprng algif_skcipher af_alg dm_crypt hid_generic hid_logitech_hidpp hid_logitech_dj usbhid hid uas usb_storage crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel i915 aes_x86_64 lrw gf128mul glue_helper ablk_helper cryptd i2c_algo_bit drm_kms_helper psmouse syscopyarea sysfillrect ahci sysimgblt e1000e
[1140910.816544]  fb_sys_fops libahci sdhci_pci drm sdhci ptp pps_core fjes video
[1140910.816549] CPU: 4 PID: 32497 Comm: runc:[2:INIT] Tainted: G        W  OE   4.4.0-151-generic #178-Ubuntu
[1140910.816551] Hardware name: LENOVO 20EFCTO1WW/20EFCTO1WW, BIOS GNET82WW (2.30 ) 03/21/2017
[1140910.816552]  0000000000000286 312c35d8d7e796cb ffff880637cef9d0 ffffffff8140b481
[1140910.816554]  ffff880637cefa18 ffffffff81d02fe8 ffff880637cefa08 ffffffff81085432
[1140910.816555]  ffff880108206400 ffff880637cefb6c ffff880825129b88 ffff880637cefd88
[1140910.816557] Call Trace:
[1140910.816563]  [<ffffffff8140b481>] dump_stack+0x63/0x82
[1140910.816567]  [<ffffffff81085432>] warn_slowpath_common+0x82/0xc0
[1140910.816569]  [<ffffffff810854cc>] warn_slowpath_fmt+0x5c/0x80
[1140910.816571]  [<ffffffff81397ebc>] ? label_match.constprop.9+0x3dc/0x6c0
[1140910.816573]  [<ffffffff813a696e>] aa_audit_file+0x16e/0x180
[1140910.816575]  [<ffffffff813982dd>] profile_onexec+0x13d/0x3d0
[1140910.816577]  [<ffffffff8139a33e>] handle_onexec+0x10e/0x10d0
[1140910.816581]  [<ffffffff81242957>] ? vfs_getxattr_alloc+0x67/0x100
[1140910.816584]  [<ffffffff81355395>] ? cap_inode_getsecurity+0x95/0x220
[1140910.816588]  [<ffffffff8135965d>] ? security_inode_getsecurity+0x5d/0x70
[1140910.816590]  [<ffffffff8139b417>] apparmor_bprm_set_creds+0x117/0xa60
[1140910.816591]  [<ffffffff81242a8e>] ? vfs_getxattr+0x9e/0xb0
[1140910.816595]  [<ffffffffc05be712>] ? ovl_getxattr+0x52/0xb0 [overlay]
[1140910.816597]  [<ffffffff8135619d>] ? get_vfs_caps_from_disk+0x7d/0x180
[1140910.816599]  [<ffffffff81356343>] ? cap_bprm_set_creds+0xa3/0x5f0
[1140910.816601]  [<ffffffff81358909>] security_bprm_set_creds+0x39/0x50
[1140910.816605]  [<ffffffff812229d5>] prepare_binprm+0x85/0x190
[1140910.816607]  [<ffffffff812240f4>] do_execveat_common.isra.31+0x4b4/0x770
[1140910.816610]  [<ffffffff8122460a>] SyS_execve+0x3a/0x50
[1140910.816613]  [<ffffffff81863ed5>] stub_execve+0x5/0x5
[1140910.816615]  [<ffffffff81863b5b>] ? entry_SYSCALL_64_fastpath+0x22/0xcb
[1140910.816616] ---[ end trace cf4320c1d43eedd8 ]---

This is because the error is being audited as if onexec was not denied,
thus triggering the AA_BUG check.

BugLink: http://bugs.launchpad.net/bugs/1838627
Signed-off-by: John Johansen <john.johansen@canonical.com>
---
 security/apparmor/domain.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
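The commit message describes a denial that reaches the audit path looking like a grant. The C below is an added userspace model, not AppArmor or kernel code: the permission bit values, the struct layout, the function names and the audit masking rule (on error, report only the requested bits absent from `allow`, and flag it as a bug if nothing remains) are assumptions drawn from the WARN condition quoted above. It contrasts the pre-patch error path, which leaves `AA_MAY_ONEXEC` in `perms.allow`, with the patched one that clears it.

```c
/* Userspace model of the audit accounting the patch corrects.
 * Added example, not AppArmor code: bit values, struct layout and
 * function names are simplified stand-ins, and the masking rule in
 * audit_file() is an assumption drawn from the WARN in the thread. */
#include <stdio.h>
#include <stdint.h>
#include <stdbool.h>

/* Hypothetical permission bits (the kernel's real values differ). */
#define AA_MAY_ONEXEC  0x1u
#define AA_MAY_EXEC    0x2u

struct perms {
    uint32_t allow;   /* permissions policy grants for this target */
};

/* What the audit step produced: the bits it reported as denied, and
 * whether it hit the "denied, yet nothing to report" condition that
 * models AA_BUG(!request) firing. */
struct audit_result {
    bool bug;
    uint32_t denied;
};

/* Assumed accounting rule: on error, only the requested bits that are
 * not in perms->allow are reported as denied. A denial that leaves
 * every requested bit in allow has nothing to report, which is the
 * state the kernel WARN guards against. */
static struct audit_result audit_file(int error, uint32_t request,
                                      const struct perms *perms)
{
    struct audit_result r = { false, 0 };
    if (error) {
        r.denied = request & ~perms->allow;
        r.bug = (r.denied == 0);
    }
    return r;
}

/* Error path as written before the patch: policy granted ONEXEC, a
 * later check (here standing in for no-new-privs) fails, and the code
 * jumps to audit with perms.allow untouched. */
static struct audit_result onexec_before_fix(bool nnp_blocks)
{
    struct perms perms = { .allow = AA_MAY_ONEXEC | AA_MAY_EXEC };
    int error = nnp_blocks ? -1 : 0;   /* -EPERM in the kernel */
    return audit_file(error, AA_MAY_ONEXEC, &perms);
}

/* Same path with the patch's change applied: the error path clears
 * AA_MAY_ONEXEC from perms.allow so the audit sees a real denial. */
static struct audit_result onexec_after_fix(bool nnp_blocks)
{
    struct perms perms = { .allow = AA_MAY_ONEXEC | AA_MAY_EXEC };
    int error = 0;
    if (nnp_blocks) {
        error = -1;                    /* -EPERM in the kernel */
        perms.allow &= ~AA_MAY_ONEXEC;
    }
    return audit_file(error, AA_MAY_ONEXEC, &perms);
}

int main(void)
{
    struct audit_result before = onexec_before_fix(true);
    struct audit_result after = onexec_after_fix(true);
    printf("before fix: bug=%d denied=0x%x\n", before.bug, before.denied);
    printf("after fix:  bug=%d denied=0x%x\n", after.bug, after.denied);
    return 0;
}
```

Run stand-alone, the pre-patch path reports `bug=1` with no denied bits, which is the model's equivalent of the AA_BUG traceback; the patched path reports `AA_MAY_ONEXEC` as denied and no bug. Any further error path that jumps to `audit:` without clearing the bit would reproduce the first result, which is the point Tyler Hicks raises below about the no-new-privs check elsewhere.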

Comments

Tyler Hicks Aug. 1, 2019, 2:47 p.m. UTC | #1
On 2019-08-01 04:29:21, John Johansen wrote:
> 
> There are 2 cases where a denial in onexec profile transitions can
> occur that results in an apparmor WARN traceback. The first occurs if
> onexec is denied by policy, the second if onexec fails due to
> no-new-privs.
> 
> [1140910.816457] ------------[ cut here ]------------
> [1140910.816466] WARNING: CPU: 4 PID: 32497 at /build/linux-UdetSb/linux-4.4.0/security/apparmor/file.c:136 aa_audit_file+0x16e/0x180()
> [1140910.816467] AppArmor WARN aa_audit_file: ((!(&sa)->apparmor_audit_data->request)):
> [1140910.816469] Modules linked in:
> [1140910.816470]  xt_mark xt_comment ip_vs_sh ip_vs_wrr ip_vs_rr ip_vs xt_REDIRECT nf_nat_redirect xt_nat veth btrfs xor raid6_pq ufs qnx4 hfsplus hfs minix ntfs msdos jfs xfs libcrc32c msr nf_conntrack_netlink nfnetlink xfrm_user xfrm_algo xt_addrtype br_netfilter pci_stub vboxpci(OE) vboxnetadp(OE) vboxnetflt(OE) vboxdrv(OE) xt_CHECKSUM iptable_mangle rfcomm ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ipt_REJECT nf_reject_ipv4 xt_tcpudp bridge stp llc ebtable_filter ebtables ip6table_filter ip6_tables xt_multiport iptable_filter ip_tables x_tables aufs overlay bnep uvcvideo videobuf2_vmalloc btusb videobuf2_memops videobuf2_v4l2 btrtl btbcm videobuf2_core btintel v4l2_common bluetooth videodev media binfmt_misc arc4
> [1140910.816508]  iwlmvm mac80211 intel_rapl snd_hda_codec_hdmi x86_pkg_temp_thermal intel_powerclamp snd_hda_codec_realtek snd_hda_codec_generic iwlwifi joydev input_leds serio_raw cfg80211 snd_hda_intel snd_hda_codec snd_hda_core lpc_ich snd_hwdep thinkpad_acpi nvram snd_pcm snd_seq_midi mei_me snd_seq_midi_event shpchp ie31200_edac mei snd_rawmidi edac_core snd_seq wmi snd_seq_device snd_timer snd soundcore kvm_intel mac_hid kvm irqbypass coretemp parport_pc ppdev lp parport autofs4 drbg ansi_cprng algif_skcipher af_alg dm_crypt hid_generic hid_logitech_hidpp hid_logitech_dj usbhid hid uas usb_storage crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel i915 aes_x86_64 lrw gf128mul glue_helper ablk_helper cryptd i2c_algo_bit drm_kms_helper psmouse syscopyarea sysfillrect ahci sysimgblt e1000e
> [1140910.816544]  fb_sys_fops libahci sdhci_pci drm sdhci ptp pps_core fjes video
> [1140910.816549] CPU: 4 PID: 32497 Comm: runc:[2:INIT] Tainted: G        W  OE   4.4.0-151-generic #178-Ubuntu
> [1140910.816551] Hardware name: LENOVO 20EFCTO1WW/20EFCTO1WW, BIOS GNET82WW (2.30 ) 03/21/2017
> [1140910.816552]  0000000000000286 312c35d8d7e796cb ffff880637cef9d0 ffffffff8140b481
> [1140910.816554]  ffff880637cefa18 ffffffff81d02fe8 ffff880637cefa08 ffffffff81085432
> [1140910.816555]  ffff880108206400 ffff880637cefb6c ffff880825129b88 ffff880637cefd88
> [1140910.816557] Call Trace:
> [1140910.816563]  [<ffffffff8140b481>] dump_stack+0x63/0x82
> [1140910.816567]  [<ffffffff81085432>] warn_slowpath_common+0x82/0xc0
> [1140910.816569]  [<ffffffff810854cc>] warn_slowpath_fmt+0x5c/0x80
> [1140910.816571]  [<ffffffff81397ebc>] ? label_match.constprop.9+0x3dc/0x6c0
> [1140910.816573]  [<ffffffff813a696e>] aa_audit_file+0x16e/0x180
> [1140910.816575]  [<ffffffff813982dd>] profile_onexec+0x13d/0x3d0
> [1140910.816577]  [<ffffffff8139a33e>] handle_onexec+0x10e/0x10d0
> [1140910.816581]  [<ffffffff81242957>] ? vfs_getxattr_alloc+0x67/0x100
> [1140910.816584]  [<ffffffff81355395>] ? cap_inode_getsecurity+0x95/0x220
> [1140910.816588]  [<ffffffff8135965d>] ? security_inode_getsecurity+0x5d/0x70
> [1140910.816590]  [<ffffffff8139b417>] apparmor_bprm_set_creds+0x117/0xa60
> [1140910.816591]  [<ffffffff81242a8e>] ? vfs_getxattr+0x9e/0xb0
> [1140910.816595]  [<ffffffffc05be712>] ? ovl_getxattr+0x52/0xb0 [overlay]
> [1140910.816597]  [<ffffffff8135619d>] ? get_vfs_caps_from_disk+0x7d/0x180
> [1140910.816599]  [<ffffffff81356343>] ? cap_bprm_set_creds+0xa3/0x5f0
> [1140910.816601]  [<ffffffff81358909>] security_bprm_set_creds+0x39/0x50
> [1140910.816605]  [<ffffffff812229d5>] prepare_binprm+0x85/0x190
> [1140910.816607]  [<ffffffff812240f4>] do_execveat_common.isra.31+0x4b4/0x770
> [1140910.816610]  [<ffffffff8122460a>] SyS_execve+0x3a/0x50
> [1140910.816613]  [<ffffffff81863ed5>] stub_execve+0x5/0x5
> [1140910.816615]  [<ffffffff81863b5b>] ? entry_SYSCALL_64_fastpath+0x22/0xcb
> [1140910.816616] ---[ end trace cf4320c1d43eedd8 ]---
> 
> This is because the error is being audited as if onexec was not denied,
> thus triggering the AA_BUG check.
> 
> BugLink: http://bugs.launchpad.net/bugs/1838627
> Signed-off-by: John Johansen <john.johansen@canonical.com>
> ---
>  security/apparmor/domain.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
> index 576d51194eae..86e2908f805d 100644
> --- a/security/apparmor/domain.c
> +++ b/security/apparmor/domain.c
> @@ -647,8 +647,10 @@ static int profile_onexec(struct aa_profile *profile, struct aa_label *onexec,
>  	state = aa_dfa_null_transition(profile->file.dfa, state);
>  	error = change_profile_perms(profile, onexec, stack, AA_MAY_ONEXEC,
>  				     state, &perms);
> -	if (error)
> +	if (error) {
> +		perms.allow &= ~AA_MAY_ONEXEC;
>  		goto audit;
> +	}
>  
>  	/* Policy has specified a domain transitions. if no_new_privs and
>  	 * confined and not transitioning to the current domain fail.
> @@ -662,6 +664,7 @@ static int profile_onexec(struct aa_profile *profile, struct aa_label *onexec,
>  	    !aa_label_is_subset(onexec, &profile->label)) {
>  		error = -EPERM;
>  		info = "no new privs";
> +		perms.allow &= ~AA_MAY_ONEXEC;

A similar change also needs to be added to the NNP check in
change_profile_perms_wrapper(). I can trigger the AA_WARN() from that
error path, as well:

[   14.721337] WARNING: CPU: 0 PID: 1453 at /tmp/kernel-tyhicks-a20f622-EAUF/build/security/apparmor/file.c:136 aa_audit_file+0x16e/0x180()
[   14.721339] AppArmor WARN aa_audit_file: ((!(&sa)->apparmor_audit_data->request)): 
[   14.721340] Modules linked in:
[   14.721342]  snd_hda_codec_generic kvm_intel snd_hda_intel snd_hda_codec kvm irqbypass snd_hda_core snd_hwdep snd_pcm input_leds joydev serio_raw snd_timer snd soundcore i2c_piix4 8250_fintek mac_hid ib_iser rdma_cm iw_cm ib_cm ib_sa ib_mad ib_core ib_addr iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 btrfs raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear hid_generic usbhid crct10dif_pclmul hid crc32_pclmul ghash_clmulni_intel aesni_intel qxl aes_x86_64 ttm lrw gf128mul glue_helper ablk_helper cryptd drm_kms_helper syscopyarea sysfillrect sysimgblt psmouse fb_sys_fops drm pata_acpi floppy
[   14.721387] CPU: 0 PID: 1453 Comm: transition Tainted: G        W       4.4.0-158-generic #186~aa.1
[   14.721389] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[   14.721391]  0000000000000286 f4807cdf06cc1e28 ffff88003808fae8 ffffffff8140c9b1
[   14.721394]  ffff88003808fb30 ffffffff81d04208 ffff88003808fb20 ffffffff810864d2
[   14.721397]  ffff880038036800 ffff88003808fc9c ffff88003808fc9c ffff88003808fd88
[   14.721400] Call Trace:
[   14.721407]  [<ffffffff8140c9b1>] dump_stack+0x63/0x82
[   14.721412]  [<ffffffff810864d2>] warn_slowpath_common+0x82/0xc0
[   14.721415]  [<ffffffff8108656c>] warn_slowpath_fmt+0x5c/0x80
[   14.721419]  [<ffffffff813a7dfe>] aa_audit_file+0x16e/0x180
[   14.721423]  [<ffffffff8139ae57>] profile_transition+0x3e7/0xc80
[   14.721426]  [<ffffffff8139d136>] apparmor_bprm_set_creds+0x956/0xa60
[   14.721431]  [<ffffffff812f9d1c>] ? ext4_xattr_security_get+0x1c/0x30
[   14.721435]  [<ffffffff81243911>] ? generic_getxattr+0x51/0x70
[   14.721439]  [<ffffffff8135778d>] ? get_vfs_caps_from_disk+0x7d/0x180
[   14.721442]  [<ffffffff81357933>] ? cap_bprm_set_creds+0xa3/0x5f0
[   14.721447]  [<ffffffff81359ef9>] security_bprm_set_creds+0x39/0x50
[   14.721451]  [<ffffffff81223da5>] prepare_binprm+0x85/0x190
[   14.721453]  [<ffffffff812254ca>] do_execveat_common.isra.31+0x4ba/0x780
[   14.721456]  [<ffffffff812259ea>] SyS_execve+0x3a/0x50
[   14.721460]  [<ffffffff81865295>] stub_execve+0x5/0x5
[   14.721464]  [<ffffffff81864f1b>] ? entry_SYSCALL_64_fastpath+0x22/0xcb
[   14.721466] ---[ end trace f0bc5f47039c8348 ]---

I've written a set of automated regression tests for NNP and AppArmor which
trigger this WARNING as well as the original one. I'll reply here once I've got
a public PR available on the AppArmor gitlab page.

Tyler

>  		goto audit;
>  	}
>  
> -- 
> 2.17.1
>
Tyler Hicks Aug. 1, 2019, 2:58 p.m. UTC | #2
On 2019-08-01 09:47:29, Tyler Hicks wrote:
> On 2019-08-01 04:29:21, John Johansen wrote:
> > 
> > There are 2 cases where a denial in onexec profile transitions can
> > occur that results in an apparmor WARN traceback. The first occurs if
> > onexec is denied by policy, the second if onexec fails due to
> > no-new-privs.
> > 
> > [1140910.816457] ------------[ cut here ]------------
> > [1140910.816466] WARNING: CPU: 4 PID: 32497 at /build/linux-UdetSb/linux-4.4.0/security/apparmor/file.c:136 aa_audit_file+0x16e/0x180()
> > [1140910.816467] AppArmor WARN aa_audit_file: ((!(&sa)->apparmor_audit_data->request)):
> > [1140910.816469] Modules linked in:
> > [1140910.816470]  xt_mark xt_comment ip_vs_sh ip_vs_wrr ip_vs_rr ip_vs xt_REDIRECT nf_nat_redirect xt_nat veth btrfs xor raid6_pq ufs qnx4 hfsplus hfs minix ntfs msdos jfs xfs libcrc32c msr nf_conntrack_netlink nfnetlink xfrm_user xfrm_algo xt_addrtype br_netfilter pci_stub vboxpci(OE) vboxnetadp(OE) vboxnetflt(OE) vboxdrv(OE) xt_CHECKSUM iptable_mangle rfcomm ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ipt_REJECT nf_reject_ipv4 xt_tcpudp bridge stp llc ebtable_filter ebtables ip6table_filter ip6_tables xt_multiport iptable_filter ip_tables x_tables aufs overlay bnep uvcvideo videobuf2_vmalloc btusb videobuf2_memops videobuf2_v4l2 btrtl btbcm videobuf2_core btintel v4l2_common bluetooth videodev media binfmt_misc arc4
> > [1140910.816508]  iwlmvm mac80211 intel_rapl snd_hda_codec_hdmi x86_pkg_temp_thermal intel_powerclamp snd_hda_codec_realtek snd_hda_codec_generic iwlwifi joydev input_leds serio_raw cfg80211 snd_hda_intel snd_hda_codec snd_hda_core lpc_ich snd_hwdep thinkpad_acpi nvram snd_pcm snd_seq_midi mei_me snd_seq_midi_event shpchp ie31200_edac mei snd_rawmidi edac_core snd_seq wmi snd_seq_device snd_timer snd soundcore kvm_intel mac_hid kvm irqbypass coretemp parport_pc ppdev lp parport autofs4 drbg ansi_cprng algif_skcipher af_alg dm_crypt hid_generic hid_logitech_hidpp hid_logitech_dj usbhid hid uas usb_storage crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel i915 aes_x86_64 lrw gf128mul glue_helper ablk_helper cryptd i2c_algo_bit drm_kms_helper psmouse syscopyarea sysfillrect ahci sysimgblt e1000e
> > [1140910.816544]  fb_sys_fops libahci sdhci_pci drm sdhci ptp pps_core fjes video
> > [1140910.816549] CPU: 4 PID: 32497 Comm: runc:[2:INIT] Tainted: G        W  OE   4.4.0-151-generic #178-Ubuntu
> > [1140910.816551] Hardware name: LENOVO 20EFCTO1WW/20EFCTO1WW, BIOS GNET82WW (2.30 ) 03/21/2017
> > [1140910.816552]  0000000000000286 312c35d8d7e796cb ffff880637cef9d0 ffffffff8140b481
> > [1140910.816554]  ffff880637cefa18 ffffffff81d02fe8 ffff880637cefa08 ffffffff81085432
> > [1140910.816555]  ffff880108206400 ffff880637cefb6c ffff880825129b88 ffff880637cefd88
> > [1140910.816557] Call Trace:
> > [1140910.816563]  [<ffffffff8140b481>] dump_stack+0x63/0x82
> > [1140910.816567]  [<ffffffff81085432>] warn_slowpath_common+0x82/0xc0
> > [1140910.816569]  [<ffffffff810854cc>] warn_slowpath_fmt+0x5c/0x80
> > [1140910.816571]  [<ffffffff81397ebc>] ? label_match.constprop.9+0x3dc/0x6c0
> > [1140910.816573]  [<ffffffff813a696e>] aa_audit_file+0x16e/0x180
> > [1140910.816575]  [<ffffffff813982dd>] profile_onexec+0x13d/0x3d0
> > [1140910.816577]  [<ffffffff8139a33e>] handle_onexec+0x10e/0x10d0
> > [1140910.816581]  [<ffffffff81242957>] ? vfs_getxattr_alloc+0x67/0x100
> > [1140910.816584]  [<ffffffff81355395>] ? cap_inode_getsecurity+0x95/0x220
> > [1140910.816588]  [<ffffffff8135965d>] ? security_inode_getsecurity+0x5d/0x70
> > [1140910.816590]  [<ffffffff8139b417>] apparmor_bprm_set_creds+0x117/0xa60
> > [1140910.816591]  [<ffffffff81242a8e>] ? vfs_getxattr+0x9e/0xb0
> > [1140910.816595]  [<ffffffffc05be712>] ? ovl_getxattr+0x52/0xb0 [overlay]
> > [1140910.816597]  [<ffffffff8135619d>] ? get_vfs_caps_from_disk+0x7d/0x180
> > [1140910.816599]  [<ffffffff81356343>] ? cap_bprm_set_creds+0xa3/0x5f0
> > [1140910.816601]  [<ffffffff81358909>] security_bprm_set_creds+0x39/0x50
> > [1140910.816605]  [<ffffffff812229d5>] prepare_binprm+0x85/0x190
> > [1140910.816607]  [<ffffffff812240f4>] do_execveat_common.isra.31+0x4b4/0x770
> > [1140910.816610]  [<ffffffff8122460a>] SyS_execve+0x3a/0x50
> > [1140910.816613]  [<ffffffff81863ed5>] stub_execve+0x5/0x5
> > [1140910.816615]  [<ffffffff81863b5b>] ? entry_SYSCALL_64_fastpath+0x22/0xcb
> > [1140910.816616] ---[ end trace cf4320c1d43eedd8 ]---
> > 
> > This is because the error is being audited as if onexec was not denied,
> > thus triggering the AA_BUG check.
> > 
> > BugLink: http://bugs.launchpad.net/bugs/1838627
> > Signed-off-by: John Johansen <john.johansen@canonical.com>
> > ---
> >  security/apparmor/domain.c | 5 ++++-
> >  1 file changed, 4 insertions(+), 1 deletion(-)
> > 
> > diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
> > index 576d51194eae..86e2908f805d 100644
> > --- a/security/apparmor/domain.c
> > +++ b/security/apparmor/domain.c
> > @@ -647,8 +647,10 @@ static int profile_onexec(struct aa_profile *profile, struct aa_label *onexec,
> >  	state = aa_dfa_null_transition(profile->file.dfa, state);
> >  	error = change_profile_perms(profile, onexec, stack, AA_MAY_ONEXEC,
> >  				     state, &perms);
> > -	if (error)
> > +	if (error) {
> > +		perms.allow &= ~AA_MAY_ONEXEC;
> >  		goto audit;
> > +	}
> >  
> >  	/* Policy has specified a domain transitions. if no_new_privs and
> >  	 * confined and not transitioning to the current domain fail.
> > @@ -662,6 +664,7 @@ static int profile_onexec(struct aa_profile *profile, struct aa_label *onexec,
> >  	    !aa_label_is_subset(onexec, &profile->label)) {
> >  		error = -EPERM;
> >  		info = "no new privs";
> > +		perms.allow &= ~AA_MAY_ONEXEC;
> 
> A similar change also needs to be added to the NNP check in
> change_profile_perms_wrapper(). I can trigger the AA_WARN() from that
> error path, as well:
> 
> [   14.721337] WARNING: CPU: 0 PID: 1453 at /tmp/kernel-tyhicks-a20f622-EAUF/build/security/apparmor/file.c:136 aa_audit_file+0x16e/0x180()
> [   14.721339] AppArmor WARN aa_audit_file: ((!(&sa)->apparmor_audit_data->request)): 
> [   14.721340] Modules linked in:
> [   14.721342]  snd_hda_codec_generic kvm_intel snd_hda_intel snd_hda_codec kvm irqbypass snd_hda_core snd_hwdep snd_pcm input_leds joydev serio_raw snd_timer snd soundcore i2c_piix4 8250_fintek mac_hid ib_iser rdma_cm iw_cm ib_cm ib_sa ib_mad ib_core ib_addr iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 btrfs raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear hid_generic usbhid crct10dif_pclmul hid crc32_pclmul ghash_clmulni_intel aesni_intel qxl aes_x86_64 ttm lrw gf128mul glue_helper ablk_helper cryptd drm_kms_helper syscopyarea sysfillrect sysimgblt psmouse fb_sys_fops drm pata_acpi floppy
> [   14.721387] CPU: 0 PID: 1453 Comm: transition Tainted: G        W       4.4.0-158-generic #186~aa.1
> [   14.721389] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
> [   14.721391]  0000000000000286 f4807cdf06cc1e28 ffff88003808fae8 ffffffff8140c9b1
> [   14.721394]  ffff88003808fb30 ffffffff81d04208 ffff88003808fb20 ffffffff810864d2
> [   14.721397]  ffff880038036800 ffff88003808fc9c ffff88003808fc9c ffff88003808fd88
> [   14.721400] Call Trace:
> [   14.721407]  [<ffffffff8140c9b1>] dump_stack+0x63/0x82
> [   14.721412]  [<ffffffff810864d2>] warn_slowpath_common+0x82/0xc0
> [   14.721415]  [<ffffffff8108656c>] warn_slowpath_fmt+0x5c/0x80
> [   14.721419]  [<ffffffff813a7dfe>] aa_audit_file+0x16e/0x180
> [   14.721423]  [<ffffffff8139ae57>] profile_transition+0x3e7/0xc80

Hrm, I guess this indicates that we need the change in the NNP check in
profile_transition() instead of (or in addition to?)
change_profile_perms_wrapper(), as mentioned above. I could have sworn
that I saw aa_change_profile() in a stack trace, which is what made me
think change_profile_perms_wrapper() needed to be updated, but now I
can't find it.

Tyler

> [   14.721426]  [<ffffffff8139d136>] apparmor_bprm_set_creds+0x956/0xa60
> [   14.721431]  [<ffffffff812f9d1c>] ? ext4_xattr_security_get+0x1c/0x30
> [   14.721435]  [<ffffffff81243911>] ? generic_getxattr+0x51/0x70
> [   14.721439]  [<ffffffff8135778d>] ? get_vfs_caps_from_disk+0x7d/0x180
> [   14.721442]  [<ffffffff81357933>] ? cap_bprm_set_creds+0xa3/0x5f0
> [   14.721447]  [<ffffffff81359ef9>] security_bprm_set_creds+0x39/0x50
> [   14.721451]  [<ffffffff81223da5>] prepare_binprm+0x85/0x190
> [   14.721453]  [<ffffffff812254ca>] do_execveat_common.isra.31+0x4ba/0x780
> [   14.721456]  [<ffffffff812259ea>] SyS_execve+0x3a/0x50
> [   14.721460]  [<ffffffff81865295>] stub_execve+0x5/0x5
> [   14.721464]  [<ffffffff81864f1b>] ? entry_SYSCALL_64_fastpath+0x22/0xcb
> [   14.721466] ---[ end trace f0bc5f47039c8348 ]---
> 
> I've written a set of automated regression tests for NNP and AppArmor which
> trigger this WARNING as well as the original one. I'll reply here once I've got
> a public PR available on the AppArmor gitlab page.
> 
> Tyler
> 
> >  		goto audit;
> >  	}
> >  
> > -- 
> > 2.17.1
> >
Tyler Hicks Aug. 1, 2019, 5:18 p.m. UTC | #3
On 2019-08-01 09:57:59, Tyler Hicks wrote:
> On 2019-08-01 09:47:29, Tyler Hicks wrote:
> > On 2019-08-01 04:29:21, John Johansen wrote:
> > > 
> > > There are 2 cases where a denial in onexec profile transitions can
> > > occur that results in an apparmor WARN traceback. The first occurs if
> > > onexec is denied by policy, the second if onexec fails due to
> > > no-new-privs.
> > > 
> > > [1140910.816457] ------------[ cut here ]------------
> > > [1140910.816466] WARNING: CPU: 4 PID: 32497 at /build/linux-UdetSb/linux-4.4.0/security/apparmor/file.c:136 aa_audit_file+0x16e/0x180()
> > > [1140910.816467] AppArmor WARN aa_audit_file: ((!(&sa)->apparmor_audit_data->request)):
> > > [1140910.816469] Modules linked in:
> > > [1140910.816470]  xt_mark xt_comment ip_vs_sh ip_vs_wrr ip_vs_rr ip_vs xt_REDIRECT nf_nat_redirect xt_nat veth btrfs xor raid6_pq ufs qnx4 hfsplus hfs minix ntfs msdos jfs xfs libcrc32c msr nf_conntrack_netlink nfnetlink xfrm_user xfrm_algo xt_addrtype br_netfilter pci_stub vboxpci(OE) vboxnetadp(OE) vboxnetflt(OE) vboxdrv(OE) xt_CHECKSUM iptable_mangle rfcomm ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ipt_REJECT nf_reject_ipv4 xt_tcpudp bridge stp llc ebtable_filter ebtables ip6table_filter ip6_tables xt_multiport iptable_filter ip_tables x_tables aufs overlay bnep uvcvideo videobuf2_vmalloc btusb videobuf2_memops videobuf2_v4l2 btrtl btbcm videobuf2_core btintel v4l2_common bluetooth videodev media binfmt_misc arc4
> > > [1140910.816508]  iwlmvm mac80211 intel_rapl snd_hda_codec_hdmi x86_pkg_temp_thermal intel_powerclamp snd_hda_codec_realtek snd_hda_codec_generic iwlwifi joydev input_leds serio_raw cfg80211 snd_hda_intel snd_hda_codec snd_hda_core lpc_ich snd_hwdep thinkpad_acpi nvram snd_pcm snd_seq_midi mei_me snd_seq_midi_event shpchp ie31200_edac mei snd_rawmidi edac_core snd_seq wmi snd_seq_device snd_timer snd soundcore kvm_intel mac_hid kvm irqbypass coretemp parport_pc ppdev lp parport autofs4 drbg ansi_cprng algif_skcipher af_alg dm_crypt hid_generic hid_logitech_hidpp hid_logitech_dj usbhid hid uas usb_storage crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel i915 aes_x86_64 lrw gf128mul glue_helper ablk_helper cryptd i2c_algo_bit drm_kms_helper psmouse syscopyarea sysfillrect ahci sysimgblt e1000e
> > > [1140910.816544]  fb_sys_fops libahci sdhci_pci drm sdhci ptp pps_core fjes video
> > > [1140910.816549] CPU: 4 PID: 32497 Comm: runc:[2:INIT] Tainted: G        W  OE   4.4.0-151-generic #178-Ubuntu
> > > [1140910.816551] Hardware name: LENOVO 20EFCTO1WW/20EFCTO1WW, BIOS GNET82WW (2.30 ) 03/21/2017
> > > [1140910.816552]  0000000000000286 312c35d8d7e796cb ffff880637cef9d0 ffffffff8140b481
> > > [1140910.816554]  ffff880637cefa18 ffffffff81d02fe8 ffff880637cefa08 ffffffff81085432
> > > [1140910.816555]  ffff880108206400 ffff880637cefb6c ffff880825129b88 ffff880637cefd88
> > > [1140910.816557] Call Trace:
> > > [1140910.816563]  [<ffffffff8140b481>] dump_stack+0x63/0x82
> > > [1140910.816567]  [<ffffffff81085432>] warn_slowpath_common+0x82/0xc0
> > > [1140910.816569]  [<ffffffff810854cc>] warn_slowpath_fmt+0x5c/0x80
> > > [1140910.816571]  [<ffffffff81397ebc>] ? label_match.constprop.9+0x3dc/0x6c0
> > > [1140910.816573]  [<ffffffff813a696e>] aa_audit_file+0x16e/0x180
> > > [1140910.816575]  [<ffffffff813982dd>] profile_onexec+0x13d/0x3d0
> > > [1140910.816577]  [<ffffffff8139a33e>] handle_onexec+0x10e/0x10d0
> > > [1140910.816581]  [<ffffffff81242957>] ? vfs_getxattr_alloc+0x67/0x100
> > > [1140910.816584]  [<ffffffff81355395>] ? cap_inode_getsecurity+0x95/0x220
> > > [1140910.816588]  [<ffffffff8135965d>] ? security_inode_getsecurity+0x5d/0x70
> > > [1140910.816590]  [<ffffffff8139b417>] apparmor_bprm_set_creds+0x117/0xa60
> > > [1140910.816591]  [<ffffffff81242a8e>] ? vfs_getxattr+0x9e/0xb0
> > > [1140910.816595]  [<ffffffffc05be712>] ? ovl_getxattr+0x52/0xb0 [overlay]
> > > [1140910.816597]  [<ffffffff8135619d>] ? get_vfs_caps_from_disk+0x7d/0x180
> > > [1140910.816599]  [<ffffffff81356343>] ? cap_bprm_set_creds+0xa3/0x5f0
> > > [1140910.816601]  [<ffffffff81358909>] security_bprm_set_creds+0x39/0x50
> > > [1140910.816605]  [<ffffffff812229d5>] prepare_binprm+0x85/0x190
> > > [1140910.816607]  [<ffffffff812240f4>] do_execveat_common.isra.31+0x4b4/0x770
> > > [1140910.816610]  [<ffffffff8122460a>] SyS_execve+0x3a/0x50
> > > [1140910.816613]  [<ffffffff81863ed5>] stub_execve+0x5/0x5
> > > [1140910.816615]  [<ffffffff81863b5b>] ? entry_SYSCALL_64_fastpath+0x22/0xcb
> > > [1140910.816616] ---[ end trace cf4320c1d43eedd8 ]---
> > > 
> > > This is because the error is being audited as if onexec was not denied,
> > > thus triggering the AA_BUG check.
> > > 
> > > BugLink: http://bugs.launchpad.net/bugs/1838627
> > > Signed-off-by: John Johansen <john.johansen@canonical.com>
> > > ---
> > >  security/apparmor/domain.c | 5 ++++-
> > >  1 file changed, 4 insertions(+), 1 deletion(-)
> > > 
> > > diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
> > > index 576d51194eae..86e2908f805d 100644
> > > --- a/security/apparmor/domain.c
> > > +++ b/security/apparmor/domain.c
> > > @@ -647,8 +647,10 @@ static int profile_onexec(struct aa_profile *profile, struct aa_label *onexec,
> > >  	state = aa_dfa_null_transition(profile->file.dfa, state);
> > >  	error = change_profile_perms(profile, onexec, stack, AA_MAY_ONEXEC,
> > >  				     state, &perms);
> > > -	if (error)
> > > +	if (error) {
> > > +		perms.allow &= ~AA_MAY_ONEXEC;
> > >  		goto audit;
> > > +	}
> > >  
> > >  	/* Policy has specified a domain transitions. if no_new_privs and
> > >  	 * confined and not transitioning to the current domain fail.
> > > @@ -662,6 +664,7 @@ static int profile_onexec(struct aa_profile *profile, struct aa_label *onexec,
> > >  	    !aa_label_is_subset(onexec, &profile->label)) {
> > >  		error = -EPERM;
> > >  		info = "no new privs";
> > > +		perms.allow &= ~AA_MAY_ONEXEC;
> > 
> > A similar change also needs to be added to the NNP check in
> > change_profile_perms_wrapper(). I can trigger the AA_WARN() from that
> > error path, as well:
> > 
> > [   14.721337] WARNING: CPU: 0 PID: 1453 at /tmp/kernel-tyhicks-a20f622-EAUF/build/security/apparmor/file.c:136 aa_audit_file+0x16e/0x180()
> > [   14.721339] AppArmor WARN aa_audit_file: ((!(&sa)->apparmor_audit_data->request)): 
> > [   14.721340] Modules linked in:
> > [   14.721342]  snd_hda_codec_generic kvm_intel snd_hda_intel snd_hda_codec kvm irqbypass snd_hda_core snd_hwdep snd_pcm input_leds joydev serio_raw snd_timer snd soundcore i2c_piix4 8250_fintek mac_hid ib_iser rdma_cm iw_cm ib_cm ib_sa ib_mad ib_core ib_addr iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 btrfs raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear hid_generic usbhid crct10dif_pclmul hid crc32_pclmul ghash_clmulni_intel aesni_intel qxl aes_x86_64 ttm lrw gf128mul glue_helper ablk_helper cryptd drm_kms_helper syscopyarea sysfillrect sysimgblt psmouse fb_sys_fops drm pata_acpi floppy
> > [   14.721387] CPU: 0 PID: 1453 Comm: transition Tainted: G        W       4.4.0-158-generic #186~aa.1
> > [   14.721389] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
> > [   14.721391]  0000000000000286 f4807cdf06cc1e28 ffff88003808fae8 ffffffff8140c9b1
> > [   14.721394]  ffff88003808fb30 ffffffff81d04208 ffff88003808fb20 ffffffff810864d2
> > [   14.721397]  ffff880038036800 ffff88003808fc9c ffff88003808fc9c ffff88003808fd88
> > [   14.721400] Call Trace:
> > [   14.721407]  [<ffffffff8140c9b1>] dump_stack+0x63/0x82
> > [   14.721412]  [<ffffffff810864d2>] warn_slowpath_common+0x82/0xc0
> > [   14.721415]  [<ffffffff8108656c>] warn_slowpath_fmt+0x5c/0x80
> > [   14.721419]  [<ffffffff813a7dfe>] aa_audit_file+0x16e/0x180
> > [   14.721423]  [<ffffffff8139ae57>] profile_transition+0x3e7/0xc80
> 
> Hrm, I guess this indicates that we need the change in the NNP check in
> profile_transition() instead of (or in addition to?)
> change_profile_perms_wrapper(), as mentioned above. I could have sworn
> that I saw aa_change_profile() in a stack trace, which is what made me
> think change_profile_perms_wrapper() needed to be updated, but now I
> can't find it.
> 
> Tyler
> 
> > [   14.721426]  [<ffffffff8139d136>] apparmor_bprm_set_creds+0x956/0xa60
> > [   14.721431]  [<ffffffff812f9d1c>] ? ext4_xattr_security_get+0x1c/0x30
> > [   14.721435]  [<ffffffff81243911>] ? generic_getxattr+0x51/0x70
> > [   14.721439]  [<ffffffff8135778d>] ? get_vfs_caps_from_disk+0x7d/0x180
> > [   14.721442]  [<ffffffff81357933>] ? cap_bprm_set_creds+0xa3/0x5f0
> > [   14.721447]  [<ffffffff81359ef9>] security_bprm_set_creds+0x39/0x50
> > [   14.721451]  [<ffffffff81223da5>] prepare_binprm+0x85/0x190
> > [   14.721453]  [<ffffffff812254ca>] do_execveat_common.isra.31+0x4ba/0x780
> > [   14.721456]  [<ffffffff812259ea>] SyS_execve+0x3a/0x50
> > [   14.721460]  [<ffffffff81865295>] stub_execve+0x5/0x5
> > [   14.721464]  [<ffffffff81864f1b>] ? entry_SYSCALL_64_fastpath+0x22/0xcb
> > [   14.721466] ---[ end trace f0bc5f47039c8348 ]---
> > 
> > I've written a set of automated regression tests for NNP and AppArmor which
> > trigger this WARNING as well as the original one. I'll reply here once I've got
> > a public PR available on the AppArmor gitlab page.

The NNP tests can be found here:

 https://gitlab.com/apparmor/apparmor/merge_requests/408

Note the additional B and X test failure described here:

 https://gitlab.com/apparmor/apparmor/merge_requests/408#note_199095464

Tyler

> > 
> > Tyler
> > 
> > >  		goto audit;
> > >  	}
> > >  
> > > -- 
> > > 2.17.1
> > >
Patch

diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
index 576d51194eae..86e2908f805d 100644
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -647,8 +647,10 @@  static int profile_onexec(struct aa_profile *profile, struct aa_label *onexec,
 	state = aa_dfa_null_transition(profile->file.dfa, state);
 	error = change_profile_perms(profile, onexec, stack, AA_MAY_ONEXEC,
 				     state, &perms);
-	if (error)
+	if (error) {
+		perms.allow &= ~AA_MAY_ONEXEC;
 		goto audit;
+	}
 
 	/* Policy has specified a domain transitions. if no_new_privs and
 	 * confined and not transitioning to the current domain fail.
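Review bot: the `perms.allow &= ~AA_MAY_ONEXEC;` added before this `goto audit;` is repeated before the second `goto audit;` in the next hunk, and the thread reports a third error path (the no-new-privs check in profile_transition()) that needs the same masking. Rather than patching each jump, consider clearing the bit once at the `audit:` label under `if (error)`, so that every error path in profile_onexec() that reaches the audit call is covered and a future path cannot regress into the AA_BUG at file.c:136. If the per-path form is kept, a one-line comment on the first occurrence saying that a denial must not leave AA_MAY_ONEXEC in `perms.allow`, or the audit treats it as not denied (the WARN quoted in the commit message), would spare the next reader a trip into aa_audit_file().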
@@ -662,6 +664,7 @@  static int profile_onexec(struct aa_profile *profile, struct aa_label *onexec,
 	    !aa_label_is_subset(onexec, &profile->label)) {
 		error = -EPERM;
 		info = "no new privs";
+		perms.allow &= ~AA_MAY_ONEXEC;
 		goto audit;
 	}
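Review bot: this hunk only covers the no-new-privs check inside profile_onexec(), but Tyler Hicks' trace in the thread shows the same WARN reached with `profile_transition+0x3e7/0xc80` directly under `aa_audit_file`, so the fix is incomplete without the equivalent `perms.allow &= ~AA_MAY_ONEXEC;` in that function's NNP error path. The regression tests at https://gitlab.com/apparmor/apparmor/merge_requests/408 are stated to trigger both WARNs and should be run against a v2 before it is applied; note also the additional B and X test failure recorded on that merge request, which the commit message does not mention.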