* Linux 4.16 cap_sys_module
@ 2018-02-28  9:27 Dominick Grift
From: Dominick Grift @ 2018-02-28  9:27 UTC (permalink / raw)
  To: selinux

Since Linux 4.16 (to at least RC2) user space started to excessively trigger cap_sys_module

Here is one example of such an event:

type=SYSCALL msg=audit(02/27/2018 08:06:40.017:74) : arch=x86_64 syscall=ioctl success=no exit=ENOTTY(Inappropriate ioctl for device) a0=0x2 a1=TCGETS a2=0x7fff2d89f8f0 a3=0x55ba203a9010 items=0 ppid=1 pid=423 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-user-se exe=/usr/lib/systemd/systemd-user-sessions subj=sys.id:sys.role:user_sessions.subj:s0 key=(null)
type=AVC msg=audit(02/27/2018 08:06:40.017:74) : avc:  denied  { sys_module } for  pid=423 comm=systemd-user-se capability=sys_module  scontext=sys.id:sys.role:user_sessions.subj:s0 tcontext=sys.id:sys.role:user_sessions.subj:s0 tclass=capability permissive=1
type=AVC msg=audit(02/27/2018 08:06:40.017:74) : avc:  denied  { module_request } for  pid=423 comm=systemd-user-se kmod=6E65746465762D80E72A05257F scontext=sys.id:sys.role:user_sessions.subj:s0 tcontext=sys.id:sys.role:sys.isid:s0 tclass=system permissive=1

Any idea what causes this and how to fix it?

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift


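A triage script for records like the three above, added here as an example; it is not code from this thread or from the selinux-policy project. It groups ausearch -i style SYSCALL and AVC records by event serial, decodes the hex-encoded kmod field, and flags a module_request whose triggering syscall was a failed terminal ioctl such as TCGETS. The kmod value in the AVC record above decodes to "netdev-" followed by non-printable bytes, which is why audit hex-encoded it. Event 75 in the sample is constructed by me for contrast, and the set of ioctls treated as isatty()-style probes is my choice.

```python
import re
from collections import defaultdict

# Constructed sample: event 74 is copied from the post above (ausearch -i style
# output); event 75 is a made-up, legitimate-looking module request for contrast.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(02/27/2018 08:06:40.017:74) : arch=x86_64 syscall=ioctl success=no exit=ENOTTY(Inappropriate ioctl for device) a0=0x2 a1=TCGETS a2=0x7fff2d89f8f0 a3=0x55ba203a9010 items=0 ppid=1 pid=423 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-user-se exe=/usr/lib/systemd/systemd-user-sessions subj=sys.id:sys.role:user_sessions.subj:s0 key=(null)
type=AVC msg=audit(02/27/2018 08:06:40.017:74) : avc:  denied  { sys_module } for  pid=423 comm=systemd-user-se capability=sys_module  scontext=sys.id:sys.role:user_sessions.subj:s0 tcontext=sys.id:sys.role:user_sessions.subj:s0 tclass=capability permissive=1
type=AVC msg=audit(02/27/2018 08:06:40.017:74) : avc:  denied  { module_request } for  pid=423 comm=systemd-user-se kmod=6E65746465762D80E72A05257F scontext=sys.id:sys.role:user_sessions.subj:s0 tcontext=sys.id:sys.role:sys.isid:s0 tclass=system permissive=1
type=SYSCALL msg=audit(02/27/2018 08:07:01.100:75) : arch=x86_64 syscall=socket success=yes exit=3 a0=0xa a1=SOCK_STREAM a2=0x0 a3=0x0 items=0 ppid=1 pid=611 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sshd exe=/usr/sbin/sshd subj=sys.id:sys.role:sshd.subj:s0 key=(null)
type=AVC msg=audit(02/27/2018 08:07:01.100:75) : avc:  denied  { module_request } for  pid=611 comm=sshd kmod=net-pf-10 scontext=sys.id:sys.role:sshd.subj:s0 tcontext=sys.id:sys.role:sys.isid:s0 tclass=system permissive=1
"""

RECORD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<stamp>.*?):(?P<serial>\d+)\) : (?P<body>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")
PERM_RE = re.compile(r"(granted|denied)\s+\{\s*([^}]*?)\s*\}")

# Terminal ioctls that an isatty()-style probe issues and that legitimately
# fail with ENOTTY on a socket. This set is my assumption, not from the post.
TTY_PROBE_IOCTLS = {"TCGETS", "TCGETA", "TIOCGWINSZ", "TIOCGPGRP"}


def decode_kmod(value):
    """Recover the raw bytes of an audit string field.

    The audit subsystem hex-encodes a string (uppercase, no 0x prefix) when it
    contains non-printable bytes, quotes or spaces, and ausearch -i leaves that
    encoding in place. A module name made only of uppercase hex digits would be
    ambiguous, but audit would not have encoded such a name, so we accept that.
    """
    if len(value) % 2 == 0 and re.fullmatch(r"[0-9A-F]+", value):
        return bytes.fromhex(value)
    return value.encode()


def printable_prefix(raw):
    """Leading run of printable ASCII, e.g. b'netdev-\\x80...' -> 'netdev-'."""
    out = []
    for b in raw:
        if 0x20 <= b < 0x7F:
            out.append(chr(b))
        else:
            break
    return "".join(out)


def parse_records(text):
    """Group SYSCALL and AVC records by audit event serial."""
    events = defaultdict(lambda: {"syscall": None, "avcs": []})
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        fields = dict(KV_RE.findall(m["body"]))
        ev = events[int(m["serial"])]
        if m["type"] == "SYSCALL":
            ev["syscall"] = fields
        elif m["type"] == "AVC":
            pm = PERM_RE.search(m["body"])
            fields["perms"] = pm.group(2).split() if pm else []
            ev["avcs"].append(fields)
    return events


def triage(text):
    """Classify each module_request event.

    A request whose triggering syscall is a failed terminal ioctl on a
    non-tty fd is noise from the kernel's ioctl dispatch, not something
    the process asked for, so it should not be answered in policy.
    """
    results = []
    for serial, ev in sorted(parse_records(text).items()):
        requests = [a for a in ev["avcs"] if "module_request" in a["perms"]]
        if not requests:
            continue
        sc = ev["syscall"] or {}
        raw = decode_kmod(requests[0].get("kmod", ""))
        is_ioctl = sc.get("syscall") == "ioctl"
        cmd = sc.get("a1") if is_ioctl else None
        spurious = is_ioctl and cmd in TTY_PROBE_IOCTLS and sc.get("success") == "no"
        results.append({
            "serial": serial,
            "comm": sc.get("comm", requests[0].get("comm")),
            "syscall": sc.get("syscall"),
            "ioctl_cmd": cmd,
            "kmod": raw,
            "kmod_prefix": printable_prefix(raw),
            "wants_sys_module": any("sys_module" in a["perms"] for a in ev["avcs"]),
            "spurious": spurious,
        })
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_AUDIT):
        tag = "SPURIOUS (tty probe turned into a module request)" if r["spurious"] else "review"
        print(f"event {r['serial']} {r['comm']}: {r['syscall']} {r['ioctl_cmd'] or ''} "
              f"kmod={r['kmod']!r} prefix={r['kmod_prefix']!r} -> {tag}")
```

The point of the spurious flag is that these denials are not fixed by granting sys_module or module_request to the domain: the process was probing whether fd 2 is a terminal, and the module name it is blamed for requesting is "netdev-" plus whatever bytes happened to sit in its termios buffer.
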
* Re: Linux 4.16 cap_sys_module
@ 2018-02-28  9:53 Dominick Grift
From: Dominick Grift @ 2018-02-28  9:53 UTC (permalink / raw)
  To: selinux

On Wed, Feb 28, 2018 at 10:27:08AM +0100, Dominick Grift wrote:
> Since Linux 4.16 (to at least RC2) user space started to excessively trigger cap_sys_module
> 
> Here is one example of such an event:
> 
> type=SYSCALL msg=audit(02/27/2018 08:06:40.017:74) : arch=x86_64 syscall=ioctl success=no exit=ENOTTY(Inappropriate ioctl for device) a0=0x2 a1=TCGETS a2=0x7fff2d89f8f0 a3=0x55ba203a9010 items=0 ppid=1 pid=423 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-user-se exe=/usr/lib/systemd/systemd-user-sessions subj=sys.id:sys.role:user_sessions.subj:s0 key=(null)
> type=AVC msg=audit(02/27/2018 08:06:40.017:74) : avc:  denied  { sys_module } for  pid=423 comm=systemd-user-se capability=sys_module  scontext=sys.id:sys.role:user_sessions.subj:s0 tcontext=sys.id:sys.role:user_sessions.subj:s0 tclass=capability permissive=1
> type=AVC msg=audit(02/27/2018 08:06:40.017:74) : avc:  denied  { module_request } for  pid=423 comm=systemd-user-se kmod=6E65746465762D80E72A05257F scontext=sys.id:sys.role:user_sessions.subj:s0 tcontext=sys.id:sys.role:sys.isid:s0 tclass=system permissive=1
> 
> Any idea what causes this and how to fix it?

For reference: https://github.com/fedora-selinux/selinux-policy/commit/2c13be1fb543c51935785e7a43b798a9f35f5aa0#comments

> 
> -- 
> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
> Dominick Grift



-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

* Re: Linux 4.16 cap_sys_module
@ 2018-02-28 13:53 Stephen Smalley
From: Stephen Smalley @ 2018-02-28 13:53 UTC (permalink / raw)
  To: selinux, Dominick Grift, Paul Moore

On 02/28/2018 04:53 AM, Dominick Grift wrote:
> On Wed, Feb 28, 2018 at 10:27:08AM +0100, Dominick Grift wrote:
>> Since Linux 4.16 (to at least RC2) user space started to excessively trigger cap_sys_module
>>
>> Here is one example of such an event:
>>
>> type=SYSCALL msg=audit(02/27/2018 08:06:40.017:74) : arch=x86_64 syscall=ioctl success=no exit=ENOTTY(Inappropriate ioctl for device) a0=0x2 a1=TCGETS a2=0x7fff2d89f8f0 a3=0x55ba203a9010 items=0 ppid=1 pid=423 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-user-se exe=/usr/lib/systemd/systemd-user-sessions subj=sys.id:sys.role:user_sessions.subj:s0 key=(null)
>> type=AVC msg=audit(02/27/2018 08:06:40.017:74) : avc:  denied  { sys_module } for  pid=423 comm=systemd-user-se capability=sys_module  scontext=sys.id:sys.role:user_sessions.subj:s0 tcontext=sys.id:sys.role:user_sessions.subj:s0 tclass=capability permissive=1
>> type=AVC msg=audit(02/27/2018 08:06:40.017:74) : avc:  denied  { module_request } for  pid=423 comm=systemd-user-se kmod=6E65746465762D80E72A05257F scontext=sys.id:sys.role:user_sessions.subj:s0 tcontext=sys.id:sys.role:sys.isid:s0 tclass=system permissive=1
>>
>> Any idea what causes this and how to fix it?
> 
> For reference: https://github.com/fedora-selinux/selinux-policy/commit/2c13be1fb543c51935785e7a43b798a9f35f5aa0#comments

Looks like this might be caused by:

commit 44c02a2c3dc55835e9f0d8ef73966406cd805001
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Thu Oct 5 12:59:44 2017 -0400

    dev_ioctl(): move copyin/copyout to callers

    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>


It moves the dev_load() call out of the switch statement, which was only
conditionally called in the default case if the cmd had certain values,
and unconditionally calls it.  So we trigger module load denials on
simple TCGETS (isatty) probes on a socket.  We need it moved back.


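The probe Stephen describes, as an added example that is not part of the thread: tcgetattr() is what glibc's isatty() uses underneath, and it issues the TCGETS ioctl seen in the SYSCALL record. On any kernel the call on a socket correctly fails with ENOTTY; on the 4.16-rc kernels discussed here the same call also made the socket's ioctl path call dev_load(), which is only visible in the audit log. The fd kinds probed are my choice; the comment about sock_ioctl() reflects Stephen's analysis above, not anything this script can observe.

```python
import errno
import os
import socket
import termios


def tty_probe(fd):
    """Issue the probe isatty() makes (TCGETS via tcgetattr) on fd.

    Returns 0 if fd is a terminal, otherwise the errno the kernel reported.
    For a socket the ioctl is dispatched to the socket's handler, which on the
    affected 4.16-rc kernels reached dev_load() before looking at the command.
    """
    try:
        termios.tcgetattr(fd)
    except termios.error as exc:
        return exc.args[0]
    return 0


def probe_fd_kinds():
    """Run the probe against fd types a daemon typically holds on fd 0-2.

    Every non-tty kind answers ENOTTY, which is the correct result; the
    returned errno names are identical across kinds, and the only place the
    socket case differs on an affected kernel is the module_request /
    sys_module denials in the audit log.
    """
    results = {}
    a, b = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        results["unix_socket"] = tty_probe(a.fileno())
    finally:
        a.close()
        b.close()
    r, w = os.pipe()
    try:
        results["pipe"] = tty_probe(r)
    finally:
        os.close(r)
        os.close(w)
    with open(os.devnull, "rb") as f:
        results["devnull"] = tty_probe(f.fileno())
    # Report errno names so the result reads like the audit record's exit= field.
    return {k: ("tty" if v == 0 else errno.errorcode.get(v, str(v)))
            for k, v in results.items()}


if __name__ == "__main__":
    for kind, outcome in probe_fd_kinds().items():
        print(f"{kind}: {outcome}")
    print("On an affected kernel, now check: ausearch -m AVC -m SYSCALL -ts recent")
```

Running it under strace -e trace=ioctl shows ioctl(N, TCGETS, ...) = -1 ENOTTY for each fd, matching the a1=TCGETS exit=ENOTTY record; ausearch then shows whether the kernel turned the socket probe into a module request.
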
* Re: Linux 4.16 cap_sys_module
@ 2018-02-28 14:18 Stephen Smalley
From: Stephen Smalley @ 2018-02-28 14:18 UTC (permalink / raw)
  To: selinux, Dominick Grift, Paul Moore, James Morris, Serge E. Hallyn, LSM

On 02/28/2018 08:53 AM, Stephen Smalley wrote:
> On 02/28/2018 04:53 AM, Dominick Grift wrote:
>> On Wed, Feb 28, 2018 at 10:27:08AM +0100, Dominick Grift wrote:
>>> Since Linux 4.16 (to at least RC2) user space started to excessively trigger cap_sys_module
>>>
>>> Here is one example of such an event:
>>>
>>> type=SYSCALL msg=audit(02/27/2018 08:06:40.017:74) : arch=x86_64 syscall=ioctl success=no exit=ENOTTY(Inappropriate ioctl for device) a0=0x2 a1=TCGETS a2=0x7fff2d89f8f0 a3=0x55ba203a9010 items=0 ppid=1 pid=423 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-user-se exe=/usr/lib/systemd/systemd-user-sessions subj=sys.id:sys.role:user_sessions.subj:s0 key=(null)
>>> type=AVC msg=audit(02/27/2018 08:06:40.017:74) : avc:  denied  { sys_module } for  pid=423 comm=systemd-user-se capability=sys_module  scontext=sys.id:sys.role:user_sessions.subj:s0 tcontext=sys.id:sys.role:user_sessions.subj:s0 tclass=capability permissive=1
>>> type=AVC msg=audit(02/27/2018 08:06:40.017:74) : avc:  denied  { module_request } for  pid=423 comm=systemd-user-se kmod=6E65746465762D80E72A05257F scontext=sys.id:sys.role:user_sessions.subj:s0 tcontext=sys.id:sys.role:sys.isid:s0 tclass=system permissive=1
>>>
>>> Any idea what causes this and how to fix it?
>>
>> For reference: https://github.com/fedora-selinux/selinux-policy/commit/2c13be1fb543c51935785e7a43b798a9f35f5aa0#comments
> 
> Looks like this might be caused by:
> 
> commit 44c02a2c3dc55835e9f0d8ef73966406cd805001
> Author: Al Viro <viro@zeniv.linux.org.uk>
> Date:   Thu Oct 5 12:59:44 2017 -0400
> 
>     dev_ioctl(): move copyin/copyout to callers
> 
>     Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
> 
> 
> It moves the dev_load() call out of the switch statement, which was only
> conditionally called in the default case if the cmd had certain values,
> and unconditionally calls it.  So we trigger module load denials on
> simple TCGETS (isatty) probes on a socket.  We need it moved back.

(expanded cc list since this affects more than just SELinux)

* Re: Linux 4.16 cap_sys_module
@ 2018-03-06 22:31 Paul Moore
From: Paul Moore @ 2018-03-06 22:31 UTC (permalink / raw)
  To: Stephen Smalley
  Cc: selinux, Dominick Grift, James Morris, Serge E. Hallyn, LSM

On Wed, Feb 28, 2018 at 9:18 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On 02/28/2018 08:53 AM, Stephen Smalley wrote:
>> On 02/28/2018 04:53 AM, Dominick Grift wrote:
>>> On Wed, Feb 28, 2018 at 10:27:08AM +0100, Dominick Grift wrote:
>>>> Since Linux 4.16 (to at least RC2) user space started to excessively trigger cap_sys_module
>>>>
>>>> Here is one example of such an event:
>>>>
>>>> type=SYSCALL msg=audit(02/27/2018 08:06:40.017:74) : arch=x86_64 syscall=ioctl success=no exit=ENOTTY(Inappropriate ioctl for device) a0=0x2 a1=TCGETS a2=0x7fff2d89f8f0 a3=0x55ba203a9010 items=0 ppid=1 pid=423 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-user-se exe=/usr/lib/systemd/systemd-user-sessions subj=sys.id:sys.role:user_sessions.subj:s0 key=(null)
>>>> type=AVC msg=audit(02/27/2018 08:06:40.017:74) : avc:  denied  { sys_module } for  pid=423 comm=systemd-user-se capability=sys_module  scontext=sys.id:sys.role:user_sessions.subj:s0 tcontext=sys.id:sys.role:user_sessions.subj:s0 tclass=capability permissive=1
>>>> type=AVC msg=audit(02/27/2018 08:06:40.017:74) : avc:  denied  { module_request } for  pid=423 comm=systemd-user-se kmod=6E65746465762D80E72A05257F scontext=sys.id:sys.role:user_sessions.subj:s0 tcontext=sys.id:sys.role:sys.isid:s0 tclass=system permissive=1
>>>>
>>>> Any idea what causes this and how to fix it?
>>>
>>> For reference: https://github.com/fedora-selinux/selinux-policy/commit/2c13be1fb543c51935785e7a43b798a9f35f5aa0#comments
>>
>> Looks like this might be caused by:
>>
>> commit 44c02a2c3dc55835e9f0d8ef73966406cd805001
>> Author: Al Viro <viro@zeniv.linux.org.uk>
>> Date:   Thu Oct 5 12:59:44 2017 -0400
>>
>>     dev_ioctl(): move copyin/copyout to callers
>>
>>     Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
>>
>>
>> It moves the dev_load() call out of the switch statement, which was only
>> conditionally called in the default case if the cmd had certain values,
>> and unconditionally calls it.  So we trigger module load denials on
>> simple TCGETS (isatty) probes on a socket.  We need it moved back.
>
> (expanded cc list since this affects more than just SELinux)

Just in case any of you on the To/CC line missed the patch:

* https://marc.info/?l=linux-netdev&m=152037526927844&w=2

-- 
paul moore
www.paul-moore.com
