From: Roberto Sassu <roberto.sassu@huawei.com>
To: Bighead Wang <ex200208049@gmail.com>,
	"zohar@linux.ibm.com" <zohar@linux.ibm.com>
Cc: "linux-integrity@vger.kernel.org"
	<linux-integrity@vger.kernel.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: RE: EVM gives no_label error due to security_kernfs_init_security
Date: Tue, 25 May 2021 09:29:23 +0000
Message-ID: <b348c8687d5b40919d8625f4c096d4e2@huawei.com>
In-Reply-To: <CADG95vuR1=dvgsf6bvNCRNsvDEJ=YwFgfvqJWRkNvD=rrYUaYA@mail.gmail.com>

> From: Bighead Wang [mailto:ex200208049@gmail.com]
> Sent: Tuesday, May 25, 2021 11:19 AM
> In the cgroup filesystem, security_kernfs_init_security() will initialize
> the security data for a newly created kernfs node after kernel 5.2;
> however, the new EVM xattr value is not initialized, and the no_label
> error appears when evm_verify_hmac() is triggered.
> 
> 
> The detailed description:
> When system boots up with IMA/EVM and SELinux enabled, we get:
> " May 25 14:13:01 raspberrypi audit[1212]: INTEGRITY_METADATA pid=1212
> uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t
> op=appraise_metadata cause=no_label comm="(systemd)"
> name="cgroup.procs" dev="cgroup2" ino=1360 res=0 errno=0 "
> 
> The root cause is that our customized SELinux file_contexts file does
> not contain the line "/sys/fs/cgroup/.*     <<none>>".
> When systemd relabels directories under /sys/fs/cgroup/ during
> boot, it will set the SELinux label inside the iattr member of the kernfs
> node, and then security_kernfs_init_security() will initialize the
> security data at the time a new kernfs node is created.
> After systemd executes something that triggers evm_verify_hmac(), we get
> this no_label error.
> 
> In evm_verify_hmac(), if there is no EVM xattr value, it will check
> whether any other xattr values protected by EVM exist.
> In this situation, there is no EVM xattr value (obtained from the iattr
> member of the kernfs node in the cgroup filesystem), but the SELinux label
> (also obtained from the iattr member of the kernfs node instead of from
> the inode) exists.
> To sum up, the error seems to me to be that the EVM mechanism doesn't
> initialize the EVM xattr value in the kernfs node.

Hi Hank,

this patch should help:

https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git/commit/?h=next-integrity-testing&id=4a804b8a4572dfc81c3a59709d49ae206e4370ba

Could you please try it?

Thanks

Roberto

HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Li Peng, Li Jian, Shi Yanli

> The environment:
> /proc/version: Linux version 5.13.0-rc3-v7l+ (bighead@52-0453463-02)
> (arm-linux-gnueabi-gcc (GCC) 9.1.0, GNU ld (GNU Binutils) 2.32) #1 SMP
> Tue May 25 12:33:01 CST 2021
> /proc/sys/kernel/tainted: 0
> Operating System: Raspbian GNU/Linux 10 (buster)
> Architecture: armv7l
> systemd version: systemd 241 (241) +PAM +AUDIT +SELINUX +IMA +APPARMOR
> +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4
> +SECCOMP +BLKID +ELFUTILS +KMOD -IDN2 +IDN -PCRE2 default-hierarchy=hybrid
> IMA/EVM kernel parameter: ima_policy=appraise_tcb ima_appraise=fix
> SELinux kernel parameter: security=selinux selinux=1 (permissive mode)
> 
> How to reproduce the error in Raspbian:
> 1. Prepare an environment in which SELinux and IMA/EVM are enabled and
> boot up with kernel parameters: security=selinux selinux=1
> ima_policy=appraise_tcb ima_appraise=fix evm=fix
> 2. Remove the line "/sys/fs/cgroup/.*     <<none>>" from the file_contexts
> file, and fully relabel the whole system with the SELinux official
> reference policy
> 3. Walk through all regular files and generate ima/evm hash:
> /usr/bin/find / -type f -uid 0 -exec sh -c "< '{}'" \;
> 4. Reboot with kernel parameters: security=selinux selinux=1
> ima_policy=appraise_tcb ima_appraise=fix
> 5. After boot up, you will get this EVM no_label error message
> 
> Reproduce the error directly:
> 1. Prepare an environment in which SELinux and IMA/EVM are enabled and
> boot up with kernel parameters: security=selinux selinux=1
> ima_policy=appraise_tcb ima_appraise=fix evm=fix
> 2. Fully relabel the whole system with the SELinux official reference policy
> 3. Walk through all regular files and generate ima/evm hash:
> /usr/bin/find / -type f -uid 0 -exec sh -c "< '{}'" \;
> 4. Reboot with kernel parameters: security=selinux selinux=1
> ima_policy=appraise_tcb ima_appraise=fix
> 5. sudo setfattr -n security.selinux -v system_u:object_r:cgroup_t
> /sys/fs/cgroup/unified
> 6. sudo mkdir /sys/fs/cgroup/unified/testevm
> 7. sudo chmod +x /sys/fs/cgroup/unified/testevm/cgroup.procs: you will
> get this EVM error message
> 
> Reference:
> Kernel config: https://140.96.154.7:5001/sharing/9cPNowmhK
> Journal log: https://140.96.154.7:5001/sharing/sRISz6IPt
> Patch for security_kernfs_init_security() :
> https://lore.kernel.org/selinux/20190130114150.27807-1-
> omosnace@redhat.com/
> 
> --
> Best Regards,
> Hank Wang

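Two things a practitioner chasing this report wants to automate: spotting the EVM no_label verdicts that evm_verify_hmac() emits as INTEGRITY_METADATA audit records (the record quoted at the top of the report), and replaying steps 5 to 7 of the direct reproduction against the cgroup2 mount. The script below is an added example, not code from the thread or from the kernel tree; the audit records in SAMPLE_AUDIT are constructed (the first copies the fields of the record in the report), and the cgroup mount point, the use of journalctl to fetch audit records and the reproduce_cgroup_nolabel function are assumptions about the test box.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread.
# evm_nolabel_events: pull "dev name" pairs out of audit records for EVM
# appraisals that failed with cause=no_label (no security.evm, but another
# EVM-protected xattr such as security.selinux is present).
# reproduce_cgroup_nolabel: replay steps 5-7 of the report on a live system.

# Constructed sample records; the first mirrors the record in the report,
# the second is a different EVM failure that must NOT be reported.
SAMPLE_AUDIT='type=INTEGRITY_METADATA msg=audit(1621948381.123:4321): pid=1212 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t op=appraise_metadata cause=no_label comm="(systemd)" name="cgroup.procs" dev="cgroup2" ino=1360 res=0 errno=0
type=INTEGRITY_METADATA msg=audit(1621948382.456:4322): pid=1300 uid=0 auid=0 ses=1 subj=system_u:system_r:unconfined_t op=appraise_metadata cause=invalid-HMAC comm="cat" name="passwd" dev="mmcblk0p2" ino=8827 res=0 errno=0
type=INTEGRITY_METADATA msg=audit(1621948383.789:4323): pid=1301 uid=0 auid=0 ses=1 subj=system_u:system_r:init_t op=appraise_metadata cause=no_label comm="(systemd)" name="cgroup.subtree_control" dev="cgroup2" ino=1361 res=0 errno=0'

# stdin: audit records, one per line (raw auditd format or journal "-o cat"
# output both work, since only the op=/cause=/name=/dev= fields are used).
# stdout: one "dev name" line per no_label verdict.
evm_nolabel_events() {
    awk '
        /op=appraise_metadata/ && /cause=no_label/ {
            dev = ""; name = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^dev="/)  { dev = $i;  sub(/^dev="/, "", dev);   sub(/"$/, "", dev) }
                if ($i ~ /^name="/) { name = $i; sub(/^name="/, "", name); sub(/"$/, "", name) }
            }
            print dev, name
        }'
}

# Count the no_label verdicts that come from kernfs-backed pseudo filesystems,
# which is where this report says the missing security.evm shows up.
count_kernfs_nolabel() {
    evm_nolabel_events | awk '
        $1 == "cgroup2" || $1 == "cgroup" || $1 == "sysfs" { n++ }
        END { print n + 0 }'
}

# Assumption: cgroup2 is mounted here, as in the report (systemd hybrid hierarchy).
CGROUP_ROOT=${CGROUP_ROOT:-/sys/fs/cgroup/unified}

# Steps 5-7 of the report's direct reproduction. Needs root on a box booted
# with security=selinux selinux=1 ima_policy=appraise_tcb ima_appraise=fix.
reproduce_cgroup_nolabel() {
    [ "$(id -u)" -eq 0 ] || { echo "reproduce_cgroup_nolabel: run as root" >&2; return 1; }
    setfattr -n security.selinux -v system_u:object_r:cgroup_t "$CGROUP_ROOT"
    mkdir "$CGROUP_ROOT/testevm"
    # Metadata change on the new kernfs node triggers evm_verify_hmac().
    chmod +x "$CGROUP_ROOT/testevm/cgroup.procs"
    # Assumption: audit records are reachable through the journal, as in the report.
    journalctl --no-pager -o cat _TRANSPORT=audit | evm_nolabel_events
}
```

Run `printf '%s\n' "$SAMPLE_AUDIT" | evm_nolabel_events` to see the parser pick out only the two cgroup2 records and skip the invalid-HMAC one; on the real box, `reproduce_cgroup_nolabel` should print `cgroup2 cgroup.procs` before the fix Roberto points to and nothing after it. Note that the awk field split assumes audit names without embedded spaces, which is how auditd emits them (names containing spaces are hex-encoded rather than quoted).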
Thread overview: 4+ messages
2021-05-25  9:19 EVM gives no_label error due to security_kernfs_init_security Bighead Wang
2021-05-25  9:29 ` Roberto Sassu [this message]
2021-05-27  3:59   ` Bighead Wang
2021-05-27  7:18     ` Roberto Sassu