EVM gives no_label error due to security_kernfs_init_security

EVM gives no_label error due to security_kernfs_init_security

[Bighead Wang]

In cgroup filesystem, security_kernfs_init_security() will initialize
the security data for newly created kernfs node after kernel 5.2.,
however, new EVM xattr value is not initialized, and the no_label
error appears when evm_verify_hmac() is triggered.


The detailed description:
When system boots up with IMA/EVM and SELinux enabled, we get:
" May 25 14:13:01 raspberrypi audit[1212]: INTEGRITY_METADATA pid=1212
uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t
op=appraise_metadata cause=no_label comm="(systemd)"
name="cgroup.procs" dev="cgroup2" ino=1360 res=0 errno=0 "

The root cause is that our customized SELinux file_contexts file does
not contain the line "/sys/fs/cgroup/.*     <<none>>".
When systemd relabels directories under /sys/fs/cgroup/ during
booting, it will set SELinux label inside the iattr member of kernfs
node, and then security_kernfs_init_security() will initialize the
security data at the time new kernfs node created.
After systemd executes something to trigger evm_verify_hmac(), we get
this no_label error.

In evm_verify_hmac(), if there is no EVM xattr value, it will check
any other xattr values protected by EVM exist or not.
In this situation, there is no EVM xattr value (got from the iattr
member of kernfs node in cgroup filesystem), but SELinux label (also
got from the iattr member of kernfs node instead of from inode)
exists.
To sum up, the error seems to me is EVM mechanism doesn't initialize
EVM xattr value in kernfs node.

The environment:
/proc/version: Linux version 5.13.0-rc3-v7l+ (bighead@52-0453463-02)
(arm-linux-gnueabi-gcc (GCC) 9.1.0, GNU ld (GNU Binutils) 2.32) #1 SMP
Tue May 25 12:33:01 CST 2021
/proc/sys/kernel/tainted: 0
Operating System: Raspbian GNU/Linux 10 (buster)
Architecture: armv7l
systemd version: systemd 241 (241) +PAM +AUDIT +SELINUX +IMA +APPARMOR
+SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4
+SECCOMP +BLKID +ELFUTILS +KMOD -IDN2 +IDN -PCRE2
default-hierarchy=hybrid
IMA/EVM kernel parameter: ima_policy=appraise_tcb ima_appraise=fix
SELinux kernel parameter: security=selinux selinux=1 (permissive mode)

How to reproduce the error in Raspbian:
1. Prepare an environment which SELinux and IMA/EVM are enabled and
boot up with kernel parameters: security=selinux selinux=1
ima_policy=appraise_tcb ima_appraise=fix evm=fix
2. Remove the line "/sys/fs/cgroup/.*     <<none>>" in file_contexts
file, and fully relabel all system with SELinux official reference
policy
3. Walk through all regular files and generate ima/evm hash:
/usr/bin/find / -type f -uid 0 -exec sh -c "< '{}'" \;
4. Reboot with kernel parameters: security=selinux selinux=1
ima_policy=appraise_tcb ima_appraise=fix
5. After boot up, you will get this EVM no_label error message

Reproduce the error directly:
1. Prepare an environment which SELinux and IMA/EVM are enabled and
boot up with kernel parameters: security=selinux selinux=1
ima_policy=appraise_tcb ima_appraise=fix evm=fix
2. Fully relabel all system with SELinux official reference policy
3. Walk through all regular files and generate ima/evm hash:
/usr/bin/find / -type f -uid 0 -exec sh -c "< '{}'" \;
4. Reboot with kernel parameters: security=selinux selinux=1
ima_policy=appraise_tcb ima_appraise=fix
5. sudo setfattr -n security.selinux -v system_u:object_r:cgroup_t
/sys/fs/cgroup/unified
6. sudo mkdir /sys/fs/cgroup/unified/testevm
7. sudo chmod +x /sys/fs/cgroup/unified/testevm/cgroup.procs: you will
get this EVM error message

Reference:
Kernel config: https://140.96.154.7:5001/sharing/9cPNowmhK
Journal log: https://140.96.154.7:5001/sharing/sRISz6IPt
Patch for security_kernfs_init_security() :
https://lore.kernel.org/selinux/20190130114150.27807-1-omosnace@redhat.com/

-- 
Best Regards,
Hank Wang

RE: EVM gives no_label error due to security_kernfs_init_security

[Roberto Sassu]

> From: Bighead Wang [mailto:ex200208049@gmail.com]
> Sent: Tuesday, May 25, 2021 11:19 AM
> In cgroup filesystem, security_kernfs_init_security() will initialize
> the security data for newly created kernfs node after kernel 5.2.,
> however, new EVM xattr value is not initialized, and the no_label
> error appears when evm_verify_hmac() is triggered.
> 
> 
> The detailed description:
> When system boots up with IMA/EVM and SELinux enabled, we get:
> " May 25 14:13:01 raspberrypi audit[1212]: INTEGRITY_METADATA pid=1212
> uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t
> op=appraise_metadata cause=no_label comm="(systemd)"
> name="cgroup.procs" dev="cgroup2" ino=1360 res=0 errno=0 "
> 
> The root cause is that our customized SELinux file_contexts file does
> not contain the line "/sys/fs/cgroup/.*     <<none>>".
> When systemd relabels directories under /sys/fs/cgroup/ during
> booting, it will set SELinux label inside the iattr member of kernfs
> node, and then security_kernfs_init_security() will initialize the
> security data at the time new kernfs node created.
> After systemd executes something to trigger evm_verify_hmac(), we get
> this no_label error.
> 
> In evm_verify_hmac(), if there is no EVM xattr value, it will check
> any other xattr values protected by EVM exist or not.
> In this situation, there is no EVM xattr value (got from the iattr
> member of kernfs node in cgroup filesystem), but SELinux label (also
> got from the iattr member of kernfs node instead of from inode)
> exists.
> To sum up, the error seems to me is EVM mechanism doesn't initialize
> EVM xattr value in kernfs node.

Hi Hank

this patch should help:

https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git/commit/?h=next-integrity-testing&id=4a804b8a4572dfc81c3a59709d49ae206e4370ba

Could you please try it?

Thanks

Roberto

HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Li Peng, Li Jian, Shi Yanli

> The environment:
> /proc/version: Linux version 5.13.0-rc3-v7l+ (bighead@52-0453463-02)
> (arm-linux-gnueabi-gcc (GCC) 9.1.0, GNU ld (GNU Binutils) 2.32) #1 SMP
> Tue May 25 12:33:01 CST 2021
> /proc/sys/kernel/tainted: 0
> Operating System: Raspbian GNU/Linux 10 (buster)
> Architecture: armv7l
> systemd version: systemd 241 (241) +PAM +AUDIT +SELINUX +IMA
> +APPARMOR
> +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ
> +LZ4
> +SECCOMP +BLKID +ELFUTILS +KMOD -IDN2 +IDN -PCRE2
> default-hierarchy=hybrid
> IMA/EVM kernel parameter: ima_policy=appraise_tcb ima_appraise=fix
> SELinux kernel parameter: security=selinux selinux=1 (permissive mode)
> 
> How to reproduce the error in Raspbian:
> 1. Prepare an environment which SELinux and IMA/EVM are enabled and
> boot up with kernel parameters: security=selinux selinux=1
> ima_policy=appraise_tcb ima_appraise=fix evm=fix
> 2. Remove the line "/sys/fs/cgroup/.*     <<none>>" in file_contexts
> file, and fully relabel all system with SELinux official reference
> policy
> 3. Walk through all regular files and generate ima/evm hash:
> /usr/bin/find / -type f -uid 0 -exec sh -c "< '{}'" \;
> 4. Reboot with kernel parameters: security=selinux selinux=1
> ima_policy=appraise_tcb ima_appraise=fix
> 5. After boot up, you will get this EVM no_label error message
> 
> Reproduce the error directly:
> 1. Prepare an environment which SELinux and IMA/EVM are enabled and
> boot up with kernel parameters: security=selinux selinux=1
> ima_policy=appraise_tcb ima_appraise=fix evm=fix
> 2. Fully relabel all system with SELinux official reference policy
> 3. Walk through all regular files and generate ima/evm hash:
> /usr/bin/find / -type f -uid 0 -exec sh -c "< '{}'" \;
> 4. Reboot with kernel parameters: security=selinux selinux=1
> ima_policy=appraise_tcb ima_appraise=fix
> 5. sudo setfattr -n security.selinux -v system_u:object_r:cgroup_t
> /sys/fs/cgroup/unified
> 6. sudo mkdir /sys/fs/cgroup/unified/testevm
> 7. sudo chmod +x /sys/fs/cgroup/unified/testevm/cgroup.procs: you will
> get this EVM error message
> 
> Reference:
> Kernel config: https://140.96.154.7:5001/sharing/9cPNowmhK
> Journal log: https://140.96.154.7:5001/sharing/sRISz6IPt
> Patch for security_kernfs_init_security() :
> https://lore.kernel.org/selinux/20190130114150.27807-1-
> omosnace@redhat.com/
> 
> --
> Best Regards,
> Hank Wang

Re: EVM gives no_label error due to security_kernfs_init_security

[Bighead Wang]

Hi Roberto
Thank you for the reply

Before I try this patch, I am sorry that I forget to mention that I
have loaded the EVM HMAC key in initramfs during system bootup.
Therefore, I don't think this patch will fix this issue although I
will give it a try. Because when issue happens, the key has already
loaded.

Thanks !

Roberto Sassu <roberto.sassu@huawei.com> 於 2021年5月25日 週二 下午5:29寫道：
>
> > From: Bighead Wang [mailto:ex200208049@gmail.com]
> > Sent: Tuesday, May 25, 2021 11:19 AM
> > In cgroup filesystem, security_kernfs_init_security() will initialize
> > the security data for newly created kernfs node after kernel 5.2.,
> > however, new EVM xattr value is not initialized, and the no_label
> > error appears when evm_verify_hmac() is triggered.
> >
> >
> > The detailed description:
> > When system boots up with IMA/EVM and SELinux enabled, we get:
> > " May 25 14:13:01 raspberrypi audit[1212]: INTEGRITY_METADATA pid=1212
> > uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t
> > op=appraise_metadata cause=no_label comm="(systemd)"
> > name="cgroup.procs" dev="cgroup2" ino=1360 res=0 errno=0 "
> >
> > The root cause is that our customized SELinux file_contexts file does
> > not contain the line "/sys/fs/cgroup/.*     <<none>>".
> > When systemd relabels directories under /sys/fs/cgroup/ during
> > booting, it will set SELinux label inside the iattr member of kernfs
> > node, and then security_kernfs_init_security() will initialize the
> > security data at the time new kernfs node created.
> > After systemd executes something to trigger evm_verify_hmac(), we get
> > this no_label error.
> >
> > In evm_verify_hmac(), if there is no EVM xattr value, it will check
> > any other xattr values protected by EVM exist or not.
> > In this situation, there is no EVM xattr value (got from the iattr
> > member of kernfs node in cgroup filesystem), but SELinux label (also
> > got from the iattr member of kernfs node instead of from inode)
> > exists.
> > To sum up, the error seems to me is EVM mechanism doesn't initialize
> > EVM xattr value in kernfs node.
>
> Hi Hank
>
> this patch should help:
>
> https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git/commit/?h=next-integrity-testing&id=4a804b8a4572dfc81c3a59709d49ae206e4370ba
>
> Could you please try it?
>
> Thanks
>
> Roberto
>
> HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
> Managing Director: Li Peng, Li Jian, Shi Yanli
>
> > The environment:
> > /proc/version: Linux version 5.13.0-rc3-v7l+ (bighead@52-0453463-02)
> > (arm-linux-gnueabi-gcc (GCC) 9.1.0, GNU ld (GNU Binutils) 2.32) #1 SMP
> > Tue May 25 12:33:01 CST 2021
> > /proc/sys/kernel/tainted: 0
> > Operating System: Raspbian GNU/Linux 10 (buster)
> > Architecture: armv7l
> > systemd version: systemd 241 (241) +PAM +AUDIT +SELINUX +IMA
> > +APPARMOR
> > +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ
> > +LZ4
> > +SECCOMP +BLKID +ELFUTILS +KMOD -IDN2 +IDN -PCRE2
> > default-hierarchy=hybrid
> > IMA/EVM kernel parameter: ima_policy=appraise_tcb ima_appraise=fix
> > SELinux kernel parameter: security=selinux selinux=1 (permissive mode)
> >
> > How to reproduce the error in Raspbian:
> > 1. Prepare an environment which SELinux and IMA/EVM are enabled and
> > boot up with kernel parameters: security=selinux selinux=1
> > ima_policy=appraise_tcb ima_appraise=fix evm=fix
> > 2. Remove the line "/sys/fs/cgroup/.*     <<none>>" in file_contexts
> > file, and fully relabel all system with SELinux official reference
> > policy
> > 3. Walk through all regular files and generate ima/evm hash:
> > /usr/bin/find / -type f -uid 0 -exec sh -c "< '{}'" \;
> > 4. Reboot with kernel parameters: security=selinux selinux=1
> > ima_policy=appraise_tcb ima_appraise=fix
> > 5. After boot up, you will get this EVM no_label error message
> >
> > Reproduce the error directly:
> > 1. Prepare an environment which SELinux and IMA/EVM are enabled and
> > boot up with kernel parameters: security=selinux selinux=1
> > ima_policy=appraise_tcb ima_appraise=fix evm=fix
> > 2. Fully relabel all system with SELinux official reference policy
> > 3. Walk through all regular files and generate ima/evm hash:
> > /usr/bin/find / -type f -uid 0 -exec sh -c "< '{}'" \;
> > 4. Reboot with kernel parameters: security=selinux selinux=1
> > ima_policy=appraise_tcb ima_appraise=fix
> > 5. sudo setfattr -n security.selinux -v system_u:object_r:cgroup_t
> > /sys/fs/cgroup/unified
> > 6. sudo mkdir /sys/fs/cgroup/unified/testevm
> > 7. sudo chmod +x /sys/fs/cgroup/unified/testevm/cgroup.procs: you will
> > get this EVM error message
> >
> > Reference:
> > Kernel config: https://140.96.154.7:5001/sharing/9cPNowmhK
> > Journal log: https://140.96.154.7:5001/sharing/sRISz6IPt
> > Patch for security_kernfs_init_security() :
> > https://lore.kernel.org/selinux/20190130114150.27807-1-
> > omosnace@redhat.com/
> >
> > --
> > Best Regards,
> > Hank Wang



-- 
Best Regards,
王禹軒 Hank

RE: EVM gives no_label error due to security_kernfs_init_security

[Roberto Sassu]

> From: Bighead Wang [mailto:ex200208049@gmail.com]
> Sent: Thursday, May 27, 2021 6:00 AM
> Hi Roberto
> Thank you for the reply
> 
> Before I try this patch, I am sorry that I forget to mention that I
> have loaded the EVM HMAC key in initramfs during system bootup.
> Therefore, I don't think this patch will fix this issue although I
> will give it a try. Because when issue happens, the key has already
> loaded.

Hi Hank

correct, my patch wouldn't solve the issue. It ignores the
INTEGRITY_NOLABEL error only if the HMAC key is not loaded.

To solve this, it is necessary to implement a more complicated
solution where the result of the verification is passed from the
pre hook to the post hook, so that allowing an operation from
the pre hook wouldn't cause the HMAC to be calculated on
unsuccessfully verified metadata (the post hook would stop
if the result of the verification from the pre hook is not
INTEGRITY_PASS).

Roberto

HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Li Peng, Li Jian, Shi Yanli

> Thanks !
> 
> Roberto Sassu <roberto.sassu@huawei.com> 於 2021年5月25日 週二 下午
> 5:29寫道：
> >
> > > From: Bighead Wang [mailto:ex200208049@gmail.com]
> > > Sent: Tuesday, May 25, 2021 11:19 AM
> > > In cgroup filesystem, security_kernfs_init_security() will initialize
> > > the security data for newly created kernfs node after kernel 5.2.,
> > > however, new EVM xattr value is not initialized, and the no_label
> > > error appears when evm_verify_hmac() is triggered.
> > >
> > >
> > > The detailed description:
> > > When system boots up with IMA/EVM and SELinux enabled, we get:
> > > " May 25 14:13:01 raspberrypi audit[1212]: INTEGRITY_METADATA
> pid=1212
> > > uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t
> > > op=appraise_metadata cause=no_label comm="(systemd)"
> > > name="cgroup.procs" dev="cgroup2" ino=1360 res=0 errno=0 "
> > >
> > > The root cause is that our customized SELinux file_contexts file does
> > > not contain the line "/sys/fs/cgroup/.*     <<none>>".
> > > When systemd relabels directories under /sys/fs/cgroup/ during
> > > booting, it will set SELinux label inside the iattr member of kernfs
> > > node, and then security_kernfs_init_security() will initialize the
> > > security data at the time new kernfs node created.
> > > After systemd executes something to trigger evm_verify_hmac(), we get
> > > this no_label error.
> > >
> > > In evm_verify_hmac(), if there is no EVM xattr value, it will check
> > > any other xattr values protected by EVM exist or not.
> > > In this situation, there is no EVM xattr value (got from the iattr
> > > member of kernfs node in cgroup filesystem), but SELinux label (also
> > > got from the iattr member of kernfs node instead of from inode)
> > > exists.
> > > To sum up, the error seems to me is EVM mechanism doesn't initialize
> > > EVM xattr value in kernfs node.
> >
> > Hi Hank
> >
> > this patch should help:
> >
> > https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-
> integrity.git/commit/?h=next-integrity-
> testing&id=4a804b8a4572dfc81c3a59709d49ae206e4370ba
> >
> > Could you please try it?
> >
> > Thanks
> >
> > Roberto
> >
> > HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
> > Managing Director: Li Peng, Li Jian, Shi Yanli
> >
> > > The environment:
> > > /proc/version: Linux version 5.13.0-rc3-v7l+ (bighead@52-0453463-02)
> > > (arm-linux-gnueabi-gcc (GCC) 9.1.0, GNU ld (GNU Binutils) 2.32) #1 SMP
> > > Tue May 25 12:33:01 CST 2021
> > > /proc/sys/kernel/tainted: 0
> > > Operating System: Raspbian GNU/Linux 10 (buster)
> > > Architecture: armv7l
> > > systemd version: systemd 241 (241) +PAM +AUDIT +SELINUX +IMA
> > > +APPARMOR
> > > +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ
> > > +LZ4
> > > +SECCOMP +BLKID +ELFUTILS +KMOD -IDN2 +IDN -PCRE2
> > > default-hierarchy=hybrid
> > > IMA/EVM kernel parameter: ima_policy=appraise_tcb ima_appraise=fix
> > > SELinux kernel parameter: security=selinux selinux=1 (permissive mode)
> > >
> > > How to reproduce the error in Raspbian:
> > > 1. Prepare an environment which SELinux and IMA/EVM are enabled and
> > > boot up with kernel parameters: security=selinux selinux=1
> > > ima_policy=appraise_tcb ima_appraise=fix evm=fix
> > > 2. Remove the line "/sys/fs/cgroup/.*     <<none>>" in file_contexts
> > > file, and fully relabel all system with SELinux official reference
> > > policy
> > > 3. Walk through all regular files and generate ima/evm hash:
> > > /usr/bin/find / -type f -uid 0 -exec sh -c "< '{}'" \;
> > > 4. Reboot with kernel parameters: security=selinux selinux=1
> > > ima_policy=appraise_tcb ima_appraise=fix
> > > 5. After boot up, you will get this EVM no_label error message
> > >
> > > Reproduce the error directly:
> > > 1. Prepare an environment which SELinux and IMA/EVM are enabled and
> > > boot up with kernel parameters: security=selinux selinux=1
> > > ima_policy=appraise_tcb ima_appraise=fix evm=fix
> > > 2. Fully relabel all system with SELinux official reference policy
> > > 3. Walk through all regular files and generate ima/evm hash:
> > > /usr/bin/find / -type f -uid 0 -exec sh -c "< '{}'" \;
> > > 4. Reboot with kernel parameters: security=selinux selinux=1
> > > ima_policy=appraise_tcb ima_appraise=fix
> > > 5. sudo setfattr -n security.selinux -v system_u:object_r:cgroup_t
> > > /sys/fs/cgroup/unified
> > > 6. sudo mkdir /sys/fs/cgroup/unified/testevm
> > > 7. sudo chmod +x /sys/fs/cgroup/unified/testevm/cgroup.procs: you will
> > > get this EVM error message
> > >
> > > Reference:
> > > Kernel config: https://140.96.154.7:5001/sharing/9cPNowmhK
> > > Journal log: https://140.96.154.7:5001/sharing/sRISz6IPt
> > > Patch for security_kernfs_init_security() :
> > > https://lore.kernel.org/selinux/20190130114150.27807-1-
> > > omosnace@redhat.com/
> > >
> > > --
> > > Best Regards,
> > > Hank Wang
> 
> 
> 
> --
> Best Regards,
> 王禹軒 Hank