RE: EVM gives no_label error due to security_kernfs_init_security

[Roberto Sassu <roberto.sassu@huawei.com>]

> From: Bighead Wang [mailto:ex200208049@gmail.com]
> Sent: Thursday, May 27, 2021 6:00 AM
> Hi Roberto
> Thank you for the reply
> 
> Before I try this patch, I am sorry that I forget to mention that I
> have loaded the EVM HMAC key in initramfs during system bootup.
> Therefore, I don't think this patch will fix this issue although I
> will give it a try. Because when issue happens, the key has already
> loaded.

Hi Hank

correct, my patch wouldn't solve the issue. It ignores the
INTEGRITY_NOLABEL error only if the HMAC key is not loaded.

To solve this, it is necessary to implement a more complicated
solution where the result of the verification is passed from the
pre hook to the post hook, so that allowing an operation from
the pre hook wouldn't cause the HMAC to be calculated on
unsuccessfully verified metadata (the post hook would stop
if the result of the verification from the pre hook is not
INTEGRITY_PASS).

Roberto

HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Li Peng, Li Jian, Shi Yanli

> Thanks !
> 
> Roberto Sassu <roberto.sassu@huawei.com> 於 2021年5月25日 週二 下午
> 5:29寫道：
> >
> > > From: Bighead Wang [mailto:ex200208049@gmail.com]
> > > Sent: Tuesday, May 25, 2021 11:19 AM
> > > In cgroup filesystem, security_kernfs_init_security() will initialize
> > > the security data for newly created kernfs node after kernel 5.2.,
> > > however, new EVM xattr value is not initialized, and the no_label
> > > error appears when evm_verify_hmac() is triggered.
> > >
> > >
> > > The detailed description:
> > > When system boots up with IMA/EVM and SELinux enabled, we get:
> > > " May 25 14:13:01 raspberrypi audit[1212]: INTEGRITY_METADATA
> pid=1212
> > > uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t
> > > op=appraise_metadata cause=no_label comm="(systemd)"
> > > name="cgroup.procs" dev="cgroup2" ino=1360 res=0 errno=0 "
> > >
> > > The root cause is that our customized SELinux file_contexts file does
> > > not contain the line "/sys/fs/cgroup/.*     <<none>>".
> > > When systemd relabels directories under /sys/fs/cgroup/ during
> > > booting, it will set SELinux label inside the iattr member of kernfs
> > > node, and then security_kernfs_init_security() will initialize the
> > > security data at the time new kernfs node created.
> > > After systemd executes something to trigger evm_verify_hmac(), we get
> > > this no_label error.
> > >
> > > In evm_verify_hmac(), if there is no EVM xattr value, it will check
> > > any other xattr values protected by EVM exist or not.
> > > In this situation, there is no EVM xattr value (got from the iattr
> > > member of kernfs node in cgroup filesystem), but SELinux label (also
> > > got from the iattr member of kernfs node instead of from inode)
> > > exists.
> > > To sum up, the error seems to me is EVM mechanism doesn't initialize
> > > EVM xattr value in kernfs node.
> >
> > Hi Hank
> >
> > this patch should help:
> >
> > https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-
> integrity.git/commit/?h=next-integrity-
> testing&id=4a804b8a4572dfc81c3a59709d49ae206e4370ba
> >
> > Could you please try it?
> >
> > Thanks
> >
> > Roberto
> >
> > HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
> > Managing Director: Li Peng, Li Jian, Shi Yanli
> >
> > > The environment:
> > > /proc/version: Linux version 5.13.0-rc3-v7l+ (bighead@52-0453463-02)
> > > (arm-linux-gnueabi-gcc (GCC) 9.1.0, GNU ld (GNU Binutils) 2.32) #1 SMP
> > > Tue May 25 12:33:01 CST 2021
> > > /proc/sys/kernel/tainted: 0
> > > Operating System: Raspbian GNU/Linux 10 (buster)
> > > Architecture: armv7l
> > > systemd version: systemd 241 (241) +PAM +AUDIT +SELINUX +IMA
> > > +APPARMOR
> > > +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ
> > > +LZ4
> > > +SECCOMP +BLKID +ELFUTILS +KMOD -IDN2 +IDN -PCRE2
> > > default-hierarchy=hybrid
> > > IMA/EVM kernel parameter: ima_policy=appraise_tcb ima_appraise=fix
> > > SELinux kernel parameter: security=selinux selinux=1 (permissive mode)
> > >
> > > How to reproduce the error in Raspbian:
> > > 1. Prepare an environment which SELinux and IMA/EVM are enabled and
> > > boot up with kernel parameters: security=selinux selinux=1
> > > ima_policy=appraise_tcb ima_appraise=fix evm=fix
> > > 2. Remove the line "/sys/fs/cgroup/.*     <<none>>" in file_contexts
> > > file, and fully relabel all system with SELinux official reference
> > > policy
> > > 3. Walk through all regular files and generate ima/evm hash:
> > > /usr/bin/find / -type f -uid 0 -exec sh -c "< '{}'" \;
> > > 4. Reboot with kernel parameters: security=selinux selinux=1
> > > ima_policy=appraise_tcb ima_appraise=fix
> > > 5. After boot up, you will get this EVM no_label error message
> > >
> > > Reproduce the error directly:
> > > 1. Prepare an environment which SELinux and IMA/EVM are enabled and
> > > boot up with kernel parameters: security=selinux selinux=1
> > > ima_policy=appraise_tcb ima_appraise=fix evm=fix
> > > 2. Fully relabel all system with SELinux official reference policy
> > > 3. Walk through all regular files and generate ima/evm hash:
> > > /usr/bin/find / -type f -uid 0 -exec sh -c "< '{}'" \;
> > > 4. Reboot with kernel parameters: security=selinux selinux=1
> > > ima_policy=appraise_tcb ima_appraise=fix
> > > 5. sudo setfattr -n security.selinux -v system_u:object_r:cgroup_t
> > > /sys/fs/cgroup/unified
> > > 6. sudo mkdir /sys/fs/cgroup/unified/testevm
> > > 7. sudo chmod +x /sys/fs/cgroup/unified/testevm/cgroup.procs: you will
> > > get this EVM error message
> > >
> > > Reference:
> > > Kernel config: https://140.96.154.7:5001/sharing/9cPNowmhK
> > > Journal log: https://140.96.154.7:5001/sharing/sRISz6IPt
> > > Patch for security_kernfs_init_security() :
> > > https://lore.kernel.org/selinux/20190130114150.27807-1-
> > > omosnace@redhat.com/
> > >
> > > --
> > > Best Regards,
> > > Hank Wang
> 
> 
> 
> --
> Best Regards,
> 王禹軒 Hank