[Kernel-packages] [Bug 1755804] Re: IMA policy parsing is broken in 4.13

2019-01-22 Thread Joseph Salisbury
** Changed in: linux (Ubuntu)
   Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1755804

Title:
  IMA policy parsing is broken in 4.13

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Artful:
  Fix Released

Bug description:
  
  == SRU Justification ==
  Artful has a bug in IMA policy parsing introduced by mainline commit
  787d8c530af7.
  This bug prevents setting IMA measurements and appraisal options per fsuuid.

  This commit has been cc'd to upstream stable.  However, it has not yet been
  applied to Artful, since upstream 4.13 is EOL.

  == Fix ==
  36447456e1cc ("ima/policy: fix parsing of fsuuid")

  == Regression Potential ==
  Low. This patch has also been sent to upstream stable, so it has had
  additional upstream review.

  == Test Case ==
  A test kernel was built with this patch and tested by the original bug
  reporter.
  The bug reporter states the test kernel resolved the bug.

  Linux kernel version 4.13 has a bug in IMA policy parsing that prevents
  setting IMA measurements and appraisal options per fsuuid.

  The issue can be reproduced with a simple ima_policy:

  # fsuuid=$(blkid -s UUID -o value /dev/sda1)
  # cat > ima_policy << EOF
  dont_appraise fsuuid=$fsuuid
  dont_measure fsuuid=$fsuuid
  EOF
  # cat ima_policy > /sys/kernel/security/ima/policy
  cat: write error: Invalid argument
  # dmesg | tail
  [  928.069606] audit: type=1805 audit(1521031959.907:18): action="dont_appraise" fsuuid="aef88a4e-dbea-4cc7-be8b-03cf8501cc8f" res=0
  [  928.069895] audit: type=1802 audit(1521031959.908:19): pid=1806 uid=0 auid=0 ses=1 op="update_policy" cause="invalid-policy" comm="cat" res=0
  [  928.070829] IMA: policy update failed
  [  928.070860] audit: type=1802 audit(1521031959.909:20): pid=1806 uid=0 auid=0 ses=1 op="policy_update" cause="failed" comm="cat" res=0

  The same policy can be successfully loaded on v4.10:

  (v4.10) # dmesg | tail
  [   54.071383] IMA: policy update completed
  [   54.071484] kauditd_printk_skb: 1 callbacks suppressed
  [   54.071487] audit: type=1805 audit(1521030962.958:15): action="dont_appraise" fsuuid="aef88a4e-dbea-4cc7-be8b-03cf8501cc8f" res=1
  [   54.071491] audit: type=1805 audit(1521030962.958:16): action="dont_measure" fsuuid="aef88a4e-dbea-4cc7-be8b-03cf8501cc8f" res=1
  [   54.071493] audit: type=1802 audit(1521030962.958:17): pid=1793 uid=0 auid=0 ses=1 op="policy_update" cause="completed" comm="cat" res=1

  The bug is fixed in the mainline kernel:

  [1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/security/integrity/ima/ima_policy.c?id=36447456e1cca853188505f2a964dbbeacfc7a7a
  ---
  AlsaDevices:
   total 0
   crw-rw 1 root audio 116,  1 Mar 14 12:37 seq
   crw-rw 1 root audio 116, 33 Mar 14 12:37 timer
  AplayDevices: Error: [Errno 2] No such file or directory
  ApportVersion: 2.20.1-0ubuntu2.15
  Architecture: amd64
  ArecordDevices: Error: [Errno 2] No such file or directory
  AudioDevicesInUse: Error: command ['fuser', '-v', '/dev/snd/seq', '/dev/snd/timer'] failed with exit code 1:
  DistroRelease: Ubuntu 16.04
  IwConfig: Error: [Errno 2] No such file or directory
  Lsusb: Error: command ['lsusb'] failed with exit code 1:
  MachineType: QEMU Standard PC (i440FX + PIIX, 1996)
  Package: linux (not installed)
  PciMultimedia:

  ProcFB:

  ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-4.13.0-36-generic root=UUID=aef88a4e-dbea-4cc7-be8b-03cf8501cc8f ro console=tty1 console=ttyS0 crashkernel=384M-2G:128M,2G-:256M
  ProcVersionSignature: Ubuntu 4.13.0-36.40~16.04.1-generic 4.13.13
  RelatedPackageVersions:
   linux-restricted-modules-4.13.0-36-generic N/A
   linux-backports-modules-4.13.0-36-generic  N/A
   linux-firmware 1.157.17
  RfKill: Error: [Errno 2] No such file or directory
  Tags:  xenial uec-images
  Uname: Linux 4.13.0-36-generic x86_64
  UpgradeStatus: No upgrade log present (probably fresh install)
  UserGroups: pkcs11
  _MarkForUpload: True
  dmi.bios.date: 04/01/2014
  dmi.bios.vendor: SeaBIOS
  dmi.bios.version: Ubuntu-1.8.2-1ubuntu1
  dmi.chassis.type: 1
  dmi.chassis.vendor: QEMU
  dmi.chassis.version: pc-i440fx-xenial
  dmi.modalias: dmi:bvnSeaBIOS:bvrUbuntu-1.8.2-1ubuntu1:bd04/01/2014:svnQEMU:pnStandardPC(i440FX+PIIX,1996):pvrpc-i440fx-xenial:cvnQEMU:ct1:cvrpc-i440fx-xenial:
  dmi.product.name: Standard PC (i440FX + PIIX, 1996)
  dmi.product.version: pc-i440fx-xenial
  dmi.sys.vendor: QEMU

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1755804/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
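
A triage aid for the audit output quoted in the report, added here as an example (it is not part of the bug report or of the kernel source): it reads dmesg text, picks out the integrity audit records (type 1805, one per policy rule; type 1802, the outcome of the load) and reports which rule the parser rejected and why the load failed. The function and dictionary key names are this example's own, and the sample input is the report's dmesg lines with the mail wrapping undone.

```python
import re

# Sample input: the dmesg lines quoted in the bug report, unwrapped.
DMESG_4_13 = '''\
[  928.069606] audit: type=1805 audit(1521031959.907:18): action="dont_appraise" fsuuid="aef88a4e-dbea-4cc7-be8b-03cf8501cc8f" res=0
[  928.069895] audit: type=1802 audit(1521031959.908:19): pid=1806 uid=0 auid=0 ses=1 op="update_policy" cause="invalid-policy" comm="cat" res=0
[  928.070829] IMA: policy update failed
[  928.070860] audit: type=1802 audit(1521031959.909:20): pid=1806 uid=0 auid=0 ses=1 op="policy_update" cause="failed" comm="cat" res=0
'''

DMESG_4_10 = '''\
[   54.071383] IMA: policy update completed
[   54.071484] kauditd_printk_skb: 1 callbacks suppressed
[   54.071487] audit: type=1805 audit(1521030962.958:15): action="dont_appraise" fsuuid="aef88a4e-dbea-4cc7-be8b-03cf8501cc8f" res=1
[   54.071491] audit: type=1805 audit(1521030962.958:16): action="dont_measure" fsuuid="aef88a4e-dbea-4cc7-be8b-03cf8501cc8f" res=1
[   54.071493] audit: type=1802 audit(1521030962.958:17): pid=1793 uid=0 auid=0 ses=1 op="policy_update" cause="completed" comm="cat" res=1
'''

AUDIT_INTEGRITY_STATUS = 1802  # outcome of a policy load
AUDIT_INTEGRITY_RULE = 1805    # one record per policy rule the parser handled

# Both spellings of the operation appear in the report's 4.13 output.
POLICY_OPS = ("policy_update", "update_policy")

RECORD_RE = re.compile(r"audit: type=(\d+) audit\(([\d.]+):(\d+)\): (.*)$")
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_records(text):
    """Return (type, serial, fields) for every audit record found in text."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.search(line)
        if not m:
            continue  # other kernel messages, e.g. "IMA: policy update failed"
        fields = {key: quoted or bare
                  for key, quoted, bare in FIELD_RE.findall(m.group(4))}
        records.append((int(m.group(1)), int(m.group(3)), fields))
    return records


def summarize_policy_load(text):
    """Summarize one IMA policy load attempt from its audit records.

    Assumes text covers a single write to the policy file; with several
    attempts in the input, "loaded" reflects the last status record.
    """
    accepted, rejected, causes = [], [], []
    loaded = None  # None: no policy status record seen at all
    for rtype, _serial, fields in parse_records(text):
        ok = fields.get("res") == "1"
        if rtype == AUDIT_INTEGRITY_RULE:
            # Rebuild the rule as written in the policy file: action first,
            # then every condition the kernel echoed back.
            conditions = [f"{k}={v}" for k, v in fields.items()
                          if k not in ("action", "res")]
            rule = " ".join([fields.get("action", "?")] + conditions)
            (accepted if ok else rejected).append(rule)
        elif rtype == AUDIT_INTEGRITY_STATUS and fields.get("op") in POLICY_OPS:
            loaded = ok
            if not ok:
                causes.append(fields.get("cause", "?"))
    return {"loaded": loaded, "accepted": accepted,
            "rejected": rejected, "causes": causes}


if __name__ == "__main__":
    for kernel, text in (("4.13", DMESG_4_13), ("4.10", DMESG_4_10)):
        print(kernel, summarize_policy_load(text))
```

On the 4.13 sample only the first rule shows up, with res=0, because parsing stopped there; the second rule in the policy file never reached the audit log.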


[Kernel-packages] [Bug 1755804] Re: IMA policy parsing is broken in 4.13

2018-04-23 Thread Launchpad Bug Tracker
This bug was fixed in the package linux - 4.13.0-39.44

---
linux (4.13.0-39.44) artful; urgency=medium

  * linux: 4.13.0-39.44 -proposed tracker (LP: #1761456)

  * intel-microcode 3.20180312.0 causes lockup at login screen(w/ linux-
image-4.13.0-37-generic) (LP: #1759920) // CVE-2017-5715 (Spectre v2
Intel) // CVE-2017-5754
- x86/mm: Reinitialize TLB state on hotplug and resume

  * intel-microcode 3.20180312.0 causes lockup at login screen(w/ linux-
image-4.13.0-37-generic) (LP: #1759920) // CVE-2017-5715 (Spectre v2 Intel)
- Revert "x86/mm: Only set IBPB when the new thread cannot ptrace current
  thread"
- x86/speculation: Use Indirect Branch Prediction Barrier in context switch

  * DKMS driver builds fail with: Cannot use CONFIG_STACK_VALIDATION=y, please
install libelf-dev, libelf-devel or elfutils-libelf-devel (LP: #1760876)
- [Packaging] include the retpoline extractor in the headers

  * retpoline hints: primary infrastructure and initial hints (LP: #1758856)
- [Packaging] retpoline-extract: flag *0xNNN(%reg) branches
- x86/speculation, objtool: Annotate indirect calls/jumps for objtool
- x86/speculation, objtool: Annotate indirect calls/jumps for objtool on 32bit
- x86/paravirt, objtool: Annotate indirect calls
- [Packaging] retpoline -- add safe usage hint support
- [Packaging] retpoline-check -- only report additions
- [Packaging] retpoline -- widen indirect call/jmp detection
- [Packaging] retpoline -- elide %rip relative indirections
- [Packaging] retpoline -- clear hint information from packages
- KVM: x86: Make indirect calls in emulator speculation safe
- KVM: VMX: Make indirect call speculation safe
- x86/boot, objtool: Annotate indirect jump in secondary_startup_64()
- SAUCE: early/late -- annotate indirect calls in early/late initialisation
  code
- SAUCE: vga_set_mode -- avoid jump tables
- [Config] retpoline -- switch to new format
- [Packaging] retpoline hints -- handle missing files when RETPOLINE not
  enabled
- [Packaging] final-checks -- remove check for empty retpoline files

  * retpoline: ignore %cs:0xNNN constant indirections (LP: #1752655)
- [Packaging] retpoline -- elide %cs:0x constants on i386

  * zfs system process hung on container stop/delete (LP: #1754584)
- SAUCE: Fix non-prefaulted page deadlock (LP: #1754584)

  * zfs-linux 0.6.5.11-1ubuntu5 ADT test failure with linux 4.15.0-1.2
(LP: #1737761)
- SAUCE: (noup) Update zfs to 0.6.5.11-1ubuntu3.2

  * AT_BASE_PLATFORM in AUXV is absent on kernels available on Ubuntu 17.10
(LP: #1759312)
- powerpc/64s: Fix NULL AT_BASE_PLATFORM when using DT CPU features

  * btrfs and tar sparse truncate archives (LP: #1757565)
- Btrfs: move definition of the function btrfs_find_new_delalloc_bytes
- Btrfs: fix reported number of inode blocks after buffered append writes

  * efifb broken on ThunderX-based Gigabyte nodes (LP: #1758375)
- drivers/fbdev/efifb: Allow BAR to be moved instead of claiming it

  * Intel i40e PF reset due to incorrect MDD detection (continues...)
(LP: #1723127)
- i40e/i40evf: Account for frags split over multiple descriptors in check
  linearize

  * Fix an issue that when system in S3, USB keyboard can't wake up the system.
(LP: #1759511)
- ACPI / PM: Allow deeper wakeup power states with no _SxD nor _SxW

  * [8086:3e92] display becomes blank after S3 (LP: #1759188)
- drm/i915: Apply Display WA #1183 on skl, kbl, and cfl

  * add audio kernel patches for Raven (LP: #1758364)
- ALSA: hda: Add Raven PCI ID
- ALSA: hda/realtek - Fix ALC700 family no sound issue

  * Cpu utilization showing system time for kvm guests (performance) (sysstat)
(LP: #1755979)
- KVM: PPC: Book3S HV: Fix guest time accounting with VIRT_CPU_ACCOUNTING_GEN

  * Kernel panic on a nfsroot system (LP: #1734327)
- Revert "UBUNTU: SAUCE: LSM stacking: add stacking support to apparmor
  network hooks"
- Revert "UBUNTU: SAUCE: LSM stacking: LSM: Infrastructure management of the
  remaining blobs"

  * can't record sound via front headset port on the Dell Precision 3630
(LP: #1759088)
- ALSA: hda/realtek - Fix Dell headset Mic can't record

  * speaker can't output sound anymore after system resumes from S3 on a lenovo
machine with alc257 (LP: #1758829)
- ALSA: hda/realtek - Fix speaker no sound after system resume

  * hda driver initialization takes too much time on the machine with coffeelake
audio controller [8086:a348] (LP: #1758800)
- ALSA: hda - Force polling mode on CFL for fixing codec communication

  * Let headset-mode initialization be called on Dell Precision 3930
(LP: #1757584)
- ALSA: hda/realtek - Add headset mode support for Dell laptop

  * ubuntu_zram_smoke test will cause soft lockup on Artful ThunderX ARM64
(LP: #1755073)
- SAUCE: crypto: thunderx_zip: Fix 

[Kernel-packages] [Bug 1755804] Re: IMA policy parsing is broken in 4.13

2018-04-10 Thread rppt
** Tags removed: verification-needed-artful
** Tags added: verification-done-artful


Title:
  IMA policy parsing is broken in 4.13

Status in linux package in Ubuntu:
  In Progress
Status in linux source package in Artful:
  Fix Committed


[Kernel-packages] [Bug 1755804] Re: IMA policy parsing is broken in 4.13

2018-04-10 Thread Brad Figg
This bug is awaiting verification that the kernel in -proposed solves
the problem. Please test the kernel and update this bug with the
results. If the problem is solved, change the tag
'verification-needed-artful' to 'verification-done-artful'. If the
problem still exists, change the tag 'verification-needed-artful' to
'verification-failed-artful'.

If verification is not done by 5 working days from today, this fix will
be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how
to enable and use -proposed. Thank you!


** Tags added: verification-needed-artful


Title:
  IMA policy parsing is broken in 4.13

Status in linux package in Ubuntu:
  In Progress
Status in linux source package in Artful:
  Fix Committed


[Kernel-packages] [Bug 1755804] Re: IMA policy parsing is broken in 4.13

2018-03-28 Thread Stefan Bader
** Changed in: linux (Ubuntu Artful)
   Status: In Progress => Fix Committed


Title:
  IMA policy parsing is broken in 4.13

Status in linux package in Ubuntu:
  In Progress
Status in linux source package in Artful:
  Fix Committed


[Kernel-packages] [Bug 1755804] Re: IMA policy parsing is broken in 4.13

2018-03-15 Thread Joseph Salisbury
SRU request submitted:
https://lists.ubuntu.com/archives/kernel-team/2018-March/090843.html

** Description changed:

- Linux kernel version 4.13 has a bug in IMA policy parsing that prevents
- setting IMA measurements and appraisal options per fsuuid.
+ 
+ == SRU Justification ==
+ Artful has a bug in IMA policy parsing introduced by mailine commit 
787d8c530af7.  
+ This bug prevents setting IMA measurements and appraisal options per fsuuid.
+ 
+ This commit has been cc'd to upstream stable.  However, it has not yet been 
applied
+ to Artful, since upstream 4.13 is EOL.
+ 
+ == Fix ==
+ 36447456e1cc ("ima/policy: fix parsing of fsuuid")
+ 
+ == Regression Potential ==
+ Low. This patch has also been sent to upstream stable, so it has had 
additional upstream
+ review.
+ 
+ == Test Case ==
+ A test kernel was built with this patch and tested by the original bug 
reporter.
+ The bug reporter states the test kernel resolved the bug.
+ 
+ 
+ 
+ 
+ 
+ Linux kernel version 4.13 has a bug in IMA policy parsing that prevents 
setting IMA measurements and appraisal options per fsuuid.
  
  The issue can be reproduced with simple ima_policy:
  
  # fsuuid=$(blkid -s UUID -o value /dev/sda1)
  # cat > ima_policy << EOF
  dont_appraise fsuuid=$fsuuid
  dont_measure fsuuid=$fsuuid
  EOF
  # cat ima_policy > /sys/kernel/security/ima/policy
  cat: write error: Invalid argument
  # dmesg | tail
  [  928.069606] audit: type=1805 audit(1521031959.907:18): 
action="dont_appraise" fsuuid="aef88a4e-dbea-4cc7-be8b-03cf8501cc8f" res=0
  [  928.069895] audit: type=1802 audit(1521031959.908:19): pid=1806 uid=0 
auid=0 ses=1 op="update_policy" cause="invalid-policy" comm="cat" res=0
  [  928.070829] IMA: policy update failed
  [  928.070860] audit: type=1802 audit(1521031959.909:20): pid=1806 uid=0 
auid=0 ses=1 op="policy_update" cause="failed" comm="cat" res=0
  
  The same policy can be successfully loaded on v4.10:
  
  (v4.10) # dmesg | tail
  [   54.071383] IMA: policy update completed
  [   54.071484] kauditd_printk_skb: 1 callbacks suppressed
  [   54.071487] audit: type=1805 audit(1521030962.958:15): 
action="dont_appraise" fsuuid="aef88a4e-dbea-4cc7-be8b-03cf8501cc8f" res=1
  [   54.071491] audit: type=1805 audit(1521030962.958:16): 
action="dont_measure" fsuuid="aef88a4e-dbea-4cc7-be8b-03cf8501cc8f" res=1
  [   54.071493] audit: type=1802 audit(1521030962.958:17): pid=1793 uid=0 
auid=0 ses=1 op="policy_update" cause="completed" comm="cat" res=1
  
  The bug is fixed in the mainline kernel:
  
  [1] 
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/security/integrity/ima/ima_policy.c?id=36447456e1cca853188505f2a964dbbeacfc7a7a
  ---
  AlsaDevices:
   total 0
   crw-rw 1 root audio 116,  1 Mar 14 12:37 seq
   crw-rw 1 root audio 116, 33 Mar 14 12:37 timer
  AplayDevices: Error: [Errno 2] No such file or directory
  ApportVersion: 2.20.1-0ubuntu2.15
  Architecture: amd64
  ArecordDevices: Error: [Errno 2] No such file or directory
  AudioDevicesInUse: Error: command ['fuser', '-v', '/dev/snd/seq', 
'/dev/snd/timer'] failed with exit code 1:
  DistroRelease: Ubuntu 16.04
  IwConfig: Error: [Errno 2] No such file or directory
  Lsusb: Error: command ['lsusb'] failed with exit code 1:
  MachineType: QEMU Standard PC (i440FX + PIIX, 1996)
  Package: linux (not installed)
  PciMultimedia:
  
  ProcFB:
  
  ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-4.13.0-36-generic 
root=UUID=aef88a4e-dbea-4cc7-be8b-03cf8501cc8f ro console=tty1 console=ttyS0 
crashkernel=384M-2G:128M,2G-:256M
  ProcVersionSignature: Ubuntu 4.13.0-36.40~16.04.1-generic 4.13.13
  RelatedPackageVersions:
   linux-restricted-modules-4.13.0-36-generic N/A
   linux-backports-modules-4.13.0-36-generic  N/A
   linux-firmware 1.157.17
  RfKill: Error: [Errno 2] No such file or directory
  Tags:  xenial uec-images
  Uname: Linux 4.13.0-36-generic x86_64
  UpgradeStatus: No upgrade log present (probably fresh install)
  UserGroups: pkcs11
  _MarkForUpload: True
  dmi.bios.date: 04/01/2014
  dmi.bios.vendor: SeaBIOS
  dmi.bios.version: Ubuntu-1.8.2-1ubuntu1
  dmi.chassis.type: 1
  dmi.chassis.vendor: QEMU
  dmi.chassis.version: pc-i440fx-xenial
  dmi.modalias: 
dmi:bvnSeaBIOS:bvrUbuntu-1.8.2-1ubuntu1:bd04/01/2014:svnQEMU:pnStandardPC(i440FX+PIIX,1996):pvrpc-i440fx-xenial:cvnQEMU:ct1:cvrpc-i440fx-xenial:
  dmi.product.name: Standard PC (i440FX + PIIX, 1996)
  dmi.product.version: pc-i440fx-xenial
  dmi.sys.vendor: QEMU
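
Review bot: the added SRU Justification names only the regressing commit 787d8c530af7, so the following added sentence, "This commit has been cc'd to upstream stable", reads as if it refers to that commit rather than to the fix 36447456e1cc listed under "== Fix ==". Suggest wording it as "The fix has been cc'd to upstream stable" and correcting "mailine" to "mainline". The added Test Case section records only that the reporter confirmed the test kernel; pointing it at the ima_policy reproduction steps kept further down in the description would make verification of the -proposed kernel repeatable.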


Title:
  IMA policy parsing is broken in 4.13

Status in linux package in Ubuntu:
  In Progress
Status in linux source package in Artful:
  In Progress


[Kernel-packages] [Bug 1755804] Re: IMA policy parsing is broken in 4.13

2018-03-15 Thread Joseph Salisbury
Yes, that is correct.  Any commits applied to the Artful kernel will
also get applied to the 4.13 based HWE kernel.


Title:
  IMA policy parsing is broken in 4.13

Status in linux package in Ubuntu:
  In Progress
Status in linux source package in Artful:
  In Progress



[Kernel-packages] [Bug 1755804] Re: IMA policy parsing is broken in 4.13

2018-03-15 Thread rppt
Yes, this kernel works as expected, thanks.

I presume that despite this being marked as Artful the fix will get into
Xenial HWE releases. Is this correct?

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1755804

Title:
  IMA policy parsing is broken in 4.13

Status in linux package in Ubuntu:
  In Progress
Status in linux source package in Artful:
  In Progress



[Kernel-packages] [Bug 1755804] Re: IMA policy parsing is broken in 4.13

2018-03-14 Thread Joseph Salisbury
I built a test kernel with commit 36447456e1cca853188505f2a964dbbeacfc7a7a.  
The test kernel can be downloaded from:
http://kernel.ubuntu.com/~jsalisbury/lp1755804

Can you test this kernel and see if it resolves this bug?

Note, to test this kernel, you need to install both the linux-image and
linux-image-extra .deb packages.

Thanks in advance!

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1755804

Title:
  IMA policy parsing is broken in 4.13

Status in linux package in Ubuntu:
  In Progress
Status in linux source package in Artful:
  In Progress


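When testing a kernel for this bug, the audit records in the kernel log show whether the IMA policy was accepted and which rule was rejected. The Python sketch below is an added example, not part of the original thread or of any Ubuntu tooling; it parses the two dmesg excerpts from the bug description (wrapped across lines as in the mail archive), and its function names are assumptions.

```python
import re

# Audit record types from include/uapi/linux/audit.h
AUDIT_INTEGRITY_STATUS = 1802  # outcome of the policy update as a whole
AUDIT_INTEGRITY_RULE = 1805    # one record per policy rule that was parsed

RECORD_START = re.compile(r"^\[\s*\d+\.\d+\]")
AUDIT_HEAD = re.compile(r"audit: type=(\d+) audit\(([\d.]+):(\d+)\):\s*(.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Excerpts copied from the bug description, including the archive's line wrapping.
FAILED_4_13 = """
  [  928.069606] audit: type=1805 audit(1521031959.907:18):
action="dont_appraise" fsuuid="aef88a4e-dbea-4cc7-be8b-03cf8501cc8f" res=0
  [  928.069895] audit: type=1802 audit(1521031959.908:19): pid=1806 uid=0
auid=0 ses=1 op="update_policy" cause="invalid-policy" comm="cat" res=0
  [  928.070829] IMA: policy update failed
  [  928.070860] audit: type=1802 audit(1521031959.909:20): pid=1806 uid=0
auid=0 ses=1 op="policy_update" cause="failed" comm="cat" res=0
"""

LOADED_4_10 = """
  [   54.071383] IMA: policy update completed
  [   54.071484] kauditd_printk_skb: 1 callbacks suppressed
  [   54.071487] audit: type=1805 audit(1521030962.958:15):
action="dont_appraise" fsuuid="aef88a4e-dbea-4cc7-be8b-03cf8501cc8f" res=1
  [   54.071491] audit: type=1805 audit(1521030962.958:16):
action="dont_measure" fsuuid="aef88a4e-dbea-4cc7-be8b-03cf8501cc8f" res=1
  [   54.071493] audit: type=1802 audit(1521030962.958:17): pid=1793 uid=0
auid=0 ses=1 op="policy_update" cause="completed" comm="cat" res=1
"""


def unwrap(text):
    """Rejoin kernel log records that were wrapped onto continuation lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)          # a new "[ timestamp ]" record
        else:
            records[-1] += " " + line     # continuation of the previous record
    return records


def ima_policy_events(text):
    """Return the IMA rule and status audit records as dictionaries."""
    events = []
    for record in unwrap(text):
        match = AUDIT_HEAD.search(record)
        if not match:
            continue                      # plain printk line, not an audit record
        rtype = int(match.group(1))
        if rtype not in (AUDIT_INTEGRITY_STATUS, AUDIT_INTEGRITY_RULE):
            continue
        fields = {k: v.strip('"') for k, v in FIELD.findall(match.group(4))}
        fields["type"] = rtype
        fields["serial"] = int(match.group(3))
        events.append(fields)
    return events


def summarize(text):
    """Classify a policy load attempt from its audit records."""
    summary = {"loaded": False, "accepted": [], "rejected": [], "causes": []}
    for ev in ima_policy_events(text):
        if ev["type"] == AUDIT_INTEGRITY_RULE:
            rule = {k: v for k, v in ev.items()
                    if k not in ("type", "serial", "res")}
            bucket = "accepted" if ev.get("res") == "1" else "rejected"
            summary[bucket].append(rule)
        else:
            summary["causes"].append(ev.get("cause"))
            if ev.get("op") == "policy_update" and ev.get("res") == "1":
                summary["loaded"] = True
    return summary


if __name__ == "__main__":
    for name, log in (("4.13", FAILED_4_13), ("4.10", LOADED_4_10)):
        print(name, summarize(log))
```

On the 4.13 excerpt the first `fsuuid` rule is reported as rejected and no later rule is logged, which matches the write to `/sys/kernel/security/ima/policy` failing with "Invalid argument".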

[Kernel-packages] [Bug 1755804] Re: IMA policy parsing is broken in 4.13

2018-03-14 Thread Joseph Salisbury
** Changed in: linux (Ubuntu Artful)
   Status: Triaged => In Progress

** Changed in: linux (Ubuntu)
   Status: Triaged => In Progress

** Changed in: linux (Ubuntu)
 Assignee: (unassigned) => Joseph Salisbury (jsalisbury)

** Changed in: linux (Ubuntu Artful)
 Assignee: (unassigned) => Joseph Salisbury (jsalisbury)

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1755804

Title:
  IMA policy parsing is broken in 4.13

Status in linux package in Ubuntu:
  In Progress
Status in linux source package in Artful:
  In Progress



[Kernel-packages] [Bug 1755804] Re: IMA policy parsing is broken in 4.13

2018-03-14 Thread Joseph Salisbury
** Also affects: linux (Ubuntu Artful)
   Importance: Undecided
   Status: New

** Changed in: linux (Ubuntu Artful)
   Status: New => Triaged

** Changed in: linux (Ubuntu)
   Status: Incomplete => Triaged

** Changed in: linux (Ubuntu)
   Importance: Undecided => Medium

** Changed in: linux (Ubuntu Artful)
   Importance: Undecided => Medium

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1755804

Title:
  IMA policy parsing is broken in 4.13

Status in linux package in Ubuntu:
  In Progress
Status in linux source package in Artful:
  In Progress



[Kernel-packages] [Bug 1755804] Re: IMA policy parsing is broken in 4.13

2018-03-14 Thread rppt
** Description changed:

  Linux kernel version 4.13 has a bug in IMA policy parsing that prevents
  setting IMA measurements and appraisal options per fsuuid.
  
  The issue can be reproduced with simple ima_policy:
  
  # fsuuid=$(blkid -s UUID -o value /dev/sda1)
  # cat > ima_policy << EOF
  dont_appraise fsuuid=$fsuuid
  dont_measure fsuuid=$fsuuid
  EOF
  # cat ima_policy > /sys/kernel/security/ima/policy
  cat: write error: Invalid argument
  # dmesg | tail
  [  928.069606] audit: type=1805 audit(1521031959.907:18): 
action="dont_appraise" fsuuid="aef88a4e-dbea-4cc7-be8b-03cf8501cc8f" res=0
  [  928.069895] audit: type=1802 audit(1521031959.908:19): pid=1806 uid=0 
auid=0 ses=1 op="update_policy" cause="invalid-policy" comm="cat" res=0
  [  928.070829] IMA: policy update failed
  [  928.070860] audit: type=1802 audit(1521031959.909:20): pid=1806 uid=0 
auid=0 ses=1 op="policy_update" cause="failed" comm="cat" res=0
  
- The same policy can be successively loaded on v4.10:
+ The same policy can be successfully loaded on v4.10:
  
  (v4.10) # dmesg | tail
  [   54.071383] IMA: policy update completed
  [   54.071484] kauditd_printk_skb: 1 callbacks suppressed
  [   54.071487] audit: type=1805 audit(1521030962.958:15): 
action="dont_appraise" fsuuid="aef88a4e-dbea-4cc7-be8b-03cf8501cc8f" res=1
  [   54.071491] audit: type=1805 audit(1521030962.958:16): 
action="dont_measure" fsuuid="aef88a4e-dbea-4cc7-be8b-03cf8501cc8f" res=1
  [   54.071493] audit: type=1802 audit(1521030962.958:17): pid=1793 uid=0 
auid=0 ses=1 op="policy_update" cause="completed" comm="cat" res=1
  
  The bug is fixed in the mainline kernel:
  
  [1] 
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/security/integrity/ima/ima_policy.c?id=36447456e1cca853188505f2a964dbbeacfc7a7a
- --- 
+ ---
  AlsaDevices:
-  total 0
-  crw-rw 1 root audio 116,  1 Mar 14 12:37 seq
-  crw-rw 1 root audio 116, 33 Mar 14 12:37 timer
+  total 0
+  crw-rw 1 root audio 116,  1 Mar 14 12:37 seq
+  crw-rw 1 root audio 116, 33 Mar 14 12:37 timer
  AplayDevices: Error: [Errno 2] No such file or directory
  ApportVersion: 2.20.1-0ubuntu2.15
  Architecture: amd64
  ArecordDevices: Error: [Errno 2] No such file or directory
  AudioDevicesInUse: Error: command ['fuser', '-v', '/dev/snd/seq', 
'/dev/snd/timer'] failed with exit code 1:
  DistroRelease: Ubuntu 16.04
  IwConfig: Error: [Errno 2] No such file or directory
  Lsusb: Error: command ['lsusb'] failed with exit code 1:
  MachineType: QEMU Standard PC (i440FX + PIIX, 1996)
  Package: linux (not installed)
  PciMultimedia:
-  
+ 
  ProcFB:
-  
+ 
  ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-4.13.0-36-generic 
root=UUID=aef88a4e-dbea-4cc7-be8b-03cf8501cc8f ro console=tty1 console=ttyS0 
crashkernel=384M-2G:128M,2G-:256M
  ProcVersionSignature: Ubuntu 4.13.0-36.40~16.04.1-generic 4.13.13
  RelatedPackageVersions:
-  linux-restricted-modules-4.13.0-36-generic N/A
-  linux-backports-modules-4.13.0-36-generic  N/A
-  linux-firmware 1.157.17
+  linux-restricted-modules-4.13.0-36-generic N/A
+  linux-backports-modules-4.13.0-36-generic  N/A
+  linux-firmware 1.157.17
  RfKill: Error: [Errno 2] No such file or directory
  Tags:  xenial uec-images
  Uname: Linux 4.13.0-36-generic x86_64
  UpgradeStatus: No upgrade log present (probably fresh install)
  UserGroups: pkcs11
  _MarkForUpload: True
  dmi.bios.date: 04/01/2014
  dmi.bios.vendor: SeaBIOS
  dmi.bios.version: Ubuntu-1.8.2-1ubuntu1
  dmi.chassis.type: 1
  dmi.chassis.vendor: QEMU
  dmi.chassis.version: pc-i440fx-xenial
  dmi.modalias: 
dmi:bvnSeaBIOS:bvrUbuntu-1.8.2-1ubuntu1:bd04/01/2014:svnQEMU:pnStandardPC(i440FX+PIIX,1996):pvrpc-i440fx-xenial:cvnQEMU:ct1:cvrpc-i440fx-xenial:
  dmi.product.name: Standard PC (i440FX + PIIX, 1996)
  dmi.product.version: pc-i440fx-xenial
  dmi.sys.vendor: QEMU

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1755804

Title:
  IMA policy parsing is broken in 4.13

Status in linux package in Ubuntu:
  Incomplete


[Kernel-packages] [Bug 1755804] Re: IMA policy parsing is broken in 4.13

2018-03-14 Thread rppt
apport information

** Tags added: apport-collected uec-images xenial

** Description changed:

  Linux kernel version 4.13 has a bug in IMA policy parsing that prevents
  setting IMA measurements and appraisal options per fsuuid.
  
  The issue can be reproduced with simple ima_policy:
  
  # fsuuid=$(blkid -s UUID -o value /dev/sda1)
  # cat > ima_policy << EOF
  dont_appraise fsuuid=$fsuuid
  dont_measure fsuuid=$fsuuid
  EOF
  # cat ima_policy > /sys/kernel/security/ima/policy
  cat: write error: Invalid argument
  # dmesg | tail
  [  928.069606] audit: type=1805 audit(1521031959.907:18): 
action="dont_appraise" fsuuid="aef88a4e-dbea-4cc7-be8b-03cf8501cc8f" res=0
  [  928.069895] audit: type=1802 audit(1521031959.908:19): pid=1806 uid=0 
auid=0 ses=1 op="update_policy" cause="invalid-policy" comm="cat" res=0
  [  928.070829] IMA: policy update failed
  [  928.070860] audit: type=1802 audit(1521031959.909:20): pid=1806 uid=0 
auid=0 ses=1 op="policy_update" cause="failed" comm="cat" res=0
  
  The same policy can be successively loaded on v4.10:
  
  (v4.10) # dmesg | tail
  [   54.071383] IMA: policy update completed
  [   54.071484] kauditd_printk_skb: 1 callbacks suppressed
  [   54.071487] audit: type=1805 audit(1521030962.958:15): 
action="dont_appraise" fsuuid="aef88a4e-dbea-4cc7-be8b-03cf8501cc8f" res=1
  [   54.071491] audit: type=1805 audit(1521030962.958:16): 
action="dont_measure" fsuuid="aef88a4e-dbea-4cc7-be8b-03cf8501cc8f" res=1
  [   54.071493] audit: type=1802 audit(1521030962.958:17): pid=1793 uid=0 
auid=0 ses=1 op="policy_update" cause="completed" comm="cat" res=1
  
  The bug is fixed in the mainline kernel:
  
- [1]
- 
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/security/integrity/ima/ima_policy.c?id=36447456e1cca853188505f2a964dbbeacfc7a7a
+ [1] 
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/security/integrity/ima/ima_policy.c?id=36447456e1cca853188505f2a964dbbeacfc7a7a
+ --- 
+ AlsaDevices:
+  total 0
+  crw-rw 1 root audio 116,  1 Mar 14 12:37 seq
+  crw-rw 1 root audio 116, 33 Mar 14 12:37 timer
+ AplayDevices: Error: [Errno 2] No such file or directory
+ ApportVersion: 2.20.1-0ubuntu2.15
+ Architecture: amd64
+ ArecordDevices: Error: [Errno 2] No such file or directory
+ AudioDevicesInUse: Error: command ['fuser', '-v', '/dev/snd/seq', 
'/dev/snd/timer'] failed with exit code 1:
+ DistroRelease: Ubuntu 16.04
+ IwConfig: Error: [Errno 2] No such file or directory
+ Lsusb: Error: command ['lsusb'] failed with exit code 1:
+ MachineType: QEMU Standard PC (i440FX + PIIX, 1996)
+ Package: linux (not installed)
+ PciMultimedia:
+  
+ ProcFB:
+  
+ ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-4.13.0-36-generic 
root=UUID=aef88a4e-dbea-4cc7-be8b-03cf8501cc8f ro console=tty1 console=ttyS0 
crashkernel=384M-2G:128M,2G-:256M
+ ProcVersionSignature: Ubuntu 4.13.0-36.40~16.04.1-generic 4.13.13
+ RelatedPackageVersions:
+  linux-restricted-modules-4.13.0-36-generic N/A
+  linux-backports-modules-4.13.0-36-generic  N/A
+  linux-firmware 1.157.17
+ RfKill: Error: [Errno 2] No such file or directory
+ Tags:  xenial uec-images
+ Uname: Linux 4.13.0-36-generic x86_64
+ UpgradeStatus: No upgrade log present (probably fresh install)
+ UserGroups: pkcs11
+ _MarkForUpload: True
+ dmi.bios.date: 04/01/2014
+ dmi.bios.vendor: SeaBIOS
+ dmi.bios.version: Ubuntu-1.8.2-1ubuntu1
+ dmi.chassis.type: 1
+ dmi.chassis.vendor: QEMU
+ dmi.chassis.version: pc-i440fx-xenial
+ dmi.modalias: 
dmi:bvnSeaBIOS:bvrUbuntu-1.8.2-1ubuntu1:bd04/01/2014:svnQEMU:pnStandardPC(i440FX+PIIX,1996):pvrpc-i440fx-xenial:cvnQEMU:ct1:cvrpc-i440fx-xenial:
+ dmi.product.name: Standard PC (i440FX + PIIX, 1996)
+ dmi.product.version: pc-i440fx-xenial
+ dmi.sys.vendor: QEMU

** Attachment added: "CRDA.txt"
   https://bugs.launchpad.net/bugs/1755804/+attachment/5079324/+files/CRDA.txt

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1755804

Title:
  IMA policy parsing is broken in 4.13

Status in linux package in Ubuntu:
  Incomplete
