apport information

** Tags added: apport-collected uec-images xenial

** Description changed:

  Linux kernel version 4.13 has a bug in IMA policy parsing that prevents
  setting IMA measurements and appraisal options per fsuuid.
  
  The issue can be reproduced with simple ima_policy:
  
  # fsuuid=$(blkid -s UUID -o value /dev/sda1)
  # cat > ima_policy << EOF
  dont_appraise fsuuid=$fsuuid
  dont_measure fsuuid=$fsuuid
  EOF
  # cat ima_policy > /sys/kernel/security/ima/policy
  cat: write error: Invalid argument
  # dmesg | tail
  [  928.069606] audit: type=1805 audit(1521031959.907:18): action="dont_appraise" fsuuid="aef88a4e-dbea-4cc7-be8b-03cf8501cc8f" res=0
  [  928.069895] audit: type=1802 audit(1521031959.908:19): pid=1806 uid=0 auid=0 ses=1 op="update_policy" cause="invalid-policy" comm="cat" res=0
  [  928.070829] IMA: policy update failed
  [  928.070860] audit: type=1802 audit(1521031959.909:20): pid=1806 uid=0 auid=0 ses=1 op="policy_update" cause="failed" comm="cat" res=0
  
  The same policy can be successfully loaded on v4.10:
  
  (v4.10) # dmesg | tail
  [   54.071383] IMA: policy update completed
  [   54.071484] kauditd_printk_skb: 1 callbacks suppressed
  [   54.071487] audit: type=1805 audit(1521030962.958:15): action="dont_appraise" fsuuid="aef88a4e-dbea-4cc7-be8b-03cf8501cc8f" res=1
  [   54.071491] audit: type=1805 audit(1521030962.958:16): action="dont_measure" fsuuid="aef88a4e-dbea-4cc7-be8b-03cf8501cc8f" res=1
  [   54.071493] audit: type=1802 audit(1521030962.958:17): pid=1793 uid=0 auid=0 ses=1 op="policy_update" cause="completed" comm="cat" res=1
  
  The bug is fixed in the mainline kernel:
  
- [1]
- 
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/security/integrity/ima/ima_policy.c?id=36447456e1cca853188505f2a964dbbeacfc7a7a
+ [1] 
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/security/integrity/ima/ima_policy.c?id=36447456e1cca853188505f2a964dbbeacfc7a7a
+ --- 
+ AlsaDevices:
+  total 0
+  crw-rw---- 1 root audio 116,  1 Mar 14 12:37 seq
+  crw-rw---- 1 root audio 116, 33 Mar 14 12:37 timer
+ AplayDevices: Error: [Errno 2] No such file or directory
+ ApportVersion: 2.20.1-0ubuntu2.15
+ Architecture: amd64
+ ArecordDevices: Error: [Errno 2] No such file or directory
+ AudioDevicesInUse: Error: command ['fuser', '-v', '/dev/snd/seq', '/dev/snd/timer'] failed with exit code 1:
+ DistroRelease: Ubuntu 16.04
+ IwConfig: Error: [Errno 2] No such file or directory
+ Lsusb: Error: command ['lsusb'] failed with exit code 1:
+ MachineType: QEMU Standard PC (i440FX + PIIX, 1996)
+ Package: linux (not installed)
+ PciMultimedia:
+  
+ ProcFB:
+  
+ ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-4.13.0-36-generic root=UUID=aef88a4e-dbea-4cc7-be8b-03cf8501cc8f ro console=tty1 console=ttyS0 crashkernel=384M-2G:128M,2G-:256M
+ ProcVersionSignature: Ubuntu 4.13.0-36.40~16.04.1-generic 4.13.13
+ RelatedPackageVersions:
+  linux-restricted-modules-4.13.0-36-generic N/A
+  linux-backports-modules-4.13.0-36-generic  N/A
+  linux-firmware                             1.157.17
+ RfKill: Error: [Errno 2] No such file or directory
+ Tags:  xenial uec-images
+ Uname: Linux 4.13.0-36-generic x86_64
+ UpgradeStatus: No upgrade log present (probably fresh install)
+ UserGroups: pkcs11
+ _MarkForUpload: True
+ dmi.bios.date: 04/01/2014
+ dmi.bios.vendor: SeaBIOS
+ dmi.bios.version: Ubuntu-1.8.2-1ubuntu1
+ dmi.chassis.type: 1
+ dmi.chassis.vendor: QEMU
+ dmi.chassis.version: pc-i440fx-xenial
+ dmi.modalias: dmi:bvnSeaBIOS:bvrUbuntu-1.8.2-1ubuntu1:bd04/01/2014:svnQEMU:pnStandardPC(i440FX+PIIX,1996):pvrpc-i440fx-xenial:cvnQEMU:ct1:cvrpc-i440fx-xenial:
+ dmi.product.name: Standard PC (i440FX + PIIX, 1996)
+ dmi.product.version: pc-i440fx-xenial
+ dmi.sys.vendor: QEMU

** Attachment added: "CRDA.txt"
   https://bugs.launchpad.net/bugs/1755804/+attachment/5079324/+files/CRDA.txt

https://bugs.launchpad.net/bugs/1755804

Title:
  IMA policy parsing is broken in 4.13
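As an added illustration, not code from the report or from the kernel: a small Python checker for IMA policy rules of the kind the report writes to /sys/kernel/security/ima/policy. It validates the fsuuid= value as a UUID and refuses a second fsuuid= on the same rule, which is the intended kernel behaviour; the `inverted_check` mode is an assumption (my reading of the linked upstream commit) that models the 4.13 defect as an inverted null-check on the rule's fsuuid slot, so that a perfectly valid first fsuuid= is rejected. The action list and the sample policy are constructed from the report.

```python
"""Checker for IMA policy rules (action key=value ...), modelling the
fsuuid= handling that the report shows failing on 4.13."""
import uuid

# Rule actions accepted by the IMA policy parser (subset sufficient here).
ACTIONS = {"measure", "dont_measure", "appraise", "dont_appraise",
           "audit", "hash", "dont_hash"}


class PolicyError(ValueError):
    """Raised where the kernel would fail the policy write with EINVAL."""


def parse_rule(line: str, inverted_check: bool = False) -> dict:
    """Parse one rule line into a dict.

    inverted_check=False: refuse only a *second* fsuuid= on the rule (fixed).
    inverted_check=True:  refuse while the slot is still empty, i.e. every
    first fsuuid= (assumed 4.13 defect, see lead-in).
    """
    tokens = line.split()
    if not tokens or tokens[0] not in ACTIONS:
        raise PolicyError(f"unknown action in rule: {line!r}")
    rule = {"action": tokens[0], "fsuuid": None}
    for tok in tokens[1:]:
        key, sep, value = tok.partition("=")
        if not sep:
            raise PolicyError(f"malformed token {tok!r}")
        if key == "fsuuid":
            slot_is_null = rule["fsuuid"] is None
            reject = slot_is_null if inverted_check else not slot_is_null
            if reject:
                raise PolicyError("fsuuid: invalid or duplicate value")
            try:
                rule["fsuuid"] = str(uuid.UUID(value))
            except ValueError:
                raise PolicyError(f"fsuuid: not a UUID: {value!r}") from None
        else:
            rule[key] = value
    return rule


def load_policy(text: str, inverted_check: bool = False) -> list:
    """Parse a whole policy; one bad rule fails the load, as the kernel does."""
    return [parse_rule(ln, inverted_check)
            for ln in text.splitlines() if ln.strip()]


# Constructed sample: the two rules from the report, with its fsuuid.
SAMPLE_POLICY = """\
dont_appraise fsuuid=aef88a4e-dbea-4cc7-be8b-03cf8501cc8f
dont_measure fsuuid=aef88a4e-dbea-4cc7-be8b-03cf8501cc8f
"""
```

Running `load_policy(SAMPLE_POLICY)` accepts both rules, while `load_policy(SAMPLE_POLICY, inverted_check=True)` raises PolicyError on the first one, matching the "invalid-policy" audit record in the report.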
