Public bug reported:

On a system that has IMA appraisal enabled it is impossible to create
security.ima extended attribute files that contain IMA hash.

For instance, consider the following use case:

1) extract application files to a staging area as non root user
2) verify that installation is correct
3) create IMA extended attributes for the installed files
4) move the files to their destination
5) change the files' ownership to root

With kernel 4.4.x step 3 will fail.

The issue is fixed in upstream kernels by the following commit [1]:

commit f5acb3dcba1ffb7f0b8cbb9dba61500eea5d610b
Author: Mimi Zohar <zo...@linux.vnet.ibm.com>
Date:   Wed Nov 2 09:14:16 2016 -0400

    Revert "ima: limit file hash setting by user to fix and log modes"

[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f5acb3dcba1ffb7f0b8cbb9dba61500eea5d610b

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: linux-image-4.4.0-124-generic 4.4.0-124.148
ProcVersionSignature: User Name 4.4.0-124.148-generic 4.4.117
Uname: Linux 4.4.0-124-generic x86_64
AlsaDevices:
 total 0
 crw-rw---- 1 root audio 116,  1 May 17 14:07 seq
 crw-rw---- 1 root audio 116, 33 May 17 14:07 timer
AplayDevices: Error: [Errno 2] No such file or directory: 'aplay'
ApportVersion: 2.20.1-0ubuntu2.15
Architecture: amd64
ArecordDevices: Error: [Errno 2] No such file or directory: 'arecord'
AudioDevicesInUse: Error: command ['fuser', '-v', '/dev/snd/seq', '/dev/snd/timer'] failed with exit code 1:
CRDA: Error: command ['iw', 'reg', 'get'] failed with exit code 1: nl80211 not found.
Date: Thu May 17 14:08:59 2018
IwConfig: Error: [Errno 2] No such file or directory: 'iwconfig'
Lsusb: Error: command ['lsusb'] failed with exit code 1:
MachineType: QEMU Standard PC (i440FX + PIIX, 1996)
PciMultimedia:

ProcFB:

ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-4.4.0-124-generic root=UUID=aef88a4e-dbea-4cc7-be8b-03cf8501cc8f ro biosdevname=0 net.ifnames=0 console=tty1 console=ttyS0 crashkernel=384M-:128M
RelatedPackageVersions:
 linux-restricted-modules-4.4.0-124-generic N/A
 linux-backports-modules-4.4.0-124-generic  N/A
 linux-firmware                             1.157.17
RfKill: Error: [Errno 2] No such file or directory: 'rfkill'
SourcePackage: linux
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 04/01/2014
dmi.bios.vendor: SeaBIOS
dmi.bios.version: rel-1.11.0-0-g63451fca13-prebuilt.qemu-project.org
dmi.chassis.type: 1
dmi.chassis.vendor: QEMU
dmi.chassis.version: pc-i440fx-2.12
dmi.modalias: dmi:bvnSeaBIOS:bvrrel-1.11.0-0-g63451fca13-prebuilt.qemu-project.org:bd04/01/2014:svnQEMU:pnStandardPC(i440FX+PIIX,1996):pvrpc-i440fx-2.12:cvnQEMU:ct1:cvrpc-i440fx-2.12:
dmi.product.name: Standard PC (i440FX + PIIX, 1996)
dmi.product.version: pc-i440fx-2.12
dmi.sys.vendor: QEMU

** Affects: linux (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: xenial
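An added example, not part of the bug report, that carries out step 3 of the use case in shell: it builds the security.ima value for a file in IMA's "ima-ng" layout (type byte 0x04, hash-algorithm byte, digest) and tries to write it with setfattr as the current user, so the failure described above can be reproduced and told apart from the ordinary privilege check on security.* names. The function names, the constructed sample file and the use of sha256sum, setfattr and getfattr are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the bug report): perform step 3 of the use case,
# creating a security.ima hash xattr for a file, and report what happened.
# Assumed layout: the ima-ng xattr is a type byte (IMA_XATTR_DIGEST_NG = 0x04),
# a hash-algorithm byte (HASH_ALGO_SHA256 = 0x04) and the raw digest.
# Assumed tools: coreutils sha256sum, attr's setfattr/getfattr.

# Print the hex-encoded security.ima value (sha256, ima-ng layout) for file $1,
# in the 0x... form that setfattr -v accepts. Returns 1 if no digest was produced.
ima_ng_sha256_value() {
    digest=$(sha256sum "$1" 2>/dev/null | cut -d' ' -f1) || return 1
    [ ${#digest} -eq 64 ] || return 1
    printf '0x0404%s' "$digest"
}

# Try to write the value as the current user and echo the outcome.
# On an affected 4.4.x kernel with IMA appraisal enabled this write is the
# step that fails; on other kernels security.* names may still need
# CAP_SYS_ADMIN, so read a failure together with the running kernel version.
set_ima_xattr() {
    file=$1
    value=$(ima_ng_sha256_value "$file") || return 1
    err=$(mktemp) || return 1
    if setfattr -n security.ima -v "$value" "$file" 2>"$err"; then
        echo "security.ima written: $(getfattr -n security.ima --only-values -e hex "$file" 2>/dev/null)"
        rm -f "$err"
        return 0
    fi
    echo "setfattr failed on $file: $(cat "$err")"
    rm -f "$err"
    return 1
}

# Stand-alone demo on a constructed file: the value is always computed, while
# the write succeeds or fails depending on the kernel and the caller's privileges.
demo=$(mktemp)
printf 'hello\n' > "$demo"
echo "value for $demo: $(ima_ng_sha256_value "$demo")"
set_ima_xattr "$demo" || true
rm -f "$demo"
```

Run it as the non-root owner of the staged files; a rejected write on a 4.4.0-124 kernel with appraisal enabled is the symptom this bug describes.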


https://bugs.launchpad.net/bugs/1771826

Title:
  Creation of IMA file hashes fails when appraisal is enabled
