** Changed in: linux (Ubuntu)
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1755804

Title:
  IMA policy parsing is broken in 4.13

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Artful:
  Fix Released

Bug description:
  == SRU Justification ==

  Artful has a bug in IMA policy parsing introduced by mainline commit
  787d8c530af7. This bug prevents setting IMA measurements and appraisal
  options per fsuuid. This commit has been cc'd to upstream stable.
  However, it has not yet been applied to Artful, since upstream 4.13 is
  EOL.

  == Fix ==

  36447456e1cc ("ima/policy: fix parsing of fsuuid")

  == Regression Potential ==

  Low. This patch has also been sent to upstream stable, so it has had
  additional upstream review.

  == Test Case ==

  A test kernel was built with this patch and tested by the original bug
  reporter. The bug reporter states the test kernel resolved the bug.

  Linux kernel version 4.13 has a bug in IMA policy parsing that prevents
  setting IMA measurements and appraisal options per fsuuid.

  The issue can be reproduced with simple ima_policy:

  # fsuuid=$(blkid -s UUID -o value /dev/sda1)
  # cat > ima_policy << EOF
  dont_appraise fsuuid=$fsuuid
  dont_measure fsuuid=$fsuuid
  EOF
  # cat ima_policy > /sys/kernel/security/ima/policy
  cat: write error: Invalid argument
  # dmesg | tail
  [  928.069606] audit: type=1805 audit(1521031959.907:18): action="dont_appraise" fsuuid="aef88a4e-dbea-4cc7-be8b-03cf8501cc8f" res=0
  [  928.069895] audit: type=1802 audit(1521031959.908:19): pid=1806 uid=0 auid=0 ses=1 op="update_policy" cause="invalid-policy" comm="cat" res=0
  [  928.070829] IMA: policy update failed
  [  928.070860] audit: type=1802 audit(1521031959.909:20): pid=1806 uid=0 auid=0 ses=1 op="policy_update" cause="failed" comm="cat" res=0

  The same policy can be successfully loaded on v4.10:

  (v4.10) # dmesg | tail
  [   54.071383] IMA: policy update completed
  [   54.071484] kauditd_printk_skb: 1 callbacks suppressed
  [   54.071487] audit: type=1805 audit(1521030962.958:15): action="dont_appraise" fsuuid="aef88a4e-dbea-4cc7-be8b-03cf8501cc8f" res=1
  [   54.071491] audit: type=1805 audit(1521030962.958:16): action="dont_measure" fsuuid="aef88a4e-dbea-4cc7-be8b-03cf8501cc8f" res=1
  [   54.071493] audit: type=1802 audit(1521030962.958:17): pid=1793 uid=0 auid=0 ses=1 op="policy_update" cause="completed" comm="cat" res=1

  The bug is fixed in the mainline kernel:
  [1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/security/integrity/ima/ima_policy.c?id=36447456e1cca853188505f2a964dbbeacfc7a7a

  ---
  AlsaDevices:
   total 0
   crw-rw---- 1 root audio 116,  1 Mar 14 12:37 seq
   crw-rw---- 1 root audio 116, 33 Mar 14 12:37 timer
  AplayDevices: Error: [Errno 2] No such file or directory
  ApportVersion: 2.20.1-0ubuntu2.15
  Architecture: amd64
  ArecordDevices: Error: [Errno 2] No such file or directory
  AudioDevicesInUse: Error: command ['fuser', '-v', '/dev/snd/seq', '/dev/snd/timer'] failed with exit code 1:
  DistroRelease: Ubuntu 16.04
  IwConfig: Error: [Errno 2] No such file or directory
  Lsusb:
   Error: command ['lsusb'] failed with exit code 1:
  MachineType: QEMU Standard PC (i440FX + PIIX, 1996)
  Package: linux (not installed)
  PciMultimedia:
  ProcFB:
  ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-4.13.0-36-generic root=UUID=aef88a4e-dbea-4cc7-be8b-03cf8501cc8f ro console=tty1 console=ttyS0 crashkernel=384M-2G:128M,2G-:256M
  ProcVersionSignature: Ubuntu 4.13.0-36.40~16.04.1-generic 4.13.13
  RelatedPackageVersions:
   linux-restricted-modules-4.13.0-36-generic N/A
   linux-backports-modules-4.13.0-36-generic  N/A
   linux-firmware                             1.157.17
  RfKill: Error: [Errno 2] No such file or directory
  Tags: xenial uec-images
  Uname: Linux 4.13.0-36-generic x86_64
  UpgradeStatus: No upgrade log present (probably fresh install)
  UserGroups: pkcs11
  _MarkForUpload: True
  dmi.bios.date: 04/01/2014
  dmi.bios.vendor: SeaBIOS
  dmi.bios.version: Ubuntu-1.8.2-1ubuntu1
  dmi.chassis.type: 1
  dmi.chassis.vendor: QEMU
  dmi.chassis.version: pc-i440fx-xenial
  dmi.modalias: dmi:bvnSeaBIOS:bvrUbuntu-1.8.2-1ubuntu1:bd04/01/2014:svnQEMU:pnStandardPC(i440FX+PIIX,1996):pvrpc-i440fx-xenial:cvnQEMU:ct1:cvrpc-i440fx-xenial:
  dmi.product.name: Standard PC (i440FX + PIIX, 1996)
  dmi.product.version: pc-i440fx-xenial
  dmi.sys.vendor: QEMU

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1755804/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
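The two dmesg excerpts in the bug description are the only evidence of whether a policy write was accepted: the kernel emits one type=1805 (AUDIT_INTEGRITY_RULE) record per rule with res=1 or res=0, and a type=1802 (AUDIT_INTEGRITY_STATUS) record with op="policy_update" and cause="completed" or cause="failed". The script below is an added example, not part of the bug report or of the kernel sources; it parses those records so that a policy load can be verified from the audit trail rather than from the exit status of cat alone. The two dmesg samples embedded in it are constructed to match the shape of the outputs quoted in the report; the field names and record types are the real ones from the kernel's audit output.

```python
"""Classify an IMA policy load from the kernel's audit records in dmesg.

Added example (not part of the Launchpad bug report): parses the
type=1805 (AUDIT_INTEGRITY_RULE) and type=1802 (AUDIT_INTEGRITY_STATUS)
records written when a policy is fed to /sys/kernel/security/ima/policy,
and reports whether the update completed and which rules were rejected.
"""
import re

AUDIT_INTEGRITY_STATUS = 1802  # op="policy_update" cause="completed"|"failed"
AUDIT_INTEGRITY_RULE = 1805    # one record per policy rule; res=1 means accepted

# Constructed sample input, shaped like the 4.13 (failing) output in the report.
DMESG_4_13_FAILED = """\
[  928.069606] audit: type=1805 audit(1521031959.907:18): action="dont_appraise" fsuuid="aef88a4e-dbea-4cc7-be8b-03cf8501cc8f" res=0
[  928.069895] audit: type=1802 audit(1521031959.908:19): pid=1806 uid=0 auid=0 ses=1 op="update_policy" cause="invalid-policy" comm="cat" res=0
[  928.070829] IMA: policy update failed
[  928.070860] audit: type=1802 audit(1521031959.909:20): pid=1806 uid=0 auid=0 ses=1 op="policy_update" cause="failed" comm="cat" res=0
"""

# Constructed sample input, shaped like the 4.10 (working) output in the report.
DMESG_4_10_OK = """\
[   54.071383] IMA: policy update completed
[   54.071484] kauditd_printk_skb: 1 callbacks suppressed
[   54.071487] audit: type=1805 audit(1521030962.958:15): action="dont_appraise" fsuuid="aef88a4e-dbea-4cc7-be8b-03cf8501cc8f" res=1
[   54.071491] audit: type=1805 audit(1521030962.958:16): action="dont_measure" fsuuid="aef88a4e-dbea-4cc7-be8b-03cf8501cc8f" res=1
[   54.071493] audit: type=1802 audit(1521030962.958:17): pid=1793 uid=0 auid=0 ses=1 op="policy_update" cause="completed" comm="cat" res=1
"""

AUDIT_RE = re.compile(r'audit: type=(\d+) audit\([\d.]+:\d+\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_records(dmesg_text):
    """Return one dict per audit record: the record type as an int plus every
    key=value field with surrounding quotes removed. Other lines are skipped."""
    records = []
    for line in dmesg_text.splitlines():
        m = AUDIT_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
        fields["type"] = int(m.group(1))
        records.append(fields)
    return records


def ima_policy_load_status(dmesg_text):
    """Summarise a policy load: rules accepted or rejected by the parser (from
    1805 records) and whether the update completed (from the 1802 record with
    op="policy_update")."""
    accepted, rejected, causes = [], [], []
    completed = None  # stays None if no policy_update status record is present
    # printk rate limiting can drop audit lines, so an absent 1805 record does
    # not prove that a rule was never evaluated; surface that to the caller.
    suppressed = any("callbacks suppressed" in ln for ln in dmesg_text.splitlines())
    for rec in parse_audit_records(dmesg_text):
        if rec["type"] == AUDIT_INTEGRITY_RULE:
            rule = (rec.get("action"), rec.get("fsuuid"))
            (accepted if rec.get("res") == "1" else rejected).append(rule)
        elif rec["type"] == AUDIT_INTEGRITY_STATUS:
            causes.append(rec.get("cause"))
            if rec.get("op") == "policy_update":
                completed = rec.get("res") == "1"
    return {
        "completed": completed,
        "accepted": accepted,
        "rejected": rejected,
        "causes": causes,
        "records_may_be_missing": suppressed,
    }


if __name__ == "__main__":
    for label, text in (("4.13", DMESG_4_13_FAILED), ("4.10", DMESG_4_10_OK)):
        print(label, ima_policy_load_status(text))
```

On the 4.13 sample the summary shows the first fsuuid rule rejected, causes "invalid-policy" and "failed", and completed False; on the 4.10 sample both rules are accepted and completed is True. Because the kernel stops at the first rule it cannot parse, a rejected rule early in a policy means every later rule is absent from the audit trail as well, so the status record, not the count of 1805 lines, is what tells you whether the policy you intended is actually in force.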