In cgroup filesystem, security_kernfs_init_security() will initialize
the security data for newly created kernfs node after kernel 5.2.,
however, new EVM xattr value is not initialized, and the no_label
error appears when evm_verify_hmac() is triggered.
The detailed description:
When system boots up with IMA/EVM and SELinux enabled, we get:
" May 25 14:13:01 raspberrypi audit[1212]: INTEGRITY_METADATA pid=1212
uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t
op=appraise_metadata cause=no_label comm="(systemd)"
name="cgroup.procs" dev="cgroup2" ino=1360 res=0 errno=0 "
The root cause is that our customized SELinux file_contexts file does
not contain the line "/sys/fs/cgroup/.* <<none>>".
When systemd relabels directories under /sys/fs/cgroup/ during
booting, it will set SELinux label inside the iattr member of kernfs
node, and then security_kernfs_init_security() will initialize the
security data at the time new kernfs node created.
After systemd executes something to trigger evm_verify_hmac(), we get
this no_label error.
In evm_verify_hmac(), if there is no EVM xattr value, it will check
any other xattr values protected by EVM exist or not.
In this situation, there is no EVM xattr value (got from the iattr
member of kernfs node in cgroup filesystem), but SELinux label (also
got from the iattr member of kernfs node instead of from inode)
exists.
To sum up, the error seems to me is EVM mechanism doesn't initialize
EVM xattr value in kernfs node.
The environment:
/proc/version: Linux version 5.13.0-rc3-v7l+ (bighead@52-0453463-02)
(arm-linux-gnueabi-gcc (GCC) 9.1.0, GNU ld (GNU Binutils) 2.32) #1 SMP
Tue May 25 12:33:01 CST 2021
/proc/sys/kernel/tainted: 0
Operating System: Raspbian GNU/Linux 10 (buster)
Architecture: armv7l
systemd version: systemd 241 (241) +PAM +AUDIT +SELINUX +IMA +APPARMOR
+SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4
+SECCOMP +BLKID +ELFUTILS +KMOD -IDN2 +IDN -PCRE2
default-hierarchy=hybrid
IMA/EVM kernel parameter: ima_policy=appraise_tcb ima_appraise=fix
SELinux kernel parameter: security=selinux selinux=1 (permissive mode)
How to reproduce the error in Raspbian:
1. Prepare an environment which SELinux and IMA/EVM are enabled and
boot up with kernel parameters: security=selinux selinux=1
ima_policy=appraise_tcb ima_appraise=fix evm=fix
2. Remove the line "/sys/fs/cgroup/.* <<none>>" in file_contexts
file, and fully relabel all system with SELinux official reference
policy
3. Walk through all regular files and generate ima/evm hash:
/usr/bin/find / -type f -uid 0 -exec sh -c "< '{}'" \;
4. Reboot with kernel parameters: security=selinux selinux=1
ima_policy=appraise_tcb ima_appraise=fix
5. After boot up, you will get this EVM no_label error message
Reproduce the error directly:
1. Prepare an environment which SELinux and IMA/EVM are enabled and
boot up with kernel parameters: security=selinux selinux=1
ima_policy=appraise_tcb ima_appraise=fix evm=fix
2. Fully relabel all system with SELinux official reference policy
3. Walk through all regular files and generate ima/evm hash:
/usr/bin/find / -type f -uid 0 -exec sh -c "< '{}'" \;
4. Reboot with kernel parameters: security=selinux selinux=1
ima_policy=appraise_tcb ima_appraise=fix
5. sudo setfattr -n security.selinux -v system_u:object_r:cgroup_t
/sys/fs/cgroup/unified
6. sudo mkdir /sys/fs/cgroup/unified/testevm
7. sudo chmod +x /sys/fs/cgroup/unified/testevm/cgroup.procs: you will
get this EVM error message
Reference:
Kernel config: https://140.96.154.7:5001/sharing/9cPNowmhK
Journal log: https://140.96.154.7:5001/sharing/sRISz6IPt
Patch for security_kernfs_init_security() :
https://lore.kernel.org/selinux/[email protected]/
--
Best Regards,
Hank Wang