Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp2662569imm; Tue, 4 Sep 2018 08:05:25 -0700 (PDT) X-Google-Smtp-Source: ANB0VdYBsuot9YnjG7kqDEsf5mFbIhPv+1Oro5KL3JDqbObsbeGkjIhSvUYV2J+CBMmDjqU0I6aA X-Received: by 2002:a63:e40d:: with SMTP id a13-v6mr31546842pgi.289.1536073525033; Tue, 04 Sep 2018 08:05:25 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1536073524; cv=none; d=google.com; s=arc-20160816; b=OFp+NLFeltzh9mMW27z4uNpFQL/s2oEekVFEcGsJVD0ReJS69rAA2SdtPUjw/8rq6x EoQ3zvbCqCgi9OjdDRZuII8d9VUEj2B4clJahUbgFpQGG6rhfNqf9ZAruLTaqr68BZgR pgEvyNbWBuz9O0CI8y93F6YMmJnDstQv6LgW953/ACIVn9RiRLy39bxcHV3vYXVuSpSK vFz+DN0j8ihOAtC8jTKDBj46GWHYHKCy+VvhSw/Xdc8lWWl0scfUwq2HZ8XIhvTpqLOV SWARCTcoQJeiRY9MWeM43MFZX7ARD+enSkT6hlXjL9f1jHqZ+a4lk7IGWxL6RpoSQnCS Vbuw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature :arc-authentication-results; bh=wZkKJggxwRiRWZ0+lIs7COwR3K4bYNSIpUOs6RwQyRk=; b=dWKczhuVVOS9qIJtXUhEgNXkjMOkxfOYtamZLG608nBRlQ7WvOy3RrBs3hnV50Zg0t 1I4XL1e9oczDmMx4EwKvhc3d1TCbzG1/CAMW6wJLCzaT3m2ekBNj/PcoIxJ0y0u1FVsz UOgao1zgxjr3cLQH/SsKqrxSaMRgi3BKk1w5KCTqd7DQgpPPrOs9cSPYWLfqCMEUIcPZ lPoQUC5XoqtzoHwFXZ3kO/Jug0spqP5zuq4jKqjzb9WcBoU7mXbR7NNbykgWoa8ou3Vj mLyR3L6cU0al7KONIHYMYNwc8i2P1CVw0zF8ERwELAHf9Bw67Ig96e2RNl0mMMrfBrMW yUAw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=sWqHkMDx; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id e7-v6si17389776pge.42.2018.09.04.08.05.08; Tue, 04 Sep 2018 08:05:24 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=sWqHkMDx; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727497AbeIDT2W (ORCPT + 99 others); Tue, 4 Sep 2018 15:28:22 -0400 Received: from mail-pl1-f195.google.com ([209.85.214.195]:34009 "EHLO mail-pl1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726172AbeIDT2W (ORCPT ); Tue, 4 Sep 2018 15:28:22 -0400 Received: by mail-pl1-f195.google.com with SMTP id f6-v6so1775387plo.1 for ; Tue, 04 Sep 2018 08:02:53 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=wZkKJggxwRiRWZ0+lIs7COwR3K4bYNSIpUOs6RwQyRk=; b=sWqHkMDxM13KJcGbUFvufEQsWekypInUlTbhuLPyUCKhntwKbhDP5C2KqMuLFMmDmU DB2DI2eQMQ3sUXCdTeea5VWFgKKYtoDeIA8Qk2jmCkt2h9H7koUT0rgsqA5uVVdG6pxz uSNhlWikK2h3RWBbkejMwLBrG1qHq26WnaZNiO6h1q+FoaKV3zuEYdB8KgAUUPx4dGOK mbEulBJUZxVmr1kLqckhq8BEHYMPoiCgitA/cnOGetzN+Px5JUKrl/0bq7xGrSJBo6Gw jjxmlrC2LtnNdTQjS+YLn1N7PC0vmAHKOlbbfxdpsYeATfH1BU2n/EAQL6Y0XHDKkIh+ rypA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=wZkKJggxwRiRWZ0+lIs7COwR3K4bYNSIpUOs6RwQyRk=; b=jGj34LKD3x72pPJhFl4cDjJU9XtTjLsK1AoNtEwjDFFZ54D7EULbtUt1vtfOnCe84g n1vqNSh9XL29Gejck4NkBhvjvKwmuffANDp1UN/YFibpqGyXGDgZQLFz09ytqBmgXok3 kseVW3wP2hu2cU7pCRu2VBRUtsa9n7jNSWI+rJyNZSdJ0VkcZ+NeA18a3uGKtnrKXVs0 TJa/fmMBlFBkiPY+CbIF2mw02C0jkllgWyAByifHFca9Xc7FuRq9mxg05D4QBSxzE8CP cRg0Z2eTGfeU/P5mjAEkkBafqf2wCm3oIiilKJqwpQThlTgrhXwZerCoWpFgYvnWW8ay 7aGQ== X-Gm-Message-State: APzg51AyvNqVkVdtGQpjhD69t5eZ9mgfC1jIXk9PZcfhNKy5VHvAN/n2 eg1dvPqPdgjp9QvjEjqageok5COT7lo4SzSF2uqU0A== X-Received: by 2002:a17:902:aa49:: with SMTP id c9-v6mr9788294plr.195.1536073373238; Tue, 04 Sep 2018 08:02:53 -0700 (PDT) MIME-Version: 1.0 Received: by 2002:a17:90a:ac14:0:0:0:0 with HTTP; Tue, 4 Sep 2018 08:02:32 -0700 (PDT) In-Reply-To: <1ea19628-3bbe-2073-d623-824337c15ed6@tycho.nsa.gov> References: <000000000000c178e305749daba4@google.com> <37aec45f-69ad-9705-21f1-64ee4ce4a772@tycho.nsa.gov> <9537a6ff-daf4-d572-bf93-68230909b68e@tycho.nsa.gov> <4b37e892-4d79-aefb-92ab-7753b89b8963@tycho.nsa.gov> <1ea19628-3bbe-2073-d623-824337c15ed6@tycho.nsa.gov> From: Dmitry Vyukov Date: Tue, 4 Sep 2018 17:02:32 +0200 Message-ID: Subject: Re: WARNING in apparmor_secid_to_secctx To: Stephen Smalley Cc: Paul Moore , syzbot , tyhicks@canonical.com, John Johansen , James Morris , LKML , linux-security-module@vger.kernel.org, Serge Hallyn , syzkaller-bugs , Jeffrey Vander Stoep , SELinux , "russell@coker.com.au" , Laurent Bigonville Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Sep 4, 2018 at 2:57 PM, Stephen Smalley wrote: >>>>>>> wrote: >>>>>>>> >>>>>>>> >>>>>>>> Hello, >>>>>>>> >>>>>>>> syzbot found the following crash on: >>>>>>>> >>>>>>>> HEAD commit: 817e60a7a2bb Merge branch 'nfp-add-NFP5000-support' >>>>>>>> git tree: net-next >>>>>>>> console output: >>>>>>>> https://syzkaller.appspot.com/x/log.txt?x=1536d296400000 >>>>>>>> kernel config: >>>>>>>> https://syzkaller.appspot.com/x/.config?x=531a917630d2a492 >>>>>>>> dashboard link: >>>>>>>> https://syzkaller.appspot.com/bug?extid=21016130b0580a9de3b5 >>>>>>>> compiler: gcc (GCC) 8.0.1 20180413 (experimental) >>>>>>>> >>>>>>>> Unfortunately, I don't have any reproducer for this crash yet. >>>>>>>> >>>>>>>> IMPORTANT: if you fix the bug, please add the following tag to the >>>>>>>> commit: >>>>>>>> Reported-by: syzbot+21016130b0580a9de3b5@syzkaller.appspotmail.com >>>>>>> >>>>>>> >>>>>>> >>>>>>> Hi John, Tyler, >>>>>>> >>>>>>> I've switched syzbot from selinux to apparmor as we discussed on lss: >>>>>>> >>>>>>> >>>>>>> https://github.com/google/syzkaller/commit/2c6cb254ae6c06f61e3aba21bb89ffb05b5db946 >>>>>> >>>>>> >>>>>> >>>>>> Sorry, does this mean that you are no longer testing selinux via >>>>>> syzbot? >>>>>> That seems unfortunate. SELinux is default-enabled and used in >>>>>> Fedora, RHEL and all derivatives (e.g. CentOS), and mandatory in >>>>>> Android >>>>>> (and seemingly getting some use in ChromeOS now as well, at least for >>>>>> the Android container and possibly wider), so it seems unwise to drop >>>>>> it >>>>>> from your testing altogether. I was under the impression that you >>>>>> were >>>>>> just going to add apparmor to your testing matrix, not drop selinux >>>>>> altogether. >>>>> >>>>> >>>>> >>>>> It is also important to note that testing with SELinux enabled but no >>>>> policy loaded is not going to be very helpful (last we talked that is >>>>> what syzbot is/was doing). While syzbot did uncover some issues >>>>> relating to the enabled-no-policy case, those are much less >>>>> interesting and less relevant than the loaded-policy case. >>>> >>>> >>>> >>>> I had thought that they had switched over to at least loading a policy >>>> but >>>> possibly left it in permissive mode because the base distribution didn't >>>> properly support SELinux out of the box. But I may be mistaken. >>>> Regardless, the right solution is to migrate to testing with a policy >>>> loaded not to stop testing altogether. >>>> >>>> Optimally, they'd test on at least one distribution/OS where SELinux is >>>> in >>>> fact supported out of the box, e.g. CentOS, Android, and/or ChromeOS. >>> >>> >>> >>> Or Fedora, of course. >> >> >> Hi, >> >> Yes, we switched from selinux to apparmor. The thing is that we >> effectively did not test selinux lately, so it's more like just >> enabling apparmor rather than disabling selinux. >> >> The story goes as follows. >> We enabled selinux, but did not have policy and selinux wasn't enabled. >> Then Paul (I think) pointer that out. After some debugging I figured >> out that our debian wheezy actually has a policy, it's just that >> selinux utilities were not installed, so init could not load the >> policy. >> I installed the tools, and we started loading policy. >> But then it turned out that wheezy policy does not allows mounting >> cgroup2 fs and maybe some others even in non-enforcing mode. As far as >> I understand that's because the policy does not have definition for >> the fs, and so loading bails out with an error. >> We need cgroup2 both for testing and for better sandboxing (no other >> way to restrict e.g. memory consumption). Moreover, we did not test >> any actual interesting interactions with selinux (there must be some? >> but I don't know what are they). >> So I had to uninstall the tool and policy is not loaded again. >> I investigated building a newer debian image with debootstrap (which >> should have newer policy I guess). But they don't work, some cryptic >> errors in init. Other people reported the same. >> So that's we are. I don't have any ideas left... > > > So why not ask for help from the SELinux community? I've cc'd the selinux > list and a couple of folks involved in Debian selinux. I see a couple of > options but I don't know your constraints for syzbot: > > 1) Run an instance of syzbot on a distro that supports SELinux enabled out > of the box like Fedora. Then you don't have to fight with SELinux and can > just focus on syzbot, while still testing SELinux enabled and enforcing. > > 2) Report the problems you are having with enabling SELinux on newer Debian > to the selinux list and/or the Debian selinux package maintainers so that > someone can help you resolve them. > > 3) Back-port the cgroup2 policy definitions to your wheezy policy, rebuild > it, and install that. We could help provide guidance on that. I think > you'll need to rebuild the base policy on wheezy; in distributions with > modern SELinux userspace, one could do it just by adding a CIL module > locally. Thanks, Stephen! I would like to understand first if failing mount(2) for unknown fs is selinux bug or not. Because if it is and it is fixed, then it would resolve the problem without actually doing anything (well, at least on our side :)). > As for exercising SELinux, you'll exercise SELinux just by enabling it and > loading a policy, since it will perform permission checking on all object > accesses. But you can get more extensive coverage by running the > selinux-testsuite. We only test that on Fedora and RHEL however, so getting > it to work on Debian might take some effort. That's good. I just thought that there is some potential in making the policy interact more with what the fuzzer does. With respect to fs accesses, it works within own temp directory, and I guess the policy is actually all the same for everything it does in that directory. There also may be something related to extended attributes, context changes, etc?