Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp2716886pxb; Tue, 23 Feb 2021 13:54:51 -0800 (PST) X-Google-Smtp-Source: ABdhPJzSHD2fs+SU1N3ErMPYxImXzgt2wsROiAyvY2QY25/gPo4mamrXUGarYSdiXeu8ftWPtze6 X-Received: by 2002:a05:6402:2298:: with SMTP id cw24mr2561971edb.157.1614117290917; Tue, 23 Feb 2021 13:54:50 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1614117290; cv=none; d=google.com; s=arc-20160816; b=tox0r+ZXNBQ4CNSH2C9+yieBVZ/lWdZj/HDejxI0qkZx2sYZSuRmAoGf9dfqNBaRR1 GmIghunXpZ2HzpQ581IbAXSSmQFWvLWJ57gfJrC3JxCdpWLDNhG1/V3s8C/J8ovW3p4m jFz+lCd+RTOpcaGrNLoIvqJXNzVCOPtk6s+u4FR/5A5RAlMno+Z4s5SXLYusGIOF08mf VWJc/fiNzuJZsn8QZ4rIPZbBVJqzxGupTCq3SnSBgvRuUU34lMspQyZNnH4E3ML7PPS5 8MjKc/bJQvq5i4VfcK7hIdVocvVhaDZkWu1rCsjU9b4ERLhDtsicGfEDA4H3m8miJUFl BZOw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature :dkim-filter; bh=/FDgRyczYUTc1V/w1Z6FW2alV0DNZbytQBsd3UGv5GQ=; b=WO9csQF4lnIXYDImhbQwr16I8sQ6npVxmZmHisC6B9+8X3dlbpdN+fN3vG3pR8j5nA IauxQ4eHnGnJTVBcorpMZ9TZ1xCYSCFNsahMR+WhRK2O9yhrPNIOPiNAQVakaJ0u3Qxf G3kxmA/0AAOYb4RfiZyT13Dy4pv88PMzZ1TtqygwL6cFL9aq6fnoeGpr4WvDg4r9tLOe NJpIns2p3+NOsE4Aw23Z10wyD5LZb6ZJHgF+LjMKrWytW1qm8TbkOJw9WcBgq7EuDFl1 Zgb/LVYXtaWSFnof1DwNm8VlfwJyPCnICqvQiOABJJmhZ4IFgWr9UVCYxCTZGHWHv/mE YFow== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linux.microsoft.com header.s=default header.b=YOYoCrdv; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.microsoft.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id s11si45680ejb.114.2021.02.23.13.54.26; Tue, 23 Feb 2021 13:54:50 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linux.microsoft.com header.s=default header.b=YOYoCrdv; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.microsoft.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232450AbhBWVvp (ORCPT + 99 others); Tue, 23 Feb 2021 16:51:45 -0500 Received: from linux.microsoft.com ([13.77.154.182]:59696 "EHLO linux.microsoft.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230128AbhBWVvj (ORCPT ); Tue, 23 Feb 2021 16:51:39 -0500 Received: from sequoia (162-237-133-238.lightspeed.rcsntx.sbcglobal.net [162.237.133.238]) by linux.microsoft.com (Postfix) with ESMTPSA id 2BF8920B57A0; Tue, 23 Feb 2021 13:50:56 -0800 (PST) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com 2BF8920B57A0 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1614117056; bh=/FDgRyczYUTc1V/w1Z6FW2alV0DNZbytQBsd3UGv5GQ=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=YOYoCrdvwpm2mjTzt1POBUKtveAp2lVOBu0GfubFrNkirQi+MDPCQ3EmnNnCcnBMm LpWH/LzQRfpSkSkUILBFH667ao2pVWtADS0kvExhpHKJqd/7zHPVAnyysVIhLxTKBR iUlZorcl0J3EJrCWhIOWUzjJ4G5U6eEjJfl4XkkI= Date: Tue, 23 Feb 2021 15:50:54 -0600 From: Tyler Hicks To: Paul Moore , Stephen Smalley , Ondrej Mosnacek Cc: selinux@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [BUG] Race between policy reload sidtab conversion and live conversion Message-ID: <20210223215054.GC6000@sequoia> References: <20210223214346.GB6000@sequoia> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20210223214346.GB6000@sequoia> Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2021-02-23 15:43:48, Tyler Hicks wrote: > I'm seeing a race during policy load while the "regular" sidtab > conversion is happening and a live conversion starts to take place in > sidtab_context_to_sid(). > > We have an initial policy that's loaded by systemd ~0.6s into boot and > then another policy gets loaded ~2-3s into boot. That second policy load > is what hits the race condition situation because the sidtab is only > partially populated and there's a decent amount of filesystem operations > happening, at the same time, which are triggering live conversions. Here are the relevant messages written to the ring buffer showing the initial policy load, the second policy load, the sidtab conversion starting, and then the stack trace: [ 0.112159] SELinux: Initializing. ... [ 0.624107] audit: type=1404 audit(0.492:2): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295 enabled=1 old-enabled=1 lsm=selinux res=1 [ 0.664063] SELinux: Permission perfmon in class capability2 not defined in policy. [ 0.664068] SELinux: Permission bpf in class capability2 not defined in policy. [ 0.664070] SELinux: Permission checkpoint_restore in class capability2 not defined in policy. [ 0.664077] SELinux: Permission perfmon in class cap2_userns not defined in policy. [ 0.664079] SELinux: Permission bpf in class cap2_userns not defined in policy. [ 0.664080] SELinux: Permission checkpoint_restore in class cap2_userns not defined in policy. [ 0.664114] SELinux: Class perf_event not defined in policy. [ 0.664115] SELinux: Class lockdown not defined in policy. [ 0.664117] SELinux: the above unknown classes and permissions will be allowed [ 0.667863] SELinux: policy capability network_peer_controls=1 [ 0.667866] SELinux: policy capability open_perms=1 [ 0.667867] SELinux: policy capability extended_socket_class=1 [ 0.667868] SELinux: policy capability always_check_network=0 [ 0.667870] SELinux: policy capability cgroup_seclabel=1 [ 0.667871] SELinux: policy capability nnp_nosuid_transition=1 [ 0.667873] SELinux: policy capability genfs_seclabel_symlinks=0 [ 0.712152] audit: type=1403 audit(0.584:3): auid=4294967295 ses=4294967295 lsm=selinux res=1 [ 0.714430] systemd[1]: Successfully loaded SELinux policy in 91.004ms. ... [ 3.042735] SELinux: Permission perfmon in class capability2 not defined in policy. [ 3.042741] SELinux: Permission bpf in class capability2 not defined in policy. [ 3.042743] SELinux: Permission checkpoint_restore in class capability2 not defined in policy. [ 3.042750] SELinux: Permission perfmon in class cap2_userns not defined in policy. [ 3.042751] SELinux: Permission bpf in class cap2_userns not defined in policy. [ 3.042753] SELinux: Permission checkpoint_restore in class cap2_userns not defined in policy. [ 3.042787] SELinux: Class perf_event not defined in policy. [ 3.042789] SELinux: Class lockdown not defined in policy. [ 3.042791] SELinux: the above unknown classes and permissions will be allowed [ 3.042801] SELinux: Converting 208 SID table entries... [ 3.044951] Unable to handle kernel access to user memory outside uaccess routines at virtual address 0000000040000028 [ 3.050919] SELinux: policy capability network_peer_controls=1 [ 3.055990] Mem abort info: [ 3.055992] ESR = 0x96000004 [ 3.055994] EC = 0x25: DABT (current EL), IL = 32 bits [ 3.055995] SET = 0, FnV = 0 [ 3.055996] EA = 0, S1PTW = 0 [ 3.055997] Data abort info: [ 3.055998] ISV = 0, ISS = 0x00000004 [ 3.055999] CM = 0, WnR = 0 [ 3.056002] user pgtable: 4k pages, 48-bit VAs, pgdp=00000000940ea000 [ 3.056003] [0000000040000028] pgd=0000000000000000, p4d=0000000000000000 [ 3.058894] SELinux: policy capability open_perms=1 [ 3.062037] [ 3.062041] Internal error: Oops: 96000004 [#1] SMP [ 3.062044] Modules linked in: bnxt_en pcie_iproc_platform [ 3.067530] SELinux: policy capability extended_socket_class=1 [ 3.070674] pcie_iproc diagbe(O) [ 3.070680] CPU: 1 PID: 512 Comm: (tservice) Tainted: G O 5.10.17.1 #1 [ 3.070683] Hardware name: redacted (DT) [ 3.073924] SELinux: policy capability always_check_network=0 [ 3.076890] pstate: 20400085 (nzCv daIf +PAN -UAO -TCO BTYPE=--) [ 3.076904] pc : sidtab_do_lookup+0x128/0x1b4 [ 3.076908] lr : sidtab_context_to_sid+0x210/0x378 [ 3.080864] SELinux: policy capability cgroup_seclabel=1 [ 3.083920] sp : ffff800011bfbaf0 [ 3.083922] x29: ffff800011bfbaf0 [ 3.090570] SELinux: policy capability nnp_nosuid_transition=1 [ 3.097564] x28: 0000000000000000 [ 3.097566] x27: 0000000000000005 x26: ffffd1b6451f2000 [ 3.097568] x25: 00000000ffffffff x24: 0000000000000000 [ 3.102693] SELinux: policy capability genfs_seclabel_symlinks=0 [ 3.104225] x23: 0000000000000001 x22: 0000000000000005 [ 3.104227] x21: 0000000040000028 x20: 0000000000000001 [ 3.104230] x19: 00000000000000d0 x18: 5b00000000000000 [ 3.217640] x17: 0000000077493ecb x16: 00000000c2b2ae35 [ 3.223120] x15: 00000000639285d3 x14: 0000000000000010 [ 3.228600] x13: 00000000128b8525 x12: 000000005128b852 [ 3.234079] x11: 0000000049dd48c1 x10: 0000000000004e00 [ 3.239559] x9 : 00000000000000d1 x8 : 0000000000000005 [ 3.245039] x7 : 0000000000000001 x6 : 0000000000000000 [ 3.250518] x5 : ffff800011bfbc48 x4 : 0000000000000010 [ 3.255998] x3 : 0000000000000002 x2 : 0000000000000001 [ 3.261477] x1 : 00000000000000d0 x0 : 0000000040000000 [ 3.266957] Call trace: [ 3.269480] sidtab_do_lookup+0x128/0x1b4 [ 3.273615] sidtab_context_to_sid+0x210/0x378 [ 3.278198] security_compute_sid+0x3f4/0x60c [ 3.282692] security_transition_sid+0x30/0x38 [ 3.287277] selinux_bprm_creds_for_exec+0x11c/0x2e8 [ 3.292398] security_bprm_creds_for_exec+0x30/0x4c [ 3.297432] bprm_execve+0x100/0x1d4 [ 3.301118] do_execveat_common+0x1e8/0x228 [ 3.305432] __arm64_sys_execve+0x3c/0x4c [ 3.309569] do_el0_svc+0xec/0x154 [ 3.313079] el0_svc+0xc/0x14 [ 3.316139] el0_sync_handler+0x7c/0xd8 [ 3.320095] el0_sync+0x144/0x180 [ 3.323516] Code: 51002718 340001d7 1ad82768 8b284c15 (f94002a0) [ 3.329808] ---[ end trace 69ebb6381d57e49b ]--- Tyler