[Kernel-packages] [Bug 1558553] Re: IMA-appraisal is unusable in Ubuntu 16.04
This trivial patch reduces the clutter from build output. ** Patch added: "0002-KEYS-Print-insert-sys-cert-information-to-stout-inst.patch" https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1558553/+attachment/4629381/+files/0002-KEYS-Print-insert-sys-cert-information-to-stout-inst.patch -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1558553 Title: IMA-appraisal is unusable in Ubuntu 16.04 Status in linux package in Ubuntu: Fix Released Status in linux source package in Xenial: Fix Released Bug description: At some point, the IMA keyring changed from _ima to a trusted .ima keyring. At that point, we couldn't add keys to the IMA keyring. Other distros import UEFI keys onto the system keyring. Another method of loading keys on the system keyring is needed, which doesn't require the UEFI keys or rebuilding the kernel. To resolve this problem, the kernel should be built so that certificate memory is reserved and randomized. Two patches are being upstreamed in this open window (linux-4.6): 8e16789 KEYS: Use the symbol value for list size, updated by scripts/insert-sys-cert c4c3610 KEYS: Reserve an extra certificate symbol for inserting without recompiling We need to include these Kconfig options to reserve the memory: CONFIG_SYSTEM_EXTRA_CERTIFICATE=y CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE=4096 An additional patch, which will be upstreamed, is needed to fill the reserved memory with random data before it is compressed. (The patch is attached.) After compiling the kernel with the reserved memory, the following build step is required: scripts/insert-sys-cert -b vmlinux -c /dev/null If you want to add a cert, the following command will unpack a bzImage, install the cert (DER format) in the vmlinuz, and repack the bzImage. scripts/insert-sys-cert -s -z -c Contact Information = George Wilson/ Mimi Zohar To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1558553/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1558553] Re: IMA-appraisal is unusable in Ubuntu 16.04
This bug is not fixed yet, since the random bytes are not added to the build. The attached patch fixes it by adding the step for inserting the null key during build. ** Patch added: "0001-KEYS-Insert-incompressible-bytes-to-vmlinux-to-reser.patch" https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1558553/+attachment/4629379/+files/0001-KEYS-Insert-incompressible-bytes-to-vmlinux-to-reser.patch -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1558553 Title: IMA-appraisal is unusable in Ubuntu 16.04 Status in linux package in Ubuntu: Fix Released Status in linux source package in Xenial: Fix Released Bug description: At some point, the IMA keyring changed from _ima to a trusted .ima keyring. At that point, we couldn't add keys to the IMA keyring. Other distros import UEFI keys onto the system keyring. Another method of loading keys on the system keyring is needed, which doesn't require the UEFI keys or rebuilding the kernel. To resolve this problem, the kernel should be built so that certificate memory is reserved and randomized. Two patches are being upstreamed in this open window (linux-4.6): 8e16789 KEYS: Use the symbol value for list size, updated by scripts/insert-sys-cert c4c3610 KEYS: Reserve an extra certificate symbol for inserting without recompiling We need to include these Kconfig options to reserve the memory: CONFIG_SYSTEM_EXTRA_CERTIFICATE=y CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE=4096 An additional patch, which will be upstreamed, is needed to fill the reserved memory with random data before it is compressed. (The patch is attached.) After compiling the kernel with the reserved memory, the following build step is required: scripts/insert-sys-cert -b vmlinux -c /dev/null If you want to add a cert, the following command will unpack a bzImage, install the cert (DER format) in the vmlinuz, and repack the bzImage. scripts/insert-sys-cert -s -z -c Contact Information = George Wilson/ Mimi Zohar To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1558553/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1558553] Re: IMA-appraisal is unusable in Ubuntu 16.04
This bug was fixed in the package linux - 4.4.0-15.31 --- linux (4.4.0-15.31) xenial; urgency=low [ Tim Gardner ] * Release Tracking Bug - LP: #1559252 * Xilinx KU3 Capi card does not show up in Ubuntu 16.04 (LP: #1557001) - SAUCE: (noup) cxl: Allow initialization on timebase sync failures * policy namespace stacking (LP: #1379535) - Revert "UBUNTU: SAUCE: Move replacedby allocation into label_alloc" - Revert "UBUNTU: SAUCE: Fixup: __label_update() still doesn't handle some cases correctly." - Revert "UBUNTU: SAUCE: fix: audit "no_new_privs" case for exec failure" - Revert "UBUNTU: SAUCE: fixup: warning about aa_label_vec_find_or_create not being static" - Revert "UBUNTU: SAUCE: apparmor: fix refcount race when finding a child profile" - Revert "UBUNTU: SAUCE: fixup: cast poison values to remove warnings" - Revert "UBUNTU: SAUCE: fixup: get rid of unused var build warning" - Revert "UBUNTU: SAUCE: fixup: 20/23 locking issue around in __label_update" - Revert "UBUNTU: SAUCE: fixup: make __share_replacedby private to get rid of build warning" - Revert "UBUNTU: SAUCE: fix: replacedby forwarding is not being properly update when ns is destroyed" - Revert "UBUNTU: SAUCE: apparmor: fix log of apparmor audit message when kern_path() fails" - Revert "UBUNTU: SAUCE: fixup: cleanup return handling of labels" - Revert "UBUNTU: SAUCE: apparmor: fix: ref count leak when profile sha1 hash is read" - Revert "UBUNTU: SAUCE: apparmor: Fix: query label file permission" - Revert "UBUNTU: SAUCE: apparmor: Don't remove label on rcu callback if the label has already been removed" - Revert "UBUNTU: SAUCE: apparmor: Fix: break circular refcount for label that is directly freed." - Revert "UBUNTU: SAUCE: apparmor: Fix: refcount bug when inserting label update that transitions ns" - Revert "UBUNTU: SAUCE: apparmor: Fix: now that insert can force replacement use it instead of remove_and_insert" - Revert "UBUNTU: SAUCE: apparmor Fix: refcount bug in pivotroot mediation" - Revert "UBUNTU: SAUCE: apparmor: ensure that repacedby sharing is done correctly" - Revert "UBUNTU: SAUCE: apparmor: Fix: update replacedby allocation to take a gfp parameter" - Revert "UBUNTU: SAUCE: apparmor: Fix: convert replacedby update to be protected by the labelset lock" - Revert "UBUNTU: SAUCE: apparmor: Fix: add required locking of __aa_update_replacedby on merge path" - Revert "UBUNTU: SAUCE: apparmor: Fix: deadlock in aa_put_label() call chain" - Revert "UBUNTU: SAUCE: apparmor: Fix: label_vec_merge insertion" - Revert "UBUNTU: SAUCE: apparmor: Fix: ensure new labels resulting from merge have a replacedby" - Revert "UBUNTU: SAUCE: apparmor: Fix: refcount leak in aa_label_merge" - Revert "UBUNTU: SAUCE: apparmor: Fix: refcount race between locating in labelset and get" - Revert "UBUNTU: SAUCE: apparmor: Fix: label merge handling of marking unconfined and stale" - Revert "UBUNTU: SAUCE: apparmor: add underscores to indicate aa_label_next_not_in_set() use needs locking" - Revert "UBUNTU: SAUCE: apparmor: debug: POISON label and replaceby pointer on free" - Revert "UBUNTU: SAUCE: apparmor: Fix: ensure aa_get_newest will trip debugging if the replacedby is not setup" - Revert "UBUNTU: SAUCE: apparmor: Fix: insert race between label_update and label_merge" - Revert "UBUNTU: SAUCE: apparmor: rework retrieval of the current label in the profile update case" - Revert "UBUNTU: SAUCE: apparmor: Disallow update of cred when then subjective != the objective cred" - Revert "UBUNTU: SAUCE: apparmor: Fix: oops do to invalid null ptr deref in label print fns" - Revert "UBUNTU: SAUCE: fix-up: kern_mount fail path should not be doing put_buffers()" - Revert "UBUNTU: SAUCE: apparmor: fix sleep from invalid context" - Revert "UBUNTU: SAUCE: (no-up): apparmor: fix for failed mediation of socket that is being shutdown" - Revert "UBUNTU: SAUCE: (no-up) apparmor: Fix incompatible pointer type warnings" - Revert "UBUNTU: SAUCE: (no-up) apparmor: fix mount not handling disconnected paths" - Revert "UBUNTU: SAUCE: (no-up): apparmor: fix mediation of fs unix sockets" - Revert "UBUNTU: apparmor -- follow change to this_cpu_ptr" - Revert "UBUNTU: SAUCE: (no-up) fix: bad unix_addr_fs macro" - Revert "UBUNTU: SAUCE: Revert: fix: only allow a single threaded process to ..." - Revert "UBUNTU: SAUCE: (no-up) apparmor: Sync to apparmor3 - RC1 snapshot" - Revert "UBUNTU: SAUCE: (no-up) apparmor: add parameter to control whether policy hashing is used" - SAUCE: (no-up) apparmor: sync of apparmor3.5-beta1 snapshot - SAUCE: add a sysctl to enable unprivileged user ns AppArmor policy loading * Add arm64 NUMA support (LP: #1558765) - SAUCE: (noup) efi: ARM/arm64: ignore DT memory nodes instead of removing them - SAUCE:
[Kernel-packages] [Bug 1558553] Re: IMA-appraisal is unusable in Ubuntu 16.04
** Also affects: linux (Ubuntu Xenial) Importance: High Assignee: Canonical Kernel Team (canonical-kernel-team) Status: Triaged ** Changed in: linux (Ubuntu Xenial) Status: Triaged => In Progress ** Changed in: linux (Ubuntu Xenial) Assignee: Canonical Kernel Team (canonical-kernel-team) => Tim Gardner (timg-tpi) ** Changed in: linux (Ubuntu Xenial) Status: In Progress => Fix Committed -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1558553 Title: IMA-appraisal is unusable in Ubuntu 16.04 Status in linux package in Ubuntu: Fix Committed Status in linux source package in Xenial: Fix Committed Bug description: At some point, the IMA keyring changed from _ima to a trusted .ima keyring. At that point, we couldn't add keys to the IMA keyring. Other distros import UEFI keys onto the system keyring. Another method of loading keys on the system keyring is needed, which doesn't require the UEFI keys or rebuilding the kernel. To resolve this problem, the kernel should be built so that certificate memory is reserved and randomized. Two patches are being upstreamed in this open window (linux-4.6): 8e16789 KEYS: Use the symbol value for list size, updated by scripts/insert-sys-cert c4c3610 KEYS: Reserve an extra certificate symbol for inserting without recompiling We need to include these Kconfig options to reserve the memory: CONFIG_SYSTEM_EXTRA_CERTIFICATE=y CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE=4096 An additional patch, which will be upstreamed, is needed to fill the reserved memory with random data before it is compressed. (The patch is attached.) After compiling the kernel with the reserved memory, the following build step is required: scripts/insert-sys-cert -b vmlinux -c /dev/null If you want to add a cert, the following command will unpack a bzImage, install the cert (DER format) in the vmlinuz, and repack the bzImage. scripts/insert-sys-cert -s -z -c Contact Information = George Wilson/ Mimi Zohar To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1558553/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1558553] Re: IMA-appraisal is unusable in Ubuntu 16.04
** Package changed: ubuntu => linux (Ubuntu) ** Changed in: linux (Ubuntu) Importance: Undecided => High ** Changed in: linux (Ubuntu) Status: New => Triaged ** Changed in: linux (Ubuntu) Assignee: Taco Screen team (taco-screen-team) => Canonical Kernel Team (canonical-kernel-team) -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1558553 Title: IMA-appraisal is unusable in Ubuntu 16.04 Status in linux package in Ubuntu: Triaged Bug description: At some point, the IMA keyring changed from _ima to a trusted .ima keyring. At that point, we couldn't add keys to the IMA keyring. Other distros import UEFI keys onto the system keyring. Another method of loading keys on the system keyring is needed, which doesn't require the UEFI keys or rebuilding the kernel. To resolve this problem, the kernel should be built so that certificate memory is reserved and randomized. Two patches are being upstreamed in this open window (linux-4.6): 8e16789 KEYS: Use the symbol value for list size, updated by scripts/insert-sys-cert c4c3610 KEYS: Reserve an extra certificate symbol for inserting without recompiling We need to include these Kconfig options to reserve the memory: CONFIG_SYSTEM_EXTRA_CERTIFICATE=y CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE=4096 An additional patch, which will be upstreamed, is needed to fill the reserved memory with random data before it is compressed. (The patch is attached.) After compiling the kernel with the reserved memory, the following build step is required: scripts/insert-sys-cert -b vmlinux -c /dev/null If you want to add a cert, the following command will unpack a bzImage, install the cert (DER format) in the vmlinuz, and repack the bzImage. scripts/insert-sys-cert -s -z -c Contact Information = George Wilson/ Mimi Zohar To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1558553/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp