Public bug reported: Linux kernel version 4.13 has a bug in IMA policy parsing that prevents setting IMA measurements and appraisal options per fsuuid.
The issue can be reproduced with simple ima_policy: # fsuuid=$(blkid -s UUID -o value /dev/sda1) # cat > ima_policy << EOF dont_appraise fsuuid=$fsuuid dont_measure fsuuid=$fsuuid EOF # cat ima_policy > /sys/kernel/security/ima/policy cat: write error: Invalid argument # dmesg | tail [ 928.069606] audit: type=1805 audit(1521031959.907:18): action="dont_appraise" fsuuid="aef88a4e-dbea-4cc7-be8b-03cf8501cc8f" res=0 [ 928.069895] audit: type=1802 audit(1521031959.908:19): pid=1806 uid=0 auid=0 ses=1 op="update_policy" cause="invalid-policy" comm="cat" res=0 [ 928.070829] IMA: policy update failed [ 928.070860] audit: type=1802 audit(1521031959.909:20): pid=1806 uid=0 auid=0 ses=1 op="policy_update" cause="failed" comm="cat" res=0 The same policy can be successively loaded on v4.10: (v4.10) # dmesg | tail [ 54.071383] IMA: policy update completed [ 54.071484] kauditd_printk_skb: 1 callbacks suppressed [ 54.071487] audit: type=1805 audit(1521030962.958:15): action="dont_appraise" fsuuid="aef88a4e-dbea-4cc7-be8b-03cf8501cc8f" res=1 [ 54.071491] audit: type=1805 audit(1521030962.958:16): action="dont_measure" fsuuid="aef88a4e-dbea-4cc7-be8b-03cf8501cc8f" res=1 [ 54.071493] audit: type=1802 audit(1521030962.958:17): pid=1793 uid=0 auid=0 ses=1 op="policy_update" cause="completed" comm="cat" res=1 The bug is fixed in the mainline kernel: [1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/security/integrity/ima/ima_policy.c?id=36447456e1cca853188505f2a964dbbeacfc7a7a --- AlsaDevices: total 0 crw-rw---- 1 root audio 116, 1 Mar 14 12:37 seq crw-rw---- 1 root audio 116, 33 Mar 14 12:37 timer AplayDevices: Error: [Errno 2] No such file or directory ApportVersion: 2.20.1-0ubuntu2.15 Architecture: amd64 ArecordDevices: Error: [Errno 2] No such file or directory AudioDevicesInUse: Error: command ['fuser', '-v', '/dev/snd/seq', '/dev/snd/timer'] failed with exit code 1: DistroRelease: Ubuntu 16.04 IwConfig: Error: [Errno 2] No such file or directory Lsusb: Error: command ['lsusb'] failed with exit code 1: MachineType: QEMU Standard PC (i440FX + PIIX, 1996) Package: linux (not installed) PciMultimedia: ProcFB: ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-4.13.0-36-generic root=UUID=aef88a4e-dbea-4cc7-be8b-03cf8501cc8f ro console=tty1 console=ttyS0 crashkernel=384M-2G:128M,2G-:256M ProcVersionSignature: Ubuntu 4.13.0-36.40~16.04.1-generic 4.13.13 RelatedPackageVersions: linux-restricted-modules-4.13.0-36-generic N/A linux-backports-modules-4.13.0-36-generic N/A linux-firmware 1.157.17 RfKill: Error: [Errno 2] No such file or directory Tags: xenial uec-images Uname: Linux 4.13.0-36-generic x86_64 UpgradeStatus: No upgrade log present (probably fresh install) UserGroups: pkcs11 _MarkForUpload: True dmi.bios.date: 04/01/2014 dmi.bios.vendor: SeaBIOS dmi.bios.version: Ubuntu-1.8.2-1ubuntu1 dmi.chassis.type: 1 dmi.chassis.vendor: QEMU dmi.chassis.version: pc-i440fx-xenial dmi.modalias: dmi:bvnSeaBIOS:bvrUbuntu-1.8.2-1ubuntu1:bd04/01/2014:svnQEMU:pnStandardPC(i440FX+PIIX,1996):pvrpc-i440fx-xenial:cvnQEMU:ct1:cvrpc-i440fx-xenial: dmi.product.name: Standard PC (i440FX + PIIX, 1996) dmi.product.version: pc-i440fx-xenial dmi.sys.vendor: QEMU ** Affects: linux (Ubuntu) Importance: Undecided Status: Incomplete ** Tags: apport-collected uec-images xenial ** Description changed: Linux kernel version 4.13 has a bug in IMA policy parsing that prevents setting IMA measurements and appraisal options per fsuuid. The issue can be reproduced with simple ima_policy: # fsuuid=$(blkid -s UUID -o value /dev/sda1) # cat > ima_policy << EOF dont_appraise fsuuid=$fsuuid dont_measure fsuuid=$fsuuid EOF # cat ima_policy > /sys/kernel/security/ima/policy cat: write error: Invalid argument # dmesg | tail [ 928.069606] audit: type=1805 audit(1521031959.907:18): action="dont_appraise" fsuuid="aef88a4e-dbea-4cc7-be8b-03cf8501cc8f" res=0 [ 928.069895] audit: type=1802 audit(1521031959.908:19): pid=1806 uid=0 auid=0 ses=1 op="update_policy" cause="invalid-policy" comm="cat" res=0 [ 928.070829] IMA: policy update failed [ 928.070860] audit: type=1802 audit(1521031959.909:20): pid=1806 uid=0 auid=0 ses=1 op="policy_update" cause="failed" comm="cat" res=0 The same policy can be successively loaded on v4.10: + (v4.10) # dmesg | tail [ 54.071383] IMA: policy update completed [ 54.071484] kauditd_printk_skb: 1 callbacks suppressed [ 54.071487] audit: type=1805 audit(1521030962.958:15): action="dont_appraise" fsuuid="aef88a4e-dbea-4cc7-be8b-03cf8501cc8f" res=1 [ 54.071491] audit: type=1805 audit(1521030962.958:16): action="dont_measure" fsuuid="aef88a4e-dbea-4cc7-be8b-03cf8501cc8f" res=1 [ 54.071493] audit: type=1802 audit(1521030962.958:17): pid=1793 uid=0 auid=0 ses=1 op="policy_update" cause="completed" comm="cat" res=1 The bug is fixed in the mainline kernel: [1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/security/integrity/ima/ima_policy.c?id=36447456e1cca853188505f2a964dbbeacfc7a7a -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1755804 Title: IMA policy parsing is broken in 4.13 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1755804/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
