Hi Roberto

Thank you for the reply.

Before I try this patch, I am sorry that I forgot to mention that I have loaded the EVM HMAC key in initramfs during system bootup. Therefore, I don't think this patch will fix this issue, although I will give it a try, because when the issue happens, the key has already been loaded.

Thanks!

Roberto Sassu <roberto.sassu@xxxxxxxxxx> wrote on Tue, May 25, 2021 at 5:29 PM:
>
> > From: Bighead Wang [mailto:ex200208049@xxxxxxxxx]
> > Sent: Tuesday, May 25, 2021 11:19 AM
> >
> > In the cgroup filesystem, security_kernfs_init_security() will initialize
> > the security data for a newly created kernfs node after kernel 5.2;
> > however, the new EVM xattr value is not initialized, and the no_label
> > error appears when evm_verify_hmac() is triggered.
> >
> > The detailed description:
> > When the system boots up with IMA/EVM and SELinux enabled, we get:
> > "May 25 14:13:01 raspberrypi audit[1212]: INTEGRITY_METADATA pid=1212
> > uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t
> > op=appraise_metadata cause=no_label comm="(systemd)"
> > name="cgroup.procs" dev="cgroup2" ino=1360 res=0 errno=0"
> >
> > The root cause is that our customized SELinux file_contexts file does
> > not contain the line "/sys/fs/cgroup/.* <<none>>".
> > When systemd relabels directories under /sys/fs/cgroup/ during
> > booting, it will set the SELinux label inside the iattr member of the
> > kernfs node, and then security_kernfs_init_security() will initialize
> > the security data at the time a new kernfs node is created.
> > After systemd executes something that triggers evm_verify_hmac(), we
> > get this no_label error.
> >
> > In evm_verify_hmac(), if there is no EVM xattr value, it will check
> > whether any other xattr values protected by EVM exist or not.
> > In this situation, there is no EVM xattr value (got from the iattr
> > member of the kernfs node in the cgroup filesystem), but the SELinux
> > label (also got from the iattr member of the kernfs node instead of
> > from the inode) exists.
> > To sum up, the error seems to me to be that the EVM mechanism doesn't
> > initialize the EVM xattr value in the kernfs node.
>
> Hi Hank
>
> this patch should help:
>
> https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git/commit/?h=next-integrity-testing&id=4a804b8a4572dfc81c3a59709d49ae206e4370ba
>
> Could you please try it?
>
> Thanks
>
> Roberto
>
> HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
> Managing Director: Li Peng, Li Jian, Shi Yanli
>
> > The environment:
> > /proc/version: Linux version 5.13.0-rc3-v7l+ (bighead@52-0453463-02)
> > (arm-linux-gnueabi-gcc (GCC) 9.1.0, GNU ld (GNU Binutils) 2.32) #1 SMP
> > Tue May 25 12:33:01 CST 2021
> > /proc/sys/kernel/tainted: 0
> > Operating System: Raspbian GNU/Linux 10 (buster)
> > Architecture: armv7l
> > systemd version: systemd 241 (241) +PAM +AUDIT +SELINUX +IMA +APPARMOR
> > +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4
> > +SECCOMP +BLKID +ELFUTILS +KMOD -IDN2 +IDN -PCRE2
> > default-hierarchy=hybrid
> > IMA/EVM kernel parameters: ima_policy=appraise_tcb ima_appraise=fix
> > SELinux kernel parameters: security=selinux selinux=1 (permissive mode)
> >
> > How to reproduce the error in Raspbian:
> > 1. Prepare an environment in which SELinux and IMA/EVM are enabled and
> >    boot up with kernel parameters: security=selinux selinux=1
> >    ima_policy=appraise_tcb ima_appraise=fix evm=fix
> > 2. Remove the line "/sys/fs/cgroup/.* <<none>>" from the file_contexts
> >    file, and fully relabel the whole system with the SELinux official
> >    reference policy
> > 3. Walk through all regular files and generate the ima/evm hashes:
> >    /usr/bin/find / -type f -uid 0 -exec sh -c "< '{}'" \;
> > 4. Reboot with kernel parameters: security=selinux selinux=1
> >    ima_policy=appraise_tcb ima_appraise=fix
> > 5. After boot up, you will get this EVM no_label error message
> >
> > Reproduce the error directly:
> > 1. Prepare an environment in which SELinux and IMA/EVM are enabled and
> >    boot up with kernel parameters: security=selinux selinux=1
> >    ima_policy=appraise_tcb ima_appraise=fix evm=fix
> > 2. Fully relabel the whole system with the SELinux official reference
> >    policy
> > 3. Walk through all regular files and generate the ima/evm hashes:
> >    /usr/bin/find / -type f -uid 0 -exec sh -c "< '{}'" \;
> > 4. Reboot with kernel parameters: security=selinux selinux=1
> >    ima_policy=appraise_tcb ima_appraise=fix
> > 5. sudo setfattr -n security.selinux -v system_u:object_r:cgroup_t
> >    /sys/fs/cgroup/unified
> > 6. sudo mkdir /sys/fs/cgroup/unified/testevm
> > 7. sudo chmod +x /sys/fs/cgroup/unified/testevm/cgroup.procs: you will
> >    get this EVM error message
> >
> > Reference:
> > Kernel config: https://140.96.154.7:5001/sharing/9cPNowmhK
> > Journal log: https://140.96.154.7:5001/sharing/sRISz6IPt
> > Patch for security_kernfs_init_security():
> > https://lore.kernel.org/selinux/20190130114150.27807-1-omosnace@xxxxxxxxxx/
> >
> > --
> > Best Regards,
> > Hank Wang

--
Best Regards,
王禹軒 Hank
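The audit record quoted in the thread, as an added detection example that is not part of the mail thread or of the kernel's own code: it parses INTEGRITY_METADATA journal lines, separates the no_label case on kernfs-backed filesystems (the cgroup2 symptom reported above) from no_label on ordinary files, and mirrors the evm_verify_hmac() branch the report describes. The second log line, the set of kernfs device names and the protected-xattr list are constructed assumptions.

```python
import re

# Journal lines: the first is the record quoted in the report, the second
# is constructed to show the same cause on a regular file, the third is noise.
SAMPLE_LOG = [
    'May 25 14:13:01 raspberrypi audit[1212]: INTEGRITY_METADATA pid=1212 uid=0 '
    'auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t '
    'op=appraise_metadata cause=no_label comm="(systemd)" name="cgroup.procs" '
    'dev="cgroup2" ino=1360 res=0 errno=0',
    'May 25 14:13:02 raspberrypi audit[1300]: INTEGRITY_METADATA pid=1300 uid=0 '
    'auid=1000 ses=1 subj=system_u:system_r:unconfined_t op=appraise_metadata '
    'cause=no_label comm="chmod" name="foo.sh" dev="mmcblk0p2" ino=4242 res=0 errno=0',
    'May 25 14:13:03 raspberrypi systemd[1]: Started Session 1 of user pi.',
]

KERNFS_DEVS = {"cgroup", "cgroup2", "sysfs"}   # assumed kernfs-backed dev names
# security.* names EVM protects by default (assumed subset of the kernel list)
EVM_PROTECTED = {"security.selinux", "security.SMACK64", "security.apparmor",
                 "security.ima", "security.capability"}
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_integrity_record(line):
    """Return the key=value fields of an INTEGRITY_* journal line, or None."""
    m = re.search(r'\b(INTEGRITY_\w+)\b(.*)$', line)
    if not m:
        return None
    rec = {"type": m.group(1)}
    for key, val in FIELD_RE.findall(m.group(2)):
        rec[key] = val[1:-1] if val.startswith('"') else val   # strip quotes
    return rec

def classify(rec):
    """Label an EVM appraise_metadata record along the lines of the report."""
    if rec is None or rec["type"] != "INTEGRITY_METADATA":
        return "not_evm"
    if rec.get("op") != "appraise_metadata" or rec.get("cause") != "no_label":
        return "other_evm_cause"
    # no_label on a kernfs node: security.evm was never initialised for the
    # node although an EVM-protected xattr (the SELinux label) is present
    return "kernfs_missing_evm_xattr" if rec.get("dev") in KERNFS_DEVS \
        else "missing_evm_xattr"

def evm_status_without_hmac(xattr_names):
    """Mirror the evm_verify_hmac() branch described in the report: with no
    security.evm, any other protected xattr present yields no_label."""
    if "security.evm" in xattr_names:
        return "has_evm"            # HMAC present; verification would follow
    return "no_label" if EVM_PROTECTED & set(xattr_names) else "unknown"

def scan(lines):
    """Classify every INTEGRITY_* record found in the given journal lines."""
    return [(r["name"], r["dev"], classify(r))
            for r in map(parse_integrity_record, lines) if r]
```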