Hi,
On 7/23/20 2:58 PM, Dominick Grift wrote:
On 7/23/20 2:47 PM, Richard Guy Briggs wrote:
> On 2020-07-22 22:04, Dominick Grift wrote:
>> On 7/22/20 9:47 PM, Richard Guy Briggs wrote:
>>> On 2020-07-18 20:56, Dominick Grift wrote:
>>>> On 7/18/20 8:40 PM, bauen1 wrote:
>>>>> Hi,
>>>>> After upgrading from linux 5.6 to 5.7 on my debian machines with
selinux I've started seeing this null pointer dereference in the audit system.
I've included shortened logs for 5.6 without the error and from 5.7 with the error
from my laptop. I've also seen it happen in a VM and a server, but don't have the
logs anymore. Grift was able to reproduced (presumably) the same issue on fedora with
5.8-rc4.
>>>>>
>>>>> Steps to reproduce:
>>>>> Write an selinux policy with a domain for systemd-user-runtime-dir
and audit all permissions of the dir class. E.g. `(auditallow systemd_user_runtime_dir_t
all_types (dir (all)))`
>>>>> Switch to permissive mode.
>>>>> Create a new user and login, log out and wait a few seconds for
systemd to stop user-runtime-dir(a)<uid>.service
>>>>
>>>> This should be a reproducer:
>>>>
>>>> echo "(auditallow systemd_logind_t file_type (dir (all)))" >
mytest.cil
>>>> && sudo semodule -i mytest.cil
>>>> reboot
>>>
>>> Is this recipe complete? Is permissive mode needed? Is the user
>>> create/login/logout needed?
>>
>> Are you saying you can't reproduce it?
>
> Not yet. This run caused a queue overflow but no pointer dereference.
>
>> It *should* be complete yes. with kernel 5.7/5.8 it should oops when you
>> reboot.
>
> I don't understand what this test does to cause an AVC. I assume we
> want the smiplest test that produces the smallest amount of output but
> certain to trigger the event.
Yes that is the idea, my test was a bit broader but i based this
conversion of the test on bauen1's test which is a bit more narrow ( i
think he managed to narrow it down a bit). Maybe this test is a bit to
narrow and a bit broader version triggers i>>
> Since this test is in place on reboot, how do I remove this test for
> subsequent reboots?
>
You would boot with selinux=0 and then run as root `semodule -n -r
mytest' to unload the offending mytest module without trying to reload.
then reboot with selinux enforcing/permissive (you might end up with
some mis and/or unlabeled files)
>> I will admit though that I adjusted the reproducer a little bit in an
>> attempt to make it fit fedora.
>
> I'm running the test on f32. I have 5 kernels that should blow up and
> two that might be fine with the ghak96 LSM_AUDIT_DATA_* audit_getpwd() fix.
>
>> So if it doesnt oops for you and if you use 5.7/5.8 then maybe the
>> reproducer got mangled in the conversion.
>
> Can you explain the mechanism and the conversion?
I use my own selinux security policy with different identifiers, so to
make my test work on Fedora I figured I just needed to translate the
identifiers applicable in my policy to the identifiers applicable in Fedora.
Basically it boils down to this:
The event was triggered by systemd-user-runtime-dir (which in fedora is
associated with type identifier systemd_logind_t) on particual (i
suspect) directory operations (like i guess "traverse"), when the event
is logged even if its granted. So I tried to express that scenario using
fedora identifiers rather than the ones I use.
The actual permission checks that cause the audit event are probably (dir (search
remove_name rmdir)), in refpolicy syntax `dir { search remove_name rmdir };`.
It doesn't really matter how the audit event is generated (permissive mode and denying
access or enforcing and auditing allows).
I've reproduced it with systemd version 245.6-1 on a debian system with gnupg
installed. Having something like gnupg installed is important as it creates its own
directory under /run/user/uid that is accessed by systemd-user-runtime-dir after log out.
--
bauen1
https://dn42.bauen1.xyz/