Date: Wed, 24 Jan 2024 09:15:38 -0800
From: Kees Cook
To: Kevin Locke, John Johansen
Cc: Linus Torvalds, Josh Triplett, Mateusz Guzik, Al Viro, linux-mm@kvack.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: Re: [6.8-rc1 Regression] Unable to exec apparmor_parser from virt-aa-helper
Message-ID: <202401240910.E0449F0F@keescook>
In-Reply-To: <202401240832.02940B1A@keescook>

On Wed, Jan 24, 2024 at 08:35:29AM -0800, Kees Cook wrote:
> On Wed, Jan 24, 2024 at 09:19:54AM -0700, Kevin Locke wrote:
> > Hello Linux developers,
> >
> > Using AppArmor 3.0.12 and libvirt 10.0.0 (from Debian packages) with
> > Linux 6.8-rc1 (unpatched), I'm unable to start KVM domains due to
> > AppArmor errors. Everything works fine on Linux 6.7. After attempting
> > to start a domain, syslog contains:
> >
> > libvirtd[38705]: internal error: Child process (LIBVIRT_LOG_OUTPUTS=3:stderr /usr/lib/libvirt/virt-aa-helper -c -u libvirt-4fad83ef-4285-4cf5-953c-5c13d943c1fb) unexpected exit status 1: virt-aa-helper: error: apparmor_parser exited with error
> > libvirtd[38705]: internal error: cannot load AppArmor profile 'libvirt-4fad83ef-4285-4cf5-953c-5c13d943c1fb'
> >
> > dmesg contains the additional message:
> >
> > audit: type=1400 audit(1706112657.438:74): apparmor="DENIED" operation="open" class="file" profile="virt-aa-helper" name="/usr/sbin/apparmor_parser" pid=6333 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
>
> Oh, yikes. This means the LSM lost the knowledge that this open is an
> _exec_, not a _read_.
>
> I will start looking at this. John might be able to point me in the
> right direction more quickly, though.

Here's a possible patch for in_execve. Can you test this? I'm going to
also examine switching to FMODE_EXEC ... I think I know why this wasn't
done in the past, but I have to check the history...

diff --git a/fs/exec.c b/fs/exec.c index 39d773021fff..ddd0fa2e84a7 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -1505,7 +1505,7 @@ static int prepare_bprm_creds(struct linux_binprm *bprm) /* Matches do_open_execat() */ static void do_close_execat(struct file *file) { - if (!file) + if (IS_ERR_OR_NULL(file)) return; allow_write_access(file); fput(file); 
@@ -1530,23 +1530,30 @@ static void free_bprm(struct linux_binprm *bprm) kfree(bprm->interp); kfree(bprm->fdpath); kfree(bprm); + current->in_execve = 0; } static struct linux_binprm *alloc_bprm(int fd, struct filename *filename, int flags) { - struct linux_binprm *bprm; - struct file *file; + struct linux_binprm *bprm = NULL; + struct file *file = NULL; int retval = -ENOMEM; + /* + * Mark this "open" as an exec attempt for the LSMs. We reset + * it in bprm_free() (and our common error path below). + */ + current->in_execve = 1; + file = do_open_execat(fd, filename, flags); - if (IS_ERR(file)) - return ERR_CAST(file); + if (IS_ERR(file)) { + retval = PTR_ERR(file); + goto out_cleanup; + } bprm = kzalloc(sizeof(*bprm), GFP_KERNEL); - if (!bprm) { - do_close_execat(file); - return ERR_PTR(-ENOMEM); - } + if (!bprm) + goto out_cleanup; bprm->file = file; @@ -1559,7 +1566,7 @@ static struct linux_binprm *alloc_bprm(int fd, struct filename *filename, int fl bprm->fdpath = kasprintf(GFP_KERNEL, "/dev/fd/%d/%s", fd, filename->name); if (!bprm->fdpath) - goto out_free; + goto out_cleanup; /* * Record that a name derived from an O_CLOEXEC fd will be @@ -1581,8 +1588,11 @@ static struct linux_binprm *alloc_bprm(int fd, struct filename *filename, int fl if (!retval) return bprm; -out_free: - free_bprm(bprm); +out_cleanup: + if (bprm) + free_bprm(bprm); + do_close_execat(file); + current->in_execve = 0; return ERR_PTR(retval); } @@ -1633,6 +1643,7 @@ static void check_unsafe_exec(struct linux_binprm *bprm) } rcu_read_unlock(); + /* "users" and "in_exec" locked for copy_fs() */ if (p->fs->users > n_fs) bprm->unsafe |= LSM_UNSAFE_SHARE; else @@ -1863,7 +1874,6 @@ static int bprm_execve(struct linux_binprm *bprm) * where setuid-ness is evaluated. */ check_unsafe_exec(bprm); - current->in_execve = 1; sched_mm_cid_before_execve(current); sched_exec(); 
@@ -1880,7 +1890,6 @@ static int bprm_execve(struct linux_binprm *bprm) sched_mm_cid_after_execve(current); /* execve succeeded */ current->fs->in_exec = 0; - current->in_execve = 0; rseq_execve(current); user_events_execve(current); acct_update_integrals(current); @@ -1899,7 +1908,6 @@ static int bprm_execve(struct linux_binprm *bprm) sched_mm_cid_after_execve(current); current->fs->in_exec = 0; - current->in_execve = 0; return retval; } diff --git a/kernel/fork.c b/kernel/fork.c index 47ff3b35352e..0d944e92a43f 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -1748,6 +1748,7 @@ static int copy_fs(unsigned long clone_flags, struct task_struct *tsk) if (clone_flags & CLONE_FS) { /* tsk->fs is already what we want */ spin_lock(&fs->lock); + /* "users" and "in_exec" locked for check_unsafe_exec() */ if (fs->in_exec) { spin_unlock(&fs->lock); return -EAGAIN; -- Kees Cook
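
Review bot: In alloc_bprm(), the new out_cleanup label calls free_bprm(bprm) and then do_close_execat(file), but every failure after "bprm->file = file;" (the fdpath allocation, and the fall-through when retval is non-zero) reaches it with the file already owned by bprm. The part of free_bprm() shown in this patch does not say whether it releases bprm->file; if it does, that path runs allow_write_access() and fput() twice on the same file. Suggest calling do_close_execat(file) only when bprm is NULL, or setting file to NULL once it has been stored in bprm. Two smaller points in the same hunk: the new comment names bprm_free() while the function is free_bprm(), and the trailing "current->in_execve = 0;" is redundant whenever free_bprm() has just run.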
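
Review bot: In bprm_execve(), removing "current->in_execve = 0;" from beside "current->fs->in_exec = 0;" on the success path means the flag now stays set until free_bprm() runs, so rseq_execve(), user_events_execve() and acct_update_integrals() execute with in_execve still 1. The commit message should say that this wider window is intended and that no reader of in_execve relies on it being cleared at the "execve succeeded" point. The two flags also now have different lifetimes (in_execve spans alloc_bprm() to free_bprm(), fs->in_exec is still cleared here), which deserves a short comment where in_execve is set.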
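
Review bot: The comments added in check_unsafe_exec() and copy_fs() ('"users" and "in_exec" locked for ...') document existing locking and are unrelated to moving in_execve, so they would be better split into a separate patch to keep the regression fix minimal for testing and backporting. They would also be clearer if they named the lock, fs->lock as taken by the spin_lock(&fs->lock) visible in the copy_fs() hunk, instead of only saying "locked".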