ubuntu-kernel-tests

test_310_config_security_perf_events_restrict / test_400_refcount_config in ubuntu_qrt_kernel_security failed on F-OEM-5.6

Bug #1879339 reported by Po-Hsu Lin on 2020-05-18

This bug affects 1 person

	Status	Importance	Assigned to
QA Regression Testing	Fix Released	Undecided	Unassigned
ubuntu-kernel-tests	New	Undecided	Unassigned
linux-oem-5.6 (Ubuntu)	Confirmed	Undecided	Unassigned

Bug Description

  ======================================================================
  FAIL: test_310_config_security_perf_events_restrict (__main__.KernelSecurityConfigTest)
  Ensure CONFIG_SECURITY_PERF_EVENTS_RESTRICT is set
  ----------------------------------------------------------------------
  Traceback (most recent call last):
    File "./test-kernel-security.py", line 2704, in test_310_config_security_perf_events_restrict
      self.assertKernelConfig(config_name, expected)
    File "./test-kernel-security.py", line 214, in assertKernelConfig
      self.assertKernelConfigSet(name)
    File "./test-kernel-security.py", line 201, in assertKernelConfigSet
      '%s option was expected to be set in the kernel config' % name)
  AssertionError: SECURITY_PERF_EVENTS_RESTRICT option was expected to be set in the kernel config

  ======================================================================
  FAIL: test_400_refcount_config (__main__.KernelSecurityConfigTest)
  Ensure kernel refcount protections are enabled
  ----------------------------------------------------------------------
  Traceback (most recent call last):
    File "./test-kernel-security.py", line 2817, in test_400_refcount_config
      self.assertKernelConfig(config_name, expected)
    File "./test-kernel-security.py", line 214, in assertKernelConfig
      self.assertKernelConfigSet(name)
    File "./test-kernel-security.py", line 201, in assertKernelConfigSet
      '%s option was expected to be set in the kernel config' % name)
  AssertionError: ARCH_HAS_REFCOUNT option was expected to be set in the kernel config

ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: linux-image-5.6.0-1010-oem 5.6.0-1010.10
ProcVersionSignature: User Name 5.6.0-1010.10-oem 5.6.8
Uname: Linux 5.6.0-1010-oem x86_64
ApportVersion: 2.20.11-0ubuntu27
Architecture: amd64
CasperMD5CheckResult: skip
Date: Mon May 18 14:44:11 2020
ProcEnviron:
TERM=xterm-256color
PATH=(custom, no user)
XDG_RUNTIME_DIR=<set>
LANG=C.UTF-8
SHELL=/bin/bash
SourcePackage: linux-signed-oem-5.6
UpgradeStatus: No upgrade log present (probably fresh install)

Tags:

Revision history for this message

Po-Hsu Lin (cypressyew) wrote on 2020-05-18:

Dependencies.txt Edit (2.4 KiB, text/plain; charset="utf-8")
ProcCpuinfoMinimal.txt Edit (1.0 KiB, text/plain; charset="utf-8")

tags:

added: sru-20200427 ubuntu-qrt-kernel-security

Timo Aaltonen (tjaalton) on 2020-05-19

affects:

linux-signed-oem-5.6 (Ubuntu) → linux-oem-5.6 (Ubuntu)

Revision history for this message

Steve Beattie (sbeattie) wrote on 2020-05-20:

For the test_310_config_security_perf_events_restrict -- missing SECURITY_PERF_EVENTS_RESTRICT option; it appears the linux-oem-5.6 kernel is missing the following Ubuntu SAUCE patch:

  commit 4e6246de75c468397327fa741b380c926020c81f
  Author: Ben Hutchings <email address hidden>
  Date: Tue Aug 16 10:27:00 2016 -0600

UBUNTU: SAUCE: security,perf: Allow further restriction of perf_event_open

For the test_400_refcount_config test, the ARCH_HAS_REFCOUNT and REFCOUNT_FULL config options were removed upstream in the 5.5. kernel cycle. I'm working on a patch to qrt to address this.

Thanks.

Changed in qa-regression-testing:
status:	New → Confirmed
Changed in linux-oem-5.6 (Ubuntu):
status:	New → Confirmed

Revision history for this message

Steve Beattie (sbeattie) wrote on 2020-05-21:

The test_400_refcount_config failure has been addressed in qa-regression-testing commit
https://git.launchpad.net/qa-regression-testing/commit/?id=480aaab47c0e7e11ab5bad5b56f61742ac8fdf9e

Thanks.

Steve Beattie (sbeattie) on 2020-05-21

Changed in qa-regression-testing:
status:	Confirmed → Fix Released

Revision history for this message

Timo Aaltonen (tjaalton) wrote on 2020-05-22:

Download full text (3.6 KiB)

does this upstream change replace the sauce patch?

commit da97e18458fb42d7c00fac5fd1c56a3896ec666e
Author: Joel Fernandes (Google) <email address hidden>
Date: Mon Oct 14 13:03:08 2019 -0400

perf_event: Add support for LSM and SELinux checks

    In current mainline, the degree of access to perf_event_open(2) system
    call depends on the perf_event_paranoid sysctl. This has a number of
    limitations:

    1. The sysctl is only a single value. Many types of accesses are controlled
       based on the single value thus making the control very limited and
       coarse grained.
    2. The sysctl is global, so if the sysctl is changed, then that means
       all processes get access to perf_event_open(2) opening the door to
       security issues.

    This patch adds LSM and SELinux access checking which will be used in
    Android to access perf_event_open(2) for the purposes of attaching BPF
    programs to tracepoints, perf profiling and other operations from
    userspace. These operations are intended for production systems.

    5 new LSM hooks are added:
    1. perf_event_open: This controls access during the perf_event_open(2)
       syscall itself. The hook is called from all the places that the
       perf_event_paranoid sysctl is checked to keep it consistent with the
       systctl. The hook gets passed a 'type' argument which controls CPU,
       kernel and tracepoint accesses (in this context, CPU, kernel and
       tracepoint have the same semantics as the perf_event_paranoid sysctl).
       Additionally, I added an 'open' type which is similar to
       perf_event_paranoid sysctl == 3 patch carried in Android and several other
       distros but was rejected in mainline [1] in 2016.

    2. perf_event_alloc: This allocates a new security object for the event
       which stores the current SID within the event. It will be useful when
       the perf event's FD is passed through IPC to another process which may
       try to read the FD. Appropriate security checks will limit access.

3. perf_event_free: Called when the event is closed.

4. perf_event_read: Called from the read(2) and mmap(2) syscalls for the event.

5. perf_event_write: Called from the ioctl(2) syscalls for the event.

[1] https://lwn.net/Articles/696240/

Since Peter had suggest LSM hooks in 2016 [1], I am adding his
Suggested-by tag below.

    To use this patch, we set the perf_event_paranoid sysctl to -1 and then
    apply selinux checking as appropriate (default deny everything, and then
    add policy rules to give access to domains that need it). In the future
    we can remove the perf_event_paranoid sysctl altogether.

    Suggested-by: Peter Zijlstra <email address hidden>
    Co-developed-by: Peter Zijlstra <email address hidden>
    Signed-off-by: Joel Fernandes (Google) <email address hidden>
    Signed-off-by: Peter Zijlstra (Intel) <email address hidden>
    Acked-by: James Morris <email address hidden>
    Cc: Arnaldo Carvalho de Melo <email address hidden>
    Cc: <email address hidden>
    Cc: Yonghong Song <email address hidden>
    Cc: Kees Cook <email address hidden>
    Cc:...

does this upstream change replace the sauce patch?

commit da97e18458fb42d7c00fac5fd1c56a3896ec666e
Author: Joel Fernandes (Google) <joel@joelfernandes.org>
Date:   Mon Oct 14 13:03:08 2019 -0400

perf_event: Add support for LSM and SELinux checks
    
    In current mainline, the degree of access to perf_event_open(2) system
    call depends on the perf_event_paranoid sysctl.  This has a number of
    limitations:
    
    1. The sysctl is only a single value. Many types of accesses are controlled
       based on the single value thus making the control very limited and
       coarse grained.
    2. The sysctl is global, so if the sysctl is changed, then that means
       all processes get access to perf_event_open(2) opening the door to
       security issues.
    
    This patch adds LSM and SELinux access checking which will be used in
    Android to access perf_event_open(2) for the purposes of attaching BPF
    programs to tracepoints, perf profiling and other operations from
    userspace. These operations are intended for production systems.
    
    5 new LSM hooks are added:
    1. perf_event_open: This controls access during the perf_event_open(2)
       syscall itself. The hook is called from all the places that the
       perf_event_paranoid sysctl is checked to keep it consistent with the
       systctl. The hook gets passed a 'type' argument which controls CPU,
       kernel and tracepoint accesses (in this context, CPU, kernel and
       tracepoint have the same semantics as the perf_event_paranoid sysctl).
       Additionally, I added an 'open' type which is similar to
       perf_event_paranoid sysctl == 3 patch carried in Android and several other
       distros but was rejected in mainline [1] in 2016.
    
    2. perf_event_alloc: This allocates a new security object for the event
       which stores the current SID within the event. It will be useful when
       the perf event's FD is passed through IPC to another process which may
       try to read the FD. Appropriate security checks will limit access.
    
    3. perf_event_free: Called when the event is closed.
    
    4. perf_event_read: Called from the read(2) and mmap(2) syscalls for the event.
    
    5. perf_event_write: Called from the ioctl(2) syscalls for the event.
    
    [1] https://lwn.net/Articles/696240/
    
    Since Peter had suggest LSM hooks in 2016 [1], I am adding his
    Suggested-by tag below.
    
    To use this patch, we set the perf_event_paranoid sysctl to -1 and then
    apply selinux checking as appropriate (default deny everything, and then
    add policy rules to give access to domains that need it). In the future
    we can remove the perf_event_paranoid sysctl altogether.
    
    Suggested-by: Peter Zijlstra <peterz@infradead.org>
    Co-developed-by: Peter Zijlstra <peterz@infradead.org>
    Signed-off-by: Joel Fernandes (Google) <joel@joelfernandes.org>
    Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Acked-by: James Morris <jmorris@namei.org>
    Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
    Cc: rostedt@goodmis.org
    Cc: Yonghong Song <yhs@fb.com>
    Cc: Kees Cook <keescook@chromium.org>
    Cc: Ingo Molnar <mingo@redhat.com>
    Cc: Alexei Starovoitov <ast@kernel.org>
    Cc: jeffv@google.com
    Cc: Jiri Olsa <jolsa@redhat.com>
    Cc: Daniel Borkmann <daniel@iogearbox.net>
    Cc: primiano@google.com
    Cc: Song Liu <songliubraving@fb.com>
    Cc: rsavitski@google.com
    Cc: Namhyung Kim <namhyung@kernel.org>
    Cc: Matthew Garrett <matthewgarrett@google.com>
    Link: https://lkml.kernel.org/r/20191014170308.70668-1-joel@joelfernandes.org

Revision history for this message

Po-Hsu Lin (cypressyew) wrote on 2020-06-22:

Hello Steve,
test_310_config_security_perf_events_restrict is still failing with F-OEM-5.6, do you want me to open a new bug for it?

Thanks

tags:

added: sru-20200608

Kelsey Steele (kelsey-steele) on 2021-05-11

tags:

added: 5.6 oem oem-5.6 sru-20210412

Revision history for this message

Steve Beattie (sbeattie) wrote on 2021-05-11:

Sorry for the lag on this issue.

Timo, while the added hooks are useful, they don't for the time being obviate the need for the larger hammer of the sysctl, so we'd still like to keep the referred to patch available, until we are forced to make a choice if and when upstream drops the sysctl entirely.

Po-Hsu, if it's easier for tracking for it to be a separate bug report, that's fine. Am hoping ot have more time soon to focus on qa-r-t issues when they come up.

Thanks.