Bugzilla – Bug 1197746
[Staging] Kernel 5.17 fails to boot with SELinux enabled setup
Last modified: 2023-04-26 14:09:58 UTC
## Observation

openQA test in scenario microos-Staging:O-Staging-DVD-x86_64-container-host-microos@64bit-2G-HD40G fails in [disk_boot](https://openqa.opensuse.org/tests/2272740/modules/disk_boot/steps/4)

The system is SELinux enabled, but fails to boot.

## Reproducible

Fails since (at least) Build [O.136.3](https://openqa.opensuse.org/tests/2261447)

## Expected result

Last good: [O.136.2](https://openqa.opensuse.org/tests/2257082) (or more recent)

## Further details

Always latest result in this scenario: [latest](https://openqa.opensuse.org/tests/latest?arch=x86_64&distri=microos&flavor=Staging-DVD&machine=64bit-2G-HD40G&test=container-host-microos&version=Staging%3AO)
Rundown of the debugging by Fabian:

5.17 changes CONFIG_LSM="integrity,apparmor" to CONFIG_LSM="integrity,apparmor,bpf" (https://github.com/openSUSE/kernel-source/commit/c2c25b18721866d6211054f542987036ed6e0a50). As a result, the effective LSMs (/sys/kernel/security/lsm) with security=selinux change from lockdown,capability,selinux to lockdown,capability,bpf,selinux.

For /proc/self/attr/current, the kernel calls the getprocattr LSM hook for each enabled module in order. lockdown and capability don't define it, but bpf does because it uses lsm_hook_defs.h: https://github.com/torvalds/linux/blob/d888c83fcec75194a8a48ccd283953bdba7b2550/security/bpf/hooks.c#L12. Thus bpf is the first module to get the call and the default implementation returns -EINVAL.

Using selinux,bpf explicitly by passing lsm=selinux,bpf works. FWICT, lsm_hook_defs is only meant to be used with LSMs which define LSM_FLAG_LEGACY_MAJOR.

Broken: security=selinux

[ 0.021124][ T0] Kernel command line: BOOT_IMAGE=/boot/vmlinuz-5.17.1-1-default root=UUID=b5d02679-d959-4c26-8221-f205d9c12ed8 rd.timeout=60 rd.retry=45 systemd.show_status=yes console=ttyS0,115200 ignition_firstboot ignition.platform.id=qemu security=selinux selinux=1 lsm.debug debug
[ 0.153158][ T0] LSM: Security Framework initializing
[ 0.153737][ T0] LSM: first ordering: capability (enabled)
[ 0.154337][ T0] LSM: security=selinux disabled: tomoyo
[ 0.154900][ T0] LSM: security=selinux disabled: apparmor
[ 0.155484][ T0] LSM: builtin ordering: integrity (enabled)
[ 0.155527][ T0] LSM: builtin ordering: apparmor (disabled)
[ 0.155527][ T0] LSM: builtin ordering: bpf (enabled)
[ 0.155527][ T0] LSM: security= ordering: selinux (enabled)
[ 0.155527][ T0] LSM: builtin disabled: tomoyo
[ 0.155527][ T0] LSM: builtin disabled: yama
[ 0.155527][ T0] LSM: builtin disabled: landlock
[ 0.155527][ T0] LSM: exclusive chosen: selinux
[ 0.155527][ T0] LSM: cred blob size = 24
[ 0.155527][ T0] LSM: file blob size = 16
[ 0.155527][ T0] LSM: inode blob size = 64
[ 0.155527][ T0] LSM: ipc blob size = 8
[ 0.155527][ T0] LSM: msg_msg blob size = 4
[ 0.155527][ T0] LSM: superblock blob size = 72
[ 0.155527][ T0] LSM: task blob size = 8
[ 0.155527][ T0] LSM: initializing capability
[ 0.155527][ T0] LSM: initializing integrity
[ 0.155527][ T0] LSM: initializing bpf
[ 0.155527][ T0] LSM support for eBPF active
[ 0.155527][ T0] LSM: initializing selinux
[ 0.155527][ T0] SELinux: Initializing.
[ 10.534768][ T1] systemd[1]: Failed to compute init label, ignoring.

Broken: lsm=bpf,selinux

[ 0.021020][ T0] Kernel command line: BOOT_IMAGE=/boot/vmlinuz-5.17.1-1-default root=UUID=b5d02679-d959-4c26-8221-f205d9c12ed8 rd.timeout=60 rd.retry=45 systemd.show_status=yes console=ttyS0,115200 ignition_firstboot ignition.platform.id=qemu selinux=1 lsm.debug lsm=bpf,selinux
[ 0.146955][ T0] LSM: Security Framework initializing
[ 0.147570][ T0] LSM: first ordering: capability (enabled)
[ 0.148192][ T0] LSM: cmdline ordering: bpf (enabled)
[ 0.148783][ T0] LSM: cmdline ordering: selinux (enabled)
[ 0.149317][ T0] LSM: cmdline disabled: tomoyo
[ 0.149317][ T0] LSM: cmdline disabled: apparmor
[ 0.149317][ T0] LSM: cmdline disabled: yama
[ 0.149317][ T0] LSM: cmdline disabled: landlock
[ 0.149317][ T0] LSM: cmdline disabled: integrity
[ 0.149317][ T0] LSM: exclusive chosen: selinux
[ 0.149317][ T0] LSM: cred blob size = 24
[ 0.149317][ T0] LSM: file blob size = 16
[ 0.149317][ T0] LSM: inode blob size = 64
[ 0.149317][ T0] LSM: ipc blob size = 8
[ 0.149317][ T0] LSM: msg_msg blob size = 4
[ 0.149317][ T0] LSM: superblock blob size = 72
[ 0.149317][ T0] LSM: task blob size = 8
[ 0.149317][ T0] LSM: initializing capability
[ 0.149317][ T0] LSM: initializing bpf
[ 0.149317][ T0] LSM support for eBPF active
[ 0.149317][ T0] LSM: initializing selinux
[ 0.149317][ T0] SELinux: Initializing.

Works: lsm=selinux,bpf

[ 0.021052][ T0] Kernel command line: BOOT_IMAGE=/boot/vmlinuz-5.17.1-1-default root=UUID=b5d02679-d959-4c26-8221-f205d9c12ed8 rd.timeout=60 rd.retry=45 systemd.show_status=yes console=ttyS0,115200 ignition_firstboot ignition.platform.id=qemu selinux=1 lsm.debug lsm=selinux,bpf
[ 0.165850][ T0] LSM: Security Framework initializing
[ 0.166495][ T0] LSM: first ordering: capability (enabled)
[ 0.167110][ T0] LSM: cmdline ordering: selinux (enabled)
[ 0.167689][ T0] LSM: cmdline ordering: bpf (enabled)
[ 0.168228][ T0] LSM: cmdline disabled: tomoyo
[ 0.168293][ T0] LSM: cmdline disabled: apparmor
[ 0.168293][ T0] LSM: cmdline disabled: yama
[ 0.168293][ T0] LSM: cmdline disabled: landlock
[ 0.168293][ T0] LSM: cmdline disabled: integrity
[ 0.168293][ T0] LSM: exclusive chosen: selinux
[ 0.168293][ T0] LSM: cred blob size = 24
[ 0.168293][ T0] LSM: file blob size = 16
[ 0.168293][ T0] LSM: inode blob size = 64
[ 0.168293][ T0] LSM: ipc blob size = 8
[ 0.168293][ T0] LSM: msg_msg blob size = 4
[ 0.168293][ T0] LSM: superblock blob size = 72
[ 0.168293][ T0] LSM: task blob size = 8
[ 0.168293][ T0] LSM: initializing capability
[ 0.168293][ T0] LSM: initializing selinux
[ 0.168293][ T0] SELinux: Initializing.
[ 0.168293][ T0] LSM: initializing bpf
[ 0.168293][ T0] LSM support for eBPF active
Enabled in:

commit c2c25b18721866d6211054f542987036ed6e0a50
Author: Michal Rostecki <mrostecki@suse.de>
Date:   Tue Jan 25 20:08:42 2022 +0100

    config: Enable BPF LSM

Going to revert temporarily in stable. If you fix the issue, please revert my disablement.
Also CC'ing Michal; I am not sure if you want to revert this in master too. I assume this will be fixed in the short term...
This is exactly why I was reluctant to enable a new LSM by default; we had a similar issue last time we did it. Could someone familiar with the issue check the kernel in the home:mkubecek:rc0 OBS project? (It's a mainline snapshot from yesterday evening.) If there is no known fix yet, I'm going to revert the config change also in master until there is one.
(In reply to Michal Kubeček from comment #4)
> Could someone familiar with the issue check the kernel in home:mkubecek:rc0
> OBS project? (It's a mainline snapshot from yesterday evening.)

FWIW still broken in 5.17.0-3-g74164d2-1-default.
What is setting the security=selinux parameter? Is it YaST? I will try to check, but I would appreciate some hints from someone who knows the answer. If so, I think the good solution would be setting lsm=[...],bpf (ensuring that BPF is the last one) exactly at the same place.
(In reply to Michał Rostecki from comment #7)
> What is setting the security=selinux parameter? Is it YaST? I will try to
> check, but I would appreciate some hints from someone who knows the answer.

I am no expert; I found this yesterday by coincidence:

# rpm -q selinux-targeted-setup --scripts | grep -A 4 if.*\$GRUB_CFG
if [[ -f $GRUB_CFG ]]; then
    if [[ ! $(grep "^GRUB_CMDLINE_LINUX_DEFAULT=" $GRUB_CFG | grep security=selinux) ]]; then
        sed -i -e 's|\(^GRUB_CMDLINE_LINUX_DEFAULT=.*\)"|\1 security=selinux selinux=1"|g' $GRUB_CFG
    fi
fi
(In reply to Michał Rostecki from comment #7)
> What is setting the security=selinux parameter? Is it YaST? I will try to
> check, but I would appreciate some hints from someone who knows the answer.

YaST and prebuilt images at least; it's also part of the documentation. It's also used in some scripts like transactional-update.

> If so, I think the good solution would be setting lsm=[...],bpf (with
> ensuring that BPF is the last one) exactly at the same place.

IMO breaking the security= option is not acceptable, especially with this rather misleading error, and using lsm=...,bpf instead is a workaround at best. It would have to be implemented in YaST, changed in prebuilt images and also handled on kernel update installation (editing grub config in %post...).

Is there any reason bpf signals that it implements the getprocattr hook?
For the record, the config change is now also reverted in master branch.
Is there an upstream bug report for this? Clearly this breaks compatibility with existing setups, and an upstream fix is desirable.
I think this doesn't happen upstream because the upstream default for CONFIG_LSM is simply everything:

default "landlock,lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo,bpf" if DEFAULT_SECURITY_APPARMOR

Basically you can list apparmor,selinux and apparmor will be preferred, but you can switch to selinux using the security=selinux boot parameter. In any case bpf is initialized last and it just works. I've submitted this change accordingly.
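The ordering logic Fabian describes in comment 1 (the first LSM that registers getprocattr answers /proc/self/attr/current, and security=selinux lands selinux after bpf) and the upstream CONFIG_LSM default Dirk cites in comment 12 (apparmor listed before selinux is preferred unless security= overrides it) can be exercised with a small user-space model. The following C is an added example, not code from this report or from the kernel tree; it mimics ordered_lsm_parse() and security_getprocattr() from security/security.c in simplified form. The LSM table, its flags, the hook return values (bpf answering with the lsm_hook_defs.h default -EINVAL, a real MAC LSM answering 0), the omission of early LSMs such as lockdown, and the function names effective_order/getprocattr_current/simulate are all assumptions of the example.

```c
/* Added example, not code from the bug report or the kernel tree: a user-space
 * model of ordered_lsm_parse() (how CONFIG_LSM, lsm= and security= produce the
 * effective LSM order) and of security_getprocattr() for /proc/self/attr/current.
 * The LSM table, its flags and the hook return values are assumptions; early
 * LSMs such as lockdown are set up separately by the kernel and left out. */
#include <errno.h>
#include <string.h>

#define MAX_LSMS 16

struct lsm {
    const char *name;
    int first;          /* LSM_ORDER_FIRST: always placed first */
    int legacy_major;   /* LSM_FLAG_LEGACY_MAJOR: selectable with security= */
    int exclusive;      /* LSM_FLAG_EXCLUSIVE: at most one stays active */
    int getprocattr;    /* registers a getprocattr hook */
    int getprocattr_rc; /* assumed return value of that hook */
};

/* bpf registers every hook through lsm_hook_defs.h, so its getprocattr returns
 * the -EINVAL default; a successful answer from a real MAC LSM is 0 here. */
static const struct lsm lsm_table[] = {
    { "capability", 1, 0, 0, 0, 0 },
    { "integrity",  0, 0, 0, 0, 0 },
    { "apparmor",   0, 1, 1, 1, 0 },
    { "selinux",    0, 1, 1, 1, 0 },
    { "smack",      0, 1, 1, 1, 0 },
    { "tomoyo",     0, 1, 0, 0, 0 },
    { "bpf",        0, 0, 0, 1, -EINVAL },
};
#define NLSM ((int)(sizeof lsm_table / sizeof lsm_table[0]))

static int find_lsm(const char *name)   /* -1 = unknown name, ignored as in the kernel */
{
    for (int i = 0; i < NLSM; i++)
        if (strcmp(lsm_table[i].name, name) == 0)
            return i;
    return -1;
}

static int next_token(const char **p, char *name, size_t len)   /* split on ',' */
{
    const char *s = *p;
    size_t i = 0;
    if (!*s) return 0;
    for (; *s && *s != ','; s++)
        if (i + 1 < len)
            name[i++] = *s;
    name[i] = '\0';
    *p = *s == ',' ? s + 1 : s;
    return 1;
}

/* config_lsm = CONFIG_LSM, security = security= value or NULL, lsm_param = lsm=
 * value or NULL. Fills out[] with the LSMs that end up active, in hook order. */
static int effective_order(const char *config_lsm, const char *security,
                           const char *lsm_param, const char *out[], int max)
{
    int enabled[NLSM], placed[NLSM] = {0}, ordered[MAX_LSMS], n = 0, m = 0, chosen = 0, i;
    const char *order = lsm_param ? lsm_param : config_lsm;
    char name[32];

    if (lsm_param)                  /* lsm= supersedes security= */
        security = NULL;
    for (i = 0; i < NLSM; i++) {
        enabled[i] = 1;
        if (lsm_table[i].first)     /* LSM_ORDER_FIRST modules come first */
            placed[i] = 1, ordered[n++] = i;
        else if (security && lsm_table[i].legacy_major && strcmp(lsm_table[i].name, security))
            enabled[i] = 0;         /* security=X disables every other legacy major */
    }
    while (next_token(&order, name, sizeof name))
        if ((i = find_lsm(name)) >= 0 && !placed[i] && n < MAX_LSMS)
            placed[i] = 1, ordered[n++] = i;   /* a disabled LSM still takes its slot */
    if (security && (i = find_lsm(security)) >= 0 && !placed[i] && n < MAX_LSMS)
        ordered[n++] = i;           /* X not in CONFIG_LSM: appended LAST, after bpf */
    for (i = 0; i < n; i++) {       /* initialise in order; first enabled exclusive wins */
        const struct lsm *l = &lsm_table[ordered[i]];
        if (enabled[ordered[i]] && !(l->exclusive && chosen++) && m < max)
            out[m++] = l->name;
    }
    return m;
}

/* The FIRST active LSM that registered getprocattr answers; the rest are never asked. */
static int getprocattr_current(const char *order[], int n, const char **who)
{
    for (int i = 0; i < n; i++) {
        int k = find_lsm(order[i]);
        if (k >= 0 && lsm_table[k].getprocattr) {
            *who = lsm_table[k].name;
            return lsm_table[k].getprocattr_rc;
        }
    }
    *who = NULL;
    return -EINVAL;                 /* framework default when no LSM answers */
}

/* One kernel config + command line: which LSM answers /proc/self/attr/current. */
static int simulate(const char *config_lsm, const char *security,
                    const char *lsm_param, const char **who)
{
    const char *order[MAX_LSMS];
    int n = effective_order(config_lsm, security, lsm_param, order, MAX_LSMS);
    return getprocattr_current(order, n, who);
}
```

With the openSUSE 5.17 list "integrity,apparmor,bpf" and security=selinux, simulate() reports that bpf answers with -EINVAL and effective_order() yields capability, integrity, bpf, selinux, the same order the lsm.debug output above shows; lsm=selinux,bpf makes selinux answer, and lsm=bpf,selinux fails again. With the upstream default list, security=selinux places selinux before bpf and it works, while no security= at all leaves apparmor in charge because it is the first enabled exclusive LSM. On a real system the equivalent check is to compare the order in /sys/kernel/security/lsm with the result of reading /proc/self/attr/current; if bpf precedes the MAC LSM there, the -EINVAL seen by systemd is expected.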
So the kernel with my change entered Factory. Can we close this, or is there still an issue?
(In reply to Dirk Mueller from comment #13)
> so the kernel with my change entered factory. can we close this or is there
> still an issue?

From a TW PoV, yes, this is fixed. Reading through the bug it's not clear if the kernel team wants to keep it alive as a reminder to not run into it again: https://bugzilla.suse.com/show_bug.cgi?id=1197746#c2
Let's close this. If someone feels bpf should be enabled, they can open a new bug...