
Incorrect SELinux labels on Qubes-provided kernel module directory #4278

Closed
DemiMarie opened this issue Sep 7, 2018 · 12 comments · Fixed by QubesOS/qubes-linux-kernel#447
Labels
affects-4.1 This issue affects Qubes OS 4.1. C: kernel P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. r4.1-dom0-stable T: bug Type: bug report. A problem or defect resulting in unintended behavior in something that exists.

Comments

@DemiMarie

DemiMarie commented Sep 7, 2018

Qubes OS version:

R4.0

Affected component(s):

dom0 block devi


Steps to reproduce the behavior:

Enable SELinux in a TemplateVM (only tested with Fedora 28 so far).

Expected behavior:

Kernel modules load normally

Actual behavior:

Kernel modules fail to load

General notes:

Incorrect SELinux labelling in the filesystem mounted from /var/lib/qubes/vm-kernels/*/modules.img is the culprit.


Related issues:

#4279, #4239

@marmarek
Member

marmarek commented Sep 7, 2018

The modules.img is built here, at kernel-qubes-vm package installation time in dom0. Feel free to provide a patch adding proper labeling. Note that selinux may not be available in dom0 at that time (and even if it is, policy version may be totally different than in VM).

On the other hand, the problem shouldn't apply to kernel installed in VM (virt_mode=hvm, kernel=).

@andrewdavidwong andrewdavidwong added T: bug Type: bug report. A problem or defect resulting in unintended behavior in something that exists. C: kernel labels Sep 7, 2018
@andrewdavidwong andrewdavidwong added this to the Release 4.0 updates milestone Sep 7, 2018
@RWGuy

RWGuy commented May 12, 2019

@DemiMarie can you provide the list of changes you had to implement for selinux to work?

@andrewdavidwong andrewdavidwong added the P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. label May 12, 2019
@DemiMarie
Author

DemiMarie commented Jul 8, 2019

@RWGuy

@DemiMarie can you provide the list of changes you had to implement for selinux to work?

  • I wrote a custom SELinux policy module, which allows QubesOS’s daemons the permissions they need. It also runs qubes-gui-runuser as xdm_t and qrexec-agent as local_login_t, so pam_selinux.so works correctly. Finally, it allows various programs access to unlabeled_t.
  • I turned on polyinstantiation of /tmp and /var/tmp. This is not strictly necessary, but it did force me to make pam_selinux.so work properly. It is also necessary for maximum protection by SELinux, as QubesOS does not do anything to protect against /tmp-based symlink attacks.
  • I had to modify the PAM configs to ensure that pam_namespace.so and pam_selinux.so are used by su, qrexec-agent, and qubes-gui-runuser.
  • I had to add a drop-in file for gnome-terminal-server.service to pass DISPLAY=:0 in the environment. Otherwise, it did not start reliably.

The main reason for doing this is that some users of QubesOS, especially as a server, benefit greatly. For example, while QubesOS does a far better job of preventing a compromised Apache or NGINX from gaining complete control than Linux ever could, forensics is much easier if the attacker did not get root privileges on the VM they managed to compromise. Similarly, it is not practical to run one ProxyVM per AppVM, but one can easily run multiple sandboxed proxy instances in the same ProxyVM and use SELinux to separate them. Vulnerabilities that allow breaking out of a properly-constructed Linux sandbox are rare, as shown by Sandstorm. Sandstorm went at least a year without a single such vulnerability, and has probably gone more.

This was referenced Aug 3, 2019
@DemiMarie
Author

@marmarek The correct fix is probably to apply extended attributes before building the image.

DemiMarie added a commit to DemiMarie/qubes-linux-kernel that referenced this issue Aug 27, 2021
This is necessary for qubes to work with SELinux enforcing, and fixes
several bugs that appear even when SELinux is not enforcing.

Fixes QubesOS/qubes-issues#4278
Fixes QubesOS/qubes-issues#5765
DemiMarie added a commit to DemiMarie/qubes-linux-kernel that referenced this issue Dec 2, 2021
DemiMarie added a commit to DemiMarie/qubes-linux-kernel that referenced this issue Dec 3, 2021
All files in the dom0-provided kernel images should be owned by
root:root, not user:mock!  They also need to have proper SELinux
contexts to be bootable with SELinux enforcing.  Furthermore, an SELinux
relabel can still damage the filesystem if the policy changes in the
future; prevent that by marking the files immutable.
fixes the UID and

Fixes QubesOS/qubes-issues#4278
Fixes QubesOS/qubes-issues#5765
DemiMarie added a commit to DemiMarie/qubes-linux-kernel that referenced this issue Dec 6, 2021
DemiMarie added a commit to DemiMarie/qubes-linux-kernel that referenced this issue Dec 10, 2021
DemiMarie added a commit to DemiMarie/qubes-linux-kernel that referenced this issue Dec 10, 2021
DemiMarie added a commit to DemiMarie/qubes-linux-kernel that referenced this issue Dec 10, 2021
DemiMarie added a commit to DemiMarie/qubes-linux-kernel that referenced this issue Dec 11, 2021
@qubesos-bot

Automated announcement from builder-github

The component linux-kernel-latest (including package kernel-latest-5.15.13-1.fc32.qubes) has been pushed to the r4.1 testing repository for dom0.
To test this update, please install it with the following command:

sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing

Changes included in this update

@qubesos-bot

Automated announcement from builder-github

The component linux-kernel-latest (including package kernel-latest-5.15.14-1.fc25.qubes) has been pushed to the r4.0 testing repository for dom0.
To test this update, please install it with the following command:

sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing

Changes included in this update

marmarek pushed a commit to QubesOS/qubes-linux-kernel that referenced this issue Jan 13, 2022
This is a combination of 10 commits:

Fix filesystem metadata of dom0-provided kernels

All files in the dom0-provided kernel images should be owned by
root:root, not user:mock!  They also need to have proper SELinux
contexts to be bootable with SELinux enforcing.  Furthermore, an SELinux
relabel can still damage the filesystem if the policy changes in the
future; prevent that by marking the files immutable.

Fixes QubesOS/qubes-issues#4278
Fixes QubesOS/qubes-issues#5765

(cherry picked from commit 0d82ee5)

Ensure that all inodes have sufficient permissions

Since the entirety of /dev/xvdd is publicly accessible online, trying to
hide anything in it is pointless.  Fix this by ensuring that all files
and symlinks have at least 0644 permissions, and that all directories
have exactly 0755 permissions.  The one exception is /lost+found, which
should be 0700 for consistency with other ext3 filesystems.

(cherry picked from commit 98e1e79)

Error out on unusual inode types

The dom0-provided kernel module directory should not contain anything
that is not a regular file, directory, or symbolic link.  If one does
exist, it is a bug in the build process, so error out.

(cherry picked from commit 4bb18b4)

Fix build on R4.0

Fedora 25's gcc doesn't support `-fcf-protection`,
`-fstack-clash-protection`, or `-fwrapv-pointer`.  genfs runs on trusted
input, so these flags are not necessary.  Drop them.

(cherry picked from commit d8f8a09)

Skip . and .. in root_iterate_callback()

This avoids causing problems for other code.

(cherry picked from commit 3b134b7)

/lib/modules/<kernel-version> must be writable

depmod creates temporary files under it.

(cherry picked from commit 4add7de)

Reject unexpected paths in kernel module tree

A dom0-provided kernel module directory should only have 7 entries: `.`,
`..`, `vmlinuz`, `firmware`, `lost+found`, `initramfs`, and a directory
with a name equal to the kernel version.  Error out if there are any
unexpected ones.

(cherry picked from commit b637f76)

Disable genfs on R4.0

It doesn't build and isn't needed.

(cherry picked from commit 5be99b7)

/lib/modules should be mutable

The mount point of the modules filesystem can have new entries added to
it, so it should be mutable.  OverlayFS currently seems to ignore the
immutable attribute on the lower directory, but this might be an
OverlayFS bug, so don't rely on it.  The immutable attribute is honored
on subdirectories.

(cherry picked from commit a9c159e)

Only mark regular files and /lost+found immutable

Marking other directories as immutable is too risky.

(cherry picked from commit 3825161)
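The commits above describe the invariants the rebuilt modules.img must satisfy: root:root ownership, a security.selinux label on every inode (applied as an extended attribute before the image is built, since dom0 cannot relabel for the VM's policy), files and symlinks at least 0644, directories exactly 0755 except a 0700 /lost+found, only regular files, directories and symlinks, and only the seven expected top-level entries. The following audit script is an added example written for this page, not Qubes' genfs tool; it walks an unpacked tree and reports every violation of those rules (the immutable attribute, which needs an ioctl, is not checked). `demo()` builds a constructed sample tree owned by the current user standing in for root:root, then breaks it.

```python
import os
import stat
import tempfile

# The only entries a dom0-provided module tree may have at its top level,
# plus one directory named after the kernel version (per the commit message).
EXPECTED_TOP = {"vmlinuz", "firmware", "lost+found", "initramfs"}


def check_module_tree(root, kernel_version, uid=0, gid=0):
    """Return a list of (kind, path, detail) violations for a modules tree."""
    bad = []
    for name in set(os.listdir(root)) - EXPECTED_TOP - {kernel_version}:
        bad.append(("entry", os.path.join(root, name), "unexpected top-level entry"))
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
    for p in paths:
        st = os.lstat(p)  # lstat: judge symlinks themselves, not their targets
        mode = stat.S_IMODE(st.st_mode)
        if (st.st_uid, st.st_gid) != (uid, gid):
            bad.append(("owner", p, f"owned by {st.st_uid}:{st.st_gid}"))
        if stat.S_ISDIR(st.st_mode):
            # directories exactly 0755, except the top-level lost+found (0700)
            want = 0o700 if p == os.path.join(root, "lost+found") else 0o755
            if mode != want:
                bad.append(("mode", p, f"dir mode {mode:o}, want {want:o}"))
        elif stat.S_ISREG(st.st_mode) or stat.S_ISLNK(st.st_mode):
            if mode & 0o644 != 0o644:  # files and symlinks at least 0644
                bad.append(("mode", p, f"mode {mode:o} hides public content"))
        else:
            bad.append(("type", p, "not a regular file, directory or symlink"))
        try:  # a label must already be present; dom0 cannot relabel for the VM
            os.getxattr(p, "security.selinux", follow_symlinks=False)
        except OSError:
            bad.append(("label", p, "no security.selinux xattr"))
    return bad


def demo(kernel_version="0.0.0-constructed"):
    """Build a constructed sample tree, then break it; return both violation kinds."""
    root = tempfile.mkdtemp()
    os.chmod(root, 0o755)
    for d, m in (("firmware", 0o755), (kernel_version, 0o755), ("lost+found", 0o700)):
        os.mkdir(os.path.join(root, d))
        os.chmod(os.path.join(root, d), m)
    for f in ("vmlinuz", "initramfs"):
        with open(os.path.join(root, f), "wb") as fh:
            fh.write(b"constructed placeholder\n")
        os.chmod(os.path.join(root, f), 0o644)
    me = (os.getuid(), os.getgid())  # the build user stands in for root:root here
    good = {k for k, _, _ in check_module_tree(root, kernel_version, *me)}
    os.mkfifo(os.path.join(root, kernel_version, "pipe"))  # unusual inode type
    os.chmod(os.path.join(root, "vmlinuz"), 0o600)  # file hidden from the VM's users
    open(os.path.join(root, "stray"), "w").close()  # unexpected top-level entry
    broken = {k for k, _, _ in check_module_tree(root, kernel_version, *me)}
    return good, broken
```

On a host without SELinux the clean tree still reports `label` violations, which is exactly the condition the issue describes for an image built in a dom0 that has no policy loaded.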
@qubesos-bot

Automated announcement from builder-github

The component linux-kernel (including package kernel-5.10.90-1.fc32.qubes) has been pushed to the r4.1 testing repository for dom0.
To test this update, please install it with the following command:

sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing

Changes included in this update

@qubesos-bot

Automated announcement from builder-github

The component linux-kernel-latest (including package kernel-latest-5.15.14-1.fc32.qubes) has been pushed to the r4.1 stable repository for dom0.
To install this update, please use the standard update command:

sudo qubes-dom0-update

Or update dom0 via Qubes Manager.

Changes included in this update

@qubesos-bot

Automated announcement from builder-github

The component linux-kernel (including package kernel-5.10.90-1.fc32.qubes) has been pushed to the r4.1 stable repository for dom0.
To install this update, please use the standard update command:

sudo qubes-dom0-update

Or update dom0 via Qubes Manager.

Changes included in this update

@qubesos-bot

Automated announcement from builder-github

The component linux-kernel-latest (including package kernel-latest-5.16.13-2.fc25.qubes) has been pushed to the r4.0 stable repository for dom0.
To install this update, please use the standard update command:

sudo qubes-dom0-update

Or update dom0 via Qubes Manager.

Changes included in this update

@DemiMarie DemiMarie removed r4.0-dom0-stable backport pending On closed issues, indicates fix released for newer version will be backported to older version. labels Mar 21, 2022
@qubesos-bot

Automated announcement from builder-github

The component linux-kernel (including package kernel-5.15.46-2.fc32.qubes) has been pushed to the r4.1 testing repository for dom0.
To test this update, please install it with the following command:

sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing

Changes included in this update

@qubesos-bot

Automated announcement from builder-github

The component linux-kernel (including package kernel-5.15.52-1.fc32.qubes) has been pushed to the r4.1 stable repository for dom0.
To install this update, please use the standard update command:

sudo qubes-dom0-update

Or update dom0 via Qubes Manager.

Changes included in this update

@andrewdavidwong andrewdavidwong added the affects-4.1 This issue affects Qubes OS 4.1. label Aug 8, 2023