Bug 1719067 - BUG: EACCES on writing empty value to /proc/self/attr/keycreate
Summary: BUG: EACCES on writing empty value to /proc/self/attr/keycreate
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: kernel
Version: 8.1
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: ---
Assignee: Ondrej Mosnacek 🌽
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-06-11 00:40 UTC by Kir Kolyshkin
Modified: 2019-11-05 21:57 UTC (History)
4 users (show)

Fixed In Version: kernel-4.18.0-112.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-11-05 21:57:39 UTC
Type: Bug
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:3517 None None None 2019-11-05 21:57:53 UTC

Description Kir Kolyshkin 2019-06-11 00:40:42 UTC
Description of problem:

The kernel returns EACCES when trying to write an empty value to /proc/self/attr/keycreate. According to Dan Walsh, writing an empty value is legitimate way to tell "reset it to whatever defaults are there", and yet the kernel returns an error. I believe this is a bug.

Here's a repro and how it works:

[root@kir-ce7-selinux-01 ~]# cat a.c 
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdio.h>

int main(void) {
	int fd, r;

	fd = open("/proc/self/attr/keycreate", O_WRONLY);
	if (fd < 0) {
		perror("open");
	}

	r = write(fd, "", 0);
	if (r < 0) {
		perror("write");
	}

	return 0;
}

[root@kir-ce7-selinux-01 ~]# uname -a
Linux kir-ce7-selinux-01 3.10.0-957.12.2.el7.x86_64 #1 SMP Tue May 14 21:24:32 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

[root@kir-ce7-selinux-01 ~]# gcc -Wall -O2 -o a a.c

[root@kir-ce7-selinux-01 ~]# ./a
write: Permission denied
[root@kir-ce7-selinux-01 ~]# strace ./a
...
open("/proc/self/attr/keycreate", O_WRONLY) = 3
write(3, "", 0)                         = -1 EACCES (Permission denied)
...


NOTE you need a freshly booted kernel for that. Something like yum update container-selinux makes the bug disappear (I suspect something in the post-install scripts resets the selinux state in the kernel or something).

Version-Release number of selected component (if applicable):

[root@kir-ce7-selinux-01 ~]# uname -a
Linux kir-ce7-selinux-01 3.10.0-957.12.2.el7.x86_64 #1 SMP Tue May 14 21:24:32 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux


How reproducible:

See above. NOTE you need a freshly booted kernel for that. Something like yum update container-selinux makes the bug disappear (I suspect something in the post-install scripts resets the selinux state in the kernel or something).

Actual results:

See above (EACCES returned from write).


Expected results:

No error.

Additional info:

This breaks runc, containerd, and docker :)

Comment 2 Kir Kolyshkin 2019-06-11 01:50:50 UTC
I am always able to reproduce it on a freshly installed (latest) CentOS. Once I do something, say install container-selinux package, the bug disappears entirely, and removing container-selinux won't help. Sometimes a reboot helps to bring it back, sometimes not, and to repro I have to install a fresh CentOS system.

Comment 4 Ondrej Mosnacek 🌽 2019-06-12 07:54:28 UTC
After going through the code, I agree that this is a bug. The kernel shouldn't check the key/create permission when the value is being cleared. The bug has been present upstream since the very introduction of the keycreate file (almost 13 years)...

I'll send a fix to upstream soon. It is not clear at this point whether we will fix this in RHEL-7 or defer to RHEL-8.

Comment 5 Ondrej Mosnacek 🌽 2019-06-12 08:17:03 UTC
Patch posted upstream: https://lore.kernel.org/selinux/20190612081226.21004-1-omosnace@redhat.com/T/

Comment 6 Daniel Walsh 2019-06-12 08:48:35 UTC
I think this is fine in RHEL7, we can work around with the updated container-selinux policy.

Comment 7 Ondrej Mosnacek 🌽 2019-06-12 10:49:58 UTC
Thanks, Dan. I'm moving this to RHEL-8 then.

Comment 8 Ondrej Mosnacek 🌽 2019-06-13 09:12:43 UTC
Upstream commit:

commit 464c258aa45b09f16aa0f05847ed8895873262d9
Author: Ondrej Mosnacek <omosnace@redhat.com>
Date:   Wed Jun 12 10:12:26 2019 +0200

    selinux: fix empty write to keycreate file

https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git/commit/?id=464c258aa45b09f16aa0f05847ed8895873262d9

Comment 12 Herton R. Krzesinski 2019-07-05 20:13:40 UTC
Patch(es) available on kernel-4.18.0-112.el8

Comment 24 errata-xmlrpc 2019-11-05 21:57:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:3517


Note You need to log in before you can comment on or make changes to this bug.