https://bugzilla.suse.com/show_bug.cgi?id=1194332
Bug ID: 1194332
Summary: kernel lsm boot parameter needs lsm=integrity to use IMA
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Bootloader
Assignee: screening-team-bugs@suse.de
Reporter: petr.vorel@suse.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---
Build 20211229 added 'lsm=apparmor' as a kernel parameter into GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub.
Please change it to 'lsm=integrity,apparmor' to allow using IMA (e.g. 'ima_policy=tcb' kernel parameter). That avoids kernel oops breaking boot [1]:
[    1.210321][    T1] Kernel panic - not syncing: integrity_inode_get: lsm=integrity required.
[    1.212119][    T1] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.15.12-1-default #1 openSUSE Tumbleweed dacaf19d133e8023737b25567dc90a32d973f26e
[    1.215246][    T1] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a-rebuilt.opensuse.org 04/01/2014
[    1.218496][    T1] Call Trace:
[    1.219715][    T1]  <TASK>
[    1.220844][    T1]  dump_stack_lvl+0x46/0x5a
[    1.222144][    T1]  panic+0xf3/0x2cb
[    1.223326][    T1]  integrity_inode_get.cold+0x13/0x13
[    1.224710][    T1]  process_measurement+0x86e/0x960
[    1.226069][    T1]  ? aa_file_perm+0x112/0x480
[    1.227359][    T1]  ? select_task_rq_fair+0x15a/0x1350
[    1.228744][    T1]  ? __kernel_read+0x14a/0x2d0
[    1.230068][    T1]  ? profile_signal_perm.part.0+0x91/0xb0
[    1.231516][    T1]  ima_bprm_check+0x55/0xb0
[    1.232810][    T1]  bprm_execve+0x22a/0x660
[    1.234104][    T1]  ? rest_init+0xc0/0xc0
[    1.235372][    T1]  kernel_execve+0x12e/0x1b0
[    1.236689][    T1]  kernel_init+0x76/0x120
[    1.237982][    T1]  ret_from_fork+0x22/0x30
[    1.239278][    T1]  </TASK>
[    1.240462][    T1] Kernel Offset: 0x7600000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[    1.243605][    T1] Rebooting in 90 seconds..
[1] https://openqa.opensuse.org/tests/2122167#step/boot_ltp/13
Petr Vorel petr.vorel@suse.com changed:
What | Removed | Added
CC   |         | mchang@suse.com
Chenzi Cao chcao@suse.com changed:
What     | Removed                     | Added
Assignee | screening-team-bugs@suse.de | mchang@suse.com
https://bugzilla.suse.com/show_bug.cgi?id=1194332#c1
--- Comment #1 from Petr Vorel petr.vorel@suse.com --- As abergman noticed, it might come from yast2-security package:
https://github.com/yast/yast-security/blob/master/src/lib/y2security/lsm/app...
Petr Vorel petr.vorel@suse.com changed:
What | Removed | Added
CC   |         | yast2-maintainers@suse.de
Lukas Ocilka locilka@suse.com changed:
What | Removed | Added
CC   |         | kanderssen@suse.com
Knut Alejandro Anderssen González kanderssen@suse.com changed:
What  | Removed | Added
CC    |         | kernel-bugs@suse.de, security-team@suse.de
Flags |         | needinfo?(security-team@suse.de), needinfo?(kernel-bugs@suse.de)
lili zhao llzhao@suse.com changed:
What | Removed | Added
CC   |         | llzhao@suse.com
https://bugzilla.suse.com/show_bug.cgi?id=1194332#c3
Knut Alejandro Anderssen González kanderssen@suse.com changed:
What       | Removed | Added
Status     | NEW     | RESOLVED
Resolution | ---     | FIXED
--- Comment #3 from Knut Alejandro Anderssen González kanderssen@suse.com --- We have moved back to the previous behavior in the yast2-security module, using the security=module parameter instead of lsm, as using it to specify only the major module to be activated looks wrong, as we have seen in this bug report. We could also write integrity in case AppArmor is selected during installation, but from an implementation point of view that would be strange.
The fix should be available in yast2-security-4.4.5
See https://github.com/yast/yast-security/pull/118 for more details. SR: https://build.suse.de/request/show/261749
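A check for the condition described in the report and in comment #3, added here as an example; it is not code from the bug report, the kernel or yast2-security. It parses a kernel command line (or the GRUB_CMDLINE_LINUX_DEFAULT line of an /etc/default/grub file) and flags an lsm= list that omits integrity while ima_* parameters are present. The function names and the sample lines are constructed for this example. The script assumes what comment #3 relies on: when lsm= is absent and only security= is used, the kernel's built-in LSM order applies and integrity stays enabled; the script does not read that built-in order from the running kernel.

```sh
#!/bin/sh
# Added example, not from the bug report: detect the lsm=/IMA combination
# that produces "integrity_inode_get: lsm=integrity required" at boot.
#
# Return codes of check_cmdline:
#   0  command line is consistent (integrity listed, or no lsm= override)
#   1  lsm= is given without integrity while IMA parameters are present
#   2  no IMA parameters, nothing to check
check_cmdline() {
    cmdline=$1
    has_ima=0
    lsm_list=""
    for tok in $cmdline; do
        case $tok in
            ima_policy=*|ima_appraise=*|ima_hash=*|ima_template=*) has_ima=1 ;;
            lsm=*) lsm_list=${tok#lsm=} ;;
        esac
    done
    [ "$has_ima" -eq 1 ] || return 2
    # Assumption (see lead-in): no lsm= means the kernel's built-in order is
    # used, which keeps integrity; security=apparmor alone is therefore fine.
    [ -n "$lsm_list" ] || return 0
    # lsm= replaces the whole list, so integrity must be named explicitly.
    case ",$lsm_list," in
        *,integrity,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Extract the GRUB_CMDLINE_LINUX_DEFAULT value (last assignment wins) from a
# file in /etc/default/grub syntax.
grub_cmdline() {
    sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# Convenience wrapper: same return codes as check_cmdline, applied to a file.
check_grub_file() {
    check_cmdline "$(grub_cmdline "$1")"
}

# Constructed sample lines (not copied from the report): the broken variant,
# the reporter's proposed fix, and the security= form comment #3 went back to.
for line in 'splash=silent quiet lsm=apparmor ima_policy=tcb' \
            'splash=silent quiet lsm=integrity,apparmor ima_policy=tcb' \
            'splash=silent quiet security=apparmor ima_policy=tcb'; do
    rc=0
    check_cmdline "$line" || rc=$?
    case $rc in
        0) echo "OK     : $line" ;;
        1) echo "PANIC  : $line (integrity missing from lsm=)" ;;
        2) echo "NO IMA : $line" ;;
    esac
done
```

Run `check_grub_file /etc/default/grub` after editing the file and before `grub2-mkconfig`; a return code of 1 means the next boot with that line will hit the panic shown in the report.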
Petr Vorel petr.vorel@suse.com changed:
What     | Removed | Added
See Also |         | https://bugzilla.suse.com/show_bug.cgi?id=1196274
Petr Vorel petr.vorel@suse.com changed:
What     | Removed | Added
See Also |         | https://bugzilla.suse.com/show_bug.cgi?id=1189580
Johannes Segitz jsegitz@suse.com changed:
What  | Removed                           | Added
Flags | needinfo?(security-team@suse.de)  |