
when selinux is enforcing unsigned kernel modules can't be loaded #783

Open
jepio opened this issue Jun 22, 2022 · 0 comments
Labels
area/selinux Issues related to SELinux kind/bug Something isn't working

Comments

jepio (Member) commented Jun 22, 2022

Description

When selinux is set to enforcing, the interaction with the lockdown LSM prevents unsigned kernel modules from being loaded. This is not a bug that we intend to fix at this time; this issue is for informative purposes and to discuss impact.

This came up when adding a test for falco to mantle: flatcar/mantle#339 (comment). Searching comes up with this link that explains this restriction has been removed upstream recently: https://bugzilla.redhat.com/show_bug.cgi?id=1947002. The upstream commit is part of 5.16 but is not going to be backported: torvalds/linux@f5d0e5e.

The audit output when module loading fails is:

```text
[   35.062402] audit: type=1400 audit(1655302156.066:213): avc:  denied  { integrity } for  pid=2468 comm="insmod" lockdown_reason="unsigned module loading" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=lockdown permissive=0
[   35.064868] audit: type=1300 audit(1655302156.066:213): arch=c000003e syscall=175 success=no exit=-13 a0=7fe134cf8010 a1=c9b60 a2=55f83508f3f0 a3=0 items=0 ppid=1384 pid=2468 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="insmod" exe="/bin/kmod" subj=system_u:system_r:kernel_t:s0 key=(null)
[   35.067399] audit: type=1327 audit(1655302156.066:213): proctitle=696E736D6F64002F7661722F6C69622F646B6D732F66616C636F2F303735646130363961663335393935343132326564376238613966633938626337626366333131362F352E31352E34342D666C61746361722F7838365F36342F6D6F64756C652F66616C636F2E6B6F2E787A
[   35.137283] audit: type=1400 audit(1655302156.141:214): avc:  denied  { integrity } for  pid=2556 comm="insmod" lockdown_reason="unsigned module loading" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=lockdown permissive=0
[   35.139327] audit: type=1300 audit(1655302156.141:214): arch=c000003e syscall=175 success=no exit=-13 a0=7fd3a3e51010 a1=c9b60 a2=55bd6dec23f0 a3=0 items=0 ppid=1384 pid=2556 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="insmod" exe="/bin/kmod" subj=system_u:system_r:kernel_t:s0 key=(null)
[   35.141855] audit: type=1327 audit(1655302156.141:214): proctitle=696E736D6F64002F7661722F6C69622F646B6D732F66616C636F2F303735646130363961663335393935343132326564376238613966633938626337626366333131362F352E31352E34342D666C61746361722F7838365F36342F6D6F64756C652F66616C636F2E6B6F2E787A
[   35.209311] audit: type=1400 audit(1655302156.213:215): avc:  denied  { integrity } for  pid=2644 comm="insmod" lockdown_reason="unsigned module loading" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=lockdown permissive=0
[   35.211356] audit: type=1300 audit(1655302156.213:215): arch=c000003e syscall=175 success=no exit=-13 a0=7f1d7b637010 a1=c9b60 a2=561caaeb23f0 a3=0 items=0 ppid=1384 pid=2644 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="insmod" exe="/bin/kmod" subj=system_u:system_r:kernel_t:s0 key=(null)
[   35.213890] audit: type=1327 audit(1655302156.213:215): proctitle=696E736D6F64002F7661722F6C69622F646B6D732F66616C636F2F303735646130363961663335393935343132326564376238613966633938626337626366333131362F352E31352E34342D666C61746361722F7838365F36342F6D6F64756C652F66616C636F2E6B6F2E787A
```

Impact

User-built modules can't be loaded (at all? or requires custom policy?) when selinux is enforcing.

Environment and steps to reproduce

Enable selinux enforcing and then run:

```shell
docker run --rm --privileged -v /root/.falco:/root/.falco -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro falcosecurity/falco-driver-loader:master
```
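As an added example (not part of the issue or of Flatcar's code), a small parser for the audit output above: it groups the three records of each event by serial number, keeps only AVC denials on the `lockdown` class, and decodes the hex `proctitle` so the module path that `insmod` was given becomes readable. The serial-214 file denial in the sample is constructed to show that ordinary AVC denials are filtered out.

```python
import re
from collections import defaultdict

# Constructed sample: the serial-213 records quoted in the issue above, plus one ordinary
# file denial (serial 214, constructed) to show that only lockdown-class denials are reported.
SAMPLE_AUDIT = """\
[   35.062402] audit: type=1400 audit(1655302156.066:213): avc:  denied  { integrity } for  pid=2468 comm="insmod" lockdown_reason="unsigned module loading" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=lockdown permissive=0
[   35.064868] audit: type=1300 audit(1655302156.066:213): arch=c000003e syscall=175 success=no exit=-13 a0=7fe134cf8010 a1=c9b60 a2=55f83508f3f0 a3=0 items=0 ppid=1384 pid=2468 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="insmod" exe="/bin/kmod" subj=system_u:system_r:kernel_t:s0 key=(null)
[   35.067399] audit: type=1327 audit(1655302156.066:213): proctitle=696E736D6F64002F7661722F6C69622F646B6D732F66616C636F2F303735646130363961663335393935343132326564376238613966633938626337626366333131362F352E31352E34342D666C61746361722F7838365F36342F6D6F64756C652F66616C636F2E6B6F2E787A
[   35.200000] audit: type=1400 audit(1655302156.200:214): avc:  denied  { read } for  pid=2700 comm="cat" name="shadow" scontext=system_u:system_r:container_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
"""

REC_RE = re.compile(r"type=(\d+) audit\(([\d.]+):(\d+)\): (.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_records(text):
    """Group audit records by serial number; each event maps record type -> field dict."""
    events = defaultdict(dict)
    for line in text.splitlines():
        if not (m := REC_RE.search(line)):
            continue
        rtype, _ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in KV_RE.findall(body)}
        perms = re.search(r"\{\s*(.*?)\s*\}", body)  # AVC permission set, e.g. { integrity }
        fields["_perms"] = perms.group(1).split() if perms else []
        events[int(serial)][int(rtype)] = fields
    return events

def decode_proctitle(value):
    """type=1327 proctitle is hex when argv contains NUL separators, plain text otherwise."""
    try:
        raw = bytes.fromhex(value)
    except ValueError:
        return [value]
    return [arg.decode("utf-8", "replace") for arg in raw.split(b"\0") if arg]

def lockdown_denials(text):
    """One finding per event in which SELinux denied a permission on the lockdown class."""
    findings = []
    for serial, recs in sorted(parse_records(text).items()):
        avc = recs.get(1400, {})
        if avc.get("tclass") != "lockdown":
            continue
        sc = recs.get(1300, {})  # SYSCALL record: which binary, which syscall, what errno
        findings.append({"serial": serial, "perms": avc["_perms"],
                         "reason": avc.get("lockdown_reason"), "comm": avc.get("comm"),
                         "exe": sc.get("exe"), "syscall": sc.get("syscall"), "exit": sc.get("exit"),
                         "argv": decode_proctitle(recs.get(1327, {}).get("proctitle", ""))})
    return findings
```

Calling `lockdown_denials(SAMPLE_AUDIT)` yields a single finding whose `argv` is `insmod` followed by the falco.ko.xz path under /var/lib/dkms, with `exit` of -13 (EACCES) from syscall 175 (init_module); feeding it `journalctl -k` output on a node lets you separate lockdown denials from ordinary policy denials.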
