
when selinux is enforcing unsigned kernel modules can't be loaded #783

@jepio

Description


When selinux is set to enforcing, the interaction with lockdown LSM prevents unsigned kernel modules from being loaded. This is not a bug that we intend to fix at this time, this issue is for informative purposes and to discuss impact.

This came up when adding a test for falco to mantle: flatcar/mantle#339 (comment). Searching comes up with this link that explains this restriction has been removed upstream recently: https://bugzilla.redhat.com/show_bug.cgi?id=1947002. The upstream commit is part of 5.16 but is not going to be backported: torvalds/linux@f5d0e5e.

The audit output when module loading fails is:

[   35.062402] audit: type=1400 audit(1655302156.066:213): avc:  denied  { integrity } for  pid=2468 comm="insmod" lockdown_reason="unsigned module loading" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=lockdown permissive=0
[   35.064868] audit: type=1300 audit(1655302156.066:213): arch=c000003e syscall=175 success=no exit=-13 a0=7fe134cf8010 a1=c9b60 a2=55f83508f3f0 a3=0 items=0 ppid=1384 pid=2468 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="insmod" exe="/bin/kmod" subj=system_u:system_r:kernel_t:s0 key=(null)
[   35.067399] audit: type=1327 audit(1655302156.066:213): proctitle=696E736D6F64002F7661722F6C69622F646B6D732F66616C636F2F303735646130363961663335393935343132326564376238613966633938626337626366333131362F352E31352E34342D666C61746361722F7838365F36342F6D6F64756C652F66616C636F2E6B6F2E787A
[   35.137283] audit: type=1400 audit(1655302156.141:214): avc:  denied  { integrity } for  pid=2556 comm="insmod" lockdown_reason="unsigned module loading" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=lockdown permissive=0
[   35.139327] audit: type=1300 audit(1655302156.141:214): arch=c000003e syscall=175 success=no exit=-13 a0=7fd3a3e51010 a1=c9b60 a2=55bd6dec23f0 a3=0 items=0 ppid=1384 pid=2556 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="insmod" exe="/bin/kmod" subj=system_u:system_r:kernel_t:s0 key=(null)
[   35.141855] audit: type=1327 audit(1655302156.141:214): proctitle=696E736D6F64002F7661722F6C69622F646B6D732F66616C636F2F303735646130363961663335393935343132326564376238613966633938626337626366333131362F352E31352E34342D666C61746361722F7838365F36342F6D6F64756C652F66616C636F2E6B6F2E787A
[   35.209311] audit: type=1400 audit(1655302156.213:215): avc:  denied  { integrity } for  pid=2644 comm="insmod" lockdown_reason="unsigned module loading" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=lockdown permissive=0
[   35.211356] audit: type=1300 audit(1655302156.213:215): arch=c000003e syscall=175 success=no exit=-13 a0=7f1d7b637010 a1=c9b60 a2=561caaeb23f0 a3=0 items=0 ppid=1384 pid=2644 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="insmod" exe="/bin/kmod" subj=system_u:system_r:kernel_t:s0 key=(null)
[   35.213890] audit: type=1327 audit(1655302156.213:215): proctitle=696E736D6F64002F7661722F6C69622F646B6D732F66616C636F2F303735646130363961663335393935343132326564376238613966633938626337626366333131362F352E31352E34342D666C61746361722F7838365F36342F6D6F64756C652F66616C636F2E6B6F2E787A
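To turn records like these into something a log pipeline can act on, here is an added example (not from the issue or the Flatcar project) that correlates the three records of one audit event by serial, names the failed syscall and errno, and decodes the hex-encoded proctitle; the sample is the serial-213 event quoted above, with the type=1300 record trimmed to the fields used, and the x86_64 syscall table is an assumption of the example.

```python
import errno
import re
# Sample input, constructed from the serial-213 event quoted above (type=1300 trimmed).
SAMPLE_LOG = """\
[   35.062402] audit: type=1400 audit(1655302156.066:213): avc:  denied  { integrity } for  pid=2468 comm="insmod" lockdown_reason="unsigned module loading" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=lockdown permissive=0
[   35.064868] audit: type=1300 audit(1655302156.066:213): arch=c000003e syscall=175 success=no exit=-13 pid=2468 uid=0 comm="insmod" exe="/bin/kmod" subj=system_u:system_r:kernel_t:s0 key=(null)
[   35.067399] audit: type=1327 audit(1655302156.066:213): proctitle=696E736D6F64002F7661722F6C69622F646B6D732F66616C636F2F303735646130363961663335393935343132326564376238613966633938626337626366333131362F352E31352E34342D666C61746361722F7838365F36342F6D6F64756C652F66616C636F2E6B6F2E787A
"""
RECORD_RE = re.compile(r"audit: type=(\d+) audit\([\d.]+:(\d+)\): (.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Module-loading syscalls for arch=c000003e (x86_64): assumed table, not from the issue.
X86_64_SYSCALLS = {175: "init_module", 313: "finit_module"}


def parse_record(line):
    """Split one kernel audit line into (type, serial, {field: value})."""
    m = RECORD_RE.search(line)
    if not m:
        return None
    rtype, serial, body = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
    perm = re.search(r"\{ (\w+) \}", body)  # the denied permission, e.g. { integrity }
    if perm:
        fields["perm"] = perm.group(1)
    return rtype, serial, fields


def decode_proctitle(raw):
    # auditd hex-encodes proctitle when it contains NULs (the argv separators).
    try:
        return bytes.fromhex(raw).decode("utf-8", "replace").replace("\x00", " ")
    except ValueError:
        return raw.strip('"')


def lockdown_denials(log_text):
    """Correlate records by serial; keep only events that carry a lockdown AVC denial."""
    events = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        rtype, serial, f = rec
        ev = events.setdefault(serial, {})
        if rtype == "1400" and f.get("tclass") == "lockdown":
            ev.update(reason=f.get("lockdown_reason"), perm=f.get("perm"),
                      scontext=f.get("scontext"), enforcing=f.get("permissive") == "0")
        elif rtype == "1300":  # syscall record: which call failed and how
            ev["syscall"] = X86_64_SYSCALLS.get(int(f["syscall"]), f["syscall"])
            ev["errno"] = errno.errorcode.get(-int(f["exit"]), f["exit"])
        elif rtype == "1327":  # proctitle record: the module file being loaded
            ev["proctitle"] = decode_proctitle(f["proctitle"])
    return {s: e for s, e in events.items() if "reason" in e}
```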

Impact

User-built modules can't be loaded (at all? or requires custom policy?) when selinux is enforcing.

Environment and steps to reproduce

Enable selinux enforcing and then run:

docker run --rm --privileged -v /root/.falco:/root/.falco -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro falcosecurity/falco-driver-loader:master

Labels: area/selinux (Issues related to SELinux), kind/bug (Something isn't working)

Status: Backlog