** Description changed: + SRU Justification: + + [Impact] + + * When auditd is installed and audit rules are used the console can be + flooded with the error message. + + error in audit_log_object_context + + [Fix] + + * The fix is backported from + + 5ba569134855 https://github.com/cschaufler/lsm-stacking. + + This is the development upstream for the out of tree LSM stacking patch + series. + + + * The fix is also carried the Oracular 6.14 kernel in its version of the patch + + commit 28b69ac0e2fc ("UBUNTU: SAUCE: apparmor4.0.0 [25/99]: Audit: Add + record for multiple object contexts") + + + Specifically the fix changes the test for failure on the result from security_secid_to_secctx(), which on success returns a size and on failure + returns an error. + + [Test Plan] + + * Install audit + * ensure AppArmor is enabled by running aa-enabled + * Add the audit rule + auditctl -a always,exit -S execve -k all_execs + * run applications, or shell commands + + If the fix is not applied each application or command run with result in + a message to the console. If the console is not displaying the error + message + + error in audit_log_object_context + + the fix is working. + + [Where problems could occur] + + * The regression can be considered as low, since: the fix is already + integrated into in the plucky 6.14, and questing 6.16/6.17 kernels + without reported issues. + + + [Other Info] + + * If audit is configured to panic on error via + auditctl -f 2 + + this bug can cause the kernel to panic + + + [Original Bug Text] + The log `error in audit_log_object_context` is keep printing in the kernel log and console when the system startup. 
[ 13.504243] audit_panic: 282 callbacks suppressed [ 13.504248] audit: error in audit_log_object_context [ 19.988510] audit: error in audit_log_object_context [ 20.104622] audit: error in audit_log_object_context [ 20.114842] audit: error in audit_log_object_context [ 20.468369] audit: error in audit_log_object_context [ 20.505565] audit: error in audit_log_object_context [ 20.629690] audit: error in audit_log_object_context [ 21.233722] audit: error in audit_log_object_context [ 21.280265] audit: error in audit_log_object_context [ 80.081721] audit: error in audit_log_object_context [ 88.384101] audit: error in audit_log_object_context [ 88.445175] audit: error in audit_log_object_context [ 88.460142] audit: error in audit_log_object_context [ 88.715815] audit: error in audit_log_object_context [ 88.732466] audit: error in audit_log_object_context [ 88.851304] Reproduce the issue: 1. Install auditd, enable AppArmor or SELinux. 2. Add audit rules like: - auditctl -a always,exit -S execve -k all_execs + auditctl -a always,exit -S execve -k all_execs Suggested patch: diff --git a/kernel/audit.c b/kernel/audit.c index 3dd2e9930550f..b1764ae17ad76 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -2315,7 +2315,7 @@ void audit_log_object_context(struct audit_buffer *ab, struct lsmblob *blob) if (lsm_blob_cnt < 2) { error = security_lsmblob_to_secctx(blob, &context, LSM_ID_UNDEF); - if (error) { + if (error < 0) { if (error != -EINVAL) goto error_path; return; @@ -2334,7 +2334,7 @@ void audit_log_object_context(struct audit_buffer *ab, struct lsmblob *blob) continue; error = security_lsmblob_to_secctx(blob, &context, lsm_idlist[i]->id); - if (error) { + if (error < 0) { audit_log_format(ab, "%sobj_%s=?", space ? " " : "", lsm_idlist[i]->name); if (error != -EINVAL) Similar fix already in 6.14.x-HWE kernel, please help to add it to 6.8.0. thanks.
https://bugs.launchpad.net/bugs/2123815

Title:
  Ubuntu 24.04.2: error in audit_log_object_context keep printing in the kernel and console

Status in linux package in Ubuntu:
  New
Status in linux source package in Jammy:
  New
Status in linux source package in Noble:
  New

Bug description:
  SRU Justification:

  [Impact]

   * When auditd is installed and audit rules are used, the console can be
     flooded with the error message

       error in audit_log_object_context

  [Fix]

   * The fix is backported from

       5ba569134855 https://github.com/cschaufler/lsm-stacking.

     This is the development upstream for the out-of-tree LSM stacking patch
     series.

   * The fix is also carried in the Oracular 6.14 kernel in its version of the patch

       commit 28b69ac0e2fc ("UBUNTU: SAUCE: apparmor4.0.0 [25/99]: Audit: Add
       record for multiple object contexts")

  Specifically, the fix changes the test for failure on the result from
  security_secid_to_secctx(), which on success returns a size and on failure
  returns an error.

  [Test Plan]

   * Install audit
   * Ensure AppArmor is enabled by running aa-enabled
   * Add the audit rule
       auditctl -a always,exit -S execve -k all_execs
   * Run applications or shell commands

  If the fix is not applied, each application or command run will result in
  a message to the console. If the console is not displaying the error
  message

    error in audit_log_object_context

  the fix is working.

  [Where problems could occur]

   * The regression can be considered as low, since the fix is already
     integrated into the plucky 6.14 and questing 6.16/6.17 kernels
     without reported issues.

  [Other Info]

   * If audit is configured to panic on error via
       auditctl -f 2

     this bug can cause the kernel to panic.

  [Original Bug Text]
  The log `error in audit_log_object_context` keeps printing in the kernel log and console when the system starts up.
[ 13.504243] audit_panic: 282 callbacks suppressed [ 13.504248] audit: error in audit_log_object_context [ 19.988510] audit: error in audit_log_object_context [ 20.104622] audit: error in audit_log_object_context [ 20.114842] audit: error in audit_log_object_context [ 20.468369] audit: error in audit_log_object_context [ 20.505565] audit: error in audit_log_object_context [ 20.629690] audit: error in audit_log_object_context [ 21.233722] audit: error in audit_log_object_context [ 21.280265] audit: error in audit_log_object_context [ 80.081721] audit: error in audit_log_object_context [ 88.384101] audit: error in audit_log_object_context [ 88.445175] audit: error in audit_log_object_context [ 88.460142] audit: error in audit_log_object_context [ 88.715815] audit: error in audit_log_object_context [ 88.732466] audit: error in audit_log_object_context [ 88.851304] Reproduce the issue: 1. Install auditd, enable AppArmor or SELinux. 2. Add audit rules like: auditctl -a always,exit -S execve -k all_execs Suggested patch: diff --git a/kernel/audit.c b/kernel/audit.c index 3dd2e9930550f..b1764ae17ad76 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -2315,7 +2315,7 @@ void audit_log_object_context(struct audit_buffer *ab, struct lsmblob *blob) if (lsm_blob_cnt < 2) { error = security_lsmblob_to_secctx(blob, &context, LSM_ID_UNDEF); - if (error) { + if (error < 0) { if (error != -EINVAL) goto error_path; return; 
@@ -2334,7 +2334,7 @@ void audit_log_object_context(struct audit_buffer *ab, struct lsmblob *blob) continue; error = security_lsmblob_to_secctx(blob, &context, lsm_idlist[i]->id); - if (error) { + if (error < 0) { audit_log_format(ab, "%sobj_%s=?", space ? " " : "", lsm_idlist[i]->name); if (error != -EINVAL) Similar fix already in 6.14.x-HWE kernel, please help to add it to 6.8.0. thanks.
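Review bot: In the first hunk (the `lsm_blob_cnt < 2` branch) the variable is still called `error` although it now holds a size on success, which invites the next `if (error)` and the same bug again; rename it (for example `len` or `ret`) or add a one-line comment at the call stating that security_lsmblob_to_secctx() returns a size on success and a negative errno on failure. The SRU text describes the return convention of security_secid_to_secctx(), while the call changed here is security_lsmblob_to_secctx(), so the commit message should name the function the hunk actually touches. The `-EINVAL` case returns without writing anything to the record and deserves a short comment saying why that is not treated as an error.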
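Review bot: In the second hunk (the per-LSM loop) the old `if (error)` sent every successful conversion into the block that logs `obj_%s=?`, so the records lost the object context in addition to producing the console message, and the test plan does not cover that. It only checks that `error in audit_log_object_context` stops appearing; it should also confirm that the records written by the `all_execs` rule now carry a real object context instead of `?`, and include a run with `auditctl -f 2`, since the description states that the old test can panic the kernel in that mode. The sign test is now duplicated at both call sites, so a comment on the return convention at each one (or a shared helper) would keep them from drifting apart.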

