Bug 1194332

Summary: kernel lsm boot parameter needs lsm=integrity to use IMA
Product: [openSUSE] openSUSE Tumbleweed
Reporter: Petr Vorel <petr.vorel>
Component: Bootloader
Assignee: Michael Chang <mchang>
Status: RESOLVED FIXED
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P5 - None
CC: kanderssen, kernel-bugs, llzhao, mchang, security-team, yast2-maintainers
Version: Current
Flags: kanderssen: needinfo? (kernel-bugs)
Target Milestone: ---
Hardware: Other
OS: Other
See Also: https://bugzilla.suse.com/show_bug.cgi?id=1196274
          https://bugzilla.suse.com/show_bug.cgi?id=1189580
          http://bugzilla.opensuse.org/show_bug.cgi?id=1197746
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Petr Vorel 2022-01-05 09:32:24 UTC
Build 20211229 added 'lsm=apparmor' as a kernel parameter into GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub.

Please change it to 'lsm=integrity,apparmor' to allow using IMA (e.g. 'ima_policy=tcb' kernel parameter). That avoids kernel oops breaking boot [1]:

[    1.210321][    T1] Kernel panic - not syncing: integrity_inode_get: lsm=integrity required.
[    1.212119][    T1] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.15.12-1-default #1 openSUSE Tumbleweed dacaf19d133e8023737b25567dc90a32d973f26e
[    1.215246][    T1] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a-rebuilt.opensuse.org 04/01/2014
[    1.218496][    T1] Call Trace:
[    1.219715][    T1]  <TASK>
[    1.220844][    T1]  dump_stack_lvl+0x46/0x5a
[    1.222144][    T1]  panic+0xf3/0x2cb
[    1.223326][    T1]  integrity_inode_get.cold+0x13/0x13
[    1.224710][    T1]  process_measurement+0x86e/0x960
[    1.226069][    T1]  ? aa_file_perm+0x112/0x480
[    1.227359][    T1]  ? select_task_rq_fair+0x15a/0x1350
[    1.228744][    T1]  ? __kernel_read+0x14a/0x2d0
[    1.230068][    T1]  ? profile_signal_perm.part.0+0x91/0xb0
[    1.231516][    T1]  ima_bprm_check+0x55/0xb0
[    1.232810][    T1]  bprm_execve+0x22a/0x660
[    1.234104][    T1]  ? rest_init+0xc0/0xc0
[    1.235372][    T1]  kernel_execve+0x12e/0x1b0
[    1.236689][    T1]  kernel_init+0x76/0x120
[    1.237982][    T1]  ret_from_fork+0x22/0x30
[    1.239278][    T1]  </TASK>
[    1.240462][    T1] Kernel Offset: 0x7600000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[    1.243605][    T1] Rebooting in 90 seconds..

[1] https://openqa.opensuse.org/tests/2122167#step/boot_ltp/13
Comment 1 Petr Vorel 2022-01-06 10:10:23 UTC
As abergman noticed, it might come from yast2-security package:

https://github.com/yast/yast-security/blob/master/src/lib/y2security/lsm/app_armor.rb#L43
Comment 3 Knut Alejandro Anderssen González 2022-01-10 10:33:46 UTC
We have moved back to the previous behavior in the yast2-security module, using the security=module parameter instead of lsm, as using it to specify only the major module to be activated looks wrong, as we have seen in this bug report. We could also write integrity in case AppArmor is selected during installation, but from an implementation point of view that would be strange.

The fix should be available in yast2-security-4.4.5

See https://github.com/yast/yast-security/pull/118 for more details.
SR: https://build.suse.de/request/show/261749
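An added check (example code, not part of this bug report, of the kernel, or of yast2-security) that encodes the constraint behind the panic in the description and the lsm= versus security= distinction in comment 3: an explicit lsm= list replaces the built-in CONFIG_LSM order, so any LSM not named in it is disabled and IMA (switched on here by ima_policy=) needs "integrity" in that list, whereas security= only picks the major module and leaves the built-in order, integrity included, in place. The command-line strings below are constructed; the same functions can be fed the contents of /proc/cmdline or the GRUB_CMDLINE_LINUX_DEFAULT value from /etc/default/grub.

```shell
#!/bin/sh
# Added example, not from the bug report: audit a kernel command line for the
# "lsm=integrity required" panic and rewrite an lsm= list that omits integrity.
# Assumed kernel semantics: lsm=<list> is the complete, ordered set of enabled
# LSMs; security=<module> selects only the major module. ima_policy= is taken
# as the sign that IMA will actually measure files at boot.

# Print the value of the last KEY=value token among the arguments (last one wins).
cmdline_value() {
    key="$1"; shift
    val=""
    for tok in "$@"; do
        case "$tok" in
            "$key"=*) val="${tok#"$key"=}" ;;
        esac
    done
    printf '%s' "$val"
}

# Exit status: 0 = IMA works (or lsm= not used), 1 = kernel would panic at boot
# (IMA enabled, integrity missing from lsm=), 2 = lsm= omits integrity but IMA
# is not enabled, so the problem surfaces only once ima_policy= is added.
check_ima_cmdline() {
    # shellcheck disable=SC2086
    set -- $1
    lsm=$(cmdline_value lsm "$@")
    ima=$(cmdline_value ima_policy "$@")
    [ -z "$lsm" ] && return 0          # built-in order applies; integrity stays enabled
    case ",$lsm," in
        *,integrity,*) return 0 ;;
    esac
    [ -n "$ima" ] && return 1
    return 2
}

# Print the command line with integrity prepended to every lsm= list that lacks it
# ("lsm=apparmor" becomes "lsm=integrity,apparmor", as the report asks for).
fix_lsm_list() {
    # shellcheck disable=SC2086
    set -- $1
    out=""
    for tok in "$@"; do
        case "$tok" in
            lsm=*)
                list="${tok#lsm=}"
                case ",$list," in
                    *,integrity,*) ;;
                    ,,) tok="lsm=integrity" ;;
                    *) tok="lsm=integrity,$list" ;;
                esac ;;
        esac
        out="$out${out:+ }$tok"
    done
    printf '%s' "$out"
}

# Constructed sample command lines (not taken from any real system).
for c in "root=/dev/vda2 security=apparmor ima_policy=tcb" \
         "root=/dev/vda2 lsm=apparmor" \
         "root=/dev/vda2 lsm=apparmor ima_policy=tcb" \
         "root=/dev/vda2 lsm=integrity,apparmor ima_policy=tcb"; do
    rc=0; check_ima_cmdline "$c" || rc=$?
    case $rc in
        0) msg="ok" ;;
        1) msg="FAIL: IMA enabled but integrity missing from lsm= (panics at boot); fix: $(fix_lsm_list "$c")" ;;
        2) msg="warn: lsm= omits integrity; enabling IMA later will panic" ;;
    esac
    printf '%-58s %s\n' "$c" "$msg"
done
```

Run it as a preflight before rebooting into a new bootloader configuration; the check reads only the command-line string, so it works on the value staged in /etc/default/grub as well as on the running kernel's /proc/cmdline.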
Comment 6 Petr Vorel 2022-01-12 09:25:18 UTC
FYI boot fixed for x86_64 [1]. Other archs have not been tested yet, but they should work as well.

[1] https://openqa.opensuse.org/tests/2131290