[Dev] [Tizen 4.0/Security] How to resolve SMACK audit problems.

Rafał Krypa r.krypa at samsung.com
Wed Jan 3 15:15:13 UTC 2018


On 2017-12-31 06:44, Hee-cheol Yang wrote:
>
> Hello.
>
> Some of you may remember I am trying to run Tizen 4.0 on my single board computer, but I still couldn’t display anything on my LCD.
>
> However, it now seems that I have found what I have to do, as follows:
>
>  1. Install my SOC’s GPU driver (SGX driver) and libdrm to test it.
>  2. Replace the original TBM/TDM backends (for exynos) with libtdm-dumb and libtbm-drm to use SGX driver.
>  3. Use dlogutil TBM/DBM to resolve the next problems…
>
> I started the porting sequence from this image <http://download.tizen.org/releases/daily/tizen/unified/tizen-unified_20171228.4/images/standard/mobile-wayland-armv7l-tm2/> that I downloaded from ‘release.tizen.org’ (Tizen 4.0 image for mobile-wayland-armv7l-tm2). I created the image via MIC and flashed it with the ‘dd’ command.
>
> However, when I tested this image with my SMACK-enabled kernel (version 4.4), there were a lot of SMACK audit messages like those below.
>
> Also, because the TI-provided GPU driver installer should be run on my board (not host), I need to find the way to change smack policy on my board.
>
> In summary, could you give some advice once again on these questions:
>
>  1. The way to change SMACK policies for files that I have to install on my board such as device drivers.
>

Hello,

You can adjust Smack labels of your files using "chsmack" command line tool, like:

     chsmack -a SOME_SMACK_LABEL /path/to/your/file

For device nodes that are created automatically by udev Smack labels are configured in the udev rules. Check this:

     grep smack /usr/lib/udev/rules.d/*


>  2. The reason why the original Tizen-provided programs such as “key-manager” or “contextd” violate SMACK policy, and how to resolve it.
>

They don't. From the log file you provided it seems that key-manager is dying from signal 11 (SIGSEGV) and contextd is dying from signal 6 (SIGABRT). This has nothing to do with Smack policy; audit is simply letting you know that the program crashed. It includes information about the crashed process, including its Smack label.
In the log file below there are no audit messages informing about Smack rule violations.


Best regards,
Rafal Krypa

> Thank you very much in advance and happy new year!
>
> Best Regards.
>
> Heecheol Yang
>
> P.S.: The following is part of my boot log. It would be very much appreciated if someone could check it.
>
> Thanks a lot!
>
> 'systemctl status display-manager.service' for details.
>
> [  OK  ] Started Smart Traffic Control Iptables.
>
> [  OK  ] Started Cynara service.
>
> [  OK  ] Started Start cynara agent that pro...ctions for license verification.
>
> [  OK  ] Started D-Bus System Message Bus.
>
> [  OK  ] Started Alarm server.
>
> [  OK  ] Started Accounts service.
>
> [  OK  ] Started Sensor Daemon.
>
> [  OK  ] Started System storage daemon.
>
> localhost login: [ 19.693524] resize2fs[384]: resize2fs 1.43.4 (31-Jan-2017)
>
> [   19.760305] resize2fs[384]: The filesystem is already 932864 (4k) blocks long.  Nothing to do!
>
> [   19.954640] cgroup: cgroup: disabling cgroup2 socket matching due to net_prio or net_cls activation
>
> [   20.458290] ln[396]: /bin/ln: creating symbolic link `/etc/systemd/system/resize2fs at dev-disk-by\\x2dlabel-rootfs.service': Read-only file system
>
> [   26.130936] audit: type=1701 audit(1469476208.920:3): auid=4294967295 uid=444 gid=402 ses=4294967295 subj=System pid=437 comm="key-manager" exe="/usr/bin/key-manager" sig=11 res=1
>
> [   26.232382] net eth0: initializing cpsw version 1.12 (0)
>
> [   26.240908] cpsw 4a100000.ethernet: initialized cpsw ale version 1.4
>
> [   26.250283] cpsw 4a100000.ethernet: ALE Table size 1024
>
> [   26.671079] SMSC LAN8710/LAN8720 4a101000.mdio:00: attached PHY driver [SMSC LAN8710/LAN8720] (mii_bus:phy_addr=4a101000.mdio:00, irq=POLL)
>
> [   26.821931] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
>
> [   29.283022] audit: type=1701 audit(1469476212.072:4): auid=4294967295 uid=444 gid=402 ses=4294967295 subj=System pid=491 comm="key-manager" exe="/usr/bin/key-manager" sig=11 res=1
>
> localhost login: [ 29.533355] audit: type=1006 audit(1469476212.160:5): pid=505 uid=0 subj=User old-auid=4294967295 auid=5001 tty=(none) old-ses=4294967295 ses=1 res=1
>
> [   29.860051] cpsw 4a100000.ethernet eth0: Link is Up - 100Mbps/Full - flow control rx/tx
>
> [   29.985203] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
>
> [   31.127517] audit: type=1701 audit(1469476213.916:6): auid=4294967295 uid=651 gid=651 ses=4294967295 subj=System pid=413 comm="contextd" exe="/usr/bin/contextd" sig=6 res=1
>
> localhost login:
>
> localhost login: [ 32.900047] audit: type=1701 audit(1469476215.688:7): auid=4294967295 uid=444 gid=402 ses=4294967295 subj=System pid=518 comm="key-manager" exe="/usr/bin/key-manager" sig=11 res=1
>
> root
>
> Password: [   34.939955] audit: type=1701 audit(1469476217.728:8): auid=4294967295 uid=651 gid=651 ses=4294967295 subj=System pid=537 comm="contextd" exe="/usr/bin/contextd" sig=6 res=1
>
> [   35.185897] audit: type=1006 audit(1469476217.868:9): pid=240 uid=0 subj=System old-auid=4294967295 auid=0 tty=ttyS0 old-ses=4294967295 ses=2 res=1
>
> Welcome to Tizen
>
> [   36.046204] audit: type=1701 audit(1469476218.836:10): auid=4294967295 uid=444 gid=402 ses=4294967295 subj=System pid=563 comm="key-manager" exe="/usr/bin/key-manager" sig=11 res=1
>
> root at localhost:~# [ 37.564845] audit: type=1701 audit(1469476220.352:11): auid=4294967295 uid=651 gid=651 ses=4294967295 subj=System pid=599 comm="contextd" exe="/usr/bin/contextd" sig=6 res=1
>
> [   38.150316] audit: type=1701 audit(1469476220.940:12): auid=4294967295 uid=444 gid=402 ses=4294967295 subj=System pid=622 comm="key-manager" exe="/usr/bin/key-manager" sig=11 res=1
>
> [   39.877237] audit: type=1701 audit(1469476222.664:13): auid=4294967295 uid=651 gid=651 ses=4294967295 subj=System pid=650 comm="contextd" exe="/usr/bin/contextd" sig=6 res=1
>
> [   40.462909] audit: type=1701 audit(1469476223.252:14): auid=4294967295 uid=444 gid=402 ses=4294967295 subj=System pid=661 comm="key-manager" exe="/usr/bin/key-manager" sig=11 res=1
>
> [   41.960612] audit: type=1701 audit(1469476224.748:15): auid=4294967295 uid=651 gid=651 ses=4294967295 subj=System pid=698 comm="contextd" exe="/usr/bin/contextd" sig=6 res=1
>
> [   42.261807] audit: type=1701 audit(1469476225.048:16): auid=4294967295 uid=444 gid=402 ses=4294967295 subj=System pid=710 comm="key-manager" exe="/usr/bin/key-manager" sig=11 res=1
>
> [   43.507807] audit: type=1701 audit(1469476226.296:17): auid=4294967295 uid=651 gid=651 ses=4294967295 subj=System pid=741 comm="contextd" exe="/usr/bin/contextd" sig=6 res=1
>
> [   43.753304] audit: type=1701 audit(1469476226.540:18): auid=4294967295 uid=444 gid=402 ses=4294967295 subj=System pid=748 comm="key-manager" exe="/usr/bin/key-manager" sig=11 res=1
>
> [   44.562007] audit: type=1701 audit(1469476227.352:19): auid=4294967295 uid=651 gid=651 ses=4294967295 subj=System pid=772 comm="contextd" exe="/usr/bin/contextd" sig=6 res=1
>
> [   44.707718] audit: type=1701 audit(1469476227.496:20): auid=4294967295 uid=444 gid=402 ses=4294967295 subj=System pid=775 comm="key-manager" exe="/usr/bin/key-manager" sig=11 res=1
>
> [   45.523248] audit: type=1701 audit(1469476228.312:21): auid=4294967295 uid=444 gid=402 ses=4294967295 subj=System pid=790 comm="key-manager" exe="/usr/bin/key-manager" sig=11 res=1
>
> [   45.679296] audit: type=1701 audit(1469476228.344:22): auid=4294967295 uid=651 gid=651 ses=4294967295 subj=System pid=792 comm="contextd" exe="/usr/bin/contextd" sig=6 res=1
>
> [   46.426657] audit: type=1701 audit(1469476229.216:23): auid=4294967295 uid=651 gid=651 ses=4294967295 subj=System pid=810 comm="contextd" exe="/usr/bin/contextd" sig=6 res=1
>
> [   46.558867] audit: type=1701 audit(1469476229.260:24): auid=4294967295 uid=444 gid=402 ses=4294967295 subj=System pid=811 comm="key-manager" exe="/usr/bin/key-manager" sig=11 res=1
>
> [   47.298035] audit: type=1701 audit(1469476230.088:25): auid=4294967295 uid=444 gid=402 ses=4294967295 subj=System pid=827 comm="key-manager" exe="/usr/bin/key-manager" sig=11 res=1
>
> [   47.416991] audit: type=1701 audit(1469476230.136:26): auid=4294967295 uid=651 gid=651 ses=4294967295 subj=System pid=828 comm="contextd" exe="/usr/bin/contextd" sig=6 res=1
>
> [   51.875141] kauditd_printk_skb: 1 callbacks suppressed
>
> [   51.875149] audit: type=1006 audit(1469476234.664:28): pid=457 uid=0 subj=System old-auid=4294967295 auid=5001 tty=(none) old-ses=4294967295 ses=3 res=1
>


-- 



Rafał Krypa
Samsung R&D institute Poland
Samsung Electronics
Office +48 22 377 8135
r.krypa at samsung.com <mailto:r.krypa at samsung.com>
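
The distinction drawn in the reply above (audit type=1701 records report a process killed by a signal, not a Smack rule violation) can be checked mechanically. The script below is an added example, not part of the original thread or of Tizen; the function names are hypothetical, and the "lsm=SMACK ... action=denied" line format and the final sample line are assumptions constructed for contrast.

```shell
#!/bin/sh
# Added example: separate crash records from Smack denials in kernel audit text.
# type=1701 (AUDIT_ANOM_ABEND) means a process ended abnormally on a signal.
# A Smack denial carries "lsm=SMACK ... action=denied" (assumed format).

triage_audit() {
    # stdin: dmesg/console log. stdout: one sorted line per distinct finding.
    awk '
    function field(key,    v) {   # value of key=value on this line, quotes stripped
        if (!match($0, "(^|[ ])" key "=[^ ]+")) return ""
        v = substr($0, RSTART, RLENGTH)
        sub("^[ ]?" key "=", "", v)
        gsub(/"/, "", v)
        return v
    }
    /audit: type=1701 / {
        crash[field("comm") " sig=" field("sig") " subj=" field("subj")]++
        next
    }
    /lsm=SMACK/ && /action=denied/ {
        deny[field("subject") " -> " field("object") " (" field("requested") ") comm=" field("comm")]++
        nd++
    }
    END {
        for (k in crash) printf "CRASH  x%d  %s\n", crash[k], k
        for (k in deny)  printf "SMACK  x%d  %s\n", deny[k], k
        if (nd == 0) print "no Smack denials found"
    }' | sort
}

sample_log() {
    # The first three lines are copied from the boot log in this thread;
    # the last line is a CONSTRUCTED Smack denial, included only for contrast.
    cat <<'EOF'
[   26.130936] audit: type=1701 audit(1469476208.920:3): auid=4294967295 uid=444 gid=402 ses=4294967295 subj=System pid=437 comm="key-manager" exe="/usr/bin/key-manager" sig=11 res=1
[   29.283022] audit: type=1701 audit(1469476212.072:4): auid=4294967295 uid=444 gid=402 ses=4294967295 subj=System pid=491 comm="key-manager" exe="/usr/bin/key-manager" sig=11 res=1
[   31.127517] audit: type=1701 audit(1469476213.916:6): auid=4294967295 uid=651 gid=651 ses=4294967295 subj=System pid=413 comm="contextd" exe="/usr/bin/contextd" sig=6 res=1
[   50.000000] audit: type=1400 audit(1469476233.000:27): lsm=SMACK fn=smack_inode_permission action=denied subject="User" object="System" requested=w pid=900 comm="installer" name="example" dev="mmcblk0p2" ino=1234
EOF
}

sample_log | triage_audit
```

On the board, pipe the real log in instead of the sample: dmesg | triage_audit. Only the SMACK lines call for a label or rule change; the CRASH lines need ordinary crash debugging of the named program.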
