STABLE-9: compat error checking additions

[jandryuk]

The compat codepaths were missing some error checking which this PR adds.

mount_upgrade_compat wasn't exiting on failure, so execution continued. Return an error for that case.

mount_upgrade_compat can fail if it wasn't written into a logical volume. We need create_lv to return an error when it cannot create an LV.

While touching the seal_system, prefix the seal commands with do_cmd so they are logged.

NOTE: Regardless of this PR, we don't abort the installer on forward sealing failure. This means we'll reboot and fail the measured launch. At the time seal_system is called, all the files have been updated, so there isn't a way to fail gracefully.

"install-main: Return failure from create_lv " is a cherry pick from the master PR.
"install-main: Add do_cmd to seal_system" is a modified version of the master PR to include the compat code paths.

Master PR #104

[jandryuk]

There may be an issue with TPM 1.2. I'm investigating.

[jean-edouard]

Built here: http://openxt-builder.ainfosec.com:8010/builders/openxt64/builds/6518

[jean-edouard]

LGTM, merging soon.

[jandryuk]

A TPM 1.2 box failed a forward seal, but I didn't finish investigating.

There are two new AVCs for modprobe kmod_t inheriting updatemgr_t FDs. I think the should be benign.

I'll try and investigate more tomorrow, but maybe adding do_cmd to seal_system should be held off for now.

[jean-edouard]

Ok, thanks!
My TPM 1.2 box successfully forward-sealed.

[jean-edouard]

@jandryuk should we still hold off on this?

[jandryuk]

I think this PR is fine to go in. I've been running it a bunch and it doesn't seem to be a problem. This morning I saw a failed forward seal of a TPM 1.2 legacy boot system, but I OTA-ed it with the same installer and that one successfully forward sealed. Something is going on, but it's not this PR.

The kmod_t AVCs I noted above aren't from do_cmd or the >&2 redirects. I don't know if they are new or if they've always been there.

[jean-edouard]

Cool, thanks, merging soon then.
I've seen the kmod AVCs for a while now, they're really weird... It's like kmod_t is trying to load a kmod_t module, which doesn't exist...

[jandryuk]

I was referring to these two:

kernel:[ 1632.053192] audit: type=1400 audit(1555512417.960:5): avc: denied { use } for pid=20149 comm="modprobe" path="pipe:[142749]" dev="pipefs" ino=142749 scontext=system_u:system_r:kmod_t:s0-s0:c0.c1023 tcontext=system_u:system_r:updatemgr_t:s0-s0:c0.c1023 tclass=fd permissive=0
kernel:[ 1632.055475] audit: type=1400 audit(1555512417.960:6): avc: denied { use } for pid=20149 comm="modprobe" path="socket:[14774]" dev="sockfs" ino=14774 scontext=system_u:system_r:kmod_t:s0-s0:c0.c1023 tcontext=system_u:system_r:updatemgr_t:s0-s0:c0.c1023 tclass=fd permissive=0

I think they are from modprobe txt inside ml-functions (sourced by seal-system) using the inherited file descriptors.

[dpsmith]

@jandryuk, should we open a ticket for someone to review ml-functions for any SELinux malfeasance?