search

ibm-s390-linux / s390-tools

Tools for use with the s390 Linux kernel and device drivers
MIT License
62 stars 58 forks source link

`vmur` not detecting unauthorized when punching to another system's reader #119

Closed vmorris closed 2 years ago

vmorris commented 3 years ago

I ran into this issue where vmur thinks it was able to successfully punch and transfer a file to another system's reader, but in fact RACF is blocking it.

I ran the command:

# vmur punch -r rhcos-live-kernel-s390x -u etpgxku -N kernel.img
Reader file with spoolid E YO created and transferred to ETPGXKU.

This was not obvious to me what the problem was, but I could see that no messages were being logged at the hardware console for either the driving or the receiving systems.

strace gave some more details:

[root@dgbglbi rhcos-bootfiles]# strace vmur punch -r rhcos-live-kernel-s390x -u etpgxku -N kernel.img
execve("/usr/sbin/vmur", ["vmur", "punch", "-r", "rhcos-live-kernel-s390x", "-u", "etpgxku", "-N", "kernel.img"], 0x3ffe3cfec18 /* 18 vars */) = 0
brk(NULL)                               = 0x2aa143cf000
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x3ffb0cfc000
<<< OUTPUT REMOVED >>>
close(5)                                = 0
openat(AT_FDCWD, "/dev/vmcp", O_RDWR)   = 5
ioctl(5, VMCP_SETBUF, 0x3ffe407ebd8)    = 0
write(5, "CLOSE D TO ETPGXKU RDR NAME kern"..., 38) = 38
ioctl(5, VMCP_GETCODE, 0x3ffe407ebe0)   = 0
ioctl(5, VMCP_GETSIZE, 0x3ffe407ebf0)   = 0
read(5, "RPIMGR032E YOU ARE NOT AUTHORIZE"..., 98) = 98
close(5)                                = 0
fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(0x88, 0), ...}) = 0
write(1, "Reader file with spoolid E YO cr"..., 66Reader file with spoolid E YO created and transferred to ETPGXKU.
) = 66
close(4)                                = 0
flock(3, LOCK_UN)                       = 0
close(3)                                = 0
exit_group(0)                           = ?
+++ exited with 0 +++

Shouldn't vmur detect RPIMGR032E and fail with a message back to the user?

vmorris commented 2 years ago

Further investigation yields this message:

21:47:38 MSG FROM RACFVM  : ICH408I USER(ETPGXJS ) GROUP(GXJS    ) NAME(IBM DALLAS          )
21:47:38 MSG FROM RACFVM  :   TATAC05.ETPGXKU CL(VMRDR   )                    
21:47:38 MSG FROM RACFVM  :   INSUFFICIENT ACCESS AUTHORITY                   
21:47:38 MSG FROM RACFVM  :   ACCESS INTENT(UPDATE )  ACCESS ALLOWED(NONE   )
hoeppnerj commented 2 years ago

@tmricht can you have a look please? Thanks!

tmricht commented 2 years ago

@Jan, thanks for the notification. Sorry for the late reply, but I had to refreshen my brain first :-).

Can you please append (attach) the complete strace log to the ticket, this would help me a lot. Thanks. The vmur command uses the vmcp device driver interface for communication with the CP command layer. These errors are reported to the user but rarely interpreted by programs.

From the strace output it looks like the error occurs when closing the device with command "CLOSE D TO ETPGXKU RDR NAME kern...". This is done in function close_ur_device() and uses the vmcp() device driver, which just reports there error but does not act on any errors. Can you tell me the exact error number this command is failing with? So I can add a check. Thanks.

tmricht commented 2 years ago

On what linux distro + version and what s390-tools version did the error occur?

vmorris commented 2 years ago

I cannot reproduce the error at this time, and unfortunately I did not preserve the strace log.

This occurred on RHEL 8.4.

[root@dgbglbi bin]# vmur --version
vmur: Control virtual reader, punch, and printer version 2.15.1-5.el8
Copyright IBM Corp. 2007, 2017
vmorris commented 2 years ago

Actually, I can reproduce it, here's the strace log:

https://gist.github.com/vmorris/ff12382a91c09ba8ada99f7eb9167c07

tmricht commented 2 years ago

Thanks a lot and good to know you can reproduce the issue. As explained above, the error happens when closing the punch device 000d using a vmcp command. The error response of this command is not interpreted. So I need to know the exact error code to be returned in your case. Since we do not have such a RACF in place here in our lab, I would like you to rerun the command again with a modifed vmur program I modified for you. The only change is a printf statement to see the error return code from the close command, here is the output from my box:

[root@s8360046 vmur]# cat /etc/redhat-release Red Hat Enterprise Linux release 8.4 (Ootpa) [root@s8360046 vmur]# uname -a Linux s8360046.lnxne.boe 4.18.0-305.el8.s390x #1 SMP Thu Apr 29 09:06:01 EDT 2021 s390x s390x s390x GNU/Linux [root@s8360046 vmur]# ./vmur punch -r Makefile -u s8360047 -N kernel.img close_ur_device response PUN FILE 0328 SENT TO S8360047 RDR AS 0381 RECS 0008 CPY 001 A NOHOLD NOKEEP cprc:0 Reader file with spoolid 0328 created and transferred to S8360047. [root@s8360046 vmur]#

You just install the vmur program (I send it to your LN user-id as attachment) in a local directory and issue this command:

./vmur punch -r rhcos-live-kernel-s390x -u etpgxku -N kernel.img

and send me the output, I need the lines in bold.

Thanks a lot.

vmorris commented 2 years ago

@tmricht - 

close_ur_device response RPIMGR032E YOU ARE NOT AUTHORIZED TO CLOSE TO TATAC05.ETPGXKU
HCPCSL007E Invalid userid - ETPGXKU
 cprc:7