CLONE_NEWUSER tests fail with EPERM instead of being skipped on Grsecurity kernels

  • Done
Details
2 participants
  • Ludovic Courtès
  • sapientech
Owner
unassigned
Submitted by
sapientech
Severity
normal
sapientech wrote on 30 Jul 2016 01:26
guix make tests failure
(address . bug-guix@gnu.org)
4c03321977ef605cc34a23986d83ce47@openmailbox.org
Hi all,

Attached is the output log of `make tests`. Commands leading up to make
tests:

$ guix environment guix --ad-hoc git vim
$ ./bootstrap
$ ./configure
$ make tests
Attachment: config.log (.04 MiB)
Attachment: test-suite.log (.19 MiB)
Ludovic Courtès wrote on 30 Jul 2016 15:07
(address . sapientech@openmailbox.org)(address . 24108@debbugs.gnu.org)
874m77e0ky.fsf@gnu.org
Hi,

sapientech@openmailbox.org skribis:

> test-name: substitute query, alternating URLs
> location: /home/sapientech/Dev/guix/guix_wip/tests/store.scm:456

[...]

> substitute: guix/ui.scm:1209:6: In procedure run-guix-command:
> substitute: guix/ui.scm:1209:6: unmatched line "<html><head><meta http-equiv=\"refresh\" content=\"0;url=http://www.dnsrsearch.com/index.php?origURL=http://does-not-exist/nix-cache-info&bc=\"/></head><body><script type=\"text/javascript\">window.location=\"http://www.dnsrsearch.com/index.php?origURL=\"+escape(window.location)+\"&r=\"+escape(document.referrer)+\"&bc=\";</script></body></html>"

It seems there’s a DNS hijacker in place where domain names such as
“does-not-exist” (used in this and other tests) are resolved to some
ISP-specific host or something. This explains this and more of the
other test failures you are seeing; this is unsupported.

> test-name: clone
> location: /home/sapientech/Dev/guix/guix_wip/tests/syscalls.scm:109
> source:
> + (test-assert
> + "clone"
> + (match (clone (logior CLONE_NEWUSER SIGCHLD))
> + (0 (primitive-exit 42))
> + (pid (and (not (equal?
> + (readlink (user-namespace pid))
> + (readlink (user-namespace (getpid)))))
> + (match (waitpid pid)
> + ((_ . status) (= 42 (status:exit-val status))))))))
> actual-value: #f
> actual-error:
> + (system-error
> + "clone"
> + "~d: ~A"
> + (268435473 "Operation not permitted")
> + (1))
> result: FAIL

What does “uname -srv” report on this machine? It seems this kernel
does not support namespaces.

Thanks,
Ludo’.
Dylan Jeffers wrote on 30 Jul 2016 19:43
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 24108@debbugs.gnu.org)
20160730104312.2166ffa5@openmailbox.org
On Sat, 30 Jul 2016 15:07:25 +0200
ludo@gnu.org (Ludovic Courtès) wrote:

> Hi,
>
> sapientech@openmailbox.org skribis:
>
> > test-name: substitute query, alternating URLs
> > location: /home/sapientech/Dev/guix/guix_wip/tests/store.scm:456
>
> [...]
>
> > substitute: guix/ui.scm:1209:6: In procedure run-guix-command:
> > substitute: guix/ui.scm:1209:6: unmatched line "<html><head><meta
> > http-equiv=\"refresh\"
> > content=\"0;url=http://www.dnsrsearch.com/index.php?origURL=http://does-not-exist/nix-cache-info&bc=\"/></head><body><script
> > type=\"text/javascript\">window.location=\"http://www.dnsrsearch.com/index.php?origURL=\"+escape(window.location)+\"&r=\"+escape(document.referrer)+\"&bc=\";</script></body></html>"
>
> It seems there’s a DNS hijacker in place where domain names such as
> “does-not-exist” (used in this and other tests) are resolved to some
> ISP-specific host or something. This explains this and more of the
> other test failures you are seeing; this is unsupported.
>
> > test-name: clone
> > location: /home/sapientech/Dev/guix/guix_wip/tests/syscalls.scm:109
> > source:
> > + (test-assert
> > + "clone"
> > + (match (clone (logior CLONE_NEWUSER SIGCHLD))
> > + (0 (primitive-exit 42))
> > + (pid (and (not (equal?
> > + (readlink (user-namespace pid))
> > + (readlink (user-namespace (getpid)))))
> > + (match (waitpid pid)
> > + ((_ . status) (= 42 (status:exit-val
> > status)))))))) actual-value: #f
> > actual-error:
> > + (system-error
> > + "clone"
> > + "~d: ~A"
> > + (268435473 "Operation not permitted")
> > + (1))
> > result: FAIL
>
> What does “uname -srv” report on this machine? It seems this kernel
> does not support namespaces.
>
> Thanks,
> Ludo’.

Hi Ludo,

Thanks for getting back so quick.
Output of uname -srv: Linux 4.6.4-gnu-201607192040-1-grsec #1 SMP
PREEMPT Wed Jul 20 15:37:34 UYT 2016
It is a security enhanced kernel, so that may be the issue. Let me know
if there is a workaround for this kernel, or whether I should fall back
to an lts, or standard kernel.

Best,
Dylan
Ludovic Courtès wrote on 30 Jul 2016 23:31
(name . Dylan Jeffers)(address . sapientech@openmailbox.org)(address . 24108@debbugs.gnu.org)
87bn1ebynp.fsf@gnu.org
Dylan Jeffers <sapientech@openmailbox.org> skribis:

> On Sat, 30 Jul 2016 15:07:25 +0200
> ludo@gnu.org (Ludovic Courtès) wrote:

[...]

>> > test-name: clone
>> > location: /home/sapientech/Dev/guix/guix_wip/tests/syscalls.scm:109
>> > source:
>> > + (test-assert
>> > + "clone"
>> > + (match (clone (logior CLONE_NEWUSER SIGCHLD))
>> > + (0 (primitive-exit 42))
>> > + (pid (and (not (equal?
>> > + (readlink (user-namespace pid))
>> > + (readlink (user-namespace (getpid)))))
>> > + (match (waitpid pid)
>> > + ((_ . status) (= 42 (status:exit-val
>> > status)))))))) actual-value: #f
>> > actual-error:
>> > + (system-error
>> > + "clone"
>> > + "~d: ~A"
>> > + (268435473 "Operation not permitted")
>> > + (1))
>> > result: FAIL
>>
>> What does “uname -srv” report on this machine? It seems this kernel
>> does not support namespaces.
>>
>> Thanks,
>> Ludo’.
>
> Hi Ludo,
>
> Thanks for getting back so quick.
> Output of uname -srv: Linux 4.6.4-gnu-201607192040-1-grsec #1 SMP
> PREEMPT Wed Jul 20 15:37:34 UYT 2016

These tests are skipped when user namespaces are not supported, as per
this condition:

(define perform-container-tests?
  (and (user-namespace-supported?)
       (unprivileged-user-namespace-supported?)))

… which is true iff (1) /proc/self/ns/user exists, and (2)
/proc/sys/kernel/unprivileged_userns_clone does not exist, or it exists
and contains “1”.

Do these files exist on this system?

Maybe we should just ignore EPERM from (clone CLONE_NEWUSER) but it’s
annoying to annotate every single test that uses it.

From a user viewpoint, this test failure simply means that you cannot use
the ‘--container’ option of ‘guix environment’ on your system.

Thanks,
Ludo’.
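As an added example (not Guix's own code and not from this thread), the C program below performs the two /proc checks described above and then attempts the same clone(CLONE_NEWUSER) as the failing test, mapping EPERM to "skip" rather than "fail". It assumes a Linux host with /proc mounted; the function names are this example's own.

```c
/* Added example, not Guix's own code: the two /proc checks behind
 * perform-container-tests?, followed by a real clone(CLONE_NEWUSER), which
 * the hardened kernel in this thread refuses with EPERM although both
 * /proc checks pass. */
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>
/* Mirrors (user-namespace-supported?): /proc/self/ns/user must exist. */
int user_namespace_supported(void) {
    return access("/proc/self/ns/user", F_OK) == 0;
}

/* Sysctl rule: file absent (NULL) or containing "1" means allowed. */
int sysctl_allows_userns(const char *content) {
    return content == NULL || content[0] == '1';
}
/* Mirrors (unprivileged-user-namespace-supported?). */
int unprivileged_userns_supported(void) {
    char buf[8];
    FILE *f = fopen("/proc/sys/kernel/unprivileged_userns_clone", "r");
    if (f == NULL)
        return sysctl_allows_userns(NULL);
    if (fgets(buf, sizeof buf, f) == NULL) buf[0] = '\0';
    fclose(f);
    return sysctl_allows_userns(buf);
}
static int child(void *arg) { (void)arg; return 42; }
/* 1: CLONE_NEWUSER child ran and exited 42 (the Guix test's own check);
 * 0: clone() refused with EPERM, to be reported as SKIP rather than FAIL;
 * -1: any other failure. */
int probe_clone_newuser(void) {
    static char stack[64 * 1024];
    int status;
    pid_t pid = clone(child, stack + sizeof stack, CLONE_NEWUSER | SIGCHLD, NULL);
    if (pid < 0)
        return errno == EPERM ? 0 : -1;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) && WEXITSTATUS(status) == 42;
}

int main(void) {
    printf("/proc checks: %d, clone probe: %d (1 ok, 0 EPERM/skip, -1 error)\n",
           user_namespace_supported() && unprivileged_userns_supported(),
           probe_clone_newuser());
    return 0;
}
```

On the Grsecurity kernel from this thread the first number would be 1 and the second 0, which is exactly the mismatch that turns a SKIP into a FAIL.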
Dylan Jeffers wrote on 31 Jul 2016 02:40
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 24108@debbugs.gnu.org)
20160730174027.0551e855@openmailbox.org
On Sat, 30 Jul 2016 23:31:54 +0200
ludo@gnu.org (Ludovic Courtès) wrote:

> Dylan Jeffers <sapientech@openmailbox.org> skribis:
>
> > On Sat, 30 Jul 2016 15:07:25 +0200
> > ludo@gnu.org (Ludovic Courtès) wrote:
>
> [...]
>
> >> > test-name: clone
> >> > location: /home/sapientech/Dev/guix/guix_wip/tests/syscalls.scm:109
> >> > source:
> >> > + (test-assert
> >> > + "clone"
> >> > + (match (clone (logior CLONE_NEWUSER SIGCHLD))
> >> > + (0 (primitive-exit 42))
> >> > + (pid (and (not (equal?
> >> > + (readlink (user-namespace pid))
> >> > + (readlink (user-namespace
> >> > (getpid)))))
> >> > + (match (waitpid pid)
> >> > + ((_ . status) (= 42 (status:exit-val
> >> > status)))))))) actual-value: #f
> >> > actual-error:
> >> > + (system-error
> >> > + "clone"
> >> > + "~d: ~A"
> >> > + (268435473 "Operation not permitted")
> >> > + (1))
> >> > result: FAIL
> >>
> >> What does “uname -srv” report on this machine? It seems this
> >> kernel does not support namespaces.
> >>
> >> Thanks,
> >> Ludo’.
> >
> > Hi Ludo,
> >
> > Thanks for getting back so quick.
> > Output of uname -srv: Linux 4.6.4-gnu-201607192040-1-grsec #1 SMP
> > PREEMPT Wed Jul 20 15:37:34 UYT 2016
>
> These tests are skipped when user namespaces are not supported, as per
> this condition:
>
> (define perform-container-tests?
> (and (user-namespace-supported?)
> (unprivileged-user-namespace-supported?)))
>
> … which is true iff (1) /proc/self/ns/user exists, and (2)
> /proc/sys/kernel/unprivileged_userns_clone does not exist, or it
> exists and contains “1”.
>
> Do these files exist on this system?

(1) /proc/self/ns/user exists, and
(2) /proc/sys/kernel/unprivileged_userns_clone D.N.E

Ideas on the best approach to allow the build to succeed?

I also have had issues with qemu, so it makes sense that vm/container
stuff both have issues. I have a feeling it's due to the
grsec kernel.
https://wiki.archlinux.org/index.php/Grsecurity_Patchset talks a
bit about userspace/namespace hardening + issues with xen and
virtbox. Going to reboot with an lts kernel and try again. Will post
update...

Best,
Dylan

Best,
Dylan
Dylan Jeffers wrote on 31 Jul 2016 03:53
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 24108@debbugs.gnu.org)
20160730185305.0c8cfe59@openmailbox.org
On Sat, 30 Jul 2016 17:40:27 -0700
Dylan Jeffers <sapientech@openmailbox.org> wrote:

> On Sat, 30 Jul 2016 23:31:54 +0200
> ludo@gnu.org (Ludovic Courtès) wrote:
>
> > Dylan Jeffers <sapientech@openmailbox.org> skribis:
> >
> > > On Sat, 30 Jul 2016 15:07:25 +0200
> > > ludo@gnu.org (Ludovic Courtès) wrote:
> >
> > [...]
> >
> > >> > test-name: clone
> > >> > location: /home/sapientech/Dev/guix/guix_wip/tests/syscalls.scm:109
> > >> > source:
> > >> > + (test-assert
> > >> > + "clone"
> > >> > + (match (clone (logior CLONE_NEWUSER SIGCHLD))
> > >> > + (0 (primitive-exit 42))
> > >> > + (pid (and (not (equal?
> > >> > + (readlink (user-namespace pid))
> > >> > + (readlink (user-namespace
> > >> > (getpid)))))
> > >> > + (match (waitpid pid)
> > >> > + ((_ . status) (= 42
> > >> > (status:exit-val status)))))))) actual-value: #f
> > >> > actual-error:
> > >> > + (system-error
> > >> > + "clone"
> > >> > + "~d: ~A"
> > >> > + (268435473 "Operation not permitted")
> > >> > + (1))
> > >> > result: FAIL
> > >>
> > >> What does “uname -srv” report on this machine? It seems this
> > >> kernel does not support namespaces.
> > >>
> > >> Thanks,
> > >> Ludo’.
> > >
> > > Hi Ludo,
> > >
> > > Thanks for getting back so quick.
> > > Output of uname -srv: Linux 4.6.4-gnu-201607192040-1-grsec #1 SMP
> > > PREEMPT Wed Jul 20 15:37:34 UYT 2016
> >
> > These tests are skipped when user namespaces are not supported, as
> > per this condition:
> >
> > (define perform-container-tests?
> > (and (user-namespace-supported?)
> > (unprivileged-user-namespace-supported?)))
> >
> > … which is true iff (1) /proc/self/ns/user exists, and (2)
> > /proc/sys/kernel/unprivileged_userns_clone does not exist, or it
> > exists and contains “1”.
> >
> > Do these files exist on this system?
>
> (1) /proc/self/ns/user exists, and
> (2) /proc/sys/kernel/unprivileged_userns_clone D.N.E
>
> Ideas on the best approach to allow the build to succeed?
>
> I also have had issues with qemu, so it makes sense that vm/container
> stuff both have issues. I have a feeling it's due to the
> grsec kernel.
> https://wiki.archlinux.org/index.php/Grsecurity_Patchset talks a
> bit about userspace/namespace hardening + issues with xen and
> virtbox. Going to reboot with an lts kernel and try again. Will post
> update...
>
> Best,
> Dylan
>
> Best,
> Dylan

After changing kernel, and stopping paxd.service, build still
failed :(

It looks like the failed tests are different though (see attachment)

Dylan
Attachment: config.log
Attachment: config.status
Attachment: test-suite.log
Ludovic Courtès wrote on 31 Jul 2016 12:53
(name . Dylan Jeffers)(address . sapientech@openmailbox.org)(address . 24108@debbugs.gnu.org)
87d1lu84ex.fsf@gnu.org
Hello,

Dylan Jeffers <sapientech@openmailbox.org> skribis:

[...]

> > > These tests are skipped when user namespaces are not supported, as
> > > per this condition:
> > >
> > > (define perform-container-tests?
> > > (and (user-namespace-supported?)
> > > (unprivileged-user-namespace-supported?)))
> > >
> > > … which is true iff (1) /proc/self/ns/user exists, and (2)
> > > /proc/sys/kernel/unprivileged_userns_clone does not exist, or it
> > > exists and contains “1”.
> > >
> > > Do these files exist on this system?
>>
>> (1) /proc/self/ns/user exists, and
>> (2) /proc/sys/kernel/unprivileged_userns_clone D.N.E

They do not exist now with the new ‘test-suite.log’ that you posted, but
they did exist before (with the Grsec kernel), otherwise the user
namespaces tests would have been skipped.

>> Ideas on the best approach to allow the build to succeed?
>>
>> I also have had issues with qemu, so it makes sense that vm/container
>> stuff both have issues. I have a feeling it's due to the
>> grsec kernel.
>> https://wiki.archlinux.org/index.php/Grsecurity_Patchset talks a
>> bit about userspace/namespace hardening + issues with xen and
>> virtbox. Going to reboot with an lts kernel and try again. Will post
>> update...
>>
>> Best,
>> Dylan
>>
>> Best,
>> Dylan
>
> After changing kernel, and stopping paxd.service, build still
> failed :(

[...]

> test-name: clone
> location: /home/sapientech/Dev/guix/guix_wip/tests/syscalls.scm:109
> source:
> + (test-assert
> + "clone"
> + (match (clone (logior CLONE_NEWUSER SIGCHLD))
> + (0 (primitive-exit 42))
> + (pid (and (not (equal?
> + (readlink (user-namespace pid))
> + (readlink (user-namespace (getpid)))))
> + (match (waitpid pid)
> + ((_ . status) (= 42 (status:exit-val status))))))))
> result: SKIP

This and other container-related tests are now properly skipped.

> test-name: home-page: host not found
> location: /home/sapientech/Dev/guix/guix_wip/tests/lint.scm:393
> source:
> + (test-assert
> + "home-page: host not found"
> + (->bool
> + (string-contains
> + (with-warnings
> + (let ((pkg (package
> + (inherit (dummy-package "x"))
> + (home-page "http://does-not-exist"))))
> + (check-home-page pkg)))
> + "domain not found")))
> actual-value: #f
> result: FAIL

This and the remaining failures are due to DNS hijacking, so nothing we
can do about it. You’d have to use a well-behaved DNS server (e.g.,
“echo nameserver 8.8.8.8 > /etc/resolv.conf” to use Google’s name
server) to work around that.

Thanks,
Ludo’.
Ludovic Courtès wrote on 31 Jul 2016 12:54
retitle
(address . request@debbugs.gnu.org)
878twi84cm.fsf@gnu.org
retitle 24108 CLONE_NEWUSER tests fail with EPERM instead of being skipped on Grsecurity kernels
thanks
Ludovic Courtès wrote on 9 Jul 2020 15:58
control message for bug #24108
(address . control@debbugs.gnu.org)
877dvcbxj0.fsf@gnu.org
tags 24108 notabug
close 24108
quit