CLONE_NEWUSER tests fail with EPERM instead of being skipped on Grsecurity kernels

Status: Done
Participants: Ludovic Courtès, sapientech
Owner: unassigned
Submitted by: sapientech
Severity: normal
sapientech wrote on 30 Jul 2016 01:26
Subject: guix make tests failure
To: bug-guix@gnu.org
Message-ID: 4c03321977ef605cc34a23986d83ce47@openmailbox.org
Hi all,

Attached is the output log of `make tests`. Commands leading up to make
tests:

$ guix environment guix --ad-hoc git vim
$ ./bootstrap
$ ./configure
$ make tests
Attachment: config.log (.04 MiB)
Attachment: test-suite.log (.19 MiB)
Ludovic Courtès wrote on 30 Jul 2016 15:07
To: sapientech@openmailbox.org, 24108@debbugs.gnu.org
Message-ID: 874m77e0ky.fsf@gnu.org
Hi,

sapientech@openmailbox.org skribis:

> test-name: substitute query, alternating URLs
> location: /home/sapientech/Dev/guix/guix_wip/tests/store.scm:456

[...]

> substitute: guix/ui.scm:1209:6: In procedure run-guix-command:
> substitute: guix/ui.scm:1209:6: unmatched line "<html><head><meta http-equiv=\"refresh\" content=\"0;url=http://www.dnsrsearch.com/index.php?origURL=http://does-not-exist/nix-cache-info&bc=\"/></head><body><script type=\"text/javascript\">window.location=\"http://www.dnsrsearch.com/index.php?origURL=\"+escape(window.location)+\"&r=\"+escape(document.referrer)+\"&bc=\";</script></body></html>"

It seems there’s a DNS hijacker in place where domain names such as
“does-not-exist” (used in this and other tests) are resolved to some
ISP-specific host or something. This explains this and more of the
other test failures you are seeing; this is unsupported.

> test-name: clone
> location: /home/sapientech/Dev/guix/guix_wip/tests/syscalls.scm:109
> source:
> + (test-assert
> +   "clone"
> +   (match (clone (logior CLONE_NEWUSER SIGCHLD))
> +     (0 (primitive-exit 42))
> +     (pid (and (not (equal?
> +                      (readlink (user-namespace pid))
> +                      (readlink (user-namespace (getpid)))))
> +               (match (waitpid pid)
> +                 ((_ . status) (= 42 (status:exit-val status))))))))
> actual-value: #f
> actual-error:
> + (system-error
> +   "clone"
> +   "~d: ~A"
> +   (268435473 "Operation not permitted")
> +   (1))
> result: FAIL

What does “uname -srv” report on this machine? It seems this kernel
does not support namespaces.

Thanks,
Ludo’.
Dylan Jeffers wrote on 30 Jul 2016 19:43
To: Ludovic Courtès <ludo@gnu.org>, 24108@debbugs.gnu.org
Message-ID: 20160730104312.2166ffa5@openmailbox.org
On Sat, 30 Jul 2016 15:07:25 +0200
ludo@gnu.org (Ludovic Courtès) wrote:

> Hi,
>
> sapientech@openmailbox.org skribis:
>
> > test-name: substitute query, alternating URLs
> > location: /home/sapientech/Dev/guix/guix_wip/tests/store.scm:456
>
> [...]
>
> > substitute: guix/ui.scm:1209:6: In procedure run-guix-command:
> > substitute: guix/ui.scm:1209:6: unmatched line "<html><head><meta
> > http-equiv=\"refresh\"
> > content=\"0;url=http://www.dnsrsearch.com/index.php?origURL=http://does-not-exist/nix-cache-info&bc=\"/></head><body><script
> > type=\"text/javascript\">window.location=\"http://www.dnsrsearch.com/index.php?origURL=\"+escape(window.location)+\"&r=\"+escape(document.referrer)+\"&bc=\";</script></body></html>"
>
> It seems there’s a DNS hijacker in place where domain names such as
> “does-not-exist” (used in this and other tests) are resolved to some
> ISP-specific host or something. This explains this and more of the
> other test failures you are seeing; this is unsupported.
>
> > test-name: clone
> > location: /home/sapientech/Dev/guix/guix_wip/tests/syscalls.scm:109
> > source:
> > + (test-assert
> > +   "clone"
> > +   (match (clone (logior CLONE_NEWUSER SIGCHLD))
> > +     (0 (primitive-exit 42))
> > +     (pid (and (not (equal?
> > +                      (readlink (user-namespace pid))
> > +                      (readlink (user-namespace (getpid)))))
> > +               (match (waitpid pid)
> > +                 ((_ . status) (= 42 (status:exit-val status))))))))
> > actual-value: #f
> > actual-error:
> > + (system-error
> > +   "clone"
> > +   "~d: ~A"
> > +   (268435473 "Operation not permitted")
> > +   (1))
> > result: FAIL
>
> What does “uname -srv” report on this machine? It seems this kernel
> does not support namespaces.
>
> Thanks,
> Ludo’.

Hi Ludo,

Thanks for getting back so quickly.
Output of uname -srv: Linux 4.6.4-gnu-201607192040-1-grsec #1 SMP PREEMPT Wed Jul 20 15:37:34 UYT 2016
It is a security enhanced kernel, so that may be the issue. Let me know
if there is a workaround for this kernel, or whether I should fall back
to an LTS, or standard kernel.

Best,
Dylan
Ludovic Courtès wrote on 30 Jul 2016 23:31
To: Dylan Jeffers <sapientech@openmailbox.org>, 24108@debbugs.gnu.org
Message-ID: 87bn1ebynp.fsf@gnu.org
Dylan Jeffers <sapientech@openmailbox.org> skribis:

> On Sat, 30 Jul 2016 15:07:25 +0200
> ludo@gnu.org (Ludovic Courtès) wrote:

[...]

>> > test-name: clone
>> > location: /home/sapientech/Dev/guix/guix_wip/tests/syscalls.scm:109
>> > source:
>> > + (test-assert
>> > +   "clone"
>> > +   (match (clone (logior CLONE_NEWUSER SIGCHLD))
>> > +     (0 (primitive-exit 42))
>> > +     (pid (and (not (equal?
>> > +                      (readlink (user-namespace pid))
>> > +                      (readlink (user-namespace (getpid)))))
>> > +               (match (waitpid pid)
>> > +                 ((_ . status) (= 42 (status:exit-val status))))))))
>> > actual-value: #f
>> > actual-error:
>> > + (system-error
>> > +   "clone"
>> > +   "~d: ~A"
>> > +   (268435473 "Operation not permitted")
>> > +   (1))
>> > result: FAIL
>>
>> What does “uname -srv” report on this machine? It seems this kernel
>> does not support namespaces.
>>
>> Thanks,
>> Ludo’.
>
> Hi Ludo,
>
> Thanks for getting back so quick.
> Output of uname -srv: Linux 4.6.4-gnu-201607192040-1-grsec #1 SMP
> PREEMPT Wed Jul 20 15:37:34 UYT 2016

These tests are skipped when user namespaces are not supported, as per
this condition:

(define perform-container-tests?
  (and (user-namespace-supported?)
       (unprivileged-user-namespace-supported?)))

… which is true iff (1) /proc/self/ns/user exists, and (2)
/proc/sys/kernel/unprivileged_userns_clone does not exist, or it exists
and contains “1”.

Do these files exist on this system?

Maybe we should just ignore EPERM from (clone CLONE_NEWUSER) but it’s
annoying to annotate every single test that uses it.

From a user viewpoint, this test failure simply means that you cannot use
the ‘--container’ option of ‘guix environment’ on your system.

Thanks,
Ludo’.
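The condition Ludo describes only inspects /proc; the report earlier in this thread (ns/user present, the sysctl file absent, yet clone failing with EPERM) shows why that is not sufficient on a hardened kernel. The following is an added example, not code from the Guix tree: it restates the /proc condition as a pure function and then actually attempts to create a user namespace in a throwaway child, so a kernel that refuses CLONE_NEWUSER turns into a skip rather than a failure. The function names, the Automake-style exit code 77 for "skip", and the use of unshare(2) instead of clone(2) for the probe are this example's own choices; the constant 268435473 is the value printed in the log above (CLONE_NEWUSER | SIGCHLD).

```python
"""Pre-flight check for unprivileged user namespaces (added example, not Guix
code).  Mirrors the /proc condition behind Guix's perform-container-tests? and
adds the step that condition lacks: really trying to create a user namespace,
so a kernel that has the files but refuses CLONE_NEWUSER with EPERM (the
Grsecurity case in this thread) leads to a skip instead of a failure."""
import ctypes
import errno
import os
import sys

NS_USER_PATH = "/proc/self/ns/user"
UNPRIV_SYSCTL = "/proc/sys/kernel/unprivileged_userns_clone"
CLONE_NEWUSER = 0x10000000  # from <linux/sched.h>, 268435456 decimal
SIGCHLD_LINUX = 17          # CLONE_NEWUSER | SIGCHLD == 268435473, the "~d" in the log


def proc_says_userns_ok(ns_user_exists, unpriv_sysctl_value):
    """Pure restatement of the Guix condition quoted in the thread.

    ns_user_exists      -- does /proc/self/ns/user exist?
    unpriv_sysctl_value -- text of /proc/sys/kernel/unprivileged_userns_clone,
                           or None when that (distribution-specific) file is absent
    True means the /proc evidence alone would run the container tests.
    """
    if not ns_user_exists:
        return False
    if unpriv_sysctl_value is None:
        return True
    return unpriv_sysctl_value.strip() == "1"


def read_proc_evidence():
    """Collect the two facts proc_says_userns_ok() needs from the live system."""
    ns_exists = os.path.exists(NS_USER_PATH)
    try:
        with open(UNPRIV_SYSCTL) as f:
            value = f.read()
    except FileNotFoundError:
        value = None
    return ns_exists, value


def probe_user_namespace():
    """Try unshare(CLONE_NEWUSER) in a throwaway child.

    Returns 0 on success, otherwise the errno the kernel reported (EPERM for the
    kernel in this thread).  A forked child keeps the caller's own namespaces
    untouched; unshare() needs no stack juggling from Python and the kernel
    applies the same user-namespace policy to it as to clone().
    """
    if sys.platform != "linux":
        return errno.ENOSYS
    try:
        libc = ctypes.CDLL("libc.so.6", use_errno=True)
        pid = os.fork()
    except OSError as exc:
        return exc.errno or errno.ENOSYS
    if pid == 0:  # child: report the result through the exit status
        rc = libc.unshare(CLONE_NEWUSER)
        os._exit(0 if rc == 0 else ctypes.get_errno())
    _, status = os.waitpid(pid, 0)
    return os.WEXITSTATUS(status) if os.WIFEXITED(status) else errno.ECHILD


def container_tests_enabled():
    """Decision a test suite wants: (enabled?, human-readable reason)."""
    ns_exists, sysctl = read_proc_evidence()
    if not proc_says_userns_ok(ns_exists, sysctl):
        return False, "skip: /proc reports no unprivileged user namespaces"
    err = probe_user_namespace()
    if err == 0:
        return True, "ok: unprivileged user namespace created"
    name = errno.errorcode.get(err, str(err))
    return False, f"skip: unshare(CLONE_NEWUSER) failed with {name}"


if __name__ == "__main__":
    enabled, reason = container_tests_enabled()
    print(reason)
    sys.exit(0 if enabled else 77)  # 77 is Automake's SKIP exit status
```

Run as a script it prints one line and exits 0 or 77, so it can gate a test driver; imported, `proc_says_userns_ok` can be unit-tested without touching the kernel, which is the part the original condition gets right, while `probe_user_namespace` supplies the part it misses.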
Dylan Jeffers wrote on 31 Jul 2016 02:40
To: Ludovic Courtès <ludo@gnu.org>, 24108@debbugs.gnu.org
Message-ID: 20160730174027.0551e855@openmailbox.org
On Sat, 30 Jul 2016 23:31:54 +0200
ludo@gnu.org (Ludovic Courtès) wrote:

> Dylan Jeffers <sapientech@openmailbox.org> skribis:
>
> > On Sat, 30 Jul 2016 15:07:25 +0200
> > ludo@gnu.org (Ludovic Courtès) wrote:
>
> [...]
>
> >> > test-name: clone
> >> > location: /home/sapientech/Dev/guix/guix_wip/tests/syscalls.scm:109
> >> > source:
> >> > + (test-assert
> >> > +   "clone"
> >> > +   (match (clone (logior CLONE_NEWUSER SIGCHLD))
> >> > +     (0 (primitive-exit 42))
> >> > +     (pid (and (not (equal?
> >> > +                      (readlink (user-namespace pid))
> >> > +                      (readlink (user-namespace (getpid)))))
> >> > +               (match (waitpid pid)
> >> > +                 ((_ . status) (= 42 (status:exit-val status))))))))
> >> > actual-value: #f
> >> > actual-error:
> >> > + (system-error
> >> > +   "clone"
> >> > +   "~d: ~A"
> >> > +   (268435473 "Operation not permitted")
> >> > +   (1))
> >> > result: FAIL
> >>
> >> What does “uname -srv” report on this machine? It seems this
> >> kernel does not support namespaces.
> >>
> >> Thanks,
> >> Ludo’.
> >
> > Hi Ludo,
> >
> > Thanks for getting back so quick.
> > Output of uname -srv: Linux 4.6.4-gnu-201607192040-1-grsec #1 SMP
> > PREEMPT Wed Jul 20 15:37:34 UYT 2016
>
> These tests are skipped when user namespaces are not supported, as per
> this condition:
>
> (define perform-container-tests?
>   (and (user-namespace-supported?)
>        (unprivileged-user-namespace-supported?)))
>
> … which is true iff (1) /proc/self/ns/user exists, and (2)
> /proc/sys/kernel/unprivileged_userns_clone does not exist, or it
> exists and contains “1”.
>
> Do these files exist on this system?

(1) /proc/self/ns/user exists, and
(2) /proc/sys/kernel/unprivileged_userns_clone D.N.E

Ideas on the best approach to allow the build to succeed?

I also have had issues with qemu, so it makes sense that vm/container
stuff both have issues. I have a feeling it's due to the
grsec kernel.
https://wiki.archlinux.org/index.php/Grsecurity_Patchset talks a
bit about userspace/namespace hardening + issues with xen and
virtbox. Going to reboot with an LTS kernel and try again. Will post
update...

Best,
Dylan
Dylan Jeffers wrote on 31 Jul 2016 03:53
To: Ludovic Courtès <ludo@gnu.org>, 24108@debbugs.gnu.org
Message-ID: 20160730185305.0c8cfe59@openmailbox.org
On Sat, 30 Jul 2016 17:40:27 -0700
Dylan Jeffers <sapientech@openmailbox.org> wrote:

> On Sat, 30 Jul 2016 23:31:54 +0200
> ludo@gnu.org (Ludovic Courtès) wrote:
>
> > Dylan Jeffers <sapientech@openmailbox.org> skribis:
> >
> > > On Sat, 30 Jul 2016 15:07:25 +0200
> > > ludo@gnu.org (Ludovic Courtès) wrote:
> >
> > [...]
> >
> > >> > test-name: clone
> > >> > location: /home/sapientech/Dev/guix/guix_wip/tests/syscalls.scm:109
> > >> > source:
> > >> > + (test-assert
> > >> > +   "clone"
> > >> > +   (match (clone (logior CLONE_NEWUSER SIGCHLD))
> > >> > +     (0 (primitive-exit 42))
> > >> > +     (pid (and (not (equal?
> > >> > +                      (readlink (user-namespace pid))
> > >> > +                      (readlink (user-namespace (getpid)))))
> > >> > +               (match (waitpid pid)
> > >> > +                 ((_ . status) (= 42 (status:exit-val status))))))))
> > >> > actual-value: #f
> > >> > actual-error:
> > >> > + (system-error
> > >> > +   "clone"
> > >> > +   "~d: ~A"
> > >> > +   (268435473 "Operation not permitted")
> > >> > +   (1))
> > >> > result: FAIL
> > >>
> > >> What does “uname -srv” report on this machine? It seems this
> > >> kernel does not support namespaces.
> > >>
> > >> Thanks,
> > >> Ludo’.
> > >
> > > Hi Ludo,
> > >
> > > Thanks for getting back so quick.
> > > Output of uname -srv: Linux 4.6.4-gnu-201607192040-1-grsec #1 SMP
> > > PREEMPT Wed Jul 20 15:37:34 UYT 2016
> >
> > These tests are skipped when user namespaces are not supported, as
> > per this condition:
> >
> > (define perform-container-tests?
> >   (and (user-namespace-supported?)
> >        (unprivileged-user-namespace-supported?)))
> >
> > … which is true iff (1) /proc/self/ns/user exists, and (2)
> > /proc/sys/kernel/unprivileged_userns_clone does not exist, or it
> > exists and contains “1”.
> >
> > Do these files exist on this system?
>
> (1) /proc/self/ns/user exists, and
> (2) /proc/sys/kernel/unprivileged_userns_clone D.N.E
>
> Ideas on the best approach to allow the build to succeed?
>
> I also have had issues with qemu, so it makes sense that vm/container
> stuff both have issues. I have a feeling its due to the
> grsec kernel.
> https://wiki.archlinux.org/index.php/Grsecurity_Patchset talks a
> bit about userspace/namespace hardening + issues with xen and
> virtbox. Going to reboot with an lts kernel and try again. Will post
> update...
>
> Best,
> Dylan

After changing kernel, and stopping paxd.service, build still
failed :(

It looks like the failed tests are different though (see attachment)

Dylan
Attachment: config.log
Attachment: config.status
Attachment: test-suite.log
Ludovic Courtès wrote on 31 Jul 2016 12:53
To: Dylan Jeffers <sapientech@openmailbox.org>, 24108@debbugs.gnu.org
Message-ID: 87d1lu84ex.fsf@gnu.org
Hello,

Dylan Jeffers <sapientech@openmailbox.org> skribis:

[...]

> > > These tests are skipped when user namespaces are not supported, as
> > > per this condition:
> > >
> > > (define perform-container-tests?
> > >   (and (user-namespace-supported?)
> > >        (unprivileged-user-namespace-supported?)))
> > >
> > > … which is true iff (1) /proc/self/ns/user exists, and (2)
> > > /proc/sys/kernel/unprivileged_userns_clone does not exist, or it
> > > exists and contains “1”.
> > >
> > > Do these files exist on this system?
>>
>> (1) /proc/self/ns/user exists, and
>> (2) /proc/sys/kernel/unprivileged_userns_clone D.N.E

They do not exist now with the new ‘test-suite.log’ that you posted, but
they did exist before (with the Grsec kernel), otherwise the user
namespaces tests would have been skipped.

>> Ideas on the best approach to allow the build to succeed?
>>
>> I also have had issues with qemu, so it makes sense that vm/container
>> stuff both have issues. I have a feeling its due to the
>> grsec kernel.
>> https://wiki.archlinux.org/index.php/Grsecurity_Patchset talks a
>> bit about userspace/namespace hardening + issues with xen and
>> virtbox. Going to reboot with an lts kernel and try again. Will post
>> update...
>>
>> Best,
>> Dylan
>>
>> Best,
>> Dylan
>
> After changing kernel, and stopping paxd.service, build still
> failed :(

[...]

> test-name: clone
> location: /home/sapientech/Dev/guix/guix_wip/tests/syscalls.scm:109
> source:
> + (test-assert
> +   "clone"
> +   (match (clone (logior CLONE_NEWUSER SIGCHLD))
> +     (0 (primitive-exit 42))
> +     (pid (and (not (equal?
> +                      (readlink (user-namespace pid))
> +                      (readlink (user-namespace (getpid)))))
> +               (match (waitpid pid)
> +                 ((_ . status) (= 42 (status:exit-val status))))))))
> result: SKIP

This and other container-related tests are now properly skipped.

> test-name: home-page: host not found
> location: /home/sapientech/Dev/guix/guix_wip/tests/lint.scm:393
> source:
> + (test-assert
> +   "home-page: host not found"
> +   (->bool
> +    (string-contains
> +     (with-warnings
> +      (let ((pkg (package
> +                   (inherit (dummy-package "x"))
> +                   (home-page "http://does-not-exist"))))
> +        (check-home-page pkg)))
> +     "domain not found")))
> actual-value: #f
> result: FAIL

This and the remaining failures are due to DNS hijacking, so nothing we
can do about it. You’d have to use a well-behaved DNS server (e.g.,
“echo nameserver 8.8.8.8 > /etc/resolv.conf” to use Google’s name
server) to work around that.

Thanks,
Ludo’.
Ludovic Courtès wrote on 31 Jul 2016 12:54
Subject: retitle
To: request@debbugs.gnu.org
Message-ID: 878twi84cm.fsf@gnu.org
retitle 24108 CLONE_NEWUSER tests fail with EPERM instead of being skipped on Grsecurity kernels
thanks
Ludovic Courtès wrote on 9 Jul 2020 15:58
Subject: control message for bug #24108
To: control@debbugs.gnu.org
Message-ID: 877dvcbxj0.fsf@gnu.org
tags 24108 notabug
close 24108
quit
This issue is archived.