Bug 375973 - [hardened] app-emulation/libvirt-1.2.0 fails test test-poll
Status: RESOLVED OBSOLETE
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: The Gentoo Linux Hardened Team
Duplicates: 422617
Reported: 2011-07-22 09:00 UTC by Markus Walter
Modified: 2016-08-16 08:01 UTC (History)

Attachments
build log (build.log,97.76 KB, text/plain)
2011-07-22 09:00 UTC, Markus Walter
emerge --info (info.txt,5.37 KB, text/plain)
2011-07-22 09:00 UTC, Markus Walter
grsec.log for merge of libvirt-0.9.10 (grsec.log,2.63 KB, text/plain)
2012-02-18 12:53 UTC, Markus Walter
build.log (libvirt-0.10.2-r3_build.log,99.33 KB, text/plain)
2012-11-07 10:43 UTC, Nikoli

Description Markus Walter 2011-07-22 09:00:25 UTC
Created attachment 280587
build log

Merging libvirt-0.9.3-r1 results in a failing test, namely 'test-poll'. I'm using hardened-gcc-4.6.1. I see exactly the same error with libvirt-0.9.2 and libvirt-0.9.1.
Comment 1 Markus Walter 2011-07-22 09:00:40 UTC
Created attachment 280589
emerge --info
Comment 2 Markus Walter 2011-07-22 09:10:37 UTC
One more hint for this: I found a lot of resource oversteps for RLIMIT_NOFILE for the libvirt test-suite in /var/log/grsec.log.
Comment 3 Doug Goldstein (RETIRED) gentoo-dev 2012-02-09 19:49:03 UTC
hardened team: Any suggestions how to address this?
Comment 4 Magnus Granberg gentoo-dev 2012-02-09 20:00:32 UTC
We need the pax.log and grsec.log.
Comment 5 Doug Goldstein (RETIRED) gentoo-dev 2012-02-17 21:57:02 UTC
Please upload the pax.log and grsec.log
Comment 6 Markus Walter 2012-02-18 12:53:43 UTC
Created attachment 302333
grsec.log for merge of libvirt-0.9.10

Here is the requested grsec.log for libvirt-0.9.10. The pax.log was empty.

The test failure is still exactly the same.
Comment 7 Doug Goldstein (RETIRED) gentoo-dev 2012-03-05 23:45:43 UTC
hardened: any comments? The user has gotten the feedback you requested.
Comment 8 Doug Goldstein (RETIRED) gentoo-dev 2012-07-21 21:13:23 UTC
*** Bug 422617 has been marked as a duplicate of this bug. ***
Comment 9 Nikoli 2012-11-07 10:43:01 UTC
Created attachment 328648
build.log

Same problem with app-emulation/libvirt-0.10.2-r3

grsec messages:
Nov  7 14:32:38 x kernel: [933932.840335] grsec: denied resource overstep by requesting 1000000 for RLIMIT_NOFILE against limit 1024 for /var/tmp/portage/app-emulation/libvirt-0.10.2-r3/work/libvirt-0.10.2/conftest[conftest:16412] uid/euid:250/250 gid/egid:250/250, parent /var/tmp/portage/app-emulation/libvirt-0.10.2-r3/work/libvirt-0.10.2/configure[configure:16411] uid/euid:250/250 gid/egid:250/250
Nov  7 14:32:39 x kernel: [933933.199409] grsec: denied resource overstep by requesting 4294967295 for RLIMIT_NOFILE against limit 1024 for /var/tmp/portage/app-emulation/libvirt-0.10.2-r3/work/libvirt-0.10.2/conftest[conftest:16434] uid/euid:250/250 gid/egid:250/250, parent /var/tmp/portage/app-emulation/libvirt-0.10.2-r3/work/libvirt-0.10.2/configure[configure:16433] uid/euid:250/250 gid/egid:250/250
Nov  7 14:34:41 x kernel: [934055.075475] grsec: denied resource overstep by requesting 18446744073709551614 for RLIMIT_NOFILE against limit 1024 for /var/tmp/portage/app-emulation/libvirt-0.10.2-r3/work/libvirt-0.10.2/gnulib/tests/test-dup2[test-dup2:4724] uid/euid:250/250 gid/egid:250/250, parent /bin/bash[sh:4647] uid/euid:250/250 gid/egid:250/250
Nov  7 14:34:41 x kernel: [934055.075487] grsec: denied resource overstep by requesting 10000000 for RLIMIT_NOFILE against limit 1024 for /var/tmp/portage/app-emulation/libvirt-0.10.2-r3/work/libvirt-0.10.2/gnulib/tests/test-dup2[test-dup2:4724] uid/euid:250/250 gid/egid:250/250, parent /bin/bash[sh:4647] uid/euid:250/250 gid/egid:250/250
Nov  7 14:34:41 x kernel: [934055.075556] grsec: denied resource overstep by requesting 18446744073709551615 for RLIMIT_NOFILE against limit 1024 for /var/tmp/portage/app-emulation/libvirt-0.10.2-r3/work/libvirt-0.10.2/gnulib/tests/test-dup2[test-dup2:4724] uid/euid:250/250 gid/egid:250/250, parent /bin/bash[sh:4647] uid/euid:250/250 gid/egid:250/250
Nov  7 14:34:41 x kernel: [934055.120746] grsec: denied resource overstep by requesting 4294967295 for RLIMIT_NOFILE against limit 1024 for /var/tmp/portage/app-emulation/libvirt-0.10.2-r3/work/libvirt-0.10.2/gnulib/tests/test-fcntl[test-fcntl:4739] uid/euid:250/250 gid/egid:250/250, parent /bin/bash[sh:4647] uid/euid:250/250 gid/egid:250/250
Nov  7 14:34:41 x kernel: [934055.120760] grsec: denied resource overstep by requesting 10000000 for RLIMIT_NOFILE against limit 1024 for /var/tmp/portage/app-emulation/libvirt-0.10.2-r3/work/libvirt-0.10.2/gnulib/tests/test-fcntl[test-fcntl:4739] uid/euid:250/250 gid/egid:250/250, parent /bin/bash[sh:4647] uid/euid:250/250 gid/egid:250/250
Nov  7 14:34:41 x kernel: [934055.120772] grsec: denied resource overstep by requesting 4294967295 for RLIMIT_NOFILE against limit 1024 for /var/tmp/portage/app-emulation/libvirt-0.10.2-r3/work/libvirt-0.10.2/gnulib/tests/test-fcntl[test-fcntl:4739] uid/euid:250/250 gid/egid:250/250, parent /bin/bash[sh:4647] uid/euid:250/250 gid/egid:250/250
Nov  7 14:34:41 x kernel: [934055.120782] grsec: denied resource overstep by requesting 4294967295 for RLIMIT_NOFILE against limit 1024 for /var/tmp/portage/app-emulation/libvirt-0.10.2-r3/work/libvirt-0.10.2/gnulib/tests/test-fcntl[test-fcntl:4739] uid/euid:250/250 gid/egid:250/250, parent /bin/bash[sh:4647] uid/euid:250/250 gid/egid:250/250
Nov  7 14:34:41 x kernel: [934055.120785] grsec: more alerts, logging disabled for 10 seconds
Comment 10 Doug Goldstein (RETIRED) gentoo-dev 2012-11-07 16:14:33 UTC
For some background, it appears that the stock hardened/grsec configuration is to limit a process to a hard limit of 1024 opened files, which is reasonable. grsec is thinking that the processes blocked want (2^32)-1 and (2^64)-2 files opened, which exceeds the limit. These numbers are a bit too conspicuous to discount. Granted, these are all configure checks and not the actual test-poll process, because logging was disabled. So the reality is that hardened needs to let me know how to handle this from a configure side as well.
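For triaging a log like the one in comment 9, here is an added example (not part of the bug thread and not grsec's own tooling) that parses the denial lines and marks requested values sitting at a 32- or 64-bit integer boundary, the pattern comment 10 points out. The sample lines are constructed after that message format with placeholder paths, PIDs and timestamps; `suppressed()` reports whether grsec rate-limited logging, which means later denials are missing from the capture.

```python
import re
from collections import defaultdict

# Message format as quoted in comment 9 of this bug.
OVERSTEP = re.compile(
    r"grsec: denied resource overstep by requesting (?P<req>\d+) "
    r"for (?P<res>RLIMIT_\w+) against limit (?P<limit>\d+) "
    r"for (?P<path>\S+)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\]")

# Constructed sample lines (placeholder paths, PIDs and timestamps).
TAIL = (" uid/euid:250/250 gid/egid:250/250, parent /bin/bash[sh:99]"
        " uid/euid:250/250 gid/egid:250/250")
def _line(req, comm, pid):
    return (f"Nov  7 14:34:41 x kernel: [1.0] grsec: denied resource overstep by "
            f"requesting {req} for RLIMIT_NOFILE against limit 1024 "
            f"for /build/{comm}[{comm}:{pid}]{TAIL}")
SAMPLE = [
    _line(4294967295, "conftest", 100),
    _line(18446744073709551614, "test-dup2", 200),
    _line(10000000, "test-dup2", 200),
    "Nov  7 14:34:41 x kernel: [1.1] grsec: more alerts, logging disabled for 10 seconds",
]

def boundary_label(value):
    """Name the value if it lies within 2 of a 31/32/63/64-bit boundary."""
    for bits in (31, 32, 63, 64):
        delta = (1 << bits) - value
        if 0 <= delta <= 2:
            return f"2^{bits}-{delta}" if delta else f"2^{bits}"
    return None

def summarize(lines):
    """Group denied requests by (process name, pid, resource)."""
    out = defaultdict(list)
    for line in lines:
        m = OVERSTEP.search(line)
        if not m:
            continue  # rate-limit notices and unrelated kernel messages
        req = int(m["req"])
        out[(m["comm"], int(m["pid"]), m["res"])].append(
            {"requested": req, "limit": int(m["limit"]),
             "boundary": boundary_label(req)})
    return dict(out)

def suppressed(lines):
    """True if grsec disabled logging, so the capture is incomplete."""
    return any("grsec: more alerts, logging disabled" in l for l in lines)

if __name__ == "__main__":
    for key, events in summarize(SAMPLE).items():
        print(key, events)
    print("incomplete capture:", suppressed(SAMPLE))
```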
Comment 11 Nikoli 2013-07-05 22:07:00 UTC
The problem is still here for libvirt-1.1.0. If it is hard to fix, please disable this test with USE hardened or pax_kernel. All other tests work fine and I would like to run them.
Comment 12 Doug Goldstein (RETIRED) gentoo-dev 2013-07-06 19:43:46 UTC
(In reply to Nikoli from comment #11)
> The problem is still here for libvirt-1.1.0, if it is hard to fix, please
> disable this test with USE hardened or pax_kernel. All other tests work fine
> and I would like to run them.

It's not a hard fix. I need more debugging info, as I requested and haven't gotten. I don't have any hardened systems set up, so I can't get that info myself.

If you're volunteering to do it, that'd be great.
Comment 13 Nikoli 2013-07-06 19:51:55 UTC
I have a hardened system with libvirtd installed and would like to help. Output of which commands do you want to see?
Comment 14 Markus Walter 2013-12-21 09:48:51 UTC
(In reply to Doug Goldstein from comment #10)
> For some background, it appears that the stock hardened/grsec configuration
> is to limit a process to a hard limit of 1024 opened files. Which is
> reasonable. grsec is thinking that the processes blocked want (2^32)-1 and
> (2^64)-2 files opened which exceeds the limit. These numbers are a bit too
> conspicuous to discount. Granted these are all configure checks and not the
> actual test-poll process because logging was disabled. So the reality is
> that hardened needs to let me know how to handle this from a configure side
> as well.

I just retested this with libvirt-1.2.0 and the situation seems to be unchanged. I'm unsure as to what to do now (as in I don't understand what you request).
Comment 15 Matthias Maier gentoo-dev 2016-08-16 08:01:58 UTC
I will close as obsolete. If the problem persists with current 2.1.0-r2, please reopen.