Created attachment 302355 [details] build log On my hardened ~amd64 machine with gcc-4.6.2 procps fails a lot of tests.
Created attachment 302357 [details] emerge --info
I found the following lines in grsec.log corresponding to the test failure of procps. Feb 18 14:59:55 localhost kernel: [1439677.980286] grsec: Segmentation fault occurred at fffffffffffffff0 in /var/tmp/portage/sys-process/procps-3.3.2_p2-r1/work/procps-ng-3.3.2/.libs/vmstat[vmstat:17873] uid/euid:250/250 gid/egid:250/250, parent /usr/bin/expect[expect:17697] uid/euid:250/250 gid/egid:250/250 Feb 18 14:59:55 localhost kernel: [1439677.980300] grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /var/tmp/portage/sys-process/procps-3.3.2_p2-r1/work/procps-ng-3.3.2/.libs/vmstat[vmstat:17873] uid/euid:250/250 gid/egid:250/250, parent /usr/bin/expect[expect:17697] uid/euid:250/250 gid/egid:250/250 Feb 18 14:59:55 localhost kernel: [1439678.021391] grsec: Segmentation fault occurred at fffffffffffffff0 in /var/tmp/portage/sys-process/procps-3.3.2_p2-r1/work/procps-ng-3.3.2/.libs/vmstat[vmstat:17906] uid/euid:250/250 gid/egid:250/250, parent /usr/bin/expect[expect:17697] uid/euid:250/250 gid/egid:250/250 Feb 18 14:59:55 localhost kernel: [1439678.021405] grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /var/tmp/portage/sys-process/procps-3.3.2_p2-r1/work/procps-ng-3.3.2/.libs/vmstat[vmstat:17906] uid/euid:250/250 gid/egid:250/250, parent /usr/bin/expect[expect:17697] uid/euid:250/250 gid/egid:250/250
Created attachment 312407 [details] build log for procps-3.3.3 An update on this: I see far less failing test with procps-3.3.3.
Created attachment 312519 [details] build log similar here at an unstable x86 user mode linux image
3.3.4 passes tests for me
For me the error is unchanged with procps-3.4.2.
(In reply to comment #6) > For me the error is unchanged with procps-3.4.2. Ignore that, for me 3.3.4 passes tests too.
Created attachment 341080 [details] emerge --info I also have the pmap test fail with: FAIL: pmap extended output (header) This looks like a hardened issue to me. Neither removing all CFLAGS nor using FEATURES="-userpriv" helped.
Oh, I should mention that this is version 3.3.4 (which apparently worked for Markus?).
This is a strange error. I reran and saw the the same errors as in the original report. Also no notable entries in grsec.log (besides two segfaults).
I still get fails with procps-3.3.4. The "pmap" test fails while trying to run "pmap -x <PID>". strace of that shows that pmap cannot open /proc/PID/smaps. This is indeed missing on both my systems (hardened and not). It is missing because CONFIG_PROC_PAGE_MONITOR is not set in kernel (see /usr/src/linux/fs/proc/Kconfig). Please, confirm normal function of the pmap test with CONFIG_PROC_PAGE_MONITOR on your system. The testsuite should probably skip the test when smaps is not available. I'm letting the core team know first; I don't know if this is something to talk to the upstream about (??). The "lib" test fails because a file is missing in the original procps-ng package. This has been fixed in 3.3.6. I can confirm normal function of the test there. I'm filing a bug requesting version bump. The "pmap" test fails even in 3.3.6. I still get fails on the "ps", "pgrep" and "pkill" tests: ERROR: not a tty child process exited abnormally while executing "exec tty "
3.3.6 in portage with this fixed, and 3.3.4 has this now restricted
I just want to note that CONFIG_PROC_PAGE_MONITOR depends on !GRKERNSEC, so this *is* in fact an incompatibility with Grsecurity.
(In reply to comment #13) > I just want to note that CONFIG_PROC_PAGE_MONITOR depends on !GRKERNSEC, so > this *is* in fact an incompatibility with Grsecurity. You are right. I only took one of the errors mentioned here into account.
I also didn't have CONFIG_PROC_PAGE_MONITOR=y in a non-hardened kernel with CONFIG_EXPERT=y.
(The point being it's not enought to check for grsec if that's the plan now.)
Created attachment 345444 [details] build log I do not have a hardened system but these tests fails here at an unstable 32 bit Gentoo : FAIL: pmap extra extended output (footer) FAIL: pmap X with unreachable process FAIL: pmap XX with unreachable process zgrep -e CONFIG_EXPERT -e CONFIG_PROC_PAGE_MONITOR /proc/config.gz # CONFIG_EXPERT is not set CONFIG_PROC_PAGE_MONITOR=y
Please post all 6 files created by these commands (from procps-3.3.6, run as root): strace -o pmap1-str pmap -X $BASHPID &>pmap1-out strace -o pmap2-str pmap -X 1 &>pmap2-out strace -o pmap3-str pmap -XX 1 &>pmap3-out If you don't run bash, substitute $BASHPID with a PID of some other common process.
Created attachment 353422 [details] pmap1-out
Created attachment 353424 [details] pmap1-str
Created attachment 353426 [details] pmap2-out
Created attachment 353428 [details] pmap2-str
Created attachment 353430 [details] pmap3-out
Created attachment 353432 [details] pmap3-str
(In reply to Roman Žilka from comment #18) > Please post all 6 files created by these commands (from procps-3.3.6, run as > root): > > strace -o pmap1-str pmap -X $BASHPID &>pmap1-out > strace -o pmap2-str pmap -X 1 &>pmap2-out > strace -o pmap3-str pmap -XX 1 &>pmap3-out I've attached these (ran as user, oops). procps-3.3.6. There is an interesting thing in pmap1-out: pmap: Unknown format in smaps file! Just in case, I'm running 3.8.13-gentoo kernel on 32-bit system, CONFIG_PROC_PAGE_MONITOR=y .
FAIL: pmap X with unreachable process FAIL: pmap XX with unreachable process These two will fail even with CONFIG_PROC_PAGE_MONITOR=y if you're using FEATURES=userpriv, probably because the portage user doesn't have read access to /proc/<pid>/smaps.
upstream has 92071e963e6ff50f0e221dde286f3229267b2ff9 which fixes at least the latest error. i'm going to push that and close out this bug. if people are still seeing problems, lets start a new one as i suspect this has more than one issue squashed in it at this point. https://gitlab.com/procps-ng/procps/commit/92071e963e6ff50f0e221dde286f3229267b2ff9
should be all set now in the tree; thanks for the report! Commit message: Fix pmap test when running under restrictive kernel/user settings http://sources.gentoo.org/sys-process/procps/files/procps-3.3.10-pmap-unreadable.patch?rev=1.1 http://sources.gentoo.org/sys-process/procps/procps-3.3.10-r1.ebuild?r1=1.1&r2=1.2
