Created attachment 367840 [details] build.log

On the hardened profile the ifstat program doesn't include the "proc" driver.

emerged version:

ifstat -v
ifstat version 1.1.
Copyright (C) 2001-2003, Gaël Roualland <gael.roualland@dial.oleane.com>
Compiled-in drivers: .

With a manual build it does.

manual build:

./ifstat -v
ifstat version 1.1.
Copyright (C) 2001-2003, Gaël Roualland <gael.roualland@dial.oleane.com>
Compiled-in drivers: proc.

/proc/net/dev is available to a normal user:

$ ls -laF /proc/net/dev
-r--r--r-- 1 root wheel 0 Jan 14 17:11 /proc/net/dev
$ cat /proc/net/dev
Inter-| Receive | Transmit
 face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed
  eth0: 496494965 7294182 0 270300 0 0 0 0 395081727 3696689 0 0 0 0 0 0
    lo: 83017933 964304 0 0 0 0 0 0 83017933 964304 0 0 0 0 0 0

emerge --info
Portage 2.2.7 (hardened/linux/amd64, gcc-4.7.3, glibc-2.16.0, 3.10.1-hardened-r1 x86_64)
=================================================================
System uname: Linux-3.10.1-hardened-r1-x86_64-Intel-R-_Xeon-R-_CPU_E5-2620_0_@_2.00GHz-with-gentoo-2.2
KiB Mem: 5006360 total, 4523316 free
KiB Swap: 0 total, 0 free
Timestamp of tree: Mon, 23 Dec 2013 04:45:01 +0000
ld GNU ld (GNU Binutils) 2.23.2
app-shells/bash: 4.2_p45
dev-lang/python: 2.7.5-r3, 3.3.2-r2
dev-util/pkgconfig: 0.28
sys-apps/baselayout: 2.2
sys-apps/openrc: 0.12.4
sys-apps/sandbox: 2.6-r1
sys-devel/autoconf: 2.69
sys-devel/automake: 1.13.4
sys-devel/binutils: 2.23.2
sys-devel/gcc: 4.7.3-r1
sys-devel/gcc-config: 1.7.3
sys-devel/libtool: 2.4.2
sys-devel/make: 3.82-r4
sys-kernel/linux-headers: 3.9 (virtual/os-headers)
sys-libs/glibc: 2.16.0
Repositories: gentoo
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="*"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-mtune=native -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /var/bind"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-mtune=native -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://tux.rainside.sk/gentoo/ http://gentoo.wheel.sk/"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j6"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
USE="acl amd64 berkdb bindist bzip2 cli cracklib crypt cxx dri gdbm hardened iconv justify mmx modules mudflap multilib ncurses nls nptl openmp pam pax_kernel pcre readline session sse sse2 ssl tcpd unicode urandom zlib"
ABI_X86="64"
ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci"
APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias"
CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author"
CAMERAS="ptp2"
COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog"
ELIBC="glibc"
GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ublox ubx"
INPUT_DEVICES="keyboard mouse evdev"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer"
NGINX_MODULES_HTTP="access charset gzip limit_conn limit_req log proxy rewrite"
OFFICE_IMPLEMENTATION="libreoffice"
PHP_TARGETS="php5-5"
PYTHON_SINGLE_TARGET="python2_7"
PYTHON_TARGETS="python2_7 python3_3"
RUBY_TARGETS="ruby19 ruby18"
USERLAND="GNU"
VIDEO_CARDS="fbdev glint intel mach64 mga nouveau nv r128 radeon savage sis tdfx trident vesa via vmware dummy v4l"
XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON
Created attachment 367842 [details] manual_build.log
The manual build works because it is compiled as a user in the wheel group, which is exempt from the grsec /proc protection and so has access to /proc/net/dev.

CONFIG_GRKERNSEC_PROC_GID=10
CONFIG_GRKERNSEC_PROC=y
CONFIG_GRKERNSEC_PROC_USERGROUP=y

The portage user under which packages are emerged doesn't have that access. Is it possible to add RESTRICT="userpriv" into the ebuild to avoid this problem, or is there any better way to do that?

# diff -u /usr/portage/net-analyzer/ifstat/ifstat-1.1-r2.ebuild ifstat-1.1-r3.ebuild
--- /usr/portage/net-analyzer/ifstat/ifstat-1.1-r2.ebuild 2013-12-22 13:31:24.000000000 +0100
+++ ifstat-1.1-r3.ebuild 2014-01-14 18:07:12.112737107 +0100
@@ -14,6 +14,7 @@
 SLOT="0"
 LICENSE="GPL-2"
 KEYWORDS="~alpha amd64 hppa ~mips ppc ppc64 sparc x86"
+RESTRICT="userpriv"
 DEPEND="snmp? ( >=net-analyzer/net-snmp-5.0 )"
 RDEPEND="${DEPEND}"
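Review bot: RESTRICT="userpriv" in this hunk makes the entire build of ifstat run as root to satisfy a single configure probe, which is the wrong layer for the fix. The probe only tests whether the build user can read /proc/net/dev at compile time; that says nothing about whether the proc driver will work for whoever runs ifstat later, and giving up the unprivileged build user for the whole src_compile of a network tool is a bigger change than the bug needs. Keep userpriv and instead make the proc driver selection independent of read access during configure (a configure argument forcing the driver, or a patch to the probe itself).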
At a guess, the configure script is checking for read access to /proc/net/dev, and the portage user does not have access to it (while root would)?
Index: ifstat-1.1-r2.ebuild
===================================================================
RCS file: /var/cvsroot/gentoo-x86/net-analyzer/ifstat/ifstat-1.1-r2.ebuild,v
retrieving revision 1.8
diff -u -B -r1.8 ifstat-1.1-r2.ebuild
--- ifstat-1.1-r2.ebuild 22 Dec 2013 12:05:26 -0000 1.8
+++ ifstat-1.1-r2.ebuild 15 Jan 2014 15:38:18 -0000
@@ -26,5 +26,5 @@
 }

 src_configure() {
- econf $(use_with snmp)
+ econf $(use_with snmp) --with-proc
 }

Does it work when you force it with this patch?
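Review bot: passing --with-proc in src_configure only helps if configure lets the explicit option override its own probe; the thread identifies that probe as `grep -q Inter- /proc/net/dev`, and if the probe result still decides which drivers are compiled in, this flag is a no-op for the portage user on a grsec kernel. Before relying on this, check config.log for the proc driver test after applying the hunk; if the probe still wins, the probe in configure needs patching rather than the econf invocation.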
The test in question is: grep -q Inter- /proc/net/dev
(In reply to Jeroen Roovers from comment #4)
> Index: ifstat-1.1-r2.ebuild
> ===================================================================
> RCS file: /var/cvsroot/gentoo-x86/net-analyzer/ifstat/ifstat-1.1-r2.ebuild,v
> retrieving revision 1.8
> diff -u -B -r1.8 ifstat-1.1-r2.ebuild
> --- ifstat-1.1-r2.ebuild 22 Dec 2013 12:05:26 -0000 1.8
> +++ ifstat-1.1-r2.ebuild 15 Jan 2014 15:38:18 -0000
> @@ -26,5 +26,5 @@
> }
>
> src_configure() {
> - econf $(use_with snmp)
> + econf $(use_with snmp) --with-proc
> }
>
>
> Does it work when you force it with this patch?

No, this doesn't work.
(In reply to Tomas Mozes from comment #6)
> No, this doesn't work.

Why? Please attach the config.log file located in the build directory.
Created attachment 368040 [details] config.log
Created attachment 368042 [details] build.log
(In reply to Jeroen Roovers from comment #7)
> (In reply to Tomas Mozes from comment #6)
> > No, this doesn't work.
>
> Why? Please attach the config.log file located in the build directory.

Maybe because `grep -q Inter- /proc/net/dev` fails. A non-privileged user cannot read from /proc/net/dev on hardened with /proc limitations.
Created attachment 368092 [details, diff] ifstat-1.1-hardened.patch

Does it work with this patch?
(In reply to Jeroen Roovers from comment #11)
> Created attachment 368092 [details, diff]
> ifstat-1.1-hardened.patch
>
> Does it work with this patch?

Yes, this works. Why is this approach better than compiling with root?
(In reply to Tomas Mozes from comment #12)
> (In reply to Jeroen Roovers from comment #11)
> > Created attachment 368092 [details, diff]
> > ifstat-1.1-hardened.patch
> >
> > Does it work with this patch?
>
> Yes, this works. Why is this approach better than compiling with root?

Because having read access on /proc/net/dev at compile time is not a good test to begin with. The patch is now in CVS. Thanks for the report!
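To make the point above concrete, here is an added example (not ifstat's code and not the attached ifstat-1.1-hardened.patch, whose contents are not shown in this bug) that reproduces the configure probe and contrasts it with a runtime read. The sample /proc/net/dev text is the reporter's output from this bug; the `open_denied` opener is an assumption standing in for the grsecurity CONFIG_GRKERNSEC_PROC_USERGROUP denial that a script cannot trigger on its own. It shows that the compile-time probe silently drops the driver for a build user outside the proc GID, while a driver that is always compiled in and checks access when it runs fails loudly only for the user actually lacking access.

```python
"""Compile-time /proc read probe versus runtime access check.

Added example for the ifstat bug discussion; not ifstat's code and not the
Gentoo patch. SAMPLE_PROC_NET_DEV is copied from the bug report.
"""
import io


# Constructed sample: the header and data lines pasted in the report.
SAMPLE_PROC_NET_DEV = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
  eth0: 496494965 7294182    0  270300    0     0          0         0 395081727 3696689    0    0    0     0       0          0
    lo: 83017933  964304    0    0    0     0          0         0 83017933  964304    0    0    0     0       0          0
"""


def open_readable(path):
    """Opener for an unrestricted /proc: hands back the sample text."""
    return io.StringIO(SAMPLE_PROC_NET_DEV)


def open_denied(path):
    """Assumed stand-in for grsec PROC_USERGROUP: the build user (e.g. portage)
    is outside CONFIG_GRKERNSEC_PROC_GID and the open is refused."""
    raise PermissionError(13, "Permission denied", path)


def configure_probe(opener, path="/proc/net/dev"):
    """Equivalent of configure's `grep -q Inter- /proc/net/dev`.

    True only if the user running configure can read the file right now,
    which is what decided whether the proc driver was compiled in.
    """
    try:
        with opener(path) as fh:
            return any("Inter-" in line for line in fh)
    except OSError:
        return False


def parse_proc_net_dev(text):
    """Parse /proc/net/dev into {iface: (rx_bytes, tx_bytes)}.

    Layout: two header lines, then "<iface>: <8 receive fields> <8 transmit fields>".
    """
    counters = {}
    for line in text.splitlines()[2:]:
        if ":" not in line:
            continue
        iface, _, rest = line.partition(":")
        fields = rest.split()
        if len(fields) < 16:
            raise ValueError("malformed /proc/net/dev line: %r" % line)
        counters[iface.strip()] = (int(fields[0]), int(fields[8]))
    return counters


def read_counters(opener, path="/proc/net/dev"):
    """Runtime read: the driver is always built; access is checked when it runs."""
    try:
        with opener(path) as fh:
            return parse_proc_net_dev(fh.read())
    except PermissionError:
        raise RuntimeError(
            "%s is not readable by this user; on a grsecurity kernel with "
            "CONFIG_GRKERNSEC_PROC_USERGROUP run as root or as a member of the "
            "CONFIG_GRKERNSEC_PROC_GID group" % path
        )


if __name__ == "__main__":
    print("probe as wheel user:", configure_probe(open_readable))
    print("probe as portage user:", configure_probe(open_denied))
    print("runtime counters:", read_counters(open_readable))
```

Run against a real kernel, `configure_probe(open)` gives the same answer the ebuild got: True for a wheel user and False for portage, so the build result depends on who ran emerge rather than on the target system. `read_counters(open)` moves that decision to the user who actually runs ifstat, which is the property the maintainer's reply is asking for.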
Thanks for the patch.