Bug 498074 - net-analyzer/ifstat-1.1-r2 proc driver not compiled on hardened
Summary: net-analyzer/ifstat-1.1-r2 proc driver not compiled on hardened
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Jeroen Roovers (RETIRED)
URL:
Whiteboard:
Keywords: PATCH
Depends on:
Blocks:
 
Reported: 2014-01-14 16:18 UTC by John Default
Modified: 2014-01-19 17:01 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
build.log (6.62 KB, text/plain), 2014-01-14 16:18 UTC, John Default
manual_build.log (1.74 KB, text/plain), 2014-01-14 16:19 UTC, John Default
config.log (77.02 KB, text/plain), 2014-01-17 20:17 UTC, Tomáš Mózes
build.log (8.79 KB, text/plain), 2014-01-17 20:18 UTC, Tomáš Mózes
ifstat-1.1-hardened.patch (416 bytes, patch), 2014-01-18 15:11 UTC, Jeroen Roovers (RETIRED)

Description John Default 2014-01-14 16:18:43 UTC
Created attachment 367840 [details]
build.log

On the hardened profile, the ifstat program doesn't include the "proc" driver.

emerged version:

ifstat -v
ifstat version 1.1.
Copyright (C) 2001-2003, Gaël Roualland <gael.roualland@dial.oleane.com>
Compiled-in drivers: .

With a manual build it does.

manual build: 

./ifstat -v
ifstat version 1.1.
Copyright (C) 2001-2003, Gaël Roualland <gael.roualland@dial.oleane.com>
Compiled-in drivers: proc.

/proc/net/dev is available to a normal user:

$ ls -laF /proc/net/dev  
-r--r--r-- 1 root wheel 0 Jan 14 17:11 /proc/net/dev

$ cat /proc/net/dev
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
  eth0: 496494965 7294182    0 270300    0     0          0         0 395081727 3696689    0    0    0     0       0          0
    lo: 83017933  964304    0    0    0     0          0         0 83017933  964304    0    0    0     0       0          0

emerge --info
Portage 2.2.7 (hardened/linux/amd64, gcc-4.7.3, glibc-2.16.0, 3.10.1-hardened-r1 x86_64)
=================================================================
System uname: Linux-3.10.1-hardened-r1-x86_64-Intel-R-_Xeon-R-_CPU_E5-2620_0_@_2.00GHz-with-gentoo-2.2
KiB Mem:     5006360 total,   4523316 free
KiB Swap:          0 total,         0 free
Timestamp of tree: Mon, 23 Dec 2013 04:45:01 +0000
ld GNU ld (GNU Binutils) 2.23.2
app-shells/bash:          4.2_p45
dev-lang/python:          2.7.5-r3, 3.3.2-r2
dev-util/pkgconfig:       0.28
sys-apps/baselayout:      2.2
sys-apps/openrc:          0.12.4
sys-apps/sandbox:         2.6-r1
sys-devel/autoconf:       2.69
sys-devel/automake:       1.13.4
sys-devel/binutils:       2.23.2
sys-devel/gcc:            4.7.3-r1
sys-devel/gcc-config:     1.7.3
sys-devel/libtool:        2.4.2
sys-devel/make:           3.82-r4
sys-kernel/linux-headers: 3.9 (virtual/os-headers)
sys-libs/glibc:           2.16.0
Repositories: gentoo
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="*"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-mtune=native -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /var/bind"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-mtune=native -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://tux.rainside.sk/gentoo/ http://gentoo.wheel.sk/"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j6"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
USE="acl amd64 berkdb bindist bzip2 cli cracklib crypt cxx dri gdbm hardened iconv justify mmx modules mudflap multilib ncurses nls nptl openmp pam pax_kernel pcre readline session sse sse2 ssl tcpd unicode urandom zlib" ABI_X86="64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" NGINX_MODULES_HTTP="access charset gzip limit_conn limit_req log proxy rewrite" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-5" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_3" RUBY_TARGETS="ruby19 ruby18" USERLAND="GNU" VIDEO_CARDS="fbdev glint intel mach64 mga nouveau nv r128 radeon savage sis tdfx trident vesa via vmware dummy v4l" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON
Comment 1 John Default 2014-01-14 16:19:08 UTC
Created attachment 367842 [details]
manual_build.log
Comment 2 John Default 2014-01-14 17:16:38 UTC
The manual build is working because it is compiled under a user in the wheel group, which is excluded from the grsec /proc protection and so has access to /proc/net/dev.

CONFIG_GRKERNSEC_PROC_GID=10
CONFIG_GRKERNSEC_PROC=y
CONFIG_GRKERNSEC_PROC_USERGROUP=y

The portage user under which packages are emerged doesn't have that access.

Is it possible to add RESTRICT="userpriv" into ebuild to avoid this problem or is there any better way to do that?


# diff -u /usr/portage/net-analyzer/ifstat/ifstat-1.1-r2.ebuild ifstat-1.1-r3.ebuild
--- /usr/portage/net-analyzer/ifstat/ifstat-1.1-r2.ebuild 2013-12-22 13:31:24.000000000 +0100
+++ ifstat-1.1-r3.ebuild        2014-01-14 18:07:12.112737107 +0100
@@ -14,6 +14,7 @@
 SLOT="0"
 LICENSE="GPL-2"
 KEYWORDS="~alpha amd64 hppa ~mips ppc ppc64 sparc x86"
+RESTRICT="userpriv"

 DEPEND="snmp? ( >=net-analyzer/net-snmp-5.0 )"
 RDEPEND="${DEPEND}"
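Review bot: RESTRICT="userpriv" switches off the userpriv feature for everyone who installs this ebuild, not only on hardened profiles, so every build of ifstat would run as root to get a single configure probe past the grsecurity /proc restriction. That widens what the build can touch and leaves the real defect in place: configure deciding driver availability from whether the building account can read /proc/net/dev (the `grep -q Inter- /proc/net/dev` test quoted in comment 5), which is a property of the build user rather than of the target system. Prefer fixing the probe, or passing configure an explicit switch, over dropping privilege separation for the whole build.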
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2014-01-15 15:38:10 UTC
At a guess, the configure script is checking for read access to /proc/net/dev, and the portage user does not have access to it (while root would)?
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2014-01-15 15:38:37 UTC
Index: ifstat-1.1-r2.ebuild
===================================================================
RCS file: /var/cvsroot/gentoo-x86/net-analyzer/ifstat/ifstat-1.1-r2.ebuild,v
retrieving revision 1.8
diff -u -B -r1.8 ifstat-1.1-r2.ebuild
--- ifstat-1.1-r2.ebuild        22 Dec 2013 12:05:26 -0000      1.8
+++ ifstat-1.1-r2.ebuild        15 Jan 2014 15:38:18 -0000
@@ -26,5 +26,5 @@
 }
 
 src_configure() {
-       econf $(use_with snmp)
+       econf $(use_with snmp) --with-proc
 }
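Review bot: before relying on `econf $(use_with snmp) --with-proc`, confirm that configure treats --with-proc as "enable unconditionally" and not as "also run the probe": if the script still executes the `grep -q Inter- /proc/net/dev` test (comment 5) after the switch, the flag changes nothing under the restricted /proc and the driver is still dropped. A patch to the probe itself, deciding on the target kernel rather than on read access, would hold for any build user.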


Does it work when you force it with this patch?
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2014-01-15 15:40:14 UTC
The test in question is:

    grep -q Inter- /proc/net/dev
Comment 6 Tomáš Mózes 2014-01-16 18:11:49 UTC
(In reply to Jeroen Roovers from comment #4)
> Index: ifstat-1.1-r2.ebuild
> ===================================================================
> RCS file: /var/cvsroot/gentoo-x86/net-analyzer/ifstat/ifstat-1.1-r2.ebuild,v
> retrieving revision 1.8
> diff -u -B -r1.8 ifstat-1.1-r2.ebuild
> --- ifstat-1.1-r2.ebuild        22 Dec 2013 12:05:26 -0000      1.8
> +++ ifstat-1.1-r2.ebuild        15 Jan 2014 15:38:18 -0000
> @@ -26,5 +26,5 @@
>  }
>  
>  src_configure() {
> -       econf $(use_with snmp)
> +       econf $(use_with snmp) --with-proc
>  }
> 
> 
> Does it work when you force it with this patch?

No, this doesn't work.
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2014-01-17 15:05:44 UTC
(In reply to Tomas Mozes from comment #6)
> No, this doesn't work.

Why? Please attach the config.log file located in the build directory.
Comment 8 Tomáš Mózes 2014-01-17 20:17:05 UTC
Created attachment 368040 [details]
config.log
Comment 9 Tomáš Mózes 2014-01-17 20:18:12 UTC
Created attachment 368042 [details]
build.log
Comment 10 Tomáš Mózes 2014-01-17 20:21:38 UTC
(In reply to Jeroen Roovers from comment #7)
> (In reply to Tomas Mozes from comment #6)
> > No, this doesn't work.
> 
> Why? Please attach the config.log file located in the build directory.

Maybe because `grep -q Inter- /proc/net/dev` fails. A non-privileged user cannot read from /proc/net/dev on hardened with /proc limitations.
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2014-01-18 15:11:20 UTC
Created attachment 368092 [details, diff]
ifstat-1.1-hardened.patch

Does it work with this patch?
Comment 12 Tomáš Mózes 2014-01-19 12:14:02 UTC
(In reply to Jeroen Roovers from comment #11)
> Created attachment 368092 [details, diff]
> ifstat-1.1-hardened.patch
> 
> Does it work with this patch?

Yes, this works. Why is this approach better than compiling with root?
Comment 13 Jeroen Roovers (RETIRED) gentoo-dev 2014-01-19 12:27:07 UTC
(In reply to Tomas Mozes from comment #12)
> (In reply to Jeroen Roovers from comment #11)
> > Created attachment 368092 [details, diff]
> > ifstat-1.1-hardened.patch
> > 
> > Does it work with this patch?
> 
> Yes, this works. Why is this approach better than compiling with root?

Because having read access on /proc/net/dev at compile time is not a good test to begin with.

The patch is now in CVS. Thanks for the report!
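The failure mode discussed in this thread, as an added example that is not part of the bug report, the ifstat sources, or the Gentoo ebuild: a POSIX sh script that puts the configure probe quoted in comment 5 next to a build-time decision that never reads /proc, and next to a run-time check that tells "no proc tree" apart from "exists but unreadable for this user". The function names, the handling of the --with-proc switch from comment 4 as an override, and the sample /proc/net/dev contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from ifstat or the Gentoo ebuild. Shows why a
# configure probe that reads /proc/net/dev misfires under grsecurity's
# /proc restrictions, and what a probe that does not depend on the
# building user's privileges looks like.

# The original probe (comment 5): passes only if the user running
# configure can read the file. With CONFIG_GRKERNSEC_PROC_USERGROUP the
# portage user cannot, so the proc driver silently drops out of the build
# even though root and wheel users could use it at run time.
probe_by_reading() {
    grep -q Inter- "${1:-/proc/net/dev}" 2>/dev/null
}

# Build-time decision that does not touch /proc at all: the proc driver
# is a Linux interface, so choose on the target kernel name, and let an
# explicit switch win. Echoes "yes" or "no".
#   $1 = kernel name (defaults to uname -s)
#   $2 = optional override, modelled on the --with-proc switch from
#        comment 4 (treating it as an override is an assumption)
decide_proc_driver() {
    kernel="${1:-$(uname -s)}"
    override="${2:-}"
    case "$override" in
        --with-proc)    echo yes; return 0 ;;
        --without-proc) echo no;  return 0 ;;
    esac
    case "$kernel" in
        Linux) echo yes ;;
        *)     echo no ;;
    esac
}

# Run-time check for the installed program. Distinct return codes let the
# caller (or a log line) say why the proc driver is unavailable:
#   0 usable, 2 no such file, 3 exists but unreadable for this user,
#   4 readable but not in the Linux /proc/net/dev format.
runtime_proc_status() {
    f="${1:-/proc/net/dev}"
    [ -e "$f" ] || return 2
    [ -r "$f" ] || return 3
    grep -q Inter- "$f" 2>/dev/null || return 4
    return 0
}

# Constructed stand-in for /proc/net/dev (same layout as the report's
# listing) so the script runs offline and as any user. Echoes its path.
make_sample_dev() {
    tmp=$(mktemp) || return 1
    printf '%s\n' \
        'Inter-|   Receive                                                |  Transmit' \
        ' face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed' \
        '  eth0: 496494965 7294182    0 270300    0     0          0         0 395081727 3696689    0    0    0     0       0          0' \
        > "$tmp"
    echo "$tmp"
}

# Stand-alone demonstration.
sample=$(make_sample_dev)
echo "build decision on Linux:           $(decide_proc_driver Linux)"
echo "build decision on FreeBSD:         $(decide_proc_driver FreeBSD)"
echo "build decision forced --with-proc: $(decide_proc_driver FreeBSD --with-proc)"
runtime_proc_status "$sample" && echo "runtime: sample readable and in proc format"
runtime_proc_status /nonexistent/net/dev || echo "runtime: no proc tree (rc=$?)"
rm -f "$sample"
```

The point of the split is the one Jeroen makes in comment 13: whether the build account can read a kernel-provided file says nothing about the machine the binary will run on, so the build should decide on the target, and the installed program should report a permission problem (return code 3 above) instead of pretending the driver does not exist.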
Comment 14 Tomáš Mózes 2014-01-19 17:01:22 UTC
Thanks for the patch.