Bug 513690 - Current AMD64 hardened stage3 contains /dev entries
Summary: Current AMD64 hardened stage3 contains /dev entries
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Release Media
Classification: Unclassified
Component: Stages
Hardware: AMD64 Linux
Importance: Normal major
Assignee: Gentoo Release Team
URL: http://distfiles.gentoo.org/releases/...
Reported: 2014-06-18 13:50 UTC by Sebastián Magrí
Modified: 2014-06-18 16:59 UTC

Description Sebastián Magrí 2014-06-18 13:50:06 UTC
The latest stages for AMD64 are broken. They contain /dev entries, making them impossible to extract.

Reproducible: Always

Steps to Reproduce:
1. Download the latest stage3 for hardened AMD64
2. Try to extract the file

Actual Results:  
tar: ./dev/sdc11: Cannot mknod: Operation not permitted
tar: ./dev/hda8: Cannot mknod: Operation not permitted
tar: ./dev/tty21: Cannot mknod: Operation not permitted
tar: ./dev/sda7: Cannot mknod: Operation not permitted
tar: ./dev/sdb15: Cannot mknod: Operation not permitted
tar: ./dev/hda17: Cannot mknod: Operation not permitted
tar: ./dev/tty54: Cannot mknod: Operation not permitted
tar: ./dev/sdb: Cannot mknod: Operation not permitted
tar: ./dev/full: Cannot mknod: Operation not permitted
tar: ./dev/sdb12: Cannot mknod: Operation not permitted
tar: ./dev/hda31: Cannot mknod: Operation not permitted
tar: ./dev/sda5: Cannot mknod: Operation not permitted
tar: ./dev/sdb10: Cannot mknod: Operation not permitted
tar: ./dev/sdd12: Cannot mknod: Operation not permitted
tar: ./dev/tty33: Cannot mknod: Operation not permitted
tar: ./dev/hda3: Cannot mknod: Operation not permitted
tar: ./dev/sdb7: Cannot mknod: Operation not permitted
tar: ./dev/tty51: Cannot mknod: Operation not permitted
tar: ./dev/hda23: Cannot mknod: Operation not permitted
tar: ./dev/sdd4: Cannot mknod: Operation not permitted
tar: ./dev/tty20: Cannot mknod: Operation not permitted
tar: ./dev/tty48: Cannot mknod: Operation not permitted
tar: ./dev/sdc12: Cannot mknod: Operation not permitted
tar: ./dev/sda13: Cannot mknod: Operation not permitted
tar: ./dev/sdb4: Cannot mknod: Operation not permitted
tar: ./dev/tty10: Cannot mknod: Operation not permitted
tar: ./dev/sda15: Cannot mknod: Operation not permitted
tar: ./dev/sdd1: Cannot mknod: Operation not permitted
tar: ./dev/sdb14: Cannot mknod: Operation not permitted
tar: ./dev/sdb11: Cannot mknod: Operation not permitted
tar: ./dev/tty12: Cannot mknod: Operation not permitted
tar: ./dev/tty63: Cannot mknod: Operation not permitted
tar: ./dev/sdc13: Cannot mknod: Operation not permitted
tar: ./dev/hda24: Cannot mknod: Operation not permitted
tar: ./dev/hda13: Cannot mknod: Operation not permitted
tar: ./dev/sdb5: Cannot mknod: Operation not permitted
tar: ./dev/hda11: Cannot mknod: Operation not permitted
tar: Exiting with failure status due to previous errors

Expected Results:  
Successful extraction
Comment 1 Sebastián Magrí 2014-06-18 13:52:25 UTC
Sorry for the localized output in the actual results, that actually means "Cannot mknod: Operation not permitted".

Regards,
Comment 2 Jorge Manuel B. S. Vicetto (RETIRED) Gentoo Infrastructure gentoo-dev 2014-06-18 15:42:56 UTC
What CD are you using? I assume you're using the admin-cd.
The stages are not broken. If you're using the admin-cd, this is the result of some hardened features being enabled in the admin-cd that prevent running mknod.
If you're using the admin-cd, please give me the complete ISO name.
Comment 3 Sebastián Magrí 2014-06-18 16:31:12 UTC
(In reply to Jorge Manuel B. S. Vicetto from comment #2)
> What CD are you using? I assume you're using the admin-cd.
> The stages are not broken. If you're using the admin-cd, this is the result
> of some hardened features being enabled in the admin-cd that prevent running
> mknod.
> If you're using the admin-cd, please give me the complete ISO name.

Hi Jorge,

I'm actually getting this output in my Gentoo AMD64 Desktop (not hardened).

Just checked and this is also happening with i686 stages.

Should I ignore these messages then?

Regards,

P.S.: This is my emerge --info from the host machine

Portage 2.2.10 (default/linux/amd64/13.0/desktop/gnome/systemd, gcc-4.8.3, glibc-2.19-r1, 3.15.0-gentoo-r1 x86_64)
=================================================================
System uname: Linux-3.15.0-gentoo-r1-x86_64-Intel-R-_Core-TM-2_Quad_CPU_Q8200_@_2.33GHz-with-gentoo-2.2
KiB Mem:     4031768 total,    510324 free
KiB Swap:    4094972 total,   4093692 free
Timestamp of tree: Wed, 18 Jun 2014 02:30:01 +0000
ld GNU ld (GNU Binutils) 2.24
ccache version 3.1.9 [disabled]
app-shells/bash:          4.2_p47
dev-java/java-config:     2.2.0
dev-lang/python:          2.7.6-r1, 3.3.5, 3.4.0
dev-util/ccache:          3.1.9-r3
dev-util/cmake:           2.8.12.2-r1
dev-util/pkgconfig:       0.28-r1
sys-apps/baselayout:      2.2
sys-apps/openrc:          0.12.4
sys-apps/sandbox:         2.6-r1
sys-devel/autoconf:       2.13, 2.69
sys-devel/automake:       1.11.6, 1.12.6, 1.13.4, 1.14.1
sys-devel/binutils:       2.24-r3
sys-devel/gcc:            4.8.3
sys-devel/gcc-config:     1.8
sys-devel/libtool:        2.4.2-r1
sys-devel/make:           4.0-r1
sys-kernel/linux-headers: 3.15 (virtual/os-headers)
sys-libs/glibc:           2.19-r1
Repositories: gentoo sebasmagri sunrise emery local_overlay
Installed sets: @system
ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="* -@EULA Oracle-BCLA-JavaSE google-chrome google-talkplugin Google-TOS PUEL skype-4.0.0.7-copyright AdobeFlash-11.x"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe -march=core2 -O2"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.5/ext-active/ /etc/php/cgi-php5.5/ext-active/ /etc/php/cli-php5.5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-O2 -pipe -march=core2 -O2"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--keep-going --quiet-build=y"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch parallel-install preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="es_ES.UTF-8"
LC_ALL="es_ES.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed -Wl,-O1 -Wl,--hash-style=gnu -Wl,--as-needed"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/var/lib/layman/sebasmagri /var/lib/layman/sunrise /var/lib/layman/emery /usr/local/portage"
USE="X a52 aac acl acpi aio alsa amd64 android apache2 apng applet archive aufs avahi bash-completion berkdb branding bzip2 cairo cdda cdr cli clutter colord cracklib crypt cups curl cxx dbus dconf declarative device-mapper djvu dri dts dvd dvdr eds emacs emboss encode evo exif fam ffmpeg fftw firefox flac fontconfig fortran fuse gd gdal gdbm geoip geos gif gimp git glade glamor gmp gnome gnome-keyring gnome-online-accounts gnome-shell gnutls gold gphoto2 gpm graphviz grilo gstreamer gtk gtk3 http iconv icu imagemagick imap imlib inotify introspection iproute2 ipv6 jabber jack jingle jpeg jpeg2k lasdpa latex lcms ldap libffi libnotify libsamplerate libsecret llvm lm_sensors lua lxc lzma mad midi mms mmx mmxext mng modemmanager modules mp3 mp4 mpeg msn mtp multilib mysql nautilus ncurses networkmanager nls nptl nsplugin ntfs ogg openal opengl openmp openrc openvpn opus pam pango pch pcre pdf php plymouth png policykit postgres pulseaudio python qt3support qt4 readline samba scanner schroedinger sdl session sip slang smp smtp socialweb sound sourceview spell spice sqlite sqlite3 sse sse2 sse3 sse4 sse41 ssl ssse3 startup-notification subversion svg systemd t1lib taglib tcpd theora threads tiff timidity tracker truetype udev udisks unicode upnp upower usb uxa v4l vaapi vala vcd vdpau vhosts video vorbis vpx vte wayland webkit wmf wxwidgets x264 xattr xcb xcomposite xft xinerama xml xmlrpc xmp xpm xscreensaver xv xvid xvmc zeitgeist zlib" ABI_X86="64 32" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="alias auth_basic authn_file authn_core authz_core authz_host cache dav dir env mime mime_magic rewrite socache_shmcb unixd vhost_alias" APACHE2_MPMS="worker" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" CAMERAS="ptp2 samsung" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CURL_SSL="openssl" DRACUT_MODULES="systemd" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LINGUAS="es es_ES ve es_VE en" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-4" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_3" QEMU_SOFTMMU_TARGETS="i386 x86_64" QEMU_USER_TARGETS="i386 x86_64" RUBY_TARGETS="ruby19 ruby20" USERLAND="GNU" VIDEO_CARDS="intel i915" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
USE_PYTHON="2.7 3.3"
Unset:  CPPFLAGS, CTARGET, INSTALL_MASK, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, SYNC
Comment 4 Jorge Manuel B. S. Vicetto (RETIRED) Gentoo Infrastructure gentoo-dev 2014-06-18 16:59:15 UTC
(In reply to Sebastián Magrí from comment #3)
> (In reply to Jorge Manuel B. S. Vicetto from comment #2)
> > What CD are you using? I assume you're using the admin-cd.
> > The stages are not broken. If you're using the admin-cd, this is the result
> > of some hardened features being enabled in the admin-cd that prevent running
> > mknod.
> > If you're using the admin-cd, please give me the complete ISO name.
> 
> Hi Jorge,
> 
> I'm actually getting this output in my Gentoo AMD64 Desktop (not hardened).
> Just checked and this is also happening with i686 stages.
> Should I ignore this messages then?

If you want to be able to do an install under a hardened system, you need to "relax" some security restrictions.
The following are the restrictions we raise on our releng box:

echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chmod    # allow chmod/fchmod to set setuid/setgid bits inside a chroot
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mknod    # allow mknod of device nodes inside a chroot
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chroot   # allow chroot() from inside a chroot
echo 0 > /proc/sys/kernel/grsecurity/linking_restrictions # lift the symlink/hardlink restrictions in sticky world-writable dirs
echo 0 > /proc/sys/kernel/grsecurity/chroot_caps          # stop dropping capabilities inside a chroot

This should allow you to unpack the stage, chroot and build / update it.

I'm closing this as INVALID since this is expected in a hardened system. If you need more info, feel free to poke me in IRC (you can use any #gentoo* channel I'm in or use the release channel #gentoo-releng) or email me.
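An added example, not part of the bug or of Gentoo releng's tooling, that turns the five echo lines from comment 4 into a scripted relax/unpack/restore sequence so the grsecurity knobs are not left at 0 once the stage is on disk, and that triages a tar error log to tell "only device nodes were refused" apart from a genuinely damaged archive. The sysctl directory is passed as a parameter so the helpers can be exercised against a scratch directory; on a hardened kernel it is /proc/sys/kernel/grsecurity as in the comment. Function names, the --xattrs/-C tar invocation and the usage path are my own assumptions. One practitioner caveat the thread does not spell out: creating a device node needs CAP_MKNOD whatever the kernel, so tar run as an unprivileged user produces the same "Cannot mknod: Operation not permitted" on a non-hardened box; check that the extraction runs as root before touching any sysctl.

```shell
#!/bin/sh
# Added example (not from the bug report or Gentoo releng): relax the
# grsecurity chroot knobs listed in comment 4 only for the duration of the
# unpack, then restore whatever values were in effect.
# $dir is the sysctl directory; on a hardened kernel that is
# /proc/sys/kernel/grsecurity (assumed from the comment). Creating device
# nodes also needs CAP_MKNOD, so the tar step must run as root regardless.

GRSEC_KNOBS="chroot_deny_chmod chroot_deny_mknod chroot_deny_chroot linking_restrictions chroot_caps"

# Print "knob=value" for every knob the kernel exposes under $1.
grsec_snapshot() {
    dir=$1
    for k in $GRSEC_KNOBS; do
        if [ -r "$dir/$k" ]; then
            printf '%s=%s\n' "$k" "$(cat "$dir/$k")"
        fi
    done
}

# Write $2 (0 = relaxed, 1 = enforced) to every writable knob under $1.
grsec_set_all() {
    dir=$1 val=$2
    for k in $GRSEC_KNOBS; do
        if [ -w "$dir/$k" ]; then
            echo "$val" > "$dir/$k"
        fi
    done
}

# Put back the values captured by grsec_snapshot ($2 is its output).
grsec_restore() {
    dir=$1
    printf '%s\n' "$2" | while IFS='=' read -r k v; do
        if [ -n "$k" ]; then
            echo "$v" > "$dir/$k"
        fi
    done
}

# Number of "Cannot mknod" errors in tar's stderr (read from stdin).
count_mknod_failures() {
    grep -c 'Cannot mknod' || true
}

# Succeed (0) when every tar error line on stdin is a refused device node
# under ./dev, i.e. the archive itself is intact and only mknod was blocked;
# fail (1) if tar reported anything else.
tar_only_dev_mknod_errors() {
    if grep '^tar: ' | grep -v 'Exiting with failure status' \
         | grep -vq '^tar: \./dev/.*Cannot mknod'; then
        return 1
    fi
    return 0
}

# Unpack stage tarball $2 into $3 with the knobs under $1 relaxed, restoring
# them even if tar fails. Returns tar's exit status.
unpack_stage3() {
    dir=$1 stage=$2 root=$3
    snap=$(grsec_snapshot "$dir")
    grsec_set_all "$dir" 0
    rc=0
    tar xpf "$stage" --xattrs -C "$root" || rc=$?
    grsec_restore "$dir" "$snap"
    return "$rc"
}

# Usage on a hardened box, as root (assumed paths):
#   unpack_stage3 /proc/sys/kernel/grsecurity stage3-amd64-hardened-*.tar.bz2 /mnt/gentoo
```

The restore step is the part worth keeping: the five knobs are exactly the protections that make a chroot hard to escape from, and leaving them at 0 after the install turns a temporary concession into a permanent one. Feeding tar's stderr through tar_only_dev_mknod_errors answers the reporter's "should I ignore these messages" question mechanically: if anything other than a ./dev mknod line shows up, the archive or the target filesystem has a different problem.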