519166 – app-portage/layman-2.1.0-r2 - layman: python2.7: grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0

Bug 519166 - app-portage/layman-2.1.0-r2 - layman: python2.7: grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0

Summary: app-portage/layman-2.1.0-r2 - layman: python2.7: grsec: denied resource overs...

Status:	RESOLVED WORKSFORME

Alias:	None

Product:	Portage Development
Classification:	Unclassified
Component:	Third-Party Tools (show other bugs)
Hardware:	AMD64 Linux

Importance:	Normal normal
Assignee:	Brian Dolbec (RETIRED)

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2014-08-05 21:07 UTC by Karl-Johan Karlsson
Modified:	2014-08-07 17:24 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Karl-Johan Karlsson 2014-08-05 21:07:38 UTC

With app-portage/layman-2.1.0-r2 on Python 2.7.8 on a hardened kernel, trying to sync the overlays from https://api.gentoo.org/overlays/repositories.xml results in the layman process getting killed by PAX:

root@orley ~ # layman -S

 * Fetching remote list,...
Killed
root@orley ~ # dmesg | tail -n 5
[469640.615982] PAX: execution attempt in: <anonymous mapping>, 31d81759000-31d8179d000 31d81759000
[469640.616000] PAX: terminating task: /usr/bin/python2.7(layman):31490, uid/euid: 0/0, PC: 0000031d81759fc0, SP: 000003b40bbad038
[469640.616009] PAX: bytes at PC: 49 bb b6 1b 4d 7c 1d 03 00 00 49 ba c0 9f 75 81 1d 03 00 00 
[469640.616058] PAX: bytes at SP-8: 000003b40bbad090 0000031d7d8027d1 000003b40bbad090 0000031d81759fc0 00000024106d5ea0 a06d42f735dfe500 000003b40bbad090 0000031d81759fc0 00000024106d5ea0 0000002410643640 0000000000000003 
[469640.616136] grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /usr/lib64/python-exec/python2.7/layman[layman:31490] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:28857] uid/euid:0/0 gid/egid:0/0

Downgrading to app-portage/layman-2.0.0-r3, on the same Python, the same kernel, and the same layman.cfg, works.

Running layman under strace suggests that the crash happens while it is trying to set up TLS:

root@orley ~ # strace -fF layman -S
[...]
socket(PF_INET6, SOCK_STREAM, IPPROTO_TCP) = 3
fcntl(3, F_GETFL)                       = 0x2 (flags O_RDWR)
fcntl(3, F_SETFL, O_RDWR)               = 0
connect(3, {sa_family=AF_INET6, sin6_port=htons(443), inet_pton(AF_INET6, "2001:41c8:0:936::136", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = 0
setsockopt(3, SOL_TCP, TCP_NODELAY, [1], 4) = 0
[...]
open("/etc/ssl/certs/ca-certificates.crt", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=266884, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2dfdd149000
read(4, "-----BEGIN CERTIFICATE-----\nMIIH"..., 4096) = 4096
[...]
read(4, "", 4096)                       = 0
close(4)                                = 0
munmap(0x2dfdd149000, 4096)             = 0
write(3, "\26\3\1\1\7\1\0\1\3\3\3S\23\356\332,\6\346\303\250\370\362L\236\233\334\270:\302\345^\21"..., 268) = 268
read(3, "\26\3\3\0A\2\0", 7)            = 7
read(3, "\0=\3\3\210<\253~\340VKy\tX\253\333\326\312\212T;}\317\257J\17\377\275Qmox"..., 63) = 63
read(3, "\26\3\3\25\326", 5)            = 5
read(3, "\v\0\25\322\0\25\317\0\6h0\202\6d0\202\5L\240\3\2\1\2\2\20\1?\232\6@\5\303"..., 5590) = 5590
+++ killed by SIGKILL +++
Killed

I'm not fluent in TLS, but that looks like it dies right after receiving the server's certificate.

Reproducible: Always




root@orley ~ # emerge --info layman
Portage 2.2.11 (python 2.7.8-final-0, hardened/linux/amd64, gcc-4.8.3, glibc-2.19-r1, 3.15.5-hardened x86_64)
=================================================================
                        System Settings
=================================================================
System uname: Linux-3.15.5-hardened-x86_64-Intel-R-_Core-TM-_i7-2640M_CPU_@_2.80GHz-with-gentoo-2.2
KiB Mem:     8125008 total,   1555364 free
KiB Swap:    4000180 total,   3774380 free
Timestamp of tree: Tue, 05 Aug 2014 20:30:01 +0000
ld GNU ld (Gentoo 2.24 p1.4) 2.24
app-shells/bash:          4.2_p47
dev-java/java-config:     2.2.0
dev-lang/python:          2.7.8, 3.2.5-r6, 3.3.5-r1, 3.4.1
dev-util/cmake:           2.8.12.2-r1
dev-util/pkgconfig:       0.28-r2
sys-apps/baselayout:      2.2
sys-apps/openrc:          0.12.4
sys-apps/sandbox:         2.6-r1
sys-devel/autoconf:       2.13, 2.69
sys-devel/automake:       1.11.6, 1.12.6, 1.13.4, 1.14.1
sys-devel/binutils:       2.24-r3
sys-devel/gcc:            4.7.4, 4.8.3
sys-devel/gcc-config:     1.8
sys-devel/libtool:        2.4.2-r1
sys-devel/make:           4.0-r1
sys-kernel/linux-headers: 3.15 (virtual/os-headers)
sys-libs/glibc:           2.19-r1
Repositories: gentoo sunrise seden betagarden steam-overlay hasufell qt local
ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="* -@EULA PUEL dlj-1.1 googleearth AdobeFlash-10.1 AdobeFlash-10.3 AdobeFlash-11.x google-talkplugin skype-eula QUAKE4 Oracle-BCLA-JavaSE Intel-SDP Introversion skype-4.0.0.7-copyright google-chrome"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O2 -pipe -fweb -ftracer"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/config /usr/share/gnupg/qualified.txt /usr/share/themes/oxygen-gtk/gtk-2.0 /var/lib/hsqldb"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-march=native -O2 -pipe -fweb -ftracer"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--alphabetical --keep-going --quiet-build=n --backtrack=30"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs buildpkg config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch parallel-install preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://ftp.sunet.se/pub/Linux/distributions/gentoo http://gentoo.oregonstate.edu http://www.ibiblio.org/pub/Linux/distributions/gentoo"
LDFLAGS="-Wl,-O1 -Wl,--as-needed -Wl,-O1 -Wl,--hash-style=gnu -Wl,--enable-new-dtags"
MAKEOPTS="-j4"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_EXTRA_OPTS="--timeout=10 --ipv6"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/var/lib/layman/sunrise /var/lib/layman/seden /var/lib/layman/betagarden /var/lib/layman/steam-overlay /var/lib/layman/hasufell /var/lib/layman/qt /usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X a52 aac aacs acl acpi alsa amd64 anthy avi bash-completion berkdb bluetooth bluray bzip2 c++0x cairo canna cdr cjk cli consolekit cracklib crypt css cups cvs cxx dbus dri dts dvd dvdr dvdread emacs exif ffmpeg fftw flac fontconfig fortran fuse gdbm gif gimp git gles gles1 gles2 glitz gphoto2 gstreamer gtk gtk3 hal handbook hardened iconv idn ipv6 javascript jingle jpeg justify kde laptop lcms lensfun lm_sensors logrotate mad matroska mmap mmx mmxext mng modules motif mp3 multilib ncurses nls nptl nsplugin offensive ogg opencl opengl openmp openvg pam pax_kernel pcre pdf phonon pic plasma png policykit postscript projectm qt qt3 qt3support qt4 quicktime qwt raw readline real resid rtmp s3tc samba sasl sdl semantic-desktop session sid smp sndfile sqlite sse sse2 sse3 sse4_1 ssl ssse3 steamgames_source_engine steamgames_tf2 steamruntime subversion svg tcpd theora tiff truetype unicode urandom usb v4l vaapi vorbis wayland wifi win32codecs windows_games wma wmf x264 xattr xcb xine xinerama xrandr xtpax xv xvid xvmc zlib" ABI_X86="32 64" ALSA_CARDS="hda-intel" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="braindump flow karbon kexi krita sheets stage words" CAMERAS="canon" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="keyboard mouse joystick evdev wacom" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LINGUAS="en en_US en_GB en_UK sv sv_SE" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-5" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_3" QEMU_SOFTMMU_TARGETS="i386 x86_64" QEMU_USER_TARGETS="i386 x86_64" RUBY_TARGETS="ruby21" SANE_BACKENDS="pixma hp" USERLAND="GNU" VIDEO_CARDS="intel" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, INSTALL_MASK, LANG, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, USE_PYTHON

=================================================================
                        Package Settings
=================================================================

app-portage/layman-2.1.0-r2 was built with the following:
USE="-bazaar cvs -darcs git -mercurial subversion -test" ABI_X86="64" PYTHON_TARGETS="-pypy python2_7 python3_3 -python3_4"

Comment 1 Jeroen Roovers (RETIRED) gentoo-dev

2014-08-06 20:46:30 UTC

That's python2.7 getting killed not layman as such.

Comment 2 Brian Dolbec (RETIRED) gentoo-dev

2014-08-06 21:03:15 UTC

The new layman code is using a few new libs (dependencies) from code originally developed in layman, but not released in a regular release.  The new code uses dev-python/ssl-fetch which wraps dev-python/requests with common code used for authenticating/downloading files from gentoo's servers.

Please check your permissions, settings for those libs.

Comment 3 Magnus Granberg gentoo-dev

2014-08-06 21:08:46 UTC

paxctl-ng -v /usr/bin/python2.7?
Do you have emutramp enable in the kernel?

Comment 4 Karl-Johan Karlsson 2014-08-07 06:25:29 UTC

(In reply to Magnus Granberg from comment #3)
> paxctl-ng -v /usr/bin/python2.7?

/usr/bin/python2.7:
        PT_PAX    : -E---
        XATTR_PAX : not found

> Do you have emutramp enable in the kernel?

I did not. After switching to a 3.15.8 which has it enabled, Layman is no longer killed by PaX.

I am quite sure that help text (Google bait:

   NOTE: Hardened Gentoo users needs this option enabled for python
   to work properly.  Without it, all python apps, including portage,
   may fail.  By default, python has CONFIG_PAX_EMUTRAMP enabled by
   the ebuild when USE=pax_kernel is set, otherise CONFIG_PAX_PAGEEXEC
   is enabled as a fallback.

) wasn't there last time I read it (I usually just upgrade the kernel with "make oldconfig" and only read the help for any new options). I can't imagine why I would have left it switched off otherwise. When was it added? I've never had any PaX problems with anything Pythonic before this.

Comment 5 Karl-Johan Karlsson 2014-08-07 16:19:27 UTC

(In reply to Karl-Johan Karlsson from comment #4)
> When was it added?

I just found 
http://blog.siphos.be/2014/08/gentoo-hardened-july-meeting/ , which I guess answers that.

Comment 6 Brian Dolbec (RETIRED) gentoo-dev

2014-08-07 17:24:30 UTC

Marking as resolved since it was a user setup error.