Bug 562762 - app-crypt/monkeysphere: processes left after installation at hardened
Status: RESOLVED UPSTREAM
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Kristian Fiskerstrand (RETIRED)
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-10-10 20:53 UTC by Toralf Förster
Modified: 2015-11-01 17:30 UTC
CC List: 0 users

See Also:
Package list:
Runtime testing required: ---


Description Toralf Förster gentoo-dev 2015-10-10 20:53:42 UTC
At my tinderbox (hardened amd64 host) I'm wondering about these processes:


tor-relay ~ # ps -efla | grep gpg-agent
Warning: /usr/src/linux/System.map not parseable as a System.map
1 S root     12416     1  0  90  10 - 41781      - 11:53 ?        00:00:00 gpg-agent --homedir /var/lib/monkeysphere/authentication/core --use-standard-socket --daemon
1 S 193      12726     1  0  90  10 - 41780      - 11:53 ?        00:00:00 gpg-agent --homedir /var/lib/monkeysphere/authentication/sphere --use-standard-socket --daemon
4 S root     16056 24470  0  80   0 -  2257      - 22:47 pts/6    00:00:00 grep --colour=auto gpg-agent
1 S root     20246     1  0  90  10 - 41781      - 15:16 ?        00:00:00 gpg-agent --homedir /var/lib/monkeysphere/authentication/core --use-standard-socket --daemon
1 S 157      20289     1  0  90  10 - 41780      - 15:16 ?        00:00:00 gpg-agent --homedir /var/lib/monkeysphere/authentication/sphere --use-standard-socket --daemon



which might correlate with these entries here:


tor-relay ~ # grep monkey /var/log/grsec.log
Oct  9 16:57:53 tor-relay kernel: [1547514.117287] grsec: From 78.54.130.181: denied RWX mmap of <anonymous mapping> by /home/tinderbox/images/amd64-desktop-unstable_20151004-161203/var/tmp/portage/games-strategy/0ad-0.0.18_alpha-r2/work/0ad-0.0.18-alpha/libraries/source/spidermonkey/mozjs31/js/src/build-release/_virtualenv/bin/python2.7[python2.7:30034] uid/euid:250/250 gid/egid:250/250, parent /home/tinderbox/images/amd64-desktop-unstable_20151004-161203/usr/bin/python2.7[python2.7:30032] uid/euid:250/250 gid/egid:250/250
Oct  9 16:58:06 tor-relay kernel: [1547527.781998] grsec: From 78.54.130.181: denied RWX mmap of <anonymous mapping> by /home/tinderbox/images/amd64-desktop-unstable_20151004-161203/var/tmp/portage/games-strategy/0ad-0.0.18_alpha-r2/work/0ad-0.0.18-alpha/libraries/source/spidermonkey/mozjs31/js/src/build-release/_virtualenv/bin/python2.7[python:3089] uid/euid:250/250 gid/egid:250/250, parent /home/tinderbox/images/amd64-desktop-unstable_20151004-161203/var/tmp/portage/games-strategy/0ad-0.0.18_alpha-r2/work/0ad-0.0.18-alpha/libraries/source/spidermonkey/mozjs31/js/src/configure[configure:29343] uid/euid:250/250 gid/egid:250/250
Oct  9 16:58:07 tor-relay kernel: [1547528.209449] grsec: From 78.54.130.181: denied RWX mmap of <anonymous mapping> by /home/tinderbox/images/amd64-desktop-unstable_20151004-161203/var/tmp/portage/games-strategy/0ad-0.0.18_alpha-r2/work/0ad-0.0.18-alpha/libraries/source/spidermonkey/mozjs31/js/src/build-release/_virtualenv/bin/python2.7[python:3235] uid/euid:250/250 gid/egid:250/250, parent /home/tinderbox/images/amd64-desktop-unstable_20151004-161203/usr/bin/gmake[make:3233] uid/euid:250/250 gid/egid:250/250
Oct  9 16:58:07 tor-relay kernel: [1547528.352074] grsec: From 78.54.130.181: denied RWX mmap of <anonymous mapping> by /home/tinderbox/images/amd64-desktop-unstable_20151004-161203/var/tmp/portage/games-strategy/0ad-0.0.18_alpha-r2/work/0ad-0.0.18-alpha/libraries/source/spidermonkey/mozjs31/js/src/build-release/_virtualenv/bin/python2.7[python:3245] uid/euid:250/250 gid/egid:250/250, parent /home/tinderbox/images/amd64-desktop-unstable_20151004-161203/usr/bin/gmake[make:3233] uid/euid:250/250 gid/egid:250/250
Oct  9 16:58:07 tor-relay kernel: [1547528.480061] grsec: From 78.54.130.181: denied RWX mmap of <anonymous mapping> by /home/tinderbox/images/amd64-desktop-unstable_20151004-161203/var/tmp/portage/games-strategy/0ad-0.0.18_alpha-r2/work/0ad-0.0.18-alpha/libraries/source/spidermonkey/mozjs31/js/src/build-release/_virtualenv/bin/python2.7[python:3249] uid/euid:250/250 gid/egid:250/250, parent /home/tinderbox/images/amd64-desktop-unstable_20151004-161203/usr/bin/gmake[make:3233] uid/euid:250/250 gid/egid:250/250
Oct  9 16:58:07 tor-relay kernel: [1547528.633099] grsec: From 78.54.130.181: denied RWX mmap of <anonymous mapping> by /home/tinderbox/images/amd64-desktop-unstable_20151004-161203/var/tmp/portage/games-strategy/0ad-0.0.18_alpha-r2/work/0ad-0.0.18-alpha/libraries/source/spidermonkey/mozjs31/js/src/build-release/_virtualenv/bin/python2.7[python:3275] uid/euid:250/250 gid/egid:250/250, parent /home/tinderbox/images/amd64-desktop-unstable_20151004-161203/usr/bin/gmake[make:3233] uid/euid:250/250 gid/egid:250/250
Oct  9 16:58:07 tor-relay kernel: [1547528.799402] grsec: From 78.54.130.181: denied RWX mmap of <anonymous mapping> by /home/tinderbox/images/amd64-desktop-unstable_20151004-161203/var/tmp/portage/games-strategy/0ad-0.0.18_alpha-r2/work/0ad-0.0.18-alpha/libraries/source/spidermonkey/mozjs31/js/src/build-release/_virtualenv/bin/python2.7[python:3311] uid/euid:250/250 gid/egid:250/250, parent /home/tinderbox/images/amd64-desktop-unstable_20151004-161203/usr/bin/gmake[make:3233] uid/euid:250/250 gid/egid:250/250
Oct  9 16:58:08 tor-relay kernel: [1547528.939010] grsec: From 78.54.130.181: denied RWX mmap of <anonymous mapping> by /home/tinderbox/images/amd64-desktop-unstable_20151004-161203/var/tmp/portage/games-strategy/0ad-0.0.18_alpha-r2/work/0ad-0.0.18-alpha/libraries/source/spidermonkey/mozjs31/js/src/build-release/_virtualenv/bin/python2.7[python:3339] uid/euid:250/250 gid/egid:250/250, parent /home/tinderbox/images/amd64-desktop-unstable_20151004-161203/usr/bin/gmake[make:3233] uid/euid:250/250 gid/egid:250/250




I do wonder if there's something in the ebuild which could kill those processes, or if there's no chance to do it and therefore it would be my task (via cron or so)?

And BTW: is it ok to file this as a bug, or is there another preferred way for such issues?
Comment 1 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-10-11 11:03:50 UTC
(In reply to Toralf Förster from comment #0)
> At my tinderbox (hardened amd64 host) I'm wondering about those processes :
> 
> 
> tor-relay ~ # ps -efla | grep gpg-agent
> Warning: /usr/src/linux/System.map not parseable as a System.map
> 1 S root     12416     1  0  90  10 - 41781      - 11:53 ?        00:00:00
> gpg-agent --homedir /var/lib/monkeysphere/authentication/core
> --use-standard-socket --daemon
> 1 S 193      12726     1  0  90  10 - 41780      - 11:53 ?        00:00:00
> gpg-agent --homedir /var/lib/monkeysphere/authentication/sphere
> --use-standard-socket --daemon
> 4 S root     16056 24470  0  80   0 -  2257      - 22:47 pts/6    00:00:00
> grep --colour=auto gpg-agent
> 1 S root     20246     1  0  90  10 - 41781      - 15:16 ?        00:00:00
> gpg-agent --homedir /var/lib/monkeysphere/authentication/core
> --use-standard-socket --daemon
> 1 S 157      20289     1  0  90  10 - 41780      - 15:16 ?        00:00:00
> gpg-agent --homedir /var/lib/monkeysphere/authentication/sphere
> --use-standard-socket --daemon
> 

Yup, monkeysphere-authenticate setup generates a new key used for certification as part of this setup procedure; in particular for gnupg 2.1 this requires an agent (as all secret key operations are performed by the agent). Gnupg 2.1 will auto-spawn the agent as needed for OpenPGP operation. The only thing I wonder about is actually the number of running agents, as it is using standard sockets, so the same one should be used for the respective --homedir locations.

> 
> 
> 
> I do wonder if there's something in the ebuild which could kill those
> processes or if there's no chance to do it and therefore it would be my
> tasks (via cron or so) ?

It is not something I'd like to do in the ebuild, first of all because there wouldn't be a way to track whether it was actually started by an action in the ebuild or is an existing agent instance.

> 
> And BTW: it is ok to be filed as a bug or is there another preferred way for
> such issues ?

A bug is the preferred way as it allows for separation of threads and transparency, although in this particular case I wonder if it isn't more a question of upstream behavior than our packaging.
Comment 2 Toralf Förster gentoo-dev 2015-10-11 13:21:41 UTC
(In reply to Kristian Fiskerstrand from comment #1)
> The only thing I wonder about is actually the number of running agents, as
> it is using standard sockets the same one should be used for the respective
> --homedir locations.
Well, 7 different chroot images at a hardened host; they shouldn't see each other IMO, or?

Ok, so the gpg-agent is spawned but does not exit after the setup; maybe really an upstream topic.
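The script below is an added example; it is not code from the monkeysphere package, the ebuild, or anyone in this thread. It takes the point from comment 1 (GnuPG 2.1 auto-spawns one agent per --homedir, and with --use-standard-socket callers of the same homedir should share it) and the duplicate agents visible in the report, and shows how an administrator could inventory the agents from `ps -efla` output, flag homedirs served by more than one agent, and emit the clean per-homedir shutdown command, `gpgconf --homedir <dir> --kill gpg-agent`, which GnuPG 2.1 provides instead of signalling the process. The sample ps lines are constructed from the report and the function names are mine; the commands are printed, not executed.

```shell
#!/bin/sh
# Added example (not from monkeysphere or its ebuild): list the gpg-agent
# daemons per --homedir from ps output, flag homedirs served by more than
# one agent, and emit the gpgconf command that stops an agent cleanly.

# Constructed sample modelled on the ps -efla output in the report; the
# grep line is included on purpose so the filter has to skip it.
SAMPLE_PS='1 S root     12416     1  0  90  10 - 41781      - 11:53 ?        00:00:00 gpg-agent --homedir /var/lib/monkeysphere/authentication/core --use-standard-socket --daemon
1 S 193      12726     1  0  90  10 - 41780      - 11:53 ?        00:00:00 gpg-agent --homedir /var/lib/monkeysphere/authentication/sphere --use-standard-socket --daemon
4 S root     16056 24470  0  80   0 -  2257      - 22:47 pts/6    00:00:00 grep --colour=auto gpg-agent
1 S root     20246     1  0  90  10 - 41781      - 15:16 ?        00:00:00 gpg-agent --homedir /var/lib/monkeysphere/authentication/core --use-standard-socket --daemon
1 S 157      20289     1  0  90  10 - 41780      - 15:16 ?        00:00:00 gpg-agent --homedir /var/lib/monkeysphere/authentication/sphere --use-standard-socket --daemon'

# agent_table: read ps -efla lines on stdin, print "PID UID HOMEDIR" for every
# gpg-agent started with --homedir (ps -efla columns: F S UID PID PPID ...).
# The grep line matches "gpg-agent" but not "gpg-agent --homedir", so it drops out.
agent_table() {
    awk '/gpg-agent --homedir/ {
            for (i = 1; i <= NF; i++)
                if ($i == "--homedir") { print $4, $3, $(i + 1); break }
         }'
}

# duplicate_homedirs: with --use-standard-socket all callers of one homedir
# should share a single agent, so two agents for the same homedir is the
# anomaly raised in comment 1. Prints each such homedir once, sorted.
duplicate_homedirs() {
    agent_table | awk '{ n[$3]++ } END { for (h in n) if (n[h] > 1) print h }' | sort
}

# kill_commands: GnuPG 2.1 stops the agent of a given homedir via gpgconf;
# emitted as text (dry run) so the operator can review before running them.
kill_commands() {
    agent_table | awk '{ print "gpgconf --homedir", $3, "--kill gpg-agent" }' | sort -u
}

# Stand-alone run against the constructed sample.
# On a real host: ps -efla | agent_table   (and likewise for the other two)
printf '%s\n' "$SAMPLE_PS" | agent_table
printf '%s\n' "$SAMPLE_PS" | duplicate_homedirs
printf '%s\n' "$SAMPLE_PS" | kill_commands
```

Two caveats before acting on the output. First, as comment 2 hints, `ps` on the host prints the command line as typed inside a chroot, so two agents with an identical `--homedir` may belong to different chroot images and then are not duplicates at all; compare `readlink /proc/<PID>/root` for each PID and run the `gpgconf` command inside the matching chroot. Second, the agents in the report run under different uids (root for the `core` homedir, the monkeysphere uid for `sphere`) and are reparented to PID 1, so any cleanup has to address each homedir separately rather than a single socket.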
Comment 3 Toralf Förster gentoo-dev 2015-10-15 19:45:47 UTC
ok, not a bug, it is a feature
Comment 4 Toralf Förster gentoo-dev 2015-11-01 17:30:10 UTC
(In reply to Toralf Förster from comment #3)
> ok, not a bug, it is a feature

https://labs.riseup.net/code/issues/10465