Bug 604824 - sys-kernel/hardend-sources: unprivileged users cannot create user namespaces
Summary: sys-kernel/hardend-sources: unprivileged users cannot create user namespaces
Status: RESOLVED OBSOLETE
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: The Gentoo Linux Hardened Team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
Reported: 2017-01-06 11:11 UTC by Alexander Miroshnichenko
Modified: 2017-12-04 12:19 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Alexander Miroshnichenko 2017-01-06 11:11:07 UTC
User Namespaces enabled in the kernel:
# zgrep USER_NS /proc/config.gz 
CONFIG_USER_NS=y

When I try to run chromium with the user namespace sandbox I get a launch error:
$ chromium-browser --disable-setuid-sandbox
[3903:3903:0106/135831:FATAL:zygote_host_impl_linux.cc(107)] No usable sandbox! Update your kernel or see https://chromium.googlesource.com/chromium/src/+/master/docs/linux_suid_sandbox_development.md for more information on developing with the SUID sandbox. If you want to live dangerously and need an immediate workaround, you can try using --no-sandbox.

Aborted

I tried to rebuild www-client/chromium with the "suid" USE flag disabled and got the same error. The browser failed to start even without any cmd options.

minder@marie-laptop ~ $ equery u www-client/chromium                    
[ Legend : U - final flag setting for installation]
[        : I - package is installed with flag     ]
[ Colors : set, unset                             ]
 * Found these USE flags for www-client/chromium-55.0.2883.75:
 U I
 + + cups               : Add support for CUPS (Common Unix Printing System)
 - - custom-cflags      : Build with user-specified CFLAGS (unsupported)
 - + gn                 : Use GN (generate ninja) instead of GYP for building
 - - gnome              : Add GNOME support
 - - gnome-keyring      : Enable support for storing passwords via gnome-keyring
 + - hangouts           : Enable support for Google Hangouts features such as screen sharing
 - + kerberos           : Add kerberos support
...
 + + proprietary-codecs : Enable proprietary codecs like H.264, MP3
 - + pulseaudio         : Add support for PulseAudio sound server
 - - suid               : Build the SUID sandbox, which is only needed on CONFIG_USER_NS=n kernels
 + + system-ffmpeg      : Use system ffmpeg instead of the bundled one
 + + tcmalloc           : Use bundled tcmalloc instead of system malloc
 - - test               : Workaround to pull in packages needed to run with FEATURES=test. Portage-2.1.2 handles this internally, so don't set it in make.conf/package.use anymore
 - - widevine           : Unsupported closed-source DRM capability (required by Netflix VOD)


Strace output:
clone(child_stack=NULL, flags=CLONE_NEWUSER|SIGCHLD) = -1 EPERM (Operation not permitted)

The kernel doesn't allow the syscall flag CLONE_NEWUSER without the SYS_ADMIN capability.

$ unshare -fU
unshare: unshare failed: Operation not permitted

With other distributions (Ubuntu, ...) Chromium works fine with USER_NS and the "unshare -fU" cmd works fine too. The Ubuntu kernel has been patched with a sysctl switch, "kernel.unprivileged_userns_clone".

How can I make chromium work with the USER_NS sandbox?
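An added diagnostic, not part of this bug report or of Chromium, that performs the same probe the strace above shows: a forked child calls unshare(CLONE_NEWUSER) and reports the errno through its exit status, and the Ubuntu-style sysctl the reporter mentions is read when the kernel exposes it. The function names are mine.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Probe in a child so the caller's own namespaces are left untouched.
 * Returns 0 when an unprivileged CLONE_NEWUSER succeeds, otherwise the
 * errno the kernel reported (EPERM is what the strace in the report shows). */
int probe_user_ns(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return errno;
    if (pid == 0) {
        /* Same flag Chromium's zygote passes to clone(): new user namespace. */
        if (unshare(CLONE_NEWUSER) != 0)
            _exit(errno & 0xff);   /* errno values are small, fit in a byte */
        _exit(0);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return errno;
    /* ECHILD here means the child did not exit normally (e.g. was killed). */
    return WIFEXITED(status) ? WEXITSTATUS(status) : ECHILD;
}

/* Ubuntu/Debian kernels expose kernel.unprivileged_userns_clone; mainline
 * does not. Returns the sysctl value, or -1 when the file is absent. */
int read_userns_sysctl(void)
{
    FILE *f = fopen("/proc/sys/kernel/unprivileged_userns_clone", "r");
    if (!f)
        return -1;
    int v = -1;
    if (fscanf(f, "%d", &v) != 1)
        v = -1;
    fclose(f);
    return v;
}

/* Map the probe result to the explanation a reader of this bug wants. */
const char *explain(int err)
{
    switch (err) {
    case 0:      return "unprivileged user namespaces available";
    case EPERM:  return "denied: kernel restricts CLONE_NEWUSER to privileged callers";
    case EINVAL: return "CONFIG_USER_NS=n, or caller is multithreaded / shares fs";
    default:     return strerror(err);
    }
}

int main(void)
{
    int err = probe_user_ns();
    printf("probe: %s\n", explain(err));
    int sc = read_userns_sysctl();
    if (sc >= 0)
        printf("kernel.unprivileged_userns_clone = %d\n", sc);
    return err == 0 ? 0 : 1;
}
```

Run it as the unprivileged user that starts the browser; an EPERM result reproduces the condition the report describes without touching the kernel configuration.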
Comment 1 Mike Gilbert gentoo-dev 2017-01-11 13:41:27 UTC
Please provide emerge --info.

My guess is that you are running a kernel that restricts support for user namespaces. If I recall correctly, the grsecurity patchset (hardened-sources) does this.
Comment 2 Alexander Miroshnichenko 2017-01-11 19:05:45 UTC
Yes, I use hardened-sources. Is it possible to turn off some grsecurity switch in the kernel config to make user namespaces work?


# emerge --info
laymansync module's module_spec is old, missing attribute: 'sourcefile'.  Backward compatibility may be removed in the future.
File: /usr/lib64/python2.7/site-packages/portage/sync/modules/laymansync/__init__.pyc
Portage 2.3.0 (python 2.7.12-final-0, hardened/linux/amd64, gcc-4.9.4, glibc-2.23-r3, 4.8.15-hardened x86_64)
=================================================================
System uname: Linux-4.8.15-hardened-x86_64-Intel-R-_Core-TM-_i7-3770T_CPU_@_2.50GHz-with-gentoo-2.3
KiB Mem:     4737920 total,   4418424 free
KiB Swap:    8388604 total,   8388604 free
Timestamp of repository gentoo: Mon, 09 Jan 2017 06:30:01 +0000
sh bash 4.3_p48-r1
ld GNU ld (Gentoo 2.25.1 p1.1) 2.25.1
app-shells/bash:          4.3_p48-r1::gentoo
dev-java/java-config:     2.2.0-r3::gentoo
dev-lang/perl:            5.22.3_rc4::gentoo
dev-lang/python:          2.7.12::gentoo, 3.4.5::gentoo
dev-util/cmake:           3.6.3::gentoo
dev-util/pkgconfig:       0.28-r2::gentoo
sys-apps/baselayout:      2.3::gentoo
sys-apps/openrc:          0.22.4::gentoo
sys-apps/sandbox:         2.10-r1::gentoo
sys-devel/autoconf:       2.13::gentoo, 2.69::gentoo
sys-devel/automake:       1.9.6-r4::gentoo, 1.11.6-r1::gentoo, 1.12.6::gentoo, 1.14.1::gentoo, 1.15::gentoo
sys-devel/binutils:       2.25.1-r1::gentoo
sys-devel/gcc:            4.9.4::gentoo
sys-devel/gcc-config:     1.7.3::gentoo
sys-devel/libtool:        2.4.6-r2::gentoo
sys-devel/make:           4.1-r1::gentoo
sys-kernel/linux-headers: 4.4::gentoo (virtual/os-headers)
sys-libs/glibc:           2.23-r3::gentoo
Repositories:

gentoo
    location: /usr/portage
    sync-type: rsync
    sync-uri: rsync://rsync.gentoo.org/gentoo-portage
    priority: -1000

x-portage
    location: /usr/local/portage
    masters: gentoo
    priority: 0

ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="*"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-mssse3 -march=core2 -O2 -pipe -mtune=core-avx-i -ggdb"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/lib64/libreoffice/program/sofficerc /usr/share/config /usr/share/genkernel/arch/x86_64/modules_load /usr/share/gnupg/qualified.txt /usr/share/themes/oxygen-gtk/gtk-2.0 /usr/share/themes/oxygen-gtk/gtk-3.0"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-mssse3 -march=core2 -O2 -pipe -mtune=core-avx-i -ggdb"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--jobs=2 "
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs buildpkg compressdebug config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync metadata-transfer news parallel-fetch preserve-libs protect-owned sandbox sfperms splitdebug strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="en_US.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j6"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
USE="3des 64bit S3TC X a52 aac aacplus aacs acl acpi aes aio airplay alsa amd64 ap apm apng app ares arping avx berkdb bidi bittorrent bluetooth bluray branding btrfs bzip2 cairo caps cdda cdr cdrom cec cgroups charconv chm cli client client-libs colord colorpicker conntrack contrast cpufreq_bench cpuload cpumining cracklib crash-reporter crda crypt cryptsetup css cue cups cxx d3d9 daap dbus declarative demosaic device-mapper djvu dkim dnotify dns dpi dri dri3 drm drmkms dropbox dts dv dvb dvbplayer dvbpsi dvbsetup dvd dvdarchive dvdnav dvdr ebook egl emboss encode epub evdev exif faac faad facebook fam fat ffmpeg filecaps firefox flac font-styles fontconfig g3dvl gbm gcrypt gdbm geo geoip gif gimp glamor glew glgd glsl gnuefi gold google googledrive gost gpg gphoto2 gpm gps gpu gssapi gui hardened hd hddtemp hidpi hpcups hpijs hvm hwinfo ico icons iconv icq icu idle idn imagemagick infinality iostats iproute2 iptv ipv6 jabber jemalloc jemalloc3 jingle jpeg justify kde kdepim kdm kerberos kernel kipi kolab kontact kvm largepages lcdfilter lcms ldap leaps_timezone lensfun libaio libinput libkms libnotify libsoxr libusb libuv linuxthreads llvm llvm-shared-libs lm_sensors localstorage logrotate lpsol lto lvm lximage lz4 lzma lzo mac mad matroska metalink minizip mmx mmxext mng modern-top modules mp3 mp4 mpeg mpeg2 mpg123 mplayer mtp multicore multilib musicbrainz nat nat-pmp native natspec ncat ndiff netlink network networkmanager networkmonitor nls nokia nonblockdialogs nping npp nptl nsplugin ofa ogg openal opencl opencv openexr opengl openmax openmp openssl openvg openxml opus otr pam pango pax_kernel pbins pcre pdf peer_perms pgo phonon pie pim plasma png polarssl policykit powermanagement ppds pulseaudio python python3 qml qt3support qt4 qt5 r600-llvm-compiler rar raw rawspeed rdesktop readline reiserfs replaygain resize-optimization resolveids ru-dv ru-g ru-i ru-k s3tc scanner screensaver sdl search-index seccomp semantic-desktop sensors session sip skype smime 
smp smpeg spell spice sse sse2 sse3 sse4_1 sse4_2 ssl ssp ssse3 startup-notification steamgames_bioshock_infinite steamgames_dwarfs steamgames_journey_down steamgames_narcissu steamgames_painkiller steamgames_portal steamgames_source_engine steamgames_tf2 steamgames_unwritten_tales steamgames_witcher2 svc svg sync-plugin-portage sysstat system-binutils system-boost system-cairo system-clang system-crontab system-ffmpeg system-harfbuzz system-icu system-jpeg system-jsoncpp system-libevent system-libs system-libvpx system-libyaml system-llvm system-lua system-mitkrb5 system-mpmath system-mupdf system-qemu system-qt system-renpy system-sqlite system-wine systemd systeminfo systemlib taglib tci tcmalloc theora thin threaded threads tiering tiff tls touchpad truetype tta udev udisks ukit unicode upower urandom usb usbredir v8 vaapi vamp vc vdpau vhost-net virtfs visio vnc volume vorbis vpx vulkan wayland wayland-compositor web-services webchannel webgl webinterface webkit webkit2 webm webp websocket websockets widgets win32 wma wmf wxwidgets x264 x265 xa xattr xcb xcomposite xface xfs xft xinerama xml xmpp xscreensaver xspice xtpax xv xvfb xvid xvmc xwayland yandexdisk zip zlib" ABI_X86="64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" CAMERAS="ptp2" 
COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="aes avx avx2 fma3 mmx mmxext popcnt sse sse2 sse3 sse4_1 sse4_2 ssse3" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ublox ubx" GRUB_PLATFORMS="efi-64 multiboot pc" INPUT_DEVICES="evdev keyboard mouse synaptics libinput" KERNEL="linux" L10N="ru en ru_RU en_US" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer pdfimport" LINGUAS="ru en ru_RU en_US" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-6" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_4" QEMU_SOFTMMU_TARGETS="x86_64" QEMU_USER_TARGETS="x86_64" RUBY_TARGETS="ruby21" USERLAND="GNU" VIDEO_CARDS="i965 radeonsi radeon qxl nouveau ilo modesetting" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CC, CPPFLAGS, CTARGET, CXX, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON
Comment 3 Mike Gilbert gentoo-dev 2017-01-11 19:18:49 UTC
(In reply to Alexander Miroshnichenko from comment #2)
> Yes, I use hardened-sources. Is it possible to turn off some grsecurity
> switch in the kernel config to enable usernamespaces works?

I have no idea. Giving this to the hardened team to answer.
Comment 4 Jiří Moravec 2017-01-17 12:03:35 UTC
I have the same problem. Two days ago, chromium suddenly started crashing. Partial strace output follows, but there is a difference: I'm on the hardened profile, but not on a hardened kernel. The symptoms are just the same :-(.

strace.log:
...
pipe([11, 12])                          = 0
clone(child_stack=0x7f2fcb877db0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tidptr=0x7f2fcb8789d0, tls=0x7f2fcb878700, child_tidptr=0x7f2fcb8789d0) = 5298
futex(0x7ffc9e564c54, FUTEX_WAIT_PRIVATE, 1, NULL) = 0
futex(0x7ffc9e564c28, FUTEX_WAKE_PRIVATE, 1) = 0
access("/usr/lib64/chromium-browser/chrome-sandbox", F_OK) = 0
clone(child_stack=NULL, flags=CLONE_NEWUSER|SIGCHLD) = 5299
wait4(5299, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 5299
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5299, si_uid=1001, si_status=0, si_utime=0, si_stime=0} ---
socketpair(AF_UNIX, SOCK_SEQPACKET, 0, [13, 14]) = 0
setsockopt(13, SOL_SOCKET, SO_PASSCRED, [1], 4) = 0
access("/proc/self/ns/user", F_OK)      = 0
access("/proc/self/ns/user", F_OK)      = 0
access("/proc/self/ns/pid", F_OK)       = 0
access("/proc/self/ns/user", F_OK)      = 0
access("/proc/self/ns/net", F_OK)       = 0
getuid()                                = 1001
getgid()                                = 1001
access("/proc/self/setgroups", F_OK)    = 0
rt_sigprocmask(SIG_SETMASK, ~[RTMIN RT_1], [], 8) = 0
clone(child_stack=0x7ffc9e564270, flags=CLONE_NEWUSER|CLONE_NEWPID|CLONE_NEWNET|SIGCHLD) = 5300
rt_sigprocmask(SIG_SETMASK, [], ~[KILL STOP RTMIN RT_1], 8) = 0
close(14)                               = 0
recvmsg(13, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="ZYGOTE_BOOT\0", iov_len=13}], msg_iovlen=1, msg_control=[{cmsg_len=28, cmsg_level=SOL_SOCKET, cmsg_type=SCM_CREDENTIALS, cmsg_data={pid=5300, uid=1001, gid=1001}}], msg_controllen=32, msg_flags=0}, 0) = 12
recvmsg(13, [1:1:0117/125742:FATAL:sandbox_linux.cc(180)] Check failed: sandbox::Credentials::MoveToNewUserNS(). 
{msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="", iov_len=11}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 0
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5300, si_uid=1001, si_status=1, si_utime=101, si_stime=7} ---
gettid()                                = 5283
open("/proc/self/status", O_RDONLY)     = 14
read(14, "Name:\tchrome\nUmask:\t0022\nState:\t"..., 1024) = 1024
close(14)                               = 0
write(2, "[5283:5283:0117/125742:FATAL:zyg"..., 166[5283:5283:0117/125742:FATAL:zygote_host_impl_linux.cc(196)] Check failed: ReceiveFixedMessage(fds[0], kZygoteHelloMessage, sizeof(kZygoteHelloMessage), &real_pid). 
) = 166
rt_sigprocmask(SIG_UNBLOCK, [ABRT], NULL, 8) = 0
tgkill(5283, 5283, SIGABRT)             = 0
--- SIGABRT {si_signo=SIGABRT, si_code=SI_TKILL, si_pid=5283, si_uid=1001} ---
+++ killed by SIGABRT +++
Comment 5 Mike Gilbert gentoo-dev 2017-01-18 02:42:05 UTC
(In reply to Jiří Moravec from comment #4)
> I have same problem. Two days ago, chromium suddenly started crashing.

That's not the same problem.
Comment 6 Alexander Miroshnichenko 2017-12-04 12:18:40 UTC
There are no more hardened-sources. I will close the case.