693582 – sys-apps/sandbox: detect strace invocation better for users

Bug 693582 - sys-apps/sandbox: detect strace invocation better for users

Summary: sys-apps/sandbox: detect strace invocation better for users

Status:	CONFIRMED

Alias:	None

Product:	Portage Development
Classification:	Unclassified
Component:	Sandbox (show other bugs)
Hardware:	All All

Importance:	Normal enhancement (vote)
Assignee:	Sandbox Maintainers

URL:
Whiteboard:
Keywords:

Duplicates (1):	729950 (view as bug list)
Depends on:
Blocks:

Reported:	2019-09-05 20:24 UTC by SpanKY
Modified:	2020-11-17 13:51 UTC (History)
CC List:	4 users (show)

See Also:	640698
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description SpanKY gentoo-dev

2019-09-05 20:24:24 UTC

strace is a pretty common debug tool for users when things go wrong and it's not clear why.  they'll often break out something like `strace -f -o $T/log ...` to get the full process tree.

unfortunately this breaks sandbox's ability to ptrace static children.  the error message we emit is confusing for them.

for example:
$ echo 'main(){return 3;}' | gcc -x c - -o a.out -static
$ sandbox
$ ./a.out; echo $?
3
$ strace ./a.out
+++ exited with 3 +++
$ strace -f -o log ./a.out
strace -f -o log ./a.out
 * /var/tmp/portage/sys-apps/sandbox-2.11-r4/work/sandbox-2.11/libsandbox/trace.c:_do_ptrace():75: failure (Operation not permitted):
 * ISE:_do_ptrace: ptrace(PTRACE_TRACEME, ..., 0x0000000000000000, 0x0000000000000000): Operation not permitted
/usr/lib64/libsandbox.so(+0xa935)[0x7f6dbadd3935]
/usr/lib64/libsandbox.so(+0xaa15)[0x7f6dbadd3a15]
/usr/lib64/libsandbox.so(+0x5dee)[0x7f6dbadcedee]
/usr/lib64/libsandbox.so(+0x5b18)[0x7f6dbadceb18]
/usr/lib64/libsandbox.so(+0x955f)[0x7f6dbadd255f]
/usr/lib64/libsandbox.so(execv+0x50)[0x7f6dbadd1cb0]
strace[0x42b8ca]
strace[0x42a3ee]
strace[0x4280af]
/lib64/libc.so.6(__libc_start_main+0xee)[0x7f6dba82da8e]
/proc/178078/cmdline: strace -f -o log ./a.out

i'm not sure we've hit any scenarios in the years since ptrace has been deployed where PTRACE_TRACEME would fail with EPERM ... the only way that would happen is if the process is already being traced, or the kernel LSMs have restricted things in general (e.g. /proc/sys/kernel/yama/ptrace_scope is set to 2 or 3).

we already whine when we're unable to ptrace a process on an unsupported system.  we should special case PTRACE_TRACEME EPERM failures to do the same: whine but otherwise don't block/abort execution.

Comment 1 Sergei Trofimovich (RETIRED) gentoo-dev

2019-09-05 22:33:39 UTC

Agreed. A minor complication is that we detect failure of PTRACE_TRACEME in the running child when parent is about to track it's state in trace_loop().

I tried to shut down child and run execve() handler in parent of trace_main() but failed. Running handler in child is a bit more successful.

Will spend a bit more time tomorrow and attach what I've got.

Comment 2 Sergei Trofimovich (RETIRED) gentoo-dev

2020-07-02 06:37:41 UTC

*** Bug 729950 has been marked as a duplicate of this bug. ***

Comment 3 Marc Joliet 2020-11-17 13:51:03 UTC

Since I had the same issue with podman as mentioned in bug #729950 (only with gobject-introspection as the triggering package), I just wanted to mention that an alternative workaround to disabling the portage sandbox is to just pass --cap-add=CAP_SYS_PTRACE to podman-run(1) or podman-build(1), which also works in rootless mode.