Summary: | =sys-process/procps-3.3.6 fails pmap test without CONFIG_PROC_PAGE_MONITOR=y which conflicts with GRKERNSEC=y | ||
---|---|---|---|
Product: | Gentoo Linux | Reporter: | Markus Walter <gentoo> |
Component: | [OLD] Core system | Assignee: | Gentoo's Team for Core System packages <base-system> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | hardened, kensington, phajdan.jr, quantheory, rhill, roman.zilka |
Priority: | Normal | Keywords: | TESTFAILURE |
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://gitlab.com/procps-ng/procps/commit/92071e963e6ff50f0e221dde286f3229267b2ff9 | ||
Whiteboard: | |||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | 461272 | ||
Bug Blocks: | |||
Attachments: |
build log
emerge --info
build log for procps-3.3.3
build log
emerge --info
build log
pmap1-out
pmap1-str
pmap2-out
pmap2-str
pmap3-out
pmap3-str |
Created attachment 302357 [details]
emerge --info
I found the following lines in grsec.log corresponding to the test failure of procps.
Feb 18 14:59:55 localhost kernel: [1439677.980286] grsec: Segmentation fault occurred at fffffffffffffff0 in /var/tmp/portage/sys-process/procps-3.3.2_p2-r1/work/procps-ng-3.3.2/.libs/vmstat[vmstat:17873] uid/euid:250/250 gid/egid:250/250, parent /usr/bin/expect[expect:17697] uid/euid:250/250 gid/egid:250/250
Feb 18 14:59:55 localhost kernel: [1439677.980300] grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /var/tmp/portage/sys-process/procps-3.3.2_p2-r1/work/procps-ng-3.3.2/.libs/vmstat[vmstat:17873] uid/euid:250/250 gid/egid:250/250, parent /usr/bin/expect[expect:17697] uid/euid:250/250 gid/egid:250/250
Feb 18 14:59:55 localhost kernel: [1439678.021391] grsec: Segmentation fault occurred at fffffffffffffff0 in /var/tmp/portage/sys-process/procps-3.3.2_p2-r1/work/procps-ng-3.3.2/.libs/vmstat[vmstat:17906] uid/euid:250/250 gid/egid:250/250, parent /usr/bin/expect[expect:17697] uid/euid:250/250 gid/egid:250/250
Feb 18 14:59:55 localhost kernel: [1439678.021405] grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /var/tmp/portage/sys-process/procps-3.3.2_p2-r1/work/procps-ng-3.3.2/.libs/vmstat[vmstat:17906] uid/euid:250/250 gid/egid:250/250, parent /usr/bin/expect[expect:17697] uid/euid:250/250 gid/egid:250/250
Created attachment 312407 [details]
build log for procps-3.3.3
An update on this: I see far fewer failing tests with procps-3.3.3.
Created attachment 312519 [details]
build log
similar here at an unstable x86 user mode linux image
3.3.4 passes tests for me
For me the error is unchanged with procps-3.4.2.
(In reply to comment #6)
> For me the error is unchanged with procps-3.4.2.
Ignore that, for me 3.3.4 passes tests too.
Created attachment 341080 [details]
emerge --info
I also have the pmap test fail with:
FAIL: pmap extended output (header)
This looks like a hardened issue to me.
Neither removing all CFLAGS nor using FEATURES="-userpriv" helped.
Oh, I should mention that this is version 3.3.4 (which apparently worked for Markus?).
This is a strange error. I reran and saw the same errors as in the original report. Also no notable entries in grsec.log (besides two segfaults).
I still get fails with procps-3.3.4.
The "pmap" test fails while trying to run "pmap -x <PID>". strace of that shows that pmap cannot open /proc/PID/smaps. This is indeed missing on both my systems (hardened and not). It is missing because CONFIG_PROC_PAGE_MONITOR is not set in kernel (see /usr/src/linux/fs/proc/Kconfig). Please, confirm normal function of the pmap test with CONFIG_PROC_PAGE_MONITOR on your system. The testsuite should probably skip the test when smaps is not available. I'm letting the core team know first; I don't know if this is something to talk to the upstream about (??).
The "lib" test fails because a file is missing in the original procps-ng package. This has been fixed in 3.3.6. I can confirm normal function of the test there. I'm filing a bug requesting version bump.
The "pmap" test fails even in 3.3.6.
I still get fails on the "ps", "pgrep" and "pkill" tests:
ERROR: not a tty child process exited abnormally while executing "exec tty "
3.3.6 in portage with this fixed, and 3.3.4 has this now restricted
I just want to note that CONFIG_PROC_PAGE_MONITOR depends on !GRKERNSEC, so this *is* in fact an incompatibility with Grsecurity.
(In reply to comment #13)
> I just want to note that CONFIG_PROC_PAGE_MONITOR depends on !GRKERNSEC, so
> this *is* in fact an incompatibility with Grsecurity.
You are right. I only took one of the errors mentioned here into account. I also didn't have CONFIG_PROC_PAGE_MONITOR=y in a non-hardened kernel with CONFIG_EXPERT=y. (The point being it's not enough to check for grsec if that's the plan now.)
Created attachment 345444 [details]
build log
I do not have a hardened system but these tests fail here at an unstable 32 bit Gentoo:
FAIL: pmap extra extended output (footer)
FAIL: pmap X with unreachable process
FAIL: pmap XX with unreachable process
zgrep -e CONFIG_EXPERT -e CONFIG_PROC_PAGE_MONITOR /proc/config.gz
# CONFIG_EXPERT is not set
CONFIG_PROC_PAGE_MONITOR=y
Please post all 6 files created by these commands (from procps-3.3.6, run as root):
strace -o pmap1-str pmap -X $BASHPID &>pmap1-out
strace -o pmap2-str pmap -X 1 &>pmap2-out
strace -o pmap3-str pmap -XX 1 &>pmap3-out
If you don't run bash, substitute $BASHPID with a PID of some other common process.
Created attachment 353422 [details]
pmap1-out
Created attachment 353424 [details]
pmap1-str
Created attachment 353426 [details]
pmap2-out
Created attachment 353428 [details]
pmap2-str
Created attachment 353430 [details]
pmap3-out
Created attachment 353432 [details]
pmap3-str
(In reply to Roman Žilka from comment #18)
> Please post all 6 files created by these commands (from procps-3.3.6, run as
> root):
>
> strace -o pmap1-str pmap -X $BASHPID &>pmap1-out
> strace -o pmap2-str pmap -X 1 &>pmap2-out
> strace -o pmap3-str pmap -XX 1 &>pmap3-out
I've attached these (ran as user, oops). procps-3.3.6.
There is an interesting thing in pmap1-out:
pmap: Unknown format in smaps file!
Just in case, I'm running 3.8.13-gentoo kernel on 32-bit system, CONFIG_PROC_PAGE_MONITOR=y.
FAIL: pmap X with unreachable process
FAIL: pmap XX with unreachable process
These two will fail even with CONFIG_PROC_PAGE_MONITOR=y if you're using FEATURES=userpriv, probably because the portage user doesn't have read access to /proc/<pid>/smaps.
upstream has 92071e963e6ff50f0e221dde286f3229267b2ff9 which fixes at least the latest error. i'm going to push that and close out this bug. if people are still seeing problems, let's start a new one as i suspect this has more than one issue squashed in it at this point.
https://gitlab.com/procps-ng/procps/commit/92071e963e6ff50f0e221dde286f3229267b2ff9
should be all set now in the tree; thanks for the report!
Commit message: Fix pmap test when running under restrictive kernel/user settings
http://sources.gentoo.org/sys-process/procps/files/procps-3.3.10-pmap-unreadable.patch?rev=1.1
http://sources.gentoo.org/sys-process/procps/procps-3.3.10-r1.ebuild?r1=1.1&r2=1.2 |
Created attachment 302355 [details]
build log
On my hardened ~amd64 machine with gcc-4.6.2 procps fails a lot of tests.
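The thread traces the pmap failures to two preconditions: /proc/<pid>/smaps exists only with CONFIG_PROC_PAGE_MONITOR=y, and it must be readable by the user running the tests. The following is an added example, not part of the bug report, procps, or the referenced upstream commit, that checks both before a test run; the function names and the sample config and proc tree are constructed for illustration.

```shell
# Added example, not from procps or the Gentoo tree. Function names and the
# sample files are constructed; real inputs would be /proc/config.gz and /proc.
# kconfig_state FILE SYMBOL -> y | n | unknown (FILE may be gzip-compressed)
kconfig_state() {
    case "$1" in
        *.gz) gzip -dc "$1" 2>/dev/null ;;
        *)    cat "$1" 2>/dev/null ;;
    esac | {
        state=unknown
        while IFS= read -r line; do
            case "$line" in
                "$2=y")            state=y ;;
                "# $2 is not set") state=n ;;
            esac
        done
        echo "$state"
    }
}

# smaps_status PROCROOT PID -> ok | missing | unreadable
smaps_status() {
    if [ ! -e "$1/$2/smaps" ]; then echo missing
    elif cat "$1/$2/smaps" >/dev/null 2>&1; then echo ok
    else echo unreadable
    fi
}

# pmap_precheck CONFIG PROCROOT OWNPID OTHERPID -> one-line verdict
pmap_precheck() {
    cfg=$(kconfig_state "$1" CONFIG_PROC_PAGE_MONITOR)
    own=$(smaps_status "$2" "$3")
    other=$(smaps_status "$2" "$4")
    if [ "$own" = missing ]; then
        echo "skip: no smaps file (CONFIG_PROC_PAGE_MONITOR=$cfg)"
    elif [ "$own" = unreadable ]; then
        echo "skip: own smaps unreadable"
    elif [ "$other" != ok ]; then
        echo "partial: smaps of pid $4 is $other"
    else
        echo run
    fi
}
# Constructed stand-ins for a kernel config and /proc, so this runs offline.
demo=$(mktemp -d)
mkdir -p "$demo/proc/100" "$demo/proc/1"
printf '%s\n' '# CONFIG_EXPERT is not set' 'CONFIG_PROC_PAGE_MONITOR=y' > "$demo/on"
printf '%s\n' 'CONFIG_GRKERNSEC=y' '# CONFIG_PROC_PAGE_MONITOR is not set' > "$demo/off"
pmap_precheck "$demo/off" "$demo/proc" 100 1   # smaps absent everywhere
echo 'Size: 4 kB' > "$demo/proc/100/smaps"
pmap_precheck "$demo/on" "$demo/proc" 100 1    # own smaps ok, pid 1 absent
```

On a live system the call would be `pmap_precheck /proc/config.gz /proc $$ 1`; /proc/config.gz is present only when the kernel was built with CONFIG_IKCONFIG_PROC, otherwise the config state is reported as unknown.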