
Bug 461500

Summary: sys-process/procps: vmstat test fails with hardened/grsec & FEATURES="userpriv"
Product: Gentoo Linux
Reporter: Roman Žilka <roman.zilka>
Component: [OLD] Core system
Assignee: Gentoo's Team for Core System packages <base-system>
Status: CONFIRMED
Severity: minor
CC: hardened
Priority: Normal
Keywords: TESTFAILURE
Version: unspecified
Hardware: All
OS: Linux
URL: https://gitlab.com/procps-ng/procps/issues/3

Description Roman Žilka 2013-03-12 10:09:02 UTC
With /proc and /sys restricted by grsec + non-root privileges, procps-3.3.6 fails the test "vmstat". It requires access to /proc/vmstat, /proc/slabinfo, /sys/block/sda, none of which are available with grsec and FEATURES="userpriv".

The test succeeds on a non-hardened kernel even with FEATURES="userpriv" (verified).

Reproducible: Always
Comment 1 Roman Žilka 2013-03-12 10:18:35 UTC
In case you want more evidence:

# grep ^spawn sys-process/procps-3.3.6/work/procps-ng-3.3.6/testsuite/vmstat.log
spawn /boot/tmp/portage/sys-process/procps-3.3.6/work/procps-ng-3.3.6/vmstat
spawn /boot/tmp/portage/sys-process/procps-3.3.6/work/procps-ng-3.3.6/vmstat -a
spawn /boot/tmp/portage/sys-process/procps-3.3.6/work/procps-ng-3.3.6/vmstat -f
spawn /boot/tmp/portage/sys-process/procps-3.3.6/work/procps-ng-3.3.6/vmstat -m
spawn /boot/tmp/portage/sys-process/procps-3.3.6/work/procps-ng-3.3.6/vmstat -d
spawn /boot/tmp/portage/sys-process/procps-3.3.6/work/procps-ng-3.3.6/vmstat -p sda1

But as a non-root:
 $ for i in '' '-a' '-f' '-m' '-d' '-p sda1'; do echo -e '\n==============' vmstat $i; strace -e open,access vmstat $i; done

============== vmstat
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libprocps.so.1", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
open("/sys/devices/system/cpu/online", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib64/locale/locale-archive", O_RDONLY|O_CLOEXEC) = 3
open("/usr/share/locale/locale.alias", O_RDONLY|O_CLOEXEC) = 3
open("/usr/share/locale/en_GB.UTF-8/LC_MESSAGES/procps-ng.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_GB.utf8/LC_MESSAGES/procps-ng.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_GB/LC_MESSAGES/procps-ng.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en.UTF-8/LC_MESSAGES/procps-ng.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en.utf8/LC_MESSAGES/procps-ng.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en/LC_MESSAGES/procps-ng.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
procs -----------memory---------- ---swap-- -----io---- -system-- ----cpu----
 r  b   swpd   free   buff  cache   si   so    bi    bo   in   cs us sy id wa
open("/proc/meminfo", O_RDONLY)         = 3
open("/proc/stat", O_RDONLY)            = 4
open("/proc/vmstat", O_RDONLY)          = -1 EACCES (Permission denied)
Error: /proc must be mounted
  To mount /proc at boot you need an /etc/fstab line like:
      proc   /proc   proc    defaults
  In the meantime, run "mount proc /proc -t proc"
+++ exited with 102 +++

============== vmstat -a
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libprocps.so.1", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
open("/sys/devices/system/cpu/online", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib64/locale/locale-archive", O_RDONLY|O_CLOEXEC) = 3
open("/usr/share/locale/locale.alias", O_RDONLY|O_CLOEXEC) = 3
open("/usr/share/locale/en_GB.UTF-8/LC_MESSAGES/procps-ng.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_GB.utf8/LC_MESSAGES/procps-ng.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_GB/LC_MESSAGES/procps-ng.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en.UTF-8/LC_MESSAGES/procps-ng.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en.utf8/LC_MESSAGES/procps-ng.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en/LC_MESSAGES/procps-ng.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
procs -----------memory---------- ---swap-- -----io---- -system-- ----cpu----
 r  b   swpd   free  inact active   si   so    bi    bo   in   cs us sy id wa
open("/proc/meminfo", O_RDONLY)         = 3
open("/proc/stat", O_RDONLY)            = 4
open("/proc/vmstat", O_RDONLY)          = -1 EACCES (Permission denied)
Error: /proc must be mounted
  To mount /proc at boot you need an /etc/fstab line like:
      proc   /proc   proc    defaults
  In the meantime, run "mount proc /proc -t proc"
+++ exited with 102 +++

============== vmstat -f
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libprocps.so.1", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
open("/sys/devices/system/cpu/online", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib64/locale/locale-archive", O_RDONLY|O_CLOEXEC) = 3
open("/proc/stat", O_RDONLY)            = 3
open("/proc/vmstat", O_RDONLY)          = -1 EACCES (Permission denied)
Error: /proc must be mounted
  To mount /proc at boot you need an /etc/fstab line like:
      proc   /proc   proc    defaults
  In the meantime, run "mount proc /proc -t proc"
+++ exited with 102 +++

============== vmstat -m
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libprocps.so.1", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
open("/sys/devices/system/cpu/online", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib64/locale/locale-archive", O_RDONLY|O_CLOEXEC) = 3
open("/proc/slabinfo", O_RDONLY)        = -1 EACCES (Permission denied)
open("/usr/share/locale/locale.alias", O_RDONLY|O_CLOEXEC) = 3
open("/usr/share/locale/en_GB.UTF-8/LC_MESSAGES/procps-ng.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_GB.utf8/LC_MESSAGES/procps-ng.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_GB/LC_MESSAGES/procps-ng.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en.UTF-8/LC_MESSAGES/procps-ng.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en.utf8/LC_MESSAGES/procps-ng.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en/LC_MESSAGES/procps-ng.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
vmstat: your kernel does not support slabinfo or your permissions are insufficient
+++ exited with 0 +++

============== vmstat -d
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libprocps.so.1", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
open("/sys/devices/system/cpu/online", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib64/locale/locale-archive", O_RDONLY|O_CLOEXEC) = 3
open("/proc/diskstats", O_RDONLY)       = 3
open("/proc/diskstats", O_RDONLY)       = 3
access("/sys/block/sda", F_OK)          = -1 EACCES (Permission denied)
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0xfffffffffffffff0} ---
+++ killed by SIGSEGV +++
Segmentation fault

============== vmstat -p sda1
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libprocps.so.1", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
open("/sys/devices/system/cpu/online", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib64/locale/locale-archive", O_RDONLY|O_CLOEXEC) = 3
open("/proc/diskstats", O_RDONLY)       = 3
open("/proc/diskstats", O_RDONLY)       = 3
access("/sys/block/sda", F_OK)          = -1 EACCES (Permission denied)
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0xfffffffffffffff0} ---
+++ killed by SIGSEGV +++
Segmentation fault
Comment 2 Samuli Suominen (RETIRED) gentoo-dev 2013-03-12 19:14:37 UTC
This looks like a duplicate of bug 404389, can you check?
Comment 3 Roman Žilka 2013-03-12 19:52:50 UTC
Bug 404398 is about /proc/something missing, because a kernel option is missing because of ( grsec || CONFIG_EXPERT ). In this case the /proc/something is there, but is restricted to root because of grsec.
Comment 4 Roman Žilka 2013-03-12 19:53:29 UTC
Two typos in two words: bug 404389 was what I meant, of course.
Comment 5 SpanKY gentoo-dev 2015-05-18 04:29:59 UTC
sent upstream
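
The distinction drawn in Comment 3 (a /proc or /sys file that is absent versus one that exists but is restricted), applied to strace output of the kind shown in Comment 1. This is an added example, not part of the bug thread or of procps; the sample log is constructed and the names `summarize` and `verdict` are hypothetical.

```python
import re

# Constructed sample modelled on the strace output in Comment 1.
SAMPLE = """\
============== vmstat
open("/proc/vmstat", O_RDONLY)          = -1 EACCES (Permission denied)
+++ exited with 102 +++

============== vmstat -m
open("/proc/slabinfo", O_RDONLY)        = -1 EACCES (Permission denied)
open("/usr/share/locale/en/LC_MESSAGES/procps-ng.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
+++ exited with 0 +++

============== vmstat -d
access("/sys/block/sda", F_OK)          = -1 EACCES (Permission denied)
+++ killed by SIGSEGV +++
"""

HEADER = re.compile(r"^=+ (.+)$")
FAILED = re.compile(r'^(?:open|access)\("([^"]+)".*= -1 (E[A-Z]+)')
ENDED = re.compile(r"^\+\+\+ (exited with \d+|killed by \w+) \+\+\+$")

def summarize(log):
    """Return {command: {"denied": [...], "missing": [...], "outcome": str}}."""
    runs, cur = {}, None
    for line in log.splitlines():
        if m := HEADER.match(line):
            cur = runs.setdefault(m.group(1).strip(), {"denied": [], "missing": [], "outcome": None})
        elif cur is None:
            continue
        elif m := FAILED.match(line):
            path, errno = m.groups()
            kind = {"EACCES": "denied", "ENOENT": "missing"}.get(errno)
            # Only kernel pseudo-filesystems matter here; locale lookups are noise.
            if kind and path.startswith(("/proc/", "/sys/")):
                cur[kind].append(path)
        elif m := ENDED.match(line):
            cur["outcome"] = m.group(1)
    return runs

def verdict(run):
    """'restricted' = file exists but is root-only; 'absent' = file is not there."""
    if run["denied"]:
        return "restricted"
    return "absent" if run["missing"] else "ok"

if __name__ == "__main__":
    for cmd, run in summarize(SAMPLE).items():
        print(f"{cmd}: {verdict(run)} {run['denied'] + run['missing']} -> {run['outcome']}")
```

Pairing the errno with the outcome shows where the tool's own reporting diverges from the cause: an EACCES run that ends in "exited with 102" or SIGSEGV is a permissions restriction, not an unmounted /proc.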