
Bug 649396

Summary: net-libs/gnutls-3.5.18 fails 4 seccomp using tests
Product: Gentoo Linux
Reporter: Mart Raudsepp <leio>
Component: Current packages
Assignee: Gentoo's Team for Core System packages <base-system>
Status: CONFIRMED
Severity: normal
CC: alonbl
Priority: Normal
Keywords: TESTFAILURE
Version: unspecified
Hardware: All
OS: Linux
See Also: https://bugs.gentoo.org/show_bug.cgi?id=711104
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: build.log
tests/test-suite.log

Description Mart Raudsepp gentoo-dev 2018-03-02 18:57:28 UTC
FAIL: tls-with-seccomp
FAIL: tls-client-with-seccomp
FAIL: dtls-with-seccomp
FAIL: dtls-client-with-seccomp

I don't have libseccomp installed and USE=test does not pull it in. Also not all platforms have libseccomp possibility.

$(multilib_native_use_enable seccomp seccomp-tests)  seems to be ineffective.
Comment 1 Mart Raudsepp gentoo-dev 2018-03-02 18:58:34 UTC
Created attachment 521968
build.log
Comment 2 Mart Raudsepp gentoo-dev 2018-03-02 18:58:51 UTC
Created attachment 521970
tests/test-suite.log
Comment 3 Mart Raudsepp gentoo-dev 2018-03-02 18:59:35 UTC
Portage 2.3.19 (python 2.7.14-final-0, default/linux/arm64/17.0, gcc-6.4.0, glibc-2.25-r10, 4.9.0-4-arm64 aarch64)
=================================================================
System uname: Linux-4.9.0-4-arm64-aarch64-with-gentoo-2.4.1
KiB Mem:   131544964 total, 115916212 free
KiB Swap:    3321056 total,   3321056 free
Timestamp of repository gentoo: Fri, 02 Mar 2018 17:00:01 +0000
Head commit of repository gentoo: be9e3223c6ee365a84bd10754e44a0d3f3dda62f
sh bash 4.3_p48-r1
ld GNU ld (Gentoo 2.29.1 p3) 2.29.1
app-shells/bash:          4.3_p48-r1::gentoo
dev-lang/perl:            5.24.3::gentoo
dev-lang/python:          2.7.14-r1::gentoo, 3.5.4-r1::gentoo
dev-util/pkgconfig:       0.29.2::gentoo
sys-apps/baselayout:      2.4.1-r2::gentoo
sys-apps/openrc:          0.34.11::gentoo
sys-apps/sandbox:         2.12::gentoo
sys-devel/autoconf:       2.69-r4::gentoo
sys-devel/automake:       1.15.1-r1::gentoo
sys-devel/binutils:       2.29.1-r1::gentoo
sys-devel/gcc:            6.4.0-r1::gentoo
sys-devel/gcc-config:     1.8-r1::gentoo
sys-devel/libtool:        2.4.6-r3::gentoo
sys-devel/make:           4.1-r1::gentoo
sys-kernel/linux-headers: 4.13::gentoo (virtual/os-headers)
sys-libs/glibc:           2.25-r10::gentoo
Repositories:

gentoo
    location: /usr/portage
    sync-type: rsync
    sync-uri: rsync://rsync.gentoo.org/gentoo-portage
    priority: -1000
    sync-rsync-extra-opts: 

ACCEPT_KEYWORDS="arm64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="aarch64-unknown-linux-gnu"
CFLAGS="-O2 -pipe"
CHOST="aarch64-unknown-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2"
DISTDIR="/usr/portage/distfiles"
FCFLAGS="-O2"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync multilib-strict news parallel-fetch preserve-libs protect-owned sandbox sfperms strict test unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2"
GENTOO_MIRRORS="http://gentoo.osuosl.org/"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j50"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
USE="acl arm64 berkdb bzip2 cli crypt cxx dri fortran gdbm iconv ipv6 modules multilib ncurses nls nptl openmp pam pcre readline seccomp ssl tcpd unicode xattr zlib" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_ARM="edsp neon thumb thumb2 v4 v5 v6 v7 v8 vfp vfp-d32 vfpv3 vfpv4" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="libinput keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-6 php7-0" POSTGRES_TARGETS="postgres9_5" PYTHON_SINGLE_TARGET="python3_5" PYTHON_TARGETS="python2_7 python3_5" RUBY_TARGETS="ruby21 ruby22 ruby23" USERLAND="GNU" VIDEO_CARDS="fbdev dummy v4l" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CC, CPPFLAGS, CTARGET, CXX, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LINGUAS, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 4 Mart Raudsepp gentoo-dev 2018-03-02 19:26:10 UTC
Oops, actually I did have libseccomp installed and the USE flag was enabled from profile as well.

So it seems tests fail with USE=seccomp and pass without. Might be platform-specific too.
Comment 5 Alon Bar-Lev (RETIRED) gentoo-dev 2018-03-02 19:28:56 UTC
Hi,

You have seccomp USE

You do have libseccomp:
checking for libseccomp... yes
checking how to link with libseccomp... -lseccomp

The question - do you have seccomp enabled in kernel?
If not, please disable seccomp USE as it does not make sense to enable it.
If use, please attach tests/*.log

Thanks!
Comment 6 Mart Raudsepp gentoo-dev 2018-03-02 19:47:55 UTC
I don't know about the kernel, I'm in a chroot. I don't think things should fail though if USE=seccomp and no support in kernel.
How do I find out if it's enabled? At least journald says on the host:
systemd 232 running in system mode. (+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN)

but that might mean just built with support, not necessarily at runtime (I don't know). At least it doesn't fail like the tests fail. Also maybe seccomp isn't functional inside chroot.
Comment 7 Mart Raudsepp gentoo-dev 2018-03-02 19:50:44 UTC
(In reply to Alon Bar-Lev from comment #5)
> If use, please attach tests/*.log

test-suite.log was already attached; the individual (dozens) files seemed to be short files with exactly the same content already concatenated into test-suite.log
Comment 8 Alon Bar-Lev (RETIRED) gentoo-dev 2018-03-02 20:00:19 UTC
You can check CONFIG_SECCOMP=y in kernel configuration.

Please do not enable seccomp if you do not have this, it is like enabling selinux, fuse or any other feature that depend on kernel feature and/or hardware feature, you cannot enable if not configured/available.

Please tell me if configured.
Comment 9 Mart Raudsepp gentoo-dev 2018-03-02 20:05:35 UTC
I do not have config file, I'm in a chroot on foreign host. No /proc/config* there either. I am quite sure the host does have support though, it might be not available to the chroot though, not sure how that works.

It is often not valid to disable seccomp support on packages, even if you happen to prepare things in a chroot and not have support at runtime. I'm also about to even use.force seccomp for tracker where platform has support, and am contemplating on doing it globally instead (at least on arches I am member of and have seccomp support).
I will most definitely not disable USE=seccomp globally, I might however ignore the test failure for future stabilization concerns or mask it per-package to gnutls if it can't be properly fixed.
Comment 10 Alon Bar-Lev (RETIRED) gentoo-dev 2018-03-02 20:09:45 UTC
I do not understand...

You enable seccomp - ok, you assume build succeeds - ok, makes sense in most cases.

You enable tests and seccomp - this means that you instruct build to actually test that things work with seccomp enabled... what do you expect? tests to succeed?

I am closing this as you cannot report if seccomp is enabled or not, it is perfectly valid for tests to fail if you do not have it on.
Comment 11 Mart Raudsepp gentoo-dev 2018-03-02 20:12:59 UTC
I found config from /boot of the host, it has:

CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
CONFIG_SECCOMP_FILTER=y
CONFIG_SECCOMP=y
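
The check discussed in comments 6 to 11, as an added example that is not part of the bug thread or of the gnutls or Gentoo sources: it reads the `Seccomp:` field of /proc/self/status, which the kernel emits only when built with CONFIG_SECCOMP, so it works from a chroot that has /proc mounted but no kernel config file. The function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the bug thread); function names are hypothetical.

# seccomp_state [STATUS_FILE]
# Prints unknown | unsupported | available | strict | filter.
seccomp_state() {
    status_file=${1:-/proc/self/status}
    # No readable /proc (common in a bare chroot): nothing can be concluded.
    [ -r "$status_file" ] || { echo unknown; return 0; }
    # The kernel prints a "Seccomp:" line only when built with CONFIG_SECCOMP.
    mode=$(awk '$1 == "Seccomp:" { print $2; exit }' "$status_file") || mode=
    case $mode in
        '') echo unsupported ;;
        0)  echo available ;;  # supported, this process is not confined
        1)  echo strict ;;     # SECCOMP_MODE_STRICT is active
        2)  echo filter ;;     # a filter is already installed, e.g. by a container manager
        *)  echo unknown ;;
    esac
}

# kconfig_enabled OPTION FILE
# True if FILE (plain or .gz kernel config) has the exact line OPTION=y.
kconfig_enabled() {
    case $2 in
        *.gz) gzip -dc "$2" ;;
        *)    cat "$2" ;;
    esac 2>/dev/null | grep -qx "$1=y"
}

# Print what can be learned from inside the current root.
seccomp_report() {
    echo "runtime: $(seccomp_state)"
    for cfg in /proc/config.gz "/boot/config-$(uname -r)"; do
        [ -r "$cfg" ] || continue
        for opt in CONFIG_SECCOMP CONFIG_SECCOMP_FILTER; do
            if kconfig_enabled "$opt" "$cfg"; then
                echo "$cfg: $opt=y"
            else
                echo "$cfg: $opt is not set"
            fi
        done
    done
    return 0
}

seccomp_report
```

A result of `filter` means a seccomp policy is already applied to the calling process; any filter a program installs afterwards is stacked on top of it.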
Comment 12 Mart Raudsepp gentoo-dev 2018-03-02 20:24:26 UTC
We are working on a full gentoo system out of those chroots in parallel, after which I can test natively too. Meanwhile I'm pretty sure libseccomp is enabled in the kernel, but maybe something is messing things up via the chroot fact.
Comment 13 Mart Raudsepp gentoo-dev 2018-05-03 08:07:28 UTC
Still fails the same with gnutls-3.5.18. Now in a full systemd-nspawn container with proper namespacing and so on, not a dumb chroot.
libseccomp itself has an extensive test suite, which all passes just fine and dandy, so I would claim that it's NOT a kernel problem (unless libseccomp tests don't exercise that somehow...).
Comment 14 Alon Bar-Lev (RETIRED) gentoo-dev 2018-05-07 11:02:23 UTC
Hi,
Can you please provide strace output of one of the failing tests?
Thanks!
Comment 15 Larry the Git Cow gentoo-dev 2020-09-04 16:14:18 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=807088725f04adee3a1e0ed9a8b41d8d647262b3

commit 807088725f04adee3a1e0ed9a8b41d8d647262b3
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-09-04 15:28:14 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-09-04 16:13:47 +0000

    net-libs/gnutls: bump to v3.6.15
    
    Bug: https://bugs.gentoo.org/649396
    Bug: https://bugs.gentoo.org/711104
    Bug: https://bugs.gentoo.org/740390
    Package-Manager: Portage-3.0.4, Repoman-3.0.1
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 net-libs/gnutls/Manifest                           |   1 +
 .../gnutls-3.6.15-skip-dtls-seccomp-tests.patch    |  26 ++++
 net-libs/gnutls/gnutls-3.6.15.ebuild               | 134 +++++++++++++++++++++
 3 files changed, 161 insertions(+)
Comment 16 Rolf Eike Beer archtester 2021-05-10 13:53:00 UTC
Still happens with 3.7.1 on hppa:

 * USE:        cxx elibc_glibc hppa idn kernel_linux nls openssl seccomp test tls-heartbeat userland_GNU
Comment 17 Rolf Eike Beer archtester 2021-08-12 07:28:35 UTC
and 3.7.2