GNU bug report logs - #24108
CLONE_NEWUSER tests fail with EPERM instead of being skipped on Grsecurity kernels


Package: guix;

Reported by: sapientech <at> openmailbox.org

Date: Fri, 29 Jul 2016 23:51:01 UTC

Severity: normal

Tags: notabug

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.



Report forwarded to bug-guix <at> gnu.org:
bug#24108; Package guix. (Fri, 29 Jul 2016 23:51:01 GMT)

Acknowledgement sent to sapientech <at> openmailbox.org:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Fri, 29 Jul 2016 23:51:01 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: sapientech <at> openmailbox.org
To: bug-guix <at> gnu.org
Subject: guix make tests failure
Date: Fri, 29 Jul 2016 19:26:10 -0400
[Message part 1 (text/plain, inline)]
Hi all,

Attached is the output log of `make tests`. Commands leading up to make 
tests:

$ guix environment guix --ad-hoc git vim
$ ./bootstrap
$ ./configure
$ make tests
[config.log (text/plain, attachment)]
[test-suite.log (text/plain, attachment)]

Information forwarded to bug-guix <at> gnu.org:
bug#24108; Package guix. (Sat, 30 Jul 2016 13:08:01 GMT)

Message #8 received at 24108 <at> debbugs.gnu.org:

From: ludo <at> gnu.org (Ludovic Courtès)
To: sapientech <at> openmailbox.org
Cc: 24108 <at> debbugs.gnu.org
Subject: Re: bug#24108: guix make tests failure
Date: Sat, 30 Jul 2016 15:07:25 +0200
Hi,

sapientech <at> openmailbox.org skribis:

> test-name: substitute query, alternating URLs
> location: /home/sapientech/Dev/guix/guix_wip/tests/store.scm:456

[...]

> substitute: guix/ui.scm:1209:6: In procedure run-guix-command:
> substitute: guix/ui.scm:1209:6: unmatched line "<html><head><meta http-equiv=\"refresh\" content=\"0;url=http://www.dnsrsearch.com/index.php?origURL=http://does-not-exist/nix-cache-info&bc=\"/></head><body><script type=\"text/javascript\">window.location=\"http://www.dnsrsearch.com/index.php?origURL=\"+escape(window.location)+\"&r=\"+escape(document.referrer)+\"&bc=\";</script></body></html>"

It seems there’s a DNS hijacker in place where domain names such as
“does-not-exist” (used in this and other tests) are resolved to some
ISP-specific host or something.  This explains this and more of the
other test failures you are seeing; this is unsupported.

> test-name: clone
> location: /home/sapientech/Dev/guix/guix_wip/tests/syscalls.scm:109
> source:
> + (test-assert
> +   "clone"
> +   (match (clone (logior CLONE_NEWUSER SIGCHLD))
> +          (0 (primitive-exit 42))
> +          (pid (and (not (equal?
> +                           (readlink (user-namespace pid))
> +                           (readlink (user-namespace (getpid)))))
> +                    (match (waitpid pid)
> +                           ((_ . status) (= 42 (status:exit-val status))))))))
> actual-value: #f
> actual-error:
> + (system-error
> +   "clone"
> +   "~d: ~A"
> +   (268435473 "Operation not permitted")
> +   (1))
> result: FAIL

What does “uname -srv” report on this machine?  It seems this kernel
does not support namespaces.

Thanks,
Ludo’.




Information forwarded to bug-guix <at> gnu.org:
bug#24108; Package guix. (Sat, 30 Jul 2016 17:45:01 GMT)

Message #11 received at 24108 <at> debbugs.gnu.org:

From: Dylan Jeffers <sapientech <at> openmailbox.org>
To: ludo <at> gnu.org (Ludovic Courtès)
Cc: 24108 <at> debbugs.gnu.org
Subject: Re: bug#24108: guix make tests failure
Date: Sat, 30 Jul 2016 10:43:12 -0700
On Sat, 30 Jul 2016 15:07:25 +0200
ludo <at> gnu.org (Ludovic Courtès) wrote:

> Hi,
> 
> sapientech <at> openmailbox.org skribis:
> 
> > test-name: substitute query, alternating URLs
> > location: /home/sapientech/Dev/guix/guix_wip/tests/store.scm:456  
> 
> [...]
> 
> > substitute: guix/ui.scm:1209:6: In procedure run-guix-command:
> > substitute: guix/ui.scm:1209:6: unmatched line "<html><head><meta
> > http-equiv=\"refresh\"
> > content=\"0;url=http://www.dnsrsearch.com/index.php?origURL=http://does-not-exist/nix-cache-info&bc=\"/></head><body><script
> > type=\"text/javascript\">window.location=\"http://www.dnsrsearch.com/index.php?origURL=\"+escape(window.location)+\"&r=\"+escape(document.referrer)+\"&bc=\";</script></body></html>"  
> 
> It seems there’s a DNS hijacker in place where domain names such as
> “does-not-exist” (used in this and other tests) are resolved to some
> ISP-specific host or something.  This explains this and more of the
> other test failures you are seeing; this is unsupported.
> 
> > test-name: clone
> > location: /home/sapientech/Dev/guix/guix_wip/tests/syscalls.scm:109
> > source:
> > + (test-assert
> > +   "clone"
> > +   (match (clone (logior CLONE_NEWUSER SIGCHLD))
> > +          (0 (primitive-exit 42))
> > +          (pid (and (not (equal?
> > +                           (readlink (user-namespace pid))
> > +                           (readlink (user-namespace (getpid)))))
> > +                    (match (waitpid pid)
> > +                           ((_ . status) (= 42 (status:exit-val
> > status)))))))) actual-value: #f
> > actual-error:
> > + (system-error
> > +   "clone"
> > +   "~d: ~A"
> > +   (268435473 "Operation not permitted")
> > +   (1))
> > result: FAIL  
> 
> What does “uname -srv” report on this machine?  It seems this kernel
> does not support namespaces.
> 
> Thanks,
> Ludo’.

Hi Ludo,

Thanks for getting back so quickly.
Output of uname -srv: Linux 4.6.4-gnu-201607192040-1-grsec #1 SMP
PREEMPT Wed Jul 20 15:37:34 UYT 2016
It is a security-enhanced kernel, so that may be the issue. Let me know
if there is a workaround for this kernel, or whether I should fall back
to an LTS or standard kernel.

Best,
Dylan




Information forwarded to bug-guix <at> gnu.org:
bug#24108; Package guix. (Sat, 30 Jul 2016 21:33:01 GMT)

Message #14 received at 24108 <at> debbugs.gnu.org:

From: ludo <at> gnu.org (Ludovic Courtès)
To: Dylan Jeffers <sapientech <at> openmailbox.org>
Cc: 24108 <at> debbugs.gnu.org
Subject: Re: bug#24108: guix make tests failure
Date: Sat, 30 Jul 2016 23:31:54 +0200
Dylan Jeffers <sapientech <at> openmailbox.org> skribis:

> On Sat, 30 Jul 2016 15:07:25 +0200
> ludo <at> gnu.org (Ludovic Courtès) wrote:

[...]

>> > test-name: clone
>> > location: /home/sapientech/Dev/guix/guix_wip/tests/syscalls.scm:109
>> > source:
>> > + (test-assert
>> > +   "clone"
>> > +   (match (clone (logior CLONE_NEWUSER SIGCHLD))
>> > +          (0 (primitive-exit 42))
>> > +          (pid (and (not (equal?
>> > +                           (readlink (user-namespace pid))
>> > +                           (readlink (user-namespace (getpid)))))
>> > +                    (match (waitpid pid)
>> > +                           ((_ . status) (= 42 (status:exit-val
>> > status)))))))) actual-value: #f
>> > actual-error:
>> > + (system-error
>> > +   "clone"
>> > +   "~d: ~A"
>> > +   (268435473 "Operation not permitted")
>> > +   (1))
>> > result: FAIL  
>> 
>> What does “uname -srv” report on this machine?  It seems this kernel
>> does not support namespaces.
>> 
>> Thanks,
>> Ludo’.
>
> Hi Ludo,
>
> Thanks for getting back so quick.
> Output of uname -srv: Linux 4.6.4-gnu-201607192040-1-grsec #1 SMP
> PREEMPT Wed Jul 20 15:37:34 UYT 2016

These tests are skipped when user namespaces are not supported, as per
this condition:

  (define perform-container-tests?
    (and (user-namespace-supported?)
         (unprivileged-user-namespace-supported?)))

… which is true iff (1) /proc/self/ns/user exists, and (2)
/proc/sys/kernel/unprivileged_userns_clone does not exist, or it exists
and contains “1”.

Do these files exist on this system?

Maybe we should just ignore EPERM from (clone CLONE_NEWUSER) but it’s
annoying to annotate every single test that uses it.

From a user viewpoint, this test failure simply means that you cannot use
the ‘--container’ option of ‘guix environment’ on your system.

Thanks,
Ludo’.
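As an added example (not Guix code), the two /proc rules above in C, followed by the live clone(CLONE_NEWUSER|SIGCHLD) probe that the ‘clone’ test itself performs, so that EPERM from a kernel like the Grsecurity one in this report becomes a skip rather than a failure. The function names, the status enum and the raw-clone argument order (x86_64/aarch64) are assumptions of this example; note that the 268435473 in the reported error is exactly CLONE_NEWUSER (0x10000000) | SIGCHLD (17).

```c
/* Added example, not Guix code: the thread's two /proc rules, then a live clone probe. */
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000 /* 268435456; the report's 268435473 is this | SIGCHLD (17) */
#endif
enum userns_status { USERNS_OK = 0, USERNS_NO_KERNEL_SUPPORT, USERNS_DENIED, USERNS_PROBE_ERROR };

/* Rule (2): a missing sysctl file (contents == NULL) counts as allowed; if present it must say "1". */
static int sysctl_allows_userns(const char *contents)
{
    return contents == NULL || (contents[0] == '1' && (contents[1] == '\0' || contents[1] == '\n'));
}

/* Rules (1) and (2) together: what perform-container-tests? evaluates. */
static int proc_says_supported(void)
{
    char buf[16];
    FILE *f;
    if (access("/proc/self/ns/user", F_OK) != 0)      /* rule (1) */
        return 0;
    if ((f = fopen("/proc/sys/kernel/unprivileged_userns_clone", "r")) == NULL)
        return sysctl_allows_userns(NULL);
    buf[fread(buf, 1, sizeof buf - 1, f)] = '\0';
    fclose(f);
    return sysctl_allows_userns(buf);
}

/* Live probe: a raw clone with a NULL child stack behaves like fork (x86_64/aarch64
   argument order); the child only exits 42. EPERM here is the Grsecurity case. */
static enum userns_status probe_userns_clone(void)
{
    int status;
    long pid = syscall(SYS_clone, (long)(CLONE_NEWUSER | SIGCHLD), 0L, 0L, 0L, 0L);
    if (pid == 0)
        _exit(42);                                     /* child, in the new user namespace */
    if (pid < 0)
        return (errno == EPERM || errno == EINVAL || errno == ENOSYS || errno == EUSERS)
               ? USERNS_DENIED : USERNS_PROBE_ERROR;
    if (waitpid((pid_t)pid, &status, 0) < 0)
        return USERNS_PROBE_ERROR;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 42) ? USERNS_OK : USERNS_PROBE_ERROR;
}

/* What the thread argues for: skip, not fail, when /proc looks fine but the clone is denied. */
static enum userns_status userns_supported(void)
{
    return proc_says_supported() ? probe_userns_clone() : USERNS_NO_KERNEL_SUPPORT;
}
```

On the Grsec kernel from this report the /proc rules say "supported" while the probe returns USERNS_DENIED, which is the combination the Scheme predicate alone cannot see.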




Information forwarded to bug-guix <at> gnu.org:
bug#24108; Package guix. (Sun, 31 Jul 2016 00:41:02 GMT)

Message #17 received at 24108 <at> debbugs.gnu.org:

From: Dylan Jeffers <sapientech <at> openmailbox.org>
To: ludo <at> gnu.org (Ludovic Courtès)
Cc: 24108 <at> debbugs.gnu.org
Subject: Re: bug#24108: guix make tests failure
Date: Sat, 30 Jul 2016 17:40:27 -0700
On Sat, 30 Jul 2016 23:31:54 +0200
ludo <at> gnu.org (Ludovic Courtès) wrote:

> Dylan Jeffers <sapientech <at> openmailbox.org> skribis:
> 
> > On Sat, 30 Jul 2016 15:07:25 +0200
> > ludo <at> gnu.org (Ludovic Courtès) wrote:  
> 
> [...]
> 
> >> > test-name: clone
> >> > location: /home/sapientech/Dev/guix/guix_wip/tests/syscalls.scm:109
> >> > source:
> >> > + (test-assert
> >> > +   "clone"
> >> > +   (match (clone (logior CLONE_NEWUSER SIGCHLD))
> >> > +          (0 (primitive-exit 42))
> >> > +          (pid (and (not (equal?
> >> > +                           (readlink (user-namespace pid))
> >> > +                           (readlink (user-namespace
> >> > (getpid)))))
> >> > +                    (match (waitpid pid)
> >> > +                           ((_ . status) (= 42 (status:exit-val
> >> > status)))))))) actual-value: #f
> >> > actual-error:
> >> > + (system-error
> >> > +   "clone"
> >> > +   "~d: ~A"
> >> > +   (268435473 "Operation not permitted")
> >> > +   (1))
> >> > result: FAIL    
> >> 
> >> What does “uname -srv” report on this machine?  It seems this
> >> kernel does not support namespaces.
> >> 
> >> Thanks,
> >> Ludo’.  
> >
> > Hi Ludo,
> >
> > Thanks for getting back so quick.
> > Output of uname -srv: Linux 4.6.4-gnu-201607192040-1-grsec #1 SMP
> > PREEMPT Wed Jul 20 15:37:34 UYT 2016  
> 
> These tests are skipped when user namespaces are not supported, as per
> this condition:
> 
>   (define perform-container-tests?
>     (and (user-namespace-supported?)
>          (unprivileged-user-namespace-supported?)))
> 
> … which is true iff (1) /proc/self/ns/user exists, and (2)
> /proc/sys/kernel/unprivileged_userns_clone does not exist, or it
> exists and contains “1”.
> 
> Do these files exist on this system?

(1) /proc/self/ns/user exists, and
(2) /proc/sys/kernel/unprivileged_userns_clone D.N.E

Ideas on the best approach to allow the build to succeed?

I also have had issues with qemu, so it makes sense that vm/container
stuff both have issues. I have a feeling it's due to the
grsec kernel.
https://wiki.archlinux.org/index.php/Grsecurity_Patchset talks a
bit about userspace/namespace hardening + issues with xen and
virtbox. Going to reboot with an lts kernel and try again. Will post
update...

Best,
Dylan

Best,
Dylan




Information forwarded to bug-guix <at> gnu.org:
bug#24108; Package guix. (Sun, 31 Jul 2016 01:55:02 GMT)

Message #20 received at 24108 <at> debbugs.gnu.org:

From: Dylan Jeffers <sapientech <at> openmailbox.org>
To: ludo <at> gnu.org (Ludovic Courtès)
Cc: 24108 <at> debbugs.gnu.org
Subject: Re: bug#24108: guix make tests failure
Date: Sat, 30 Jul 2016 18:53:05 -0700
[Message part 1 (text/plain, inline)]
On Sat, 30 Jul 2016 17:40:27 -0700
Dylan Jeffers <sapientech <at> openmailbox.org> wrote:

> On Sat, 30 Jul 2016 23:31:54 +0200
> ludo <at> gnu.org (Ludovic Courtès) wrote:
> 
> > Dylan Jeffers <sapientech <at> openmailbox.org> skribis:
> >   
> > > On Sat, 30 Jul 2016 15:07:25 +0200
> > > ludo <at> gnu.org (Ludovic Courtès) wrote:    
> > 
> > [...]
> >   
> > >> > test-name: clone
> > >> > location: /home/sapientech/Dev/guix/guix_wip/tests/syscalls.scm:109
> > >> > source:
> > >> > + (test-assert
> > >> > +   "clone"
> > >> > +   (match (clone (logior CLONE_NEWUSER SIGCHLD))
> > >> > +          (0 (primitive-exit 42))
> > >> > +          (pid (and (not (equal?
> > >> > +                           (readlink (user-namespace pid))
> > >> > +                           (readlink (user-namespace
> > >> > (getpid)))))
> > >> > +                    (match (waitpid pid)
> > >> > +                           ((_ . status) (= 42
> > >> > (status:exit-val status)))))))) actual-value: #f
> > >> > actual-error:
> > >> > + (system-error
> > >> > +   "clone"
> > >> > +   "~d: ~A"
> > >> > +   (268435473 "Operation not permitted")
> > >> > +   (1))
> > >> > result: FAIL      
> > >> 
> > >> What does “uname -srv” report on this machine?  It seems this
> > >> kernel does not support namespaces.
> > >> 
> > >> Thanks,
> > >> Ludo’.    
> > >
> > > Hi Ludo,
> > >
> > > Thanks for getting back so quick.
> > > Output of uname -srv: Linux 4.6.4-gnu-201607192040-1-grsec #1 SMP
> > > PREEMPT Wed Jul 20 15:37:34 UYT 2016    
> > 
> > These tests are skipped when user namespaces are not supported, as
> > per this condition:
> > 
> >   (define perform-container-tests?
> >     (and (user-namespace-supported?)
> >          (unprivileged-user-namespace-supported?)))
> > 
> > … which is true iff (1) /proc/self/ns/user exists, and (2)
> > /proc/sys/kernel/unprivileged_userns_clone does not exist, or it
> > exists and contains “1”.
> > 
> > Do these files exist on this system?  
> 
> (1) /proc/self/ns/user exists, and
> (2) /proc/sys/kernel/unprivileged_userns_clone D.N.E
> 
> Ideas on the best approach to allow the build to succeed?
> 
> I also have had issues with qemu, so it makes sense that vm/container
> stuff both have issues. I have a feeling it's due to the
> grsec kernel.
> https://wiki.archlinux.org/index.php/Grsecurity_Patchset talks a
> bit about userspace/namespace hardening + issues with xen and
> virtbox. Going to reboot with an lts kernel and try again. Will post
> update...
> 
> Best,
> Dylan
> 
> Best,
> Dylan

After changing the kernel and stopping paxd.service, the build still
failed :(

It looks like the failed tests are different though (see attachment)

Dylan
[config.log (text/x-log, attachment)]
[config.status (application/octet-stream, attachment)]
[test-suite.log (text/x-log, attachment)]

Information forwarded to bug-guix <at> gnu.org:
bug#24108; Package guix. (Sun, 31 Jul 2016 10:54:02 GMT)

Message #23 received at 24108 <at> debbugs.gnu.org:

From: ludo <at> gnu.org (Ludovic Courtès)
To: Dylan Jeffers <sapientech <at> openmailbox.org>
Cc: 24108 <at> debbugs.gnu.org
Subject: Re: bug#24108: guix make tests failure
Date: Sun, 31 Jul 2016 12:53:26 +0200
Hello,

Dylan Jeffers <sapientech <at> openmailbox.org> skribis:

[...]

> > > These tests are skipped when user namespaces are not supported, as
> > > per this condition:
> > > 
> > >   (define perform-container-tests?
> > >     (and (user-namespace-supported?)
> > >          (unprivileged-user-namespace-supported?)))
> > > 
> > > … which is true iff (1) /proc/self/ns/user exists, and (2)
> > > /proc/sys/kernel/unprivileged_userns_clone does not exist, or it
> > > exists and contains “1”.
> > > 
> > > Do these files exist on this system?  
>>
>> (1) /proc/self/ns/user exists, and
>> (2) /proc/sys/kernel/unprivileged_userns_clone D.N.E

They do not exist now with the new ‘test-suite.log’ that you posted, but
they did exist before (with the Grsec kernel), otherwise the user
namespaces tests would have been skipped.

>> Ideas on the best approach to allow the build to succeed?
>> 
>> I also have had issues with qemu, so it makes sense that vm/container
>> stuff both have issues. I have a feeling it's due to the
>> grsec kernel.
>> https://wiki.archlinux.org/index.php/Grsecurity_Patchset talks a
>> bit about userspace/namespace hardening + issues with xen and
>> virtbox. Going to reboot with an lts kernel and try again. Will post
>> update...
>> 
>> Best,
>> Dylan
>> 
>> Best,
>> Dylan
>
> After changing kernel, and stopping paxd.service, build still
> failed :(

[...]

> test-name: clone
> location: /home/sapientech/Dev/guix/guix_wip/tests/syscalls.scm:109
> source:
> + (test-assert
> +   "clone"
> +   (match (clone (logior CLONE_NEWUSER SIGCHLD))
> +          (0 (primitive-exit 42))
> +          (pid (and (not (equal?
> +                           (readlink (user-namespace pid))
> +                           (readlink (user-namespace (getpid)))))
> +                    (match (waitpid pid)
> +                           ((_ . status) (= 42 (status:exit-val status))))))))
> result: SKIP

This and other container-related tests are now properly skipped.

> test-name: home-page: host not found
> location: /home/sapientech/Dev/guix/guix_wip/tests/lint.scm:393
> source:
> + (test-assert
> +   "home-page: host not found"
> +   (->bool
> +     (string-contains
> +       (with-warnings
> +         (let ((pkg (package
> +                      (inherit (dummy-package "x"))
> +                      (home-page "http://does-not-exist"))))
> +           (check-home-page pkg)))
> +       "domain not found")))
> actual-value: #f
> result: FAIL

This and the remaining failures are due to DNS hijacking, so nothing we
can do about it.  You’d have to use a well-behaved DNS server (e.g.,
“echo nameserver 8.8.8.8 > /etc/resolv.conf” to use Google’s name
server) to work around that.

Thanks,
Ludo’.
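Two defender-side checks for the NXDOMAIN hijacking Ludo describes, as an added example rather than Guix code: a resolver probe against a name under the RFC 2606 reserved ‘.invalid’ domain, and a content check that flags the HTML redirect quoted earlier in this report where a ‘Key: Value’ nix-cache-info document was expected. The verdict enum, the function names and the (abridged) sample bodies are constructed for this example.

```c
/* Added example, not Guix code: detect NXDOMAIN hijacking from two angles. */
#include <netdb.h>
#include <string.h>
#include <strings.h>
#include <sys/socket.h>
#include <sys/types.h>

enum dns_verdict { DNS_CLEAN = 0, DNS_HIJACK_SUSPECTED = 1, DNS_UNAVAILABLE = 2 };

/* Angle 1: classify getaddrinfo's result for a name that cannot exist. */
static enum dns_verdict classify_gai(int rc)
{
    if (rc == 0)          return DNS_HIJACK_SUSPECTED;  /* an answer for a nonexistent name */
    if (rc == EAI_NONAME) return DNS_CLEAN;             /* honest NXDOMAIN */
    return DNS_UNAVAILABLE;                             /* EAI_AGAIN, EAI_FAIL, ...: no verdict */
}

/* ".invalid" is reserved by RFC 2606, so any answer means the resolver path rewrites NXDOMAIN. */
static enum dns_verdict probe_nxdomain_hijack(void)
{
    struct addrinfo hints, *res = NULL;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    int rc = getaddrinfo("does-not-exist.invalid", NULL, &hints, &res);
    if (rc == 0)
        freeaddrinfo(res);
    return classify_gai(rc);
}

/* Angle 2: the substitute test expected a nix-cache-info document ("Key: Value" lines)
   and got the hijacker's HTML redirect, hence the "unmatched line" error. Return 1 when
   the body's first line is not a plausible Key: Value line. */
static int looks_like_hijack_page(const char *body)
{
    const char *p = body, *colon, *q;
    while (*p == ' ' || *p == '\t' || *p == '\r' || *p == '\n')
        p++;
    if (strncasecmp(p, "<html", 5) == 0 || strncasecmp(p, "<!doctype", 9) == 0)
        return 1;
    colon = strchr(p, ':');
    if (colon == NULL || colon == p)
        return 1;
    for (q = p; q < colon; q++)            /* the key must be a bare word */
        if (*q == '<' || *q == ' ' || *q == '\n')
            return 1;
    return 0;
}

/* Constructed samples; the first is the hijacker's reply quoted in this report, abridged. */
static const char HIJACKED_BODY[] =
    "<html><head><meta http-equiv=\"refresh\" content=\"0;url=http://www.dnsrsearch.com/"
    "index.php?origURL=http://does-not-exist/nix-cache-info&bc=\"/></head><body></body></html>";
static const char GOOD_BODY[] = "StoreDir: /gnu/store\nWantMassQuery: 1\nPriority: 30\n";
```

A test harness that calls probe_nxdomain_hijack() before the "host not found" lint tests can skip them with a clear reason when the verdict is DNS_HIJACK_SUSPECTED, instead of failing on an ISP search page.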




Changed bug title to 'CLONE_NEWUSER tests fail with EPERM instead of being skipped on Grsecurity kernels' from 'guix make tests failure' Request was from ludo <at> gnu.org (Ludovic Courtès) to control <at> debbugs.gnu.org. (Sun, 31 Jul 2016 10:56:01 GMT)

Added tag(s) notabug. Request was from Ludovic Courtès <ludo <at> gnu.org> to control <at> debbugs.gnu.org. (Thu, 09 Jul 2020 13:59:01 GMT)

bug closed, send any further explanations to 24108 <at> debbugs.gnu.org and sapientech <at> openmailbox.org Request was from Ludovic Courtès <ludo <at> gnu.org> to control <at> debbugs.gnu.org. (Thu, 09 Jul 2020 13:59:01 GMT)

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Fri, 07 Aug 2020 11:24:04 GMT)
