GNU bug report logs - #24108
CLONE_NEWUSER tests fail with EPERM instead of being skipped on Grsecurity kernels


Package: guix

Reported by: sapientech <at> openmailbox.org

Date: Fri, 29 Jul 2016 23:51:01 UTC

Severity: normal

Tags: notabug

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.



Message #11 received at 24108 <at> debbugs.gnu.org (full text, mbox):

From: Dylan Jeffers <sapientech <at> openmailbox.org>
To: ludo <at> gnu.org (Ludovic Courtès)
Cc: 24108 <at> debbugs.gnu.org
Subject: Re: bug#24108: guix make tests failure
Date: Sat, 30 Jul 2016 10:43:12 -0700

On Sat, 30 Jul 2016 15:07:25 +0200
ludo <at> gnu.org (Ludovic Courtès) wrote:

> Hi,
> 
> sapientech <at> openmailbox.org skribis:
> 
> > test-name: substitute query, alternating URLs
> > location: /home/sapientech/Dev/guix/guix_wip/tests/store.scm:456  
> 
> [...]
> 
> > substitute: guix/ui.scm:1209:6: In procedure run-guix-command:
> > substitute: guix/ui.scm:1209:6: unmatched line "<html><head><meta
> > http-equiv=\"refresh\"
> > content=\"0;url=http://www.dnsrsearch.com/index.php?origURL=http://does-not-exist/nix-cache-info&bc=\"/></head><body><script
> > type=\"text/javascript\">window.location=\"http://www.dnsrsearch.com/index.php?origURL=\"+escape(window.location)+\"&r=\"+escape(document.referrer)+\"&bc=\";</script></body></html>"  
> 
> It seems there’s a DNS hijacker in place where domain names such as
> “does-not-exist” (used in this and other tests) are resolved to some
> ISP-specific host or something.  This explains this and more of the
> other test failures you are seeing; this is unsupported.
> 
> > test-name: clone
> > location: /home/sapientech/Dev/guix/guix_wip/tests/syscalls.scm:109
> > source:
> > + (test-assert
> > +   "clone"
> > +   (match (clone (logior CLONE_NEWUSER SIGCHLD))
> > +          (0 (primitive-exit 42))
> > +          (pid (and (not (equal?
> > +                           (readlink (user-namespace pid))
> > +                           (readlink (user-namespace (getpid)))))
> > +                    (match (waitpid pid)
> > +                           ((_ . status) (= 42 (status:exit-val status))))))))
> > actual-value: #f
> > actual-error:
> > + (system-error
> > +   "clone"
> > +   "~d: ~A"
> > +   (268435473 "Operation not permitted")
> > +   (1))
> > result: FAIL  
> 
> What does “uname -srv” report on this machine?  It seems this kernel
> does not support namespaces.
> 
> Thanks,
> Ludo’.

Hi Ludo,

Thanks for getting back so quickly.
Output of uname -srv: Linux 4.6.4-gnu-201607192040-1-grsec #1 SMP
PREEMPT Wed Jul 20 15:37:34 UYT 2016
It is a security-enhanced kernel, so that may be the issue. Let me know
if there is a workaround for this kernel, or whether I should fall back
to an LTS or standard kernel.

Best,
Dylan
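
The failure mode in this report, shown as an added example that is not part of the thread or of Guix's code: a C probe that attempts `CLONE_NEWUSER` in a throwaway child and maps the resulting errno to a run/skip decision, so a kernel that refuses user namespaces with EPERM produces a skipped test rather than a FAIL. All function and enum names are hypothetical; it assumes Linux and uses `unshare` rather than the `clone` call the Guix test makes.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000 /* | SIGCHLD (17) = 268435473, as in the log */
#endif

enum userns_verdict { USERNS_RUN, USERNS_SKIP, USERNS_PROBE_ERROR };

/* Map the errno of a CLONE_NEWUSER attempt to a test-suite decision. */
enum userns_verdict classify_userns_errno(int err)
{
    switch (err) {
    case 0:      return USERNS_RUN;
    case EPERM:  /* refused by kernel policy, as on the grsec kernel above */
    case EINVAL: /* kernel built without CONFIG_USER_NS */
    case ENOSYS: /* unshare(2) not available at all */
    case ENOSPC: /* user.max_user_namespaces limit hit (Linux 4.9+) */
        return USERNS_SKIP;
    default:     return USERNS_PROBE_ERROR;
    }
}

/* Try to create a user namespace in a throwaway child. Returns the errno
   the kernel reported (0 on success) or -1 if the probe itself failed. */
int probe_userns_errno(void)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) /* raw syscall: no dependence on libc feature macros */
        _exit(syscall(SYS_unshare, CLONE_NEWUSER) == 0 ? 0 : errno);
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    int err = probe_userns_errno();
    enum userns_verdict v = err < 0 ? USERNS_PROBE_ERROR : classify_userns_errno(err);
    if (v == USERNS_SKIP)
        printf("SKIP: CLONE_NEWUSER refused: %s\n", strerror(err));
    return v == USERNS_RUN ? 0 : v == USERNS_SKIP ? 77 : 99; /* Automake: 77 = skip, 99 = hard error */
}
```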




This bug report was last modified 5 years and 30 days ago.
