GNU bug report logs -
#24108
CLONE_NEWUSER tests fail with EPERM instead of being skipped on Grsecurity kernels
Reported by: sapientech <at> openmailbox.org
Date: Fri, 29 Jul 2016 23:51:01 UTC
Severity: normal
Tags: notabug
Done: Ludovic Courtès <ludo <at> gnu.org>
On Sat, 30 Jul 2016 23:31:54 +0200
ludo <at> gnu.org (Ludovic Courtès) wrote:
> Dylan Jeffers <sapientech <at> openmailbox.org> skribis:
>
> > On Sat, 30 Jul 2016 15:07:25 +0200
> > ludo <at> gnu.org (Ludovic Courtès) wrote:
>
> [...]
>
> >> > test-name: clone
> >> > location: /home/sapientech/Dev/guix/guix_wip/tests/syscalls.scm:109
> >> > source:
> >> > + (test-assert
> >> > + "clone"
> >> > + (match (clone (logior CLONE_NEWUSER SIGCHLD))
> >> > + (0 (primitive-exit 42))
> >> > + (pid (and (not (equal?
> >> > + (readlink (user-namespace pid))
> >> > + (readlink (user-namespace (getpid)))))
> >> > + (match (waitpid pid)
> >> > + ((_ . status) (= 42 (status:exit-val status))))))))
> >> > actual-value: #f
> >> > actual-error:
> >> > + (system-error
> >> > + "clone"
> >> > + "~d: ~A"
> >> > + (268435473 "Operation not permitted")
> >> > + (1))
> >> > result: FAIL
> >>
> >> What does “uname -srv” report on this machine? It seems this
> >> kernel does not support namespaces.
> >>
> >> Thanks,
> >> Ludo’.
> >
> > Hi Ludo,
> >
> > Thanks for getting back so quick.
> > Output of uname -srv: Linux 4.6.4-gnu-201607192040-1-grsec #1 SMP
> > PREEMPT Wed Jul 20 15:37:34 UYT 2016
>
> These tests are skipped when user namespaces are not supported, as per
> this condition:
>
> (define perform-container-tests?
> (and (user-namespace-supported?)
> (unprivileged-user-namespace-supported?)))
>
> … which is true iff (1) /proc/self/ns/user exists, and (2)
> /proc/sys/kernel/unprivileged_userns_clone does not exist, or it
> exists and contains “1”.
>
> Do these files exist on this system?
(1) /proc/self/ns/user exists, and
(2) /proc/sys/kernel/unprivileged_userns_clone D.N.E
Ideas on the best approach to allow the build to succeed?
I also have had issues with qemu, so it makes sense that vm/container
stuff both have issues. I have a feeling it's due to the
grsec kernel.
https://wiki.archlinux.org/index.php/Grsecurity_Patchset talks a
bit about userspace/namespace hardening + issues with xen and
virtbox. Going to reboot with an lts kernel and try again. Will post
update...
Best,
Dylan
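As an added illustration (not code from the bug report or from Guix itself), the Python script below implements the two-file heuristic Ludo' quotes and then asks the kernel directly with unshare(CLONE_NEWUSER) in a forked child, so that an EPERM from a hardened kernel is told apart from a kernel built without user namespaces. The function names and the "run"/"skip" labels are my own; the sysctl and ns paths are the ones named in the thread.

```python
import ctypes
import errno
import os

CLONE_NEWUSER = 0x10000000  # from <linux/sched.h>; 0x10000011 in the report is this | SIGCHLD
SYSCTL = "/proc/sys/kernel/unprivileged_userns_clone"
NS_FILE = "/proc/self/ns/user"


def guix_heuristic(ns_file_exists, sysctl_value):
    """The condition quoted in the thread: /proc/self/ns/user exists, and the
    unprivileged_userns_clone sysctl is absent (None) or reads "1"."""
    return bool(ns_file_exists) and sysctl_value in (None, "1")


def read_sysctl(path=SYSCTL):
    """Return the sysctl's contents stripped, or None if the file does not exist."""
    try:
        with open(path) as f:
            return f.read().strip()
    except FileNotFoundError:
        return None


def probe_clone_newuser():
    """Try to enter a fresh user namespace in a child; return 'ok' or an errno name."""
    pid = os.fork()
    if pid == 0:  # child: never returns, reports errno through its exit status
        try:
            libc = ctypes.CDLL(None, use_errno=True)
            rc = libc.unshare(CLONE_NEWUSER)
            os._exit(0 if rc == 0 else ctypes.get_errno())
        except Exception:  # no unshare symbol at all (non-Linux libc)
            os._exit(errno.ENOSYS)
    _, status = os.waitpid(pid, 0)
    code = os.waitstatus_to_exitcode(status)  # Python 3.9+
    return "ok" if code == 0 else errno.errorcode.get(code, "E?%d" % code)


def classify(heuristic_ok, probe_result):
    """Decide whether container tests should run, using both signals."""
    if probe_result == "ok":
        return "run"
    if heuristic_ok and probe_result == "EPERM":
        # The situation in this bug: both files look fine, but kernel policy refuses.
        return "skip: denied by policy"
    if probe_result == "EINVAL":
        return "skip: kernel built without CONFIG_USER_NS"
    return "skip: " + probe_result


if __name__ == "__main__":
    h = guix_heuristic(os.path.exists(NS_FILE), read_sysctl())
    p = probe_clone_newuser()
    print("heuristic:", h, "probe:", p, "->", classify(h, p))
```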