GNU bug report logs - #24108
CLONE_NEWUSER tests fail with EPERM instead of being skipped on Grsecurity kernels


Package: guix;

Reported by: sapientech <at> openmailbox.org

Date: Fri, 29 Jul 2016 23:51:01 UTC

Severity: normal

Tags: notabug

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.



Message #20 received at 24108 <at> debbugs.gnu.org (full text, mbox):

From: Dylan Jeffers <sapientech <at> openmailbox.org>
To: ludo <at> gnu.org (Ludovic Courtès)
Cc: 24108 <at> debbugs.gnu.org
Subject: Re: bug#24108: guix make tests failure
Date: Sat, 30 Jul 2016 18:53:05 -0700
On Sat, 30 Jul 2016 17:40:27 -0700
Dylan Jeffers <sapientech <at> openmailbox.org> wrote:

> On Sat, 30 Jul 2016 23:31:54 +0200
> ludo <at> gnu.org (Ludovic Courtès) wrote:
> 
> > Dylan Jeffers <sapientech <at> openmailbox.org> skribis:
> >   
> > > On Sat, 30 Jul 2016 15:07:25 +0200
> > > ludo <at> gnu.org (Ludovic Courtès) wrote:    
> > 
> > [...]
> >   
> > >> > test-name: clone
> > >> > location: /home/sapientech/Dev/guix/guix_wip/tests/syscalls.scm:109
> > >> > source:
> > >> > + (test-assert
> > >> > +   "clone"
> > >> > +   (match (clone (logior CLONE_NEWUSER SIGCHLD))
> > >> > +          (0 (primitive-exit 42))
> > >> > +          (pid (and (not (equal?
> > >> > +                           (readlink (user-namespace pid))
> > >> > +                           (readlink (user-namespace (getpid)))))
> > >> > +                    (match (waitpid pid)
> > >> > +                           ((_ . status) (= 42 (status:exit-val status))))))))
> > >> > actual-value: #f
> > >> > actual-error:
> > >> > + (system-error
> > >> > +   "clone"
> > >> > +   "~d: ~A"
> > >> > +   (268435473 "Operation not permitted")
> > >> > +   (1))
> > >> > result: FAIL      
> > >> 
> > >> What does “uname -srv” report on this machine?  It seems this
> > >> kernel does not support namespaces.
> > >> 
> > >> Thanks,
> > >> Ludo’.    
> > >
> > > Hi Ludo,
> > >
> > > Thanks for getting back so quick.
> > > Output of uname -srv: Linux 4.6.4-gnu-201607192040-1-grsec #1 SMP
> > > PREEMPT Wed Jul 20 15:37:34 UYT 2016    
> > 
> > These tests are skipped when user namespaces are not supported, as
> > per this condition:
> > 
> >   (define perform-container-tests?
> >     (and (user-namespace-supported?)
> >          (unprivileged-user-namespace-supported?)))
> > 
> > … which is true iff (1) /proc/self/ns/user exists, and (2)
> > /proc/sys/kernel/unprivileged_userns_clone does not exist, or it
> > exists and contains “1”.
> > 
> > Do these files exist on this system?  
> 
> (1) /proc/self/ns/user exists, and
> (2) /proc/sys/kernel/unprivileged_userns_clone D.N.E
> 
> Ideas on the best approach to allow the build to succeed?
> 
> I also have had issues with qemu, so it makes sense that vm/container
> stuff both have issues. I have a feeling it's due to the
> grsec kernel.
> https://wiki.archlinux.org/index.php/Grsecurity_Patchset talks a
> bit about userspace/namespace hardening + issues with xen and
> virtbox. Going to reboot with an lts kernel and try again. Will post
> update...
> 
> Best,
> Dylan
> 

After changing kernel, and stopping paxd.service, build still
failed :(

It looks like the failed tests are different though (see attachment)

Dylan
[config.log (text/x-log, attachment)]
[config.status (application/octet-stream, attachment)]
[test-suite.log (text/x-log, attachment)]
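The condition quoted in the thread only inspects /proc: it treats user namespaces as usable whenever /proc/self/ns/user exists and the unprivileged_userns_clone sysctl is absent or "1". On this grsec kernel both checks pass, yet clone(CLONE_NEWUSER | SIGCHLD) returns EPERM (268435473 in the log is 0x10000011, i.e. CLONE_NEWUSER | SIGCHLD). The following is an added example, not code from Guix or from anyone in this thread: it reproduces that static heuristic in C and pairs it with a live probe that attempts unshare(CLONE_NEWUSER) in a throwaway child, so a test suite can skip rather than fail when the kernel refuses. The function names (userns_heuristic_says_supported, userns_probe, perform_container_tests) and the enum are assumptions of this example.

```c
/* Added example, not Guix project code.  Builds with: cc -o userns_probe userns_probe.c */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000   /* kernel value; the log's 268435473 is this | SIGCHLD (0x11) */
#endif
int unshare(int flags);            /* glibc declares this only under _GNU_SOURCE */

/* Probe outcomes (names are this example's own). */
enum userns_probe_result {
    USERNS_OK = 0,          /* unshare(CLONE_NEWUSER) succeeded in the child */
    USERNS_EPERM = 1,       /* kernel refused with EPERM, as on the grsec kernel in the thread */
    USERNS_UNSUPPORTED = 2, /* EINVAL: user namespaces not compiled in */
    USERNS_OTHER = 3        /* fork/wait failure or an unexpected errno */
};

/* The static heuristic from the thread: /proc/self/ns/user exists, and
 * /proc/sys/kernel/unprivileged_userns_clone is absent or contains "1". */
int userns_heuristic_says_supported(void)
{
    if (access("/proc/self/ns/user", F_OK) != 0)
        return 0;
    int fd = open("/proc/sys/kernel/unprivileged_userns_clone", O_RDONLY);
    if (fd < 0)
        return errno == ENOENT;   /* sysctl does not exist: heuristic assumes supported */
    char c = '0';
    ssize_t n = read(fd, &c, 1);
    close(fd);
    return n == 1 && c == '1';
}

/* Live probe: try the syscall in a forked child so the caller's own
 * namespaces are never changed.  Returns an enum userns_probe_result. */
int userns_probe(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return USERNS_OTHER;
    if (pid == 0) {
        if (unshare(CLONE_NEWUSER) == 0)
            _exit(USERNS_OK);
        if (errno == EPERM)
            _exit(USERNS_EPERM);
        if (errno == EINVAL)
            _exit(USERNS_UNSUPPORTED);
        _exit(USERNS_OTHER);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return USERNS_OTHER;
    return WEXITSTATUS(status);
}

/* Gate container tests on the live probe, not just the /proc heuristic:
 * the heuristic alone is what let the grsec EPERM case turn into a FAIL. */
int perform_container_tests(void)
{
    return userns_heuristic_says_supported() && userns_probe() == USERNS_OK;
}

int main(void)
{
    int r = userns_probe();
    printf("heuristic: %s, live probe: %d (%s)\n",
           userns_heuristic_says_supported() ? "supported" : "unsupported",
           r, r == USERNS_OK ? "usable" : "not usable");
    return 0;
}
```

On a kernel like the one in the thread the heuristic reports "supported" while the probe returns USERNS_EPERM, which is exactly the disagreement the test suite needed to detect; on a stock kernel with user namespaces enabled both agree and the tests run.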

This bug report was last modified 5 years and 30 days ago.
