GNU bug report logs - #24108
CLONE_NEWUSER tests fail with EPERM instead of being skipped on Grsecurity kernels
Reported by: sapientech <at> openmailbox.org
Date: Fri, 29 Jul 2016 23:51:01 UTC
Severity: normal
Tags: notabug
Done: Ludovic Courtès <ludo <at> gnu.org>
Bug is archived. No further changes may be made.
Hello,
Dylan Jeffers <sapientech <at> openmailbox.org> wrote:
[...]
> > > These tests are skipped when user namespaces are not supported, as
> > > per this condition:
> > >
> > > (define perform-container-tests?
> > >   (and (user-namespace-supported?)
> > >        (unprivileged-user-namespace-supported?)))
> > >
> > > … which is true iff (1) /proc/self/ns/user exists, and (2)
> > > /proc/sys/kernel/unprivileged_userns_clone does not exist, or it
> > > exists and contains “1”.
> > >
> > > Do these files exist on this system?
>>
>> (1) /proc/self/ns/user exists, and
>> (2) /proc/sys/kernel/unprivileged_userns_clone D.N.E
They do not exist now with the new ‘test-suite.log’ that you posted, but
they did exist before (with the Grsec kernel), otherwise the user
namespaces tests would have been skipped.
>> Ideas on the best approach to allow the build to succeed?
>>
>> I also have had issues with qemu, so it makes sense that vm/container
>> stuff both have issues. I have a feeling it's due to the
>> grsec kernel.
>> https://wiki.archlinux.org/index.php/Grsecurity_Patchset talks a
>> bit about userspace/namespace hardening + issues with xen and
>> virtbox. Going to reboot with an lts kernel and try again. Will post
>> update...
>>
>> Best,
>> Dylan
>
> After changing kernel, and stopping paxd.service, build still
> failed :(
[...]
> test-name: clone
> location: /home/sapientech/Dev/guix/guix_wip/tests/syscalls.scm:109
> source:
> + (test-assert
> +   "clone"
> +   (match (clone (logior CLONE_NEWUSER SIGCHLD))
> +     (0 (primitive-exit 42))
> +     (pid (and (not (equal?
> +                     (readlink (user-namespace pid))
> +                     (readlink (user-namespace (getpid)))))
> +               (match (waitpid pid)
> +                 ((_ . status) (= 42 (status:exit-val status))))))))
> result: SKIP
This and other container-related tests are now properly skipped.
> test-name: home-page: host not found
> location: /home/sapientech/Dev/guix/guix_wip/tests/lint.scm:393
> source:
> + (test-assert
> +   "home-page: host not found"
> +   (->bool
> +    (string-contains
> +     (with-warnings
> +      (let ((pkg (package
> +                   (inherit (dummy-package "x"))
> +                   (home-page "http://does-not-exist"))))
> +        (check-home-page pkg)))
> +     "domain not found")))
> actual-value: #f
> result: FAIL
This and the remaining failures are due to DNS hijacking, so nothing we
can do about it. You’d have to use a well-behaved DNS server (e.g.,
“echo nameserver 8.8.8.8 > /etc/resolv.conf” to use Google’s name
server) to work around that.
Thanks,
Ludo’.
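The skip condition quoted in this thread, re-implemented in Python as an added example (not Guix's own code): it reads the two /proc paths from a configurable root so that the three kernel situations discussed (mainline, Grsecurity with the toggle set to 0, no user namespaces at all) can be exercised on a constructed /proc tree without root; `make_fake_proc` and `demo` are helpers written for this example.

```python
import os
import tempfile

# Added example, not Guix's own code: the (and (user-namespace-supported?)
# (unprivileged-user-namespace-supported?)) check from tests/syscalls.scm,
# written against a configurable proc root so it can run on a fake tree.

def user_namespace_supported(proc="/proc"):
    """Condition (1): the kernel exposes user namespaces at all."""
    return os.path.exists(os.path.join(proc, "self", "ns", "user"))

def unprivileged_user_namespace_supported(proc="/proc"):
    """Condition (2): /proc/sys/kernel/unprivileged_userns_clone is absent
    (mainline kernel) or present and contains "1".  A value of "0" means an
    unprivileged clone(CLONE_NEWUSER) fails with EPERM, as on the Grsec kernel,
    so the container tests must be skipped rather than run."""
    toggle = os.path.join(proc, "sys", "kernel", "unprivileged_userns_clone")
    if not os.path.exists(toggle):
        return True
    with open(toggle) as f:
        return f.read().strip() == "1"

def perform_container_tests(proc="/proc"):
    return (user_namespace_supported(proc)
            and unprivileged_user_namespace_supported(proc))

def make_fake_proc(root, ns_user, toggle):
    """Build a constructed /proc tree: ns_user says whether self/ns/user
    exists; toggle is None (sysctl file absent) or the string it contains."""
    if ns_user:
        os.makedirs(os.path.join(root, "self", "ns"), exist_ok=True)
        open(os.path.join(root, "self", "ns", "user"), "w").close()
    if toggle is not None:
        kernel = os.path.join(root, "sys", "kernel")
        os.makedirs(kernel, exist_ok=True)
        with open(os.path.join(kernel, "unprivileged_userns_clone"), "w") as f:
            f.write(toggle + "\n")

def demo():
    """Evaluate the condition on four constructed kernels; returns a dict."""
    cases = {"mainline": (True, None),       # no toggle file: run the tests
             "toggle-enabled": (True, "1"),  # toggle present and 1: run
             "grsec-locked": (True, "0"),    # toggle present and 0: skip
             "no-userns": (False, None)}     # no /proc/self/ns/user: skip
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, (ns_user, toggle) in cases.items():
            root = os.path.join(tmp, name)
            make_fake_proc(root, ns_user, toggle)
            results[name] = perform_container_tests(root)
    return results

if __name__ == "__main__":
    print(demo())
```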