On Saturday, 24 October 2020, 19:41:20 CET, Hans-Peter Jansen wrote:
Okay, here's my current state diving into this issue:
The PR_{GET,SET}_NO_NEW_PRIVS capability test fails for TW, because limiting the caps in order to disallow ping fails for some reason. Could it be that TW handles capabilities differently?
Here's a strace excerpt:
27605 prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) = 0
27605 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7fa5ed092a10) = 27606
27606 set_robust_list(0x7fa5ed092a20, 24) = 0
27605 write(1</dev/pts/52>, "pid: 27606\n", 11) = 11
27605 wait4(27606, <unfinished ...>
27606 write(1</dev/pts/52>, "pid: 0\n", 7) = 7
27606 write(1</dev/pts/52>, "fork..\n", 7) = 7
27606 prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) = 0
27606 prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) = 1
Obviously, PR_SET_NO_NEW_PRIVS succeeds.
27606 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7fa5ed092a10) = 27607
[...]
but ping succeeds, even though it should not:
27607 prctl(PR_CAPBSET_READ, CAP_MAC_OVERRIDE) = 1
27607 prctl(PR_CAPBSET_READ, 0x30 /* CAP_??? */) = -1 EINVAL (Das Argument ist ungültig)
27607 prctl(PR_CAPBSET_READ, CAP_CHECKPOINT_RESTORE) = 1
27607 prctl(PR_CAPBSET_READ, 0x2c /* CAP_??? */) = -1 EINVAL (Das Argument ist ungültig)
27607 prctl(PR_CAPBSET_READ, 0x2a /* CAP_??? */) = -1 EINVAL (Das Argument ist ungültig)
27607 prctl(PR_CAPBSET_READ, 0x29 /* CAP_??? */) = -1 EINVAL (Das Argument ist ungültig)
27607 brk(NULL) = 0x55b43b2b0000
27607 brk(0x55b43b2d1000) = 0x55b43b2d1000
27607 capget({version=_LINUX_CAPABILITY_VERSION_3, pid=0}, NULL) = 0
27607 capget({version=_LINUX_CAPABILITY_VERSION_3, pid=0}, {effective=0, permitted=0, inheritable=0}) = 0
27607 capget({version=_LINUX_CAPABILITY_VERSION_3, pid=0}, NULL) = 0
27607 capset({version=_LINUX_CAPABILITY_VERSION_3, pid=0}, {effective=0, permitted=0, inheritable=0}) = 0
27607 prctl(PR_SET_KEEPCAPS, 1) = 0
27607 getuid() = 1000
27607 setuid(1000) = 0
27607 prctl(PR_SET_KEEPCAPS, 0) = 0
27607 getuid() = 1000
[...]
27607 write(1</dev/pts/52>, "64 Bytes von localhost (::1): icmp_seq=1 ttl=64 Zeit=0.042 ms\n", 62) = 62
Ideas? Just disabling the test for TW might be feasible, but I would like to understand what's going wrong here.
If somebody wants to play with this, here's some debug code applied:
home:frispete:python/python-python-prctl
Anybody with capability know-how around here?
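As an added check, not from the original post or from python-prctl: a ctypes reproduction of the child's steps in the strace above, which sets PR_SET_NO_NEW_PRIVS in a forked child, probes the bounding set the way the CAP_??? lines show, and then reports which ICMP socket types the child can still open. The point is that a ping built on an ICMP datagram socket needs no CAP_NET_RAW at all (that path is controlled by the net.ipv4.ping_group_range sysctl), so a test expecting ping to fail once the caps are gone depends on how the system's ping is set up. It assumes Linux with /proc mounted and a glibc-linked Python, and it leaves out the capset()/setuid() step.

```python
import ctypes, errno, json, os, socket  # added example, not python-prctl code; Linux + glibc
libc = ctypes.CDLL(None, use_errno=True)
PR_CAPBSET_READ, PR_SET_NO_NEW_PRIVS, PR_GET_NO_NEW_PRIVS = 23, 38, 39
CAP_NET_RAW = 13  # the capability a classic raw-socket ping needs

def prctl(option, arg2=0):  # returns (rc, errno)
    rc = libc.prctl(option, ctypes.c_ulong(arg2), 0, 0, 0)
    return rc, (ctypes.get_errno() if rc == -1 else 0)

def highest_cap_in_bounding_set():  # probe PR_CAPBSET_READ upward until EINVAL
    invalid = (c for c in range(256) if prctl(PR_CAPBSET_READ, c) == (-1, errno.EINVAL))
    return next(invalid) - 1

def effective_caps():  # CapEff bitmask from /proc/self/status
    with open("/proc/self/status") as f:
        return next(int(l.split()[1], 16) for l in f if l.startswith("CapEff:"))

def icmp_socket_opens(sock_type):
    # SOCK_RAW needs CAP_NET_RAW; SOCK_DGRAM+IPPROTO_ICMP is gated by ping_group_range.
    try:
        socket.socket(socket.AF_INET, sock_type, socket.IPPROTO_ICMP).close()
        return True
    except OSError:
        return False

def ping_group_range():  # [low, high] as strings; the kernel default "1 0" is empty
    try:
        return open("/proc/sys/net/ipv4/ping_group_range").read().split()
    except OSError:
        return None

def probe_in_child():
    # Fork, set NO_NEW_PRIVS only in the child (the flag is sticky), report what it sees.
    r, w = os.pipe()
    if os.fork() == 0:
        try:
            prctl(PR_SET_NO_NEW_PRIVS, 1)
            report = {"no_new_privs": prctl(PR_GET_NO_NEW_PRIVS)[0],
                      "highest_cap": highest_cap_in_bounding_set(),
                      "cap_net_raw": bool(effective_caps() & (1 << CAP_NET_RAW)),
                      "icmp_raw": icmp_socket_opens(socket.SOCK_RAW),
                      "icmp_dgram": icmp_socket_opens(socket.SOCK_DGRAM),
                      "ping_group_range": ping_group_range()}
            os.write(w, json.dumps(report).encode())
        finally:
            os._exit(0)  # never let the child fall through into the parent's code
    os.close(w)
    with os.fdopen(r) as f:
        report = json.load(f)
    os.wait()
    return report
```

If icmp_dgram is True while cap_net_raw is False, the system's ping can work without any capability, and the test's expectation that dropping caps breaks ping does not hold there.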