[kernel-bugs] [Bug 1177499] New: prctl test fails on Tumbleweed
https://bugzilla.suse.com/show_bug.cgi?id=1177499 Bug ID: 1177499 Summary: prctl test fails on Tumbleweed Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Kernel Assignee: kernel-bugs@opensuse.org Reporter: msuchanek@suse.com QA Contact: qa-bugs@suse.de Found By: --- Blocker: --- https://build.opensuse.org/package/live_build_log/home:michals/python-python... @require('get_no_new_privs') def test_no_new_privs(self): """Test the no_new_privs function""" self.assertEqual(prctl.get_no_new_privs(), 0) pid = os.fork() if pid: self.assertEqual(os.waitpid(pid, 0)[1], 0) else: prctl.set_no_new_privs(1) self.assertEqual(prctl.get_no_new_privs(), 1) if os.geteuid() != 0: sp = subprocess.Popen(['ping', '-c1', 'localhost'], stderr=subprocess.PIPE) sp.communicate() self.assertNotEqual(sp.returncode, 0) os._exit(0) It assumes that by default you cannot ping, and PR_SET_NO_NEW_PRIVS is inherited across fork. Has there been some change in the capabilities recently? -- You are receiving this mail because: You are the assignee for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1177499
https://bugzilla.suse.com/show_bug.cgi?id=1177499#c1
--- Comment #1 from Michal Suchanek
self.assertiNotEqual(os.waitpid(pid, 0)[1], 0)
else: prctl.set_no_new_privs(1) os.execvp('ping',['ping', '-c1', 'localhost']) os._exit(0)
and the indicated assert fails. So either ping no longer needs privileges or the PR_SET_NO_NEW_PRIVS stopped working. -- You are receiving this mail because: You are the assignee for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1177499
https://bugzilla.suse.com/show_bug.cgi?id=1177499#c2
--- Comment #2 from Michal Suchanek
https://bugzilla.suse.com/show_bug.cgi?id=1177499
https://bugzilla.suse.com/show_bug.cgi?id=1177499#c3
--- Comment #3 from Michal Suchanek
https://bugzilla.suse.com/show_bug.cgi?id=1177499
https://bugzilla.suse.com/show_bug.cgi?id=1177499#c4
Anthony Iliopoulos
https://bugzilla.suse.com/show_bug.cgi?id=1177499
https://bugzilla.suse.com/show_bug.cgi?id=1177499#c5
--- Comment #5 from Michal Suchanek
https://bugzilla.suse.com/show_bug.cgi?id=1177499
https://bugzilla.suse.com/show_bug.cgi?id=1177499#c6
--- Comment #6 from Anthony Iliopoulos
Replacing the command with dumpcap from wireshark does not work either - the test fails with EPERM
'dumpcap', '-i', 'lo', '-a', 'duration:1'
that's because dumpcap is by default installed with 0750/-rwxr-x--- perms, and I presume the test user doesn't belong to the "wireshark" group. you can try to reproduce the ping issue to confirm that the prctl is functioning as expected: # restrict unprivileged icmp socket creation echo 1 0 | sudo tee /proc/sys/net/ipv4/ping_group_range dev@localhost:~> ping -c1 localhost PING localhost(localhost (::1)) 56 data bytes 64 bytes from localhost (::1): icmp_seq=1 ttl=64 time=0.049 ms --- localhost ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.049/0.049/0.049/0.000 ms dev@localhost:~> setpriv --nnp ping -c1 localhost ping: socket: Operation not permitted Anyway, I'd assume that relying on a package binary that is expected to have filecaps may not be the most reliable method for testing this. It's probably best to have a test.c that prints its own cap bits (via libcap), that gets compiled and has some cap bits set on it (which is a problem I suppose since it requires root), or just make this binary into an rpm package as a dependency. -- You are receiving this mail because: You are the assignee for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1177499
https://bugzilla.suse.com/show_bug.cgi?id=1177499#c7
Miroslav Bene��
https://bugzilla.suse.com/show_bug.cgi?id=1177499
https://bugzilla.suse.com/show_bug.cgi?id=1177499#c8
--- Comment #8 from Michal Suchanek
https://bugzilla.suse.com/show_bug.cgi?id=1177499
https://bugzilla.suse.com/show_bug.cgi?id=1177499#c9
Miroslav Bene��
Read the previous comment: everything works as designed but there is no reasonable way to test this in our build environment.
I did and that is why I asked about...
At best we could probably create a test package that contains a binary which is installed with some capabilities and fails when the capabilities are missing.
...something like this. Or what Anthony proposed. Anyway, you are right that there is nothing to fix here, so let me close. -- You are receiving this mail because: You are the assignee for the bug.
participants (1)
-
bugzilla_noreply@suse.com