QA Regression test kernel-security reports two failures on 2.6.24-28.84 Xen
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux (Ubuntu) | Won't Fix | Undecided | Unassigned |
Bug Description
Build helper tools ... (8.04) ok
/proc/$pid/maps is correctly protected ... ok
ASLR enabled ... (skipped: boolean on Hardy and earlier) ok
ASLR of stack ... ok
ASLR of libs ... ok
ASLR of mmap ... ok
ASLR of text ... ok
ASLR of vdso ... ok
ASLR of brk ... (skipped: only Intrepid and later) ok
Low memory allocation respects mmap_min_addr ... ok
AppArmor loaded ... ok
PR_SET_SECCOMP works ... ok
/dev/kmem not available ... ok
SYN cookies is enabled ... (skipped: only Jaunty and later) ok
init's CAPABILITY list is clean ... ok
init missing READ_IMPLIES_EXEC ... (heap check) ok
NX bit is working ... ok
Userspace stack guard page exists (CVE-2010-2240) ... ok
CONFIG_COMPAT_BRK disabled ... ok
CONFIG_DEVKMEM disabled ... ok
CONFIG_SECURITY enabled ... ok
CONFIG_
CONFIG_SYN_COOKIES enabled ... ok
CONFIG_SECCOMP enabled ... ok
CONFIG_COMPAT_VDSO disabled ... ok
CONFIG_DEBUG_RODATA enabled ... FAIL
CONFIG_
CONFIG_
CONFIG_
/dev/mem unreadable for kernel memory ... FAIL
CONFIG_
CONFIG_
CONFIG_
CONFIG_
Kernel stack guard ... (skipped: only Karmic and later) ok
Sysctl to disable module loading exists ... (skipped: only Karmic and later) ok
Symlinks not followable across differing uids in sticky directories ... (skipped: only Maverick and later) ok
Hardlink disallowed for unreadable/
PTRACE allowed only on children or declared processes ... (skipped: only Maverick and later) ok
Make sure rare network modules do not autoload ... (skipped: only Natty and later) ok
Make sure kernel addresses in kallsyms and modules are zeroed out ... (skipped: only Natty and later) ok
Make sure kernel addresses in /boot/ are not world readable ... (skipped: only Natty and later) ok
=======
FAIL: CONFIG_DEBUG_RODATA enabled
-------
Traceback (most recent call last):
File "./test-
self.
AssertionError: False != True
=======
FAIL: /dev/mem unreadable for kernel memory
-------
Traceback (most recent call last):
File "./test-
self.
File "/home/
self.
AssertionError: Got exit code 4, expected 0
Command: './readmem'
Output:
0x1000 ... readable
0x2000 ... readable
0x4000 ... readable
0x8000 ... readable
0x10000 ... readable
0x20000 ... readable
0x40000 ... readable
0x80000 ... readable
0x100000 ... readable
0x200000 ... readable
0x400000 ... readable
0x800000 ... readable
0x1000000 ... readable
0x2000000 ... readable
0x4000000 ... readable
0x8000000 ... readable
0x10000000 ... readable
0x20000000 ... readable
0x40000000 ... readable
0x80000000 ... readable
0x100000000 ... readable
0x200000000 ... readable
0x400000000 ... readable
0x800000000 ... readable
0x1000000000 ... readable
0x2000000000 ... readable
0x4000000000 ... readable
0x8000000000 ... readable
0x10000000000 ... readable
0x20000000000 ... readable
0x40000000000 ... readable
0x80000000000 ... readable
0x100000000000 ... readable
0x200000000000 ... readable
0x400000000000 ... readable
0x800000000000 ... readable
0x1000000000000 ... missing, ran off end of physical memory
FAIL: scanned memory, got successful reads, and no EPERMs
-------
Ran 42 tests in 5.262s
FAILED (failures=2)
I don't think these are regressions, but they're a delta from the regular hardy kernel. It might be interesting to try to fix DEBUG_RODATA (is it incompatible with Xen host patches?), and to get to the bottom of /dev/mem (again, something Xen-specific?). In the meantime, I can add a skip-check in the tests for hardy dom0, but I need to know how to identify the kernel from the standard kernel.
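The two failures above are different kinds of check: DEBUG_RODATA is a plain kernel-config lookup, while the /dev/mem test scans physical memory at power-of-two offsets and expects the kernel to refuse (EPERM) reads of kernel memory; the option that enforces this on later kernels, CONFIG_STRICT_DEVMEM, is one of the truncated CONFIG_ lines above and is named here from general knowledge. The following is an added example, not code from the bug report or from the QA regression test suite: it reproduces both checks, assuming the Ubuntu config path /boot/config-<release>, and can also classify a pasted readmem transcript like the one quoted in the report.

```python
import os
import re

# Constructed sample in the readmem format quoted in the bug (used by the demo below).
SAMPLE_SCAN = """0x1000 ... readable
0x200000 ... readable
0x1000000000000 ... missing, ran off end of physical memory
"""

def config_enabled(config_text, option):
    """True/False for a boolean option in /boot/config-* text, None if it is absent."""
    for line in config_text.splitlines():
        if line.startswith(option + "="):
            return line.split("=", 1)[1] == "y"
        if line == "# " + option + " is not set":
            return False
    return None

def parse_readmem_output(text):
    """Turn readmem-style lines ('0x1000 ... readable') into (offset, outcome) pairs."""
    return [(int(m.group(1), 16), m.group(2)) for m in
            re.finditer(r"^(0x[0-9a-fA-F]+) \.\.\. (readable|EPERM|missing)", text, re.M)]

def probe_devmem(path="/dev/mem", first=0x1000, page=4096):
    """Read one page at each power-of-two physical offset, as the QRT readmem tool does (needs root)."""
    pairs, fd, off = [], os.open(path, os.O_RDONLY), first
    try:
        while True:
            try:
                os.pread(fd, page, off)
                pairs.append((off, "readable"))
            except PermissionError:                 # EPERM: the kernel refused this page
                pairs.append((off, "EPERM"))
            except (OSError, OverflowError):        # EFAULT etc.: ran off the end of physical memory
                pairs.append((off, "missing"))
                return pairs
            off <<= 1
    finally:
        os.close(fd)

def devmem_is_strict(pairs):
    """Hardening holds if some page past the first MiB was refused; all-readable is the bug's FAIL."""
    return any(outcome == "EPERM" for off, outcome in pairs if off >= 0x100000)

if __name__ == "__main__":
    print("sample scan strict:", devmem_is_strict(parse_readmem_output(SAMPLE_SCAN)))
    with open("/boot/config-" + os.uname().release) as f:  # assumed Ubuntu config path
        print("CONFIG_DEBUG_RODATA:", config_enabled(f.read(), "CONFIG_DEBUG_RODATA"))
    print("/dev/mem strict:", devmem_is_strict(probe_devmem()))
```

Run as root on the dom0 kernel; a strict kernel prints at least one EPERM page in the scan and `/dev/mem strict: True`, whereas the transcript in this report classifies as False because every probe up to the end of RAM was readable.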