Ubuntu
linux package

test-kernel-security failure on 3.0.0-5

Bug #810022 reported by C de-Avillez
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Fix Released
Undecided
Kees Cook

Bug Description

while running the QRT tests on current Oneiric kernel, I found this error (running under KVM).

ProblemType: Bug
DistroRelease: Ubuntu 11.10
Package: linux-image-3.0.0-5-server 3.0.0-5.6
ProcVersionSignature: Ubuntu 3.0.0-5.6-server 3.0.0-rc7
Uname: Linux 3.0.0-5-server x86_64
AlsaDevices:
 total 0
 crw-rw---- 1 root audio 116, 1 2011-07-13 10:40 seq
 crw-rw---- 1 root audio 116, 33 2011-07-13 10:40 timer
AplayDevices: Error: [Errno 2] No such file or directory
Architecture: amd64
ArecordDevices: Error: [Errno 2] No such file or directory
AudioDevicesInUse: Error: command ['fuser', '-v', '/dev/snd/seq', '/dev/snd/timer'] failed with exit code 1:
CRDA: Error: [Errno 2] No such file or directory
Date: Wed Jul 13 12:18:59 2011
HibernationDevice: RESUME=UUID=9e0b4241-6b13-4f66-998b-2053f96f8218
InstallationMedia: Ubuntu-Server 11.10 "Oneiric Ocelot" - Alpha amd64 (20110713)
IwConfig:
 lo no wireless extensions.

 eth0 no wireless extensions.
Lsusb: Bus 001 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
MachineType: Bochs Bochs
PciMultimedia:

ProcEnviron:
 LC_TIME=en_DK.utf8
 LANG=en_US.UTF-8
 SHELL=/bin/bash
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-3.0.0-5-server root=UUID=357c3120-692a-4be4-8948-86a747bf0553 ro
RelatedPackageVersions:
 linux-restricted-modules-3.0.0-5-server N/A
 linux-backports-modules-3.0.0-5-server N/A
 linux-firmware 1.56
RfKill: Error: [Errno 2] No such file or directory
SourcePackage: linux
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 01/01/2007
dmi.bios.vendor: Bochs
dmi.bios.version: Bochs
dmi.chassis.type: 1
dmi.chassis.vendor: Bochs
dmi.modalias: dmi:bvnBochs:bvrBochs:bd01/01/2007:svnBochs:pnBochs:pvr:cvnBochs:ct1:cvr:
dmi.product.name: Bochs
dmi.sys.vendor: Bochs

CVE References

Revision history for this message
C de-Avillez (hggdh2) wrote :
Revision history for this message
C de-Avillez (hggdh2) wrote :
Download full text (5.7 KiB)

Running test: './test-kernel-security.py' distro: 'Ubuntu 11.10' kernel: '3.0.0-5.6 (Ubuntu 3.0.0-5.6-server 3.0.0-rc7)' arch: 'amd64' uid: 0/0 SUDO_USER: 'ubuntu')
test_000_make (__main__.KernelSecurityTest)
Build helper tools ... (4.6.1 (Ubuntu/Linaro 4.6.1-2ubuntu2)) ok
test_010_proc_maps (__main__.KernelSecurityTest)
/proc/$pid/maps is correctly protected ... ok
test_020_aslr_00_proc (__main__.KernelSecurityTest)
ASLR enabled ... ok
test_020_aslr_dapper_stack (__main__.KernelSecurityTest)
ASLR of stack ... ok
test_021_aslr_dapper_libs (__main__.KernelSecurityTest)
ASLR of libs ... ok
test_021_aslr_dapper_mmap (__main__.KernelSecurityTest)
ASLR of mmap ... ok
test_022_aslr_hardy_text (__main__.KernelSecurityTest)
ASLR of text ... ok
test_022_aslr_hardy_vdso (__main__.KernelSecurityTest)
ASLR of vdso ... ok
test_022_aslr_intrepid_brk (__main__.KernelSecurityTest)
ASLR of brk ... ok
test_030_mmap_min (__main__.KernelSecurityTest)
Low memory allocation respects mmap_min_addr ... (65536) ok
test_031_apparmor (__main__.KernelSecurityTest)
AppArmor loaded ... ok
test_031_seccomp (__main__.KernelSecurityTest)
PR_SET_SECCOMP works ... ok
test_032_dev_kmem (__main__.KernelSecurityTest)
/dev/kmem not available ... ok
test_033_syn_cookies (__main__.KernelSecurityTest)
SYN cookies is enabled ... ok
test_040_pcaps (__main__.KernelSecurityTest)
init's CAPABILITY list is clean ... FAIL
test_050_personality (__main__.KernelSecurityTest)
init missing READ_IMPLIES_EXEC ... (/proc/1/personality) ok
test_060_nx (__main__.KernelSecurityTest)
NX bit is working ... ok
test_061_guard_page (__main__.KernelSecurityTest)
Userspace stack guard page exists (CVE-2010-2240) ... ok
test_070_config_brk (__main__.KernelSecurityTest)
CONFIG_COMPAT_BRK disabled ... ok
test_070_config_devkmem (__main__.KernelSecurityTest)
CONFIG_DEVKMEM disabled ... ok
test_070_config_security (__main__.KernelSecurityTest)
CONFIG_SECURITY enabled ... ok
test_070_config_security_selinux (__main__.KernelSecurityTest)
CONFIG_SECURITY_SELINUX enabled ... ok
test_070_config_syn_cookies (__main__.KernelSecurityTest)
CONFIG_SYN_COOKIES enabled ... ok
test_071_config_seccomp (__main__.KernelSecurityTest)
CONFIG_SECCOMP enabled ... ok
test_072_config_compat_vdso (__main__.KernelSecurityTest)
CONFIG_COMPAT_VDSO disabled ... ok
test_072_config_debug_rodata (__main__.KernelSecurityTest)
CONFIG_DEBUG_RODATA enabled ... ok
test_072_config_debug_set_module_ronx (__main__.KernelSecurityTest)
CONFIG_DEBUG_SET_MODULE_RONX enabled ... ok
test_072_config_security_apparmor (__main__.KernelSecurityTest)
CONFIG_SECURITY_APPARMOR enabled ... ok
test_072_config_strict_devmem (__main__.KernelSecurityTest)
CONFIG_STRICT_DEVMEM enabled ... ok
test_072_strict_devmem (__main__.KernelSecurityTest)
/dev/mem unreadable for kernel memory ... (using 0x1c23968L) (exit code 0) ok
test_073_config_security_file_capabilities (__main__.KernelSecurityTest)
CONFIG_SECURITY_FILE_CAPABILITIES enabled ... (skipped: only Intrepid through Lucid) ok
test_073_config_security_smack (__main__.KernelSecurityTest)
CONFIG_SECURITY_SMACK enabled ... ok
test_074_config_security_default_mmap_min_addr (__main__.KernelSecurityTest)
CONFIG_DEFAULT...

Read more...

Revision history for this message
Steve Beattie (sbeattie) wrote :

So it seems like in oneiric, init's effective capability set no longer has cap_setpcap dropped (/sbin/getpcaps 1is returning "=ep" rather than the expected "=ep cap_setpcap-e"). Kees will have to answer whether that's an expected change in behavior.

Changed in linux (Ubuntu):
status: New → Confirmed
Revision history for this message
Andy Whitcroft (apw) wrote :

I seem to remember this being discussed at Rally, that this might be that cap_setpcap is no longer present.

Revision history for this message
Kees Cook (kees) wrote :

It looks like this is an intentional change.

Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

It is intentional:

commit ffa8e59df047d57e812a04f7d6baf6a25c652c0c
Author: Eric Paris <email address hidden>
Date: Fri Apr 1 17:08:34 2011 -0400

    capabilities: do not drop CAP_SETPCAP from the initial task

    In olden' days of yore CAP_SETPCAP had special meaning for the init task.
    We actually have code to make sure that CAP_SETPCAP wasn't in pE of things
    using the init_cred. But CAP_SETPCAP isn't so special any more and we
    don't have a reason to special case dropping it for init or kthreads....

    Signed-off-by: Eric Paris <email address hidden>
    Acked-by: Andrew G. Morgan <email address hidden>
    Signed-off-by: James Morris <email address hidden>

I really appreciate checking, as changes like this *should* be scary :)

Revision history for this message
Kees Cook (kees) wrote :

I take it back... there's no mention of it in the commt:

commit a3232d2fa2e3cbab3e76d91cdae5890fee8a4034
Author: Eric Paris <email address hidden>
Date: Fri Apr 1 17:08:45 2011 -0400

    capabilities: delete all CAP_INIT macros

    The CAP_INIT macros of INH, BSET, and EFF made sense at one point in time,
    but now days they aren't helping. Just open code the logic in the
    init_cred.

    Signed-off-by: Eric Paris <email address hidden>
    Acked-by: David Howells <email address hidden>
    Signed-off-by: James Morris <email address hidden>

Revision history for this message
Kees Cook (kees) wrote :

Ah, nevermind, Serge is right. I found the wrong commit. Heh. :)

Kees Cook (kees)
Changed in linux (Ubuntu):
assignee: nobody → Kees Cook (kees)
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.