test-kernel-security fails on seccomp on Oneiric AWS

Bug #1026853 reported by C de-Avillez
This bug affects 1 person
Affects Status Importance Assigned to Milestone
QA Regression Testing
Fix Released

Bug Description

When re-checking linux-image-virtual 3.0.0-23 I found this failure. I then re-checked 3.0.0-22, and repeated. I then went back looking at older tests, and found that 3.0.0-17 (the original run) did not report any error, but a re-run (using the official Ubuntu AWS kernel failed.

I do not see failures when running the QRT on both bare-metal and KVM.

Running test: './test-kernel-security.py' distro: 'Ubuntu 11.10' kernel: '3.0.0-22.36 (Ubuntu 3.0.0-22.36-virtual 3.0.33)' arch: 'i386' uid: 0/0 SUDO_USER: 'ubuntu')
test_000_make (__main__.KernelSecurityTest)
Prepare to build helper tools ... (4.6.1 (Ubuntu/Linaro 4.6.1-9ubuntu3)) ok
test_010_proc_maps (__main__.KernelSecurityTest)
/proc/$pid/maps is correctly protected ... ok
test_020_aslr_00_proc (__main__.KernelSecurityTest)
ASLR enabled ... ok
test_020_aslr_dapper_stack (__main__.KernelSecurityTest)
ASLR of stack ... ok
test_021_aslr_dapper_libs (__main__.KernelSecurityTest)
ASLR of libs ... ok
test_021_aslr_dapper_mmap (__main__.KernelSecurityTest)
ASLR of mmap ... ok
test_022_aslr_hardy_text (__main__.KernelSecurityTest)
ASLR of text ... ok
test_022_aslr_hardy_vdso (__main__.KernelSecurityTest)
ASLR of vdso ... ok
test_022_aslr_intrepid_brk (__main__.KernelSecurityTest)
ASLR of brk ... ok
test_030_mmap_min (__main__.KernelSecurityTest)
Low memory allocation respects mmap_min_addr ... (65536) ok
test_031_apparmor (__main__.KernelSecurityTest)
AppArmor loaded ... ok
test_031_seccomp (__main__.KernelSecurityTest)
PR_SET_SECCOMP works ... (skipped: LP: #725089) ok
test_032_dev_kmem (__main__.KernelSecurityTest)
/dev/kmem not available ... ok
test_033_syn_cookies (__main__.KernelSecurityTest)
SYN cookies is enabled ... ok
test_040_pcaps (__main__.KernelSecurityTest)
init's CAPABILITY list is clean ... ok
test_050_personality (__main__.KernelSecurityTest)
init missing READ_IMPLIES_EXEC ... (/proc/1/personality) ok
test_060_nx (__main__.KernelSecurityTest)
NX bit is working ... ok
test_061_guard_page (__main__.KernelSecurityTest)
Userspace stack guard page exists (CVE-2010-2240) ... ok
test_070_config_brk (__main__.KernelSecurityTest)
CONFIG_COMPAT_BRK disabled ... ok
test_070_config_devkmem (__main__.KernelSecurityTest)
CONFIG_DEVKMEM disabled ... ok
test_070_config_seccomp (__main__.KernelSecurityTest)
CONFIG_SECCOMP enabled ... ok
test_070_config_security (__main__.KernelSecurityTest)
CONFIG_SECURITY enabled ... ok
test_070_config_security_selinux (__main__.KernelSecurityTest)
test_070_config_syn_cookies (__main__.KernelSecurityTest)
CONFIG_SYN_COOKIES enabled ... ok
test_071_config_seccomp (__main__.KernelSecurityTest)
CONFIG_SECCOMP enabled ... ok
test_072_config_compat_vdso (__main__.KernelSecurityTest)
CONFIG_COMPAT_VDSO disabled ... ok
test_072_config_debug_rodata (__main__.KernelSecurityTest)
CONFIG_DEBUG_RODATA enabled ... ok
test_072_config_debug_set_module_ronx (__main__.KernelSecurityTest)
test_072_config_security_apparmor (__main__.KernelSecurityTest)
test_072_config_strict_devmem (__main__.KernelSecurityTest)
test_072_strict_devmem (__main__.KernelSecurityTest)
/dev/mem unreadable for kernel memory ... (using 0x2b190030) (exit code 0) ok
test_073_config_security_file_capabilities (__main__.KernelSecurityTest)
CONFIG_SECURITY_FILE_CAPABILITIES enabled ... (skipped: only Intrepid through Lucid) ok
test_073_config_security_smack (__main__.KernelSecurityTest)
test_074_config_security_default_mmap_min_addr (__main__.KernelSecurityTest)
test_075_config_stack_protector (__main__.KernelSecurityTest)
test_082_stack_guard_kernel (__main__.KernelSecurityTest)
Kernel stack guard ... FAIL
test_090_module_blocking (__main__.KernelSecurityTest)
Sysctl to disable module loading exists ... ok
test_091_symlink_following_in_sticky_directories (__main__.KernelSecurityTest)
Symlinks not followable across differing uids in sticky directories ... ok
test_092_hardlink_restriction (__main__.KernelSecurityTest)
Hardlink disallowed for unreadable/unwritable sources ... ok
test_093_ptrace_restriction (__main__.KernelSecurityTest)
ptrace allowed only on children or declared processes ... (skipping PR_SET_PTRACER_ANY) ok
test_093_ptrace_restriction_extras (__main__.KernelSecurityTest)
ptrace from thread on tracee that used prctl(PR_SET_PTRACER) ... ok
test_093_ptrace_restriction_parent_via_thread (__main__.KernelSecurityTest)
ptrace of child works from parent threads (LP: #737676) ... ok
test_093_ptrace_restriction_prctl_via_thread (__main__.KernelSecurityTest)
prctl(PR_SET_PTRACER) works from threads (LP: #729839) ... ok
test_094_rare_net_autoload (__main__.KernelSecurityTest)
rare network modules do not autoload ... ok
test_095_kernel_symbols_acl (__main__.KernelSecurityTest)
/proc/sys/kernel/kptr_restrict is enabled ... ok
test_095_kernel_symbols_missing (__main__.KernelSecurityTest)
kernel addresses in kallsyms and modules are zeroed out ... ok
test_096_boot_symbols_unreadable (__main__.KernelSecurityTest)
kernel addresses in /boot are not world readable ... ok
test_096_proc_entries_unreadable (__main__.KernelSecurityTest)
sensitive files in /proc are not world readable ... ok
test_100_keep_acpi_method_disabled (__main__.KernelSecurityTest)
/sys/kernel/debug/acpi/custom_method stays disabled ... ok
test_101_proc_fd_leaks (__main__.KernelSecurityTest)
/proc/$pid/ DAC bypass on setuid (CVE-2011-1020) ... ok
test_110_seccomp_filter (__main__.KernelSecurityTest)
seccomp_filter works ... FAIL

FAIL: test_082_stack_guard_kernel (__main__.KernelSecurityTest)
Kernel stack guard
Traceback (most recent call last):
  File "./test-kernel-security.py", line 888, in test_082_stack_guard_kernel
    self.assertEqual(rc, 0, out)
AssertionError: readelf: Error: '/lib/modules/3.0.0-22-virtual/kernel/fs/befs/befs.ko': No such file

FAIL: test_110_seccomp_filter (__main__.KernelSecurityTest)
seccomp_filter works
Traceback (most recent call last):
  File "./test-kernel-security.py", line 1504, in test_110_seccomp_filter
    shelltimeout(expected, ["./seccomp_tests"])
  File "/home/ubuntu/qrt-test-kernel/testlib.py", line 1136, in __call__
    result = self.function(*args, **kwargs)
  File "/home/ubuntu/qrt-test-kernel/testlib.py", line 957, in assertShellExitEquals
    self.assertEquals(expected, rc, msg + result + report)
AssertionError: Got exit code 1, expected 0
Command: './seccomp_tests'
FAIL :: mode_one_ok
FAIL :: mode_one_kill
FAIL :: mode_one_ok
FAIL :: mode_one_kill
PASS :: add_filter_too_long
FAIL :: mode_one_ok
FAIL :: mode_one_kill
PASS :: add_filter_too_long
PASS :: add_filter_too_short
Read in:
Mode: 13
1 (sys_exit): (error_code == 0 || error_code == 1) && (error_code != 1)
3 (sys_read): 1
4 (sys_write): fd == 1
5 (sys_open): 1
6 (sys_close): 1
33 (sys_access): 1
45 (sys_brk): 1
91 (sys_munmap): 1
122 (sys_newuname): 1
125 (sys_mprotect): 1
172 (sys_prctl): option > 32 && option < 37
192 (sys_mmap_pgoff): 1
197 (sys_fstat64): 1
243 (unknown): 1
FAIL :: mode_one_ok
FAIL :: mode_one_kill
PASS :: add_filter_too_long
PASS :: add_filter_too_short
PASS :: add_filter_null
PASS :: add_bool_apply
PASS :: add_bool_apply_event
PASS :: add_bool_apply_fail
PASS :: add_bool_apply_get
PASS :: add_bool_apply_add
PASS :: add_bool_apply_drop
PASS :: add_bool_apply_drop_die
PASS :: add_ftrace_apply
PASS :: add_ftrace_apply_fail
PASS :: add_ftrace_apply_get
PASS :: add_ftrace_apply_append_get
PASS :: add_drop_ftrace_proc
PASS :: keep_exec
PASS :: keep_exec_drop
PASS :: lose_exec

Ran 51 tests in 48.984s

FAILED (failures=2)

C de-Avillez (hggdh2)
description: updated
Revision history for this message
Steve Beattie (sbeattie) wrote :

Carlos, did the output get truncated or is the seccomp test failing so much that it's taking down the host? Your description ends with:

  test_071_config_seccomp (__main__.KernelSecurityTest)
  CONFIG_SECCOMP enabled ... ok


Revision history for this message
C de-Avillez (hggdh2) wrote :

Bad copy & paste, sorry. Please note that the befs issue is due to the lack of linux-image-extra.

C de-Avillez (hggdh2)
description: updated
Revision history for this message
C de-Avillez (hggdh2) wrote :

This seems to be caused by an old Xen version in the AWS. Still to be confirmed, though. See:


for possible symptoms.

C de-Avillez (hggdh2)
tags: added: qa-sru-testing
tags: added: oneiric qa-regression-testing
removed: qa-sru-testing
Revision history for this message
Steve Beattie (sbeattie) wrote :

Marking this as confirmed, though I'm not entirely sure what we should do about this in QRT. John, can we detect the version of AWS Xen that we're running within, and expect a failure if the old version is detected?

Changed in qa-regression-testing:
status: New → Confirmed
importance: Undecided → Medium
Revision history for this message
Steve Beattie (sbeattie) wrote :

I believe this is no longer an issue, closing.

Changed in qa-regression-testing:
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers