test-kernel-security fails on seccomp on Oneiric AWS
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
QA Regression Testing |
Fix Released
|
Medium
|
Unassigned |
Bug Description
When re-checking linux-image-virtual 3.0.0-23 I found this failure. I then re-checked 3.0.0-22, and repeated. I then went back looking at older tests, and found that 3.0.0-17 (the original run) did not report any error, but a re-run (using the official Ubuntu AWS kernel failed.
I do not see failures when running the QRT on both bare-metal and KVM.
Running test: './test-
test_000_make (__main_
Prepare to build helper tools ... (4.6.1 (Ubuntu/Linaro 4.6.1-9ubuntu3)) ok
test_010_proc_maps (__main_
/proc/$pid/maps is correctly protected ... ok
test_020_
ASLR enabled ... ok
test_020_
ASLR of stack ... ok
test_021_
ASLR of libs ... ok
test_021_
ASLR of mmap ... ok
test_022_
ASLR of text ... ok
test_022_
ASLR of vdso ... ok
test_022_
ASLR of brk ... ok
test_030_mmap_min (__main_
Low memory allocation respects mmap_min_addr ... (65536) ok
test_031_apparmor (__main_
AppArmor loaded ... ok
test_031_seccomp (__main_
PR_SET_SECCOMP works ... (skipped: LP: #725089) ok
test_032_dev_kmem (__main_
/dev/kmem not available ... ok
test_033_
SYN cookies is enabled ... ok
test_040_pcaps (__main_
init's CAPABILITY list is clean ... ok
test_050_
init missing READ_IMPLIES_EXEC ... (/proc/
test_060_nx (__main_
NX bit is working ... ok
test_061_guard_page (__main_
Userspace stack guard page exists (CVE-2010-2240) ... ok
test_070_config_brk (__main_
CONFIG_COMPAT_BRK disabled ... ok
test_070_
CONFIG_DEVKMEM disabled ... ok
test_070_
CONFIG_SECCOMP enabled ... ok
test_070_
CONFIG_SECURITY enabled ... ok
test_070_
CONFIG_
test_070_
CONFIG_SYN_COOKIES enabled ... ok
test_071_
CONFIG_SECCOMP enabled ... ok
test_072_
CONFIG_COMPAT_VDSO disabled ... ok
test_072_
CONFIG_DEBUG_RODATA enabled ... ok
test_072_
CONFIG_
test_072_
CONFIG_
test_072_
CONFIG_
test_072_
/dev/mem unreadable for kernel memory ... (using 0x2b190030) (exit code 0) ok
test_073_
CONFIG_
test_073_
CONFIG_
test_074_
CONFIG_
test_075_
CONFIG_
test_082_
Kernel stack guard ... FAIL
test_090_
Sysctl to disable module loading exists ... ok
test_091_
Symlinks not followable across differing uids in sticky directories ... ok
test_092_
Hardlink disallowed for unreadable/
test_093_
ptrace allowed only on children or declared processes ... (skipping PR_SET_PTRACER_ANY) ok
test_093_
ptrace from thread on tracee that used prctl(PR_
test_093_
ptrace of child works from parent threads (LP: #737676) ... ok
test_093_
prctl(PR_
test_094_
rare network modules do not autoload ... ok
test_095_
/proc/sys/
test_095_
kernel addresses in kallsyms and modules are zeroed out ... ok
test_096_
kernel addresses in /boot are not world readable ... ok
test_096_
sensitive files in /proc are not world readable ... ok
test_100_
/sys/kernel/
test_101_
/proc/$pid/ DAC bypass on setuid (CVE-2011-1020) ... ok
test_110_
seccomp_filter works ... FAIL
=======
FAIL: test_082_
Kernel stack guard
-------
Traceback (most recent call last):
File "./test-
self.
AssertionError: readelf: Error: '/lib/modules/
=======
FAIL: test_110_
seccomp_filter works
-------
Traceback (most recent call last):
File "./test-
shelltimeou
File "/home/
result = self.function(
File "/home/
self.
AssertionError: Got exit code 1, expected 0
Command: './seccomp_tests'
Output:
FAIL :: mode_one_ok
FAIL :: mode_one_kill
FAIL :: mode_one_ok
FAIL :: mode_one_kill
PASS :: add_filter_too_long
FAIL :: mode_one_ok
FAIL :: mode_one_kill
PASS :: add_filter_too_long
PASS :: add_filter_
Read in:
Mode: 13
1 (sys_exit): (error_code == 0 || error_code == 1) && (error_code != 1)
3 (sys_read): 1
4 (sys_write): fd == 1
5 (sys_open): 1
6 (sys_close): 1
33 (sys_access): 1
45 (sys_brk): 1
91 (sys_munmap): 1
122 (sys_newuname): 1
125 (sys_mprotect): 1
172 (sys_prctl): option > 32 && option < 37
192 (sys_mmap_pgoff): 1
197 (sys_fstat64): 1
243 (unknown): 1
FAIL :: mode_one_ok
FAIL :: mode_one_kill
PASS :: add_filter_too_long
PASS :: add_filter_
PASS :: add_filter_null
PASS :: add_bool_apply
PASS :: add_bool_
PASS :: add_bool_apply_fail
PASS :: add_bool_apply_get
PASS :: add_bool_apply_add
PASS :: add_bool_apply_drop
PASS :: add_bool_
PASS :: add_ftrace_apply
PASS :: add_ftrace_
PASS :: add_ftrace_
PASS :: add_ftrace_
PASS :: add_drop_
PASS :: keep_exec
PASS :: keep_exec_drop
PASS :: lose_exec
-------
Ran 51 tests in 48.984s
FAILED (failures=2)
description: | updated |
description: | updated |
tags: | added: qa-sru-testing |
tags: |
added: oneiric qa-regression-testing removed: qa-sru-testing |
Carlos, did the output get truncated or is the seccomp test failing so much that it's taking down the host? Your description ends with:
test_ 071_config_ seccomp (__main_ _.KernelSecurit yTest)
CONFIG_SECCOMP enabled ... ok
test_
Thanks.