kernel security test failures on Trusty arm64

Bug #1630000 reported by Brad Figg on 2016-10-03
This bug affects 1 person
Affects: QA Regression Testing
Importance: Undecided
Assigned to: Unassigned

Bug Description

While trying to run the kernel security tests on the latest Trusty SRU kernel (3.13.0-97.144):

utils:0153| [stderr] test_000_make (__main__.KernelSecurityTest)
utils:0153| [stderr] Prepare to build helper tools ... ok
utils:0153| [stderr] test_010_proc_maps (__main__.KernelSecurityTest)
utils:0153| [stderr] /proc/$pid/maps is correctly protected (CVE-2013-2929) ... ok
utils:0153| [stderr] test_020_aslr_00_proc (__main__.KernelSecurityTest)
utils:0153| [stderr] ASLR enabled ... ok
utils:0153| [stderr] test_020_aslr_dapper_stack (__main__.KernelSecurityTest)
utils:0153| [stderr] ASLR of stack ... FAIL
utils:0153| [stderr] test_021_aslr_dapper_libs (__main__.KernelSecurityTest)
utils:0153| [stderr] ASLR of libs ... FAIL
utils:0153| [stderr] test_021_aslr_dapper_mmap (__main__.KernelSecurityTest)
utils:0153| [stderr] ASLR of mmap ... FAIL
utils:0153| [stderr] test_022_aslr_hardy_text (__main__.KernelSecurityTest)
utils:0153| [stderr] ASLR of text ... FAIL
utils:0153| [stderr] test_022_aslr_hardy_vdso (__main__.KernelSecurityTest)
utils:0153| [stderr] ASLR of vdso ... FAIL
utils:0153| [stderr] test_022_aslr_intrepid_brk (__main__.KernelSecurityTest)
utils:0153| [stderr] ASLR of brk ... FAIL
utils:0153| [stderr] test_023_aslr_wily_pie (__main__.KernelSecurityTest)
utils:0153| [stderr] ASLR of text vs libs ... ok
utils:0153| [stderr] test_025_kaslr (__main__.KernelSecurityTest)
utils:0153| [stderr] kernel ASLR enabled ... ok
utils:0153| [stderr] test_030_mmap_min (__main__.KernelSecurityTest)
utils:0153| [stderr] Low memory allocation respects mmap_min_addr ... ok
utils:0153| [stderr] test_031_apparmor (__main__.KernelSecurityTest)
utils:0153| [stderr] AppArmor loaded ... ok
utils:0153| [stderr] test_031_seccomp (__main__.KernelSecurityTest)
utils:0153| [stderr] PR_SET_SECCOMP works ... ok
utils:0153| [stderr] test_032_dev_kmem (__main__.KernelSecurityTest)
utils:0153| [stderr] /dev/kmem not available ... ok
utils:0153| [stderr] test_033_syn_cookies (__main__.KernelSecurityTest)
utils:0153| [stderr] SYN cookies is enabled ... ok
utils:0153| [stderr] test_040_pcaps (__main__.KernelSecurityTest)
utils:0153| [stderr] init's CAPABILITY list is clean ... ok
utils:0153| [stderr] test_050_personality (__main__.KernelSecurityTest)
utils:0153| [stderr] init missing READ_IMPLIES_EXEC ... FAIL
utils:0153| [stderr] test_060_nx (__main__.KernelSecurityTest)
utils:0153| [stderr] NX bit is working ... ok
utils:0153| [stderr] test_061_guard_page (__main__.KernelSecurityTest)
utils:0153| [stderr] Userspace stack guard page exists (CVE-2010-2240) ... ok
utils:0153| [stderr] test_070_config_brk (__main__.KernelSecurityTest)
utils:0153| [stderr] CONFIG_COMPAT_BRK disabled ... ok
utils:0153| [stderr] test_070_config_devkmem (__main__.KernelSecurityTest)
utils:0153| [stderr] CONFIG_DEVKMEM disabled ... ok
utils:0153| [stderr] test_070_config_seccomp (__main__.KernelSecurityTest)
utils:0153| [stderr] CONFIG_SECCOMP enabled ... ok
utils:0153| [stderr] test_070_config_security (__main__.KernelSecurityTest)
utils:0153| [stderr] CONFIG_SECURITY enabled ... ok
utils:0153| [stderr] test_070_config_security_selinux (__main__.KernelSecurityTest)
utils:0153| [stderr] CONFIG_SECURITY_SELINUX enabled ... ok
utils:0153| [stderr] test_070_config_syn_cookies (__main__.KernelSecurityTest)
utils:0153| [stderr] CONFIG_SYN_COOKIES enabled ... ok
utils:0153| [stderr] test_072_config_compat_vdso (__main__.KernelSecurityTest)
utils:0153| [stderr] CONFIG_COMPAT_VDSO disabled ... ok
utils:0153| [stderr] test_072_config_debug_rodata (__main__.KernelSecurityTest)
utils:0153| [stderr] CONFIG_DEBUG_RODATA enabled ... FAIL
utils:0153| [stderr] test_072_config_debug_set_module_ronx (__main__.KernelSecurityTest)
utils:0153| [stderr] CONFIG_DEBUG_SET_MODULE_RONX enabled ... ok
utils:0153| [stderr] test_072_config_security_apparmor (__main__.KernelSecurityTest)
utils:0153| [stderr] CONFIG_SECURITY_APPARMOR enabled ... ok
utils:0153| [stderr] test_072_config_strict_devmem (__main__.KernelSecurityTest)
utils:0153| [stderr] CONFIG_STRICT_DEVMEM enabled ... ok
utils:0153| [stderr] test_072_strict_devmem (__main__.KernelSecurityTest)
utils:0153| [stderr] /dev/mem unreadable for kernel memory ... FAIL
utils:0153| [stderr] test_073_config_security_file_capabilities (__main__.KernelSecurityTest)
utils:0153| [stderr] CONFIG_SECURITY_FILE_CAPABILITIES enabled ... ok
utils:0153| [stderr] test_073_config_security_smack (__main__.KernelSecurityTest)
utils:0153| [stderr] CONFIG_SECURITY_SMACK enabled ... ok
utils:0153| [stderr] test_073_config_security_tomoyo (__main__.KernelSecurityTest)
utils:0153| [stderr] CONFIG_SECURITY_TOMOYO enabled ... ok
utils:0153| [stderr] test_074_config_security_default_mmap_min_addr (__main__.KernelSecurityTest)
utils:0153| [stderr] CONFIG_DEFAULT_MMAP_MIN_ADDR ... ok
utils:0153| [stderr] test_075_config_stack_protector (__main__.KernelSecurityTest)
utils:0153| [stderr] CONFIG_CC_STACKPROTECTOR set ... FAIL
utils:0153| [stderr] test_076_config_security_acl_ext3 (__main__.KernelSecurityTest)
utils:0153| [stderr] CONFIG_EXT3_FS_SECURITY set (LP: #1295948) ... ok
utils:0153| [stderr] test_076_config_security_acl_ext4 (__main__.KernelSecurityTest)
utils:0153| [stderr] CONFIG_EXT4_FS_SECURITY set (LP: #1295948) ... ok
utils:0153| [stderr] test_077_config_security_ecryptfs (__main__.KernelSecurityTest)
utils:0153| [stderr] CONFIG_ECRYPT_FS is set ... ok
utils:0153| [stderr] test_077_config_security_ipsec (__main__.KernelSecurityTest)
utils:0153| [stderr] Config options for IPsec ... ok
utils:0153| [stderr] test_082_stack_guard_kernel (__main__.KernelSecurityTest)
utils:0153| [stderr] Kernel stack guard ... FAIL
utils:0153| [stderr] test_090_module_blocking (__main__.KernelSecurityTest)
utils:0153| [stderr] Sysctl to disable module loading exists ... ok
utils:0153| [stderr] test_091_symlink_following_in_sticky_directories (__main__.KernelSecurityTest)
utils:0153| [stderr] Symlinks not followable across differing uids in sticky directories ... ok
utils:0153| [stderr] test_092_hardlink_restriction (__main__.KernelSecurityTest)
utils:0153| [stderr] Hardlink disallowed for unreadable/unwritable sources ... ok
utils:0153| [stderr] test_093_ptrace_restriction (__main__.KernelSecurityTest)
utils:0153| [stderr] ptrace allowed only on children or declared processes ... ok
utils:0153| [stderr] test_093_ptrace_restriction_extras (__main__.KernelSecurityTest)
utils:0153| [stderr] ptrace from thread on tracee that used prctl(PR_SET_PTRACER) ... ok
utils:0153| [stderr] test_093_ptrace_restriction_parent_via_thread (__main__.KernelSecurityTest)
utils:0153| [stderr] prctl(PR_SET_PTRACER) works from threads (LP: #729839) ... ok
utils:0153| [stderr] test_094_rare_net_autoload (__main__.KernelSecurityTest)
utils:0153| [stderr] rare network modules do not autoload ... ok
utils:0153| [stderr] test_095_kernel_symbols_acl (__main__.KernelSecurityTest)
utils:0153| [stderr] /proc/sys/kernel/kptr_restrict is enabled ... ok
utils:0153| [stderr] test_095_kernel_symbols_missing (__main__.KernelSecurityTest)
utils:0153| [stderr] kernel addresses in kallsyms and modules are zeroed out ... ok
utils:0153| [stderr] test_096_boot_symbols_unreadable (__main__.KernelSecurityTest)
utils:0153| [stderr] kernel addresses in /boot are not world readable ... ok
utils:0153| [stderr] test_096_proc_entries_unreadable (__main__.KernelSecurityTest)
utils:0153| [stderr] sensitive files in /proc are not world readable ... ok
utils:0153| [stderr] test_100_keep_acpi_method_disabled (__main__.KernelSecurityTest)
utils:0153| [stderr] /sys/kernel/debug/acpi/custom_method stays disabled ... ok
utils:0153| [stderr] test_101_proc_fd_leaks (__main__.KernelSecurityTest)
utils:0153| [stderr] /proc/$pid/ DAC bypass on setuid (CVE-2011-1020) ... ok
utils:0153| [stderr] test_110_seccomp_filter (__main__.KernelSecurityTest)
utils:0153| [stderr] seccomp_filter works ... ok
utils:0153| [stderr] test_120_smep_works (__main__.KernelSecurityTest)
utils:0153| [stderr] SMEP works ... ok
utils:0153| [stderr] test_130_kexec_disabled_00_proc (__main__.KernelSecurityTest)
utils:0153| [stderr] kexec_disabled sysctl supported ... ok
utils:0153| [stderr] test_140_kernel_modules_not_tainted (__main__.KernelSecurityTest)
utils:0153| [stderr] kernel modules are not marked with a taint flag (especially 'E' for TAINT_UNSIGNED_MODULE) ... FAIL
utils:0153| [stderr] test_150_privileged_user_namespaces (__main__.KernelSecurityTest)
utils:0153| [stderr] test whether user namespaces work at all (with root) ... ok
utils:0153| [stderr] test_150_sysctl_disables_unpriv_userns (__main__.KernelSecurityTest)
utils:0153| [stderr] unprivileged_userns_clone sysctl supported ... ok
utils:0153| [stderr] test_150_unprivileged_user_namespaces (__main__.KernelSecurityTest)
utils:0153| [stderr] test whether user namespaces work as unprivileged user ... ok
utils:0153| [stderr] test_151_sysctl_disables_bpf_unpriv_userns (__main__.KernelSecurityTest)
utils:0153| [stderr] unprivileged_bpf_disabled sysctl supported ... ok
utils:0153| [stderr] test_152_sysctl_disables_apparmor_unpriv_userns (__main__.KernelSecurityTest)
utils:0153| [stderr] unprivileged_userns_apparmor_policy sysctl supported ... ok

Po-Hsu Lin (cypressyew) wrote :

In this cycle (3.13.0-111.158), the failed test cases are a bit different:

test_021_aslr_dapper_libs (__main__.KernelSecurityTest)
ASLR of libs ... FAIL
test_021_aslr_dapper_mmap (__main__.KernelSecurityTest)
ASLR of mmap ... FAIL
test_022_aslr_hardy_vdso (__main__.KernelSecurityTest)
ASLR of vdso ... FAIL
test_050_personality (__main__.KernelSecurityTest)
init missing READ_IMPLIES_EXEC ... FAIL
test_072_config_debug_rodata (__main__.KernelSecurityTest)
CONFIG_DEBUG_RODATA enabled ... FAIL
test_072_strict_devmem (__main__.KernelSecurityTest)
/dev/mem unreadable for kernel memory ... FAIL
test_075_config_stack_protector (__main__.KernelSecurityTest)
CONFIG_CC_STACKPROTECTOR set ... FAIL
test_082_stack_guard_kernel (__main__.KernelSecurityTest)
Kernel stack guard ... FAIL
test_140_kernel_modules_not_tainted (__main__.KernelSecurityTest)
kernel modules are not marked with a taint flag (especially 'E' for TAINT_UNSIGNED_MODULE) ... FAIL

Full log: http://pastebin.ubuntu.com/24099998/

Po-Hsu Lin (cypressyew) wrote :

Closing this bug as all the failures have been addressed individually.

Changed in qa-regression-testing:
status: New → Invalid