Ubuntu

test-kernel-security failure on 3.0.0-5

Reported by C de-Avillez on 2011-07-13
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Undecided
Kees Cook

Bug Description

while running the QRT tests on current Oneiric kernel, I found this error (running under KVM).

ProblemType: Bug
DistroRelease: Ubuntu 11.10
Package: linux-image-3.0.0-5-server 3.0.0-5.6
ProcVersionSignature: Ubuntu 3.0.0-5.6-server 3.0.0-rc7
Uname: Linux 3.0.0-5-server x86_64
AlsaDevices:
 total 0
 crw-rw---- 1 root audio 116, 1 2011-07-13 10:40 seq
 crw-rw---- 1 root audio 116, 33 2011-07-13 10:40 timer
AplayDevices: Error: [Errno 2] No such file or directory
Architecture: amd64
ArecordDevices: Error: [Errno 2] No such file or directory
AudioDevicesInUse: Error: command ['fuser', '-v', '/dev/snd/seq', '/dev/snd/timer'] failed with exit code 1:
CRDA: Error: [Errno 2] No such file or directory
Date: Wed Jul 13 12:18:59 2011
HibernationDevice: RESUME=UUID=9e0b4241-6b13-4f66-998b-2053f96f8218
InstallationMedia: Ubuntu-Server 11.10 "Oneiric Ocelot" - Alpha amd64 (20110713)
IwConfig:
 lo no wireless extensions.

 eth0 no wireless extensions.
Lsusb: Bus 001 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
MachineType: Bochs Bochs
PciMultimedia:

ProcEnviron:
 LC_TIME=en_DK.utf8
 LANG=en_US.UTF-8
 SHELL=/bin/bash
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-3.0.0-5-server root=UUID=357c3120-692a-4be4-8948-86a747bf0553 ro
RelatedPackageVersions:
 linux-restricted-modules-3.0.0-5-server N/A
 linux-backports-modules-3.0.0-5-server N/A
 linux-firmware 1.56
RfKill: Error: [Errno 2] No such file or directory
SourcePackage: linux
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 01/01/2007
dmi.bios.vendor: Bochs
dmi.bios.version: Bochs
dmi.chassis.type: 1
dmi.chassis.vendor: Bochs
dmi.modalias: dmi:bvnBochs:bvrBochs:bd01/01/2007:svnBochs:pnBochs:pvr:cvnBochs:ct1:cvr:
dmi.product.name: Bochs
dmi.sys.vendor: Bochs

CVE References

C de-Avillez (hggdh2) wrote :
C de-Avillez (hggdh2) wrote :
Download full text (5.7 KiB)

Running test: './test-kernel-security.py' distro: 'Ubuntu 11.10' kernel: '3.0.0-5.6 (Ubuntu 3.0.0-5.6-server 3.0.0-rc7)' arch: 'amd64' uid: 0/0 SUDO_USER: 'ubuntu')
test_000_make (__main__.KernelSecurityTest)
Build helper tools ... (4.6.1 (Ubuntu/Linaro 4.6.1-2ubuntu2)) ok
test_010_proc_maps (__main__.KernelSecurityTest)
/proc/$pid/maps is correctly protected ... ok
test_020_aslr_00_proc (__main__.KernelSecurityTest)
ASLR enabled ... ok
test_020_aslr_dapper_stack (__main__.KernelSecurityTest)
ASLR of stack ... ok
test_021_aslr_dapper_libs (__main__.KernelSecurityTest)
ASLR of libs ... ok
test_021_aslr_dapper_mmap (__main__.KernelSecurityTest)
ASLR of mmap ... ok
test_022_aslr_hardy_text (__main__.KernelSecurityTest)
ASLR of text ... ok
test_022_aslr_hardy_vdso (__main__.KernelSecurityTest)
ASLR of vdso ... ok
test_022_aslr_intrepid_brk (__main__.KernelSecurityTest)
ASLR of brk ... ok
test_030_mmap_min (__main__.KernelSecurityTest)
Low memory allocation respects mmap_min_addr ... (65536) ok
test_031_apparmor (__main__.KernelSecurityTest)
AppArmor loaded ... ok
test_031_seccomp (__main__.KernelSecurityTest)
PR_SET_SECCOMP works ... ok
test_032_dev_kmem (__main__.KernelSecurityTest)
/dev/kmem not available ... ok
test_033_syn_cookies (__main__.KernelSecurityTest)
SYN cookies is enabled ... ok
test_040_pcaps (__main__.KernelSecurityTest)
init's CAPABILITY list is clean ... FAIL
test_050_personality (__main__.KernelSecurityTest)
init missing READ_IMPLIES_EXEC ... (/proc/1/personality) ok
test_060_nx (__main__.KernelSecurityTest)
NX bit is working ... ok
test_061_guard_page (__main__.KernelSecurityTest)
Userspace stack guard page exists (CVE-2010-2240) ... ok
test_070_config_brk (__main__.KernelSecurityTest)
CONFIG_COMPAT_BRK disabled ... ok
test_070_config_devkmem (__main__.KernelSecurityTest)
CONFIG_DEVKMEM disabled ... ok
test_070_config_security (__main__.KernelSecurityTest)
CONFIG_SECURITY enabled ... ok
test_070_config_security_selinux (__main__.KernelSecurityTest)
CONFIG_SECURITY_SELINUX enabled ... ok
test_070_config_syn_cookies (__main__.KernelSecurityTest)
CONFIG_SYN_COOKIES enabled ... ok
test_071_config_seccomp (__main__.KernelSecurityTest)
CONFIG_SECCOMP enabled ... ok
test_072_config_compat_vdso (__main__.KernelSecurityTest)
CONFIG_COMPAT_VDSO disabled ... ok
test_072_config_debug_rodata (__main__.KernelSecurityTest)
CONFIG_DEBUG_RODATA enabled ... ok
test_072_config_debug_set_module_ronx (__main__.KernelSecurityTest)
CONFIG_DEBUG_SET_MODULE_RONX enabled ... ok
test_072_config_security_apparmor (__main__.KernelSecurityTest)
CONFIG_SECURITY_APPARMOR enabled ... ok
test_072_config_strict_devmem (__main__.KernelSecurityTest)
CONFIG_STRICT_DEVMEM enabled ... ok
test_072_strict_devmem (__main__.KernelSecurityTest)
/dev/mem unreadable for kernel memory ... (using 0x1c23968L) (exit code 0) ok
test_073_config_security_file_capabilities (__main__.KernelSecurityTest)
CONFIG_SECURITY_FILE_CAPABILITIES enabled ... (skipped: only Intrepid through Lucid) ok
test_073_config_security_smack (__main__.KernelSecurityTest)
CONFIG_SECURITY_SMACK enabled ... ok
test_074_config_security_default_mmap_min_addr (__main__.KernelSecurityTest)
CONFIG_DEFAULT...

Read more...

Steve Beattie (sbeattie) wrote :

So it seems like in oneiric, init's effective capability set no longer has cap_setpcap dropped (/sbin/getpcaps 1is returning "=ep" rather than the expected "=ep cap_setpcap-e"). Kees will have to answer whether that's an expected change in behavior.

Changed in linux (Ubuntu):
status: New → Confirmed
Andy Whitcroft (apw) wrote :

I seem to remember this being discussed at Rally, that this might be that cap_setpcap is no longer present.

Kees Cook (kees) wrote :

It looks like this is an intentional change.

Serge Hallyn (serge-hallyn) wrote :

It is intentional:

commit ffa8e59df047d57e812a04f7d6baf6a25c652c0c
Author: Eric Paris <email address hidden>
Date: Fri Apr 1 17:08:34 2011 -0400

    capabilities: do not drop CAP_SETPCAP from the initial task

    In olden' days of yore CAP_SETPCAP had special meaning for the init task.
    We actually have code to make sure that CAP_SETPCAP wasn't in pE of things
    using the init_cred. But CAP_SETPCAP isn't so special any more and we
    don't have a reason to special case dropping it for init or kthreads....

    Signed-off-by: Eric Paris <email address hidden>
    Acked-by: Andrew G. Morgan <email address hidden>
    Signed-off-by: James Morris <email address hidden>

I really appreciate checking, as changes like this *should* be scary :)

Kees Cook (kees) wrote :

I take it back... there's no mention of it in the commt:

commit a3232d2fa2e3cbab3e76d91cdae5890fee8a4034
Author: Eric Paris <email address hidden>
Date: Fri Apr 1 17:08:45 2011 -0400

    capabilities: delete all CAP_INIT macros

    The CAP_INIT macros of INH, BSET, and EFF made sense at one point in time,
    but now days they aren't helping. Just open code the logic in the
    init_cred.

    Signed-off-by: Eric Paris <email address hidden>
    Acked-by: David Howells <email address hidden>
    Signed-off-by: James Morris <email address hidden>

Kees Cook (kees) wrote :

Ah, nevermind, Serge is right. I found the wrong commit. Heh. :)

Kees Cook (kees) on 2011-07-19
Changed in linux (Ubuntu):
assignee: nobody → Kees Cook (kees)
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers