Mailing List Archive

linux32 chroot issue
hi!

emerge returns errors during the build of any atoms, in the linux32 chroot only.

(null)*(null) (null)ACCESS DENIED(null): open_wr: /dev/tty
(null)*(null) (null)ACCESS DENIED(null): open_wr: /dev/null

The full log http://pastebin.com/4An1ajY0

stat /dev/{null,tty}
  File: '/dev/null'
  Size: 0          Blocks: 0          IO Block: 4096   character special file
Device: 5h/5d      Inode: 1028        Links: 1     Device type: 1,3
Access: (0666/crw-rw-rw-)  Uid: (    0/    root)   Gid: (    0/    root)

  File: '/dev/tty'
  Size: 0          Blocks: 0          IO Block: 4096   character special file
Device: 5h/5d      Inode: 1035        Links: 1     Device type: 5,0
Access: (0666/crw-rw-rw-)  Uid: (    0/    root)   Gid: (    5/     tty)

Kernel 3.11.7-hardened-r1
Kernel config
zcat /proc/config.gz | grep -i -e grkern -e pax
http://pastebin.com/ka63Jf98

emerge --info
http://pastebin.com/WJ7BRXCA


In x86_64 chroot all works fine. Also, with hardened-sources-3.2.52-r3
linux32 chroot works fine too.
Please suggest any solution.
Re: linux32 chroot issue [ In reply to ]
On 02/21/2014 05:48 PM, Alexander Tiurin wrote:
> hi!
>
> emerge returns errors during the build of any atoms, in the linux32 chroot only.
>
> (null)*(null) (null)ACCESS DENIED(null): open_wr: /dev/tty
> (null)*(null) (null)ACCESS DENIED(null): open_wr: /dev/null
>
> The full log http://pastebin.com/4An1ajY0
>
> stat /dev/{null,tty}
>   File: '/dev/null'
>   Size: 0          Blocks: 0          IO Block: 4096   character special file
> Device: 5h/5d      Inode: 1028        Links: 1     Device type: 1,3
> Access: (0666/crw-rw-rw-)  Uid: (    0/    root)   Gid: (    0/    root)
>
>   File: '/dev/tty'
>   Size: 0          Blocks: 0          IO Block: 4096   character special file
> Device: 5h/5d      Inode: 1035        Links: 1     Device type: 5,0
> Access: (0666/crw-rw-rw-)  Uid: (    0/    root)   Gid: (    5/     tty)
>
> Kernel 3.11.7-hardened-r1
> Kernel config
> zcat /proc/config.gz | grep -i -e grkern -e pax
> http://pastebin.com/ka63Jf98
>
> emerge --info
> http://pastebin.com/WJ7BRXCA
>
>
> In x86_64 chroot all works fine. Also, with hardened-sources-3.2.52-r3
> linux32 chroot works fine too.
> Please suggest any solution.
>


There's not enough context to really nail it, but start by trying this:

for i in /proc/sys/kernel/grsecurity/chroot_* ; do
echo 0 > $i
done

Also, can you give me your `df -a` so I can see what is mounted in the
chroot? Run that from *outside* the chroot.


--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197
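The loop in the reply above zeroes every chroot_* sysctl without recording what they were, so there is no clean way back once the test is done. As an added example (not part of the original thread and not Anthony's or the grsecurity project's code), the helpers below snapshot the values first, relax them for a test, and restore them afterwards. They assume the sysctl tree at /proc/sys/kernel/grsecurity (the GRSEC_DIR variable is introduced here so the functions can be pointed at a scratch directory); the chroot_test_open_wr and grsec_relax_and_test helpers and their root-directory argument are likewise hypothetical.

```shell
#!/bin/sh
# Added example (not from the original thread): snapshot, relax and restore
# the grsecurity chroot_* sysctls around a test. GRSEC_DIR is an assumption
# introduced here; on a real hardened kernel it is /proc/sys/kernel/grsecurity.
GRSEC_DIR="${GRSEC_DIR:-/proc/sys/kernel/grsecurity}"

# Emit one "name=value" line per chroot_* sysctl (the format restore reads).
grsec_chroot_snapshot() {
    for f in "$GRSEC_DIR"/chroot_*; do
        [ -f "$f" ] || continue
        printf '%s=%s\n' "${f##*/}" "$(cat "$f")"
    done
}

# Write the same value ($1, normally 0 or 1) into every chroot_* sysctl.
# The write fails on a kernel where grsec_lock has already been set to 1.
grsec_chroot_set_all() {
    for f in "$GRSEC_DIR"/chroot_*; do
        [ -f "$f" ] || continue
        echo "$1" > "$f" || return 1
    done
}

# Put back the values recorded by grsec_chroot_snapshot.
grsec_chroot_restore() {
    while IFS='=' read -r name value; do
        [ -n "$name" ] || continue
        echo "$value" > "$GRSEC_DIR/$name" || return 1
    done < "$1"
}

# Count how many chroot_* sysctls currently hold the value $1.
grsec_chroot_count_value() {
    n=0
    for f in "$GRSEC_DIR"/chroot_*; do
        [ -f "$f" ] || continue
        [ "$(cat "$f")" = "$1" ] && n=$((n + 1))
    done
    echo "$n"
}

# Hypothetical check: from inside the chroot rooted at $1, open /dev/null and
# /dev/tty for writing, the two accesses the sandbox denied in the report.
# Needs root, a populated chroot and a controlling terminal for /dev/tty.
chroot_test_open_wr() {
    chroot "$1" /bin/sh -c ': > /dev/null && : > /dev/tty'
}

# Typical use (as root): relax, run the check, restore whatever the outcome.
grsec_relax_and_test() {
    snap=$(mktemp) || return 1
    grsec_chroot_snapshot > "$snap"
    grsec_chroot_set_all 0
    chroot_test_open_wr "$1"; rc=$?
    grsec_chroot_restore "$snap"
    rm -f "$snap"
    return $rc
}
```

Two caveats a practitioner will hit: the chroot_* entries only exist when the kernel was built with CONFIG_GRKERNSEC_SYSCTL, and once grsec_lock in the same directory has been set to 1 none of these writes succeed until reboot, so take the snapshot before anything in the boot sequence locks the tree.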
Re: linux32 chroot issue [ In reply to ]
On Sat, 22 Feb 2014 09:20:11 -0500
"Anthony G. Basile" <basile@opensource.dyc.edu> wrote:

> On 02/21/2014 05:48 PM, Alexander Tiurin wrote:
> > hi!
> >
> > emerge returns errors during the build of any atoms, in the linux32 chroot only.
> >
> > (null)*(null) (null)ACCESS DENIED(null): open_wr: /dev/tty
> > (null)*(null) (null)ACCESS DENIED(null): open_wr: /dev/null
> >
> > The full log http://pastebin.com/4An1ajY0
> >
> > stat /dev/{null,tty}
> >   File: '/dev/null'
> >   Size: 0          Blocks: 0          IO Block: 4096   character special file
> > Device: 5h/5d      Inode: 1028        Links: 1     Device type: 1,3
> > Access: (0666/crw-rw-rw-)  Uid: (    0/    root)   Gid: (    0/    root)
> >
> >   File: '/dev/tty'
> >   Size: 0          Blocks: 0          IO Block: 4096   character special file
> > Device: 5h/5d      Inode: 1035        Links: 1     Device type: 5,0
> > Access: (0666/crw-rw-rw-)  Uid: (    0/    root)   Gid: (    5/     tty)
> >
> > Kernel 3.11.7-hardened-r1
> > Kernel config
> > zcat /proc/config.gz | grep -i -e grkern -e pax
> > http://pastebin.com/ka63Jf98
> >
> > emerge --info
> > http://pastebin.com/WJ7BRXCA
> >
> >
> > In x86_64 chroot all works fine. Also, with hardened-sources-3.2.52-r3
> > linux32 chroot works fine too.
> > Please suggest any solution.
> >
>
>
> There's not enough context to really nail it, but start by trying this:
>
> for i in /proc/sys/kernel/grsecurity/chroot_* ; do
> echo 0 > $i
> done


This action does not solve the issue.


>
> Also, can you give me your `df -a` so I can see what is mounted in the
> chroot? Run that from *outside* the chroot.
>
>

/mnt/2gb/stage4x86_hard_2 is the target chroot.


Filesystem 1K-blocks Used Available Use% Mounted on
rootfs 1998672 995724 881708 54% /
proc 0 0 0 - /proc
udev 10240 8 10232 1% /dev
devpts 0 0 0 - /dev/pts
sysfs 0 0 0 - /sys
/dev/dm-3 1998672 995724 881708 54% /
tmpfs 816264 608 815656 1% /run
mqueue 0 0 0 - /dev/mqueue
shm 4081312 416 4080896 1% /dev/shm
securityfs 0 0 0 - /sys/kernel/security
debugfs 0 0 0 - /sys/kernel/debug
configfs 0 0 0 - /sys/kernel/config
cgroup_root 10240 0 10240 0% /sys/fs/cgroup
fusectl 0 0 0 - /sys/fs/fuse/connections
openrc 0 0 0 - /sys/fs/cgroup/openrc
cpuset 0 0 0 - /sys/fs/cgroup/cpuset
cpu 0 0 0 - /sys/fs/cgroup/cpu
cpuacct 0 0 0 - /sys/fs/cgroup/cpuacct
/dev/mapper/main-grdesk.usr 15350768 6390764 8157188 44% /usr
/dev/mapper/main-grdesk.var 10190136 407304 9242160 5% /var
/dev/mapper/main-grdeskhome 175329968 92906552 74521844 56% /home
/dev/mapper/main-stage4.2hard 10190136 5597264 4052200 59% /var/local/stage4.2hard
/dev/mapper/main-stage4.3hard 10141624 7837812 1765600 82% /var/local/stage4.3hard
/dev/mapper/main-hardened_desktop 20511356 11343344 8941916 56% /var/local/hardened_desktop
none 0 0 0 - /var/local/hardened_desktop/proc
/dev 10240 8 10232 1% /var/local/hardened_desktop/dev
/sys 0 0 0 - /var/local/hardened_desktop/sys
/dev/pts 0 0 0 - /var/local/hardened_desktop/dev/pts
/dev/shm 4081312 416 4080896 1% /var/local/hardened_desktop/dev/shm
/dev/mapper/2gb-2gb 1952559608 307011736 1645547872 16% /mnt/2gb
none 0 0 0 - /mnt/2gb/stage4x86_hard_2/proc
/dev 10240 8 10232 1% /mnt/2gb/stage4x86_hard_2/dev
/sys 0 0 0 - /mnt/2gb/stage4x86_hard_2/sys
/dev/pts 0 0 0 - /mnt/2gb/stage4x86_hard_2/dev/pts
/dev/shm 4081312 416 4080896 1% /mnt/2gb/stage4x86_hard_2/dev/shm
Re: linux32 chroot issue [ In reply to ]
I tried to reproduce this issue on other hardware (Core 2 Quad instead of Core i7). emerge works fine. No errors detected.
Kernel, kernel config and environment are identical.
That's odd.
Re: linux32 chroot issue [ In reply to ]
On 02/26/2014 01:09 PM, Alexander Tiurin wrote:
> I tried to reproduce this issue on other hardware (Core 2 Quad instead of Core i7). emerge works fine. No errors detected.
> Kernel, kernel config and environment are identical.
> That's odd.
>
Okay. Thanks for getting back because I was at a loss to help you. If
you figure out what *is* different let us know.

--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197
Re: linux32 chroot issue [ In reply to ]
On 27.02.2014 17:31, Anthony G. Basile wrote:
> On 02/26/2014 01:09 PM, Alexander Tiurin wrote:
>> I tried to reproduce this issue on other hardware (Core 2 Quad instead of
>> Core i7). emerge works fine. No errors detected.
>> Kernel, kernel config and environment are identical.
>> That's odd.
>>
> Okay. Thanks for getting back because I was at a loss to help you. If
> you figure out what *is* different let us know.
>

I upgraded the kernel to 3.13.2-hardened-r3, and portage returns an error:

ACCESS DENIED mkdir: /var
(line 2035 in http://pastebin.com/nsCV06Ca)


emerge proftpd without debug info. Now there are no ACCESS DENIED errors for
/dev/{tty,null}.

>>> Verifying ebuild manifests
>>> Emerging (1 of 1) net-ftp/proftpd-1.3.4c
>>> Failed to emerge net-ftp/proftpd-1.3.4c, Log file:
>>>  '/var/log/portage/net-ftp:proftpd-1.3.4c:20140324-160939.log'
>>> Jobs: 0 of 1 complete, 1 failed                Load avg: 1.59, 1.34, 1.46
 * Package:    net-ftp/proftpd-1.3.4c
 * Repository: gentoo
 * Maintainer: bernd@lommerzheim.com voyageur@gentoo.org,slyfox@gentoo.org,net-ftp@gentoo.org,proxy-maint@gentoo.org
 * USE:        acl caps elibc_glibc kernel_linux ncurses nls pam pcre tcpd userland_GNU x86
 * FEATURES:   sandbox
ACCESS DENIED  mkdir:        /var
install: cannot change permissions of ‘/var/tmp/portage/net-ftp/proftpd-1.3.4c/work’: No such file or directory
 * ERROR: net-ftp/proftpd-1.3.4c failed (unpack phase):
 *   Failed to create dir '/var/tmp/portage/net-ftp/proftpd-1.3.4c/work'
 *
 * Call stack:
 *     ebuild.sh, line 708:  Called ebuild_main 'unpack'
 *   phase-functions.sh, line 955:  Called dyn_unpack
 *   phase-functions.sh, line 243:  Called die
 * The specific snippet of code:
 *       install -m${PORTAGE_WORKDIR_MODE:-0700} -d "${WORKDIR}" || die "Failed to create dir '${WORKDIR}'"
 *
 * If you need support, post the output of `emerge --info '=net-ftp/proftpd-1.3.4c'`,
 * the complete build log and the output of `emerge -pqv '=net-ftp/proftpd-1.3.4c'`.
 * The complete build log is located at '/var/log/portage/net-ftp:proftpd-1.3.4c:20140324-160939.log'.
 * For convenience, a symlink to the build log is located at '/var/tmp/portage/net-ftp/proftpd-1.3.4c/temp/build.log'.
 * The ebuild environment file is located at '/var/tmp/portage/net-ftp/proftpd-1.3.4c/temp/environment'.
 * Working directory: '/var/tmp/portage/net-ftp/proftpd-1.3.4c'
 * S: '/var/tmp/portage/net-ftp/proftpd-1.3.4c/work/proftpd-1.3.4c'
--------------------------- ACCESS VIOLATION SUMMARY ---------------------------
LOG FILE "/var/log/sandbox/sandbox-13354.log"

VERSION 1.0
FORMAT: F - Function called
FORMAT: S - Access Status
FORMAT: P - Path as passed to function
FORMAT: A - Absolute Path (not canonical)
FORMAT: R - Canonical Path
FORMAT: C - Command Line

F: mkdir
S: deny
P: /var
A: /var
R: /var
C: install -m0700 -d /var tmp/portage/net-ftp/proftpd-1.3.4c/work



I changed the grsec kernel config options step by step, but it did not work
for me. Maybe I missed something.
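The ACCESS VIOLATION SUMMARY above is the VERSION 1.0 record format the sandbox writes to /var/log/sandbox/sandbox-<pid>.log: one F/S/P/A/R/C group per access, with S: deny marking the refused ones. As an added example, not part of the original thread and not the sandbox project's own code, the function below reduces such a log to one line per denied access (function, canonical path, command line), which is the quickest way to see whether relaxing a kernel option actually changed the set of refused paths rather than just moving the failure. The sample log embedded in it is constructed from the mkdir /var record shown in the thread plus two made-up records (one of them with a status other than deny) so the filter has something to skip.

```shell
# Added example (not from the original thread or from sandbox itself): reduce a
# sandbox violation log in the F/S/P/A/R/C format to one line per denied access:
#   <function>\t<canonical path>\t<command line>
# A record ends at its C: line; S: is "deny" for a refused access.
sandbox_denied() {
    awk '
        /^F: / { fn = substr($0, 4) }
        /^S: / { st = substr($0, 4) }
        /^R: / { rp = substr($0, 4) }
        /^C: / {
            if (st == "deny") printf "%s\t%s\t%s\n", fn, rp, substr($0, 4)
            fn = st = rp = ""
        }
    ' "$1"
}

# Number of denied records in a log, for before/after comparisons.
sandbox_denied_count() {
    sandbox_denied "$1" | awk 'END { print NR }'
}

# Constructed sample log: the mkdir /var record from the thread, a made-up
# record whose status is not "deny", and a second made-up denial on /dev/tty.
sandbox_sample_log() {
    cat <<'EOF'
VERSION 1.0
FORMAT: F - Function called
FORMAT: S - Access Status
FORMAT: P - Path as passed to function
FORMAT: A - Absolute Path (not canonical)
FORMAT: R - Canonical Path
FORMAT: C - Command Line

F: mkdir
S: deny
P: /var
A: /var
R: /var
C: install -m0700 -d /var tmp/portage/net-ftp/proftpd-1.3.4c/work

F: open_wr
S: allow
P: /var/tmp/portage/x/build.log
A: /var/tmp/portage/x/build.log
R: /var/tmp/portage/x/build.log
C: sh -c echo

F: open_wr
S: deny
P: /dev/tty
A: /dev/tty
R: /dev/tty
C: sh -c echo
EOF
}
```

Usage against a real log is `sandbox_denied /var/log/sandbox/sandbox-13354.log`. Note what the thread's own C: line shows once isolated this way: the command the sandbox saw was `install -m0700 -d /var tmp/portage/...`, with the path split at /var, which is why the denial is on /var itself and not on the work directory the ebuild meant to create.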