Regression tools broken, pass tests that fail on vanilla
Posted: Thu Jan 08, 2004 2:20 pm
I'm using a 2.6 kernel that I've done a few hacks to, and I'm finding that:
icedisc regression # ./full_test.sh
Testing dmesg restriction... : FAILED
Testing kill out of chroot... : FAILED
Testing denied double chroot... : PASSED
Testing denied sysctl in chroot... : PASSED
Testing denied shared memory attach out of chroot... : FAILED
Testing denied ioperm... : FAILED
Testing denied iopl... : FAILED
Testing denied mknod in chroot... : FAILED
Testing randomized PIDs... : FAILED
Testing denied ptrace out of chroot... : PASSED
Testing denied nice raise in chroot... : FAILED
Testing denied priority raise in chroot... : FAILED
Testing chdir("/") on chroot... : PASSED
Testing denied shared memory attach out of chroot (as non-root)... : FAILED
Testing denied dangerous capabilities in chroot... : FAILED
Testing denied dangerous capabilities on children in chroot... : FAILED
Testing denied fchmod +s in chroot... : FAILED
Testing denied chmod +s in chroot... : FAILED
Testing denied connect to abstract unix domain socket out of chroot... : FAILED
Testing denied write of /dev/mem... : FAILED
Testing denied mmap write of /dev/kmem... : FAILED
Testing denied open of /dev/port... : FAILED
./full_test.sh: line 17: 4180 Segmentation fault ./memkmemport_test
Testing hardlink restrictions... : FAILED
Testing symlink restrictions... : FAILED
Testing denied fchdir out of chroot... : PASSED
The following tests may freeze: fifo_test
-----
About here I killed it (after 5 minutes), so the fifo_test doesn't work on 2.6.
Now, I stole/modified the fchdir code from grsec and that tested out right, as well as the chroot_chroot test. I should and do pass those (and should and do fail on a kernel with just pax in it).
My problem is that it's passing the ptrace and sysctl tests:
Testing denied sysctl in chroot... : PASSED
Testing denied ptrace out of chroot... : PASSED
I didn't do anything to the kernel to fix these. Moreover,
icedisc regression # chroot /
icedisc / # cat /proc/sys/vm/swappiness
60
icedisc / # echo 70 > /proc/sys/vm/swappiness
icedisc / # cat /proc/sys/vm/swappiness
70
icedisc / # exit
exit
icedisc regression # cat /proc/sys/vm/swappiness
70
icedisc regression #
---
It appears that not only do I PASS the sysctl test, but I fail it as well. It says I pass but I clearly failed, right? I'm guessing that it's denying the sysctl(2) call but I'm not sure.
I have no way to verify the ptrace() test but I suspect it may be inaccurate as well; however, this is 2.6, and there may be changes between it and 2.4 that would reflect this.
Testing denied write of /dev/mem... : FAILED
Testing denied mmap write of /dev/kmem... : FAILED
Testing denied open of /dev/port... : FAILED
./full_test.sh: line 17: 4180 Segmentation fault ./memkmemport_test
Segfaulting binaries are bad. There's worse news. I ran this over ssh, but going to the physical console reveals a problem in the kernel:
icebox regression # ./memkmemport_test
Testing denied write of /dev/mem... : FAILED
Testing denied mmap write of /dev/kmem... : FAILED
Testing denied open of /dev/port... : FAILED
<1>Unable to handle kernel NULL pointer dereference at virtual address 00000000
printing eip:
c0387645
*pde = 00000000
Oops: 0002 [#3]
CPU: 0
EIP: 0060:[<c0387645>] Tainted: PF
EFLAGS: 00010246
eax: 00000000 ebx: 00000004 ecx: 00000004 edx: 00000000
esi: 080487eb edi: 00000000 ebp: 080487ef esp: d0f55e80
ds: 007b es: 007b ss: 0068
Process memkmemport_tes (pid: 7355, threadinfo=d0f54000 task=dbdd0c80)
Stack: 00000004 00000004 efd516c0 c02b7523 ef5aa9c0 00000004 00000000 c02b6a48
00000000 080487eb 00000004 e69cd140 c02b6dd0 00000004 e69cd160 080487eb
c02b6e39 e69cd140 00000000 00000000 080487eb 00000004 e69cd160 e69cd140
Call Trace: [<c02b7523>] [<c02b6a48>] [<c02b6dd0>] [<c02b6e39>]
[<c02b6dd0>] [<c01ed0e8>] [<c01ed212>] [<c019d417>] [<c019d42f>]
Code: f3 aa 58 59 e9 fc 4c f0 ff b8 f2 ff ff ff e9 b3 9e f0 ff b8
Segmentation fault
I should send the oops to the LKML; I'm doing so now.
Check your work, just to make sure.
Also, some of these test programs don't compile -fPIC. This is trivial but should be fixed at some point.
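An added example, not part of the original post and not the regression suite's own code: a check for the discrepancy described above, where a test reports PASSED while a write to /proc/sys/vm/swappiness from inside the chroot still took effect. It judges the restriction by reading the value back after the write attempt rather than by a return code alone; the function names are hypothetical, and it assumes it is run as root inside the chroot against a file-backed setting.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

enum verdict { DENIED, ALLOWED, INCONCLUSIVE };

/* Read the current value of path into buf; 0 on success, -1 on error. */
static int read_value(const char *path, char *buf, size_t n) {
    int fd = open(path, O_RDONLY);
    ssize_t r = fd < 0 ? -1 : read(fd, buf, n - 1);
    if (fd >= 0) close(fd);
    if (r < 0) return -1;
    buf[r] = '\0';
    return 0;
}

/* Try to write val to path; 0 only if the kernel accepted all of it. */
static int write_value(const char *path, const char *val) {
    int fd = open(path, O_WRONLY);
    ssize_t w = fd < 0 ? -1 : write(fd, val, strlen(val));
    if (fd >= 0) close(fd);
    return w == (ssize_t)strlen(val) ? 0 : -1;
}

/* The verdict rests on the observed value, not on a return code alone. */
enum verdict classify(const char *before, const char *after, int write_rc) {
    if (strcmp(before, after) != 0) return ALLOWED;  /* setting changed */
    return write_rc != 0 ? DENIED : INCONCLUSIVE;    /* no-op write proves nothing */
}

/* Probe one file interface, then put the original value back. */
enum verdict probe_write(const char *path, const char *newval) {
    char before[64], after[64];
    if (read_value(path, before, sizeof before) != 0) return INCONCLUSIVE;
    int rc = write_value(path, newval);
    if (read_value(path, after, sizeof after) != 0) return INCONCLUSIVE;
    if (strcmp(before, after) != 0) write_value(path, before);
    return classify(before, after, rc);
}

int main(int argc, char **argv) {  /* assumed usage: as root, after chroot */
    static const char *res[] = { "PASSED", "FAILED", "INCONCLUSIVE" };
    if (argc != 3) return 2;
    enum verdict v = probe_write(argv[1], argv[2]);
    printf("Testing denied write of %s... : %s\n", argv[1], res[v]);
    return v != DENIED;
}
```

Pass a value different from the current one (for example 70 when swappiness is 60); writing the value already in place yields INCONCLUSIVE by design.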