LXC user namespace containers + grsec

Postby fbeader » Sun Aug 10, 2014 7:49 pm

Hello,

I am trying to get LXC user namespaces working on kernel 3.14.5 with the grsecurity patchset, but am kinda stuck with the following error: "newuidmap: Target 22477 is owned by a different user". It seems newuidmap expects the process /proc dir to be owned by the user, but instead it is owned by root as is evident from "pw->pw_uid != st.st_uid: 5000 != 0" (these printfs were added by me to the newuidmap code as strace doesn't work).

I have already disabled the -EPERM return as per viewtopic.php?f=3&t=3929&p=13905&hilit=lxc#p13904 which gets me past the unshare error.
I've also disabled the three things mentioned here (through sysctl): https://blog.flameeyes.eu/2012/04/hard-containers

distro: Gentoo hardened,
kernel: hardened-sources-3.14.5-r2 with the -EPERM commented out
The same container works on a 3.13 non-grsec machine.

Is there anything else I have to turn on/off or is the problem somewhere else (perhaps in shadow)?



output of lxc-start -l DEBUG -o /tmp/lxctest.log -n lxctest -f lxctest.conf :

opentty: Open of /dev/pts/2 sucessfull.
newuidmap: Target 22477 is owned by a different user
path: /proc/22477/
getuid() != pw->pw_uid: 5000 != 5000
getgid() != pw->pw_gid: 5000 != 5000
pw->pw_uid != st.st_uid: 5000 != 0
pw->pw_gid != st.st_gid: 5000 != 5000
error mapping child
Running do_child
setgid: Invalid argument
setgid(0) returned -1
out of do_child
lxc-start: Failed to chown in loop: /dev/pts/7
lxc-start: Failed to shift tty into container
lxc-start: failed to initialize the container
lxc-start: The container failed to start.
lxc-start: Additional information can be obtained by setting the --logfile and --log-priority options.


/tmp/lxctest.log:

lxc-start 1407705495.794 INFO lxc_utils - XDG_RUNTIME_DIR isn't set in the environment.
lxc-start 1407705495.794 WARN lxc_log - lxc_log_init called with log already initialized
lxc-start 1407705495.794 INFO lxc_confile - read uid map: type u nsid 0 hostid 65536 range 65536
lxc-start 1407705495.794 INFO lxc_confile - read uid map: type g nsid 0 hostid 65536 range 65536
lxc-start 1407705495.795 INFO lxc_confile - read uid map: type u nsid 0 hostid 65536 range 65536
lxc-start 1407705495.795 INFO lxc_confile - read uid map: type g nsid 0 hostid 65536 range 65536
lxc-start 1407705495.797 INFO lxc_utils - XDG_RUNTIME_DIR isn't set in the environment.
lxc-start 1407705495.797 DEBUG lxc_conf - allocated pty '/dev/pts/7' (5/6)
lxc-start 1407705495.797 INFO lxc_conf - tty's configured
lxc-start 1407705495.797 DEBUG lxc_start - sigchild handler set
lxc-start 1407705495.797 DEBUG lxc_console - opening /dev/tty for console peer
lxc-start 1407705495.797 INFO lxc_caps - Last supported cap was 34
lxc-start 1407705495.797 DEBUG lxc_console - using '/dev/tty' as console
lxc-start 1407705495.797 DEBUG lxc_console - 22475 got SIGWINCH fd 11
lxc-start 1407705495.797 DEBUG lxc_console - set winsz dstfd:8 cols:177 rows:61
lxc-start 1407705495.797 INFO lxc_conf - Still here
lxc-start 1407705495.846 INFO lxc_utils - child 22476 didn't exit with status 0, but 255.
lxc-start 1407705495.846 ERROR lxc_conf - Failed to chown in loop: /dev/pts/7
lxc-start 1407705495.846 ERROR lxc_start - Failed to shift tty into container
lxc-start 1407705495.846 INFO lxc_utils - XDG_RUNTIME_DIR isn't set in the environment.
lxc-start 1407705495.846 ERROR lxc_start - failed to initialize the container
lxc-start 1407705495.846 ERROR lxc_start_ui - The container failed to start.
lxc-start 1407705495.846 ERROR lxc_start_ui - Additional information can be obtained by setting the --logfile and --log-priority options.



grsec exec log:

[41499.006030] grsec: From 10.0.0.8: exec of /home/lxcmain/lxc-install/bin/lxc-start (lxc-start -l DEBUG -o /tmp/lxctest.log -n lxctest -f lxctest.conf ) by /home/lxcmain/lxc-install/bin/lxc-start[bash:22475] uid/euid:5000/5000 gid/egid:5000/5000, parent /bin/bash[bash:2639] uid/euid:5000/5000 gid/egid:5000/5000
[41499.010745] grsec: From 10.0.0.8: exec of /home/lxcmain/lxc-install/bin/lxc-usernsexec (lxc-usernsexec -m u:0:65536:1 -m u:5000:5000:1 -m g:0:5000:1 -- chown 0 /dev/pts/7 ) by /home/lxcmain/lxc-install/bin/lxc-usernsexec[lxc-start:22476] uid/euid:5000/5000 gid/egid:5000/5000, parent /home/lxcmain/lxc-install/bin/lxc-start[lxc-start:22475] uid/euid:5000/5000 gid/egid:5000/5000
[41499.012368] grsec: From 10.0.0.8: exec of /bin/bash (sh -c newuidmap 22477 0 65536 1 5000 5000 1 ) by /bin/bash[lxc-usernsexec:22478] uid/euid:5000/0 gid/egid:5000/5000, parent /home/lxcmain/lxc-install/bin/lxc-usernsexec[lxc-usernsexec:22476] uid/euid:5000/0 gid/egid:5000/5000
[41499.014444] grsec: From 10.0.0.8: exec of /usr/bin/newuidmap (newuidmap 22477 0 65536 1 5000 5000 1 ) by /usr/bin/newuidmap[sh:22478] uid/euid:5000/5000 gid/egid:5000/5000, parent /home/lxcmain/lxc-install/bin/lxc-usernsexec[lxc-usernsexec:22476] uid/euid:5000/0 gid/egid:5000/5000


settings:

CONFIG_GRKERNSEC=y
CONFIG_GRKERNSEC_CONFIG_AUTO=y
# CONFIG_GRKERNSEC_CONFIG_CUSTOM is not set
# CONFIG_GRKERNSEC_CONFIG_SERVER is not set
CONFIG_GRKERNSEC_CONFIG_DESKTOP=y
# CONFIG_GRKERNSEC_CONFIG_VIRT_NONE is not set
# CONFIG_GRKERNSEC_CONFIG_VIRT_GUEST is not set
CONFIG_GRKERNSEC_CONFIG_VIRT_HOST=y
CONFIG_GRKERNSEC_CONFIG_VIRT_EPT=y
# CONFIG_GRKERNSEC_CONFIG_VIRT_SOFT is not set
# CONFIG_GRKERNSEC_CONFIG_VIRT_XEN is not set
# CONFIG_GRKERNSEC_CONFIG_VIRT_VMWARE is not set
CONFIG_GRKERNSEC_CONFIG_VIRT_KVM=y
# CONFIG_GRKERNSEC_CONFIG_VIRT_VIRTUALBOX is not set
CONFIG_GRKERNSEC_CONFIG_PRIORITY_PERF=y
# CONFIG_GRKERNSEC_CONFIG_PRIORITY_SECURITY is not set
CONFIG_GRKERNSEC_PROC_GID=10
CONFIG_GRKERNSEC_KMEM=y
# CONFIG_GRKERNSEC_IO is not set
CONFIG_GRKERNSEC_PERF_HARDEN=y
CONFIG_GRKERNSEC_RAND_THREADSTACK=y
CONFIG_GRKERNSEC_PROC_MEMMAP=y
# CONFIG_GRKERNSEC_KSTACKOVERFLOW is not set
CONFIG_GRKERNSEC_BRUTE=y
CONFIG_GRKERNSEC_MODHARDEN=y
CONFIG_GRKERNSEC_HIDESYM=y
# CONFIG_GRKERNSEC_RANDSTRUCT is not set
CONFIG_GRKERNSEC_KERN_LOCKOUT=y
# CONFIG_GRKERNSEC_NO_RBAC is not set
CONFIG_GRKERNSEC_ACL_HIDEKERN=y
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30
CONFIG_GRKERNSEC_PROC=y
# CONFIG_GRKERNSEC_PROC_USER is not set
# CONFIG_GRKERNSEC_PROC_USERGROUP is not set
CONFIG_GRKERNSEC_LINK=y
# CONFIG_GRKERNSEC_SYMLINKOWN is not set
CONFIG_GRKERNSEC_FIFO=y
# CONFIG_GRKERNSEC_SYSFS_RESTRICT is not set
# CONFIG_GRKERNSEC_ROFS is not set
CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y
# CONFIG_GRKERNSEC_CHROOT_INITRD is not set
CONFIG_GRKERNSEC_AUDIT_GROUP=y
CONFIG_GRKERNSEC_AUDIT_GID=65550
CONFIG_GRKERNSEC_EXECLOG=y
CONFIG_GRKERNSEC_RESLOG=y
CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
CONFIG_GRKERNSEC_AUDIT_PTRACE=y
CONFIG_GRKERNSEC_AUDIT_CHDIR=y
CONFIG_GRKERNSEC_AUDIT_MOUNT=y
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_TIME=y
CONFIG_GRKERNSEC_PROC_IPADDR=y
CONFIG_GRKERNSEC_RWXMAP_LOG=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_HARDEN_PTRACE=y
CONFIG_GRKERNSEC_PTRACE_READEXEC=y
CONFIG_GRKERNSEC_SETXID=y
CONFIG_GRKERNSEC_HARDEN_IPC=y
# CONFIG_GRKERNSEC_TPE is not set
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_BLACKHOLE=y
CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y
CONFIG_GRKERNSEC_SOCKET=y
CONFIG_GRKERNSEC_SOCKET_ALL=y
CONFIG_GRKERNSEC_SOCKET_ALL_GID=65534
CONFIG_GRKERNSEC_SOCKET_CLIENT=y
CONFIG_GRKERNSEC_SOCKET_CLIENT_GID=65534
CONFIG_GRKERNSEC_SOCKET_SERVER=y
CONFIG_GRKERNSEC_SOCKET_SERVER_GID=65534
# CONFIG_GRKERNSEC_DENYUSB is not set
CONFIG_GRKERNSEC_SYSCTL=y
CONFIG_GRKERNSEC_SYSCTL_ON=y
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=6


CONFIG_PAX_KERNEXEC_PLUGIN=y
CONFIG_PAX_PER_CPU_PGD=y
CONFIG_PAX_USERCOPY_SLABS=y
CONFIG_PAX=y
CONFIG_PAX_SOFTMODE=y
CONFIG_PAX_PT_PAX_FLAGS=y
CONFIG_PAX_XATTR_PAX_FLAGS=y
# CONFIG_PAX_NO_ACL_FLAGS is not set
CONFIG_PAX_HAVE_ACL_FLAGS=y
# CONFIG_PAX_HOOK_ACL_FLAGS is not set
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
# CONFIG_PAX_EMUTRAMP is not set
CONFIG_PAX_MPROTECT=y
CONFIG_PAX_MPROTECT_COMPAT=y
# CONFIG_PAX_ELFRELOCS is not set
CONFIG_PAX_KERNEXEC=y
CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_BTS=y
# CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR is not set
CONFIG_PAX_KERNEXEC_PLUGIN_METHOD="bts"
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
# CONFIG_PAX_MEMORY_SANITIZE is not set
# CONFIG_PAX_MEMORY_STACKLEAK is not set
# CONFIG_PAX_MEMORY_STRUCTLEAK is not set
# CONFIG_PAX_MEMORY_UDEREF is not set
CONFIG_PAX_REFCOUNT=y
CONFIG_PAX_CONSTIFY_PLUGIN=y
CONFIG_PAX_USERCOPY=y
# CONFIG_PAX_USERCOPY_DEBUG is not set
CONFIG_PAX_SIZE_OVERFLOW=y
# CONFIG_PAX_LATENT_ENTROPY is not set



kernel.grsecurity.audit_chdir = 1
kernel.grsecurity.audit_gid = 5000
kernel.grsecurity.audit_group = 1
kernel.grsecurity.audit_mount = 1
kernel.grsecurity.audit_ptrace = 1
kernel.grsecurity.chroot_caps = 0
kernel.grsecurity.chroot_deny_chmod = 1
kernel.grsecurity.chroot_deny_chroot = 1
kernel.grsecurity.chroot_deny_fchdir = 1
kernel.grsecurity.chroot_deny_mknod = 1
kernel.grsecurity.chroot_deny_mount = 0
kernel.grsecurity.chroot_deny_pivot = 0
kernel.grsecurity.chroot_deny_shmat = 1
kernel.grsecurity.chroot_deny_sysctl = 1
kernel.grsecurity.chroot_deny_unix = 1
kernel.grsecurity.chroot_enforce_chdir = 1
kernel.grsecurity.chroot_execlog = 1
kernel.grsecurity.chroot_findtask = 1
kernel.grsecurity.chroot_restrict_nice = 1
kernel.grsecurity.consistent_setxid = 1
kernel.grsecurity.deter_bruteforce = 1
kernel.grsecurity.dmesg = 1
kernel.grsecurity.exec_logging = 1
kernel.grsecurity.fifo_restrictions = 1
kernel.grsecurity.forkfail_logging = 1
kernel.grsecurity.grsec_lock = 0
kernel.grsecurity.harden_ipc = 1
kernel.grsecurity.harden_ptrace = 0
kernel.grsecurity.ip_blackhole = 1
kernel.grsecurity.lastack_retries = 4
kernel.grsecurity.linking_restrictions = 1
kernel.grsecurity.ptrace_readexec = 0
kernel.grsecurity.resource_logging = 1
kernel.grsecurity.rwxmap_logging = 1
kernel.grsecurity.signal_logging = 1
kernel.grsecurity.socket_all = 1
kernel.grsecurity.socket_all_gid = 65534
kernel.grsecurity.socket_client = 1
kernel.grsecurity.socket_client_gid = 65534
kernel.grsecurity.socket_server = 1
kernel.grsecurity.socket_server_gid = 65534
kernel.grsecurity.timechange_logging = 1


kernel.pax.softmode = 1



Thank you,
Fedja
fbeader
 
Posts: 2
Joined: Sun Aug 10, 2014 5:24 pm

Re: LXC user namespace containers + grsec

Postby spender » Tue Aug 12, 2014 8:27 am

Hi,

Your kernel config is incorrect -- you have CONFIG_GRKERNSEC_PROC enabled but neither CONFIG_GRKERNSEC_PROC_USER nor CONFIG_GRKERNSEC_PROC_USERGROUP. Please enable one of the two and see if the problem persists. There's nothing in grsecurity though that should be changing the owner of /proc entries; at most it would change the group.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: LXC user namespace containers + grsec

Postby fbeader » Thu Aug 14, 2014 8:55 pm

spender wrote: Your kernel config is incorrect -- you have CONFIG_GRKERNSEC_PROC enabled but neither CONFIG_GRKERNSEC_PROC_USER nor CONFIG_GRKERNSEC_PROC_USERGROUP. Please enable one of the two and see if the problem persists. There's nothing in grsecurity though that should be changing the owner of /proc entries; at most it would change the group.



My first kernel had all three of those options enabled, but it would not have worked anyway, because the third one chowns all /proc entries to that gid (or so I have observed).
Next I tried a kernel with all three disabled and the container still didn't boot.
And then I went all the way and booted a normal kernel that wasn't patched with grsecurity. Still no dice.

It sure looks like grsec isn't at fault here.

A day later and an unrelated system that had nothing to do with grsecurity stopped running these VMs too. Meh.

Fedja
fbeader
 
Posts: 2
Joined: Sun Aug 10, 2014 5:24 pm

