Gentoo Archives: gentoo-hardened

From: Alexander Tiurin <alexanderyt@×××××.com>
To: gentoo-hardened@l.g.o
Subject: Re: [gentoo-hardened] linux32 chroot issue
Date: Sat, 22 Feb 2014 15:32:20
Message-Id: 20140222193310.65d5f74a@gmail.com
In Reply to: Re: [gentoo-hardened] linux32 chroot issue by "Anthony G. Basile"
On Sat, 22 Feb 2014 09:20:11 -0500
"Anthony G. Basile" <basile@××××××××××××××.edu> wrote:

> On 02/21/2014 05:48 PM, Alexander Tiurin wrote:
> > hi!
> >
> > emerge returns errors during build of any atoms in linux32 chroot only.
> >
> > (null)*(null) (null)ACCESS DENIED(null): open_wr: /dev/tty
> > (null)*(null) (null)ACCESS DENIED(null): open_wr: /dev/null
> >
> > The full log http://pastebin.com/4An1ajY0
> >
> > stat /dev/{null,tty}
> > File: '/dev/null'
> > Size: 0 Blocks: 0 IO Block: 4096 character special file
> > Device: 5h/5d Inode: 1028 Links: 1 Device type: 1,3
> > Access: (0666/crw-rw-rw-) Uid: ( 0/ root) Gid: ( 0/ root)
> >
> > File: '/dev/tty'
> > Size: 0 Blocks: 0 IO Block: 4096 character special file
> > Device: 5h/5d Inode: 1035 Links: 1 Device type: 5,0
> > Access: (0666/crw-rw-rw-) Uid: ( 0/ root) Gid: ( 5/ tty)
> >
> > Kernel 3.11.7-hardened-r1
> > Kernel config
> > zcat /proc/config.gz | grep -i -e grkern -e pax
> > http://pastebin.com/ka63Jf98
> >
> > emerge --info
> > http://pastebin.com/WJ7BRXCA
> >
> >
> > In x86_64 chroot all works fine. Also, with hardened-sources-3.2.52-r3
> > linux32 chroot works fine too.
> > Please suggest any solution.
> >
>
>
> There's not enough context to really nail it, but start by trying this:
>
> for i in /proc/sys/kernel/grsecurity/chroot_* ; do
>     echo 0 > "$i"
> done

This action does not solve the issue.


>
> Also, can you give me your `df -a` so I can see what is mounted in the
> chroot. Run that from *outside* the chroot.
>
>

/mnt/2gb/stage4x86_hard_2 is a targeted chroot.


Filesystem                         1K-blocks      Used  Available Use% Mounted on
rootfs                               1998672    995724     881708  54% /
proc                                       0         0          0    - /proc
udev                                   10240         8      10232   1% /dev
devpts                                     0         0          0    - /dev/pts
sysfs                                      0         0          0    - /sys
/dev/dm-3                            1998672    995724     881708  54% /
tmpfs                                 816264       608     815656   1% /run
mqueue                                     0         0          0    - /dev/mqueue
shm                                  4081312       416    4080896   1% /dev/shm
securityfs                                 0         0          0    - /sys/kernel/security
debugfs                                    0         0          0    - /sys/kernel/debug
configfs                                   0         0          0    - /sys/kernel/config
cgroup_root                            10240         0      10240   0% /sys/fs/cgroup
fusectl                                    0         0          0    - /sys/fs/fuse/connections
openrc                                     0         0          0    - /sys/fs/cgroup/openrc
cpuset                                     0         0          0    - /sys/fs/cgroup/cpuset
cpu                                        0         0          0    - /sys/fs/cgroup/cpu
cpuacct                                    0         0          0    - /sys/fs/cgroup/cpuacct
/dev/mapper/main-grdesk.usr         15350768   6390764    8157188  44% /usr
/dev/mapper/main-grdesk.var         10190136    407304    9242160   5% /var
/dev/mapper/main-grdeskhome        175329968  92906552   74521844  56% /home
/dev/mapper/main-stage4.2hard       10190136   5597264    4052200  59% /var/local/stage4.2hard
/dev/mapper/main-stage4.3hard       10141624   7837812    1765600  82% /var/local/stage4.3hard
/dev/mapper/main-hardened_desktop   20511356  11343344    8941916  56% /var/local/hardened_desktop
none                                       0         0          0    - /var/local/hardened_desktop/proc
/dev                                   10240         8      10232   1% /var/local/hardened_desktop/dev
/sys                                       0         0          0    - /var/local/hardened_desktop/sys
/dev/pts                                   0         0          0    - /var/local/hardened_desktop/dev/pts
/dev/shm                             4081312       416    4080896   1% /var/local/hardened_desktop/dev/shm
/dev/mapper/2gb-2gb               1952559608 307011736 1645547872  16% /mnt/2gb
none                                       0         0          0    - /mnt/2gb/stage4x86_hard_2/proc
/dev                                   10240         8      10232   1% /mnt/2gb/stage4x86_hard_2/dev
/sys                                       0         0          0    - /mnt/2gb/stage4x86_hard_2/sys
/dev/pts                                   0         0          0    - /mnt/2gb/stage4x86_hard_2/dev/pts
/dev/shm                             4081312       416    4080896   1% /mnt/2gb/stage4x86_hard_2/dev/shm
