From: Adam Richter
Subject: [Bisected] CONFIG_AUDIT in linux-3.14-rc1+ breaking Linux Containers?
Date: Fri, 14 Feb 2014 14:56:22 -0800 (PST)
Message-ID: <1392418582.19695.YahooMailNeo@web160606.mail.bf1.yahoo.com>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Hi.

If I take an Ubuntu 13.10-amd64 system and install an Ubuntu 13.04-i386 Linux Container, it works fine with kernel.org kernel releases through Linux-3.13, but, for Linux-13.14-rc1 and beyond, I cannot log in with "lxc-console". In that case, if I try to log in as "ubuntu" with the correct password, it quickly tells me the login was incorrect, and prompts me with a new "login:" prompt, but without the delay that occurs if I type in the wrong password. I haven't bothered breaking into the "linux container", but, looking at its log files from the outside as it runs, I see some PAM errors about "operation not permitted."

I have reproduced this problem with the following container configurations, all on Ubuntu 13.10-amd64 hosts ("amd64" is Ubuntu's terminology, not my jibing Intel):

Ubuntu 13.04-i386
Ubuntu 13.10-i386
Ubuntu 13.10-amd64

I have also reproduced this with a kernel built from git://git.infradead.org/users/eparis/audit.git yesterday (Ubuntu 13.10-amd64 hosting an Ubuntu 13.04-i386 container).

I have also tried disabling CONFIG_AUDIT{SYSCALL,_WATCH,_TREE} and CONFIG_KVM_MMU_AUDIT from linux-3.14-rc2-x86_64 and still observed the same problem.

Doing a "git bisect" on Linus's public tree brought me to the following change (Ubuntu 13.10-x86_64 hosting an Ubuntu 13.04-i386 container):

33faba7fa7f2288d2f8aaea95958b2c97bf9ebfb is the first bad commit
commit 33faba7fa7f2288d2f8aaea95958b2c97bf9ebfb
Author: Richard Guy Briggs <rgb@redhat.com>
Date:   Tue Jul 16 13:18:45 2013 -0400

    audit: listen in all network namespaces

    Convert audit from only listening in init_net to use register_pernet_subsys()
    to dynamically manage the netlink socket list.

    Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
    Signed-off-by: Eric Paris <eparis@redhat.com>

:040000 040000 3c5f63118d5fe9b5a4f0a6dd828249979a10ffa0 c8feaa4fd9bc260cde3bb703ff20ae6938fabe6a M    kernel

For those of you who are not used to using Linux Containers, here are some commands that should reproduce the bug, although I am going from memory rather than copying from my command history.

% sudo lxc-create -t ubuntu -n myubuntu13.04 -- --release raring --arch i386
# ^^ This takes a while.  It installs a Linux distribution in a directory.

% sudo lxc-start -n myubuntu13.04 -d
% sudo lxc-console -n myubuntu13.04
...Try to log in as "ubuntu" with password "ubuntu".  When you're done, do <ctrl-A>q to disconnect the session.
% sudo lxc-stop -n myubuntu13.04
# This next command basically does "rm -rf" on the container's directory tree.
% sudo lxc-destroy -n myubuntu13.04

In the above example, change "raring" to "saucy" if you want Ubuntu 13.10.  You can change i386 to amd64 to try 64-bit.  "myubuntu13.04" is just a name, which you can change to whatever you want.  The Fedora container template shipped with Ubuntu 13.10 does not install for me, otherwise I would have tested that too.

I am not yet sure if this is really a kernel bug or if this is a case of a valid change in Linux kernel behavior exposing a bug elsewhere (for example, Ubuntu's PAM configuration).  I am not a Linux Audit developer.  I am hoping that, if this is a Linux Audit bug, you folks will be able to take it from here, but I'm happy to try to help as best I can.

Thanks in advance for any help with this.

Adam
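The following triage helpers are an added example and are not part of Adam's mail or of the audit tree. They turn the two facts the report establishes (the symptom is PAM logging "operation not permitted" inside the container, and the bisect points at commit 33faba7fa7f2288d2f8aaea95958b2c97bf9ebfb) into checks a host administrator can run: one counts matching PAM lines in a container auth log read from stdin, the other asks a kernel git checkout whether its HEAD already contains the first bad commit. The sample log lines are constructed for the demo, the module name pam_hypothetical is made up, and the exact wording of the real PAM messages is assumed to contain the phrase the mail quotes.

```shell
#!/bin/sh
# Added triage helpers (example code, not from the original mail).

# 1) Count PAM lines mentioning "operation not permitted" in a container
#    auth log. Reads stdin, so it can be pointed at the container's
#    rootfs/var/log/auth.log from the host without entering the container.
#    grep -c exits 1 when nothing matches; "|| true" keeps the count
#    printable under "set -e".
count_pam_eperm() {
    grep -ic 'pam.*operation not permitted' || true
}

# 2) Exit status 0 if HEAD of the given Linux git tree already contains the
#    commit the mail's bisect identified as the first bad one. Needs a real
#    checkout; nothing is fetched here.
FIRST_BAD_COMMIT=33faba7fa7f2288d2f8aaea95958b2c97bf9ebfb
kernel_has_first_bad_commit() {
    # $1 = path to a Linux kernel git checkout
    git -C "$1" merge-base --is-ancestor "$FIRST_BAD_COMMIT" HEAD
}

# Constructed sample log (not real output from the reporter's system):
# timestamps, PID and the module name "pam_hypothetical" are made up; the
# "Operation not permitted" wording follows the mail's description.
SAMPLE_AUTH_LOG='Feb 14 22:10:03 myubuntu13.04 login[2345]: PAM session setup failed: Operation not permitted
Feb 14 22:10:03 myubuntu13.04 login[2345]: pam_hypothetical(login:session): Operation not permitted
Feb 14 22:10:03 myubuntu13.04 login[2345]: Login incorrect'

# Run the log check over the constructed sample and print the count.
pam_eperm_count() {
    printf '%s\n' "$SAMPLE_AUTH_LOG" | count_pam_eperm
}

pam_eperm_count
```

Usage against a live container: `count_pam_eperm < /var/lib/lxc/myubuntu13.04/rootfs/var/log/auth.log` (the rootfs path is the default LXC layout and is an assumption about the host). For the commit check, run `kernel_has_first_bad_commit /path/to/linux && echo "tree contains the bisected commit"`; a tree at or before v3.13 returns non-zero, which matches the mail's observation that those releases work.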