From: Adam Richter
Subject: Re: [Bisected] CONFIG_AUDIT in linux-3.14-rc1+ breaking Linux Containers?
Date: Fri, 14 Feb 2014 15:01:16 -0800 (PST)
Message-ID: <1392418876.27690.YahooMailNeo@web160601.mail.bf1.yahoo.com>
In-Reply-To: <1392418582.19695.YahooMailNeo@web160606.mail.bf1.yahoo.com>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Ugh!  I proofread that message, really, but I overlooked the subject line which I meant to rephrase.  There is no CONFIG_AUDIT option in x86-64 that I'm aware of, but the message I sent is a bug that seems to bisect down to a change related to linux-audit.

Sorry for the misleading subject line.

Adam Richter


On Friday, February 14, 2014 2:56 PM, Adam Richter <adam_richter2004@yahoo.com> wrote:

Hi.

If I take an Ubuntu 13.10-amd64 system and install an Ubuntu 13.04-i386 Linux Container, it works fine with kernel.org kernel releases through Linux-3.13, but, for Linux-3.14-rc1 and beyond, I cannot log in with "lxc-console".  In that case, if I try to log in as "ubuntu" with the correct password, it quickly tells me the login was incorrect, and prompts me with a new "login:" prompt, but without the delay that occurs if I type in the wrong password.  I haven't bothered breaking into the "linux container", but, looking at its log files from the outside as it runs, I see some PAM errors about "operation not permitted."

I have reproduced this problem with the following container configurations, all on an Ubuntu 13.10-amd64 host ("amd64" is Ubuntu's terminology, not my jibing at Intel):

Ubuntu 13.04-i386
Ubuntu 13.10-i386
Ubuntu 13.10-amd64

I have also reproduced this with a kernel built from git://git.infradead.org/users/eparis/audit.git yesterday (Ubuntu 13.10-amd64 hosting an Ubuntu 13.04-i386 container).

I have also tried disabling CONFIG_AUDIT{SYSCALL,_WATCH,_TREE} and CONFIG_KVM_MMU_AUDIT from linux-3.14-rc2-x86_64 and still observed the same problem.

Doing a "git bisect" on Linus's public tree brought me to the following change (Ubuntu 13.10-x86_64 hosting an Ubuntu 13.04-i386 container):

33faba7fa7f2288d2f8aaea95958b2c97bf9ebfb is the first bad commit
commit 33faba7fa7f2288d2f8aaea95958b2c97bf9ebfb
Author: Richard Guy Briggs <rgb@redhat.com>
Date:   Tue Jul 16 13:18:45 2013 -0400

    audit: listen in all network namespaces

    Convert audit from only listening in init_net to use register_pernet_subsys()
    to dynamically manage the netlink socket list.

    Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
    Signed-off-by: Eric Paris <eparis@redhat.com>

:040000 040000 3c5f63118d5fe9b5a4f0a6dd828249979a10ffa0 c8feaa4fd9bc260cde3bb703ff20ae6938fabe6a M    kernel

For those of you who are not used to using Linux Containers, here are some commands that should reproduce the bug, although I am going from memory rather than copying from my command history.

% sudo lxc-create -t ubuntu -n myubuntu13.04 -- --release raring --arch i386
# ^^ This takes a while.  It installs a Linux distribution in a directory.

% sudo lxc-start -n myubuntu13.04 -d
% sudo lxc-console -n myubuntu13.04
...Try to log in as "ubuntu" with password "ubuntu".  When you're done, do <ctrl-A>q to disconnect the session.
% sudo lxc-stop -n myubuntu13.04
# This next command basically does "rm -rf" on the container's directory tree.
% sudo lxc-destroy -n myubuntu13.04

In the above example, change "raring" to "saucy" if you want Ubuntu 13.10.  You can change i386 to amd64 to try 64-bit.  "myubuntu13.04" is just a name, which you can change to whatever you want.  The Fedora container template shipped with Ubuntu 13.10 does not install for me, otherwise I would have tested that too.

I am not yet sure if this is really a kernel bug or if this is a case of a valid change in Linux kernel behavior exposing a bug elsewhere (for example, Ubuntu's PAM configuration).  I am not a Linux Audit developer.  I am hoping that, if this is a Linux Audit bug, you folks will be able to take it from here, but I'm happy to try to help as best I can.

Thanks in advance for any help with this.

Adam
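The bisected commit changes where the kernel's audit netlink socket exists (every network namespace instead of only init_net), and the symptom reported above is a PAM "operation not permitted" inside the container. The probe below is an added diagnostic written for this page, not code from the mail or from the audit tree: it opens a NETLINK_AUDIT socket in whatever namespace it runs in, sends an AUDIT_GET request, and reports which of the three interesting outcomes it sees, namely a real answer, ECONNREFUSED (no audit listener in this netns), or an EPERM carried back in an NLMSG_ERROR reply. Running it once on the host and once inside the container (e.g. under lxc-attach) shows whether the container's audit socket is now reachable and which error a PAM module talking to audit would get. The function names, the enum, and the 2-second receive timeout are mine; AUDIT_GET requires CAP_AUDIT_CONTROL, so an unprivileged run is expected to report "denied".

```c
/* audit_probe.c -- added diagnostic for this page, not the original mail's code.
 *
 * Opens NETLINK_AUDIT in the caller's namespace, sends AUDIT_GET and decodes
 * the reply.  Run on the host and again inside the container and compare.
 *
 * Assumptions: Linux with <linux/audit.h>; AUDIT_GET needs CAP_AUDIT_CONTROL,
 * so without it the expected verdict is PROBE_DENIED (EPERM).
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <linux/audit.h>
#include <linux/netlink.h>

enum probe_result {
    PROBE_ANSWERED,     /* kernel replied (audit status or a clean ack) */
    PROBE_NO_LISTENER,  /* ECONNREFUSED: no audit socket in this netns */
    PROBE_DENIED,       /* EPERM/EACCES: listener present, request refused */
    PROBE_NO_SOCKET,    /* socket() failed: audit not built in, seccomp, ... */
    PROBE_OTHER         /* anything else; inspect errno */
};

/* Fill in a minimal AUDIT_GET request header (no payload); returns its length. */
size_t build_audit_get(struct nlmsghdr *hdr, unsigned int seq)
{
    memset(hdr, 0, sizeof(*hdr));
    hdr->nlmsg_len   = NLMSG_LENGTH(0);
    hdr->nlmsg_type  = AUDIT_GET;
    hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;  /* force an ack or an error back */
    hdr->nlmsg_seq   = seq;
    hdr->nlmsg_pid   = 0;                          /* kernel assigns our port id */
    return hdr->nlmsg_len;
}

/* Map the errno seen on the send/receive path to a verdict. */
enum probe_result classify_audit_errno(int err)
{
    switch (err) {
    case 0:            return PROBE_ANSWERED;
    case ECONNREFUSED: return PROBE_NO_LISTENER;
    case EPERM:
    case EACCES:       return PROBE_DENIED;
    default:           return PROBE_OTHER;
    }
}

const char *probe_result_name(enum probe_result r)
{
    switch (r) {
    case PROBE_ANSWERED:    return "answered";
    case PROBE_NO_LISTENER: return "no audit listener in this netns (ECONNREFUSED)";
    case PROBE_DENIED:      return "denied (EPERM)";
    case PROBE_NO_SOCKET:   return "cannot open NETLINK_AUDIT socket";
    default:                return "other error";
    }
}

/* Open NETLINK_AUDIT, send AUDIT_GET, decode the first reply. *err_out = errno. */
enum probe_result probe_audit_netlink(int *err_out)
{
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
    if (fd < 0) {
        *err_out = errno;
        return PROBE_NO_SOCKET;
    }
    /* Never hang: a listener that swallows the request shows up as EAGAIN. */
    struct timeval tv = { .tv_sec = 2, .tv_usec = 0 };
    setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv));

    struct sockaddr_nl kernel = { .nl_family = AF_NETLINK };  /* nl_pid 0 = kernel */
    struct nlmsghdr req;
    build_audit_get(&req, 1);

    int err = 0;
    if (sendto(fd, &req, req.nlmsg_len, 0,
               (struct sockaddr *)&kernel, sizeof(kernel)) < 0) {
        err = errno;                        /* ECONNREFUSED surfaces here */
    } else {
        char buf[8192];
        ssize_t n = recv(fd, buf, sizeof(buf), 0);
        if (n < 0) {
            err = errno;
        } else if ((size_t)n < sizeof(struct nlmsghdr)) {
            err = EBADMSG;
        } else {
            struct nlmsghdr *rep = (struct nlmsghdr *)buf;
            if (rep->nlmsg_type == NLMSG_ERROR &&
                (size_t)n >= NLMSG_LENGTH(sizeof(struct nlmsgerr))) {
                /* error is a negative errno; 0 is a plain ack */
                struct nlmsgerr *e = (struct nlmsgerr *)NLMSG_DATA(rep);
                err = -e->error;            /* EPERM surfaces here */
            }
        }
    }
    close(fd);
    *err_out = err;
    return classify_audit_errno(err);
}

int main(void)
{
    int err = 0;
    enum probe_result r = probe_audit_netlink(&err);
    printf("audit netlink probe: %s (errno %d: %s)\n",
           probe_result_name(r), err, err ? strerror(err) : "ok");
    return r == PROBE_ANSWERED ? 0 : 1;
}
```

Before the bisected commit a container in its own network namespace would see ECONNREFUSED from sendto(), because no kernel audit socket existed there; after it, the request reaches the kernel and any refusal comes back as an NLMSG_ERROR, which is the path the probe decodes into PROBE_DENIED.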