From: Adam Richter
Subject: Re: [Bisected] CONFIG_AUDIT in linux-3.14-rc1+ breaking Linux Containers?
Date: Mon, 17 Feb 2014 18:17:48 -0800 (PST)
To: Eric Paris
Cc: linux-audit@redhat.com

Hi, Eric.

Thank you for your detailed reply.  I confirm that adding "audit=0" to the boot arguments to my linux-3.14-rc2-x86_64 kernel running Ubuntu 13.10-x86_64 allowed me to log into an Ubuntu 13.04-i386 container.  Thank you for providing this workaround, and please feel free to let me know if there is anything else you'd like me to try.

Adam Richter


On Monday, February 17, 2014 11:02 AM, Eric Paris <eparis@redhat.com> wrote:

boot with audit=0 on the command line and it will work.

The basic problem is that before this patch, trying to connect to the
kernel audit infrastructure when setting up a separate network namespace
returned EOPNOTSUPP or some such thing which told the pam stack that
audit was not compiled into the kernel.

This patch means that the kernel audit is actually listening in the
network namespace.  But, most likely, it is now rejecting the pam
module request because the new container is in a new pid namespace.  We
should have patches to allow that in the next kernel release.

Let me know if booting with audit=0 gets you login in a container
back...


On Fri, 2014-02-14 at 14:56 -0800, Adam Richter wrote:
> Hi.
>
> If I take an Ubuntu 13.10-amd64 system and install an Ubuntu
> 13.04-i386 Linux Container, it works fine with kernel.org kernel
> releases through Linux-3.13, but, for Linux-13.14-rc1 and beyond, I
> cannot login with "lxc-console".  In that case, if I try to log in as
> "ubuntu" with the correct password, it quickly tells me the login was
> incorrect, and prompts me with a new "login:" prompt, but without the
> delay that occurs if I type in the wrong password.  I haven't bothered
> breaking into the "linux container", but, looking at its log files
> from the outside as it runs, I see some PAM errors about "operation
> not permitted."
>
> I have reproduced this problem with the following container
> configurations, all on an
> Ubuntu 13.10-amd64 host ("amd64" is Ubuntu's terminology, not my
> jibing Intel):
>
> Ubuntu 13.04-i386
> Ubuntu 13.10-i386
> Ubuntu 13.10-amd64
>
> I have also reproduced this with a kernel built from
> git://git.infradead.org/users/eparis/audit.git yesterday (Ubuntu
> 13.10-amd64 hosting an Ubuntu 13.04-i386 container).
>
> I have also tried disabling CONFIG_AUDIT{SYSCALL,_WATCH,_TREE} and
> CONFIG_KVM_MMU_AUDIT from linux-3.14-rc2-x86_64 and still observed the
> same problem.
>
> Doing a "git bisect" on Linus's public tree brought me to the
> following change (Ubuntu 13.10-x86_64 hosting an Ubuntu 13.04-i386
> container):
>
> 33faba7fa7f2288d2f8aaea95958b2c97bf9ebfb is the first bad commit
> commit 33faba7fa7f2288d2f8aaea95958b2c97bf9ebfb
> Author: Richard Guy Briggs <rgb@redhat.com>
> Date:   Tue Jul 16 13:18:45 2013 -0400
>
>     audit: listen in all network namespaces
>
>     Convert audit from only listening in init_net to use
> register_pernet_subsys()
>     to dynamically manage the netlink socket list.
>
>     Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
>     Signed-off-by: Eric Paris <eparis@redhat.com>
>
> :040000 040000 3c5f63118d5fe9b5a4f0a6dd828249979a10ffa0
> c8feaa4fd9bc260cde3bb703ff20ae6938fabe6a M    kernel
>
> For those of you who are not used to using Linux Containers, here are
> some commands that should reproduce the bug, although I am going from
> memory rather than copying from my command history.
>
> % sudo lxc-create -t ubuntu -n myubuntu13.04 -- --release raring
> --arch i386
> # ^^ This takes a while.  It installs a Linux distribution in a
> directory.
>
> % sudo lxc-start -n myubuntu13.04 -d
> % sudo lxc-console -n myubuntu13.04
> ...Try to log in as "ubuntu" with password "ubuntu".  When you're done,
> do <ctrl-A>q to disconnect the session.
> % sudo lxc-stop -n myubuntu13.04
> # This next command basically does "rm -rf" on the container's
> directory tree.
> % sudo lxc-destroy -n myubuntu13.04
>
> In the above example, change "raring" to "saucy" if you want Ubuntu
> 13.10.  You can change i386 to amd64 to try 64-bit.  "myubuntu13.04"
> is just a name, which you can change to whatever you want.  The Fedora
> container template shipped with Ubuntu 13.10 does not install for me,
> otherwise I would have tested that too.
>
> I am not yet sure if this is really a kernel bug or if this is a case
> of a valid change in Linux kernel behavior exposing a bug elsewhere
> (for example, Ubuntu's PAM configuration).  I am not a Linux Audit
> developer.  I am hoping that, if this is a Linux Audit bug, you folks
> will be able to take it from here, but I'm happy to try to help as
> best I can.
>
> Thanks in advance for any help with this.
>
> Adam
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
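Eric's explanation turns on whether the audit netlink socket is absent from the container's view (the old behaviour, which the PAM stack read as "no audit") or present but refusing the container's request (the new behaviour). The diagnostic below is an added example, not code from this thread, the kernel or PAM: it sends one AUDIT_GET from wherever it runs, for instance inside the container, and reports which of those cases applies. The category names, the treatment of a sandbox that blocks socket() as REJECTED, and the 2 s receive timeout are my assumptions.

```c
/* Added example, not code from the thread, the kernel or PAM: probe the audit netlink
 * socket as a PAM audit module would and sort the result into the cases Eric describes. */
#include <errno.h>
#include <linux/audit.h>
#include <linux/netlink.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

enum audit_probe { AUDIT_REACHABLE, AUDIT_UNAVAILABLE, AUDIT_REJECTED, AUDIT_UNKNOWN };

/* Map an errno from socket()/sendto(), or the one in the kernel's NLMSG_ERROR reply. */
enum audit_probe classify_audit_errno(int err)
{
    switch (err) {
    case 0:               return AUDIT_REACHABLE;    /* ACK or a real reply */
    case EPROTONOSUPPORT:                             /* NETLINK_AUDIT not built in */
    case EOPNOTSUPP:                                  /* "EOPNOTSUPP or some such" */
    case ECONNREFUSED:    return AUDIT_UNAVAILABLE;   /* nothing listening here */
    case EPERM:           return AUDIT_REJECTED;      /* "operation not permitted" */
    default:              return AUDIT_UNKNOWN;
    }
}

/* Send one AUDIT_GET to the kernel and classify its answer. Assumptions: a 2 s receive
 * timeout; a sandbox that blocks socket() with EPERM reads as REJECTED, like the container. */
enum audit_probe probe_audit_socket(void)
{
    struct sockaddr_nl kernel = { .nl_family = AF_NETLINK };   /* nl_pid 0 = the kernel */
    struct nlmsghdr req = { .nlmsg_len = NLMSG_LENGTH(0), .nlmsg_type = AUDIT_GET,
                            .nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK, .nlmsg_seq = 1 };
    struct timeval tv = { 2, 0 };
    char buf[NLMSG_SPACE(1024)];
    struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
    enum audit_probe result;
    int n, fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
    if (fd < 0)
        return classify_audit_errno(errno);
    setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);
    if (sendto(fd, &req, req.nlmsg_len, 0, (struct sockaddr *)&kernel, sizeof kernel) < 0)
        result = classify_audit_errno(errno);
    else if ((n = (int)recv(fd, buf, sizeof buf, 0)) < 0)
        result = AUDIT_UNKNOWN;                        /* timed out or cut off */
    else if (NLMSG_OK(nlh, (unsigned int)n) && nlh->nlmsg_type == NLMSG_ERROR)
        result = classify_audit_errno(-((struct nlmsgerr *)NLMSG_DATA(nlh))->error);
    else
        result = AUDIT_REACHABLE;                      /* an AUDIT_GET status reply */
    close(fd);
    return result;
}
```

Run it once on the host and once inside the container on the same kernel: on a pre-patch kernel the container side reports UNAVAILABLE, which PAM tolerates, while a kernel with the bisected commit reports REJECTED, which is the failed login Adam saw.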