* Re: [Bugme-new] [Bug 10748] New: dhclient fails to run; capabilities error [not found] <bug-10748-10286@http.bugzilla.kernel.org/> @ 2008-05-19 18:28 ` Andrew Morton 2008-05-20 13:48 ` Amit Shah 2008-05-20 13:49 ` Serge E. Hallyn 0 siblings, 2 replies; 8+ messages in thread From: Andrew Morton @ 2008-05-19 18:28 UTC (permalink / raw) To: netdev Cc: bugme-daemon, shahamit, Serge E. Hallyn, Andrew Morgan, Stephen Smalley (switched to email. Please respond via emailed reply-to-all, not via the bugzilla web interface). On Mon, 19 May 2008 06:25:00 -0700 (PDT) bugme-daemon@bugzilla.kernel.org wrote: > http://bugzilla.kernel.org/show_bug.cgi?id=10748 > > Summary: dhclient fails to run; capabilities error > Product: Networking > Version: 2.5 > KernelVersion: 2.6.26-rc2 > Platform: All > OS/Version: Linux > Tree: Mainline > Status: NEW > Severity: normal > Priority: P1 > Component: IPV4 > AssignedTo: shemminger@linux-foundation.org > ReportedBy: shahamit@gmail.com > > > Latest working kernel version: 2.6.25 > Earliest failing kernel version: 2.6.26-rc1 > Distribution: Kubuntu Hardy > Hardware Environment: AMD > Software Environment: > Problem Description: On a default Kubuntu Hardy install, I fetched the git tree > from Linus; compiled and installed the kernel. This persists even with > 2.6.26-rc2+ (commit f26a3988917913b3d11b2bd741601a2c64ab9204) > > If this isn't known, I'll bisect and report the bad commit > > Steps to reproduce: 'sudo dhclient eth2' returns > > drop_privileges: could not keep capabilities: Invalid argument > > eth2 is an e1000e card. > > whoa, weird. Could you please run `sudo strace -f dhclient eth2' and send us the last page or so of output? ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [Bugme-new] [Bug 10748] New: dhclient fails to run; capabilities error 2008-05-19 18:28 ` [Bugme-new] [Bug 10748] New: dhclient fails to run; capabilities error Andrew Morton @ 2008-05-20 13:48 ` Amit Shah 2008-05-20 13:49 ` Serge E. Hallyn 1 sibling, 0 replies; 8+ messages in thread From: Amit Shah @ 2008-05-20 13:48 UTC (permalink / raw) To: Andrew Morton Cc: netdev, bugme-daemon, Serge E. Hallyn, Andrew Morgan, Stephen Smalley On Mon, May 19, 2008 at 11:58 PM, Andrew Morton <akpm@linux-foundation.org> wrote: > whoa, weird. Could you please run `sudo strace -f dhclient eth2' and send us > the last page or so of output? > Sorry, I should've done that earlier. 9311 open("/var/lib/dhcp3/dhclient.leases", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 4 9311 chown("/var/lib/dhcp3/dhclient.leases", 100, 4294967295) = 0 9311 fstat(4, {st_mode=S_IFREG|0644, st_size=0, ...}) = 0 9311 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc511e8f000 9311 write(4, "lease {\n interface \"eth0\";\n fi"..., 531) = 531 9311 open("/var/run/dhclient.pid", O_WRONLY|O_CREAT|O_TRUNC, 0644) = 5 9311 fcntl(5, F_GETFL) = 0x8001 (flags O_WRONLY|O_LARGEFILE) 9311 fstat(5, {st_mode=S_IFREG|0644, st_size=0, ...}) = 0 9311 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc511e8e000 9311 lseek(5, 0, SEEK_CUR) = 0 9311 open("/etc/passwd", O_RDONLY|0x80000 /* O_??? */) = 6 9311 lseek(6, 0, SEEK_CUR) = 0 9311 fstat(6, {st_mode=S_IFREG|0644, st_size=1558, ...}) = 0 9311 mmap(NULL, 1558, PROT_READ, MAP_SHARED, 6, 0) = 0x7fc511e8d000 9311 lseek(6, 1558, SEEK_SET) = 1558 9311 munmap(0x7fc511e8d000, 1558) = 0 9311 close(6) = 0 9311 socket(PF_FILE, SOCK_STREAM, 0) = 6 9311 fcntl(6, F_SETFL, O_RDWR|O_NONBLOCK) = 0 9311 connect(6, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory) 9311 close(6) = 0 9311 socket(PF_FILE, SOCK_STREAM, 0) = 6 9311 fcntl(6, F_SETFL, O_RDWR|O_NONBLOCK) = 0 9311 connect(6, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory) 9311 close(6) = 0 9311 open("/etc/group", O_RDONLY|0x80000 /* O_??? */) = 6 9311 lseek(6, 0, SEEK_CUR) = 0 9311 fstat(6, {st_mode=S_IFREG|0644, st_size=923, ...}) = 0 9311 mmap(NULL, 923, PROT_READ, MAP_SHARED, 6, 0) = 0x7fc511e8d000 9311 lseek(6, 923, SEEK_SET) = 923 9311 munmap(0x7fc511e8d000, 923) = 0 9311 close(6) = 0 9311 prctl(0x8, 0x1, 0, 0, 0) = -1 EINVAL (Invalid argument) 9311 dup(2) = 6 9311 fcntl(6, F_GETFL) = 0x8002 (flags O_RDWR|O_LARGEFILE) 9311 fstat(6, {st_mode=S_IFCHR|0600, st_rdev=makedev(136, 2), ...}) = 0 9311 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc511e8d000 9311 lseek(6, 0, SEEK_CUR) = -1 ESPIPE (Illegal seek) 9311 write(6, "drop_privileges: could not keep "..., 63) = 63 9311 close(6) = 0 9311 munmap(0x7fc511e8d000, 4096) = 0 9311 exit_group(-1) = ? -- Amit Shah http://www.amitshah.net/ ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [Bugme-new] [Bug 10748] New: dhclient fails to run; capabilities error 2008-05-19 18:28 ` [Bugme-new] [Bug 10748] New: dhclient fails to run; capabilities error Andrew Morton 2008-05-20 13:48 ` Amit Shah @ 2008-05-20 13:49 ` Serge E. Hallyn 2008-05-20 13:38 ` Stephen Smalley 1 sibling, 1 reply; 8+ messages in thread From: Serge E. Hallyn @ 2008-05-20 13:49 UTC (permalink / raw) To: Andrew Morton Cc: netdev, bugme-daemon, shahamit, Serge E. Hallyn, Andrew Morgan, Stephen Smalley Quoting Andrew Morton (akpm@linux-foundation.org): > (switched to email. Please respond via emailed reply-to-all, not via the > bugzilla web interface). > > On Mon, 19 May 2008 06:25:00 -0700 (PDT) bugme-daemon@bugzilla.kernel.org wrote: > > > http://bugzilla.kernel.org/show_bug.cgi?id=10748 > > > > Summary: dhclient fails to run; capabilities error > > Product: Networking > > Version: 2.5 > > KernelVersion: 2.6.26-rc2 > > Platform: All > > OS/Version: Linux > > Tree: Mainline > > Status: NEW > > Severity: normal > > Priority: P1 > > Component: IPV4 > > AssignedTo: shemminger@linux-foundation.org > > ReportedBy: shahamit@gmail.com > > > > > > Latest working kernel version: 2.6.25 > > Earliest failing kernel version: 2.6.26-rc1 > > Distribution: Kubuntu Hardy > > Hardware Environment: AMD > > Software Environment: > > Problem Description: On a default Kubuntu Hardy install, I fetched the git tree > > from Linus; compiled and installed the kernel. This persists even with > > 2.6.26-rc2+ (commit f26a3988917913b3d11b2bd741601a2c64ab9204) > > > > If this isn't known, I'll bisect and report the bad commit > > > > Steps to reproduce: 'sudo dhclient eth2' returns > > > > drop_privileges: could not keep capabilities: Invalid argument > > > > eth2 is an e1000e card. > > > > > > whoa, weird. Could you please run `sudo strace -f dhclient eth2' and send us > the last page or so of output? Also, please send your .config, or at least the result of grep SECURITY .config thanks, -serge ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [Bugme-new] [Bug 10748] New: dhclient fails to run; capabilities error 2008-05-20 13:49 ` Serge E. Hallyn @ 2008-05-20 13:38 ` Stephen Smalley 2008-05-20 13:58 ` Stephen Smalley 0 siblings, 1 reply; 8+ messages in thread From: Stephen Smalley @ 2008-05-20 13:38 UTC (permalink / raw) To: Serge E. Hallyn Cc: Andrew Morton, netdev, bugme-daemon, shahamit, Andrew Morgan On Tue, 2008-05-20 at 08:49 -0500, Serge E. Hallyn wrote: > Quoting Andrew Morton (akpm@linux-foundation.org): > > (switched to email. Please respond via emailed reply-to-all, not via the > > bugzilla web interface). > > > > On Mon, 19 May 2008 06:25:00 -0700 (PDT) bugme-daemon@bugzilla.kernel.org wrote: > > > > > http://bugzilla.kernel.org/show_bug.cgi?id=10748 > > > > > > Summary: dhclient fails to run; capabilities error > > > Product: Networking > > > Version: 2.5 > > > KernelVersion: 2.6.26-rc2 > > > Platform: All > > > OS/Version: Linux > > > Tree: Mainline > > > Status: NEW > > > Severity: normal > > > Priority: P1 > > > Component: IPV4 > > > AssignedTo: shemminger@linux-foundation.org > > > ReportedBy: shahamit@gmail.com > > > > > > > > > Latest working kernel version: 2.6.25 > > > Earliest failing kernel version: 2.6.26-rc1 > > > Distribution: Kubuntu Hardy > > > Hardware Environment: AMD > > > Software Environment: > > > Problem Description: On a default Kubuntu Hardy install, I fetched the git tree > > > from Linus; compiled and installed the kernel. This persists even with > > > 2.6.26-rc2+ (commit f26a3988917913b3d11b2bd741601a2c64ab9204) > > > > > > If this isn't known, I'll bisect and report the bad commit > > > > > > Steps to reproduce: 'sudo dhclient eth2' returns > > > > > > drop_privileges: could not keep capabilities: Invalid argument > > > > > > eth2 is an e1000e card. > > > > > > > > > > whoa, weird. Could you please run `sudo strace -f dhclient eth2' and send us > > the last page or so of output? > > Also, please send your .config, or at least the result of > grep SECURITY .config His .config was attached to the bugzilla. CONFIG_SECURITY=y CONFIG_SECURITY_NETWORK=y # CONFIG_SECURITY_NETWORK_XFRM is not set # CONFIG_SECURITY_CAPABILITIES is not set CONFIG_SECURITY_DEFAULT_MMAP_MIN_ADDR=0 # CONFIG_SECURITY_SELINUX is not set Which means that he is using the dummy security module. And it appears that a prior commit moved KEEPCAPS handling from core prctl() to cap_task_prctl(), but didn't replicate it in the dummy_task_prctl(). The dummy module really needs to die. -- Stephen Smalley National Security Agency ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [Bugme-new] [Bug 10748] New: dhclient fails to run; capabilities error 2008-05-20 13:38 ` Stephen Smalley @ 2008-05-20 13:58 ` Stephen Smalley 2008-05-20 14:07 ` Amit Shah 0 siblings, 1 reply; 8+ messages in thread From: Stephen Smalley @ 2008-05-20 13:58 UTC (permalink / raw) To: Serge E. Hallyn Cc: Andrew Morton, netdev, bugme-daemon, shahamit, Andrew Morgan On Tue, 2008-05-20 at 09:38 -0400, Stephen Smalley wrote: > On Tue, 2008-05-20 at 08:49 -0500, Serge E. Hallyn wrote: > > Quoting Andrew Morton (akpm@linux-foundation.org): > > > (switched to email. Please respond via emailed reply-to-all, not via the > > > bugzilla web interface). > > > > > > On Mon, 19 May 2008 06:25:00 -0700 (PDT) bugme-daemon@bugzilla.kernel.org wrote: > > > > > > > http://bugzilla.kernel.org/show_bug.cgi?id=10748 > > > > > > > > Summary: dhclient fails to run; capabilities error > > > > Product: Networking > > > > Version: 2.5 > > > > KernelVersion: 2.6.26-rc2 > > > > Platform: All > > > > OS/Version: Linux > > > > Tree: Mainline > > > > Status: NEW > > > > Severity: normal > > > > Priority: P1 > > > > Component: IPV4 > > > > AssignedTo: shemminger@linux-foundation.org > > > > ReportedBy: shahamit@gmail.com > > > > > > > > > > > > Latest working kernel version: 2.6.25 > > > > Earliest failing kernel version: 2.6.26-rc1 > > > > Distribution: Kubuntu Hardy > > > > Hardware Environment: AMD > > > > Software Environment: > > > > Problem Description: On a default Kubuntu Hardy install, I fetched the git tree > > > > from Linus; compiled and installed the kernel. This persists even with > > > > 2.6.26-rc2+ (commit f26a3988917913b3d11b2bd741601a2c64ab9204) > > > > > > > > If this isn't known, I'll bisect and report the bad commit > > > > > > > > Steps to reproduce: 'sudo dhclient eth2' returns > > > > > > > > drop_privileges: could not keep capabilities: Invalid argument > > > > > > > > eth2 is an e1000e card. > > > > > > > > > > > > > > whoa, weird. Could you please run `sudo strace -f dhclient eth2' and send us > > > the last page or so of output? > > > > Also, please send your .config, or at least the result of > > grep SECURITY .config > > His .config was attached to the bugzilla. > CONFIG_SECURITY=y > CONFIG_SECURITY_NETWORK=y > # CONFIG_SECURITY_NETWORK_XFRM is not set > # CONFIG_SECURITY_CAPABILITIES is not set > CONFIG_SECURITY_DEFAULT_MMAP_MIN_ADDR=0 > # CONFIG_SECURITY_SELINUX is not set > > Which means that he is using the dummy security module. > And it appears that a prior commit moved KEEPCAPS handling from > core prctl() to cap_task_prctl(), but didn't replicate it in > the dummy_task_prctl(). > > The dummy module really needs to die. Question for the bug reporter: did you really mean to build a kernel without capabilities support? Surprise! They don't really work when disabled. -- Stephen Smalley National Security Agency ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [Bugme-new] [Bug 10748] New: dhclient fails to run; capabilities error 2008-05-20 13:58 ` Stephen Smalley @ 2008-05-20 14:07 ` Amit Shah 2008-05-20 14:45 ` Stephen Smalley 0 siblings, 1 reply; 8+ messages in thread From: Amit Shah @ 2008-05-20 14:07 UTC (permalink / raw) To: Stephen Smalley Cc: Serge E. Hallyn, Andrew Morton, netdev, bugme-daemon, Andrew Morgan On Tue, May 20, 2008 at 7:28 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote: > > On Tue, 2008-05-20 at 09:38 -0400, Stephen Smalley wrote: >> Which means that he is using the dummy security module. >> And it appears that a prior commit moved KEEPCAPS handling from >> core prctl() to cap_task_prctl(), but didn't replicate it in >> the dummy_task_prctl(). >> >> The dummy module really needs to die. > > Question for the bug reporter: did you really mean to build a kernel > without capabilities support? Surprise! They don't really work when > disabled. No; I was just trying out some random configs. This config worked till .25 properly though. -- Amit Shah http://www.amitshah.net/ ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [Bugme-new] [Bug 10748] New: dhclient fails to run; capabilities error 2008-05-20 14:07 ` Amit Shah @ 2008-05-20 14:45 ` Stephen Smalley 2008-05-20 15:06 ` Stephen Smalley 0 siblings, 1 reply; 8+ messages in thread From: Stephen Smalley @ 2008-05-20 14:45 UTC (permalink / raw) To: Amit Shah Cc: Serge E. Hallyn, Andrew Morton, netdev, bugme-daemon, Andrew Morgan On Tue, 2008-05-20 at 19:37 +0530, Amit Shah wrote: > On Tue, May 20, 2008 at 7:28 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote: > > > > On Tue, 2008-05-20 at 09:38 -0400, Stephen Smalley wrote: > >> Which means that he is using the dummy security module. > >> And it appears that a prior commit moved KEEPCAPS handling from > >> core prctl() to cap_task_prctl(), but didn't replicate it in > >> the dummy_task_prctl(). > >> > >> The dummy module really needs to die. > > > > Question for the bug reporter: did you really mean to build a kernel > > without capabilities support? Surprise! They don't really work when > > disabled. > > No; I was just trying out some random configs. This config worked till > .25 properly though. The dummy module is generally in the untenable position of having to lie to userspace or break the existing capability-related system call interface. It should just go away, and make capability the default module (w/ stubs for the rest of the LSM hooks as with dummy). Then CONFIG_SECURITY=n will yield the same result as CONFIG_SECURITY=y w/o any further options. -- Stephen Smalley National Security Agency ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [Bugme-new] [Bug 10748] New: dhclient fails to run; capabilities error 2008-05-20 14:45 ` Stephen Smalley @ 2008-05-20 15:06 ` Stephen Smalley 0 siblings, 0 replies; 8+ messages in thread From: Stephen Smalley @ 2008-05-20 15:06 UTC (permalink / raw) To: Amit Shah Cc: Serge E. Hallyn, Andrew Morton, netdev, bugme-daemon, Andrew Morgan, lsm, Chris Wright On Tue, 2008-05-20 at 10:45 -0400, Stephen Smalley wrote: > On Tue, 2008-05-20 at 19:37 +0530, Amit Shah wrote: > > On Tue, May 20, 2008 at 7:28 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote: > > > > > > On Tue, 2008-05-20 at 09:38 -0400, Stephen Smalley wrote: > > >> Which means that he is using the dummy security module. > > >> And it appears that a prior commit moved KEEPCAPS handling from > > >> core prctl() to cap_task_prctl(), but didn't replicate it in > > >> the dummy_task_prctl(). > > >> > > >> The dummy module really needs to die. > > > > > > Question for the bug reporter: did you really mean to build a kernel > > > without capabilities support? Surprise! They don't really work when > > > disabled. > > > > No; I was just trying out some random configs. This config worked till > > .25 properly though. > > The dummy module is generally in the untenable position of having to lie > to userspace or break the existing capability-related system call > interface. It should just go away, and make capability the default > module (w/ stubs for the rest of the LSM hooks as with dummy). Then > CONFIG_SECURITY=n will yield the same result as CONFIG_SECURITY=y w/o > any further options. (cc Chris Wright and linux-security-module list) s/same result/same user-visible behavior/ -- Stephen Smalley National Security Agency ^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2008-05-20 15:06 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <bug-10748-10286@http.bugzilla.kernel.org/>
2008-05-19 18:28 ` [Bugme-new] [Bug 10748] New: dhclient fails to run; capabilities error Andrew Morton
2008-05-20 13:48 ` Amit Shah
2008-05-20 13:49 ` Serge E. Hallyn
2008-05-20 13:38 ` Stephen Smalley
2008-05-20 13:58 ` Stephen Smalley
2008-05-20 14:07 ` Amit Shah
2008-05-20 14:45 ` Stephen Smalley
2008-05-20 15:06 ` Stephen Smalley
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).