SecComp on Raspbian #6

Open
lgierth opened this Issue Mar 8, 2015 · 14 comments

8 participants
@lgierth
Member

lgierth commented Mar 8, 2015

@lgierth commented on 13 May 2014

I'll have a stack dump as soon as I find the GDB command... need to also compile an OpenWRT with GDB.

root@OpenWrt:~# /etc/init.d/cjdns start
1399952811 INFO cjdroute2.c:541 Cjdns ARM 32-bit LittleEndian linux +seccomp
1399952811 INFO cjdroute2.c:545 Checking for running instance...
1399952811 DEBUG AdminClient.c:349 Connecting to [127.0.0.1:11234]
1399952811 DEBUG UDPAddrInterface.c:289 Bound to address [0.0.0.0:57446]
1399952811 INFO cjdroute2.c:571 Forking angel to background.
1399952811 DEBUG Pipe.c:135 Buffering a message
1399952811 INFO RandomSeed.c:42 Attempting to seed random number generator
1399952811 INFO RandomSeed.c:50 Trying random seed [/dev/urandom] Success
1399952811 INFO RandomSeed.c:56 Trying random seed [sysctl(RANDOM_UUID) (Linux)] Failed
1399952811 INFO RandomSeed.c:50 Trying random seed [/proc/sys/kernel/random/uuid (Linux)] Success
1399952811 INFO RandomSeed.c:64 Seeding random number generator succeeded with [2] sources
1399952811 DEBUG Pipe.c:232 Pipe [/tmp/cjdns_pipe_client-angel-pt8g5nzbcztuyn1bl9knk14j51jw3t] established connection
1399952811 DEBUG Pipe.c:254 Sending buffered message
1399952811 DEBUG AngelInit.c:180 Getting pre-configuration from client
1399952811 DEBUG Pipe.c:232 Pipe [/tmp/cjdns_pipe_client-angel-pt8g5nzbcztuyn1bl9knk14j51jw3t] established connection
1399952811 DEBUG AngelInit.c:184 Finished getting pre-configuration from client
1399952811 INFO AngelInit.c:215 Initializing core [/usr/sbin/cjdroute]
1399952811 DEBUG AngelInit.c:219 Sending pre-configuration to core.
1399952811 DEBUG Pipe.c:135 Buffering a message
1399952811 INFO RandomSeed.c:42 Attempting to seed random number generator
1399952811 INFO RandomSeed.c:50 Trying random seed [/dev/urandom] Success
1399952811 INFO RandomSeed.c:56 Trying random seed [sysctl(RANDOM_UUID) (Linux)] Failed
1399952811 INFO RandomSeed.c:50 Trying random seed [/proc/sys/kernel/random/uuid (Linux)] Success
1399952811 INFO RandomSeed.c:64 Seeding random number generator succeeded with [2] sources
1399952811 INFO LibuvEntropyProvider.c:59 Taking clock samples every [1000]ms for random generator
1399952811 DEBUG Pipe.c:232 Pipe [/tmp/cjdns_pipe_69rhp4cspxhwgx9yt16v7hxcx063qu] established connection
1399952811 DEBUG Pipe.c:254 Sending buffered message
1399952811 DEBUG Pipe.c:232 Pipe [/tmp/cjdns_pipe_69rhp4cspxhwgx9yt16v7hxcx063qu] established connection
1399952811 DEBUG UDPAddrInterface.c:250 Binding to address [127.0.0.1:11234]
1399952811 DEBUG UDPAddrInterface.c:289 Bound to address [127.0.0.1:11234]
1399952811 DEBUG Hermes.c:180 Sending [64] bytes to angel [d5:error4:none5:admind4:bind15:127.0.0.1:11234e4:txid8:00000000e].
1399952811 DEBUG AdminClient.c:349 Connecting to [127.0.0.1:11234]
1399952811 DEBUG UDPAddrInterface.c:289 Bound to address [0.0.0.0:42717]
1399952811 INFO Configurator.c:126 Checking authorized password 0.
1399952811 INFO Configurator.c:147 Adding authorized password #[0] for user [password [0]].
1399952811 CRITICAL Configurator.c:103 Got error [Seccomp.c:296 prctl(PR_SET_SECCOMP) -> [Invalid argument]] calling [Security_dropPermissions]
1399952811 CRITICAL Configurator.c:54 enable Log_LEVEL=KEYS to see message content.
1399952812 INFO Angel.c:43 Got request to exit
1399952817 CRITICAL Configurator.c:66 Failed to stop the core.
1399952817 CRITICAL Configurator.c:68 Aborting.

@cjdelisle commented on 13 May 2014

Probably the kernel version is too old, but you still have the seccomp header files. uname -a?

@lgierth commented on 17 May 2014

Haven't found the time to look into this yet, meanwhile I'm disabling SecComp as a workaround: Seccomp_NO=1 ./do

@lgierth commented on 24 Sep 2014

Collecting possibly useful findings:

  • lkml: ARM seccomp filters and EABI/OABI
  • lkml: ARM audit, seccomp, etc are broken wrt OABI syscalls (follow-up of ^)
  • lkddb: CONFIG_OABI_COMPAT

@lgierth commented 21 days ago

Some progress in OpenWrt:

@lgierth lgierth added the bug label Mar 8, 2015

lgierth added a commit that referenced this issue Mar 13, 2015

Squashed 'doc/' changes from 0eac5ce..a46efbb
a46efbb links: add n2n protocol
0ec192c less words, more understanding, right?
08eeb1d gitboria is canonical repo, in bugs/policy
741a44f Merge pull request #6 from Erkan-Yilmaz/patch-2
33ac334 typo
5c6587c policy.md : typo
e0edc9d policy.md : begin detailing our administrative policy for hyperboria/*
097e9af README.md : notes on getting involved
23e1819 security.md : answer Erkan's question about the security of hosting cjdns on a vps
9975217 README.md : scope of this project
106710a README.md : a more descriptive readme
a75e0a1 index.md : let's keep old bug reports around so we can show our progress
f89648b reporting.md : initial guidelines for reporting bugs, someone else keep working on this plz
ba318ad Fix broken links on faq/general
f4efa9b Explain `lo` route in anatomy.md document
5adb7e7 Fix tip about running cjdroute as non-root user
ce2d0e3 license: #documentation agreed on cc-by, see old topic
3cf255b license: unless otherwise noted!
7d0e1a3 license: update to cc-by-sa 4.0, was 3.0
1e4d549 linked to the two new windows-related documents
42723a3 Added build-on-windows.md based on instructions sent to me by CultureSpy in exchange for peering
911d6fe notes/windows-firewall.md : securing your windows box, courtesy of cspy
1830276 LICENCE.txt : Creative Commons Attribution 3.0
66e107c LEGAL.md : we have a license now, yay!
b6c2cea cjdns/upcoming/iface-h.md : notes on a new pattern which will appear throughout the codebase.
e4e412d bugs/connectTo-overflow.md : detailed report on the connectTo-overflow bug.
22ae743 gsoc: move from en/notes/ to notes/
b0a0aa0 gsoc: add freifunk, dns, continuous simulations
69cfac1 achievements: 40 to 43
8e96ba0 faq/glossary.md : added 'wobsite' with relative link.
7ce9545 faq/glossary.md : added 'blag'
87c0ec2 en/notes/gsoc.md : adding draft, at larsg's request
ca2c7bc Merge branch 'master' of gitboria.com:projectmeshnet/documentation
cc55b31 achievements.md : these questions will be on the Hypeborian citizenship exam. Pay attention

git-subtree-dir: doc
git-subtree-split: a46efbb660bd368520311179d2774ac3c2c4c987

lgierth added a commit that referenced this issue Apr 14, 2015

Squashed 'doc/' changes from 0eac5ce..286e8fb
286e8fb doppleganger.md : what happens when two nodes have the same address?
53559ac index.md : point to distro quirks
42faaa5 wanted.md : point to new distro-quirks.md
38b1161 distro-quirks : OSX doesn't autopeer over ethernet, cjd and Arceliar commented why
170421e index: improve the table of contents
27e33eb readme: update subtree-merge instructions
29641fd cleanup: remove SmartOS and open-indiana docs
38e3bc6 Merge commit 'eecdf2493ed63690650d015ae9f331014e520493' into crashey
720fb2c Report firewall problem on loopback interface
3fb58e4 general.md typo, grammar, and language
7807350 Merge pull request #7 from willeponken/patch-1
c639125 Shorewall and VPN gateway using cjdns' iptunnel
2d56fa5 wanted.md : added OS specific quirks to wanted.md
429a2d1 README.md : fix these links too
fe330ae index.md : fix these links too
3de1bff wanted.md : oops, fix that link
686a5ec reporting.md : ask about which distro is in use
137e432 README.md : link to policy.md and reporting.md
83e69fa wanted.md : push some more notes to the wanted section
b9e40b3 wanted.md : link to bugs directory
7bf45fc index.md : index the bugs directory
808f12d empty commit to trigger post-receive hook
655ed26 iptunnel: fix indentation
0946a40 nyc.md : add links to nycmesh.net because they have a good site
6eee1ae faq: add chapter about EAGAIN red herring
8c3a32a faq: strip whitespace
056822e security.md : clarified misleading statements
ffdf6e9 cleanup: remove order-of-linking/compilation docs
24b3674 cleanup: remove data_structures docs
0315c99 index: update it slightly
d850ff2 cleanup: remove SmartOS and open-indiana docs
bc5de67 readme: add sections for committers and cjdns.git/doc merges
87d160a readme: update cjdns url, link prose-for-programmers
101f82d security.md : update to address cjd's concerns
0834941 functions: update Iface.h doc
2aa1cae Revert "cjdns: remove outdated upcoming/iface-h"
e5cca0d cjdns: remove outdated upcoming/iface-h
4ba0206 license: add CC-BY info to readme
33d30f6 license: remove LEGAL.md
1a6eda0 docs: remove resetAfterInactivitySeconds, pidFile, version
347eb3b Revert "doc: remove doc/ in preparation for git subtree-add"
a46efbb links: add n2n protocol
0ec192c less words, more understanding, right?
08eeb1d gitboria is canonical repo, in bugs/policy
741a44f Merge pull request #6 from Erkan-Yilmaz/patch-2
33ac334 typo
5c6587c policy.md : typo
e0edc9d policy.md : begin detailing our administrative policy for hyperboria/*
097e9af README.md : notes on getting involved
23e1819 security.md : answer Erkan's question about the security of hosting cjdns on a vps
9975217 README.md : scope of this project
106710a README.md : a more descriptive readme
a75e0a1 index.md : let's keep old bug reports around so we can show our progress
8cdc311 docs: remove resetAfterInactivitySeconds, pidFile, version
ac71b44 Revert "doc: remove doc/ in preparation for git subtree-add"
f89648b reporting.md : initial guidelines for reporting bugs, someone else keep working on this plz
ba318ad Fix broken links on faq/general
f4efa9b Explain `lo` route in anatomy.md document
5adb7e7 Fix tip about running cjdroute as non-root user
ce2d0e3 license: #documentation agreed on cc-by, see old topic
3cf255b license: unless otherwise noted!
7d0e1a3 license: update to cc-by-sa 4.0, was 3.0
1e4d549 linked to the two new windows-related documents
42723a3 Added build-on-windows.md based on instructions sent to me by CultureSpy in exchange for peering
911d6fe notes/windows-firewall.md : securing your windows box, courtesy of cspy
1830276 LICENCE.txt : Creative Commons Attribution 3.0
66e107c LEGAL.md : we have a license now, yay!
b6c2cea cjdns/upcoming/iface-h.md : notes on a new pattern which will appear throughout the codebase.
e4e412d bugs/connectTo-overflow.md : detailed report on the connectTo-overflow bug.
22ae743 gsoc: move from en/notes/ to notes/
b0a0aa0 gsoc: add freifunk, dns, continuous simulations
69cfac1 achievements: 40 to 43
8e96ba0 faq/glossary.md : added 'wobsite' with relative link.
7ce9545 faq/glossary.md : added 'blag'
87c0ec2 en/notes/gsoc.md : adding draft, at larsg's request
ca2c7bc Merge branch 'master' of gitboria.com:projectmeshnet/documentation
cc55b31 achievements.md : these questions will be on the Hypeborian citizenship exam. Pay attention

git-subtree-dir: doc
git-subtree-split: 286e8fb0efba710327f30d848008a5033e80f311

@viric

viric commented Apr 28, 2015

Fwiw, I disable seccomp on arm. So I'll keep an eye on this.

@dangowrt

dangowrt commented May 17, 2015

Fixed by dc63fc7 and b8e4baa

@dangowrt dangowrt closed this May 17, 2015

@Shnatsel

Shnatsel commented Nov 28, 2015

This bug is back as of cjdns master, commit 13189fd

Fails for me with very similar errors on Raspberry Pi 2, Jessie image:

1448739768 CRITICAL Configurator.c:107 Got error [Seccomp.c:357 prctl(PR_SET_SECCOMP) -> [Invalid argument]

uname -a output:

Linux raspberrypi 4.1.12-v7+ #824 SMP PREEMPT Wed Oct 28 16:46:35 GMT 2015 armv7l GNU/Linux

@Shnatsel

Shnatsel commented Nov 28, 2015

Needs confirmation from someone else though - my RPi can be messed up without me knowing it.

@lgierth lgierth reopened this Nov 28, 2015

@lgierth

Member

lgierth commented Nov 28, 2015

@Shnatsel can you have a look whether the kernel was built with OABI_COMPAT?

@Kubuxu

Kubuxu commented Dec 5, 2015

There is CONFIG_SECCOMP=y but no CONFIG_SECCOMP_FILTER=y which might be a cause of a problem.

Someone wants to play kernel recompilation?

@koalalorenzo

koalalorenzo commented Dec 6, 2015

I am planning to recompile the kernel during the next week! Is there any reason to report this to the Raspbian community?

@Kubuxu

Kubuxu commented Dec 6, 2015

It is a feature regression from the RPi1 kernel AFAIK. It is a rarely used feature, so: 1. they might have forgotten it, 2. they removed it deliberately. It is worth asking.

@dangowrt dangowrt changed the title from SecComp on ARM to SecComp on Raspbian Dec 13, 2015

@dangowrt

dangowrt commented Dec 13, 2015

This seems to be an issue specific to the semi-proprietary RaspberryPi kernel which ships with Raspbian, rather than a problem having anything to do with ARM in general.
The same hardware runs cjdns with seccomp e.g. using http://downloads.openwrt.org/snapshots/trunk/brcm2708/generic/ instead of Raspbian.
I thus renamed the issue to reflect that.

@Kubuxu

Kubuxu commented Jan 19, 2016

Here is the kernel config: https://github.com/raspberrypi/linux/blob/rpi-4.1.y/arch/arm/configs/bcm2709_defconfig

There is CONFIG_SECCOMP=y but no CONFIG_SECCOMP_FILTER=y which might be a cause of a problem.

It would be worth it for someone with an RPi2 to recompile Raspbian's kernel to include the second flag and check if it works; if it does, then it should be reported to Raspbian's dev team.

For now the workaround is to disable seccomp and tests using: NO_TEST=1 Seccomp_NO=1 ./do
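
Added example, not cjdns code and not from anyone in this thread: a small probe that reproduces the distinction Kubuxu describes from user space, so a Raspbian user can tell "no CONFIG_SECCOMP_FILTER" apart from a cjdns build problem before rebuilding anything. It asks the kernel for SECCOMP_MODE_FILTER with a NULL program, so no filter is ever installed and the process stays unrestricted: a kernel built with CONFIG_SECCOMP_FILTER tries to read the program and fails with EFAULT, while a kernel with only CONFIG_SECCOMP (or no seccomp at all) rejects the mode with EINVAL, which is the "Invalid argument" cjdns logs from Seccomp.c. The same EINVAL also covers lgierth's OABI_COMPAT question, since the ARM Kconfig only selects HAVE_ARCH_SECCOMP_FILTER for AEABI kernels built without OABI_COMPAT. The function names classify_seccomp_probe, probe_seccomp_filter and seccomp_probe_name are this example's own.

```c
/* Probe whether the running kernel supports seccomp filter mode
 * (CONFIG_SECCOMP_FILTER) without installing a filter.
 *
 * prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL) never succeeds: a kernel
 * with filter support copies the sock_fprog from user space first and fails
 * with EFAULT on the NULL pointer; a kernel without filter support rejects
 * the mode itself with EINVAL. Either way nothing is installed.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>

/* Value from <linux/seccomp.h>; defined here so the probe also builds on a
 * host whose headers predate seccomp filter support. */
#ifndef SECCOMP_MODE_FILTER
#define SECCOMP_MODE_FILTER 2
#endif

enum seccomp_probe_result {
    SECCOMP_FILTER_UNSUPPORTED = 0, /* EINVAL: no CONFIG_SECCOMP_FILTER (or no seccomp) */
    SECCOMP_FILTER_SUPPORTED = 1,   /* EFAULT: mode accepted, NULL program rejected */
    SECCOMP_PROBE_UNKNOWN = 2       /* anything else, e.g. an outer sandbox blocking prctl */
};

/* Pure classification of (return value, errno) so it can be tested without
 * depending on the kernel the test happens to run on. */
enum seccomp_probe_result classify_seccomp_probe(int rc, int err)
{
    if (rc == -1 && err == EFAULT)
        return SECCOMP_FILTER_SUPPORTED;
    if (rc == -1 && err == EINVAL)
        return SECCOMP_FILTER_UNSUPPORTED;
    /* rc == 0 cannot happen with a NULL program, and EPERM/EACCES would come
     * from an outer sandbox or LSM, so report those as inconclusive. */
    return SECCOMP_PROBE_UNKNOWN;
}

/* Run the probe against the live kernel. Safe to call from any process:
 * the kernel never reaches the point of attaching a program. */
enum seccomp_probe_result probe_seccomp_filter(void)
{
    int rc;
    errno = 0;
    rc = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
    return classify_seccomp_probe(rc, errno);
}

const char *seccomp_probe_name(enum seccomp_probe_result r)
{
    switch (r) {
    case SECCOMP_FILTER_SUPPORTED:   return "supported (EFAULT)";
    case SECCOMP_FILTER_UNSUPPORTED: return "unsupported (EINVAL)";
    default:                         return "unknown";
    }
}

int main(void)
{
    enum seccomp_probe_result r = probe_seccomp_filter();
    printf("seccomp filter mode: %s\n", seccomp_probe_name(r));
    /* Exit status lets a build script decide whether Seccomp_NO=1 is needed. */
    return r == SECCOMP_FILTER_SUPPORTED ? 0 : 1;
}
```

On a kernel where the probe reports "unsupported", the config can be confirmed directly where the kernel exposes it: grep CONFIG_SECCOMP, CONFIG_SECCOMP_FILTER and CONFIG_OABI_COMPAT in /proc/config.gz (Raspberry Pi kernels ship it as the configs module) or in /boot/config-$(uname -r), which is the check lgierth asked for above.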

@perguth

perguth commented Feb 5, 2017

Problem still persists with RaspberryPi 3 B: Linux raspberrypi 4.4.38-v7+ #938 SMP Thu Dec 15 15:22:21 GMT 2016 armv7l GNU/Linux.

Using NO_TEST=1 Seccomp_NO=1 ./do it works.

@ansuz

Member

ansuz commented Feb 6, 2017

@pguth, consider making a PR to https://github.com/cjdelisle/cjdns/tree/master/doc/install for a raspbian guide.

@perguth

perguth commented Feb 11, 2017

@ansuz Ok, did that: cjdelisle#1028
