getrandom() syscall returning EPERM makes the system unusable. #72142
On QNAP's Linux Station (lxc based virtual environment), getrandom() syscall returns EPERM not ENOSYS when it's not available. (HOST) uname -a (HOST) /lib64/libc-2.19.so (LXC) uname -a (LXC) /lib/x86_64-linux-gnu/libc.so.6 (LXC)
long n = syscall(SYS_getrandom, buffer, sizeof(buffer), flags);
printf("SYS_getrandom: %ld (%d)\n", n, errno);
=>
SYS_getrandom: -1 (1)

Proper fallback to /dev/urandom is not happening in this case, so most Python apps calling the getrandom function fail. This includes apt, command-not-found etc.
Did you open a bug with your vendor, too? QNAP is clearly violating Kernel APIs. getrandom() is not supposed to fail with EPERM. Valid errnos are EINVAL, EFAULT, EAGAIN and EINTR. http://man7.org/linux/man-pages/man2/getrandom.2.html
I did not report this to QNAP yet, but there's already a thread on their forum.
So preparing for these return values is meaningful not only for QNAP users.
I'm ok to fall back on reading the /dev/urandom device when getrandom() is
With bpo-27778 implemented, there's also the question of how os.getrandom() will react to security policies that restrict access to the getrandom syscalls (vs just not having it available in the kernel).
New changeset 41e9e711b9b5 by Victor Stinner in branch '3.5':
New changeset ddc54f08bdfa by Victor Stinner in branch '3.5':
New changeset 27d05bb6f832 by Victor Stinner in branch '3.6':
I modified Python 3.5, 3.6 and 3.7 to fall back on reading /dev/urandom when getrandom() syscall fails with EPERM. Thanks for the bug report iwings!

Note: Python 2.7 does not use getrandom() and so is not impacted.

Christian:
I don't know if it can be seen as a violation of the Kernel API, but at least, it doesn't seem to be something smart to block getrandom() syscall. getrandom() was designed to enhance the security of applications ;-)

Nick:
This is no question: os.getrandom() of Python 3.6 is a thin wrapper on the syscall. If the syscall fails, the Python function raises an exception ;-) OSError(EPERM) in this case.