getrandom() syscall returning EPERM make the system unusable.

[iwings]

BPO	27955
Nosy	@ncoghlan, @vstinner, @tiran
PRs	[Do Not Merge] Convert Misc/NEWS so that it is managed by towncrier #552
Files	random.diff

^{Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.}

Show more details

GitHub fields:

assignee = None
closed_at = <Date 2016-09-20.20:56:29.585>
created_at = <Date 2016-09-05.13:25:37.693>
labels = ['type-bug', '3.7']
title = 'getrandom() syscall returning EPERM make the system unusable.'
updated_at = <Date 2017-03-31.16:36:06.996>
user = 'https://bugs.python.org/iwings'

bugs.python.org fields:

activity = <Date 2017-03-31.16:36:06.996>
actor = 'dstufft'
assignee = 'none'
closed = True
closed_date = <Date 2016-09-20.20:56:29.585>
closer = 'vstinner'
components = []
creation = <Date 2016-09-05.13:25:37.693>
creator = 'iwings'
dependencies = []
files = ['44371']
hgrepos = []
issue_num = 27955
keywords = ['patch']
message_count = 7.0
messages = ['274399', '274401', '274404', '274405', '274744', '277064', '277065']
nosy_count = 5.0
nosy_names = ['ncoghlan', 'vstinner', 'christian.heimes', 'python-dev', 'iwings']
pr_nums = ['552']
priority = 'normal'
resolution = 'fixed'
stage = None
status = 'closed'
superseder = None
type = 'behavior'
url = 'https://bugs.python.org/issue27955'
versions = ['Python 3.5', 'Python 3.6', 'Python 3.7']

[iwings]

On QNAP's Linux Station (lxc based virtual environment), getrandom() syscall returns EPERM not ENOSYS when it's not available.

(HOST) uname -a
Linux ******-NAS 3.12.6 #1 SMP Thu Sep 1 00:57:44 CST 2016 x86_64 unknown

(HOST) /lib64/libc-2.19.so
GNU C Library (Ubuntu EGLIBC 2.19-0ubuntu6.6) stable release version 2.19, by Roland McGrath et al.

(LXC) uname -a
Linux ubuntu_1604 3.12.6 #1 SMP Thu Sep 1 00:57:44 CST 2016 x86_64 x86_64 x86_64 GNU/Linux

(LXC) /lib/x86_64-linux-gnu/libc.so.6
GNU C Library (Ubuntu GLIBC 2.23-0ubuntu3) stable release version 2.23, by Roland McGrath et al.

(LXC)
long n = syscall(SYS_getrandom, buffer, sizeof(buffer), flags);
printf("SYS_getrandom: %ld (%d)\n", n, errno);
=> 
SYS_getrandom: -1 (1)

Proper fall back to /dev/urandom is not happening in this case, so most python app calling getrandom function fails. This includes apt, command-not-found etc.

[tiran]

Did you open a bug with your vendor, too? QNAP is clearly violating Kernel APIs. getrandom() is not suppose to fail with EPERM. Valid errnos are EINVAL, EFAULT, EAGAIN and EINTR. http://man7.org/linux/man-pages/man2/getrandom.2.html

[iwings]

I did not report this to QNAP yet. but there's already a thread on their forum.
https://forum.qnap.com/viewtopic.php?t=124650 (registration required)

• ENOSYS is not listed in that man page, but it occurs.
• EPERM is not listed in that man page, but it can be returned if seccomp filters getrandom() syscall for example.

So preparing for these return values are meaningful not only for QNAP users.

[vstinner]

I'm ok to fallback on read /dev/urandom device when getrandom() is
blocked by a stupid security policy :-)

[ncoghlan]

With bpo-27778 implemented, there's also the question of how os.getrandom() will react to security policies that restrict access to the getrandom syscalls (vs just not having it available in the kernel).

[python-dev]

New changeset 41e9e711b9b5 by Victor Stinner in branch '3.5':
Cleanup random.c
https://hg.python.org/cpython/rev/41e9e711b9b5

New changeset ddc54f08bdfa by Victor Stinner in branch '3.5':
Catch EPERM error in py_getrandom()
https://hg.python.org/cpython/rev/ddc54f08bdfa

New changeset 27d05bb6f832 by Victor Stinner in branch '3.6':
(Merge 3.5) Catch EPERM error in py_getrandom()
https://hg.python.org/cpython/rev/27d05bb6f832

[vstinner]

I modified Python 3.5, 3.6 and 3.7 to fall back on reading /dev/urandom when getrandom() syscall fails with EPERM.

Thanks for the bug report iwings!

Note: Python 2.7 does not use getrandom() and so is not impacted.

Christian:

Did you open a bug with your vendor, too? QNAP is clearly violating Kernel APIs. getrandom() is not suppose to fail with EPERM.

I don't know if it can be seen as a violation of the Kernel API, but at least, it doesn't seem to be something smart to block getrandom() syscall. getrandom() was designed to enhance the security of applications ;-)

Nick:

With bpo-27778 implemented, there's also the question of how os.getrandom() will react to security policies that restrict access to the getrandom syscalls (vs just not having it available in the kernel).

This is no question: os.getrandom() of Python 3.6 is a thin wrapper on the syscall. If the syscall fails, the Python function raises an exception ;-) OSError(EPERM) on this case.