From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from gnu.wildebeest.org (gnu.wildebeest.org [45.83.234.184]) by sourceware.org (Postfix) with ESMTPS id A1C0F386F0F9 for ; Mon, 27 Jun 2022 09:50:20 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org A1C0F386F0F9 Authentication-Results: sourceware.org; dmarc=none (p=none dis=none) header.from=klomp.org Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=klomp.org Received: from tarox.wildebeest.org (83-87-18-245.cable.dynamic.v4.ziggo.nl [83.87.18.245]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by gnu.wildebeest.org (Postfix) with ESMTPSA id 80D8C30005B6; Mon, 27 Jun 2022 11:50:19 +0200 (CEST) Received: by tarox.wildebeest.org (Postfix, from userid 1000) id 3996B4000C41; Mon, 27 Jun 2022 11:50:19 +0200 (CEST) Message-ID: <6fae45d84c7a5cd7e88aab3898c5597809742422.camel@klomp.org> Subject: Re: [PATCH 2/4] tst-pkey.c: Handle no permission to alloc memory protection keys From: Mark Wielaard To: Florian Weimer Cc: libc-alpha@sourceware.org Date: Mon, 27 Jun 2022 11:50:19 +0200 In-Reply-To: <87letjnmz6.fsf@mid.deneb.enyo.de> References: <20220626205915.33201-1-mark@klomp.org> <20220626205915.33201-3-mark@klomp.org> <87letjnmz6.fsf@mid.deneb.enyo.de> Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Mailer: Evolution 3.28.5 (3.28.5-10.el7) Mime-Version: 1.0 X-Spam-Status: No, score=-11.8 required=5.0 tests=BAYES_00, GIT_PATCH_0, JMQ_SPF_NEUTRAL, KAM_DMARC_STATUS, SPF_HELO_NONE, SPF_PASS, TXREP, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org X-BeenThere: libc-alpha@sourceware.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Libc-alpha mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 27 Jun 2022 09:50:22 -0000 Hi Florian, On Sun, 2022-06-26 at 23:17 +0200, Florian Weimer wrote: > * Mark Wielaard: >=20 > > pkey_alloc might fail with errno EPERM if there is no permission > > to allocate memory protection keys. Use FAIL_UNSUPPORTED in that > > case. > > --- > > sysdeps/unix/sysv/linux/tst-pkey.c | 3 +++ > > 1 file changed, 3 insertions(+) > >=20 > > diff --git a/sysdeps/unix/sysv/linux/tst-pkey.c > > b/sysdeps/unix/sysv/linux/tst-pkey.c > > index df51f695bc..48a20fa3e0 100644 > > --- a/sysdeps/unix/sysv/linux/tst-pkey.c > > +++ b/sysdeps/unix/sysv/linux/tst-pkey.c > > @@ -203,6 +203,9 @@ do_test (void) > > FAIL_UNSUPPORTED > > ("no keys available or kernel does not support memory" > > " protection keys"); > > + if (errno =3D=3D EPERM) > > + FAIL_UNSUPPORTED > > + ("no permission to alloc memory protection keys"); > > FAIL_EXIT1 ("pkey_alloc: %m"); > > } > > TEST_COMPARE (pkey_get (keys[0]), 0); >=20 > It's rather weird to restrict access to a hardening tool. Is this in > a container, and is the container tool reasonably up to date? They > should all have switchted to ENOSYS for reducing the system call > profile. It is reasonably up to date. This is a container based on Fedora 36 packages running under Fedora CoreOS stable (36.20220605.3.0, Release Date: Jun 20, 2022) with moby-engine20.10.16. You are thinking of the fix to set errno to ENOSYS for syscalls that are "unknown". That is a syscall number higher than any syscall number mentioned in the seccomp filter. But the pkey calls are simply not mentioned in the default seccomp filter. And newer syscalls are listed. So this (EPERM) is the default errno returned in such cases till the pkey calls are in the default seccomp profile. https://github.com/moby/moby/issues/43481 https://github.com/moby/moby/issues/42871 In general I think if we detect pkey_alloc fails we should not try to test and/or FAIL the pkey tests but simply mark it as UNSUPPORTED. Whether we believe the errno value really should be ENOSYS, ENOSPC or EINVAL. It isn't really that helpful to explicitly FAIL on EPERM. Sadly this issue will be with us for a long time. Cheers, Mark