kernel security test failures on Trusty arm64

Bug #1630000 reported by Brad Figg
Affects                 Status   Importance  Assigned to  Milestone
QA Regression Testing   Invalid  Undecided   Unassigned

Bug Description

While trying to run the kernel security tests on the latest Trusty SRU kernel (3.13.0-97.144):

utils:0153| [stderr] test_000_make (__main__.KernelSecurityTest)
utils:0153| [stderr] Prepare to build helper tools ... ok
utils:0153| [stderr] test_010_proc_maps (__main__.KernelSecurityTest)
utils:0153| [stderr] /proc/$pid/maps is correctly protected (CVE-2013-2929) ... ok
utils:0153| [stderr] test_020_aslr_00_proc (__main__.KernelSecurityTest)
utils:0153| [stderr] ASLR enabled ... ok
utils:0153| [stderr] test_020_aslr_dapper_stack (__main__.KernelSecurityTest)
utils:0153| [stderr] ASLR of stack ... FAIL
utils:0153| [stderr] test_021_aslr_dapper_libs (__main__.KernelSecurityTest)
utils:0153| [stderr] ASLR of libs ... FAIL
utils:0153| [stderr] test_021_aslr_dapper_mmap (__main__.KernelSecurityTest)
utils:0153| [stderr] ASLR of mmap ... FAIL
utils:0153| [stderr] test_022_aslr_hardy_text (__main__.KernelSecurityTest)
utils:0153| [stderr] ASLR of text ... FAIL
utils:0153| [stderr] test_022_aslr_hardy_vdso (__main__.KernelSecurityTest)
utils:0153| [stderr] ASLR of vdso ... FAIL
utils:0153| [stderr] test_022_aslr_intrepid_brk (__main__.KernelSecurityTest)
utils:0153| [stderr] ASLR of brk ... FAIL
utils:0153| [stderr] test_023_aslr_wily_pie (__main__.KernelSecurityTest)
utils:0153| [stderr] ASLR of text vs libs ... ok
utils:0153| [stderr] test_025_kaslr (__main__.KernelSecurityTest)
utils:0153| [stderr] kernel ASLR enabled ... ok
utils:0153| [stderr] test_030_mmap_min (__main__.KernelSecurityTest)
utils:0153| [stderr] Low memory allocation respects mmap_min_addr ... ok
utils:0153| [stderr] test_031_apparmor (__main__.KernelSecurityTest)
utils:0153| [stderr] AppArmor loaded ... ok
utils:0153| [stderr] test_031_seccomp (__main__.KernelSecurityTest)
utils:0153| [stderr] PR_SET_SECCOMP works ... ok
utils:0153| [stderr] test_032_dev_kmem (__main__.KernelSecurityTest)
utils:0153| [stderr] /dev/kmem not available ... ok
utils:0153| [stderr] test_033_syn_cookies (__main__.KernelSecurityTest)
utils:0153| [stderr] SYN cookies is enabled ... ok
utils:0153| [stderr] test_040_pcaps (__main__.KernelSecurityTest)
utils:0153| [stderr] init's CAPABILITY list is clean ... ok
utils:0153| [stderr] test_050_personality (__main__.KernelSecurityTest)
utils:0153| [stderr] init missing READ_IMPLIES_EXEC ... FAIL
utils:0153| [stderr] test_060_nx (__main__.KernelSecurityTest)
utils:0153| [stderr] NX bit is working ... ok
utils:0153| [stderr] test_061_guard_page (__main__.KernelSecurityTest)
utils:0153| [stderr] Userspace stack guard page exists (CVE-2010-2240) ... ok
utils:0153| [stderr] test_070_config_brk (__main__.KernelSecurityTest)
utils:0153| [stderr] CONFIG_COMPAT_BRK disabled ... ok
utils:0153| [stderr] test_070_config_devkmem (__main__.KernelSecurityTest)
utils:0153| [stderr] CONFIG_DEVKMEM disabled ... ok
utils:0153| [stderr] test_070_config_seccomp (__main__.KernelSecurityTest)
utils:0153| [stderr] CONFIG_SECCOMP enabled ... ok
utils:0153| [stderr] test_070_config_security (__main__.KernelSecurityTest)
utils:0153| [stderr] CONFIG_SECURITY enabled ... ok
utils:0153| [stderr] test_070_config_security_selinux (__main__.KernelSecurityTest)
utils:0153| [stderr] CONFIG_SECURITY_SELINUX enabled ... ok
utils:0153| [stderr] test_070_config_syn_cookies (__main__.KernelSecurityTest)
utils:0153| [stderr] CONFIG_SYN_COOKIES enabled ... ok
utils:0153| [stderr] test_072_config_compat_vdso (__main__.KernelSecurityTest)
utils:0153| [stderr] CONFIG_COMPAT_VDSO disabled ... ok
utils:0153| [stderr] test_072_config_debug_rodata (__main__.KernelSecurityTest)
utils:0153| [stderr] CONFIG_DEBUG_RODATA enabled ... FAIL
utils:0153| [stderr] test_072_config_debug_set_module_ronx (__main__.KernelSecurityTest)
utils:0153| [stderr] CONFIG_DEBUG_SET_MODULE_RONX enabled ... ok
utils:0153| [stderr] test_072_config_security_apparmor (__main__.KernelSecurityTest)
utils:0153| [stderr] CONFIG_SECURITY_APPARMOR enabled ... ok
utils:0153| [stderr] test_072_config_strict_devmem (__main__.KernelSecurityTest)
utils:0153| [stderr] CONFIG_STRICT_DEVMEM enabled ... ok
utils:0153| [stderr] test_072_strict_devmem (__main__.KernelSecurityTest)
utils:0153| [stderr] /dev/mem unreadable for kernel memory ... FAIL
utils:0153| [stderr] test_073_config_security_file_capabilities (__main__.KernelSecurityTest)
utils:0153| [stderr] CONFIG_SECURITY_FILE_CAPABILITIES enabled ... ok
utils:0153| [stderr] test_073_config_security_smack (__main__.KernelSecurityTest)
utils:0153| [stderr] CONFIG_SECURITY_SMACK enabled ... ok
utils:0153| [stderr] test_073_config_security_tomoyo (__main__.KernelSecurityTest)
utils:0153| [stderr] CONFIG_SECURITY_TOMOYO enabled ... ok
utils:0153| [stderr] test_074_config_security_default_mmap_min_addr (__main__.KernelSecurityTest)
utils:0153| [stderr] CONFIG_DEFAULT_MMAP_MIN_ADDR ... ok
utils:0153| [stderr] test_075_config_stack_protector (__main__.KernelSecurityTest)
utils:0153| [stderr] CONFIG_CC_STACKPROTECTOR set ... FAIL
utils:0153| [stderr] test_076_config_security_acl_ext3 (__main__.KernelSecurityTest)
utils:0153| [stderr] CONFIG_EXT3_FS_SECURITY set (LP: #1295948) ... ok
utils:0153| [stderr] test_076_config_security_acl_ext4 (__main__.KernelSecurityTest)
utils:0153| [stderr] CONFIG_EXT4_FS_SECURITY set (LP: #1295948) ... ok
utils:0153| [stderr] test_077_config_security_ecryptfs (__main__.KernelSecurityTest)
utils:0153| [stderr] CONFIG_ECRYPT_FS is set ... ok
utils:0153| [stderr] test_077_config_security_ipsec (__main__.KernelSecurityTest)
utils:0153| [stderr] Config options for IPsec ... ok
utils:0153| [stderr] test_082_stack_guard_kernel (__main__.KernelSecurityTest)
utils:0153| [stderr] Kernel stack guard ... FAIL
utils:0153| [stderr] test_090_module_blocking (__main__.KernelSecurityTest)
utils:0153| [stderr] Sysctl to disable module loading exists ... ok
utils:0153| [stderr] test_091_symlink_following_in_sticky_directories (__main__.KernelSecurityTest)
utils:0153| [stderr] Symlinks not followable across differing uids in sticky directories ... ok
utils:0153| [stderr] test_092_hardlink_restriction (__main__.KernelSecurityTest)
utils:0153| [stderr] Hardlink disallowed for unreadable/unwritable sources ... ok
utils:0153| [stderr] test_093_ptrace_restriction (__main__.KernelSecurityTest)
utils:0153| [stderr] ptrace allowed only on children or declared processes ... ok
utils:0153| [stderr] test_093_ptrace_restriction_extras (__main__.KernelSecurityTest)
utils:0153| [stderr] ptrace from thread on tracee that used prctl(PR_SET_PTRACER) ... ok
utils:0153| [stderr] test_093_ptrace_restriction_parent_via_thread (__main__.KernelSecurityTest)
utils:0153| [stderr] prctl(PR_SET_PTRACER) works from threads (LP: #729839) ... ok
utils:0153| [stderr] test_094_rare_net_autoload (__main__.KernelSecurityTest)
utils:0153| [stderr] rare network modules do not autoload ... ok
utils:0153| [stderr] test_095_kernel_symbols_acl (__main__.KernelSecurityTest)
utils:0153| [stderr] /proc/sys/kernel/kptr_restrict is enabled ... ok
utils:0153| [stderr] test_095_kernel_symbols_missing (__main__.KernelSecurityTest)
utils:0153| [stderr] kernel addresses in kallsyms and modules are zeroed out ... ok
utils:0153| [stderr] test_096_boot_symbols_unreadable (__main__.KernelSecurityTest)
utils:0153| [stderr] kernel addresses in /boot are not world readable ... ok
utils:0153| [stderr] test_096_proc_entries_unreadable (__main__.KernelSecurityTest)
utils:0153| [stderr] sensitive files in /proc are not world readable ... ok
utils:0153| [stderr] test_100_keep_acpi_method_disabled (__main__.KernelSecurityTest)
utils:0153| [stderr] /sys/kernel/debug/acpi/custom_method stays disabled ... ok
utils:0153| [stderr] test_101_proc_fd_leaks (__main__.KernelSecurityTest)
utils:0153| [stderr] /proc/$pid/ DAC bypass on setuid (CVE-2011-1020) ... ok
utils:0153| [stderr] test_110_seccomp_filter (__main__.KernelSecurityTest)
utils:0153| [stderr] seccomp_filter works ... ok
utils:0153| [stderr] test_120_smep_works (__main__.KernelSecurityTest)
utils:0153| [stderr] SMEP works ... ok
utils:0153| [stderr] test_130_kexec_disabled_00_proc (__main__.KernelSecurityTest)
utils:0153| [stderr] kexec_disabled sysctl supported ... ok
utils:0153| [stderr] test_140_kernel_modules_not_tainted (__main__.KernelSecurityTest)
utils:0153| [stderr] kernel modules are not marked with a taint flag (especially 'E' for TAINT_UNSIGNED_MODULE) ... FAIL
utils:0153| [stderr] test_150_privileged_user_namespaces (__main__.KernelSecurityTest)
utils:0153| [stderr] test whether user namespaces work at all (with root) ... ok
utils:0153| [stderr] test_150_sysctl_disables_unpriv_userns (__main__.KernelSecurityTest)
utils:0153| [stderr] unprivileged_userns_clone sysctl supported ... ok
utils:0153| [stderr] test_150_unprivileged_user_namespaces (__main__.KernelSecurityTest)
utils:0153| [stderr] test whether user namespaces work as unprivileged user ... ok
utils:0153| [stderr] test_151_sysctl_disables_bpf_unpriv_userns (__main__.KernelSecurityTest)
utils:0153| [stderr] unprivileged_bpf_disabled sysctl supported ... ok
utils:0153| [stderr] test_152_sysctl_disables_apparmor_unpriv_userns (__main__.KernelSecurityTest)
utils:0153| [stderr] unprivileged_userns_apparmor_policy sysctl supported ... ok

Po-Hsu Lin (cypressyew) wrote :

In this cycle (3.13.0-111.158), the failed test cases are a bit different:

test_021_aslr_dapper_libs (__main__.KernelSecurityTest)
ASLR of libs ... FAIL
test_021_aslr_dapper_mmap (__main__.KernelSecurityTest)
ASLR of mmap ... FAIL
test_022_aslr_hardy_vdso (__main__.KernelSecurityTest)
ASLR of vdso ... FAIL
test_050_personality (__main__.KernelSecurityTest)
init missing READ_IMPLIES_EXEC ... FAIL
test_072_config_debug_rodata (__main__.KernelSecurityTest)
CONFIG_DEBUG_RODATA enabled ... FAIL
test_072_strict_devmem (__main__.KernelSecurityTest)
/dev/mem unreadable for kernel memory ... FAIL
test_075_config_stack_protector (__main__.KernelSecurityTest)
CONFIG_CC_STACKPROTECTOR set ... FAIL
test_082_stack_guard_kernel (__main__.KernelSecurityTest)
Kernel stack guard ... FAIL
test_140_kernel_modules_not_tainted (__main__.KernelSecurityTest)
kernel modules are not marked with a taint flag (especially 'E' for TAINT_UNSIGNED_MODULE) ... FAIL

Full log: http://pastebin.ubuntu.com/24099998/
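
Added example (not part of the original report or of the qa-regression-testing suite): a small Python script that parses the unittest verbose output in both formats shown on this page and diffs the failing sets between the two kernel cycles. The sample logs are shortened excerpts of the logs above, and a test absent from the newer log is assumed to be no longer failing, since that comment lists failures only.

```python
import re

PREFIX = re.compile(r"^\S+\|\s*\[stderr\]\s*")  # "utils:0153| [stderr] " prefix of the first log
HEADER = re.compile(r"^(test_\w+) \(\S+\)(?: \.\.\. (\S+).*)?$")
RESULT = re.compile(r"^(.*?) \.\.\. (ok|FAIL|ERROR|skipped|expected failure)\b")

def parse_results(log):
    """Map test id -> status from unittest verbose output (one- or two-line form)."""
    results, pending = {}, None
    for raw in log.splitlines():
        line = PREFIX.sub("", raw.strip())
        m = HEADER.match(line)
        if m:
            pending = m.group(1)
            if m.group(2):  # no docstring: id and status share one line
                results[pending], pending = m.group(2), None
            continue
        m = RESULT.match(line)
        if m and pending:  # docstring line carrying the status of the pending id
            results[pending], pending = m.group(2), None
    return results

def compare(old_log, new_log):
    """Diff the FAIL/ERROR sets of two runs of the same suite."""
    bad = lambda log: {t for t, s in parse_results(log).items() if s in ("FAIL", "ERROR")}
    old, new = bad(old_log), bad(new_log)
    return {"no_longer_failing": sorted(old - new),
            "still_failing": sorted(old & new),
            "newly_failing": sorted(new - old)}

# Shortened excerpts of the two logs on this page (3.13.0-97.144, then 3.13.0-111.158).
OLD = """\
utils:0153| [stderr] test_020_aslr_dapper_stack (__main__.KernelSecurityTest)
utils:0153| [stderr] ASLR of stack ... FAIL
utils:0153| [stderr] test_021_aslr_dapper_libs (__main__.KernelSecurityTest)
utils:0153| [stderr] ASLR of libs ... FAIL
utils:0153| [stderr] test_022_aslr_intrepid_brk (__main__.KernelSecurityTest)
utils:0153| [stderr] ASLR of brk ... FAIL
utils:0153| [stderr] test_023_aslr_wily_pie (__main__.KernelSecurityTest)
utils:0153| [stderr] ASLR of text vs libs ... ok
"""
NEW = """\
test_021_aslr_dapper_libs (__main__.KernelSecurityTest)
ASLR of libs ... FAIL
"""

if __name__ == "__main__":
    print(compare(OLD, NEW))
```

Feeding it the two full logs instead of the excerpts gives the complete per-cycle difference; a non-empty `newly_failing` list is the one that needs triage first.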

Po-Hsu Lin (cypressyew) wrote :

Closing this bug as all the failures have been addressed individually.

Changed in qa-regression-testing:
status: New → Invalid