debcrafters-packages team mailing list archive
Message #02795
[Bug 2115346] [NEW] test-sysctl-defaults fails on armhf
Public bug reported:
On armhf only, the expected value for vm.max_map_count does not match
what is expected. No drop-in is shown that conflicts with procps's
defaults (see test output below).
However, since armhf autopkgtests run in containers, not all sysctls are
writable from the container anyway (including vm.max_map_count). Hence,
this test should either be xfail, or the sysctl-defaults test should
have isolation-machine instead.
522s autopkgtest [21:13:52]: test sysctl-defaults: /usr/lib/systemd/systemd-sysctl --cat-config && pytest debian/tests/test_sysctl_defaults.py
522s autopkgtest [21:13:52]: test sysctl-defaults: [-----------------------
524s # /usr/lib/sysctl.d/10-apparmor.conf
524s # AppArmor restrictions of unprivileged user namespaces
524s
524s # Allows to restrict the use of unprivileged user namespaces to applications
524s # which have an AppArmor profile loaded which specifies the userns
524s # permission. All other applications (whether confined by AppArmor or not) will
524s # be denied the use of unprivileged user namespaces.
524s #
524s # See
524s # https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction
524s # https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_unconfined
524s #
524s # If it is desired to disable this restriction, it is preferable to create an
524s # additional file named /etc/sysctl.d/20-apparmor.conf which will override this
524s # current file and sets this value to 0 rather than editing this current file
524s kernel.apparmor_restrict_unprivileged_userns = 1
524s kernel.apparmor_restrict_unprivileged_unconfined = 1
524s
524s # /usr/lib/sysctl.d/10-coredump-debian.conf
524s kernel.core_pattern=core
524s
524s # /usr/lib/sysctl.d/55-bufferbloat.conf
524s # The Fair Queue CoDel packet scheduler is an across the board improvement to
524s # the default pfifo_fast qdisc. It reduces bottleneck delays, provides accurate
524s # RTT estimates to elephant TCP flows, and still allows shorter (sparser) flows
524s # like DNS, ARP, SYN, routing, etc packets priority access. For technical
524s # details, refer to https://www.bufferbloat.net/projects/codel/wiki/
524s #
524s # To fight bufferbloat, set it as the default qdisc in Ubuntu.
524s -net.core.default_qdisc = fq_codel
524s
524s # /usr/lib/sysctl.d/55-console-messages.conf
524s
524s # the following stops low-level messages on console
524s kernel.printk = 4 4 1 7
524s
524s # /usr/lib/sysctl.d/55-ipv6-privacy.conf
524s # IPv6 Privacy Extensions (RFC 4941)
524s # ---
524s # IPv6 typically uses a device's MAC address when choosing an IPv6 address
524s # to use in autoconfiguration. Privacy extensions allow using a randomly
524s # generated IPv6 address, which increases privacy.
524s #
524s # Acceptable values:
524s # 0 - don’t use privacy extensions.
524s # 1 - generate privacy addresses
524s # 2 - prefer privacy addresses and use them over the normal addresses.
524s net.ipv6.conf.all.use_tempaddr = 2
524s net.ipv6.conf.default.use_tempaddr = 2
524s
524s # /usr/lib/sysctl.d/55-kernel-hardening.conf
524s # These settings are specific to hardening the kernel itself from attack
524s # from userspace, rather than protecting userspace from other malicious
524s # userspace things.
524s #
524s #
524s # When an attacker is trying to exploit the local kernel, it is often
524s # helpful to be able to examine where in memory the kernel, modules,
524s # and data structures live. As such, kernel addresses should be treated
524s # as sensitive information.
524s #
524s # Many files and interfaces contain these addresses (e.g. /proc/kallsyms,
524s # /proc/modules, etc), and this setting can censor the addresses. A value
524s # of "0" allows all users to see the kernel addresses. A value of "1"
524s # limits visibility to the root user, and "2" blocks even the root user.
524s kernel.kptr_restrict = 1
524s
524s # Access to the kernel log buffer can be especially useful for an attacker
524s # attempting to exploit the local kernel, as kernel addresses and detailed
524s # call traces are frequently found in kernel oops messages. Setting
524s # dmesg_restrict to "0" allows all users to view the kernel log buffer,
524s # and setting it to "1" restricts access to those with CAP_SYSLOG.
524s #
524s # dmesg_restrict defaults to 1 via CONFIG_SECURITY_DMESG_RESTRICT, only
524s # uncomment the following line to disable.
524s # kernel.dmesg_restrict = 0
524s
524s # /usr/lib/sysctl.d/55-magic-sysrq.conf
524s # The magic SysRq key enables certain keyboard combinations to be
524s # interpreted by the kernel to help with debugging. The kernel will respond
524s # to these keys regardless of the current running applications.
524s #
524s # In general, the magic SysRq key is not needed for the average Ubuntu
524s # system, and having it enabled by default can lead to security issues on
524s # the console such as being able to dump memory or to kill arbitrary
524s # processes including the running screen lock.
524s #
524s # Here is the list of possible values:
524s # 0 - disable sysrq completely
524s # 1 - enable all functions of sysrq
524s # >1 - enable certain functions by adding up the following values:
524s # 2 - enable control of console logging level
524s # 4 - enable control of keyboard (SAK, unraw)
524s # 8 - enable debugging dumps of processes etc.
524s # 16 - enable sync command
524s # 32 - enable remount read-only
524s # 64 - enable signalling of processes (term, kill, oom-kill)
524s # 128 - allow reboot/poweroff
524s # 256 - allow nicing of all RT tasks
524s #
524s # For example, to enable both control of console logging level and
524s # debugging dumps of processes: kernel.sysrq = 10
524s #
524s kernel.sysrq = 176
524s
524s # /usr/lib/sysctl.d/55-map-count.conf
524s # Increase the number of virtual memory areas that one process may request
524s # https://bugs.launchpad.net/ubuntu/+source/procps/+bug/2057792
524s vm.max_map_count=1048576
524s
524s # /usr/lib/sysctl.d/55-network-security.conf
524s
524s # Turn on Source Address Verification in all interfaces to
524s # prevent some spoofing attacks.
524s net.ipv4.conf.default.rp_filter=2
524s net.ipv4.conf.all.rp_filter=2
524s
524s
524s # /usr/lib/sysctl.d/55-ptrace.conf
524s # The PTRACE system is used for debugging. With it, a single user process
524s # can attach to any other dumpable process owned by the same user. In the
524s # case of malicious software, it is possible to use PTRACE to access
524s # credentials that exist in memory (re-using existing SSH connections,
524s # extracting GPG agent information, etc).
524s #
524s # A PTRACE scope of "0" is the more permissive mode. A scope of "1" limits
524s # PTRACE only to direct child processes (e.g. "gdb name-of-program" and
524s # "strace -f name-of-program" work, but gdb's "attach" and "strace -fp $PID"
524s # do not). The PTRACE scope is ignored when a user has CAP_SYS_PTRACE, so
524s # "sudo strace -fp $PID" will work as before. For more details see:
524s # https://wiki.ubuntu.com/SecurityTeam/Roadmap/KernelHardening#ptrace
524s #
524s # For applications launching crash handlers that need PTRACE, exceptions can
524s # be registered by the debugee by declaring in the segfault handler
524s # specifically which process will be using PTRACE on the debugee:
524s # prctl(PR_SET_PTRACER, debugger_pid, 0, 0, 0);
524s #
524s # In general, PTRACE is not needed for the average running Ubuntu system.
524s # To that end, the default is to set the PTRACE scope to "1". This value
524s # may not be appropriate for developers or servers with only admin accounts.
524s kernel.yama.ptrace_scope = 1
524s
524s # /usr/lib/sysctl.d/55-zeropage.conf
524s # Protect the zero page of memory from userspace mmap to prevent kernel
524s # NULL-dereference attacks against potential future kernel security
524s # vulnerabilities. (Added in kernel 2.6.23.)
524s #
524s # While this default is built into the Ubuntu kernel, there is no way to
524s # restore the kernel default if the value is changed during runtime; for
524s # example via package removal (e.g. wine, dosemu). Therefore, this value
524s # is reset to the secure default each time the sysctl values are loaded.
524s #
524s # ARM-specific default:
524s vm.mmap_min_addr = 32768
524s
524s # /etc/sysctl.d/99-cloudimg-ipv6.conf
524s # Written by the Cloud Image build process
524s # See https://bugs.launchpad.net/ubuntu/+source/procps/+bug/1068756
524s net.ipv6.conf.all.use_tempaddr = 0
524s net.ipv6.conf.default.use_tempaddr = 0
524s ============================= test session starts ==============================
524s platform linux -- Python 3.13.5, pytest-8.3.5, pluggy-1.5.0
524s rootdir: /tmp/autopkgtest.pViuEe/build.TqH/src
524s plugins: typeguard-4.4.2
524s collected 11 items
524s
524s debian/tests/test_sysctl_defaults.py s.xx..F.... [100%]
524s
524s =================================== FAILURES ===================================
524s ________________ test_sysctl_defaults[vm.max_map_count-1048576] ________________
524s
524s key = 'vm.max_map_count', expected = '1048576'
524s
524s @pytest.mark.parametrize("key, expected", expected_sysctl_defaults())
524s def test_sysctl_defaults(key, expected):
524s # If the sysctl key does not exist, skip the test.
524s if not os.path.exists(f'/proc/sys/{key}'.replace('.', '/')):
524s pytest.skip(f'{key} does not exist on this system, ignoring')
524s
524s actual = subprocess.check_output(['sysctl', '-n', key])
524s actual = actual.decode().strip()
524s actual = ' '.join(actual.split())
524s
524s # Due to LP: #1068756, cloud images ship /etc/sysctl.d/cloudimg-ipv6.conf
524s # which overrides procps's defaults for net.ipv6.conf.{all,default}.use_tempaddr.
524s #
524s # If that override exists, expect a failure for those settings.
524s if (
524s os.path.exists('/etc/sysctl.d/99-cloudimg-ipv6.conf') and
524s key in (
524s 'net.ipv6.conf.all.use_tempaddr',
524s 'net.ipv6.conf.default.use_tempaddr',
524s )
524s ):
524s pytest.xfail(
524s f'/etc/systctl.d/99-cloudimg-ipv6.conf overrides {key}'
524s )
524s
524s > assert actual == expected
524s E AssertionError: assert '65530' == '1048576'
524s E
524s E - 1048576
524s E + 65530
524s
524s debian/tests/test_sysctl_defaults.py:75: AssertionError
524s =========================== short test summary info ============================
524s FAILED debian/tests/test_sysctl_defaults.py::test_sysctl_defaults[vm.max_map_count-1048576]
524s ============== 1 failed, 7 passed, 1 skipped, 2 xfailed in 0.10s ===============
524s autopkgtest [21:13:54]: test sysctl-defaults: -----------------------]
** Affects: procps (Ubuntu)
Importance: High
Assignee: Nick Rosbrook (enr0n)
Status: Triaged
** Tags: dcr-incoming
** Changed in: procps (Ubuntu)
Importance: Undecided => High
** Changed in: procps (Ubuntu)
Assignee: (unassigned) => Nick Rosbrook (enr0n)
** Changed in: procps (Ubuntu)
Status: New => Triaged
** Tags added: dcr-incoming
--
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to procps in Ubuntu.
https://bugs.launchpad.net/bugs/2115346
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/procps/+bug/2115346/+subscriptions
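One way to implement the xfail the report asks for, added here as an example and not the procps package's own test: it parses `systemd-sysctl --cat-config` output (constructed sample, trimmed from the log above) to find the last drop-in that sets each key, and treats a mismatch as an expected failure when a local /etc drop-in overrides the value or the sysctl node is not writable from the container. The function names and the os.access writability probe are assumptions.

```python
"""Container-aware classification for a sysctl-defaults autopkgtest case.

Constructed example, not the procps package's test. Function names and the
os.access writability probe are assumptions made for this illustration.
"""
import os
import re

# Constructed sample of `systemd-sysctl --cat-config` output, trimmed from
# the log above to the keys of interest; '# /path' lines are file headers.
SAMPLE_CAT_CONFIG = """\
# /usr/lib/sysctl.d/55-ipv6-privacy.conf
net.ipv6.conf.all.use_tempaddr = 2

# /usr/lib/sysctl.d/55-map-count.conf
# Increase the number of virtual memory areas that one process may request
vm.max_map_count=1048576

# /etc/sysctl.d/99-cloudimg-ipv6.conf
net.ipv6.conf.all.use_tempaddr = 0
"""

_FILE_HEADER = re.compile(r'^#\s*(/\S+)\s*$')
_ASSIGNMENT = re.compile(r'^\s*(-?)([A-Za-z0-9_./]+)\s*=\s*(.*?)\s*$')


def effective_config(cat_config):
    """Map each key to (value, file) for the last drop-in that sets it.

    Later files win, as in systemd-sysctl. A leading '-' (ignore write
    errors, as in 55-bufferbloat.conf) is stripped from the key.
    """
    result, current_file = {}, None
    for line in cat_config.splitlines():
        header = _FILE_HEADER.match(line)
        if header:
            current_file = header.group(1)
            continue
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        m = _ASSIGNMENT.match(line)
        if m:
            _ignore_errors, key, value = m.groups()
            result[key] = (' '.join(value.split()), current_file)
    return result


def sysctl_writable(key, proc_sys='/proc/sys'):
    """True if the key's /proc/sys node exists and this process may write it
    (inside an unprivileged container it is typically read-only)."""
    return os.access(os.path.join(proc_sys, *key.split('.')), os.W_OK)


def classify(key, expected, actual, config, writable):
    """Return 'pass', 'fail' or 'xfail' for one parametrized case."""
    if actual == expected:
        return 'pass'
    _value, source = config.get(key, (None, None))
    if source and source.startswith('/etc/sysctl.d/'):
        return 'xfail'  # a local drop-in deliberately overrides the default
    if not writable:
        return 'xfail'  # read-only in the container: not a procps bug
    return 'fail'       # writable and nothing overrides it: real regression
```

In the real test the `writable` argument would come from `sysctl_writable(key)` and `config` from the live `--cat-config` output; the armhf case in the log (actual 65530, expected 1048576, node read-only) then lands in the second xfail branch.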