
Issue 615409


Issue metadata

Status: Archived
Owner: ----
Closed: Jun 2016
Cc:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 1
Type: Bug




Multiple security/network service related failures in veyron_minnie

Reported by jrbarnette@chromium.org, May 27 2016

Issue description

The veyron_minnie canary recently started failing multiple
BVT tests.  Here's the first instance:
    https://uberchromegw.corp.google.com/i/chromeos/builders/veyron_minnie-release/builds/58

The canary just hasn't been the same since.

The failures are too numerous to list here, but the common theme
seems to be one or more new packages and/or services got installed, and
various security related checks are detecting those services as not
whitelisted for the system.

Some of the failures specifically list content under /opt/google/containers/android,
and I note that the first failures start with the arrival of this CL
which claims to enable cheets specifically for veyron_minnie:
    https://chrome-internal-review.googlesource.com/#/c/260037/

There *could* be more than one bug here, but ya gots to start
somewheres.

 
Cc: uekawa@chromium.org semenzato@chromium.org rickyz@chromium.org dgreid@chromium.org snanda@chromium.org
+folks for security and network bits

...
platform_FilePerms                      [ FAILED ]
platform_FilePerms                        FAIL: Found 5 permission errors
platform_FilePerms                        retry_count: 1
platform_OSLimits                       [ FAILED ]
platform_OSLimits                         FAIL: Found incorrect values: sched_rt_runtime_us
platform_OSLimits                         retry_count: 1
security_NetworkListeners               [ FAILED ]
security_NetworkListeners                 FAIL: Baseline mismatch
security_NetworkListeners                 retry_count: 2
security_SuidBinaries.suid              [ FAILED ]
security_SuidBinaries.suid                FAIL: New suid binaries: /opt/google/containers/android/rootfs/root/system/xbin/su, /opt/google/containers/android/rootfs/root/system/xbin/librank, /opt/google/containers/android/rootfs/root/system/xbin/procrank, /opt/google/containers/android/rootfs/root/system/xbin/procmem
security_SuidBinaries.suid                retry_count: 2
security_SuidBinaries.sgid              [ FAILED ]
security_SuidBinaries.sgid                FAIL: New sgid binaries: /opt/google/containers/android/rootfs/root/system/xbin/librank, /opt/google/containers/android/rootfs/root/system/xbin/procrank, /opt/google/containers/android/rootfs/root/system/xbin/procmem
security_SuidBinaries.sgid                retry_count: 2
..


platform_FilePerms was last fixed by https://buganizer.corp.google.com/u/0/issues/24975501
platform_OSLimits was last fixed by https://buganizer.corp.google.com/u/0/issues/24974865
security_NetworkListeners may be fixed by https://buganizer.corp.google.com/u/0/issues/28473688 ?
security_SuidBinaries.suid may be new
security_SuidBinaries.sgid may be new

Should we break these into individual bugs or are these quick enough to tackle all at once here?

Who is the best owner?
Filed this internally at https://buganizer.corp.google.com/u/0/issues/29003204 to get more eyes.

Comment 3 by norvez@chromium.org, Jun 27 2016

Status: Fixed (was: Available)
Tests are passing now
https://uberchromegw.corp.google.com/i/chromeos/builders/veyron_minnie-release/builds/155
Labels: VerifyIn-53
Labels: VerifyIn-54

Comment 6 by dchan@chromium.org, Oct 7 2016

Labels: VerifyIn-55

Comment 7 by dchan@google.com, Nov 19 2016

Labels: VerifyIn-56

Comment 8 by dchan@google.com, Jan 21 2017

Labels: VerifyIn-57

Comment 9 by dchan@google.com, Mar 4 2017

Labels: VerifyIn-58

Comment 10 by dchan@google.com, Apr 17 2017

Labels: VerifyIn-59

Comment 11 by dchan@google.com, May 30 2017

Labels: VerifyIn-60
Labels: VerifyIn-61

Comment 13 by dchan@chromium.org, Oct 14 2017

Status: Archived (was: Fixed)
