New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 682811 link

Starred by 1 user
Status: Verified
Owner:
ihf@chromium.org
Closed: Jan 2017
Cc:
kerrnel@chromium.org
adlr@chromium.org
keta...@chromium.org
achuith@chromium.org
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 1
Type: Bug



Sign in to add a comment

Update imageloader permissions in platform_FilePerms

Project Member Reported by kerrnel@chromium.org, Jan 19 2017 
adlr@ noticed the following failure in the PFQ:

01/19 05:20:30.931 ERROR|platform_FilePerms:0330| [/etc/mtab] "/run/imageloader/PepperFlashPlayer" is missing options "set(['mode=755'])"

ImageLoader indeed mounts things as read-only, so 0755 should never be the mode. This means platform_FilePerms likely needs to be updated. For the next day or two, until I update it, let's disable platform_ImageLoaderServer to avoid blocking the PFQ.

Comment 2 by ihf@chromium.org, Jan 19 2017 

To be clear, I want to fix this test. Looking at pfq for context.

Comment 3 by kerrnel@chromium.org, Jan 19 2017 

If you look at verity_mounter.cc (https://cs.corp.google.com/chromeos_internal/src/platform/imageloader/verity_mounter.cc), it doesn't pass any mode= string to the mount() system call. Should imageloader be passing that information through?

Comment 4 by kerrnel@chromium.org, Jan 19 2017 

If I recall correctly, since this is a squashfs image, you cannot pass a mode= string through the mount, because the mode is going to be fixed (it's a read only image).

Comment 5 by ihf@chromium.org, Jan 19 2017 

Just to be clear, as component updates are enabled in 2985 the problem is not strictly with platform_ImageLoaderServer. Disabling it may reduce the flakes, but as components are still downloaded independently of the test, it won't make them disappear. So the fix needs to be in platform_FilePerms.

Comment 6 by kerrnel@chromium.org, Jan 19 2017 

That is a good point. I just wanted to temporarily clear the flakes because of the timezone difference. If this can wait for me to fix platform_FilePerms and post a fix by the end of day Syndey time, I'm happy to do it.

Comment 7 by ihf@chromium.org, Jan 19 2017 

I am in the process to do the fix.

Thinking a bit more about your change, it will do nothing as platform_FilePerms runs before platform_ImageLoaderServer. So this is strictly coming from Chrome.

Comment 8 by kerrnel@chromium.org, Jan 19 2017 

I see. Thank you for handling this Ilja. I will be back online in a couple hours to provide any help as needed.

Comment 9 by ihf@chromium.org, Jan 19 2017

Cc: -ihf@chromium.org kerrnel@chromium.org
Owner: ihf@chromium.org
Status: Started (was: Assigned)
Summary: Update imageloader permissions in platform_FilePerms (was: Disable platform_ImageLoaderServer until platform_FilePerms is updated)
If I understand this right we should check for 555 but not read it from mtab. I am disabling the check for now from platform_FilePerms as it isn't right. This should unbreak cq/pfq etc.
https://chromium-review.googlesource.com/430203


localhost ~ # stat  /run/imageloader/PepperFlashPlayer
  File: '/run/imageloader/PepperFlashPlayer'
  Size: 76        	Blocks: 0          IO Block: 4096   directory
Device: fe02h/65026d	Inode: 3           Links: 2
Access: (0555/dr-xr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Context: u:object_r:unlabeled:s0
Access: 2017-01-18 23:42:21.000000000 -0800
Modify: 2017-01-18 23:42:21.000000000 -0800
Change: 2017-01-18 23:42:21.000000000 -0800
 Birth: -

localhost ~ # grep Pepper /etc/mtab 
/dev/mapper/068D4214B37C5D935BC3CCCE590739299406945E3CD013F9C904400067FD5351 /run/imageloader/PepperFlashPlayer squashfs ro,seclabel,nosuid,nodev,relatime 0 0

Comment 10 by ihf@chromium.org, Jan 19 2017

Cc: achuith@chromium.org
achuith fyi

Comment 11 by achuith@chromium.org, Jan 19 2017 

Is this the same failure:
https://uberchromegw.corp.google.com/i/chromeos/builders/daisy_skate-chrome-pfq/builds/3369

One of the recent PFQ breaks.

Comment 12 by ihf@chromium.org, Jan 19 2017 

I get 502 errors trying to read the logs, but presumably the same.
Project Member

Comment 13 by bugdroid1@chromium.org, Jan 19 2017 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/autotest/+/91232bf9da144a060225c27c6fbec5610cb42194

commit 91232bf9da144a060225c27c6fbec5610cb42194
Author: Ilja H. Friedel <ihf@chromium.org>
Date: Thu Jan 19 22:32:27 2017

platform_FilePerms: remove permission check from imageloader.

/run/imageloader/PepperFlashPlayer is created once Chrome downloads
a new component update from Omaha.

BUG= chromium:682811 
TEST=Ran locally on samus.

Change-Id: Iee1c03266913014a5dc1aa59679f5c7e60cacc81
Reviewed-on: https://chromium-review.googlesource.com/430203
Tested-by: Ilja H. Friedel <ihf@chromium.org>
Trybot-Ready: Ilja H. Friedel <ihf@chromium.org>
Reviewed-by: Achuith Bhandarkar <achuith@chromium.org>

[modify] https://crrev.com/91232bf9da144a060225c27c6fbec5610cb42194/client/site_tests/platform_FilePerms/platform_FilePerms.py

Comment 14 by khmel@chromium.org, Jan 19 2017 

Just for reference: https://luci-milo.appspot.com/buildbot/chromeos/peach_pit-chrome-pfq/3016 failing the same reason

01/18 20:02:44.119 ERROR|platform_FilePerms:0330| [/etc/mtab] "/run/imageloader/PepperFlashPlayer" is missing options "set(['mode=755'])"

Comment 15 by ihf@chromium.org, Jan 19 2017 

Hopefully fixed on the next run.

Comment 16 by kerrnel@chromium.org, Jan 20 2017 

I did not realize platform_FilePerms was checking the PepperFlashPlayer mount. This raises a good point: we are going to add support to mount arbitrary components, so hardcoding the mount points won't scale over time.

I think the "right" fix for the long term is for me to have that test enforce a certain set of rules against any mount point under /run/imageloader. What do you think?

Thanks again for fixing this.

Comment 17 by ihf@chromium.org, Jan 23 2017

Status: Verified (was: Started)
No more failures.

Sign in to add a comment