
Issue 716620

Issue metadata

Status: Fixed
Owner:
Closed: May 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 1
Type: Bug



security_SandboxedServices failure on amd64-generic-asan vmtest: gdbus running as root

Project Member Reported by michae...@chromium.org, Apr 28 2017

Issue description

This looks similar to issue 658777.

Builder: https://build.chromium.org/p/chromiumos/builders/amd64-generic-asan

Failing builds:
https://build.chromium.org/p/chromiumos/builders/amd64-generic-asan/builds/19590
https://build.chromium.org/p/chromiumos/builders/amd64-generic-asan/builds/19589

Logs: https://pantheon.corp.google.com/storage/browser/chromeos-image-archive/amd64-generic-asan/R60-9504.0.0-b19590/vm_test_results_1/smoke_suite/test_harness/all/SimpleTestVerify/1_autotest_tests/results-29-security_SandboxedServices/debug/

snippet from client.0.DEBUG:

04/28 12:29:01.824 DEBUG|             utils:0202| Running 'scanelf -qF'%s#F' -gs __asan_init `which debugd`'
04/28 12:29:01.878 DEBUG|              asan:0026| running_on_asan(): symbol: '__asan_init', _ASAN_SYMBOL: '__asan_init'
04/28 12:29:01.879 INFO |security_Sandboxed:0225| ASAN image detected -> skipping seccomp checks
04/28 12:29:01.890 WARNI|security_Sandboxed:0308| Stale baselines: set(['cromo', 'warn_collector', 'tpm_managerd', 'daisydog', 'attestationd', 'brcm_patchram_p', 'tlsdated', 'easy_unlock', 'sslh-fork', 'thermal.sh', 'timberslide', 'tlsdated-setter', 'wimax-manager', 'esif_ufd', 'netfilter-queue', 'arc-networkd', 'X', 'mtpd', 'tcsd', 'arc-obb-mounter', 'lid_touchpad_he'])
04/28 12:29:01.896 WARNI|security_Sandboxed:0311| New services: set(['gdbus', 'webservd', 'apmanager', 'conntrackd', 'peerd', 'nacl_helper_non', 'avahi-daemon'])
04/28 12:29:01.908 ERROR|security_Sandboxed:0322| New services are not allowed to run as root, but these are: ['gdbus']
04/28 12:29:01.915 ERROR|security_Sandboxed:0326| Failed sandboxing: ['gdbus']
04/28 12:29:01.924 DEBUG|              test:0389| Test failed due to One or more processes failed sandboxing. Exception log follows the after_iteration_hooks.
04/28 12:29:01.925 DEBUG|              test:0392| starting after_iteration_hooks
04/28 12:29:01.934 DEBUG|             utils:0202| Running 'logger "autotest finished iteration /usr/local/autotest/results/default/security_SandboxedServices/sysinfo/iteration.1"'
04/28 12:29:01.947 DEBUG|              test:0395| after_iteration_hooks completed
04/28 12:29:01.948 WARNI|              test:0615| The test failed with the following exception
Traceback (most recent call last):
  File "/usr/local/autotest/common_lib/test.py", line 609, in _exec
    _call_test_function(self.execute, *p_args, **p_dargs)
  File "/usr/local/autotest/common_lib/test.py", line 817, in _call_test_function
    return func(*args, **dargs)
  File "/usr/local/autotest/common_lib/test.py", line 470, in execute
    dargs)
  File "/usr/local/autotest/common_lib/test.py", line 347, in _call_run_once_with_retry
    postprocess_profiled_run, args, dargs)
  File "/usr/local/autotest/common_lib/test.py", line 380, in _call_run_once
    self.run_once(*args, **dargs)
  File "/usr/local/autotest/tests/security_SandboxedServices/security_SandboxedServices.py", line 327, in run_once
    raise error.TestFail("One or more processes failed sandboxing")
TestFail: One or more processes failed sandboxing

Mike, are you the right owner for this?
 

Comment 1 Deleted

Comment 2 Deleted

Summary: security_SandboxedServices failure on amd64-generic-asan vmtest: gdbus running as root (was: security_Sandboxed failure on amd64-generic-asan vmtest )
pretty sure this is a flake of sorts.  here's the process that's being rejected:
23119     1 gdbus                            root             root             root             root             4026531839 4026531840 4026531960 4026531836 4026531837 4026531838 gdbus wait --system --timeout 30 org.chromium.Buffet

this is from the init script:
# Wait for daemon to claim its D-Bus name before transitioning to started.
post-start exec gdbus wait --system --timeout 30 org.chromium.Buffet

so we're going to just wait for it to run and then exit.  if the autotest happens to run in that window, it fails.

i'll see if we can run gdbus as the buffet user too.  then we wouldn't have to try and whitelist this.
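
The timing window described in the comment above, as an added example (not the autotest's own code and not part of the original thread): a snapshot-based check only sees the root-owned gdbus helper if it samples while the post-start wait is still running. The column layout, the buffet rows and the baseline contents are assumptions constructed for illustration; only the gdbus row comes from the issue.

```python
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid comm ids namespaces args")

def parse_ps_row(row):
    """Parse one ps row. Assumed layout, read off the row quoted in the issue:
    pid, ppid, comm, four user/group names, six namespace ids, command line."""
    f = row.split(None, 13)
    if len(f) < 13:
        raise ValueError("short ps row: %r" % row)
    return Proc(int(f[0]), int(f[1]), f[2], tuple(f[3:7]), tuple(f[7:13]),
                f[13] if len(f) > 13 else "")

def check_sandboxing(rows, baseline):
    """Return (new_services, root_offenders) for one process snapshot.
    A service with no baseline entry is 'new'; a new service fails if any
    of its user/group columns is root."""
    procs = [parse_ps_row(r) for r in rows if r.strip()]
    new = {p.comm for p in procs} - set(baseline)
    offenders = {p.comm for p in procs if p.comm in new and "root" in p.ids}
    return sorted(new), sorted(offenders)

NS = "4026531839 4026531840 4026531960 4026531836 4026531837 4026531838"
# Row taken from the issue (whitespace collapsed): the post-start helper as root.
GDBUS_ROOT = ("23119 1 gdbus root root root root " + NS +
              " gdbus wait --system --timeout 30 org.chromium.Buffet")
# Constructed rows: the daemon itself, and the helper once it runs as buffet.
BUFFET = "23100 1 buffet buffet buffet buffet buffet " + NS + " buffet"
GDBUS_BUFFET = GDBUS_ROOT.replace("root root root root",
                                  "buffet buffet buffet buffet")
BASELINE = {"buffet"}  # constructed; the real baseline is not on this page

def snapshots():
    """Results for three moments: during the wait, after it exits, after the fix."""
    return {
        "during_wait": check_sandboxing([BUFFET, GDBUS_ROOT], BASELINE),
        "after_wait": check_sandboxing([BUFFET], BASELINE),
        "helper_non_root": check_sandboxing([BUFFET, GDBUS_BUFFET], BASELINE),
    }

if __name__ == "__main__":
    for moment, (new, offenders) in snapshots().items():
        print(moment, "new:", new, "running as root:", offenders)
```

The same service list passes or fails depending only on when the snapshot is taken, which is why dropping root from the helper removes the flake without a whitelist entry.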
Project Member

Comment 4 by bugdroid1@chromium.org, May 13 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/b8874877fd2da9d4e9abd76f5c194318fd3b2375

commit b8874877fd2da9d4e9abd76f5c194318fd3b2375
Author: Mike Frysinger <vapier@chromium.org>
Date: Sat May 13 08:04:44 2017

buffet: launch gdbus as non-root

BUG= chromium:716620 
TEST=precq passes

Change-Id: Icbcad52c579096e0b2420eb2b1818baf43ab3abf
Reviewed-on: https://chromium-review.googlesource.com/492906
Commit-Ready: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: Eric Caruso <ejcaruso@chromium.org>

[modify] https://crrev.com/b8874877fd2da9d4e9abd76f5c194318fd3b2375/buffet/etc/init/buffet.conf

Comment 5 by vapier@chromium.org, May 13 2017

Status: Fixed (was: Assigned)

Comment 6 by dchan@chromium.org, Aug 1 2017

Labels: VerifyIn-61

Comment 7 by dchan@chromium.org, Jan 22 2018

Status: Archived (was: Fixed)

Comment 8 by vapier@chromium.org, Jun 21 2018

Status: Fixed (was: Archived)
