I am using reqwest in Rust to send a simple POST request:
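// Blocking HTTP client with default settings.
let client = reqwest::blocking::Client::new();
// File::open returns io::Result<File>; `?` propagates the error so that a File,
// not a Result, is handed to .body() below.
let file = File::open("somefile")?;
// .body(file) uses the file's bytes as the entire request body: no
// multipart/form-data framing and no named form field are added here.
// NOTE(review): the curl request traced on this page is multipart/form-data, and
// the server's 400 ("file argument 'path' is required") is consistent with the
// form part being absent -- confirm against the API's documentation.
let res = client
    .post("http://127.0.0.1:5001/api/v0/add")
    .body(file)
    .send()?;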
I got a 400 response, so I used Wireshark to check the request sent by reqwest. Interestingly, there was none: all I saw was the 400 response.
So I used strace, and compared with cURL.
For cURL, I got:
socket(AF_INET6, SOCK_DGRAM, IPPROTO_IP) = 3
socketpair(AF_UNIX, SOCK_STREAM, 0, [3, 4]) = 0
socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 5
setsockopt(5, SOL_TCP, TCP_NODELAY, [1], 4) = 0
setsockopt(5, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0
setsockopt(5, SOL_TCP, TCP_KEEPIDLE, [60], 4) = 0
setsockopt(5, SOL_TCP, TCP_KEEPINTVL, [60], 4) = 0
connect(5, {sa_family=AF_INET, sin_port=htons(5001), sin_addr=inet_addr("127.0.0.1")}, 16) = -1 EINPROGRESS (Operation now in progress)
getsockopt(5, SOL_SOCKET, SO_ERROR, [0], [4]) = 0
getpeername(5, {sa_family=AF_INET, sin_port=htons(5001), sin_addr=inet_addr("127.0.0.1")}, [128 => 16]) = 0
getsockname(5, {sa_family=AF_INET, sin_port=htons(59784), sin_addr=inet_addr("127.0.0.1")}, [128 => 16]) = 0
sendto(5, "POST /api/v0/add HTTP/1.1\r\nHost: 127.0.0.1:5001\r\nUser-Agent: curl/7.80.0\r\nAccept: */*\r\nContent-Length: 1720244\r\nContent-Type: multipart/form-data; boundary=------------------------dfd2b9478efb2b2d\r\nExpect: 100-continue\r\n\r\n", 222, MSG_NOSIGNAL, NULL, 0) = 222
recvfrom(5, "HTTP/1.1 100 Continue\r\n\r\n", 102400, 0, NULL, NULL) = 25
and more after.
But for my app, I got:
socket(AF_INET, SOCK_STREAM|SOCK_CLOEXEC, IPPROTO_TCP) = 7
connect(7, {sa_family=AF_INET, sin_port=htons(5001), sin_addr=inet_addr("127.0.0.1")}, 16) = -1 EINPROGRESS (Operation now in progress)
getsockopt(7, SOL_SOCKET, SO_ERROR, [0], [4]) = 0
setsockopt(7, SOL_TCP, TCP_NODELAY, [0], 4) = 0
getpeername(7, {sa_family=AF_INET, sin_port=htons(5001), sin_addr=inet_addr("127.0.0.1")}, [128 => 16]) = 0
recvfrom(7, "HTTP/1.1 400 Bad Request\r\nContent-Type: text/plain; charset=utf-8\r\nVary: Origin\r\nX-Content-Type-Options: nosniff\r\nDate: Sat, 04 Dec 2021 13:02:05 GMT\r\nContent-Length: 33\r\n\r\nfile argument 'path' is required\n", 8192, 0, NULL, NULL) = 206
recvfrom(7, 0x7f923c0f0e00, 8192, 0, NULL, NULL) = -1 EAGAIN (Resource temporarily unavailable)
So why is there no sendto call?
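Both traces were captured with the same command: strace -f -e trace=network -s 10000 $cmd. (Note that -e trace=network shows only network-class syscalls such as sendto and recvfrom; a request written to the socket with write() or writev() would not appear in this output.)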
Vim gets stuck when opening a file. Below is the output with strace. Could anyone advise?
strace vim test.py
....
poll([{fd=3, events=POLLIN|POLLOUT}], 1, -1) = 1 ([{fd=3, revents=POLLOUT}])
writev(3, [{"l\0\v\0\0\0\22\0\20\0\0\0", 12}, {"", 0}, {"MIT-MAGIC-COOKIE-1", 18}, {"\0\0", 2}, {"\231\r\1\377\"\0025\371\232\264nj%:\32\277", 16}, {"", 0}], 6) = 48
recvfrom(3, 0x2bec270, 8, 0, NULL, NULL) = -1 EAGAIN (Resource temporarily unavailable)
poll([{fd=3, events=POLLIN}], 1, -1
I ran into this as well and dug into it a little.
Here is my log.
09:46:07.386053 socket(AF_INET6, SOCK_STREAM|SOCK_CLOEXEC, IPPROTO_TCP) = 3
09:46:07.386078 setsockopt(3, SOL_TCP, TCP_NODELAY, [1], 4) = 0
09:46:07.386102 setsockopt(3, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0
09:46:07.386125 connect(3, {sa_family=AF_INET6, sin6_port=htons(6010), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_flowinfo=htonl(0), sin6_scope_id=0}, 28) = 0
09:46:07.386225 getpeername(3, {sa_family=AF_INET6, sin6_port=htons(6010), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_flowinfo=htonl(0), sin6_scope_id=0}, [124->28]) = 0
09:46:07.386258 uname({sysname="Linux", nodename="localhost.localdomain", ...}) = 0
09:46:07.386324 access("/root/.Xauthority", R_OK) = 0
09:46:07.386385 openat(AT_FDCWD, "/root/.Xauthority", O_RDONLY) = 4
09:46:07.386414 fstat(4, {st_mode=S_IFREG|0600, st_size=469, ...}) = 0
09:46:07.386439 read(4, "\1\0\0\25localhost.localdomain\0\00216\0\22M"..., 4096) = 469
09:46:07.386548 close(4) = 0
09:46:07.386611 getsockname(3, {sa_family=AF_INET6, sin6_port=htons(49466), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_flowinfo=htonl(0), sin6_scope_id=0}, [124->28]) = 0
09:46:07.386688 fcntl(3, F_GETFL) = 0x2 (flags O_RDWR)
09:46:07.386773 fcntl(3, F_SETFL, O_RDWR|O_NONBLOCK) = 0
09:46:07.386831 fcntl(3, F_SETFD, FD_CLOEXEC) = 0
09:46:07.386853 poll([{fd=3, events=POLLIN|POLLOUT}], 1, -1) = 1 ([{fd=3, revents=POLLOUT}])
09:46:07.386968 writev(3, [{iov_base="l\0\v\0\0\0\22\0\20\0\0\0", iov_len=12}, {iov_base="", iov_len=0}, {iov_base="MIT-MAGIC-COOKIE-1", iov_len=18}, {iov_base="\0\0", iov_len=2}, {iov_base="yD\310A\20\2\202\33\232\242~/\351E\260\336", iov_len=16}, {iov_base="", iov_len=0}], 6) = 48
09:46:07.387053 recvfrom(3, 0x561e505ded90, 8, 0, NULL, NULL) = -1 EAGAIN (Resource temporarily unavailable)
09:46:07.387081 poll([{fd=3, events=POLLIN}], 1, -1) = 1 ([{fd=3, revents=POLLIN}])
09:46:09.393095 recvfrom(3, "\1\0\v\0\0\0\362\0", 8, 0, NULL, NULL) = 8
09:46:09.393186 recvfrom(3, "\277B\241\3\0\0\200\0\377\377\37\0\0\1\0\0\16\0\377\377\1\7\0\0 \10\377\20\377\202\0"..., 968, 0, NULL, NULL) = 968
09:46:09.393266 poll([{fd=3, events=POLLIN|POLLOUT}], 1, -1
<<=========== pressed Enter here while it was stuck.
) = 1 ([{fd=3, revents=POLLOUT}])
09:46:09.393314 writev(3, [{iov_base="b\0\5\0\f\0\0\0BIG-REQUESTS", iov_len=20}], 1) = 20
I then attached gdb and found the relevant source (https://github.com/stapelberg/libxcb/blob/master/src/xcb_in.c#L267).
The sad news is that there is no bug: it is just waiting for data from the X server.
The workaround would be to disable the xterm feature.
I like the +xterm_clipboard feature, so I have to live with it.
I have a strange problem I cannot solve on my own:
Using Delphi 10.3 Rio Enterprise, on Linux (I tried fresh installs of Ubuntu 16.04 and Ubuntu 18.04 Desktop and Ubuntu 18.04 Server with GUI in VMWare Player 15) PAServer crashes with I/O Error 11 every time I start debugging. I can pull the SDK and Delphi deploys all files correctly. But trying to run ends with the crash and Delphi complaining that GDB Server is no longer available. I can run the program on the Linux host by starting it manually (of course without debugging).
It does not depend on the Linux user; it also happens as root. A non-graphical application also crashes, even on a non-GUI Ubuntu server, always with I/O Error 11.
Debugging with PAServer works well on OSX, Android and Windows. I of course tried a dead simple one form project without content with the same results.
I traced the Delphi PAClient with ProcMon, no evidence on that side. Then I tracked the Linux process with strace, which gave me this output:
write(1, "Starting Platform Assistant Serv"..., 49Starting Platform Assistant Server on port 64211
) = 49
write(1, "\n", 1
) = 1
write(1, "Type ? for available commands\n", 30Type ? for available commands
) = 30
socket(PF_INET6, SOCK_STREAM, IPPROTO_IP) = 5
close(5) = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 5
getsockopt(5, SOL_SOCKET, SO_TYPE, [1], [4]) = 0
getsockopt(5, SOL_TCP, TCP_NODELAY, [0], [4]) = 0
setsockopt(5, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
setsockopt(5, SOL_SOCKET, SO_REUSEPORT, [1], 4) = 0
bind(5, {sa_family=AF_INET, sin_port=htons(64211), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
getsockname(5, {sa_family=AF_INET, sin_port=htons(64211), sin_addr=inet_addr("0.0.0.0")}, [16]) = 0
setsockopt(5, SOL_TCP, TCP_NODELAY, [1], 4) = 0
socket(PF_INET6, SOCK_STREAM, IPPROTO_IP) = 6
getsockopt(6, SOL_SOCKET, SO_TYPE, [1], [4]) = 0
getsockopt(6, SOL_TCP, TCP_NODELAY, [0], [4]) = 0
setsockopt(6, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
setsockopt(6, SOL_SOCKET, SO_REUSEPORT, [1], 4) = 0
bind(6, {sa_family=AF_INET6, sin6_port=htons(64211), inet_pton(AF_INET6, "::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = 0
getsockname(6, {sa_family=AF_INET6, sin6_port=htons(64211), inet_pton(AF_INET6, "::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, [28]) = 0
setsockopt(6, SOL_TCP, TCP_NODELAY, [1], 4) = 0
listen(5, 15) = 0
mmap(NULL, 8392704, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f8ab39f9000
mprotect(0x7f8ab39f9000, 4096, PROT_NONE) = 0
clone(child_stack=0x7f8ab41f8ff0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tidptr=0x7f8ab41f99d0, tls=0x7f8ab41f9700, child_tidptr=0x7f8ab41f99d0) = 28987
sched_getparam(28987, [0]) = 0
sched_getscheduler(28987) = 0 (SCHED_OTHER)
listen(6, 15) = 0
mmap(NULL, 8392704, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f8ab31f8000
mprotect(0x7f8ab31f8000, 4096, PROT_NONE) = 0
clone(child_stack=0x7f8ab39f7ff0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tidptr=0x7f8ab39f89d0, tls=0x7f8ab39f8700, child_tidptr=0x7f8ab39f89d0) = 28988
sched_getparam(28988, [0]) = 0
sched_getscheduler(28988) = 0 (SCHED_OTHER)
brk(0x1f55000) = 0x1f55000
brk(0x1f76000) = 0x1f76000
brk(0x1f97000) = 0x1f97000
brk(0x1fba000) = 0x1fba000
brk(0x1fdb000) = 0x1fdb000
mmap(NULL, 200704, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f8ab82b8000
mmap(NULL, 200704, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f8ab8287000
write(1, ">", 1>) = 1
read(0, 0xe0bf90, 128) = -1 EAGAIN (Resource temporarily unavailable)
read(0, 0xe0bf90, 128) = -1 EAGAIN (Resource temporarily unavailable)
shutdown(5, SHUT_WR) = 0
close(5) = 0
select(4, [3], NULL, NULL, {1, 0}) = 1 (in [3], left {0, 999997})
ioctl(3, FIONREAD, [1]) = 0
read(3, "\0", 1) = 1
select(4, [3], NULL, NULL, {1, 0}) = 1 (in [3], left {0, 817727})
ioctl(3, FIONREAD, [1]) = 0
read(3, "\0", 1) = 1
select(4, [3], NULL, NULL, {1, 0}) = 1 (in [3], left {0, 999997})
ioctl(3, FIONREAD, [1]) = 0
read(3, "\0", 1) = 1
shutdown(6, SHUT_WR) = 0
close(6) = 0
select(4, [3], NULL, NULL, {1, 0}) = 1 (in [3], left {0, 974854})
ioctl(3, FIONREAD, [1]) = 0
read(3, "\0", 1) = 1
shutdown(7, SHUT_WR) = 0
close(7) = 0
shutdown(8, SHUT_WR) = 0
close(8) = 0
select(0, NULL, NULL, NULL, {0, 500000}) = 0 (Timeout)
write(1, "EInOutError: I/O error 11\n", 26EInOutError: I/O error 11
) = 26
Thanks in advance for help!
Please check
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1813873
Ubuntu kernel 4.15.0-44 introduced this problem, and Ubuntu will fix it in the next kernel update, on Mar 4th.
Completely revised answer.
It doesn't seem to be related to VMware Player 15 but somehow to Ubuntu, 16 as well as 18. Debugging works on all non-Linux operating systems, and also on Red Hat 7 and Debian Stretch.
On Debian 9 I had to use the SDK generated on the Ubuntu machine, as some files were missing when it was generated on Debian. That may be easy to solve, but the other SDK does its job.
I'm on a Linux system and recently enabled SELinux, in both permissive and enforcing mode.
When I run the login command in a shell with the correct username and password, I get a "Permission denied" error from the execve() system call.
Debugging all system calls with strace leads to the following output.
...
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x400a3000
set_tls(0x400a2d90) = 0
mprotect(0x40201000, 8192, PROT_READ) = 0
mprotect(0x40364000, 4096, PROT_READ) = 0
mprotect(0x402e4000, 4096, PROT_READ) = 0
mprotect(0x402b8000, 4096, PROT_READ) = 0
mprotect(0x4021d000, 4096, PROT_READ) = 0
mprotect(0x400aa000, 4096, PROT_READ) = 0
munmap(0x4009e000, 9811) = 0
statfs("/sys/fs/selinux", {f_type=SELINUX_MAGIC, f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={val=[0, 0]}, f_namelen=255, f_frsize=4096, f_flags=ST_VALID|ST_RELATIME}) = 0
statfs("/sys/fs/selinux", {f_type=SELINUX_MAGIC, f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={val=[0, 0]}, f_namelen=255, f_frsize=4096, f_flags=ST_VALID|ST_RELATIME}) = 0
stat64("/sys/fs/selinux", {st_mode=S_IFDIR|0755, st_size=0, ...}) = 0
brk(NULL) = 0x907000
brk(0x928000) = 0x928000
access("/etc/selinux/config", F_OK) = 0
getuid32() = 0
geteuid32() = 0
open("/dev/null", O_RDWR) = 3
close(3) = 0
ioctl(0, TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(1, TCGETS, {B38400 opost isig icanon echo ...}) = 0
rt_sigaction(SIGALRM, {sa_handler=0x400b76ed, sa_mask=[ALRM], sa_flags=SA_RESTORER|SA_RESTART, sa_restorer=0x4013cae1}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
setitimer(ITIMER_REAL, {it_interval={tv_sec=0, tv_usec=0}, it_value={tv_sec=60, tv_usec=0}}, {it_interval={tv_sec=0, tv_usec=0}, it_value={tv_sec=0, tv_usec=0}}) = 0
ioctl(0, TCGETS, {B38400 opost isig icanon echo ...}) = 0
fstat64(0, {st_mode=S_IFCHR|0622, st_rdev=makedev(136, 1), ...}) = 0
readlink("/proc/self/fd/0", "/dev/pts/1", 126) = 10
stat64("/dev/pts/1", {st_mode=S_IFCHR|0622, st_rdev=makedev(136, 1), ...}) = 0
ioctl(0, TCFLSH, TCIFLUSH) = 0
uname({sysname="Linux", nodename="node", ...}) = 0
fstat64(1, {st_mode=S_IFCHR|0622, st_rdev=makedev(136, 1), ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4009e000
write(1, "node login: ", node login: ) = 12
fstat64(0, {st_mode=S_IFCHR|0622, st_rdev=makedev(136, 1), ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4009f000
read(0,
"\n", 1024) = 5
open("/etc/passwd", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=63, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x400a0000
read(3, ""..., 1024) = 63
close(3) = 0
munmap(0x400a0000, 4096) = 0
open("/etc/securetty", O_RDONLY) = -1 ENOENT (No such file or directory)
ioctl(0, TCFLSH, TCIFLUSH) = 0
write(1, "Password: ", 10Password: ) = 10
ioctl(0, TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(0, SNDCTL_TMR_START or TCSETS, {B38400 opost isig icanon -echo ...}) = 0
rt_sigaction(SIGINT, {sa_handler=0x400f43b9, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x4013cae1}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGINT, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x4013cae1}, NULL, 8) = 0
ioctl(0, SNDCTL_TMR_START or TCSETS, {B38400 opost isig icanon echo ...}) = 0
write(1, "\n", 1
) = 1
open("/proc/sys/crypto/fips_enabled", O_RDONLY) = -1 ENOENT (No such file or directory)
setitimer(ITIMER_REAL, {it_interval={tv_sec=0, tv_usec=0}, it_value={tv_sec=0, tv_usec=0}}, {it_interval={tv_sec=0, tv_usec=0}, it_value={tv_sec=57, tv_usec=707306}}) = 0
open("/etc/selinux/config", O_RDONLY|O_CLOEXEC) = 3
fcntl64(3, F_GETFD) = 0x1 (flags FD_CLOEXEC)
fstat64(3, {st_mode=S_IFREG|0644, st_size=586, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x400a0000
read(3, "# This file controls the state o"..., 1024) = 586
read(3, "", 1024) = 0
close(3) = 0
munmap(0x400a0000, 4096) = 0
open("/proc/thread-self/attr/current", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
gettid() = 970
open("/proc/self/task/970/attr/current", O_RDONLY|O_CLOEXEC) = 3
read(3, "system_u:system_r:init_t\0", 4095) = 25
close(3) = 0
access("/var/run/setrans/.setrans-unix", F_OK) = -1 ENOENT (No such file or directory)
open("/sys/fs/selinux/user", O_RDWR|O_CLOEXEC) = 3
write(3, "system_u:system_r:init_t root", 29) = 29
read(3, "5\0root:staff_r:shutdown_t\0root:s"..., 4095) = 127
close(3) = 0
open("/etc/selinux/refpolicy/contexts/users/root", O_RDONLY|O_CLOEXEC) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=630, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x400a0000
read(3, "system_r:crond_t\tunconfined_r:un"..., 1024) = 630
read(3, "", 1024) = 0
close(3) = 0
munmap(0x400a0000, 4096) = 0
open("/etc/selinux/refpolicy/contexts/default_contexts", O_RDONLY|O_CLOEXEC) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=951, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x400a0000
read(3, "system_r:crond_t\tuser_r:user_t s"..., 1024) = 951
read(3, "", 1024) = 0
close(3) = 0
munmap(0x400a0000, 4096) = 0
open("/etc/selinux/refpolicy/contexts/failsafe_context", O_RDONLY|O_CLOEXEC) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=18, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x400a0000
read(3, "sysadm_r:sysadm_t\n", 1024) = 18
close(3) = 0
munmap(0x400a0000, 4096) = 0
open("/sys/fs/selinux/context", O_RDWR|O_CLOEXEC) = 3
write(3, "root:sysadm_r:sysadm_t\0", 23) = 23
close(3) = 0
getxattr("/dev/pts/1", "security.selinux", "system_u:object_r:devpts_t", 255) = 27
open("/sys/fs/selinux/relabel", O_RDWR|O_CLOEXEC) = 3
write(3, "root:sysadm_r:sysadm_t system_u:"..., 52) = 52
read(3, "root:object_r:devpts_t\0", 4095) = 23
close(3) = 0
setxattr("/dev/pts/1", "security.selinux", "root:object_r:devpts_t", 23, 0) = 0
fchown32(0, 0, 0) = 0
fchmod(0, 0600) = 0
open("/etc/group", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=10, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x400a0000
read(3, "root:x:0:\n", 1024) = 10
read(3, "", 1024) = 0
close(3) = 0
munmap(0x400a0000, 4096) = 0
setgroups32(1, [0]) = 0
setgid32(0) = 0
setuid32(0) = 0
chdir("/root") = 0
access(".hushlogin", F_OK) = -1 ENOENT (No such file or directory)
open("/etc/motd", O_RDONLY) = -1 ENOENT (No such file or directory)
gettimeofday({tv_sec=1542874616, tv_usec=399369}, NULL) = 0
open("/etc/localtime", O_RDONLY|O_CLOEXEC) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=2309, ...}) = 0
fstat64(3, {st_mode=S_IFREG|0644, st_size=2309, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x400a0000
read(3, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\10\0\0\0\0"..., 1024) = 1024
_llseek(3, 1257, [2281], SEEK_CUR) = 0
read(3, "\nCET-1CEST,M3.5.0,M10.5.0/3\n", 1024) = 28
close(3) = 0
munmap(0x400a0000, 4096) = 0
getpid() = 970
socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 3
connect(3, {sa_family=AF_UNIX, sun_path="/dev/log"}, 110) = -1 EPROTOTYPE (Protocol wrong type for socket)
close(3) = 0
socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC, 0) = 3
connect(3, {sa_family=AF_UNIX, sun_path="/dev/log"}, 110) = 0
send(3, "<38>Nov 22 09:16:56 login[970]: "..., 54, MSG_NOSIGNAL) = 54
rt_sigaction(SIGINT, {sa_handler=SIG_DFL, sa_mask=[INT], sa_flags=SA_RESTORER|SA_RESTART, sa_restorer=0x4013cae1}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x4013cae1}, 8) = 0
open("/proc/thread-self/attr/exec", O_RDWR|O_CLOEXEC) = -1 ENOENT (No such file or directory)
gettid() = 970
open("/proc/self/task/970/attr/exec", O_RDWR|O_CLOEXEC) = 4
write(4, "root:sysadm_r:sysadm_t\0", 23) = 23
close(4) = 0
execve("/bin/sh", ["-sh"], 0x907b30 /* 6 vars */) = -1 EACCES (Permission denied)
write(2, "login: can't execute '/bin/sh': "..., 50login: can't execute '/bin/sh': Permission denied
) = 50
exit_group(1) = ?
+++ exited with 1 +++
The error message disappears with disabled SELinux and the login command succeeds. See output below.
...
send(3, "<38>Nov 23 16:25:16 login[883]: "..., 54, MSG_NOSIGNAL) = 54
rt_sigaction(SIGINT, {sa_handler=SIG_DFL, sa_mask=[INT], sa_flags=SA_RESTORER|SA_RESTART, sa_restorer=0x400fcae1}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x400fcae1}, 8) = 0
execve("/bin/sh", ["-sh"], 0x32a3d0 /* 6 vars */) = 0
brk(NULL) = 0x1e14000
...
Another test trying to run ssh in a specific context will also lead to a "Permission denied" message.
~ # runcon system_u:system_r:sshd_t /usr/sbin/sshd
runcon: can't execute '/usr/sbin/sshd': Permission denied
~ # strace runcon system_u:system_r:sshd_t /usr/sbin/sshd
execve("/usr/bin/runcon", ["runcon", "system_u:system_r:sshd_t", "/usr/sbin/sshd"], 0xbea60de8 /* 12 vars */) = 0
brk(NULL) = 0x120b000
uname({sysname="Linux", nodename="node", ...}) = 0
mmap2(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x400cb000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=9811, ...}) = 0
mmap2(NULL, 9811, PROT_READ, MAP_PRIVATE, 3, 0) = 0x400cd000
close(3) = 0
...
various lib loading with no error
...
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x400d2000
set_tls(0x400d1d90) = 0
mprotect(0x40230000, 8192, PROT_READ) = 0
mprotect(0x40393000, 4096, PROT_READ) = 0
mprotect(0x40313000, 4096, PROT_READ) = 0
mprotect(0x402e7000, 4096, PROT_READ) = 0
mprotect(0x4024c000, 4096, PROT_READ) = 0
mprotect(0x400d9000, 4096, PROT_READ) = 0
munmap(0x400cd000, 9811) = 0
statfs("/sys/fs/selinux", {f_type=SELINUX_MAGIC, f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={val=[0, 0]}, f_namelen=255, f_frsize=4096, f_flags=ST_VALID|ST_RELATIME}) = 0
statfs("/sys/fs/selinux", {f_type=SELINUX_MAGIC, f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={val=[0, 0]}, f_namelen=255, f_frsize=4096, f_flags=ST_VALID|ST_RELATIME}) = 0
stat64("/sys/fs/selinux", {st_mode=S_IFDIR|0755, st_size=0, ...}) = 0
brk(NULL) = 0x120b000
brk(0x122c000) = 0x122c000
access("/etc/selinux/config", F_OK) = 0
access("/var/run/setrans/.setrans-unix", F_OK) = -1 ENOENT (No such file or directory)
open("/sys/fs/selinux/context", O_RDWR|O_CLOEXEC) = 3
write(3, "system_u:system_r:sshd_t\0", 25) = 25
close(3) = 0
open("/proc/thread-self/attr/exec", O_RDWR|O_CLOEXEC) = -1 ENOENT (No such file or directory)
gettid() = 976
open("/proc/self/task/976/attr/exec", O_RDWR|O_CLOEXEC) = 3
write(3, "system_u:system_r:sshd_t\0", 25) = 25
close(3) = 0
execve("/usr/sbin/sshd", ["/usr/sbin/sshd"], 0xbec8dde4 /* 12 vars */) = -1 EACCES (Permission denied)
write(2, "runcon: can't execute '/usr/sbin"..., 58runcon: can't execute '/usr/sbin/sshd': Permission denied
) = 58
exit_group(126) = ?
+++ exited with 126 +++
How can I get this error resolved while SELinux is enabled?
Edit:
After investigating the sys_execve() implementation the error should occur in function do_open_exec() (https://elixir.bootlin.com/linux/v3.18/source/fs/exec.c#L750).
I'm not sure which file access triggers the error.
Found a solution to this problem.
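My root partition was mounted with the nosuid flag. As mentioned in this blog post https://danwalsh.livejournal.com/68723.html, SELinux does not perform a domain transition when a file is executed from a nosuid mount, so the process couldn't change its domain and execve() failed with EACCES.
Mounting the partition without nosuid solved this problem.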
When I run strace on dig (strace dig google.com), there are no sendto or recvfrom syscalls, which you would expect for a DNS query. dig is definitely performing network requests: I can see the queries in Wireshark. strace does capture the socket and close syscalls, though. The full trace is available at https://pastebin.com/aU816wLq, but I pasted the relevant section below:
futex(0x7f3e959bbe34, FUTEX_WAKE_PRIVATE, 2147483647) = 0
futex(0x7f3e959bbf80, FUTEX_WAKE_PRIVATE, 2147483647) = 0
futex(0x7f3e963f9290, FUTEX_WAKE_PRIVATE, 2147483647) = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3
close(3) = 0
socket(PF_INET6, SOCK_STREAM, IPPROTO_IP) = 3
getsockname(3, {sa_family=AF_INET6, sin6_port=htons(0), inet_pton(AF_INET6, "::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, [28]) = 0
close(3) = 0
socket(PF_LOCAL, SOCK_STREAM, 0) = 3
close(3) = 0
futex(0x7f3e959bc3ac, FUTEX_WAKE_PRIVATE, 2147483647) = 0
futex(0x7f3e959bbf08, FUTEX_WAKE_PRIVATE, 2147483647) = 0
mmap(NULL, 266240, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f3e965c8000
mmap(NULL, 8392704, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f3e9028f000
mprotect(0x7f3e9028f000, 4096, PROT_NONE) = 0
clone(child_stack=0x7f3e90a8efb0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tidptr=0x7f3e90a8f9d0, tls=0x7f3e90a8f700, child_tidptr=0x7f3e90a8f9d0) = 3083
mmap(NULL, 8392704, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f3e8fa8e000
mprotect(0x7f3e8fa8e000, 4096, PROT_NONE) = 0
clone(child_stack=0x7f3e9028dfb0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tidptr=0x7f3e9028e9d0, tls=0x7f3e9028e700, child_tidptr=0x7f3e9028e9d0) = 3084
brk(0x55fd6e9cd000) = 0x55fd6e9cd000
pipe([3, 4]) = 0
fcntl(3, F_GETFL) = 0 (flags O_RDONLY)
fcntl(3, F_SETFL, O_RDONLY|O_NONBLOCK) = 0
epoll_create(64) = 5
epoll_ctl(5, EPOLL_CTL_ADD, 3, {EPOLLIN, {u32=3, u64=3}}) = 0
mmap(NULL, 8392704, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f3e8f28d000
mprotect(0x7f3e8f28d000, 4096, PROT_NONE) = 0
clone(child_stack=0x7f3e8fa8cfb0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tidptr=0x7f3e8fa8d9d0, tls=0x7f3e8fa8d700, child_tidptr=0x7f3e8fa8d9d0) = 3085
open("/usr/share/locale/en_US.UTF-8/libdst.cat", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_US.UTF-8/LC_MESSAGES/libdst.cat", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en/libdst.cat", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en/LC_MESSAGES/libdst.cat", O_RDONLY) = -1 ENOENT (No such file or directory)
futex(0x7f3e963f9b20, FUTEX_WAKE_PRIVATE, 2147483647) = 0
futex(0x7f3e963f9b24, FUTEX_WAKE_PRIVATE, 2147483647) = 0
brk(0x55fd6e9ee000) = 0x55fd6e9ee000
open("/usr/lib/ssl/openssl.cnf", O_RDONLY) = 6
fstat(6, {st_mode=S_IFREG|0644, st_size=10835, ...}) = 0
read(6, "#\n# OpenSSL example configuratio"..., 4096) = 4096
read(6, "Netscape crash on BMPStrings or "..., 4096) = 4096
read(6, " this to avoid interpreting an e"..., 4096) = 2643
read(6, "", 4096) = 0
close(6) = 0
futex(0x7f3e94c480a8, FUTEX_WAKE_PRIVATE, 2147483647) = 0
open("/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libgost.so", O_RDONLY|O_CLOEXEC) = 6
read(6, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\220T\0\0\0\0\0\0"..., 832) = 832
fstat(6, {st_mode=S_IFREG|0644, st_size=93280, ...}) = 0
mmap(NULL, 2188320, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 6, 0) = 0x7f3e8f076000
mprotect(0x7f3e8f08b000, 2093056, PROT_NONE) = 0
mmap(0x7f3e8f28a000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 6, 0x14000) = 0x7f3e8f28a000
close(6) = 0
mprotect(0x7f3e8f28a000, 4096, PROT_READ) = 0
open("/home/ubuntu-user/.digrc", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/resolv.conf", O_RDONLY) = 6
fstat(6, {st_mode=S_IFREG|0644, st_size=208, ...}) = 0
read(6, "# Dynamic resolv.conf(5) file fo"..., 4096) = 208
read(6, "", 4096) = 0
close(6) = 0
getppid() = 3080
rt_sigaction(SIGHUP, {0x7f3e957899e0, ~[RTMIN RT_1], SA_RESTORER, 0x7f3e9553f390}, NULL, 8) = 0
rt_sigsuspend([], 8) = ? ERESTARTNOHAND (To be restarted if no handler)
--- SIGTERM {si_signo=SIGTERM, si_code=SI_TKILL, si_pid=3082, si_uid=1000} ---
rt_sigreturn({mask=[HUP INT TERM]}) = -1 EINTR (Interrupted system call)
futex(0x55fd6df085a0, FUTEX_WAIT_PRIVATE, 2, NULL) = 0
futex(0x55fd6df085a0, FUTEX_WAKE_PRIVATE, 1) = 0
futex(0x7f3e90a8f9d0, FUTEX_WAIT, 3083, NULL) = 0
write(4, "\0\0\0\0\377\377\377\377", 8) = 8
epoll_ctl(5, EPOLL_CTL_DEL, 3, 0x7fff8ed49d10) = 0
close(5) = 0
close(3) = 0
close(4) = 0
futex(0x7f3e965cf07c, FUTEX_WAKE_OP_PRIVATE, 1, 1, 0x7f3e965cf078, {FUTEX_OP_SET, 0, FUTEX_OP_CMP_GT, 1}) = 1
futex(0x7f3e965cf028, FUTEX_WAKE_PRIVATE, 1) = 1
munmap(0x7f3e8f076000, 2188320) = 0
munmap(0x7f3e965c8000, 266240) = 0
write(1, "\n; <<>> DiG 9.10.3-P4-Ubuntu <<>"..., 484) = 484
exit_group(0) = ?
+++ exited with 0 +++
I see clone syscalls there. Is dig forking and handling the DNS query in another process?
Versions:
strace -- version 4.11
DiG 9.10.3-P4-Ubuntu
Linux ubuntu 4.4.0-71-generic #92-Ubuntu SMP Fri Mar 24 12:59:01 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
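The clone calls in the trace carry CLONE_VM|CLONE_THREAD, so the dig process is creating threads rather than forking, and by default strace traces only the thread it started. Use strace -f to follow them.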