iotop-0.2.1-1 doesn't work
Posted: Mon Nov 08, 2010 9:10 am
by breun
I've installed iotop-0.2.1-1 from the atomic repo on both CentOS 4 and 5, but neither of them works.
CentOS 4:
# iotop
Traceback (most recent call last):
File "/usr/bin/iotop", line 9, in ?
from iotop.ui import main
File "/usr/lib/python2.3/site-packages/iotop/ui.py", line 11, in ?
from iotop.data import find_uids, TaskStatsNetlink, ProcessList
File "/usr/lib/python2.3/site-packages/iotop/data.py", line 9, in ?
from netlink import Connection, NETLINK_GENERIC, U32Attr, NLM_F_REQUEST
File "/usr/lib/python2.3/site-packages/iotop/netlink.py", line 13, in ?
_dummysock = socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, 0)
AttributeError: 'module' object has no attribute 'AF_NETLINK'
CentOS 5:
# iotop
This is neither python 2.5 nor is the _netlink C module available!
To run an uninstalled copy of iotop,
launch iotop.py in the top directory
Re: iotop-0.2.1-1 doesn't work
Posted: Mon Nov 08, 2010 11:21 am
by scott
Yeah, it needs a newer Python. Still trying to come up with a solution there.
Re: iotop-0.2.1-1 doesn't work
Posted: Wed Apr 13, 2011 2:53 am
by breun
CentOS 5.6 comes with iotop support:
https://twitter.com/CentOS/status/57929058289328128
I tried it on a plain CentOS 5.6 installation with the package from EPEL (iotop-0.4.1-2.el5) and indeed, it works!
But trying to run iotop on CentOS 5.6 + ASL I get a segmentation fault. /var/log/messages says:
Apr 13 08:46:24 hostname kernel: grsec: From 212.123.179.58: denied RWX mprotect of /lib64/ld-2.5.so by /usr/bin/iotop[iotop:9454] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:9351] uid/euid:0/0 gid/egid:0/0
Apr 13 08:46:24 hostname kernel: iotop[9454]: segfault at 7064fd690da0 ip 00007064fd47b9ec sp 00007fff5c169410 error 7 in ld-2.5.so[7064fd475000+1c000]
As per http://www.atomicorp.com/wiki/index.php ... X_mprotect I tried this:
# chpax -m /usr/bin/iotop
/usr/bin/iotop: Unknown file type (passed)
# iotop
Segmentation fault
What does the 'Unknown file type (passed)' message mean? Apparently PAX is still blocking this:
Apr 13 08:49:37 hostname kernel: grsec: From 212.123.179.58: denied RWX mprotect of /lib64/ld-2.5.so by /usr/bin/iotop[iotop:9836] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:9351] uid/euid:0/0 gid/egid:0/0
Apr 13 08:49:37 zaza kernel: iotop[9836]: segfault at 6248c405dda0 ip 00006248c3e489ec sp 00007fffa52e8410 error 7 in ld-2.5.so[6248c3e42000+1c000]
Any more ideas to get iotop working on a machine with ASL?
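An added example, not part of any post in this thread: a Python script that pairs each grsec denial with the segfault of the same PID, using the log lines quoted above (source IP replaced with a documentation address). It separates the file targeted by the denied mprotect from the executable the kernel names, and decodes the x86 page-fault error code; the regexes assume the line layout seen in these four lines.

```python
import re

# Log lines adapted from the post above (source IP replaced with a documentation address).
SAMPLE = """\
Apr 13 08:46:24 hostname kernel: grsec: From 192.0.2.10: denied RWX mprotect of /lib64/ld-2.5.so by /usr/bin/iotop[iotop:9454] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:9351] uid/euid:0/0 gid/egid:0/0
Apr 13 08:46:24 hostname kernel: iotop[9454]: segfault at 7064fd690da0 ip 00007064fd47b9ec sp 00007fff5c169410 error 7 in ld-2.5.so[7064fd475000+1c000]
Apr 13 08:49:37 hostname kernel: grsec: From 192.0.2.10: denied RWX mprotect of /lib64/ld-2.5.so by /usr/bin/iotop[iotop:9836] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:9351] uid/euid:0/0 gid/egid:0/0
Apr 13 08:49:37 hostname kernel: iotop[9836]: segfault at 6248c405dda0 ip 00006248c3e489ec sp 00007fffa52e8410 error 7 in ld-2.5.so[6248c3e42000+1c000]
"""

DENY = re.compile(r"grsec: From (?P<src>\S+): denied (?P<action>.+?) of (?P<object>\S+) "
                  r"by (?P<exe>[^\[\s]+)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\]")
SEGV = re.compile(r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
                  r"ip (?P<ip>[0-9a-f]+) sp [0-9a-f]+ error (?P<err>[0-9a-f]+) "
                  r"in (?P<module>\S+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]")

def decode_fault(err):
    """Decode the low x86 page-fault error-code bits the kernel prints after 'error'."""
    return ("protection violation" if err & 1 else "page not present",
            "write" if err & 2 else "read",
            "user mode" if err & 4 else "kernel mode")

def correlate(text):
    """Pair each grsec denial with the segfault reported for the same PID."""
    events = {}
    for line in text.splitlines():
        m = DENY.search(line)
        if m:
            events[int(m["pid"])] = {"exe": m["exe"], "denied": m["action"],
                                     "object": m["object"]}
            continue
        m = SEGV.search(line)
        if m and int(m["pid"]) in events:
            base = int(m["base"], 16)
            events[int(m["pid"])].update(
                module=m["module"],
                ip_offset=int(m["ip"], 16) - base,      # ASLR-independent code offset
                addr_offset=int(m["addr"], 16) - base,  # fault address relative to the mapping
                fault=decode_fault(int(m["err"], 16)))
    return events

if __name__ == "__main__":
    for pid, ev in correlate(SAMPLE).items():
        print(pid, ev["exe"], "->", ev["object"], hex(ev["ip_offset"]), ev["fault"])
```

In both runs the faulting instruction sits at the same offset (0x69ec) inside ld-2.5.so, and error 7 decodes to a user-mode write to a present page, although the load addresses differ between runs.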
Re: iotop-0.2.1-1 doesn't work
Posted: Wed Apr 13, 2011 6:25 am
by mikeshinn
What does the 'Unknown file type (passed)' message mean? Apparently PAX is still blocking this:
iotop is a Python script if memory serves, so it's not iotop that's trying to do bad things on your system but rather Python itself. If Python is configured to require mprotect, go file a bug report with the maintainer of Python - that's a really bad idea to allow Python to do that. Stack smash own your box city there.
Re: iotop-0.2.1-1 doesn't work
Posted: Wed Apr 13, 2011 7:02 am
by breun
Hm, yes, iotop is a Python script. To confirm this I ran chpax -m /usr/bin/python and tried again. Indeed the segmentation fault no longer occurs, but apparently iotop still doesn't work with the ASL kernel even if mprotect() is not restricted to /usr/bin/python:
# chpax -m /usr/bin/python
[zaza.lemonbit.com ~]# iotop
Traceback (most recent call last):
File "/usr/bin/iotop", line 16, in ?
main()
File "/usr/lib/python2.4/site-packages/iotop/ui.py", line 565, in main
main_loop()
File "/usr/lib/python2.4/site-packages/iotop/ui.py", line 555, in <lambda>
main_loop = lambda: run_iotop(options)
File "/usr/lib/python2.4/site-packages/iotop/ui.py", line 470, in run_iotop
return curses.wrapper(run_iotop_window, options)
File "/usr/lib64/python2.4/curses/wrapper.py", line 44, in wrapper
return func(stdscr, *args, **kwds)
File "/usr/lib/python2.4/site-packages/iotop/ui.py", line 462, in run_iotop_window
process_list = ProcessList(taskstats_connection, options)
File "/usr/lib/python2.4/site-packages/iotop/data.py", line 375, in __init__
raise exc
OSError: Netlink error: Invalid argument (22)
I don't mind filing a bug report with Python (though I doubt that will be fixed soon), but apparently getting that fixed still won't make iotop work with ASL.
P.S.1 What exactly would I need to tell the Python guys in the bug report? "Don't use mprotect()"?
P.S.2 Yes, I ran chpax -M /usr/bin/python after this test.

Re: iotop-0.2.1-1 doesn't work
Posted: Wed Apr 13, 2011 7:09 am
by mikeshinn
OSError: Netlink error: Invalid argument (22)
If that's the only error you get, then that's this bug:
https://bugzilla.redhat.com/show_bug.cgi?id=557062
P.S.1 What exactly would I need to tell the Python guys in the bug report? "Don't use mprotect()"?
God yes. mprotect is bad.

Re: iotop-0.2.1-1 doesn't work
Posted: Wed Apr 13, 2011 7:41 am
by breun
I don't really understand what's the bug here. iotop works fine on the CentOS 5.6 kernel, but it throws the error above when run on the ASL kernel (with mprotect() not restricted for /usr/bin/python).
Re: iotop-0.2.1-1 doesn't work
Posted: Wed Apr 13, 2011 8:50 am
by scott
Basically you've just discovered that iotop does something that is potentially exploitable. The default kernel doesn't have the capability to detect that like the ASL one does.
Re: iotop-0.2.1-1 doesn't work
Posted: Wed Apr 13, 2011 8:55 am
by breun
Sure, but apparently there is another reason why iotop does not work with the ASL kernel, because I get another error after allowing Python to use mprotect().
Re: iotop-0.2.1-1 doesn't work
Posted: Sat Apr 23, 2011 7:42 pm
by breun
I filed a bug report with Python for using mprotect():
http://bugs.python.org/issue11912
Any idea why iotop still doesn't work when I allow Python to use mprotect()?
Re: iotop-0.2.1-1 doesn't work
Posted: Sat Apr 23, 2011 8:02 pm
by breun
I got a comment pretty quickly saying there is no sign of mprotect() in the whole Python source tree. Who is wrong here? Is grsecurity seeing ghosts? Could something else be calling mprotect()? Or must it be Python?
Re: iotop-0.2.1-1 doesn't work
Posted: Sun Apr 24, 2011 3:05 am
by breun
I noticed iotop requires python-ctypes, which gives Python access to C libraries. And according to the Python guy:
glibc's `dlopen()` can call `mprotect()`, which is used for loading C extensions.
I don't really know who to blame now. I think I'll just ask the author of iotop if he knows whether iotop is doing mprotect.
Re: iotop-0.2.1-1 doesn't work
Posted: Sun Apr 24, 2011 5:46 am
by BruceLee
Hi breun,
what do you think about this? I know it's not doing exactly the same as iotop does but maybe it's useful for you.
http://collectl.sourceforge.net/
Re: iotop-0.2.1-1 doesn't work
Posted: Sun Apr 24, 2011 2:44 pm
by mikeshinn
I don't really know who to blame now. I think I'll just ask the author of iotop if he knows whether iotop is doing mprotect.
The kernel won't lie, if it says mprotect is being used, it is.
Re: iotop-0.2.1-1 doesn't work
Posted: Sun Apr 24, 2011 6:58 pm
by breun
I e-mailed the author of iotop, but he says iotop isn't using mprotect. And the Python devs say the same thing. How do I tell who's wrong?