iotop-0.2.1-1 doesn't work

breun
Long Time Forum Regular
Posts: 2813
Joined: Sat Aug 20, 2005 9:30 am
Location: The Netherlands

I've installed iotop-0.2.1-1 from the atomic repo on both CentOS 4 and 5, but neither of them works.

CentOS 4:

# iotop
Traceback (most recent call last):
  File "/usr/bin/iotop", line 9, in ?
    from iotop.ui import main
  File "/usr/lib/python2.3/site-packages/iotop/ui.py", line 11, in ?
    from iotop.data import find_uids, TaskStatsNetlink, ProcessList
  File "/usr/lib/python2.3/site-packages/iotop/data.py", line 9, in ?
    from netlink import Connection, NETLINK_GENERIC, U32Attr, NLM_F_REQUEST
  File "/usr/lib/python2.3/site-packages/iotop/netlink.py", line 13, in ?
    _dummysock = socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, 0)
AttributeError: 'module' object has no attribute 'AF_NETLINK'

CentOS 5:

# iotop
This is neither python 2.5 nor is the _netlink C module available!
To run an uninstalled copy of iotop,
launch iotop.py in the top directory
Lemonbit Internet Dedicated Server Management
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Yeah, it needs a newer Python. Still trying to come up with a solution there.
breun
Long Time Forum Regular
Posts: 2813
Joined: Sat Aug 20, 2005 9:30 am
Location: The Netherlands

CentOS 5.6 comes with iotop support: https://twitter.com/CentOS/status/57929058289328128

I tried it on a plain CentOS 5.6 installation with the package from EPEL (iotop-0.4.1-2.el5) and indeed, it works!

But trying to run iotop on CentOS 5.6 + ASL I get a segmentation fault. /var/log/messages says:

Apr 13 08:46:24 hostname kernel: grsec: From 212.123.179.58: denied RWX mprotect of /lib64/ld-2.5.so by /usr/bin/iotop[iotop:9454] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:9351] uid/euid:0/0 gid/egid:0/0
Apr 13 08:46:24 hostname kernel: iotop[9454]: segfault at 7064fd690da0 ip 00007064fd47b9ec sp 00007fff5c169410 error 7 in ld-2.5.so[7064fd475000+1c000]

As per http://www.atomicorp.com/wiki/index.php ... X_mprotect I tried this:

# chpax -m /usr/bin/iotop
/usr/bin/iotop: Unknown file type (passed)
# iotop
Segmentation fault

What does the 'Unknown file type (passed)' message mean? Apparently PAX is still blocking this:

Apr 13 08:49:37 hostname kernel: grsec: From 212.123.179.58: denied RWX mprotect of /lib64/ld-2.5.so by /usr/bin/iotop[iotop:9836] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:9351] uid/euid:0/0 gid/egid:0/0
Apr 13 08:49:37 zaza kernel: iotop[9836]: segfault at 6248c405dda0 ip 00006248c3e489ec sp 00007fffa52e8410 error 7 in ld-2.5.so[6248c3e42000+1c000]

Any more ideas to get iotop working on a machine with ASL?
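Added example, not part of the original posts and not Atomicorp or iotop code: a Python script that pairs each grsec "denied RWX mprotect" line with the segfault logged for the same PID, decodes the page-fault error code, and computes where inside the mapped object the faulting instruction sits. Its input is the four kernel log lines quoted in the post above; the regular expressions assume exactly that message layout.

```python
import re

# Kernel log lines copied from the post above, used as sample input.
SAMPLE_LOG = """\
Apr 13 08:46:24 hostname kernel: grsec: From 212.123.179.58: denied RWX mprotect of /lib64/ld-2.5.so by /usr/bin/iotop[iotop:9454] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:9351] uid/euid:0/0 gid/egid:0/0
Apr 13 08:46:24 hostname kernel: iotop[9454]: segfault at 7064fd690da0 ip 00007064fd47b9ec sp 00007fff5c169410 error 7 in ld-2.5.so[7064fd475000+1c000]
Apr 13 08:49:37 hostname kernel: grsec: From 212.123.179.58: denied RWX mprotect of /lib64/ld-2.5.so by /usr/bin/iotop[iotop:9836] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:9351] uid/euid:0/0 gid/egid:0/0
Apr 13 08:49:37 zaza kernel: iotop[9836]: segfault at 6248c405dda0 ip 00006248c3e489ec sp 00007fffa52e8410 error 7 in ld-2.5.so[6248c3e42000+1c000]
"""

# Patterns assume exactly the message layout shown in those lines.
DENIED = re.compile(
    r"grsec: (?:From \S+: )?denied RWX mprotect of (?P<target>\S+) "
    r"by (?P<exe>\S+)\[[^:\]]+:(?P<pid>\d+)\].*? parent (?P<parent>\S+)\[")
SEGV = re.compile(
    r"kernel: \S+\[(?P<pid>\d+)\]: segfault at [0-9a-f]+ "
    r"ip (?P<ip>[0-9a-f]+) .* error (?P<err>\d+) "
    r"in (?P<obj>\S+)\[(?P<base>[0-9a-f]+)\+[0-9a-f]+\]")

def decode_fault(err):
    """Decode the low bits of the x86 page-fault error code ('error N')."""
    return {"cause": "protection violation" if err & 1 else "page not present",
            "access": "write" if err & 2 else "read",
            "mode": "user" if err & 4 else "kernel"}

def correlate(log_text):
    """Pair each denial with the crash for the same PID; ip_offset is ip - base."""
    denials, crashes = [], {}
    for line in log_text.splitlines():
        d, s = DENIED.search(line), SEGV.search(line)
        if d:
            denials.append(d.groupdict())
        elif s:
            crashes[s["pid"]] = s.groupdict()  # last crash per PID wins
    report = []
    for d in denials:
        entry = {"pid": int(d["pid"]), "exe": d["exe"], "target": d["target"],
                 "parent": d["parent"], "crash": None}
        c = crashes.get(d["pid"])
        if c:
            entry["crash"] = dict(
                decode_fault(int(c["err"])), object=c["obj"],
                ip_offset=int(c["ip"], 16) - int(c["base"], 16))
        report.append(entry)
    return report

if __name__ == "__main__":
    for entry in correlate(SAMPLE_LOG):
        print(entry)
```

For both quoted crashes the result shows the same instruction offset inside ld-2.5.so and a user-mode write to a protected page, so the two runs failed at the same point in the dynamic loader.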
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4155
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

breun wrote:
What does the 'Unknown file type (passed)' message mean? Apparently PAX is still blocking this:

iotop is a python script if memory serves, so it's not iotop that's trying to do bad things on your system but rather python itself. If python is configured to require mprotect, go file a bug report with the maintainer of python - that's a really bad idea to allow python to do that. Stack smash own your box city there.
breun
Long Time Forum Regular
Posts: 2813
Joined: Sat Aug 20, 2005 9:30 am
Location: The Netherlands

Hm, yes, iotop is a Python script. To confirm this I ran chpax -m /usr/bin/python and tried again. Indeed the segmentation fault no longer occurs, but apparently iotop still doesn't work with the ASL kernel even if mprotect() is not restricted to /usr/bin/python:

# chpax -m /usr/bin/python
[zaza.lemonbit.com ~]# iotop
Traceback (most recent call last):
  File "/usr/bin/iotop", line 16, in ?
    main()
  File "/usr/lib/python2.4/site-packages/iotop/ui.py", line 565, in main
    main_loop()
  File "/usr/lib/python2.4/site-packages/iotop/ui.py", line 555, in <lambda>
    main_loop = lambda: run_iotop(options)
  File "/usr/lib/python2.4/site-packages/iotop/ui.py", line 470, in run_iotop
    return curses.wrapper(run_iotop_window, options)
  File "/usr/lib64/python2.4/curses/wrapper.py", line 44, in wrapper
    return func(stdscr, *args, **kwds)
  File "/usr/lib/python2.4/site-packages/iotop/ui.py", line 462, in run_iotop_window
    process_list = ProcessList(taskstats_connection, options)
  File "/usr/lib/python2.4/site-packages/iotop/data.py", line 375, in __init__
    raise exc
OSError: Netlink error: Invalid argument (22)

I don't mind filing a bug report with Python (though I doubt that will be fixed soon), but apparently getting that fixed still won't make iotop work with ASL.

P.S.1 What exactly would I need to tell the Python guys in the bug report? "Don't use mprotect()"?
P.S.2 Yes, I ran chpax -M /usr/bin/python after this test. :)
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4155
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

breun wrote:
OSError: Netlink error: Invalid argument (22)

If that's the only error you get, then that's this bug:

https://bugzilla.redhat.com/show_bug.cgi?id=557062

breun wrote:
P.S.1 What exactly would I need to tell the Python guys in the bug report? "Don't use mprotect()"?

God yes. mprotect is bad. :-)
breun
Long Time Forum Regular
Posts: 2813
Joined: Sat Aug 20, 2005 9:30 am
Location: The Netherlands

mikeshinn wrote:
OSError: Netlink error: Invalid argument (22)
If that's the only error you get, then that's this bug:

https://bugzilla.redhat.com/show_bug.cgi?id=557062

I don't really understand what's the bug here. iotop works fine on the CentOS 5.6 kernel, but it throws the error above when run on the ASL kernel (with mprotect() not restricted for /usr/bin/python).
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Basically you've just discovered that iotop does something that is potentially exploitable. The default kernel doesn't have the capability to detect that like the ASL one does.
breun
Long Time Forum Regular
Posts: 2813
Joined: Sat Aug 20, 2005 9:30 am
Location: The Netherlands

Sure, but apparently there is another reason why iotop does not work with the ASL kernel, because I get another error after allowing Python to use mprotect().
breun
Long Time Forum Regular
Posts: 2813
Joined: Sat Aug 20, 2005 9:30 am
Location: The Netherlands

I filed a bug report with Python for using mprotect(): http://bugs.python.org/issue11912

Any idea why iotop still doesn't work when I allow Python to use mprotect()?
breun
Long Time Forum Regular
Posts: 2813
Joined: Sat Aug 20, 2005 9:30 am
Location: The Netherlands

breun wrote:
I filed a bug report with Python for using mprotect(): http://bugs.python.org/issue11912

I got a comment pretty quickly saying there is no sign of mprotect() in the whole Python source tree. Who is wrong here? Is grsecurity seeing ghosts? Could something else be calling mprotect()? Or must it be Python?
breun
Long Time Forum Regular
Posts: 2813
Joined: Sat Aug 20, 2005 9:30 am
Location: The Netherlands

I noticed iotop requires python-ctypes, which gives Python access to C libraries. And according to the Python guy:
glibc's `dlopen()` can call `mprotect()`, which is used for loading C extensions.
I don't really know who to blame now. I think I'll just ask the author of iotop if he knows whether iotop is doing mprotect.
BruceLee
Forum Regular
Posts: 879
Joined: Sat Mar 28, 2009 6:58 pm
Location: Germany

Hi breun,

what do you think about this? I know it's not doing exactly the same as iotop does but maybe it's useful for you.
http://collectl.sourceforge.net/
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4155
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

breun wrote:
I don't really know who to blame now. I think I'll just ask the author of iotop if he knows whether iotop is doing mprotect.

The kernel won't lie, if it says mprotect is being used, it is.
breun
Long Time Forum Regular
Posts: 2813
Joined: Sat Aug 20, 2005 9:30 am
Location: The Netherlands

I e-mailed the author of iotop, but he says iotop isn't using mprotect. And the Python devs say the same thing. How do I tell who's wrong?