Public bug reported:

On armhf only, the expected value for vm.max_map_count does not match what is expected. No drop-in is shown that conflicts with procps's defaults (see test output below).

However, since armhf autopkgtests run in containers, not all sysctls are writable from the container anyway (including vm.max_map_count). Hence, this test should either be xfail, or the sysctl-defaults test should have isolation-machine instead.

522s autopkgtest [21:13:52]: test sysctl-defaults: /usr/lib/systemd/systemd-sysctl --cat-config && pytest debian/tests/test_sysctl_defaults.py
522s autopkgtest [21:13:52]: test sysctl-defaults: [-----------------------
524s # /usr/lib/sysctl.d/10-apparmor.conf
524s # AppArmor restrictions of unprivileged user namespaces
524s 
524s # Allows to restrict the use of unprivileged user namespaces to applications
524s # which have an AppArmor profile loaded which specifies the userns
524s # permission. All other applications (whether confined by AppArmor or not) will
524s # be denied the use of unprivileged user namespaces.
524s #
524s # See
524s # https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction
524s # https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_unconfined
524s #
524s # If it is desired to disable this restriction, it is preferable to create an
524s # additional file named /etc/sysctl.d/20-apparmor.conf which will override this
524s # current file and sets this value to 0 rather than editing this current file
524s kernel.apparmor_restrict_unprivileged_userns = 1
524s kernel.apparmor_restrict_unprivileged_unconfined = 1
524s 
524s # /usr/lib/sysctl.d/10-coredump-debian.conf
524s kernel.core_pattern=core
524s 
524s # /usr/lib/sysctl.d/55-bufferbloat.conf
524s # The Fair Queue CoDel packet scheduler is an across the board improvement to
524s # the default pfifo_fast qdisc. It reduces bottleneck delays, provides accurate
524s # RTT estimates to elephant TCP flows, and still allows shorter (sparser) flows
524s # like DNS, ARP, SYN, routing, etc packets priority access. For technical
524s # details, refer to https://www.bufferbloat.net/projects/codel/wiki/
524s #
524s # To fight bufferbloat, set it as the default qdisc in Ubuntu.
524s -net.core.default_qdisc = fq_codel
524s 
524s # /usr/lib/sysctl.d/55-console-messages.conf
524s 
524s # the following stops low-level messages on console
524s kernel.printk = 4 4 1 7
524s 
524s # /usr/lib/sysctl.d/55-ipv6-privacy.conf
524s # IPv6 Privacy Extensions (RFC 4941)
524s # ---
524s # IPv6 typically uses a device's MAC address when choosing an IPv6 address
524s # to use in autoconfiguration. Privacy extensions allow using a randomly
524s # generated IPv6 address, which increases privacy.
524s #
524s # Acceptable values:
524s #    0 - don't use privacy extensions.
524s #    1 - generate privacy addresses
524s #    2 - prefer privacy addresses and use them over the normal addresses.
524s net.ipv6.conf.all.use_tempaddr = 2
524s net.ipv6.conf.default.use_tempaddr = 2
524s 
524s # /usr/lib/sysctl.d/55-kernel-hardening.conf
524s # These settings are specific to hardening the kernel itself from attack
524s # from userspace, rather than protecting userspace from other malicious
524s # userspace things.
524s #
524s #
524s # When an attacker is trying to exploit the local kernel, it is often
524s # helpful to be able to examine where in memory the kernel, modules,
524s # and data structures live. As such, kernel addresses should be treated
524s # as sensitive information.
524s #
524s # Many files and interfaces contain these addresses (e.g. /proc/kallsyms,
524s # /proc/modules, etc), and this setting can censor the addresses. A value
524s # of "0" allows all users to see the kernel addresses. A value of "1"
524s # limits visibility to the root user, and "2" blocks even the root user.
524s kernel.kptr_restrict = 1
524s 
524s # Access to the kernel log buffer can be especially useful for an attacker
524s # attempting to exploit the local kernel, as kernel addresses and detailed
524s # call traces are frequently found in kernel oops messages. Setting
524s # dmesg_restrict to "0" allows all users to view the kernel log buffer,
524s # and setting it to "1" restricts access to those with CAP_SYSLOG.
524s #
524s # dmesg_restrict defaults to 1 via CONFIG_SECURITY_DMESG_RESTRICT, only
524s # uncomment the following line to disable.
524s # kernel.dmesg_restrict = 0
524s 
524s # /usr/lib/sysctl.d/55-magic-sysrq.conf
524s # The magic SysRq key enables certain keyboard combinations to be
524s # interpreted by the kernel to help with debugging. The kernel will respond
524s # to these keys regardless of the current running applications.
524s #
524s # In general, the magic SysRq key is not needed for the average Ubuntu
524s # system, and having it enabled by default can lead to security issues on
524s # the console such as being able to dump memory or to kill arbitrary
524s # processes including the running screen lock.
524s #
524s # Here is the list of possible values:
524s #   0 - disable sysrq completely
524s #   1 - enable all functions of sysrq
524s #  >1 - enable certain functions by adding up the following values:
524s #     2 - enable control of console logging level
524s #     4 - enable control of keyboard (SAK, unraw)
524s #     8 - enable debugging dumps of processes etc.
524s #    16 - enable sync command
524s #    32 - enable remount read-only
524s #    64 - enable signalling of processes (term, kill, oom-kill)
524s #   128 - allow reboot/poweroff
524s #   256 - allow nicing of all RT tasks
524s #
524s # For example, to enable both control of console logging level and
524s # debugging dumps of processes: kernel.sysrq = 10
524s #
524s kernel.sysrq = 176
524s 
524s # /usr/lib/sysctl.d/55-map-count.conf
524s # Increase the number of virtual memory areas that one process may request
524s # https://bugs.launchpad.net/ubuntu/+source/procps/+bug/2057792
524s vm.max_map_count=1048576
524s 
524s # /usr/lib/sysctl.d/55-network-security.conf
524s 
524s # Turn on Source Address Verification in all interfaces to
524s # prevent some spoofing attacks.
524s net.ipv4.conf.default.rp_filter=2
524s net.ipv4.conf.all.rp_filter=2
524s 
524s 
524s # /usr/lib/sysctl.d/55-ptrace.conf
524s # The PTRACE system is used for debugging. With it, a single user process
524s # can attach to any other dumpable process owned by the same user. In the
524s # case of malicious software, it is possible to use PTRACE to access
524s # credentials that exist in memory (re-using existing SSH connections,
524s # extracting GPG agent information, etc).
524s #
524s # A PTRACE scope of "0" is the more permissive mode. A scope of "1" limits
524s # PTRACE only to direct child processes (e.g. "gdb name-of-program" and
524s # "strace -f name-of-program" work, but gdb's "attach" and "strace -fp $PID"
524s # do not). The PTRACE scope is ignored when a user has CAP_SYS_PTRACE, so
524s # "sudo strace -fp $PID" will work as before. For more details see:
524s # https://wiki.ubuntu.com/SecurityTeam/Roadmap/KernelHardening#ptrace
524s #
524s # For applications launching crash handlers that need PTRACE, exceptions can
524s # be registered by the debugee by declaring in the segfault handler
524s # specifically which process will be using PTRACE on the debugee:
524s #   prctl(PR_SET_PTRACER, debugger_pid, 0, 0, 0);
524s #
524s # In general, PTRACE is not needed for the average running Ubuntu system.
524s # To that end, the default is to set the PTRACE scope to "1". This value
524s # may not be appropriate for developers or servers with only admin accounts.
524s kernel.yama.ptrace_scope = 1
524s 
524s # /usr/lib/sysctl.d/55-zeropage.conf
524s # Protect the zero page of memory from userspace mmap to prevent kernel
524s # NULL-dereference attacks against potential future kernel security
524s # vulnerabilities. (Added in kernel 2.6.23.)
524s #
524s # While this default is built into the Ubuntu kernel, there is no way to
524s # restore the kernel default if the value is changed during runtime; for
524s # example via package removal (e.g. wine, dosemu). Therefore, this value
524s # is reset to the secure default each time the sysctl values are loaded.
524s #
524s # ARM-specific default:
524s vm.mmap_min_addr = 32768
524s 
524s # /etc/sysctl.d/99-cloudimg-ipv6.conf
524s # Written by the Cloud Image build process
524s # See https://bugs.launchpad.net/ubuntu/+source/procps/+bug/1068756
524s net.ipv6.conf.all.use_tempaddr = 0
524s net.ipv6.conf.default.use_tempaddr = 0
524s ============================= test session starts ==============================
524s platform linux -- Python 3.13.5, pytest-8.3.5, pluggy-1.5.0
524s rootdir: /tmp/autopkgtest.pViuEe/build.TqH/src
524s plugins: typeguard-4.4.2
524s collected 11 items
524s 
524s debian/tests/test_sysctl_defaults.py s.xx..F....                          [100%]
524s 
524s =================================== FAILURES ===================================
524s ________________ test_sysctl_defaults[vm.max_map_count-1048576] ________________
524s 
524s key = 'vm.max_map_count', expected = '1048576'
524s 
524s     @pytest.mark.parametrize("key, expected", expected_sysctl_defaults())
524s     def test_sysctl_defaults(key, expected):
524s         # If the sysctl key does not exist, skip the test.
524s         if not os.path.exists(f'/proc/sys/{key}'.replace('.', '/')):
524s             pytest.skip(f'{key} does not exist on this system, ignoring')
524s 
524s         actual = subprocess.check_output(['sysctl', '-n', key])
524s         actual = actual.decode().strip()
524s         actual = ' '.join(actual.split())
524s 
524s         # Due to LP: #1068756, cloud images ship /etc/sysctl.d/cloudimg-ipv6.conf
524s         # which overrides procps's defaults for net.ipv6.conf.{all,default}.use_tempaddr.
524s         #
524s         # If that override exists, expect a failure for those settings.
524s         if (
524s             os.path.exists('/etc/sysctl.d/99-cloudimg-ipv6.conf') and
524s             key in (
524s                 'net.ipv6.conf.all.use_tempaddr',
524s                 'net.ipv6.conf.default.use_tempaddr',
524s             )
524s         ):
524s             pytest.xfail(
524s                 f'/etc/systctl.d/99-cloudimg-ipv6.conf overrides {key}'
524s             )
524s 
524s >       assert actual == expected
524s E       AssertionError: assert '65530' == '1048576'
524s E         
524s E         - 1048576
524s E         + 65530
524s 
524s debian/tests/test_sysctl_defaults.py:75: AssertionError
524s =========================== short test summary info ============================
524s FAILED debian/tests/test_sysctl_defaults.py::test_sysctl_defaults[vm.max_map_count-1048576]
524s ============== 1 failed, 7 passed, 1 skipped, 2 xfailed in 0.10s ===============
524s autopkgtest [21:13:54]: test sysctl-defaults: -----------------------]

** Affects: procps (Ubuntu)
     Importance: High
     Assignee: Nick Rosbrook (enr0n)
         Status: Triaged

** Tags: dcr-incoming

** Changed in: procps (Ubuntu)
   Importance: Undecided => High

** Changed in: procps (Ubuntu)
     Assignee: (unassigned) => Nick
Rosbrook (enr0n)

** Changed in: procps (Ubuntu)
       Status: New => Triaged

** Tags added: dcr-incoming

https://bugs.launchpad.net/bugs/2115346

Title:
  test-sysctl-defaults fails on armhf

Status in procps package in Ubuntu:
  Triaged
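The failing test above compares `sysctl -n` output against the defaults that `systemd-sysctl --cat-config` prints, and in the armhf container the kernel's value (65530) is what the test sees because the package default could never have been written there. As an added example that is not the procps package's own debian/tests/test_sysctl_defaults.py, the following parses `--cat-config` output under the sysctl.d(5) rules (later files override earlier ones, a leading `-` marks a key whose failure to apply is ignored, whitespace in multi-field values is folded the way `sysctl -n` prints it) and reports a mismatch on a key that is read-only from the current environment as an expected failure rather than a hard one. The sample config text is constructed from the files in the log; the `os.access(W_OK)` probe of `/proc/sys` as the "writable from here" check is this example's assumption, and the dotted-key to `/proc/sys` path mapping ignores slash-form keys.

```python
"""Added example: parse `systemd-sysctl --cat-config` output and compare it
with the live values, reporting a mismatch on a key this environment cannot
write as an expected failure. Illustrative code, not the procps package's own
debian/tests/test_sysctl_defaults.py."""
import os
import re

# Constructed sample shaped like the --cat-config output in the bug log:
# a later file overrides an earlier one, and a leading '-' marks a key whose
# failure to apply systemd-sysctl should ignore (sysctl.d(5)).
SAMPLE_CAT_CONFIG = """\
# /usr/lib/sysctl.d/55-bufferbloat.conf
-net.core.default_qdisc = fq_codel

# /usr/lib/sysctl.d/55-console-messages.conf
kernel.printk = 4   4   1 7

# /usr/lib/sysctl.d/55-ipv6-privacy.conf
net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.default.use_tempaddr = 2

# /usr/lib/sysctl.d/55-map-count.conf
vm.max_map_count=1048576

# /etc/sysctl.d/99-cloudimg-ipv6.conf
net.ipv6.conf.all.use_tempaddr = 0
net.ipv6.conf.default.use_tempaddr = 0
"""

# --cat-config announces each file it merged as a "# /path.conf" comment.
SOURCE_RE = re.compile(r'#\s*(/\S+\.conf)$')


def parse_cat_config(text):
    """Return {key: (expected_value, ignore_failure, source_file)}.

    Follows sysctl.d(5): '#'/';' lines are comments, a leading '-' means
    "ignore failure to set", and the last assignment for a key wins.
    The source file is tracked so a conflicting drop-in can be named.
    """
    expected = {}
    source = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line[0] in '#;':
            m = SOURCE_RE.match(line)
            if m:
                source = m.group(1)
            continue
        ignore = line.startswith('-')
        if ignore:
            line = line[1:]
        key, sep, value = line.partition('=')
        if not sep:
            continue  # malformed line; systemd-sysctl warns and skips it
        # Fold whitespace runs the way `sysctl -n` prints multi-field values
        # (e.g. "4 4 1 7" for kernel.printk), so comparisons are textual.
        expected[key.strip()] = (' '.join(value.split()), ignore, source)
    return expected


def proc_path(key):
    """Map a dotted sysctl key to its /proc/sys file (dotted keys only)."""
    return '/proc/sys/' + key.replace('.', '/')


def classify(expected, actual, writable):
    """'pass' on match; otherwise 'fail' if this environment could have set
    the key and 'xfail' if it could not (e.g. a non-namespaced sysctl seen
    from a container), since the package default was never applicable."""
    if actual == expected:
        return 'pass'
    return 'fail' if writable else 'xfail'


def check_live(expected_map, read_value=None, is_writable=None):
    """Compare expected defaults with the live system; returns {key: status}.

    read_value/is_writable are injectable so the logic runs offline on
    constructed values. The defaults read /proc/sys directly and use
    os.access(W_OK) as a heuristic (an assumption of this example) for
    "writable from here".
    """
    if read_value is None:
        def read_value(key):
            with open(proc_path(key)) as fh:
                return ' '.join(fh.read().split())
    if is_writable is None:
        def is_writable(key):
            return os.access(proc_path(key), os.W_OK)
    results = {}
    for key, (value, _ignore, _source) in expected_map.items():
        try:
            actual = read_value(key)
        except FileNotFoundError:
            results[key] = 'skip'  # key absent on this kernel/architecture
            continue
        results[key] = classify(value, actual, is_writable(key))
    return results


if __name__ == '__main__':
    for key, status in check_live(parse_cat_config(SAMPLE_CAT_CONFIG)).items():
        print(f'{status:5} {key}')
```

Run on a real host the script reads `/proc/sys` itself; in a pytest port of this idea the `xfail` branch would become `pytest.xfail(...)` and `skip` would become `pytest.skip(...)`, which keeps a container run from reporting a red failure for a sysctl the container was never allowed to write while still failing on keys it could have set.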

