pyflame build fails with hardened profile or kernel.yama.ptrace_scope = 1 #52827

Closed
ivan opened this issue Dec 25, 2018 · 1 comment · Fixed by #59814 or #52828


ivan commented Dec 25, 2018

Issue description

pyflame fails to build if there are ptrace scope restrictions (e.g. when using the hardened profile).

Steps to reproduce

  1. Add boot.kernel.sysctl."kernel.yama.ptrace_scope" = lib.mkOverride 0 1; to configuration (or add <nixpkgs/nixos/modules/profiles/hardened.nix> to imports)

  2. nixos-rebuild switch --upgrade

  3. If already built, modify something in ./pkgs/development/tools/profiling/pyflame/default.nix to change the hash

  4. nix-env -iA pyflame

  5. Observe build failure on failing tests:

Log
unpacking sources
unpacking source archive /nix/store/a6nhgw33vbnlyj3klmfwlbni8xj4a9kg-source
source root is source
patching sources
patching script interpreter paths in .
./autogen.sh: interpreter directive changed from "/bin/sh" to "/nix/store/can00lfiynqkbsdkkmgp6qg8p8w92cxa-bash-4.4-p23/bin/sh"
./docs/generate-man.sh: interpreter directive changed from "/bin/bash" to "/nix/store/can00lfiynqkbsdkkmgp6qg8p8w92cxa-bash-4.4-p23/bin/bash"
./runtests.sh: interpreter directive changed from "/bin/bash" to "/nix/store/can00lfiynqkbsdkkmgp6qg8p8w92cxa-bash-4.4-p23/bin/bash"
./tests/sleep.sh: interpreter directive changed from "/bin/sh" to "/nix/store/can00lfiynqkbsdkkmgp6qg8p8w92cxa-bash-4.4-p23/bin/sh"
./utils/flame-chart-json: interpreter directive changed from "/usr/bin/env python" to "/nix/store/wyxx6va0xl9yh90i6nlxv0ml985dl3r5-python3-3.6.7/bin/python"
substituteStream(): WARNING: pattern '#!usr/bin/env python' doesn't match anything in file 'utils/flame-chart-json'
autoreconfPhase
autoreconf: Entering directory `.'
autoreconf: configure.ac: not using Gettext
autoreconf: running: aclocal --force -I m4
autoreconf: configure.ac: tracing
autoreconf: configure.ac: creating directory build-aux
autoreconf: running: libtoolize --copy --force
libtoolize: putting auxiliary files in AC_CONFIG_AUX_DIR, 'build-aux'.
libtoolize: copying file 'build-aux/ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIRS, 'm4'.
libtoolize: copying file 'm4/libtool.m4'
libtoolize: copying file 'm4/ltoptions.m4'
libtoolize: copying file 'm4/ltsugar.m4'
libtoolize: copying file 'm4/ltversion.m4'
libtoolize: copying file 'm4/lt~obsolete.m4'
autoreconf: running: /nix/store/m3y6w8ixm9hwppycdsv604ghgq1753wx-autoconf-2.69/bin/autoconf --force
autoreconf: running: /nix/store/m3y6w8ixm9hwppycdsv604ghgq1753wx-autoconf-2.69/bin/autoheader --force
autoreconf: running: automake --add-missing --copy --force-missing
configure.ac:45: installing 'build-aux/ar-lib'
configure.ac:39: installing 'build-aux/compile'
configure.ac:12: installing 'build-aux/config.guess'
configure.ac:12: installing 'build-aux/config.sub'
configure.ac:31: installing 'build-aux/install-sh'
configure.ac:31: installing 'build-aux/missing'
src/Makefile.am: installing 'build-aux/depcomp'
autoreconf: Leaving directory `.'
configuring
fixing libtool script ./build-aux/ltmain.sh
configure flags: --disable-static --disable-dependency-tracking --prefix=/nix/store/avi0pjldqp4ma382986j6126vmzp34bk-pyflame-1.6.7
checking build system type... x86_64-pc-linux-gnu
checking host system type... x86_64-pc-linux-gnu
configure: x86-64 system, threads will be supported
checking for a BSD-compatible install... /nix/store/0q4i5ll9gxs6giq7kqkniww934j9j8dk-coreutils-8.30/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /nix/store/0q4i5ll9gxs6giq7kqkniww934j9j8dk-coreutils-8.30/bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
checking whether make supports nested variables... (cached) yes
checking whether the C++ compiler works... yes
checking for C++ compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C++ compiler... yes
checking whether g++ accepts -g... yes
checking whether make supports the include directive... yes (GNU style)
checking dependency style of g++... none
checking for gawk... (cached) gawk
checking for gcc... gcc
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking whether gcc understands -c and -o together... yes
checking dependency style of gcc... none
checking how to run the C preprocessor... gcc -E
checking whether ln -s works... yes
checking whether make sets $(MAKE)... (cached) yes
checking the archiver (ar) interface... ar
checking how to print strings... printf
checking for a sed that does not truncate output... /nix/store/4q0b6gz1yvb4bdzfcbyicz3vmlq05nxa-gnused-4.5/bin/sed
checking for grep that handles long lines and -e... /nix/store/zzzq8a9af192wfsi7lvf0mndpc8ykp4q-gnugrep-3.1/bin/grep
checking for egrep... /nix/store/zzzq8a9af192wfsi7lvf0mndpc8ykp4q-gnugrep-3.1/bin/grep -E
checking for fgrep... /nix/store/zzzq8a9af192wfsi7lvf0mndpc8ykp4q-gnugrep-3.1/bin/grep -F
checking for ld used by gcc... ld
checking if the linker (ld) is GNU ld... yes
checking for BSD- or MS-compatible name lister (nm)... nm
checking the name lister (nm) interface... BSD nm
checking the maximum length of command line arguments... 1572864
checking how to convert x86_64-pc-linux-gnu file names to x86_64-pc-linux-gnu format... func_convert_file_noop
checking how to convert x86_64-pc-linux-gnu file names to toolchain format... func_convert_file_noop
checking for ld option to reload object files... -r
checking for objdump... objdump
checking how to recognize dependent libraries... pass_all
checking for dlltool... no
checking how to associate runtime and link libraries... printf %s\n
checking for archiver @FILE support... @
checking for strip... strip
checking for ranlib... ranlib
checking command to parse nm output from gcc object... ok
checking for sysroot... no
checking for a working dd... /nix/store/0q4i5ll9gxs6giq7kqkniww934j9j8dk-coreutils-8.30/bin/dd
checking how to truncate binary pipes... /nix/store/0q4i5ll9gxs6giq7kqkniww934j9j8dk-coreutils-8.30/bin/dd bs=4096 count=1
./configure: line 7798: /usr/bin/file: No such file or directory
checking for mt... no
checking if : is a manifest tool... no
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking for dlfcn.h... yes
checking for objdir... .libs
checking if gcc supports -fno-rtti -fno-exceptions... no
checking for gcc option to produce PIC... -fPIC -DPIC
checking if gcc PIC flag -fPIC -DPIC works... yes
checking if gcc static flag -static works... no
checking if gcc supports -c -o file.o... yes
checking if gcc supports -c -o file.o... (cached) yes
checking whether the gcc linker (ld) supports shared libraries... yes
checking whether -lc should be explicitly linked in... no
checking dynamic linker characteristics... GNU/Linux ld.so
checking how to hardcode library paths into programs... immediate
checking whether stripping libraries is possible... yes
checking if libtool supports shared libraries... yes
checking whether to build shared libraries... yes
checking whether to build static libraries... no
checking how to run the C++ preprocessor... g++ -E
checking for ld used by g++... ld
checking if the linker (ld) is GNU ld... yes
checking whether the g++ linker (ld) supports shared libraries... yes
checking for g++ option to produce PIC... -fPIC -DPIC
checking if g++ PIC flag -fPIC -DPIC works... yes
checking if g++ static flag -static works... no
checking if g++ supports -c -o file.o... yes
checking if g++ supports -c -o file.o... (cached) yes
checking whether the g++ linker (ld) supports shared libraries... yes
checking dynamic linker characteristics... (cached) GNU/Linux ld.so
checking how to hardcode library paths into programs... immediate
checking linux/ptrace.h usability... yes
checking linux/ptrace.h presence... yes
checking for linux/ptrace.h... yes
checking whether C++ compiler accepts "-std=c++11"... yes
checking whether C++ compiler accepts -Wall... yes
checking fcntl.h usability... yes
checking fcntl.h presence... yes
checking for fcntl.h... yes
checking limits.h usability... yes
checking limits.h presence... yes
checking for limits.h... yes
checking sys/time.h usability... yes
checking sys/time.h presence... yes
checking for sys/time.h... yes
checking for unistd.h... (cached) yes
checking for stdbool.h that conforms to C99... no
checking for _Bool... no
checking for inline... inline
checking for pid_t... yes
checking for size_t... yes
checking for ssize_t... yes
checking for uint16_t... yes
checking for uint8_t... yes
checking vfork.h usability... no
checking vfork.h presence... no
checking for vfork.h... no
checking for fork... yes
checking for vfork... yes
checking for working fork... yes
checking for working vfork... (cached) yes
checking whether lstat correctly handles trailing slash... yes
checking for stdlib.h... (cached) yes
checking for unistd.h... (cached) yes
checking for sys/param.h... yes
checking for getpagesize... yes
checking for working mmap... yes
checking for getpagesize... (cached) yes
checking for memmove... yes
checking for munmap... yes
checking for strerror... yes
checking for strtol... yes
checking for strtoul... yes
checking for pkg-config... /nix/store/p5p53ar0pr73xgad40ksmvalqffdx1l5-pkg-config-0.29.2/bin/pkg-config
checking pkg-config is at least version 0.9.0... yes
checking for python2... yes
checking for python-3.4... no
checking for python-3.5... yes
checking for python-3.6... yes
configure: Found at least one copy of Python.h
checking that generated files are newer than configure... done
configure: creating ./config.status
config.status: creating Makefile
config.status: creating src/Makefile
config.status: creating src/config.h
config.status: executing depfiles commands
config.status: executing libtool commands

Options used to compile and link:

  with threads        = yes
  with Python 2.6/7   = yes
  with Python 3.4/5   = yes
  with Python 3.6+    = yes

  CXX                 = g++
  CXXFLAGS            = -g -O2 -std=c++11 -Wall

building
build flags: SHELL=/nix/store/can00lfiynqkbsdkkmgp6qg8p8w92cxa-bash-4.4-p23/bin/bash
Making all in src
make[1]: Entering directory '/build/source/src'
make  all-am
make[2]: Entering directory '/build/source/src'
  CXX      aslr.o
  CXX      frame.o
  CXX      thread.o
  CXX      namespace.o
  CXX      posix.o
  CXX      prober.o
  CXX      ptrace.o
  CXX      pyflame.o
  CXX      pyfrob.o
  CXX      symbol.o
  CXX      libfrob26_la-frob26.lo
  CXXLD    libfrob26.la
ar: `u' modifier ignored since `D' is the default (see `U')
  CXX      libfrob34_la-frob34.lo
  CXXLD    libfrob34.la
ar: `u' modifier ignored since `D' is the default (see `U')
  CXX      libfrob36_la-frob36.lo
  CXXLD    libfrob36.la
ar: `u' modifier ignored since `D' is the default (see `U')
  CXXLD    pyflame
make[2]: Leaving directory '/build/source/src'
make[1]: Leaving directory '/build/source/src'
make[1]: Entering directory '/build/source'
make[1]: Nothing to be done for 'all-am'.
make[1]: Leaving directory '/build/source'
running tests
++ PYMAJORVERSION=3
++ PATH=/nix/store/0q4i5ll9gxs6giq7kqkniww934j9j8dk-coreutils-8.30/bin
++ PYTHONPATH=
++ /nix/store/z9aywnzjp5rsnqdyqrqc4sh4vv5dvilj-python3.6-pytest-3.9.3/bin/pytest tests/
============================= test session starts ==============================
platform linux -- Python 3.6.7, pytest-3.9.3, py-1.7.0, pluggy-0.8.0
rootdir: /build/source, inifile:
collected 37 items

tests/test_end_to_end.py s.FFFFF...FsFF..........s....FF....FF           [100%]

=================================== FAILURES ===================================
_________________________________ test_monitor _________________________________

dijkstra = <subprocess.Popen object at 0x7ffff1417908>

    def test_monitor(dijkstra):
        """Basic test for the monitor mode."""
        proc = subprocess.Popen(
            [path_to_pyflame(), '-p', str(dijkstra.pid)],
            stdout=subprocess.PIPE,
            stderr=subprocess.PIPE,
            universal_newlines=True)
        out, err = communicate(proc)
>       assert not err
E       AssertionError: assert not 'Failed to seize PID 5580\n'

tests/test_end_to_end.py:208: AssertionError
_________________________________ test_non_gil _________________________________

sleeper = <subprocess.Popen object at 0x7ffff1422208>

    def test_non_gil(sleeper):
        """Basic test for non-GIL/native code processes."""
        proc = subprocess.Popen(
            [path_to_pyflame(), '-p', str(sleeper.pid)],
            stdout=subprocess.PIPE,
            stderr=subprocess.PIPE,
            universal_newlines=True)
        out, err = communicate(proc)
>       assert not err
E       AssertionError: assert not 'Failed to seize PID 5582\n'

tests/test_end_to_end.py:223: AssertionError
________________________________ test_threaded _________________________________

threaded_sleeper = <subprocess.Popen object at 0x7ffff23b44e0>

    @pytest.mark.skipif(MISSING_THREADS, reason='build does not have threads')
    def test_threaded(threaded_sleeper):
        """Basic test for non-GIL/native code processes."""
        proc = subprocess.Popen(
            [path_to_pyflame(), '--threads', '-p',
             str(threaded_sleeper.pid)],
            stdout=subprocess.PIPE,
            stderr=subprocess.PIPE,
            universal_newlines=True)
        out, err = communicate(proc)
>       assert not err
E       AssertionError: assert not 'Failed to seize PID 5584\n'

tests/test_end_to_end.py:240: AssertionError
_______________________________ test_unthreaded ________________________________

threaded_busy = <subprocess.Popen object at 0x7ffff23dfe80>

    def test_unthreaded(threaded_busy):
        """Test only one process is profiled by default."""
        proc = subprocess.Popen(
            [path_to_pyflame(), '-s', '0', '-p',
             str(threaded_busy.pid)],
            stdout=subprocess.PIPE,
            stderr=subprocess.PIPE,
            universal_newlines=True)
        out, err = communicate(proc)
>       assert not err
E       AssertionError: assert not 'Failed to seize PID 5588\n'

tests/test_end_to_end.py:273: AssertionError
___________________________ test_legacy_pid_handling ___________________________

threaded_busy = <subprocess.Popen object at 0x7ffff231f860>

    def test_legacy_pid_handling(threaded_busy):
        # test PID parsing when -p is not used
        proc = subprocess.Popen(
            [path_to_pyflame(), '-s', '0',
             str(threaded_busy.pid)],
            stdout=subprocess.PIPE,
            stderr=subprocess.PIPE,
            universal_newlines=True)
        out, err = communicate(proc)
        assert err.startswith('WARNING: ')
>       assert proc.returncode == 0
E       assert 1 == 0
E        +  where 1 = <subprocess.Popen object at 0x7ffff250a240>.returncode

tests/test_end_to_end.py:289: AssertionError
______________________________ test_exclude_idle _______________________________

sleeper = <subprocess.Popen object at 0x7ffff23246a0>

    def test_exclude_idle(sleeper):
        """Basic test for idle processes."""
        proc = subprocess.Popen(
            [path_to_pyflame(), '-x', '-p',
             str(sleeper.pid)],
            stdout=subprocess.PIPE,
            stderr=subprocess.PIPE,
            universal_newlines=True)
        out, err = communicate(proc)
>       assert not err
E       AssertionError: assert not 'Failed to seize PID 5597\n'

tests/test_end_to_end.py:337: AssertionError
_______________________________ test_exit_early ________________________________

exit_early = <subprocess.Popen object at 0x7ffff146e198>

    def test_exit_early(exit_early):
        proc = subprocess.Popen(
            [path_to_pyflame(), '-s', '10', '-p',
             str(exit_early.pid)],
            stdout=subprocess.PIPE,
            stderr=subprocess.PIPE)
        out, err = communicate(proc)
>       assert not err
E       AssertionError: assert not 'Failed to seize PID 5599\n'

tests/test_end_to_end.py:379: AssertionError
____________________________ test_sample_not_python ____________________________

not_python = <subprocess.Popen object at 0x7ffff2348f60>

    def test_sample_not_python(not_python):
        proc = subprocess.Popen(
            [path_to_pyflame(), '-p', str(not_python.pid)],
            stdout=subprocess.PIPE,
            stderr=subprocess.PIPE)
        out, err = communicate(proc)
        assert not out
>       assert (err.startswith('Failed to locate libpython')
                or err.startswith('Target ELF file has EI_CLASS'))
E       AssertionError: assert (False or False)
E        +  where False = <built-in method startswith of str object at 0x7ffff23a5d50>('Failed to locate libpython')
E        +    where <built-in method startswith of str object at 0x7ffff23a5d50> = 'Failed to seize PID 5601\n'.startswith
E        +  and   False = <built-in method startswith of str object at 0x7ffff23a5d50>('Target ELF file has EI_CLASS')
E        +    where <built-in method startswith of str object at 0x7ffff23a5d50> = 'Failed to seize PID 5601\n'.startswith

tests/test_end_to_end.py:393: AssertionError
_______________________________ test_include_ts ________________________________

sleeper = <subprocess.Popen object at 0x7ffff2357dd8>

    def test_include_ts(sleeper):
        """Basic test for timestamp processes."""
        proc = subprocess.Popen(
            [path_to_pyflame(), '--flamechart', '-p',
             str(sleeper.pid)],
            stdout=subprocess.PIPE,
            stderr=subprocess.PIPE,
            universal_newlines=True)
        out, err = proc.communicate()
>       assert not err
E       AssertionError: assert not 'Failed to seize PID 5625\n'

tests/test_end_to_end.py:520: AssertionError
_________________________ test_include_ts_exclude_idle _________________________

sleeper = <subprocess.Popen object at 0x7ffff14e3b70>

    def test_include_ts_exclude_idle(sleeper):
        """Basic test for timestamp processes."""
        proc = subprocess.Popen(
            [path_to_pyflame(), '--flamechart', '-x', '-p',
             str(sleeper.pid)],
            stdout=subprocess.PIPE,
            stderr=subprocess.PIPE,
            universal_newlines=True)
        out, err = proc.communicate()
>       assert not err
E       AssertionError: assert not 'Failed to seize PID 5627\n'

tests/test_end_to_end.py:538: AssertionError
_______________________________ test_thread_dump _______________________________

threaded_dijkstra = <subprocess.Popen object at 0x7ffff2324a90>

    @pytest.mark.skipif(MISSING_THREADS, reason='build does not have threads')
    def test_thread_dump(threaded_dijkstra):
        time.sleep(0.5)
        proc = subprocess.Popen(
            [path_to_pyflame(), '-d', '-p',
             str(threaded_dijkstra.pid)],
            stdout=subprocess.PIPE,
            stderr=subprocess.PIPE)
        out, err = communicate(proc)
>       assert not err
E       AssertionError: assert not 'Failed to seize PID 5651\n'

tests/test_end_to_end.py:610: AssertionError
_____________________________ test_no_line_numbers _____________________________

dijkstra = <subprocess.Popen object at 0x7ffff235e390>

    def test_no_line_numbers(dijkstra):
        """Basic test for --no-line-numbers"""
        proc = subprocess.Popen(
            [path_to_pyflame(), '-p',
             str(dijkstra.pid), "--no-line-numbers"],
            stdout=subprocess.PIPE,
            stderr=subprocess.PIPE,
            universal_newlines=True)
        out, err = communicate(proc)
>       assert not err
E       AssertionError: assert not 'Failed to seize PID 5657\n'

tests/test_end_to_end.py:630: AssertionError
=============== 12 failed, 22 passed, 3 skipped in 13.98 seconds ===============
+ exitHandler
+ exitCode=1
+ set +e
+ '[' -n '' ']'
+ ((  1 != 0  ))
+ runHook failureHook
++ shopt -po nounset
+ local 'oldOpts=set +o nounset'
+ set -u
+ local hookName=failureHook
+ shift
+ local 'hooksSlice=failureHooks[@]'
+ local hook
+ for hook in "_callImplicitHook 0 $hookName" ${!hooksSlice+"${!hooksSlice}"}
+ _eval '_callImplicitHook 0 failureHook'
++ type -t '_callImplicitHook 0 failureHook'
+ '[' '' = function ']'
+ set +u
+ eval '_callImplicitHook 0 failureHook'
++ _callImplicitHook 0 failureHook
++ set -u
++ local def=0
++ local hookName=failureHook
++ case "$(type -t "$hookName")" in
+++ type -t failureHook
++ '[' -z '' ']'
++ return 0
+ set -u
+ eval 'set +o nounset'
++ set +o nounset
+ return 0
+ '[' -n '' ']'
+ exit 1
builder for '/nix/store/846lhn50hbhch70ajx0wwccyrs4g7k7v-pyflame-1.6.7.drv' failed with exit code 1

Technical details

Please run nix-shell -p nix-info --run "nix-info -m" and paste the
results.

  • system: "x86_64-linux"
  • host os: Linux 4.19.12, NixOS, 19.03.git.2649e63 (Koi)
  • multi-user?: yes
  • sandbox: yes
  • version: nix-env (Nix) 2.1.3
  • channels(root): ""
  • nixpkgs: /var/nixpkgs

ivan commented Apr 18, 2019

#59814 doesn't fix this problem because the pyflame build's tests still fail on a NixOS with the hardened profile enabled:

E       AssertionError: assert not 'Failed to seize PID 5906: Operation not permitted\n'

@FRidh FRidh reopened this Apr 18, 2019
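
The failures reported above follow from how Yama scopes ptrace: the tests start the target and pyflame as two separate subprocesses, so the tracer is not an ancestor of the process it tries to seize. The following is an added example, not code from the issue, pyflame or nixpkgs. It models the documented `kernel.yama.ptrace_scope` levels, reads the live sysctl, and extracts seize failures from a build log. All function names are hypothetical, and the sample log lines are an excerpt of those quoted in this issue.

```python
import re
from pathlib import Path

YAMA_SYSCTL = Path("/proc/sys/kernel/yama/ptrace_scope")

# Excerpt of failure lines quoted in the issue (raw string: "\n" stays literal).
SAMPLE_LOG = r"""
E       AssertionError: assert not 'Failed to seize PID 5580\n'
E        +    where <built-in method startswith of str object at 0x7ffff23a5d50> = 'Failed to seize PID 5601\n'.startswith
E       AssertionError: assert not 'Failed to seize PID 5906: Operation not permitted\n'
"""

# Optional ": reason" suffix; stop at a backslash, quote or newline.
SEIZE_FAILURE = re.compile(r"Failed to seize PID (\d+)(?:: ([^\\'\n]+))?")


def read_ptrace_scope(path=YAMA_SYSCTL):
    """Return the Yama ptrace_scope level, or 0 if the sysctl is absent."""
    try:
        return int(Path(path).read_text().strip())
    except FileNotFoundError:
        return 0  # kernel without Yama: only the classic ptrace checks apply


def yama_allows_attach(scope, tracer_is_ancestor=False,
                       target_opted_in=False, has_cap_sys_ptrace=False):
    """Yama's decision only; same-UID and dumpable checks still apply on top.

    0: classic rules. 1: tracer must be an ancestor, or the target must have
    named it via prctl(PR_SET_PTRACER), or the tracer holds CAP_SYS_PTRACE.
    2: CAP_SYS_PTRACE only. 3: attaching is disabled for everyone.
    """
    if scope <= 0:
        return True
    if scope == 1:
        return tracer_is_ancestor or target_opted_in or has_cap_sys_ptrace
    if scope == 2:
        return has_cap_sys_ptrace
    return False


def attach_tests_can_run(scope=None):
    """Can a sibling tracer (the test layout in this issue) seize its target?"""
    if scope is None:
        scope = read_ptrace_scope()
    return yama_allows_attach(scope, tracer_is_ancestor=False)


def seize_failures(log_text):
    """Map each PID that could not be seized to the reason given, if any."""
    failures = {}
    for pid, reason in SEIZE_FAILURE.findall(log_text):
        pid = int(pid)
        if failures.get(pid) is None:
            failures[pid] = reason or None
    return failures


if __name__ == "__main__":
    scope = read_ptrace_scope()
    print(f"ptrace_scope={scope}, attach tests can run: {attach_tests_can_run(scope)}")
    print(seize_failures(SAMPLE_LOG))
```

A test suite could use a check like `attach_tests_can_run()` to skip attach-style tests on hardened hosts instead of failing the build.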