
Get error ASLR disable failed: EPERM: Operation not permitted when executing cargo tarpaulin -v #146

Closed
new-commer opened this issue Sep 6, 2018 · 10 comments

Comments

@new-commer

new-commer commented Sep 6, 2018

I use the root user and get the error `ASLR disable failed: EPERM: Operation not permitted` when executing `cargo tarpaulin -v`. I tried `sudo cargo tarpaulin -v`, and it prompts `cargo: command not found`.
So I tried `sudo -s cargo tarpaulin -v`, and it also prompts `ASLR disable failed: EPERM: Operation not permitted`. How can I resolve it?

@xd009642
Owner

xd009642 commented Sep 6, 2018

So what environment are you running in? A CI server (if so, which one) or your personal machine? This issue is a duplicate of #77, so you may find help there. ASLR is a security measure to stop malicious processes inspecting the memory or altering the execution of a process (including arbitrary code execution). So you may need to change a security rule via seccomp to allow tarpaulin to disable ASLR.

As for how to do that, I'm not sure, but maybe running tarpaulin with `setarch -R` will work.

@new-commer
Author

new-commer commented Sep 7, 2018

Yeah, it runs in docker started by the gitlab-ci runner. And I have seen issue #77.
My CI server is not travis-ci, and the workaround for #77 does not fit gitlab-ci.
Is there any workaround (such as modifying `.gitlab-ci.yml`)?

@new-commer
Author

new-commer commented Sep 7, 2018

BTW, why can Tarpaulin run on a personal machine (CentOS system) just using a normal user (the user has no authority to disable ASLR), but it cannot work in docker, even though I use the root user?

@xd009642
Owner

xd009642 commented Sep 7, 2018

Because the user does have authority to disable ASLR by default; it's just that things like docker or CI servers add some extra security restrictions to keep the systems and other users safe. If you're running docker, the docker section of the readme might be helpful: https://github.com/xd009642/tarpaulin#docker

@xd009642
Owner

@new-commer Have you tried the method in the docker section of the readme? And has it solved your issue?

@new-commer
Author

new-commer commented Sep 13, 2018

@xd009642 Thanks for your help. We have tried it and it works. And we're trying to do that in gitlab-ci now. If no one is familiar with gitlab-ci here, I will investigate it myself. Now I will close this issue.

@gdesmott

gdesmott commented Nov 5, 2019

@new-commer : did you find any way to make this work with gitlab-ci? I'm hitting the same problem.

@xd009642
Owner

xd009642 commented Nov 5, 2019 via email

@ThibsG

ThibsG commented Nov 15, 2019

Hi, just to help if someone is experiencing the same issue using a custom-built image for the runner.

You can also add the `security_opt` option to your runner configuration file `/etc/gitlab-runner/config.toml`:

[[runners]]
  [runners.docker]
    security_opt = ["seccomp:unconfined"]

Then restart the gitlab-runner service in order to reload the configuration.

Note that, as said in other issues, this option can also be used when running a container by hand:
    $ docker run --rm -it --security-opt seccomp=unconfined ...

It could be interesting to add this to a Wiki/FAQ page.

@rye
Contributor

rye commented Nov 15, 2019

Just to provide more background for people in situations where `seccomp=unconfined` is too liberal, one can also use a modified seccomp profile. Per the Docker documentation on seccomp, a number of syscalls are restricted through the default seccomp policy, including the `personality` syscall, which is how tarpaulin and other tools that require ASLR to be disabled can request it. (Edit: This is the reason why the default configuration doesn't allow tarpaulin to work.)

Docker's built-in default seccomp policy does allow the use of the personality syscall in certain cases, but only with the arguments 0x8, 0x2_0000, 0x2_0008, and 0xffff_ffff (GET_PERSONA), apparently.

The current method of disabling ASLR does not match one of the requested values, so is rejected by the kernel:

    // `personality`, `GET_PERSONA` and `ADDR_NO_RANDOMIZE` are tarpaulin's own
    // wrapper and constants, defined elsewhere in its source.
    fn disable_aslr() -> nix::Result<i32> {
        // Read the current persona (GET_PERSONA == 0xffff_ffff), then set it
        // again with the ADDR_NO_RANDOMIZE bit or'd in.
        match personality(GET_PERSONA) {
            Ok(p) => match personality(i64::from(p) | ADDR_NO_RANDOMIZE) {
                ok @ Ok(_) => ok,
                err @ Err(..) => err,
            },
            err @ Err(..) => err,
        }
    }

All of this is to say that one could add the object

{
  "names": [
    "personality"
  ],
  "action": "SCMP_ACT_ALLOW",
  "args": [
    {
      "index": 0,
      "value": 262144,
      "valueTwo": 0,
      "op": "SCMP_CMP_EQ"
    }
  ],
  "comment": "Enable personality(ADDR_NO_RANDOMIZE) syscall",
  "includes": {},
  "excludes": {}
}

to the syscalls key in their seccomp JSON file to allow ASLR disables to succeed. (If the persona is somehow different than just 0, the "value" might need tuning.)
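The following script is an added example (not tarpaulin's or Docker's code) of the narrower alternative to `seccomp=unconfined` described above: it constructs a small sample profile in Docker's seccomp JSON shape, appends the `personality` rule with the `ADDR_NO_RANDOMIZE` value (262144, or the current persona OR'd with that bit, per the caveat above), and evaluates which `personality` argument values a profile would allow. `SAMPLE_PROFILE`, the helper names and the simplified decision logic are all constructed here; Docker's real default profile is much larger and should be the starting point for an actual policy.

```python
"""Build and evaluate a Docker-style seccomp profile that permits
personality(ADDR_NO_RANDOMIZE) instead of dropping seccomp entirely.

Added example; not tarpaulin's or Docker's code. SAMPLE_PROFILE is a
constructed stand-in that only mimics the shape of Docker's default profile.
"""
import copy
import json

# Linux personality(2) flag bit from <sys/personality.h>; 0x40000 == 262144.
ADDR_NO_RANDOMIZE = 0x0040000
# Passing 0xffffffff queries the current persona (tarpaulin's GET_PERSONA).
GET_PERSONA = 0xFFFFFFFF

# personality(2) argument values the default policy already allows, as listed
# in the comment above.
DEFAULT_ALLOWED_PERSONALITY_ARGS = (0x8, 0x20000, 0x20008, 0xFFFFFFFF)

# Constructed minimal profile: deny by default, allow personality only with
# the argument values above.
SAMPLE_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [
        {"names": ["read", "write", "exit_group"], "action": "SCMP_ACT_ALLOW",
         "args": [], "comment": "", "includes": {}, "excludes": {}},
    ] + [
        {"names": ["personality"], "action": "SCMP_ACT_ALLOW",
         "args": [{"index": 0, "value": v, "valueTwo": 0, "op": "SCMP_CMP_EQ"}],
         "comment": "", "includes": {}, "excludes": {}}
        for v in DEFAULT_ALLOWED_PERSONALITY_ARGS
    ],
}


def aslr_disable_arg(current_persona: int = 0) -> int:
    """Value tarpaulin passes to personality(2): persona | ADDR_NO_RANDOMIZE.
    With the usual persona of 0 this is 262144, the 'value' in the rule above."""
    return current_persona | ADDR_NO_RANDOMIZE


def personality_rule(arg_value: int) -> dict:
    """Rule object in Docker seccomp JSON format allowing personality(arg_value)."""
    return {
        "names": ["personality"],
        "action": "SCMP_ACT_ALLOW",
        "args": [{"index": 0, "value": arg_value, "valueTwo": 0,
                  "op": "SCMP_CMP_EQ"}],
        "comment": "Enable personality(ADDR_NO_RANDOMIZE) syscall",
        "includes": {},
        "excludes": {},
    }


def allow_aslr_disable(profile: dict, current_persona: int = 0) -> dict:
    """Return a copy of `profile` with the extra personality rule appended."""
    patched = copy.deepcopy(profile)
    patched.setdefault("syscalls", []).append(
        personality_rule(aslr_disable_arg(current_persona)))
    return patched


def _arg_matches(cond: dict, args: tuple) -> bool:
    """Evaluate one argument condition (only the ops needed here)."""
    actual = args[cond["index"]]
    op, value = cond["op"], cond["value"]
    if op == "SCMP_CMP_EQ":
        return actual == value
    if op == "SCMP_CMP_NE":
        return actual != value
    if op == "SCMP_CMP_MASKED_EQ":  # (arg & value) == valueTwo
        return (actual & value) == cond["valueTwo"]
    raise ValueError(f"unsupported op {op}")


def decide(profile: dict, syscall: str, args: tuple) -> str:
    """Simplified seccomp decision: a rule matches when it names the syscall
    and every argument condition holds; otherwise defaultAction applies."""
    for rule in profile.get("syscalls", []):
        if syscall not in rule["names"]:
            continue
        if all(_arg_matches(c, args) for c in rule.get("args", [])):
            return rule["action"]
    return profile["defaultAction"]


if __name__ == "__main__":
    arg = aslr_disable_arg()
    before = decide(SAMPLE_PROFILE, "personality", (arg,))
    patched = allow_aslr_disable(SAMPLE_PROFILE)
    after = decide(patched, "personality", (arg,))
    print(f"personality(0x{arg:x}): before={before} after={after}")
    print(json.dumps(patched["syscalls"][-1], indent=2))
```

To apply this for real, load Docker's actual default profile JSON instead of `SAMPLE_PROFILE`, pass it through `allow_aslr_disable`, write the result to a file and start the runner container with `--security-opt seccomp=<that file>` (or the equivalent `security_opt` entry in `config.toml`); every other syscall stays under the default policy.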

tomaszklak added a commit to NordSecurity/libtelio that referenced this issue Oct 4, 2023
This is a port from the previous version of CI and uses the same command as
previously.

There might seem to be multiple other and better ways to do it, but they
are all broken in some ways.

We could use the action https://github.com/actions-rs/tarpaulin, but
that one is no longer maintained. The last version of tarpaulin it works
with is 0.22 from October 2022, and the fix is still not merged after
multiple months: actions-rs/tarpaulin#23.
Additionally there are discussions to deprecate this action:
actions-rs/tarpaulin#6

Alternatively we could have used the 'official' docker image of
tarpaulin: https://hub.docker.com/r/xd009642/tarpaulin . This will not
work since, when a github action runs in docker, the container is not
started with enough privileges, which causes tarpaulin to crash; see
an example of this here:
xd009642/tarpaulin#146