You are not logged in.

#1 2021-03-23 10:01:22

qlem
Member
Registered: 2017-05-09
Posts: 29

[RESOLVED] Operation not permitted error

Hello,

Recent update of systemd to 247.4-2 causes some operation not permitted errors on binaries who try to reading files.

Example when I try to run dmesg with my current user:

dmesg: read kernel buffer failed: Operation not permitted

With a binary in /usr/bin

-rwxr-xr-x 1 root root 55264 22 mars  22:41 /usr/bin/qlstatus
$> qlstatus
Error reading file /home/qlem/.config/qlstatus/qlstatus.conf: Operation not permitted

Systemctl status:

$> systemctl status
● wksmitx
    State: running
     Jobs: 0 queued
   Failed: 0 units
    Since: Tue 2021-03-23 11:02:04 CET; 1min 3s ago
   CGroup: /
           ├─user.slice
           │ └─user-1000.slice
           │   ├─user@1000.service
           │   │ ├─app.slice
           │   │ │ ├─app-flatpak-com.slack.Slack-3434.scope
           │   │ │ │ ├─3434 bwrap --args 41 /app/bin/zypak-helper child - /app/extra/lib/slack/slack --type=zygote
           │   │ │ │ ├─3441 bwrap --args 39 xdg-dbus-proxy --args=41
           │   │ │ │ ├─3442 xdg-dbus-proxy --args=41
           │   │ │ │ ├─3446 bwrap --args 41 /app/bin/zypak-helper child - /app/extra/lib/slack/slack --type=zygote
           │   │ │ │ ├─3447 /app/extra/lib/slack/slack --type=zygote
           │   │ │ │ └─3512 /app/extra/lib/slack/slack --type=renderer --autoplay-policy=no-user-gesture-required --force-color-profile=srgb --field-trial-handle=13845080558085125083,8915310274478452587,131072 -->
           │   │ │ ├─xdg-permission-store.service
           │   │ │ │ └─3403 /usr/lib/xdg-permission-store
           │   │ │ ├─xdg-document-portal.service
           │   │ │ │ ├─3400 /usr/lib/xdg-document-portal
           │   │ │ │ └─3408 fusermount -o rw,nosuid,nodev,fsname=portal,auto_unmount,subtype=portal -- /run/user/1000/doc
           │   │ │ ├─pulseaudio.service
           │   │ │ │ ├─2865 /usr/bin/pulseaudio --daemonize=no --log-target=journal
           │   │ │ │ └─2901 /usr/lib/pulse/gsettings-helper
           │   │ │ ├─flatpak-session-helper.service
           │   │ │ │ ├─3394 /usr/lib/flatpak-session-helper
           │   │ │ │ ├─3398 server --sh -n /run/user/1000/.flatpak-helper/pkcs11-flatpak-3394 --provider p11-kit-trust.so pkcs11:model=p11-kit-trust?write-protected=yes
           │   │ │ │ └─3539 p11-kit-remote --provider p11-kit-trust.so pkcs11:model=p11-kit-trust?write-protected=yes
           │   │ │ ├─flatpak-portal.service
           │   │ │ │ └─3424 /usr/lib/flatpak-portal
           │   │ │ ├─at-spi-dbus-bus.service
           │   │ │ │ ├─2766 /usr/lib/at-spi-bus-launcher
           │   │ │ │ └─3413 /usr/bin/dbus-daemon --config-file=/usr/share/defaults/at-spi2/accessibility.conf --nofork --print-address 3
           │   │ │ ├─dbus.service
           │   │ │ │ └─2406 /usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
           │   │ │ └─app-flatpak-com.slack.Slack-3391.scope
           │   │ │   ├─3391 bwrap --args 40 slack
           │   │ │   ├─3415 bwrap --args 40 xdg-dbus-proxy --args=42
           │   │ │   ├─3416 xdg-dbus-proxy --args=42
           │   │ │   ├─3418 bwrap --args 40 slack
           │   │ │   ├─3419 /app/extra/lib/slack/slack -s
           │   │ │   ├─3430 /app/extra/lib/slack/slack --type=zygote --no-zygote-sandbox
           │   │ │   ├─3432 /app/extra/lib/slack/chrome-sandbox /app/extra/lib/slack/slack --type=zygote
           │   │ │   ├─3475 /app/extra/lib/slack/slack --type=gpu-process --field-trial-handle=13845080558085125083,8915310274478452587,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWi>
           │   │ │   └─3481 /app/extra/lib/slack/slack --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=13845080558085125083,8915310274478452587,131072 --enable-features=WebComp>
           │   │ └─init.scope
           │   │   ├─2292 /usr/lib/systemd/systemd --user
           │   │   └─2295 (sd-pam)
           │   └─session-1.scope
           │     ├─ 527 login -- qlem
           │     ├─2305 /bin/sh /usr/bin/startx -- -keeptty
           │     ├─2339 xinit /home/qlem/.xinitrc -- /usr/bin/X :0 -keeptty vt1 -keeptty -auth /tmp/serverauth.FOv3PrYRXh
           │     ├─2340 /usr/lib/Xorg :0 -keeptty vt1 -keeptty -auth /tmp/serverauth.FOv3PrYRXh
           │     ├─2398 dwm
           │     ├─2408 /usr/bin/gnome-keyring-daemon --start --components=pkcs11,secrets,ssh
           │     ├─2415 picom --config /home/qlem/.config/picom/picom.conf
           │     ├─2416 redshift -c /home/qlem/.config/redshift/redshift.conf
           │     ├─2417 dunst
           │     ├─2716 /usr/lib/firefox/firefox
           │     ├─2790 /usr/lib/firefox/firefox -contentproc -childID 1 -isForBrowser -prefsLen 1 -prefMapSize 235064 -parentBuildID 20210311111503 -appdir /usr/lib/firefox/browser 2716 true tab
           │     ├─2911 /usr/lib/firefox/firefox -contentproc -childID 2 -isForBrowser -prefsLen 174 -prefMapSize 235064 -parentBuildID 20210311111503 -appdir /usr/lib/firefox/browser 2716 true tab
           │     ├─2956 /usr/lib/firefox/firefox -contentproc -childID 3 -isForBrowser -prefsLen 6201 -prefMapSize 235064 -parentBuildID 20210311111503 -appdir /usr/lib/firefox/browser 2716 true tab
           │     ├─3046 /usr/lib/firefox/firefox -contentproc -childID 4 -isForBrowser -prefsLen 7060 -prefMapSize 235064 -parentBuildID 20210311111503 -appdir /usr/lib/firefox/browser 2716 true tab
           │     ├─3150 /usr/lib/firefox/firefox -contentproc -childID 5 -isForBrowser -prefsLen 7060 -prefMapSize 235064 -parentBuildID 20210311111503 -appdir /usr/lib/firefox/browser 2716 true tab
           │     ├─3193 /usr/lib/firefox/firefox -contentproc -childID 6 -isForBrowser -prefsLen 7060 -prefMapSize 235064 -parentBuildID 20210311111503 -appdir /usr/lib/firefox/browser 2716 true tab
           │     ├─3557 alacritty
           │     ├─3563 fish
           │     ├─3669 /bin/sh /home/qlem/.local/share/JetBrains/Toolbox/apps/WebStorm/ch-0/203.7148.54/bin/webstorm.sh
           │     ├─3711 /home/qlem/.local/share/JetBrains/Toolbox/apps/WebStorm/ch-0/203.7148.54/jbr/bin/java -classpath /home/qlem/.local/share/JetBrains/Toolbox/apps/WebStorm/ch-0/203.7148.54/lib/bootstrap.jar:>
           │     ├─3786 /home/qlem/.local/share/JetBrains/Toolbox/apps/WebStorm/ch-0/203.7148.54/bin/fsnotifier64
           │     ├─3977 systemctl status
           │     └─3978 less
           ├─init.scope
           │ └─1 /sbin/init splash
           └─system.slice
             ├─systemd-networkd.service
             │ └─339 /usr/lib/systemd/systemd-networkd
             ├─systemd-udevd.service
             │ └─335 /usr/lib/systemd/systemd-udevd
             ├─docker.service
             │ ...
             ├─polkit.service
             │ └─2836 /usr/lib/polkit-1/polkitd --no-debug
             ├─rtkit-daemon.service
             │ └─2804 /usr/lib/rtkit-daemon
             ├─iwd.service
             │ └─435 /usr/lib/iwd/iwd
             ├─systemd-journald.service
             │ └─318 /usr/lib/systemd/systemd-journald
             ├─systemd-resolved.service
             │ └─427 /usr/lib/systemd/systemd-resolved
             ├─dbus.service
             │ └─434 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
             ├─systemd-timesyncd.service
             │ └─429 /usr/lib/systemd/systemd-timesyncd
             └─systemd-logind.service
               └─436 /usr/lib/systemd/systemd-logind

When I downgrade systemd to 247.3-1 these errors disappear.

Any help is welcome.

EDIT: The error came from qlstatus itself and it is not related to systemd. The Operation not permitted error when running dmesg as non root user it is the expected behavior. See the answers bellow.

Last edited by qlem (2021-03-23 21:59:04)

Offline

#2 2021-03-23 18:46:55

Head_on_a_Stick
Member
From: London
Registered: 2014-02-20
Posts: 7,680
Website

Re: [RESOLVED] Operation not permitted error

qlem wrote:

Example when I try to run dmesg with my current user:

dmesg: read kernel buffer failed: Operation not permitted

I think that's the expected behaviour:

% zgrep -i dmesg_restrict /proc/config.gz
CONFIG_SECURITY_DMESG_RESTRICT=y
%
qlem wrote:
$> qlstatus
Error reading file /home/qlem/.config/qlstatus/qlstatus.conf: Operation not permitted

What are the permissions for that file? And what is /usr/bin/qlstatus?

Offline

#3 2021-03-23 20:23:30

qlem
Member
Registered: 2017-05-09
Posts: 29

Re: [RESOLVED] Operation not permitted error

Yes i was wrong about dmesg.

qlstatus is a small binary I wrote in C. It's a light and modular status bar for dwm -> https://github.com/qlem/qlstatus.
The error occur in function that load settings from the config file:

$> ls -al
...
-rw-r--r--  1 qlem qlem 1,4K 14 mars  01:28 qlstatus.conf

It is the last call to getline that failed, so after having successfully processed all the lines of the file.

int         load_config_file(t_main *main, const char *file) {
    char    *line = NULL;
    size_t  size = 0;
    FILE    *stream;
    int     i = 0;
    ssize_t nb;

    if ((stream = fopen(file, "r")) == NULL) {
        fprintf(stderr, "Cannot load config file: %s\n", strerror(errno));
        return -1;
    }
    while ((nb = getline(&line, &size, stream)) != -1) {
        ++i;
        line[nb - 1] == '\n' ? line[nb - 1] = 0 : 0;
        parse_config_line(main, line, i);
        line = NULL;
        size = 0;
    }
    if (nb == -1 && errno) {
        fprintf(stderr, "Error reading file %s: %s\n", file, strerror(errno));
        exit(EXIT_FAILURE);
    }
    free(line);
    close_stream(stream, file);
    return 0;
}

Nothing magic so.

link of file on github: https://github.com/qlem/qlstatus/blob/f … fig.c#L243

Like I say, when I downgrade systemd package, my binary works fine. I am a little confused about this.

Last edited by qlem (2021-03-23 20:26:48)

Offline

#4 2021-03-23 20:41:57

ayekat
Member
Registered: 2011-01-17
Posts: 1,589

Re: [RESOLVED] Operation not permitted error

Have you verified that errno is indeed set by getline()? You don't seem to initialise errno to 0 at all, so potentially it's more an issue of reading a potentially uninitialised variable.
With the right set of compilation flags, gcc should usually complain about that.


pkgshackscfgblag

Offline

#5 2021-03-23 21:12:21

qlem
Member
Registered: 2017-05-09
Posts: 29

Re: [RESOLVED] Operation not permitted error

You got right! I missed this with the use of errno. I will fix that.

What is the right flags to get warning about this at the compilation ? My current flags are "-W -Wall -Wextra -Werror".

Thank you for your help!

Last edited by qlem (2021-03-23 21:18:23)

Offline

#6 2021-03-23 21:18:39

loqs
Member
Registered: 2014-03-06
Posts: 17,192

Re: [RESOLVED] Operation not permitted error

See -Wmaybe-uninitialized and -Wuninitialized.  I think you need the former in this case.

Offline

Board footer

Powered by FluxBB