always wants to restart chrooted daemons on grsecurity kernels #46

Closed
jleroy opened this issue Oct 23, 2016 · 10 comments

Comments

@jleroy
Contributor

jleroy commented Oct 23, 2016

On a fresh and up-to-date Debian 8 install, needrestart always asks to restart Postfix:

# needrestart -vvv -m a -r l 
[main] eval /etc/needrestart/needrestart.conf
[main] running in root-mode
[Core] Using UI 'NeedRestart::UI::stdio'...
[main] detected systemd
[Core] #1731 is a NeedRestart::Interp::Python
[Python] #1731: source=/usr/bin/salt-minion
[main] #2058 uses non-existing /usr/lib/postfix/pickup
[main] #2058 is a child of #2047
[main] #2066 uses non-existing /usr/lib/postfix/tlsmgr
[main] #2066 is a child of #2047
[Core] #2069 is a NeedRestart::Interp::Python
[Python] #2069: source=/usr/bin/fail2ban-server
[Core] #2074 is a NeedRestart::Interp::Python
[Python] #2074: source=/usr/bin/salt-minion
[Python] #2074: use cached file list
[Core] #2076 is a NeedRestart::Interp::Python
[Python] #2076: source=/usr/bin/salt-minion
[Python] #2076: use cached file list
[main] #2047 exe => /usr/lib/postfix/master
[main] #2047 is postfix.service
[Kernel] Linux: kernel release 4.7.0-1-grsec-amd64, kernel version #1 SMP Debian 4.7.8-1+grsec201610161720+1~bpo8+1 (2016-10-20)
[Kernel/Linux] /boot/vmlinuz-4.7.0-1-grsec-amd64 => 4.7.0-1-grsec-amd64 (corsac@debian.org) #1 SMP Debian 4.7.8-1+grsec201610161720+1~bpo8+1 (2016-10-20) [4.7.0-1-grsec-amd64]*
[Kernel/Linux] /boot/vmlinuz-3.16.0-4-amd64 => 3.16.0-4-amd64 (debian-kernel@lists.debian.org) #1 SMP Debian 3.16.36-1+deb8u2 (2016-10-19) [3.16.0-4-amd64]
[Kernel/Linux] Expected linux version: 4.7.0-1-grsec-amd64
Running kernel seems to be up-to-date.
Services to be restarted:
 systemctl restart postfix.service
No containers need to be restarted.
No user sessions are running outdated binaries.

Systemd service output:

# service postfix status
● postfix.service - LSB: Postfix Mail Transport Agent
   Loaded: loaded (/etc/init.d/postfix)
  Drop-In: /run/systemd/generator/postfix.service.d
           └─50-postfix-$mail-transport-agent.conf
   Active: active (running) since Sun 2016-10-23 08:34:22 CEST; 21min ago
  Process: 2299 ExecStop=/etc/init.d/postfix stop (code=exited, status=0/SUCCESS)
  Process: 2322 ExecStart=/etc/init.d/postfix start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/postfix.service
           ├─2432 /usr/lib/postfix/master
           ├─2433 pickup -l -t unix -u -c
           └─2434 qmgr -l -t unix -u

Oct 23 08:34:22 csqr-web1-l postfix[2322]: Starting Postfix Mail Transport Agent: postfix.
Oct 23 08:34:22 csqr-web1-l systemd[1]: Started LSB: Postfix Mail Transport Agent.
Oct 23 08:34:22 csqr-web1-l postfix/master[2432]: daemon started -- version 2.11.3, configuration /etc/postfix
@jleroy
Contributor Author

jleroy commented Oct 23, 2016

For some reason it happens only with a grsec kernel. I use the last grsec kernel from jessie-backports:

# uname -a
Linux csqr-web3-l 4.7.0-1-grsec-amd64 #1 SMP Debian 4.7.8-1+grsec201610161720+1~bpo8+1 (2016-10-20) x86_64 GNU/Linux

@jleroy
Contributor Author

jleroy commented Oct 23, 2016

/proc/[PID]/map_files has been removed by the grsecurity team.
See https://grsecurity.net/changelog-test.txt, commit 2d35d5276f3feb0c053209f8c3a77b1f55f9d96b.

The files /usr/lib/postfix/pickup and /usr/lib/postfix/tlsmgr aren't available in the /proc/[PID]/root directory of child processes, only on the master process.
Maybe we should try to access files using parent PID in such cases?

@fenhl

fenhl commented Oct 26, 2016

I have a system running Debian stable, and needrestart keeps saying it needs to restart ssh. I'm not sure if my issue is related to this.

@jleroy
Contributor Author

jleroy commented Oct 26, 2016

@fenhl Do you have a grsecurity kernel? If not, this is probably a separate issue.

@fenhl

fenhl commented Oct 26, 2016

I haven't checked, but I assume it's running the default Linux kernel.

@eigengrau

eigengrau commented Oct 30, 2016

I’m running grsec as well and I’m seeing this issue for dovecot instead. Postfix is running as well, but no erroneous reports pop up when I run needrestart.

@liske liske added the bug label Oct 31, 2016
@liske liske added this to the v2.10 milestone Oct 31, 2016
@liske
Owner

liske commented Oct 31, 2016

Could you please provide the output of ls -lha /proc/$PID for the reported PID using an obsolete lib?

@eigengrau

This is the output for dovecot.

[main] #2575 uses non-existing /usr/lib/dovecot/imap-login
[main] #2575 is a child of #646
[main] #646 exe => /usr/bin/dovecot
[main] #646 is dovecot.service

Oddly, /usr/lib/dovecot/imap-login does exist and its inode hasn’t changed either.

@jleroy
Contributor Author

jleroy commented Oct 31, 2016

Here is the output for the child process using a non-existing directory (not the Postfix master process):

# ls -lha /proc/928/
total 0
dr-xr-x---   8 107 64044 0 Oct 31 20:06 .
dr-xr-xr-x 104   0 64044 0 Oct 31 15:08 ..
dr-xr-xr-x   2 107 64044 0 Oct 31 20:55 attr
-rw-r--r--   1   0     0 0 Oct 31 20:55 autogroup
-r--------   1   0     0 0 Oct 31 20:55 auxv
-r--r--r--   1   0     0 0 Oct 31 20:55 cgroup
-r--r--r--   1   0     0 0 Oct 31 20:06 cmdline
-rw-r--r--   1   0     0 0 Oct 31 20:55 comm
-rw-r--r--   1   0     0 0 Oct 31 20:55 coredump_filter
-r--r--r--   1   0     0 0 Oct 31 20:55 cpuset
lrwxrwxrwx   1   0     0 0 Oct 31 20:06 cwd -> /var/spool/postfix
-r--------   1   0     0 0 Oct 31 20:55 environ
lrwxrwxrwx   1   0     0 0 Oct 31 20:06 exe -> /usr/lib/postfix/pickup
dr-x------   2   0     0 0 Oct 31 20:55 fd
dr-x------   2   0     0 0 Oct 31 20:55 fdinfo
-rw-r--r--   1   0     0 0 Oct 31 20:55 gid_map
-r--------   1   0     0 0 Oct 31 20:55 io
-r--------   1   0     0 0 Oct 31 20:55 ipaddr
-r--r--r--   1   0     0 0 Oct 31 20:55 limits
-rw-r--r--   1   0     0 0 Oct 31 20:55 loginuid
-r--r--r--   1   0     0 0 Oct 31 20:06 maps
-rw-------   1   0     0 0 Oct 31 20:55 mem
-r--r--r--   1   0     0 0 Oct 31 20:55 mountinfo
-r--r--r--   1   0     0 0 Oct 31 20:55 mounts
-r--------   1   0     0 0 Oct 31 20:55 mountstats
dr-xr-xr-x   5 107 64044 0 Oct 31 20:55 net
dr-x--x--x   2   0     0 0 Oct 31 20:06 ns
-r--r--r--   1   0     0 0 Oct 31 20:55 numa_maps
-rw-r--r--   1   0     0 0 Oct 31 20:55 oom_adj
-r--r--r--   1   0     0 0 Oct 31 20:55 oom_score
-rw-r--r--   1   0     0 0 Oct 31 20:55 oom_score_adj
-r--------   1   0     0 0 Oct 31 20:55 personality
-rw-r--r--   1   0     0 0 Oct 31 20:55 projid_map
lrwxrwxrwx   1   0     0 0 Oct 31 20:06 root -> /var/spool/postfix
-rw-r--r--   1   0     0 0 Oct 31 20:55 sched
-r--r--r--   1   0     0 0 Oct 31 20:55 schedstat
-r--r--r--   1   0     0 0 Oct 31 20:55 sessionid
-rw-r--r--   1   0     0 0 Oct 31 20:55 setgroups
-r--r--r--   1   0     0 0 Oct 31 20:06 stat
-r--r--r--   1   0     0 0 Oct 31 20:55 statm
-r--r--r--   1   0     0 0 Oct 31 20:06 status
dr-xr-xr-x   3 107 64044 0 Oct 31 20:55 task
-rw-rw-rw-   1   0     0 0 Oct 31 20:55 timerslack_ns
-rw-r--r--   1   0     0 0 Oct 31 20:55 uid_map

@liske
Owner

liske commented Nov 3, 2016

The bug is triggered due to the following conditions:

  • grsec breaks /proc/$PID/map_files/$MADDR
  • process is running in chroot => /proc/$PID/root/$PATH is not available, either

I'm going to add an option to disable the filesystem check (at least for processes with a foreign root). This breaks reliability, but it is not really needed on GNU/Linux since filenames removed by upgrades end with (deleted).
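
The following is an added illustration of the approach described in this comment and in the earlier observation that the child processes' /proc/$PID/root points into the chroot; it is not needrestart's own code. It parses /proc/$PID/maps (which grsecurity leaves intact, unlike map_files), trusts the kernel's "(deleted)" marker, and only falls back to a filesystem lookup when the process's root is the host root. The sample maps lines, the inode numbers and the set of "host" files are constructed for the demo; check_pid() reads the real /proc when given a PID.

```python
"""Find daemons that still map deleted or replaced files, using only
/proc/$PID/maps plus the /proc/$PID/root link (no map_files needed).
Added example; not needrestart's code."""
import os
import re
import sys

# One /proc/$PID/maps line: address range, perms, offset, dev, inode, path.
_MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>\S{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>\S+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)
_DELETED = " (deleted)"

# Constructed sample: a chrooted Postfix child whose binary is intact but
# whose libc was replaced by an upgrade (inode numbers are made up).
SAMPLE_MAPS = """\
55d2c3a00000-55d2c3a20000 r-xp 00000000 fd:01 1310721                    /usr/lib/postfix/pickup
55d2c3c1f000-55d2c3c20000 r--p 0001f000 fd:01 1310721                    /usr/lib/postfix/pickup
7f3b5e000000-7f3b5e1c0000 r-xp 00000000 fd:01 262345                     /lib/x86_64-linux-gnu/libc-2.19.so (deleted)
7f3b5e3c0000-7f3b5e3c1000 rw-p 00000000 00:00 0 
7ffd1a2e0000-7ffd1a301000 rw-p 00000000 00:00 0                          [stack]
"""

# Constructed stand-in for the host filesystem: both files exist on the host,
# but neither exists below the chroot /var/spool/postfix.
FAKE_HOST_FS = {"/usr/lib/postfix/pickup", "/lib/x86_64-linux-gnu/libc-2.19.so"}


def parse_maps(maps_text):
    """Yield (path, inode, deleted) once per distinct file-backed mapping."""
    seen = set()
    for line in maps_text.splitlines():
        m = _MAPS_LINE.match(line)
        if not m or m.group("inode") == "0":  # anonymous, [heap], [stack], ...
            continue
        path = m.group("path")
        deleted = path.endswith(_DELETED)
        if deleted:
            path = path[: -len(_DELETED)]
        key = (path, int(m.group("inode")))
        if key not in seen:
            seen.add(key)
            yield path, key[1], deleted


def find_stale(maps_text, root="/", exists=os.path.exists, trust_fs=True):
    """Return the sorted paths of mappings that no longer match a file on disk.

    A mapping is stale when the kernel marked it "(deleted)". When trust_fs is
    True the path is additionally looked up relative to `root`; for a chrooted
    process that lookup is a false positive whenever the binary lives outside
    the chroot (this issue), so callers pass trust_fs=False in that case.
    """
    stale = set()
    for path, _inode, deleted in parse_maps(maps_text):
        if deleted:
            stale.add(path)
        elif trust_fs and not exists(os.path.join(root, path.lstrip("/"))):
            stale.add(path)
    return sorted(stale)


def check_pid(pid, proc="/proc"):
    """Inspect a live process; skip the filesystem check if it has a foreign root."""
    root = os.readlink(f"{proc}/{pid}/root")
    with open(f"{proc}/{pid}/maps") as fh:
        maps_text = fh.read()
    return find_stale(maps_text, root=root, trust_fs=(root == "/"))


if __name__ == "__main__":
    # Usage: python3 stale_maps.py PID [PID ...]  (needs read access to /proc/PID/maps)
    for arg in sys.argv[1:]:
        stale = check_pid(int(arg))
        print(f"#{arg}: {'stale: ' + ', '.join(stale) if stale else 'ok'}")
```

Run against the constructed sample, the host-root case reports only the replaced libc, the chrooted case with the filesystem check enabled adds the false positive for /usr/lib/postfix/pickup, and disabling that check for a foreign root (the workaround proposed above) brings it back to the libc report alone.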

@liske liske changed the title Needrestart always want to restart Postfix always want to restart chrooted daemons on grsecurity kernels Nov 3, 2016
@liske liske changed the title always want to restart chrooted daemons on grsecurity kernels always wants to restart chrooted daemons on grsecurity kernels Nov 3, 2016
liske added a commit that referenced this issue Nov 3, 2016
… a workaround for broken grsecurity kernels.

Fixes github issue #46 by @jleroy @eigengrau.
@liske liske closed this as completed Nov 3, 2016