Bug#959500: misleading 'You need to be root' when Linux is in Lockdown mode

To: 959500@bugs.debian.org
Subject: Bug#959500: misleading 'You need to be root' when Linux is in Lockdown mode
From: John Scott <jscott@posteo.net>
Date: Thu, 07 May 2020 15:05:39 -0400
Message-id: <[🔎] 2571844.VMNYPuaz6x@t450>
Reply-to: John Scott <jscott@posteo.net>, 959500@bugs.debian.org
In-reply-to: <[🔎] 4459239f9004c2d5b12e0a7daef2baf1@phys.ethz.ch>
References: <[🔎] 4459239f9004c2d5b12e0a7daef2baf1@phys.ethz.ch> <[🔎] 158847631869.43114.11117877011574111432.reportbug@T450>

Control: tags -1 + upstream

On Tuesday, May 5, 2020 7:07:39 AM EDT Gürkan Myczko wrote:
> The error message:
> ERROR: Could not get I/O privileges (Operation not permitted).
> to me and #flashrom is not misleading at all.

I had overlooked that part and fixated on the last line about root.
However 'You need to be root' sounds too strong IMHO especially since
that's not what's really necesarry. Maybe a message more like
  E: Unable to acquire the dpkg frontend lock, are you root?
would be fitting.

Thanks for giving me the gumption to try strace. With it I got the attached
output showing iopl() is throwing the error. Its man page says
ERRORS
  EPERM  The calling process has insufficient privilege to call iopl();
    the CAP_SYS_RAWIO capability is required to raise the I/O privilege level
    above its current value.
So maybe root isn't necessary in general.

With gdb the problem seems to be at
#0  rget_io_perms () at ../hwaccess.c:119
#1  0x000055555559fbab in internal_init () at ../internal.c:213
#2  0x00005555555b706a in programmer_init (prog=PROGRAMMER_INTERNAL, param=0x0) at ../flashrom.c:555
#3  0x00005555555ccffe in main (argc=5, argv=0x7fffffffe608) at ../cli_classic.c:459

int rget_io_perms(void)
{
#if IS_X86 && !(defined(__DJGPP__) || defined(__LIBPAYLOAD__))
#if defined (__sun)
        if (sysi86(SI86V86, V86SC_IOPL, PS_IOPL) != 0) {
#elif USE_DEV_IO
        if ((io_fd = open("/dev/io", O_RDWR)) < 0) {
#elif USE_IOPERM
        if (ioperm(0, 65536, 1) != 0) {
#elif USE_IOPL
        if (iopl(3) != 0) {
#endif
                msg_perr("ERROR: Could not get I/O privileges (%s).\n", strerror(errno));
                msg_perr("You need to be root.\n");


I was pointed to it by the Linux commit [1], that on my system I can read
/sys/kernel/security/lockdown as root which says
none [integrity] confidentiality

I hope this can provide a check comparable to the OpenBSD and NetBSD ones
there.

If you have Linux 5.4+ you might be able to boot with lockdown=integrity
(EFI/Secure Boot not necessary) and reproduce this way.

Please let me know if you'd be helped by any more details. I hope this can be
solved cleanly.

[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=aefcf2f4

execve("/usr/sbin/flashrom", ["flashrom", "--programmer", "internal", "-r", "woo"], 0x7ffebadd4dc0 /* 20 vars */) = 0
brk(NULL)                               = 0x564f5f7a9000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=197499, ...}) = 0
mmap(NULL, 197499, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fc50c0ba000
close(3)                                = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libusb-1.0.so.0", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\260G\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=109552, ...}) = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc50c0b8000
mmap(NULL, 112016, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fc50c09c000
mmap(0x7fc50c0a0000, 57344, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x4000) = 0x7fc50c0a0000
mmap(0x7fc50c0ae000, 32768, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x12000) = 0x7fc50c0ae000
mmap(0x7fc50c0b6000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x19000) = 0x7fc50c0b6000
close(3)                                = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libpci.so.3", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P5\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=60024, ...}) = 0
mmap(NULL, 62096, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fc50c08c000
mprotect(0x7fc50c08f000, 45056, PROT_NONE) = 0
mmap(0x7fc50c08f000, 28672, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3000) = 0x7fc50c08f000
mmap(0x7fc50c096000, 12288, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xa000) = 0x7fc50c096000
mmap(0x7fc50c09a000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xd000) = 0x7fc50c09a000
close(3)                                = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libftdi1.so.2", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\2004\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=59872, ...}) = 0
mmap(NULL, 62024, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fc50c07c000
mmap(0x7fc50c07f000, 32768, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3000) = 0x7fc50c07f000
mmap(0x7fc50c087000, 12288, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xb000) = 0x7fc50c087000
mmap(0x7fc50c08a000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xd000) = 0x7fc50c08a000
close(3)                                = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0 o\2\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1831600, ...}) = 0
mmap(NULL, 1844568, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fc50beb9000
mmap(0x7fc50bede000, 1351680, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x25000) = 0x7fc50bede000
mmap(0x7fc50c028000, 303104, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x16f000) = 0x7fc50c028000
mmap(0x7fc50c072000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1b8000) = 0x7fc50c072000
mmap(0x7fc50c078000, 13656, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fc50c078000
close(3)                                = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libudev.so.1", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0@X\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=174272, ...}) = 0
mmap(NULL, 178440, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fc50be8d000
mmap(0x7fc50be92000, 110592, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x5000) = 0x7fc50be92000
mmap(0x7fc50bead000, 40960, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x20000) = 0x7fc50bead000
mmap(0x7fc50beb7000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x29000) = 0x7fc50beb7000
close(3)                                = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libpthread.so.0", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0`|\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=146912, ...}) = 0
mmap(NULL, 132256, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fc50be6c000
mmap(0x7fc50be73000, 61440, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x7000) = 0x7fc50be73000
mmap(0x7fc50be82000, 20480, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x16000) = 0x7fc50be82000
mmap(0x7fc50be87000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1a000) = 0x7fc50be87000
mmap(0x7fc50be89000, 13472, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fc50be89000
close(3)                                = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libz.so.1", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0203\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=113088, ...}) = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc50be6a000
mmap(NULL, 115088, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fc50be4d000
mprotect(0x7fc50be50000, 98304, PROT_NONE) = 0
mmap(0x7fc50be50000, 69632, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3000) = 0x7fc50be50000
mmap(0x7fc50be61000, 24576, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x14000) = 0x7fc50be61000
mmap(0x7fc50be68000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1a000) = 0x7fc50be68000
close(3)                                = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libresolv.so.2", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\300C\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=84808, ...}) = 0
mmap(NULL, 96896, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fc50be35000
mprotect(0x7fc50be39000, 65536, PROT_NONE) = 0
mmap(0x7fc50be39000, 49152, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x4000) = 0x7fc50be39000
mmap(0x7fc50be45000, 12288, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x10000) = 0x7fc50be45000
mmap(0x7fc50be49000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x13000) = 0x7fc50be49000
mmap(0x7fc50be4b000, 6784, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fc50be4b000
close(3)                                = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc50be33000
arch_prctl(ARCH_SET_FS, 0x7fc50be33b80) = 0
mprotect(0x7fc50c072000, 12288, PROT_READ) = 0
mprotect(0x7fc50be49000, 4096, PROT_READ) = 0
mprotect(0x7fc50be68000, 4096, PROT_READ) = 0
mprotect(0x7fc50be87000, 4096, PROT_READ) = 0
mprotect(0x7fc50beb7000, 4096, PROT_READ) = 0
mprotect(0x7fc50c0b6000, 4096, PROT_READ) = 0
mprotect(0x7fc50c08a000, 4096, PROT_READ) = 0
mprotect(0x7fc50c09a000, 4096, PROT_READ) = 0
mprotect(0x564f5ef2c000, 339968, PROT_READ) = 0
mprotect(0x7fc50c113000, 4096, PROT_READ) = 0
munmap(0x7fc50c0ba000, 197499)          = 0
set_tid_address(0x7fc50be33e50)         = 14154
set_robust_list(0x7fc50be33e60, 24)     = 0
rt_sigaction(SIGRTMIN, {sa_handler=0x7fc50be736b0, sa_mask=[], sa_flags=SA_RESTORER|SA_SIGINFO, sa_restorer=0x7fc50be80110}, NULL, 8) = 0
rt_sigaction(SIGRT_1, {sa_handler=0x7fc50be73750, sa_mask=[], sa_flags=SA_RESTORER|SA_RESTART|SA_SIGINFO, sa_restorer=0x7fc50be80110}, NULL, 8) = 0
rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0
prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
fstat(1, {st_mode=S_IFCHR|0600, st_rdev=makedev(0x88, 0x4), ...}) = 0
brk(NULL)                               = 0x564f5f7a9000
brk(0x564f5f7ca000)                     = 0x564f5f7ca000
write(1, "flashrom v1.2", 13)           = 13
uname({sysname="Linux", nodename="T450", ...}) = 0
write(1, " on Linux 5.6.0-1-amd64 (x86_64)", 32) = 32
write(1, "\n", 1)                       = 1
write(1, "flashrom is free software, get t"..., 71) = 71
write(1, "\n", 1)                       = 1
clock_getres(CLOCK_MONOTONIC, {tv_sec=0, tv_nsec=1}) = 0
write(1, "Using clock_gettime for delay lo"..., 66) = 66
iopl(3)                                 = -1 EPERM (Operation not permitted)
write(2, "ERROR: Could not get I/O privile"..., 63) = 63
write(2, "You need to be root.\n", 21)  = 21
write(2, "Error: Programmer initialization"..., 41) = 41
exit_group(1)                           = ?
+++ exited with 1 +++

Attachment: signature.asc
Description: This is a digitally signed message part.

Reply to:

References:
- Bug#959500: misleading 'You need to be root' when Linux is in Lockdown mode
  - From: Gürkan Myczko <gurkan@phys.ethz.ch>
- Bug#959500: misleading 'You need to be root' when Linux is in Lockdown mode
  - From: John Scott <jscott@posteo.net>

Prev by Date: Processed: Re: misleading 'You need to be root' when Linux is in Lockdown mode
Next by Date: Problems with BIOS boot partition
Previous by thread: Processed: Re: misleading 'You need to be root' when Linux is in Lockdown mode
Next by thread: Problems with BIOS boot partition
Index(es):
- Date
- Thread