ghc_ticker not checking return code?

ghc_ticker not checking return code?

Jon Fairbairn
I’ve just been rebuilding something I wrote ages ago, using
stack with lts-11.6 (so that I can use a recent Conduit).

Part (not a part I was modifying) of the code runs as a CGI
script, and I was horrified to find that when run by httpd it
soaked up CPU like nobody’s business without producing any
output. Running it at the command line worked fine, so I traced
the problem via audit:

type=AVC msg=audit(1529223103.790:1705516): avc:  denied  { read } for  pid=36764 comm="ghc_ticker" path="[timerfd]" dev=anon_inodefs ino=4597 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
type=AVC msg=audit(1529223103.790:1705517): avc:  denied  { read } for  pid=36764 comm="ghc_ticker" path="[timerfd]" dev=anon_inodefs ino=4597 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file

The solution is to add an audit rule to allow that, but surely
ghc_ticker shouldn’t be trying again so fast when whatever it is
trying to do isn’t permitted?

I don’t know what component ghc_ticker belongs to, so where
should I report the problem?

--
Jón Fairbairn                                 [hidden email]

_______________________________________________
Haskell-Cafe mailing list
To (un)subscribe, modify options or view archives go to:
http://mail.haskell.org/cgi-bin/mailman/listinfo/haskell-cafe
Only members subscribed via the mailman list are allowed to post.

Re: ghc_ticker not checking return code?

Brandon Allbery
I'd suspect it's mishandling the error return from a read(). Or not handling, but if the error it gets back is for some reason EAGAIN then it's kinda difficult to handle this sanely except by adding extra instrumentation to catch the loop.

On Sun, Jun 17, 2018 at 5:28 AM Jon Fairbairn <[hidden email]> wrote:
--
brandon s allbery kf8nh                               sine nomine associates
[hidden email]                                  [hidden email]
unix, openafs, kerberos, infrastructure, xmonad        http://sinenomine.net


Re: ghc_ticker not checking return code?

Jon Fairbairn
Brandon Allbery <[hidden email]> writes:

> I'd suspect it's mishandling the error return from a read(). Or not
> handling, but if the error it gets back is for some reason EAGAIN then it's
> kinda difficult to handle this sanely except by adding extra
> instrumentation to catch the loop.

If a selinux denial is producing EAGAIN, something is very
wrong. I doubt that that’s what’s happening. If I knew where to
go I could create a ticket…



Re: ghc_ticker not checking return code?

Brandon Allbery
Yeh, that was why "for some reason" — in that case I'd blame the audit framework, not the program.

ghc_ticker is an internal thread of the ghc runtime, so you want the ghc Trac, rts component. https://ghc.haskell.org/trac/ghc/newticket?type=bug (you will need to create an account).

On Mon, Jun 18, 2018 at 4:48 AM Jon Fairbairn <[hidden email]> wrote:
--
brandon s allbery kf8nh                               sine nomine associates
[hidden email]                                  [hidden email]
unix, openafs, kerberos, infrastructure, xmonad        http://sinenomine.net
