弁財天

Goffman: "Don't trust the experts; think and judge for yourself."

error: unpacking of archive failed on file /usr/bin/ping;568b6a9d: cpio: cap_set_file update1

I put Fedora 22 on a k2_cl (HTC One SV / Android 4.1.2) with LinuxDeploy, installed httpd-2.4.12, java-1.8.0-openjdk, tomcat-7.0.59, roller-5.1.2 and postgresql-9.4.1, and am evaluating it. Also perl-CGI, perl-JSON-PP and perl-DBD-Pg.

This k2_cl has only 800 MB of memory, but once you mkswap and swapon a 2 GB swap area it turns into a fairly respectable server. What a frightening age we live in.

[root@localhost ~]# dnf install iputils
Last metadata expiration check performed 1 day, 21:17:19 ago on Sun Jan  3 18:45:28 2016.
Dependencies resolved.
================================================================================
 Package       Arch          Version               Repository              Size
================================================================================
Installing:
 iputils       armv7hl       20140519-4.fc22       fedora-22-armhfp       163 k

Transaction Summary
================================================================================
Install  1 Package

Total download size: 163 k
Installed size: 372 k
Is this ok [y/N]: y
Downloading Packages:
iputils-20140519-4.fc22.armv7hl.rpm              77 kB/s | 163 kB     00:02    
--------------------------------------------------------------------------------
Total                                            77 kB/s | 163 kB     00:02     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Installing  : iputils-20140519-4.fc22.armv7hl                             1/1 
Error unpacking rpm package iputils-20140519-4.fc22.armv7hl
warning: Unable to get systemd shutdown inhibition lock
error: unpacking of archive failed on file /usr/bin/ping;568b6a9d: cpio: cap_set_file
iputils-20140519-4.fc22.armv7hl was supposed to be installed but is not!
  Verifying   : iputils-20140519-4.fc22.armv7hl                             1/1 

Installed:
  iputils.armv7hl 20140519-4.fc22                                               

Complete!
[root@localhost ~]#

error: unpacking of archive failed on file /usr/bin/ping;568b6a9d: cpio: cap_set_file iputils-20140519-4.fc22.armv7hl was supposed to be installed but is not!

What is this?

[root@localhost ~]# wget https://dl.fedoraproject.org/pub/fedora/linux/releases/22/Workstation/
iputils-20140519-4. 100%[=====================>] 162.50K   121KB/s   in 1.3s   

2016-01-05 16:30:47 (121 KB/s) - ‘iputils-20140519-4.fc22.armv7hl.rpm’ saved [166404/166404]

[root@localhost ~]#
wget works.

[root@localhost ~]# rpm -ivh iputils-20140519-4.fc22.armv7hl.rpm
warning: iputils-20140519-4.fc22.armv7hl.rpm: Header V3 RSA/SHA256 Signature, key ID 8e1431d5: NOKEY
warning: Unable to get systemd shutdown inhibition lock
Preparing...                          ################################# [100%]
Updating / installing...
   1:iputils-20140519-4.fc22          ################################# [100%]
error: unpacking of archive failed on file /usr/bin/ping;568b7133: cpio: cap_set_file
error: iputils-20140519-4.fc22.armv7hl: install failed
[root@localhost ~]# 
rpm -ivh fails with cpio: cap_set_file.

Is this some kind of security thing?

Well then, what if I extract it with rpm2cpio?

[root@localhost ~]# cd /
[root@localhost /]# rpm2cpio /root/iputils-20140519-4.fc22.armv7hl.rpm|cpio -id
753 blocks
[root@localhost /]# 
Oh? That worked.
[root@localhost /]# ping -c 1 192.168.x.1
PING 192.168.x.1 (192.168.x.1) 56(84) bytes of data.
64 bytes from 192.168.x.1: icmp_seq=1 ttl=64 time=288 ms

--- 192.168.x.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 288.357/288.357/288.357/0.000 ms
[root@localhost /]# 
Huh. It runs. So what was all that about?
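What it was, with a probe script (added here, not part of the original post). rpm stores POSIX file capabilities for files a spec marks with %caps, and Fedora's iputils gives /usr/bin/ping its raw-socket capability that way instead of a setuid bit. While unpacking, rpm calls cap_set_file() to write the security.capability extended attribute; the kernel or filesystem behind the LinuxDeploy chroot refused it, so the unpack failed. dnf's "Installed:" and "Complete!" lines are misleading; "was supposed to be installed but is not!" is the real outcome. rpm2cpio | cpio never touches xattrs, so the files land, but ping ends up with no capability at all. It works above only because root already holds CAP_NET_RAW; an unprivileged user would get "ping: socket: Operation not permitted" (and on this kernel the Android group gating covered further down applies on top of that). The script checks which capabilities the package wanted, whether the filesystem will take one, what the binary actually has, and what rpm -V thinks of the half-installed package. Defaults are the paths on this page; the filesystem probe writes and removes one temporary file in the target directory, and needs setcap (libcap) to be installed.

```sh
#!/bin/sh
# Diagnose "cpio: cap_set_file": which file capabilities the package carries,
# whether this kernel/filesystem will store them, and what the binary has now.
# Added example for this post, not the author's commands. Defaults point at the
# paths used above; pass an rpm file, a directory and a binary to override.

RPMFILE=${1:-/root/iputils-20140519-4.fc22.armv7hl.rpm}
TESTDIR=${2:-/usr/bin}
BINARY=${3:-/usr/bin/ping}

# rpm_wanted_caps RPMFILE: files in the package that carry POSIX file
# capabilities (rpm's --filecaps query); this is what cap_set_file() was asked
# to write. Returns 2 when rpm itself is not available.
rpm_wanted_caps() {
    command -v rpm >/dev/null 2>&1 || return 2
    rpm -qp --filecaps "$1" 2>/dev/null | awk 'NF > 1'
}

# fs_accepts_caps DIR: 0 if a security.capability xattr can be written to a new
# file in DIR, 1 if the kernel or filesystem refuses it (the failure rpm hit),
# 2 if setcap is missing or DIR is not writable, so nothing can be concluded.
fs_accepts_caps() {
    command -v setcap >/dev/null 2>&1 || return 2
    t=$(mktemp "$1/captest.XXXXXX") || return 2
    if setcap cap_net_raw+ep "$t" 2>/dev/null; then rc=0; else rc=1; fi
    rm -f "$t"
    return "$rc"
}

# installed_caps BINARY: capability set actually attached to the file. Empty
# output means none, which is exactly what rpm2cpio | cpio leaves behind.
installed_caps() {
    command -v getcap >/dev/null 2>&1 || return 2
    getcap "$1" 2>/dev/null
}

# verify_package NAME: rpm -V lists files the rpm database believes are
# installed but which are missing or differ; dnf's "Complete!" is no substitute.
verify_package() {
    command -v rpm >/dev/null 2>&1 || return 2
    rpm -V "$1"
}

echo "capabilities the package wants:"
rpm_wanted_caps "$RPMFILE"
fs_accepts_caps "$TESTDIR"
case $? in
    0) echo "$TESTDIR: security.capability xattrs are accepted" ;;
    1) echo "$TESTDIR: setcap refused; rpm's cap_set_file will fail here too" ;;
    *) echo "$TESTDIR: setcap unavailable or directory not writable, cannot tell" ;;
esac
echo "capabilities on $BINARY now: $(installed_caps "$BINARY")"
verify_package iputils
# If this rpm build lists --nocaps ("don't install file capabilities"), that is
# the clean alternative to rpm2cpio: the package goes through rpm and into its
# database, just without the capability step.
if rpm --help 2>/dev/null | grep -q -- '--nocaps'; then
    echo "rpm supports: rpm -ivh --nocaps $RPMFILE"
fi
```

Run it as root inside the chroot. A result of "setcap refused" together with an empty getcap line is the whole story of this post in two lines; if you want ping usable by non-root users afterwards, either the filesystem has to accept the xattr or you are back to a setuid-root ping, which is the larger attack surface the capability was introduced to avoid.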

How do I get an Android Process running with the CAP_NET_ADMIN capability

In various searches I have made on this topic I have found hints that the capability should be applied. eg, from http://elinux.org/Android_Security

#define             GID     Capability
AID_NET_BT_ADMIN    3001    Can create an RFCOMM, SCO, or L2CAP Bluetooth socket
AID_NET_BT          3002    Can create a Bluetooth socket
AID_INET            3003    Can create IPv4 or IPv6 socket
AID_NET_RAW         3004    Can create certain kinds of IPv4 sockets??
AID_NET_ADMIN*      3005    Allow CAP_NET_ADMIN permissions for process 

Unfortunately, this doesn't seem to apply to my system.

So there is a trick with aid_inet in /etc/group.

Docker, trusted builds, and Fedora 20
We seem to have lost CAP_SET_FILE #5928
Someone tried something, failed, and pulled back?

[android@localhost ~]$ id
uid=5000(android) gid=5000(android) groups=5000(android),1000(aid_system),1001(aid_radio),1002(aid_bluetooth),1003(aid_graphics),1004(aid_input),1005(aid_audio),1006(aid_camera),1007(aid_log),1008(aid_compass),1009(aid_mount),1010(aid_wifi),1011(aid_adb),1012(aid_install),1013(aid_media),1014(aid_dhcp),1015(aid_sdcard_rw),1016(aid_vpn),1017(aid_keystore),1018(aid_usb),1019(aid_drm),1020(aid_available),1021(aid_gps),1023(aid_media_rw),1024(aid_mtp),1026(aid_drmrpc),1027(aid_nfc),1028(aid_sdcard_r),1029(aid_clat),1030(aid_loop_radio),1031(aid_media_drm),1032(aid_package_info),1033(aid_sdcard_pics),1034(aid_sdcard_av),1035(aid_sdcard_all),1036(aid_logd),1037(aid_shared_relro),2000(aid_shell),2001(aid_cache),2002(aid_diag),3001(aid_net_bt_admin),3002(aid_net_bt),3003(aid_inet),3004(aid_net_raw),3005(aid_net_admin),3006(aid_net_bw_stats),3007(aid_net_bw_acct),3008(aid_net_bt_stack)
[android@localhost ~]$ 
What is this list of groups? lol

android-4.1/include/linux/android_aid.h

/* AIDs that the kernel treats differently */
#define AID_OBSOLETE_000 KGIDT_INIT(3001)  /* was NET_BT_ADMIN */
#define AID_OBSOLETE_001 KGIDT_INIT(3002)  /* was NET_BT */
#define AID_INET         KGIDT_INIT(3003)
#define AID_NET_RAW      KGIDT_INIT(3004)
#define AID_NET_ADMIN    KGIDT_INIT(3005)
#define AID_NET_BW_STATS KGIDT_INIT(3006)  /* read bandwidth statistics */
#define AID_NET_BW_ACCT  KGIDT_INIT(3007)  /* change bandwidth statistics accounting */

Start LinuxDeploy from Android and mount the MicroSD card formatted as ext4. Add a 2 GB swap area there and swapon. Then bring up postgres, tomcat and apache in turn.

Startup: /sdcard/gscripts/deploy_start.sh

#!/system/bin/sh
# Bring up the LinuxDeploy chroot, mount the ext4 card as /opt inside it,
# add swap, then start each service under its own user.

cd /storage/sdcard0/gscripts
D=/data/data/ru.meefik.linuxdeploy/files/bin

${D}/linuxdeploy start

# mount_ext4.sh mounts the MicroSD image unless it is already mounted
if ! mount | grep -q /data/local/linux/opt; then
	sh mount_ext4.sh
fi

${D}/linuxdeploy shell swapon /opt/swap.img
${D}/linuxdeploy shell -u postgres /opt/postgres/bin/postgres_start.sh
${D}/linuxdeploy shell -u tomcat /opt/tomcat/bin/tomcat_bg.sh
# httpd is started as root so it can bind its ports; httpd.conf's User/Group
# directives decide which user the worker processes run as
${D}/linuxdeploy shell /opt/apache/bin/apache_start.sh
Shutdown: /sdcard/gscripts/deploy_stop.sh
#!/system/bin/sh
# Reverse of deploy_start.sh: stop the services, drop swap, unmount, stop the chroot.

D=/data/data/ru.meefik.linuxdeploy/files/bin

${D}/linuxdeploy shell /opt/apache/bin/apache_stop.sh
${D}/linuxdeploy shell -u tomcat /opt/tomcat/bin/tomcat_stop.sh
${D}/linuxdeploy shell -u postgres /opt/postgres/bin/postgres_stop.sh
${D}/linuxdeploy shell swapoff /opt/swap.img

if mount | grep -q /data/local/linux/opt; then
  busybox umount /data/local/linux/opt
fi

${D}/linuxdeploy stop
Something like that.

systemctl can't be used here: inside the LinuxDeploy chroot systemd is not running as init, and systemctl detects the chroot and ignores the request.

[root@localhost ~]# systemctl start httpd.service
Running in chroot, ignoring request.
[root@localhost ~]# 
So I wrote start/stop scripts for each of apache, tomcat and postgres, and created apache, tomcat and postgres users. /etc/passwd:
apache:x:48:48:Apache:/opt/apache:/bin/bash
tomcat:x:91:91:Apache Tomcat:/opt/tomcat:/bin/bash
postgres:x:26:26:PostgreSQL Server:/opt/postgres:/bin/bash
Added apache, tomcat and postgres to aid_inet in /etc/group:
aid_inet:x:3003:android,root,dbus,apache,tomcat,postgres
apache:x:48:
tomcat:x:91:
postgres:x:26:
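Why this edit matters, as an added note with a helper script (not the author's): Android kernels built with CONFIG_ANDROID_PARANOID_NETWORK gate socket creation on group membership. A process that isn't root, doesn't hold the relevant network capability, and isn't in gid 3003 (AID_INET) gets EACCES from socket(); raw sockets are gated on gid 3004 (AID_NET_RAW) the same way. That is why root and android work out of the box and why apache, tomcat and postgres, started via linuxdeploy shell -u, had to be added to aid_inet. (The service accounts above get /bin/bash, presumably because linuxdeploy shell -u needs a real shell; if it doesn't, /sbin/nologin is the safer choice.) The script below checks and fixes membership in a group file, runs on a constructed sample by default, and takes a real path as its first argument to operate on the live file, where usermod -aG aid_inet USER is the equivalent.

```sh
#!/bin/sh
# Check and fix aid_inet (gid 3003) membership in a group file. Added example for
# this post; the sample group file below is constructed. Pass a real path
# (e.g. /etc/group inside the chroot) as the first argument to use it instead.

GROUPFILE=${1:-}

# user_in_group FILE GROUP USER: 0 if USER is listed in GROUP's member field.
# Only supplementary membership is checked; a user whose primary gid is the
# group also passes the kernel's in_egroup_p test but isn't listed here.
user_in_group() {
    awk -F: -v g="$2" -v u="$3" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { if (found) exit 0; exit 1 }' "$1"
}

# group_gid FILE GROUP: numeric gid, to confirm aid_inet really is 3003
# (the kernel compares the number, not the name).
group_gid() {
    awk -F: -v g="$2" '$1 == g { print $3 }' "$1"
}

# ensure_in_group FILE GROUP USER...: append each missing USER to GROUP's member
# list without duplicating existing entries. Same effect as usermod -aG GROUP USER.
ensure_in_group() {
    file=$1 grp=$2
    shift 2
    for u in "$@"; do
        user_in_group "$file" "$grp" "$u" && continue
        awk -F: -v OFS=: -v g="$grp" -v u="$u" '
            $1 == g { $4 = ($4 == "" ? u : $4 "," u) } { print }' "$file" > "$file.new" &&
            mv "$file.new" "$file"
    done
}

if [ -z "$GROUPFILE" ]; then
    # constructed sample: the aid_inet line before the edit described in the post
    GROUPFILE=$(mktemp)
    cat > "$GROUPFILE" <<'EOF'
root:x:0:
aid_inet:x:3003:android,root,dbus
aid_net_raw:x:3004:android,root
apache:x:48:
tomcat:x:91:
postgres:x:26:
EOF
fi

ensure_in_group "$GROUPFILE" aid_inet apache tomcat postgres
echo "aid_inet is gid $(group_gid "$GROUPFILE" aid_inet)"
for u in apache tomcat postgres; do
    if user_in_group "$GROUPFILE" aid_inet "$u"; then
        echo "$u: in aid_inet"
    else
        echo "$u: NOT in aid_inet (socket() will fail with EACCES)"
    fi
done
```

After editing the live file, confirm with `id -Gn tomcat` that aid_inet shows up; the gid takes effect on the next process started for that user, so services already running have to be restarted.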

Start postgresql:

#!/bin/sh
pg_ctl -D /opt/postgres/pgsql -l /opt/postgres/logfile start
Stop postgresql:
#!/bin/sh
pg_ctl -D /opt/postgres/pgsql -l /opt/postgres/logfile stop

Start tomcat in the background:

#!/bin/sh
sh /opt/tomcat/bin/tomcat_start.sh &
Start tomcat in the foreground:
#!/bin/sh

#export JAVA_OPTS="-Xmx800m"
/usr/libexec/tomcat/server start &
Stop tomcat (background):
#!/bin/sh

/usr/libexec/tomcat/server stop
# the two lines below only list tomcat processes still around (full line, then PIDs); they don't kill them
ps auxww|grep "/usr/share/tomcat"|grep -v grep
ps auxww|grep "/usr/share/tomcat"|grep -v grep|awk '{print $2}'

Start the httpd server:

#!/bin/sh
apachectl -k start
Stop the httpd server:
#!/bin/sh
apachectl -k stop
Tomcat takes a full 8 minutes to start. Once it is up, it runs normally with acceptable response times.

For the Perl CGI scripts placed in cgi-bin, MaxMind::DB::Reader was a no-go, but perl-CGI, perl-JSON-PP and perl-DBD-Pg all worked without problems on the DataTables screen.

In the LinuxDeploy Fedora 22 environment I could not create a certificate for Tomcat with keytool; keytool just runs away on me. But by deploying a certificate created on a separate Intel machine, I got TLS 1.2 connections to Tomcat with TLS_RSA_WITH_AES_256_CBC_SHA (256-bit AES key) and to the Apache HTTPD server with TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (256-bit AES key).
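A keytool-free way to produce the Tomcat keystore, plus a check of what the servers actually negotiate, as an added example (not the author's procedure). openssl was evidently working on the device, since Apache got its certificate, and Tomcat 7 loads a PKCS12 file directly with keystoreType="PKCS12", so keytool isn't needed at all. HOST, OUT and PASS below are placeholders. One caveat on the suites observed above: TLS_RSA_WITH_AES_256_CBC_SHA uses static RSA key exchange, so anyone who later obtains the server key can decrypt recorded sessions; the ECDHE suite Apache chose has forward secrecy, and Tomcat's connector can be steered the same way with its ciphers attribute.

```sh
#!/bin/sh
# Produce a Tomcat-loadable PKCS12 keystore with openssl alone, and read back
# the cipher suite a TLS server actually negotiates. Added example for this
# post, not the author's steps. HOST, OUT and PASS are placeholders: set
# OUT=/opt/tomcat/conf (owned by tomcat) to put the store where Tomcat reads it.

HOST=${HOST:-k2cl.example}
OUT=${OUT:-$(mktemp -d)}
PASS=${PASS:-changeit}

# make_pkcs12 DIR HOST PASS: 2048-bit RSA key, one-year self-signed cert, and a
# PKCS12 bundle (alias "tomcat") protected by PASS. Returns 2 if openssl is missing.
make_pkcs12() {
    command -v openssl >/dev/null 2>&1 || return 2
    d=$1 h=$2 p=$3
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$h" \
        -keyout "$d/tomcat.key" -out "$d/tomcat.crt" 2>/dev/null || return 1
    openssl pkcs12 -export -name tomcat -inkey "$d/tomcat.key" -in "$d/tomcat.crt" \
        -passout "pass:$p" -out "$d/tomcat.p12" 2>/dev/null || return 1
    # private material should be readable by the service user only
    chmod 600 "$d/tomcat.key" "$d/tomcat.p12"
}

# cert_cn PEMFILE: subject CN, to confirm the store carries the expected name.
cert_cn() {
    openssl x509 -in "$1" -noout -subject 2>/dev/null | sed 's/.*CN *= *//'
}

# negotiated_suite HOST PORT: the suite a TLS 1.2 client ends up with, e.g.
# ECDHE-RSA-AES256-SHA (OpenSSL's name for TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA).
negotiated_suite() {
    openssl s_client -connect "$1:$2" -tls1_2 </dev/null 2>/dev/null |
        sed -n 's/^ *Cipher *: *//p'
}

if make_pkcs12 "$OUT" "$HOST" "$PASS"; then
    echo "keystore $OUT/tomcat.p12 for CN=$(cert_cn "$OUT/tomcat.crt")"
    echo "Tomcat 7 connector: keystoreFile=\"$OUT/tomcat.p12\" keystoreType=\"PKCS12\" keystorePass=\"...\""
else
    echo "openssl not available or key generation failed" >&2
fi
```

With OpenSSL 3 the pkcs12 command writes AES/PBKDF2 by default, which a 2015-era OpenJDK 8 cannot read; add -legacy there (the Fedora 22 openssl 1.0 produces the older format Java 8 expects). Once Tomcat is restarted, `negotiated_suite HOST 8443` shows the suite it picked; if that is still a TLS_RSA_* suite, list ECDHE suites first in the connector's ciphers attribute.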

Note that all of this was confirmed working on a dual-core 1.2 GHz Snapdragon CPU with 800 MB of memory, running Android 4.1.2.
