138344 2006-06-28 05:25 0000 OpenSSL broken sandbox support on all versions 2006-10-22 04:37:03 0000 1 1 1 Unclassified Gentoo/Alt FreeBSD unspecified All FreeBSD RESOLVED FIXED P2 normal --- 1 unledev+b.g.o@gmail.com bsd@gentoo.org azarah@gentoo.org vapier@gentoo.org unledev+b.g.o@gmail.com 2006-06-28 05:25:20 0000 OpenSSL accesses /dev/crypto on BSDs, which is incorrectly marked as predicted access in src_test (and it contains a typo) in all versions on portage tree. Testing FreeBSD patch for sandbox revealed this inconsistency, causing access denied violations. Steps to reproduce: 1. Apply FreeBSD experimental patches to sandbox (http://unleashed.amule.org/soc) 2. Enable FEATURES="sandbox" 3. emerge openssl Actual results: Sandbox denies accesses to /dev/crypto and errors out preventing OpenSSL from emerging. Expected results: Sandbox denies accesses to /dev/crypto _but_ as they're predicted all goes fine and OpenSSL gets emerged. Proposed patch to follow. unledev+b.g.o@gmail.com 2006-06-28 05:26:55 0000 Created an attachment (id=90353) Patch to fix addpredict in OpenSSL ebuilds This patch should apply to all versions and fixes the problem for 0.9.7j specifically. flameeyes@gentoo.org 2006-06-28 05:33:13 0000 Last time we decided it was up to sandbox allow access to /dev/crypto, it's just a conditional to add to the code. unledev+b.g.o@gmail.com 2006-06-28 06:07:05 0000 Woops, okay, didn't have info on that topic. I'll patch sandbox to always autopredict access to /dev/crypto and include it on my tree. Thanks. Now change the request to kill that add_predict line which is wrong anyways. azarah@gentoo.org 2006-07-08 02:33:41 0000 As its only a FreeBSD issue, it really should only add the predict for FreeBSD, and I do not want to hardcode any more path's. For the access that stuff builing or using OpenSSL during build need, it should add a /etc/sandbox.d/ file that allows/predict's this. I know its not yet in an unmasked or stable release of sandbox, but then aparently all versions sandbox still have issues on BSD. azarah@gentoo.org 2006-07-08 02:34:23 0000 (In reply to comment #4) > For the access that stuff > builing or using OpenSSL during build need, it should add a /etc/sandbox.d/ > file that allows/predict's this. PS, only installed on FreeBSD as well ... vapier@gentoo.org 2006-07-08 07:55:39 0000 yeah i dont think this is something to add to sandbox last i heard this was only an issue in src_test unledev+b.g.o@gmail.com 2006-07-08 12:24:36 0000 Looks like this only applies to OpenSSL on BSD and I haven't found any other ebuild requiring /dev/crypto to be predicted. If that is the case, why not apply the proposed patch and be done with it (which, btw, doesn't predict /dev/crypto under src_test)? If not, I guess I should patch sandbox to install a file under /etc/sandbox.d when built for G/FBSD (which looks to me as too much for just one ebuild ATM). Would that be okay? azarah@gentoo.org 2006-07-08 14:41:43 0000 (In reply to comment #7) > Looks like this only applies to OpenSSL on BSD and I haven't found any other > ebuild requiring /dev/crypto to be predicted. If that is the case, why not > apply the proposed patch and be done with it (which, btw, doesn't predict > /dev/crypto under src_test)? > Agreed, if its only needed for OpenSSL to build, there is no reason for it to be in /etc/sandbox.d/. Just fix the ebuild. vapier@gentoo.org 2006-07-14 22:34:53 0000 i'm not inclined to apply patches that look broken to me /dev/crypto is used only at runtime, not at compile time ... so why is addpredict needed anywhere but src_test ? unledev+b.g.o@gmail.com 2006-07-15 22:39:46 0000 (In reply to comment #9) > i'm not inclined to apply patches that look broken to me > > /dev/crypto is used only at runtime, not at compile time ... so why is > addpredict needed anywhere but src_test ? Because actual sandbox violations happen in src_compile and src_install but not in src_test. Fact is those two stages enter a "Doing certs" phase in which they try to write to /dev/crypto. If this is expected behaviour or not, I don't know. Maintainers may have something to say about this. flameeyes@gentoo.org 2006-10-22 04:37:03 0000 Okay, so since freebsd-lib-6.2_beta2 I'm now installing a sandbox configuration file, that allows access to /dev/crypto, which means this bug can be closed. 90353 2006-06-28 05:26 0000 Patch to fix addpredict in OpenSSL ebuilds openssl-0.9.7j-fix-sandbox-bsd.patch text/plain LS0tIG9wZW5zc2wtMC45LjdqLmVidWlsZAkyMDA2LTA2LTI4IDA1OjM1OjQ1ICswMDAwCisrKyBv cGVuc3NsLTAuOS43ai5lYnVpbGQJMjAwNi0wNi0yOCAxMjoxNjowNCArMDAwMApAQCAtMTA0LDYg KzEwNCw5IEBACiAJCXNoYXJlZCB0aHJlYWRzIFwKIAkJfHwgZGllICJDb25maWd1cmUgZmFpbGVk IgogCisJIyBtYWtlIHN1cmUgc2FuZGJveCBkb2VzbnQgZGllIG9uICpCU0QKKwlhZGRwcmVkaWN0 IC9kZXYvY3J5cHRvCisKIAllbWFrZSBcCiAJCUNDPSIkKHRjLWdldENDKSIgTUFLRURFUFBST0c9 IiQodGMtZ2V0Q0MpIiBcCiAJCUFSPSIkKHRjLWdldEFSKSByIiBcCkBAIC0xMTcsMTMgKzEyMCwx MyBAQAogfQogCiBzcmNfdGVzdCgpIHsKLQkjIG1ha2Ugc3VyZSBzYW5kYm94IGRvZXNudCBkaWUg b24gKkJTRAotCWFkZF9wcmVkaWN0IC9kZXYvY3J5cHRvCi0KIAltYWtlIHRlc3QgfHwgZGllICJt YWtlIHRlc3QgZmFpbGVkIgogfQogCiBzcmNfaW5zdGFsbCgpIHsKKwkjIG1ha2Ugc3VyZSBzYW5k Ym94IGRvZXNudCBkaWUgb24gKkJTRAorCWFkZHByZWRpY3QgL2Rldi9jcnlwdG8KKwogCW1ha2Ug SU5TVEFMTF9QUkVGSVg9IiR7RH0iIE1BTkRJUj0vdXNyL3NoYXJlL21hbiBpbnN0YWxsIHx8IGRp ZQogCWRvZG9jIENIQU5HRVMqIEZBUSBORVdTIFJFQURNRQogCWRvZG9jIGRvYy8qLnR4dAo=