Bug 206678 - sandbox: multilib error - "libsandbox: Can't resolve getcwd: (null)"
Summary: sandbox: multilib error - "libsandbox: Can't resolve getcwd: (null)"
Status: RESOLVED DUPLICATE of bug 202765
Alias: None
Product: Portage Development
Classification: Unclassified
Component: Sandbox
Hardware: All Linux
Importance: High blocker with 1 vote
Assignee: Sandbox Maintainers
Reported: 2008-01-19 17:57 UTC by tomas charvat
Modified: 2009-10-26 13:13 UTC

Attachments
config.log (20080430_sys_apps_at_config.log.gz,1.21 MB, application/x-gzip)
2008-04-30 23:46 UTC, Robin Johnson

Description tomas charvat 2008-01-19 17:57:06 UTC
Greetings ... I posted a few questions about this problem in the past.

Things are like this: if you install plain hardened-multilib Gentoo, you will get a working system.
Then you reboot and you will have many packages to upgrade. Glibc-2.6.1 is one of them. After compiling this package you cannot emerge anything else, because you will be getting this error message:

libsandbox: Can't resolve getcwd: (null)

At this point I found many ways to kill my system by experimenting with FEATURES=-sandbox and so on...
But the only way which brought my system back from the land of lost souls was RECOMPILING my kernel. After recompiling my current kernel (sys-kernel/hardened-sources-2.6.23-r4) I rebooted and things started to work without any problem.

Here is a link describing this problem:
http://forums.gentoo.org/viewtopic-p-4681061-highlight-.html?sid=6f950f4bfa56abdc5087339b18f1db00#4681061


I believe that a clear and big warning after compiling glibc, about the need to recompile the kernel, would save a lot of time for many Gentooists.
Comment 1 Stefan Kiesler 2008-01-22 22:26:10 UTC
I can confirm this bug and its solution. I just did a fresh install from releases/amd64/2007.0/stages/hardened/stage3-amd64-hardened-multilib-2007.0.tar.bz2.
During the installation, I updated / installed the following packages:

app-shells/bash-3.2_p17-r1
sys-apps/sandbox-1.2.18.1-r2
sys-apps/portage-2.1.3.19
dev-python/pycrypto-2.0.1-r6
sys-kernel/hardened-sources-2.6.23-r4
dev-util/pkgconfig-0.22
dev-libs/eventlog-0.2.5
dev-libs/glib-2.14.3
app-admin/syslog-ng-2.0.6
net-mail/mailwrapper-0.2.1
mail-mta/msmtp-1.4.7
sys-process/cronbase-0.3.2-r1
sys-process/vixie-cron-4.1-r10
net-dialup/ppp-2.4.4-r13
sys-devel/autoconf-2.61-r1
perl-core/Scalar-List-Utils-1.19
perl-core/libnet-1.21
dev-perl/Compress-Raw-Zlib-2.005
dev-perl/HTML-Tagset-3.10
virtual/perl-MIME-Base64-3.07
dev-perl/DateManip-5.44
virtual/perl-Digest-MD5-2.36
net-nds/portmap-6.0
dev-libs/libevent-1.3a
sys-apps/util-linux-2.13-r2
sys-fs/sysfsutils-2.1.0
sys-devel/bin86-0.16.17
app-admin/logrotate-3.7.2
app-admin/mcelog-0.7
app-admin/showconsole-1.08
app-portage/gentoolkit-0.2.3-r1
net-firewall/iptables-1.3.8-r2
net-misc/dhcp-3.1.0
net-misc/ntp-4.2.4_p4
sys-apps/ethtool-6
sys-apps/pciutils-2.2.7-r1
sys-apps/smartmontools-5.37
virtual/perl-Scalar-List-Utils-1.19
dev-perl/HTML-Parser-3.56
dev-perl/URI-1.35
virtual/perl-libnet-1.21
net-libs/libnfsidmap-0.19
x11-misc/read-edid-1.4.1-r1
app-misc/screen-4.0.3
www-client/links-2.1_pre28-r1
sys-boot/lilo-22.7.3-r1
dev-perl/IO-Compress-Base-2.005
dev-perl/HTML-Tree-3.23
net-fs/nfs-utils-1.1.0-r1
sys-apps/lm_sensors-2.10.4
dev-perl/IO-Compress-Zlib-2.005
dev-perl/Compress-Zlib-2.005
dev-perl/Crypt-SSLeay-0.57
dev-perl/libwww-perl-5.805
app-portage/genlop-0.30.8-r1
sys-boot/lilo-22.7.3-r1
dev-libs/openssl-0.9.8g
dev-perl/Locale-gettext-1.05
dev-util/unifdef-1.20
sys-apps/help2man-1.36.4
sys-kernel/linux-headers-2.6.23-r2
sys-devel/libtool-1.5.24
sys-apps/shadow-4.0.18.1-r1
sys-libs/pam-0.99.9.0
net-misc/openssh-4.7_p1-r1
dev-libs/expat-2.0.1
dev-libs/libxml2-2.6.30-r1
sys-libs/ncurses-5.6-r2
sys-devel/gettext-0.17
sys-devel/gcc-config-1.4.0-r4
app-misc/pax-utils-0.1.16
sys-libs/timezone-data-2007j
sys-devel/gnuconfig-20070724
sys-devel/binutils-2.18-r1
sys-libs/glibc-2.6.1

I rebooted several times in between and everything was working fine until that glibc update. At this point I did another reboot and initiated another lengthy emerge, which successfully installed:

app-admin/python-updater-0.2

but stopped while applying patches for:

sys-apps/sysvinit-2.86-r10.

"libsandbox: Can't resolve open: (null)" :-/

After simply recompiling the kernel and rebooting the error disappeared and I could successfully update world.

emerge --info (after world update):

Portage 2.1.3.19 (hardened/amd64/multilib, gcc-3.4.6, glibc-2.6.1-r0, 2.6.23-hardened-r4-final x86_64)
=================================================================
System uname: 2.6.23-hardened-r4-final x86_64 AMD Sempron(tm) Processor LE-1100
Timestamp of tree: Tue, 22 Jan 2008 20:17:01 +0000
app-shells/bash:     3.2_p17-r1
dev-lang/python:     2.4.4-r6
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 1.12.10-r5
sys-apps/sandbox:    1.2.18.1-r2
sys-devel/autoconf:  2.61-r1
sys-devel/automake:  1.10
sys-devel/binutils:  2.18-r1
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   1.5.24
virtual/os-headers:  2.6.23-r2
ACCEPT_KEYWORDS="amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=k8 -msse3 -O2 -pipe -fforce-addr"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-march=k8 -msse3 -O2 -pipe -fforce-addr"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig distlocks metadata-transfer sandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="ftp://ftp.tu-clausthal.de/pub/linux/gentoo/ ftp://sunsite.informatik.rwth-aachen.de/pub/Linux/gentoo http://linux.rz.ruhr-uni-bochum.de/download/gentoo-mirror/"
LANG="de_DE@euro"
LINGUAS="de"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="amd64 apache2 berkdb cracklib crypt hardened justify mailwrapper midi nls nptl nptlonly pam pic readline ssl symlink tcpd threads urandom vhosts xorg zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="mouse keyboard" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="de" USERLAND="GNU" VIDEO_CARDS="apm ark chips cirrus cyrix dummy fbdev glint i128 i810 mach64 mga neomagic nv r128 radeon rendition s3 s3virge savage siliconmotion sis sisusb tdfx tga trident tseng v4l vesa vga via vmware voodoo"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Comment 2 eric 2008-02-01 20:33:05 UTC
WHY IS THIS MARKED SOLVED!!!!!!!!! I still have this same problem. I tried all the solutions with hardened multilib and none of them worked for me and I could not update the system. I then reverted to a plain jane stage3 amd64 and tried hardened-sources. Same problem exists! I haven't even been able to update portage yet! It won't get beyond compiling bash before libsandbox errors of unresolved functions start flying. I noticed that the errors pop up at random different points in the compile process. It doesn't matter if I use FEATURE=-sandbox or not, it blows chunks trying to compile at random spots. Can someone for the love of god REALLY fix this?!?!?!
Comment 3 tomas charvat 2008-02-01 22:55:53 UTC
(In reply to comment #2)

At the moment when your sandbox breaks and stops compiling things, go and recompile your kernel. Then reboot and everything should work fine. Do not mess with -sandbox, it's the road to hell.

Btw this is marked as new.... [solved] is part of the subject, because we know how to get out of this problem.

I attempted to change Severity. I can imagine that this problem drives many people crazy.

rgrds
tomas

Comment 4 eric 2008-02-02 15:43:19 UTC
I have recompiled my kernel (from the userland that seems to be broken). I tried loosening the PaX and grsecurity settings even. I have tried with hardened and default-linux profiles. I have a very generic install without hardly any customization besides the CFLAGS and some minor USE flags for later package installations. I have tried everything and this just does not want to compile anything. I'm not even running this in a virtual machine! It's running on the bare metal (an HP bl20p g3 blade). None of the solutions I have read for this problem fix it!
Comment 5 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2008-02-02 18:26:36 UTC
This bug isn't limited to Hardened.
Comment 6 tomas charvat 2008-02-02 18:55:54 UTC
(In reply to comment #4)
> I have recompiled my kernel (from the userland that seems to be broken). I
> tried loosening the PaX and grsecurity settings even. I have tried with
> hardened and default-linux profiles. I have a very generic install without
> hardly any customization besides the CFLAGS and some minor USE flags for later
> package installations. I have tried everything and this just does not want to
> compile anything. I'm not even running this in a virtual machine! It's running
> on the bare metal (an HP bl20p g3 blade). None of the solutions I have read for
> this problem fix it!
> 

If you unpack stage3, compile kernel and then reboot, you will have working system. Then emerge --sync, emerge glibc -uD 
when glibc is finished, try to recompile your current kernel, install it and reboot. 

Then try emerge system -u

Tell me if it fixed your problem or not.
Comment 7 Daniel G 2008-02-02 22:28:00 UTC
Interesting that the solution here is to rebuild the kernel.
Twice I installed a new glibc, and both times my solution was to recompile sandbox itself with the FEATURES=-sandbox option (so that it doesn't crash when trying to compile itself).
Both times it worked.
By the way: it happens to a great many people, some of which would like this answer to be better documented, not just in the bugzilla.
Comment 8 tomas charvat 2008-02-02 23:13:13 UTC
(In reply to comment #7)
> Interesting that the solution here is to rebuild the kernel.
> Twice I installed a new glibc, and both times my solution was to recompile
> sandbox itself with the FEATURES=-sandbox option (so that it doesn't crash when
> trying to compile itself).
> Both times it worked.
> By the way: it happens to a great many people, some of which would like this
> answer to be better documented, not just in the bugzilla.
> 

It might depend on arch and "version" of Gentoo. I found this to be the only way to fix Hardened-multilib. Recompiling sandbox with -sandbox didn't help over there.... actually ... it did help... but later something always got broken and after a few compilation attempts I ended up with a porked system :)

Soooo what exactly were you installing, that FEATURES=-sandbox emerge sandbox fixed your problem?
Comment 9 eric 2008-02-05 16:26:46 UTC
(In reply to comment #6)
> (In reply to comment #4)
> > I have recompiled my kernel (from the userland that seems to be broken). I
> > tried loosening the PaX and grsecurity settings even. I have tried with
> > hardened and default-linux profiles. I have a very generic install without
> > hardly any customization besides the CFLAGS and some minor USE flags for later
> > package installations. I have tried everything and this just does not want to
> > compile anything. I'm not even running this in a virtual machine! It's running
> > on the bare metal (an HP bl20p g3 blade). None of the solutions I have read for
> > this problem fix it!
> > 
> 
> If you unpack stage3, compile kernel and then reboot, you will have working
> system. Then emerge --sync, emerge glibc -uD 
> when glibc is finished, try to recompile your current kernel, install it and
> reboot. 
> 
> Then try emerge system -u
> 
> Tell me if it fixed your problem or not.
> 

It did work oddly enough. Last time I did this instead of doing emerge -uD glibc first I tried to emerge portage. That broke immediately trying to compile the new bash. This time when I did emerge -uD glibc it still updated bash and portage but didn't seem to break at all during the compilation. After updating glibc I then recompiled the kernel and rebooted. I was able to successfully emerge -uDav world afterwards. Once everything was working great I updated the CFLAGS and USE flags and was able to successfully emerge -euDav world. I am now compiling apps and everything appears to be working smooth as normal. Thanks Tomas. I'm still wondering why an emerge portage would fail and an emerge -uD glibc wouldn't even though they both updated bash and portage.
Comment 10 Xavian-Anderson Macpherson 2008-02-07 21:31:16 UTC
(In reply to comment #7)
> Interesting that the solution here is to rebuild the kernel.
> Twice I installed a new glibc, and both times my solution was to recompile
> sandbox itself with the FEATURES=-sandbox option (so that it doesn't crash when
> trying to compile itself).
> Both times it worked.
> By the way: it happens to a great many people, some of which would like this
> answer to be better documented, not just in the bugzilla.
> 

I am only guessing here, that if you're running in a chroot within another system, none of the "solutions (recompiling the kernel)" mentioned here will be of any help to you. I am running hardened multilib stage3 Gentoo AMD64 within a chroot from Slamd64-current. I have tried numerous times to run "emerge portage", and each attempt has failed on errors from sandbox-1.2.18.1-r2.

It seems I am better off to just stop wasting my time trying to get this to work, because I don't think this problem will ever go away. And don't be so foolish as to tell me to recompile the kernel, when in fact I can't run anything within Gentoo. It seems from these posts, you have to compile with Gentoo.

Shingoshi

I thought I should include this information as well:

starbase64 / # FEATURES="-sandbox -usersandbox" emerge -av sandbox

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild     U ] sys-apps/sandbox-1.2.18.1-r2 [1.2.17] 0 kB

Total: 1 package (1 upgrade), Size of downloads: 0 kB

Would you like to merge these packages? [Yes/No] Yes

>>> Emerging (1 of 1) sys-apps/sandbox-1.2.18.1-r2 to /
 * sandbox-1.2.18.1.tar.bz2 RMD160 ;-) ...                                                                                                                                  [ ok ]
 * sandbox-1.2.18.1.tar.bz2 SHA1 ;-) ...                                                                                                                                    [ ok ]
 * sandbox-1.2.18.1.tar.bz2 SHA256 ;-) ...                                                                                                                                  [ ok ]
 * sandbox-1.2.18.1.tar.bz2 size ;-) ...                                                                                                                                    [ ok ]
 * checking ebuild checksums ;-) ...                                                                                                                                        [ ok ]
 * checking auxfile checksums ;-) ...                                                                                                                                       [ ok ]
 * checking miscfile checksums ;-) ...                                                                                                                                      [ ok ]
 * checking sandbox-1.2.18.1.tar.bz2 ;-) ...                                                                                                                                [ ok ]
>>> Unpacking source...
>>> Unpacking sandbox-1.2.18.1.tar.bz2 to /var/tmp/portage/sys-apps/sandbox-1.2.18.1-r2/work
 * Applying sandbox-1.2.18.1-open-normal-fail.patch ...                                                                                                                     [ ok ]
 * Applying sandbox-1.2.18.1-open-cloexec.patch ...                                                                                                                         [ ok ]
>>> Source unpacked.
>>> Compiling source in /var/tmp/portage/sys-apps/sandbox-1.2.18.1-r2/work/sandbox-1.2.18.1 ...
 * If configure fails with a 'cannot run C compiled programs' error, try this:
 * FEATURES=-sandbox emerge sandbox
 * Configuring sandbox for ABI=x86...
 * econf: updating sandbox-1.2.18.1/config.guess with /usr/share/gnuconfig/config.guess
 * econf: updating sandbox-1.2.18.1/config.sub with /usr/share/gnuconfig/config.sub
../sandbox-1.2.18.1//configure --prefix=/usr --host=i686-pc-linux-gnu --mandir=/usr/share/man --infodir=/usr/share/info --datadir=/usr/share --sysconfdir=/etc --localstatedir=/var/lib --libdir=/usr/lib32 --enable-multilib --build=i686-pc-linux-gnu
checking for a BSD-compatible install... /bin/install -c
checking whether build environment is sane... yes
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking for i686-pc-linux-gnu-gcc... no
checking for gcc... gcc
checking for C compiler default output file name... a.out
checking whether the C compiler works... configure: error: cannot run C compiled programs.
If you meant to cross compile, use `--host'.
See `config.log' for more details.

!!! Please attach the following file when filing a report to bugs.gentoo.org:
!!! /var/tmp/portage/sys-apps/sandbox-1.2.18.1-r2/work/build-x86-x86_64-pc-linux-gnu/config.log

!!! ERROR: sys-apps/sandbox-1.2.18.1-r2 failed.
Call stack:
  ebuild.sh, line 1614:   Called dyn_compile
  ebuild.sh, line 971:   Called qa_call 'src_compile'
  environment, line 3346:   Called src_compile
  sandbox-1.2.18.1-r2.ebuild, line 87:   Called econf '--libdir=/usr/lib32' '--enable-multilib'
  ebuild.sh, line 577:   Called die

!!! econf failed
!!! If you need support, post the topmost build error, and the call stack if relevant.
!!! A complete build log is located at '/var/tmp/portage/sys-apps/sandbox-1.2.18.1-r2/temp/build.log'.

If I say no to the upgrade, emerge simply bails out:

starbase64 / # FEATURES="-sandbox -usersandbox" emerge -av sandbox

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild     U ] sys-apps/sandbox-1.2.18.1-r2 [1.2.17] 0 kB

Total: 1 package (1 upgrade), Size of downloads: 0 kB

Would you like to merge these packages? [Yes/No] No

Quitting.


Shingoshi

Comment 11 tomas charvat 2008-02-09 22:32:31 UTC
Shingoshi, I dunno what to say... but... do it exactly as I mentioned on 2008-02-02 18:55:54 in this bug report.

I said already that trying to fix the system with FEATURES="-sandbox" is a way to destroy your system. So.... once more again...
Stage3 installation, DO NOT UPGRADE anything, compile kernel, reboot into your new installation, upgrade system by using emerge glibc -uD, when it stops/breaks, recompile your kernel, install it, reboot into the newly compiled krnl and continue with emerge --resume or emerge world -uD

bst rgds 
tomas
Comment 12 kusi 2008-02-29 10:21:56 UTC
I can confirm the solution in #6 for amd64-2007.0 profile
Comment 13 Joel Cunningham 2008-03-24 18:25:02 UTC
Recompiling the kernel doesn't fix this for me!!!!! :(

This problem appeared when I upgraded from kernels 2.6.18-hardened to 2.6.23-hardened-r7 (both used genkernel) and that's all I changed.  Does anyone understand what's causing this error to happen?

rampage ~ # emerge --info
Portage 2.1.4.4 (hardened/amd64, gcc-4.1.1, glibc-2.4-r4, 2.6.23-hardened-r7 x86_64)
=================================================================
System uname: 2.6.23-hardened-r7 x86_64 Dual-Core AMD Opteron(tm) Processor 2210
Timestamp of tree: Wed, 12 Mar 2008 07:00:01 +0000
distcc 2.18.3 x86_64-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
ccache version 2.3 [disabled]
app-shells/bash:     3.2_p17
dev-java/java-config: 1.3.7, 2.0.31-r3
dev-lang/python:     2.4.4-r6
dev-python/pycrypto: 2.0.1-r6
dev-util/ccache:     2.3
sys-apps/baselayout: 1.12.6
sys-apps/sandbox:    1.2.18.1-r2
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.14
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -march=opteron -fomit-frame-pointer -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-O2 -march=opteron -fomit-frame-pointer -pipe"
DISTDIR="/common/admin/linux/gentoo/distfiles/"
FEATURES="distlocks metadata-transfer sandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="ftp://ftp.gtlib.cc.gatech.edu/pub/gentoo http://mirror.clarkson.edu/pub/distributions/gentoo/ http://mirrors.tds.net/gentoo http://gentoo.seren.com/gentoo ftp://ftp.ussg.iu.edu/pub/linux/gentoo"
LINGUAS="en"
MAKEOPTS="-j1"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/portage-cis /usr/local/portage/safesync"
SYNC="rsync://portage.cis.ksu.edu/portage-current"
USE="amd64 apache2 berkdb cdr cracklib crypt cups doc dvd gb gd gdbm gif gpm hardened imagemagick imlib ipv6 jabber java jikes jpeg justify kerberos ldap leim libgda libwww maildir mcal midi mule ncurses nls nptl nptlonly objc odbc pam perl pic plotutils png python quicktime readline rpc samba spell ssl symlink tcpd tetex tiff truetype unicode urandom usb wmf xml xml2 xorg zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="mouse keyboard" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en" USERLAND="GNU" VIDEO_CARDS="apm ark chips cirrus cyrix dummy fbdev glint i128 i810 mach64 mga neomagic nv r128 radeon rendition s3 s3virge savage siliconmotion sis sisusb tdfx tga trident tseng v4l vesa vga via vmware voodoo"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 14 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2008-03-29 03:13:39 UTC
As another point of reference, the Gentoo infrastructure boxes have started to hit this now. Kernel is 2.6.23-hardened-r7-infra4. I'm trying various upgrade bits to see if I can trace the problem.
Comment 15 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2008-03-30 16:04:31 UTC
In my earlier testing, I did 'make clean && make' in my kernel again, and that didn't do anything.

But solar helped me find the real cause of this - I really owe him some beer now. For everybody here, go and turn OFF CONFIG_PAX_EMUTRAMP. If you compiled _anything_ while you had that on, you are strongly advised to recompile everything  (with portage+gcc+binutils from a known good machine). My box had no ebuild.sh at one point because of this.
Comment 16 Mike Doty (RETIRED) gentoo-dev 2008-03-30 16:47:18 UTC
this isn't just hardened related, I had problems like this moving to 2.6.24-gentoo(-r??) on a regular amd64 box.
Comment 17 Joel Cunningham 2008-03-31 13:53:32 UTC
"For everybody here, go and turn OFF CONFIG_PAX_EMUTRAMP."

Neither of my kernels exhibiting this behavior has PAX enabled.
Comment 18 Joel Cunningham 2008-03-31 16:11:46 UTC
Switching to gentoo-sources-2.6.23-r9 on both affected boxes remedied the problem.  Since these are servers, messing around with why hardened didn't work isn't an option.
Comment 19 Gordon Malm (RETIRED) gentoo-dev 2008-03-31 23:56:16 UTC
(In reply to comment #17)
> "For everybody here, go and turn OFF CONFIG_PAX_EMUTRAMP."
> 
> Neither of my kernels exhibiting this behavior, have PAX enabled.
> 

Could you clarify this for me?  You are saying that you experienced the multilib/libsandbox problem while the machine was running on a hardened-sources kernel w/o CONFIG_PAX_EMUTRAMP enabled, correct?
Comment 20 Joel Cunningham 2008-04-01 00:04:47 UTC
That's correct.  What I was saying is that CONFIG_PAX was not set, which of course would mean CONFIG_PAX_EMUTRAMP was disabled as well.

Symbol: PAX_EMUTRAMP [=n]
...
   Depends on: PAX && (PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || PPC32 || X86)
Comment 21 kfm 2008-04-04 13:31:26 UTC
Changing the summary because (a) it's not as useful as it could be for users searching bugzilla in lieu of the matter (b) it clearly isn't accurate to suggest that PAX_EMUTRAMP is the only cause (although it certainly seems to serve as a potential trigger).

As it hasn't specifically been mentioned yet, I'd like to point out that the point at which it fails is at line 210 in libsandbox.c where it apparently fails to resolve the address of the symbol for the getcwd() function (while using dlsym() to do so).

Could anyone experiencing this problem please run emerge in the following manner:

LD_DEBUG=all emerge <package> 2>&1 | tee libsandbox-error.log

I'm hoping that the information contained in such a log may provide some clues.
Comment 22 kfm 2008-04-11 12:18:43 UTC
It seems that this bug is on a fast track to nowhere. If we are to have any hope of getting to the bottom of it then I would recommend the following:

* Affected users do _not_ resort to ill-advised hacks to try and fix the 
  sandbox (FEATURES="-sandbox") and end up making things worse. 

* Rather, affected users supply information that could be useful in 
  trying to get a handle on the problem: attach `emerge --info` output, 
  /usr/src/linux/.config and `qlist -ICv` output to bug as well as the 
  'LD_DEBUG' output according to the suggestion in Comment 21. 

* Sandbox maintainers take a view on what could potentially cause this 
  (especially in lieu of the fact that some users who do not use hardened
  systems have apparently been affected). Thus far they have remained
  silent which is not entirely helpful.

* Affected users who have confirmed that hardened-sources-2.6.23* 
  triggers the problem, where gentoo-sources (or any other set of sources) 
  does not, try hardened-sources-2.6.24, importing the prior .config with
  `make oldconfig` in order to see if the problem persists.
Comment 23 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2008-04-30 23:46:50 UTC
Created attachment 151479 [details]
config.log

config.log from trying to "LD_DEBUG=all emerge sys-apps/at", showing the "libsandbox: Can't resolve *" errors.

25MB uncompressed, so gzip'd for posting here. I can't test new kernels easily however.

The machine is a gentoo infra box. I have tried taking binpkgs of known good portage, sandbox, glibc, binutils from another machine, and checked that they existed on the system identically. I'm exploring that route now.

The box does use PAX, but PAX_EMUTRAMP is disabled.

Portage 2.1.4.4 (hardened/amd64/multilib, gcc-3.4.6, glibc-2.5-r4, 2.6.23-hardened-r7-infra6 x86_64)
=================================================================
System uname: 2.6.23-hardened-r7-infra6 x86_64 Dual Core AMD Opteron(tm) Processor 280
Timestamp of tree: Wed, 30 Apr 2008 02:15:23 +0000
app-shells/bash:     3.2_p17
dev-lang/python:     2.4.4-r6
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 1.12.9-r2
sys-apps/sandbox:    1.2.18.1-r2
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.18-r1
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.24
virtual/os-headers:  2.6.21
ACCEPT_KEYWORDS="amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/dev.d /etc/env.d /etc/gconf /etc/init.d /etc/revdep-rebuild /etc/scsi_id.config /etc/terminfo /etc/udev /etc/udev/rules.d"
CXXFLAGS="-O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig distlocks metadata-transfer parallel-fetch sandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://gentoo.osuosl.org/"
MAKEOPTS="-j4"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://portage.infra.gentoo.org/infra-portage/"
USE="amd64 apache2 berkdb bzip2 cracklib crypt gdbm hardened jpeg justify libwww maildir midi ncurses nptl nptlonly pam perl pic png python readline snmp ssl tcpd urandom vhosts xml xorg zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="mouse keyboard" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="apm ark chips cirrus cyrix dummy fbdev glint i128 i810 mach64 mga neomagic nv r128 radeon rendition s3 s3virge savage siliconmotion sis sisusb tdfx tga trident tseng v4l vesa vga vmware voodoo"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Comment 24 solar (RETIRED) gentoo-dev 2008-05-01 05:48:24 UTC
Not sure if this is the right fix but it keeps redtail happy.

--- src/libsandbox.c	2008-05-01 05:25:23.000000000 +0000
+++ src/libsandbox.c	2008-05-01 05:27:05.000000000 +0000
@@ -204,6 +204,8 @@
 		libc_handle = RTLD_NEXT;
 #endif
 	}
+	if (libc_handle == -1UL)
+		libc_handle = dlopen(LIBC_VERSION, RTLD_LAZY);
 
 	if (NULL == symver)
 		symaddr = dlsym(libc_handle, symname);
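Review bot: The result of the added dlopen() call is never checked, so if it returns NULL the dlsym(libc_handle, symname) call in the context just below runs with a NULL handle instead of failing with a clear message; test the return value and report dlerror() before going on. The comparison `libc_handle == -1UL` also sets a pointer against an integer literal. The value it is looking for is the RTLD_NEXT assigned a few lines above, so compare against RTLD_NEXT by name and add a comment saying why that handle is being discarded, because as written the fallback replaces it every time it was selected.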
Comment 25 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2008-06-22 00:28:38 UTC
Here is a revised patch that applies to the current stable sandbox and fixes the issue for other infra boxes.

The trick seems to be that RTLD_NEXT may be present, but invalid sometimes.

diff -Nuar sandbox-1.2.18.1.orig/src/libsandbox.c sandbox-1.2.18.1/src/libsandbox.c
--- sandbox-1.2.18.1.orig/src/libsandbox.c	2008-06-22 00:11:04.000000000 +0000
+++ sandbox-1.2.18.1/src/libsandbox.c	2008-06-22 00:16:38.000000000 +0000
@@ -192,17 +192,16 @@
 {
 	void *symaddr = NULL;
 
+#if defined(USE_RTLD_NEXT)
+        libc_handle = RTLD_NEXT;
+#endif
-	if (NULL == libc_handle) {
+	if (NULL == libc_handle || -1UL == libc_handle) {
-#if !defined(USE_RTLD_NEXT)
 		libc_handle = dlopen(LIBC_VERSION, RTLD_LAZY);
-		if (!libc_handle) {
+		if (!libc_handle || -1UL == libc_handle) {
 			fprintf(stderr, "libsandbox:  Can't dlopen libc: %s\n",
 				dlerror());
 			exit(EXIT_FAILURE);
 		}
-#else
-		libc_handle = RTLD_NEXT;
-#endif
 	}
 
 	if (NULL == symver)
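Review bot: With USE_RTLD_NEXT defined, the unconditional `libc_handle = RTLD_NEXT;` at the top of the function overwrites whatever handle an earlier call stored, and the widened test `-1UL == libc_handle` then sends every call into dlopen(), so each symbol lookup opens libc again and nothing in the hunk closes the previous handle. Keep the dlopen() result in a separate static that is assigned only while it is still NULL, and try RTLD_NEXT without clobbering it. The `-1UL == libc_handle` test after dlopen() compares a pointer with an integer literal and should be spelled RTLD_NEXT or dropped, and the added `libc_handle = RTLD_NEXT;` line is indented with spaces where the surrounding code uses tabs.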
Comment 26 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2008-06-27 16:46:11 UTC
sandbox-1.2.18.1-r3 contains a patch that SHOULD fix this.
I'm closing as test-request, and if anybody runs into it with the new sandbox definitely built correctly (build on a known-good box if you have to, then rebuild on your broken machine) - please reopen this!
Comment 27 SpanKY gentoo-dev 2009-10-26 07:06:18 UTC
This is actually a dupe, and the change added to sandbox was incorrect. It changed the behavior to always ignore RTLD_NEXT for everyone and to dlopen() the C library on every symbol lookup (thus leaking handles that were never dlclose()ed).

I've rewritten the code to do things dynamically at runtime

http://git.overlays.gentoo.org/gitweb/?p=proj/sandbox.git;a=commitdiff;h=180958291462f38154916103a6a4bdeb852e6cc3
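The lookup strategy argued over in Comments 24 to 27, as an added example: it is not sandbox source and not the rewrite linked in Comment 27. It tries RTLD_NEXT first and falls back to a single cached dlopen() of libc, so repeated lookups do not leak handles. The names `example_resolve`, `example_dlopen_calls`, `EXAMPLE_LIBC_SONAME` and the `use_rtld_next` switch are hypothetical, and the soname `libc.so.6` is an assumption (glibc on Linux).

```c
/* Added example, not sandbox code: resolve libc symbols via RTLD_NEXT,
 * with one cached dlopen() of libc as the fallback. */
#define _GNU_SOURCE             /* exposes RTLD_NEXT in <dlfcn.h> on glibc */
#include <dlfcn.h>
#include <stddef.h>
#include <stdio.h>

/* Assumption: glibc soname on Linux. The patches above use LIBC_VERSION. */
#define EXAMPLE_LIBC_SONAME "libc.so.6"

static void *cached_libc;       /* fallback handle, opened at most once */
static int dlopen_calls;        /* counts dlopen() calls to show there is no leak */

int example_dlopen_calls(void)
{
	return dlopen_calls;
}

/*
 * Resolve symname in libc. use_rtld_next == 0 simulates a process in which
 * the RTLD_NEXT lookup is unusable, the situation described in this bug.
 * Returns NULL after printing a diagnostic when the symbol is not found.
 */
void *example_resolve(const char *symname, int use_rtld_next)
{
	void *addr;
	const char *err;

	if (use_rtld_next) {
		addr = dlsym(RTLD_NEXT, symname);
		if (addr != NULL)
			return addr;
		/* fall through: RTLD_NEXT did not yield the symbol */
	}

	if (cached_libc == NULL) {
		cached_libc = dlopen(EXAMPLE_LIBC_SONAME, RTLD_LAZY);
		dlopen_calls++;
		if (cached_libc == NULL) {
			err = dlerror();
			fprintf(stderr, "example: can't dlopen libc: %s\n",
				err ? err : "no dlerror() text");
			return NULL;
		}
	}

	dlerror();                  /* clear any stale error before the lookup */
	addr = dlsym(cached_libc, symname);
	if (addr == NULL) {
		/* dlerror() may return NULL; passing that to "%s" is what glibc
		 * prints as "(null)", as in the message in this bug's title. */
		err = dlerror();
		fprintf(stderr, "example: can't resolve %s: %s\n",
			symname, err ? err : "no dlerror() text");
	}
	return addr;
}

int main(void)
{
	char buf[4096];
	char *(*real_getcwd)(char *, size_t);

	/* POSIX idiom for storing a dlsym() result in a function pointer. */
	*(void **)(&real_getcwd) = example_resolve("getcwd", 0);
	if (real_getcwd == NULL || real_getcwd(buf, sizeof(buf)) == NULL)
		return 1;
	printf("cwd via fallback handle: %s\n", buf);

	/* A second lookup reuses the cached handle. */
	example_resolve("open", 0);
	printf("dlopen() calls so far: %d\n", example_dlopen_calls());
	return 0;
}
```

On glibc older than 2.34 this needs `-ldl` at link time.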
Comment 28 SpanKY gentoo-dev 2009-10-26 07:07:34 UTC

*** This bug has been marked as a duplicate of bug 202765 ***