Greetings ... I did post a few questions about this problem in the past. Things are like this: if you install plain hardened-multilib Gentoo, you will get a working system. Then you reboot and you will have many packages to upgrade. Glibc-2.6.1 is one of them. After compiling this package you cannot emerge anything else, because you will be getting this error message:
libsandbox: Can't resolve getcwd: (null)
At this point I found many ways to kill my system by experimenting with FEATURES=-sandbox and so on.... But the only way which brought my system back from the land of lost souls was RECOMPILING my kernel. After recompiling my current kernel (sys-kernel/hardened-sources-2.6.23-r4) I rebooted and things started to work without any problem. Here is a link describing this problem: http://forums.gentoo.org/viewtopic-p-4681061-highlight-.html?sid=6f950f4bfa56abdc5087339b18f1db00#4681061
I believe that a clear and big warning after compiling glibc, about the need to recompile the kernel, would save a lot of time for many Gentooists.
I can confirm this bug and its solution. I just did a fresh install from releases/amd64/2007.0/stages/hardened/stage3-amd64-hardened-multilib-2007.0.tar.bz2. During the installation, I updated / installed the following packages: app-shells/bash-3.2_p17-r1 sys-apps/sandbox-1.2.18.1-r2 sys-apps/portage-2.1.3.19 dev-python/pycrypto-2.0.1-r6 sys-kernel/hardened-sources-2.6.23-r4 dev-util/pkgconfig-0.22 dev-libs/eventlog-0.2.5 dev-libs/glib-2.14.3 app-admin/syslog-ng-2.0.6 net-mail/mailwrapper-0.2.1 mail-mta/msmtp-1.4.7 sys-process/cronbase-0.3.2-r1 sys-process/vixie-cron-4.1-r10 net-dialup/ppp-2.4.4-r13 sys-devel/autoconf-2.61-r1 perl-core/Scalar-List-Utils-1.19 perl-core/libnet-1.21 dev-perl/Compress-Raw-Zlib-2.005 dev-perl/HTML-Tagset-3.10 virtual/perl-MIME-Base64-3.07 dev-perl/DateManip-5.44 virtual/perl-Digest-MD5-2.36 net-nds/portmap-6.0 dev-libs/libevent-1.3a sys-apps/util-linux-2.13-r2 sys-fs/sysfsutils-2.1.0 sys-devel/bin86-0.16.17 app-admin/logrotate-3.7.2 app-admin/mcelog-0.7 app-admin/showconsole-1.08 app-portage/gentoolkit-0.2.3-r1 net-firewall/iptables-1.3.8-r2 net-misc/dhcp-3.1.0 net-misc/ntp-4.2.4_p4 sys-apps/ethtool-6 sys-apps/pciutils-2.2.7-r1 sys-apps/smartmontools-5.37 virtual/perl-Scalar-List-Utils-1.19 dev-perl/HTML-Parser-3.56 dev-perl/URI-1.35 virtual/perl-libnet-1.21 net-libs/libnfsidmap-0.19 x11-misc/read-edid-1.4.1-r1 app-misc/screen-4.0.3 www-client/links-2.1_pre28-r1 sys-boot/lilo-22.7.3-r1 dev-perl/IO-Compress-Base-2.005 dev-perl/HTML-Tree-3.23 net-fs/nfs-utils-1.1.0-r1 sys-apps/lm_sensors-2.10.4 dev-perl/IO-Compress-Zlib-2.005 dev-perl/Compress-Zlib-2.005 dev-perl/Crypt-SSLeay-0.57 dev-perl/libwww-perl-5.805 app-portage/genlop-0.30.8-r1 sys-boot/lilo-22.7.3-r1 dev-libs/openssl-0.9.8g dev-perl/Locale-gettext-1.05 dev-util/unifdef-1.20 sys-apps/help2man-1.36.4 sys-kernel/linux-headers-2.6.23-r2 sys-devel/libtool-1.5.24 sys-apps/shadow-4.0.18.1-r1 sys-libs/pam-0.99.9.0 net-misc/openssh-4.7_p1-r1 dev-libs/expat-2.0.1 dev-libs/libxml2-2.6.30-r1 
sys-libs/ncurses-5.6-r2 sys-devel/gettext-0.17 sys-devel/gcc-config-1.4.0-r4 app-misc/pax-utils-0.1.16 sys-libs/timezone-data-2007j sys-devel/gnuconfig-20070724 sys-devel/binutils-2.18-r1 sys-libs/glibc-2.6.1
I rebooted several times in between and everything was working fine until that glibc update. At this point I did another reboot and initiated another lengthy emerge, which successfully installed: app-admin/python-updater-0.2 but stopped while applying patches for: sys-apps/sysvinit-2.86-r10. "libsandbox: Can't resolve open: (null)" :-/ After simply recompiling the kernel and rebooting the error disappeared and I could successfully update world.
emerge --info (after world update):
Portage 2.1.3.19 (hardened/amd64/multilib, gcc-3.4.6, glibc-2.6.1-r0, 2.6.23-hardened-r4-final x86_64)
=================================================================
System uname: 2.6.23-hardened-r4-final x86_64 AMD Sempron(tm) Processor LE-1100
Timestamp of tree: Tue, 22 Jan 2008 20:17:01 +0000
app-shells/bash: 3.2_p17-r1
dev-lang/python: 2.4.4-r6
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 1.12.10-r5
sys-apps/sandbox: 1.2.18.1-r2
sys-devel/autoconf: 2.61-r1
sys-devel/automake: 1.10
sys-devel/binutils: 2.18-r1
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool: 1.5.24
virtual/os-headers: 2.6.23-r2
ACCEPT_KEYWORDS="amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=k8 -msse3 -O2 -pipe -fforce-addr"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-march=k8 -msse3 -O2 -pipe -fforce-addr"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig distlocks metadata-transfer sandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="ftp://ftp.tu-clausthal.de/pub/linux/gentoo/ ftp://sunsite.informatik.rwth-aachen.de/pub/Linux/gentoo http://linux.rz.ruhr-uni-bochum.de/download/gentoo-mirror/"
LANG="de_DE@euro"
LINGUAS="de"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage" USE="amd64 apache2 berkdb cracklib crypt hardened justify mailwrapper midi nls nptl nptlonly pam pic readline ssl symlink tcpd threads urandom vhosts xorg zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="mouse keyboard" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="de" USERLAND="GNU" VIDEO_CARDS="apm ark chips cirrus cyrix dummy fbdev glint i128 i810 mach64 mga neomagic nv r128 radeon rendition s3 s3virge savage siliconmotion sis sisusb tdfx tga trident tseng v4l vesa vga via vmware voodoo" Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
WHY IS THIS MARKED SOLVED!!!!!!!!! I still have this same problem. I tried all the solutions with hardened multilib and none of them worked for me and I could not update the system. I then reverted to a plain jane stage3 amd64 and tried hardened-sources. Same problem exists! I haven't even been able to update portage yet! It won't get beyond compiling bash before libsandbox errors of unresolved functions start flying. I noticed that the errors pop up at random different points in the compile process. It doesn't matter if I use FEATURE=-sandbox or not, it blows chunks trying to compile at random spots. Can someone for the love of god REALLY fix this?!?!?!
(In reply to comment #2) At the moment when your sandbox breaks and stops compiling things, go and recompile your kernel. Then reboot and everything should work fine. Do not mess with -sandbox, it's the road to hell. Btw this is marked as new.... [solved] is part of the subject, because we know how to get out of this problem. I attempted to change Severity. I can imagine that this problem drives many people crazy. rgrds tomas
I have recompiled my kernel (from the userland that seems to be broken). I tried loosening the PaX and grsecurity settings even. I have tried with hardened and default-linux profiles. I have a very generic install without hardly any customization besides the CFLAGS and some minor USE flags for later package installations. I have tried everything and this just does not want to compile anything. I'm not even running this in a virtual machine! It's running on the bare metal (an HP bl20p g3 blade). None of the solutions I have read for this problem fix it!
This bug isn't limited to Hardened.
(In reply to comment #4)
> I have recompiled my kernel (from the userland that seems to be broken). I
> tried loosening the PaX and grsecurity settings even. I have tried with
> hardened and default-linux profiles. I have a very generic install without
> hardly any customization besides the CFLAGS and some minor USE flags for later
> package installations. I have tried everything and this just does not want to
> compile anything. I'm not even running this in a virtual machine! It's running
> on the bare metal (an HP bl20p g3 blade). None of the solutions I have read for
> this problem fix it!
>
If you unpack stage3, compile kernel and then reboot, you will have working system. Then emerge --sync, emerge glibc -uD
when glibc is finished, try to recompile your current kernel, install it and reboot.
Then try emerge system -u
Tell me if it fixed your problem or not.
Interesting that the solution here is to rebuild the kernel. Twice I installed a new glibc, and both times my solution was to recompile sandbox itself with the FEATURES=-sandbox option (so that it doesn't crash when trying to compile itself). Both times it worked. By the way: it happens to a great many people, some of which would like this answer to be better documented, not just in the bugzilla.
(In reply to comment #7)
> Interesting that the solution here is to rebuild the kernel.
> Twice I installed a new glibc, and both times my solution was to recompile
> sandbox itself with the FEATURES=-sandbox option (so that it doesn't crash when
> trying to compile itself).
> Both times it worked.
> By the way: it happens to a great many people, some of which would like this
> answer to be better documented, not just in the bugzilla.
>
It might depend on arch and "version" of Gentoo. I found this to be the only way to fix Hardened-multilib. Recompiling sandbox with -sandbox didn't help over there.... actually ... it did help... but later something always got broken and after a few compilation attempts I ended up with a porked system :)
Soooo what exactly were you installing, that FEATURES=-sandbox emerge sandbox fixed your problem?
(In reply to comment #6)
> (In reply to comment #4)
> > I have recompiled my kernel (from the userland that seems to be broken). I
> > tried loosening the PaX and grsecurity settings even. I have tried with
> > hardened and default-linux profiles. I have a very generic install without
> > hardly any customization besides the CFLAGS and some minor USE flags for later
> > package installations. I have tried everything and this just does not want to
> > compile anything. I'm not even running this in a virtual machine! It's running
> > on the bare metal (an HP bl20p g3 blade). None of the solutions I have read for
> > this problem fix it!
> >
>
> If you unpack stage3, compile kernel and then reboot, you will have working
> system. Then emerge --sync, emerge glibc -uD
> when glibc is finished, try to recompile your current kernel, install it and
> reboot.
>
> Then try emerge system -u
>
> Tell me if it fixed your problem or not.
>
It did work oddly enough. Last time I did this instead of doing emerge -uD glibc first I tried to emerge portage. That broke immediately trying to compile the new bash. This time when I did emerge -uD glibc it still updated bash and portage but didn't seem to break at all during the compilation. After updating glibc I then recompiled the kernel and rebooted. I was able to successfully emerge -uDav world afterwards. Once everything was working great I updated the CFLAGS and USE flags and was able to successfully emerge -euDav world. I am now compiling apps and everything appears to be working smooth as normal. Thanks Tomas. I'm still wondering why an emerge portage would fail and an emerge -uD glibc wouldn't even though they both updated bash and portage.
(In reply to comment #7)
> Interesting that the solution here is to rebuild the kernel.
> Twice I installed a new glibc, and both times my solution was to recompile
> sandbox itself with the FEATURES=-sandbox option (so that it doesn't crash when
> trying to compile itself).
> Both times it worked.
> By the way: it happens to a great many people, some of which would like this
> answer to be better documented, not just in the bugzilla.
>
I am only guessing here, that if you're running in a chroot within another system, none of the "solutions (recompiling the kernel)" mentioned here will be of any help to you. I am running hardened multilib stage3 Gentoo AMD64 within a chroot from Slamd64-current. I have tried numerous times to run "emerge portage", and each attempt has failed on errors from sandbox-1.2.18.1-r2. It seems I am better off to just stop wasting my time trying to get this to work, because I don't think this problem will ever go away. And don't be so foolish as to tell me to recompile the kernel, when in fact I can't run anything within Gentoo. It seems from these posts, you have to compile with Gentoo.
Shingoshi
I thought I should include this information as well:
starbase64 / # FEATURES="-sandbox -usersandbox" emerge -av sandbox
These are the packages that would be merged, in order:
Calculating dependencies... done!
[ebuild U ] sys-apps/sandbox-1.2.18.1-r2 [1.2.17] 0 kB
Total: 1 package (1 upgrade), Size of downloads: 0 kB
Would you like to merge these packages? [Yes/No] Yes
>>> Emerging (1 of 1) sys-apps/sandbox-1.2.18.1-r2 to /
 * sandbox-1.2.18.1.tar.bz2 RMD160 ;-) ... [ ok ]
 * sandbox-1.2.18.1.tar.bz2 SHA1 ;-) ... [ ok ]
 * sandbox-1.2.18.1.tar.bz2 SHA256 ;-) ... [ ok ]
 * sandbox-1.2.18.1.tar.bz2 size ;-) ... [ ok ]
 * checking ebuild checksums ;-) ... [ ok ]
 * checking auxfile checksums ;-) ... [ ok ]
 * checking miscfile checksums ;-) ... [ ok ]
 * checking sandbox-1.2.18.1.tar.bz2 ;-) ... [ ok ]
>>> Unpacking source...
>>> Unpacking sandbox-1.2.18.1.tar.bz2 to /var/tmp/portage/sys-apps/sandbox-1.2.18.1-r2/work
 * Applying sandbox-1.2.18.1-open-normal-fail.patch ... [ ok ]
 * Applying sandbox-1.2.18.1-open-cloexec.patch ... [ ok ]
>>> Source unpacked.
>>> Compiling source in /var/tmp/portage/sys-apps/sandbox-1.2.18.1-r2/work/sandbox-1.2.18.1 ...
 * If configure fails with a 'cannot run C compiled programs' error, try this:
 * FEATURES=-sandbox emerge sandbox
 * Configuring sandbox for ABI=x86...
 * econf: updating sandbox-1.2.18.1/config.guess with /usr/share/gnuconfig/config.guess
 * econf: updating sandbox-1.2.18.1/config.sub with /usr/share/gnuconfig/config.sub
../sandbox-1.2.18.1//configure --prefix=/usr --host=i686-pc-linux-gnu --mandir=/usr/share/man --infodir=/usr/share/info --datadir=/usr/share --sysconfdir=/etc --localstatedir=/var/lib --libdir=/usr/lib32 --enable-multilib --build=i686-pc-linux-gnu
checking for a BSD-compatible install... /bin/install -c
checking whether build environment is sane... yes
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking for i686-pc-linux-gnu-gcc... no
checking for gcc... gcc
checking for C compiler default output file name... a.out
checking whether the C compiler works... configure: error: cannot run C compiled programs.
If you meant to cross compile, use `--host'.
See `config.log' for more details.
!!! Please attach the following file when filing a report to bugs.gentoo.org:
!!! /var/tmp/portage/sys-apps/sandbox-1.2.18.1-r2/work/build-x86-x86_64-pc-linux-gnu/config.log
!!! ERROR: sys-apps/sandbox-1.2.18.1-r2 failed.
Call stack:
ebuild.sh, line 1614: Called dyn_compile
ebuild.sh, line 971: Called qa_call 'src_compile'
environment, line 3346: Called src_compile
sandbox-1.2.18.1-r2.ebuild, line 87: Called econf '--libdir=/usr/lib32' '--enable-multilib'
ebuild.sh, line 577: Called die
!!! econf failed
!!! If you need support, post the topmost build error, and the call stack if relevant.
!!! A complete build log is located at '/var/tmp/portage/sys-apps/sandbox-1.2.18.1-r2/temp/build.log'.
If I say no to the upgrade, emerge simply bails out:
starbase64 / # FEATURES="-sandbox -usersandbox" emerge -av sandbox
These are the packages that would be merged, in order:
Calculating dependencies... done!
[ebuild U ] sys-apps/sandbox-1.2.18.1-r2 [1.2.17] 0 kB
Total: 1 package (1 upgrade), Size of downloads: 0 kB
Would you like to merge these packages? [Yes/No] No
Quitting.
Shingoshi
Shingoshi, I dunno what to say... but... do it exactly as I mentioned on 2008-02-02 18:55:54 in this bug report. I said already that trying to fix the system with FEATURES="-sandbox" is a way to destroy your system. So.... once more again... Stage3 installation, DO NOT UPGRADE anything, compile kernel, reboot into your new installation, upgrade system by using emerge glibc -uD; when it stops/breaks, recompile your kernel, install it, reboot into the newly compiled kernel and continue with emerge --resume or emerge world -uD
bst rgds tomas
I can confirm the solution in #6 for amd64-2007.0 profile
Recompiling the kernel doesn't fix this for me!!!!! :( This problem appeared when I upgraded from kernels 2.6.18-hardened to 2.6.23-hardened-r7 (both used genkernel) and that's all I changed. Does anyone understand what's causing this error to happen? rampage ~ # emerge --info Portage 2.1.4.4 (hardened/amd64, gcc-4.1.1, glibc-2.4-r4, 2.6.23-hardened-r7 x86_64) ================================================================= System uname: 2.6.23-hardened-r7 x86_64 Dual-Core AMD Opteron(tm) Processor 2210 Timestamp of tree: Wed, 12 Mar 2008 07:00:01 +0000 distcc 2.18.3 x86_64-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled] ccache version 2.3 [disabled] app-shells/bash: 3.2_p17 dev-java/java-config: 1.3.7, 2.0.31-r3 dev-lang/python: 2.4.4-r6 dev-python/pycrypto: 2.0.1-r6 dev-util/ccache: 2.3 sys-apps/baselayout: 1.12.6 sys-apps/sandbox: 1.2.18.1-r2 sys-devel/autoconf: 2.13, 2.61 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10 sys-devel/binutils: 2.16.1-r3 sys-devel/gcc-config: 1.3.14 sys-devel/libtool: 1.5.22 virtual/os-headers: 2.6.11-r2 ACCEPT_KEYWORDS="amd64" CBUILD="x86_64-pc-linux-gnu" CFLAGS="-O2 -march=opteron -fomit-frame-pointer -pipe" CHOST="x86_64-pc-linux-gnu" CONFIG_PROTECT="/etc" CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c" CXXFLAGS="-O2 -march=opteron -fomit-frame-pointer -pipe" DISTDIR="/common/admin/linux/gentoo/distfiles/" FEATURES="distlocks metadata-transfer sandbox sfperms strict unmerge-orphans userfetch" GENTOO_MIRRORS="ftp://ftp.gtlib.cc.gatech.edu/pub/gentoo http://mirror.clarkson.edu/pub/distributions/gentoo/ http://mirrors.tds.net/gentoo http://gentoo.seren.com/gentoo ftp://ftp.ussg.iu.edu/pub/linux/gentoo" LINGUAS="en" MAKEOPTS="-j1" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links 
--perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/portage-cis /usr/local/portage/safesync" SYNC="rsync://portage.cis.ksu.edu/portage-current" USE="amd64 apache2 berkdb cdr cracklib crypt cups doc dvd gb gd gdbm gif gpm hardened imagemagick imlib ipv6 jabber java jikes jpeg justify kerberos ldap leim libgda libwww maildir mcal midi mule ncurses nls nptl nptlonly objc odbc pam perl pic plotutils png python quicktime readline rpc samba spell ssl symlink tcpd tetex tiff truetype unicode urandom usb wmf xml xml2 xorg zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="mouse keyboard" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en" USERLAND="GNU" VIDEO_CARDS="apm ark chips cirrus cyrix dummy fbdev glint i128 i810 mach64 mga neomagic nv r128 radeon rendition s3 s3virge savage siliconmotion sis sisusb tdfx tga trident tseng v4l vesa vga via vmware voodoo" Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, 
PORTAGE_RSYNC_EXTRA_OPTS
As another point of reference, the Gentoo infrastructure boxes have started to hit this now. Kernel is 2.6.23-hardened-r7-infra4. I'm trying various upgrade bits to see if I can trace the problem.
In my earlier testing, I did 'make clean && make' in my kernel again, and that didn't do anything. But solar helped me find the real cause of this - I really owe him some beer now. For everybody here, go and turn OFF CONFIG_PAX_EMUTRAMP. If you compiled _anything_ while you had that on, you are strongly advised to recompile everything (with portage+gcc+binutils from a known good machine). My box had no ebuild.sh at one point because of this.
this isn't just hardened related, I had problems like this moving to 2.6.24-gentoo(-r??) on a regular amd64 box.
"For everybody here, go and turn OFF CONFIG_PAX_EMUTRAMP." Neither of my kernels exhibiting this behavior, have PAX enabled.
Switching to gentoo-sources-2.6.23-r9 on both affected boxes remedied the problem. Since these are servers, messing around with why hardened didn't work isn't an option.
(In reply to comment #17) > "For everybody here, go and turn OFF CONFIG_PAX_EMUTRAMP." > > Neither of my kernels exhibiting this behavior, have PAX enabled. > Could you clarify this for me? You are saying that you experienced the multilib/libsandbox problem while the machine was running on a hardened-sources kernel w/o CONFIG_PAX_EMUTRAMP enabled, correct?
That's correct. What I was saying is that CONFIG_PAX was not set, which of course would mean CONFIG_PAX_EMUTRAMP was disabled as well.
Symbol: PAX_EMUTRAMP [=n] ...
Depends on: PAX && (PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || PPC32 || X86)
Changing the summary because (a) it's not as useful as it could be for users searching bugzilla in lieu of the matter (b) it clearly isn't accurate to suggest that PAX_EMUTRAMP is the only cause (although it certainly seems to serve as a potential trigger). As it hasn't specifically been mentioned yet, I'd like to point out that the point at which it fails is at line 210 in libsandbox.c where it apparently fails to resolve the address of the symbol for the getcwd() function (while using dlsym() to do so). Could anyone experiencing this problem please run emerge in the following manner:
LD_DEBUG=all emerge <package> 2>&1 | tee libsandbox-error.log
I'm hoping that the information contained in such a log may provide some clues.
It seems that this bug is on a fast track to nowhere. If we are to have any hope of getting to the bottom of it then I would recommend the following:
* Affected users do _not_ resort to ill-advised hacks to try and fix the sandbox (FEATURES="-sandbox") and end up making things worse.
* Rather, affected users supply information that could be useful in trying to get a handle on the problem: attach `emerge --info` output, /usr/src/linux/.config and `qlist -ICv` output to bug as well as the 'LD_DEBUG' output according to the suggestion in Comment 21.
* Sandbox maintainers take a view on what could potentially cause this (especially in lieu of the fact that some users who do not use hardened systems have apparently been affected). Thus far they have remained silent which is not entirely helpful.
* Affected users who have confirmed that hardened-sources-2.6.23* triggers the problem, where gentoo-sources (or any other set of sources) does not, try hardened-sources-2.6.24, importing the prior .config with `make oldconfig` in order to see if the problem persists.
Created attachment 151479 [details] config.log config.log from trying to "LD_DEBUG=all emerge sys-apps/at", showing the "libsandbox: Can't resolve *" errors. 25MB uncompressed, so gzip'd for posting here. I can't test new kernels easily however. The machine is a gentoo infra box. I have tried taking binpkgs of known good portage, sandbox, glibc, binutils from another machine, and checked that they existed on the system identically. I'm exploring that route now. The box does use PAX, but PAX_EMUTRAMP is disabled. Portage 2.1.4.4 (hardened/amd64/multilib, gcc-3.4.6, glibc-2.5-r4, 2.6.23-hardened-r7-infra6 x86_64) ================================================================= System uname: 2.6.23-hardened-r7-infra6 x86_64 Dual Core AMD Opteron(tm) Processor 280 Timestamp of tree: Wed, 30 Apr 2008 02:15:23 +0000 app-shells/bash: 3.2_p17 dev-lang/python: 2.4.4-r6 dev-python/pycrypto: 2.0.1-r6 sys-apps/baselayout: 1.12.9-r2 sys-apps/sandbox: 1.2.18.1-r2 sys-devel/autoconf: 2.13, 2.61 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10 sys-devel/binutils: 2.18-r1 sys-devel/gcc-config: 1.3.16 sys-devel/libtool: 1.5.24 virtual/os-headers: 2.6.21 ACCEPT_KEYWORDS="amd64" CBUILD="x86_64-pc-linux-gnu" CFLAGS="-O2 -pipe" CHOST="x86_64-pc-linux-gnu" CONFIG_PROTECT="/etc" CONFIG_PROTECT_MASK="/etc/dev.d /etc/env.d /etc/gconf /etc/init.d /etc/revdep-rebuild /etc/scsi_id.config /etc/terminfo /etc/udev /etc/udev/rules.d" CXXFLAGS="-O2 -pipe" DISTDIR="/usr/portage/distfiles" FEATURES="autoconfig distlocks metadata-transfer parallel-fetch sandbox sfperms strict unmerge-orphans userfetch" GENTOO_MIRRORS="http://gentoo.osuosl.org/" MAKEOPTS="-j4" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" 
SYNC="rsync://portage.infra.gentoo.org/infra-portage/" USE="amd64 apache2 berkdb bzip2 cracklib crypt gdbm hardened jpeg justify libwww maildir midi ncurses nptl nptlonly pam perl pic png python readline snmp ssl tcpd urandom vhosts xml xorg zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="mouse keyboard" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="apm ark chips cirrus cyrix dummy fbdev glint i128 i810 mach64 mga neomagic nv r128 radeon rendition s3 s3virge savage siliconmotion sis sisusb tdfx tga trident tseng v4l vesa vga vmware voodoo" Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Not sure if this is the right fix but it keeps redtail happy. --- src/libsandbox.c 2008-05-01 05:25:23.000000000 +0000 +++ src/libsandbox.c 2008-05-01 05:27:05.000000000 +0000 @@ -204,6 +204,8 @@ libc_handle = RTLD_NEXT; #endif } + if (libc_handle == -1UL) + libc_handle = dlopen(LIBC_VERSION, RTLD_LAZY); if (NULL == symver) symaddr = dlsym(libc_handle, symname);
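Review bot: the added `if (libc_handle == -1UL)` test compares a pointer against an integer constant and hard-codes the value of RTLD_NEXT; writing it as `libc_handle == RTLD_NEXT` keeps the comparison pointer to pointer and makes the intent visible. Because it sits directly after the `#endif` block that assigns `libc_handle = RTLD_NEXT;`, it replaces RTLD_NEXT with a dlopen() handle whenever that branch was taken, so the RTLD_NEXT path no longer has any effect; if that is intended, a comment should say so. The result of `dlopen(LIBC_VERSION, RTLD_LAZY)` is handed to dlsym() without a NULL check, so a failed dlopen() would not be reported with its dlerror() text.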
Here is a revised patch that applies to the current stable sandbox and fixes the issue for other infra boxes. The trick seems to be that RTLD_NEXT may be present, but invalid sometimes. diff -Nuar sandbox-1.2.18.1.orig/src/libsandbox.c sandbox-1.2.18.1/src/libsandbox.c --- sandbox-1.2.18.1.orig/src/libsandbox.c 2008-06-22 00:11:04.000000000 +0000 +++ sandbox-1.2.18.1/src/libsandbox.c 2008-06-22 00:16:38.000000000 +0000 @@ -192,17 +192,16 @@ { void *symaddr = NULL; +#if defined(USE_RTLD_NEXT) + libc_handle = RTLD_NEXT; +#endif - if (NULL == libc_handle) { + if (NULL == libc_handle || -1UL == libc_handle) { -#if !defined(USE_RTLD_NEXT) libc_handle = dlopen(LIBC_VERSION, RTLD_LAZY); - if (!libc_handle) { + if (!libc_handle || -1UL == libc_handle) { fprintf(stderr, "libsandbox: Can't dlopen libc: %s\n", dlerror()); exit(EXIT_FAILURE); } -#else - libc_handle = RTLD_NEXT; -#endif } if (NULL == symver)
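Review bot: with USE_RTLD_NEXT defined, the added `libc_handle = RTLD_NEXT;` at the top of the function runs on every call, so `-1UL == libc_handle` is always true and `dlopen(LIBC_VERSION, RTLD_LAZY)` is repeated for each lookup, with the previous handle overwritten and never passed to dlclose(). Assign RTLD_NEXT only while libc_handle is still NULL, and keep the dlopen() handle once it has been obtained. The comparisons would also read better against RTLD_NEXT than against -1UL, and the `-1UL == libc_handle` half of the check after dlopen() cannot fire, since dlopen() reports failure by returning NULL.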
sandbox-1.2.18.1-r3 contains a patch that SHOULD fix this. I'm closing as test-request, and if anybody runs into it with the new sandbox definitely built correctly (build on a known-good box if you have to, then rebuild on your broken machine) - please reopen this!
this is actually a dupe, and the change added to sandbox is incorrect. it changed the behavior to always ignore RTLD_NEXT for everyone and to dlopen() the C library on every symbol lookup (thus leaking handles that were never dlclose()ed). I've rewritten the code to do things dynamically at runtime
http://git.overlays.gentoo.org/gitweb/?p=proj/sandbox.git;a=commitdiff;h=180958291462f38154916103a6a4bdeb852e6cc3
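The lookup order discussed in the comments above (try RTLD_NEXT, fall back to a dlopen()ed libc, and open that handle only once so nothing leaks), as an added example. It is not the sandbox project's code or the linked commit; `resolve_libc_symbol`, `call_real_getcwd`, `LIBC_SONAME` and the `trust_rtld_next` switch are hypothetical names, and a glibc system is assumed.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* exposes RTLD_NEXT in <dlfcn.h> on glibc */
#endif
#include <dlfcn.h>
#include <stddef.h>
#include <stdio.h>

#ifndef RTLD_NEXT              /* same value the patches above test as -1UL */
#define RTLD_NEXT ((void *) -1L)
#endif

/* Assumption: glibc's soname; the sandbox patches use LIBC_VERSION instead. */
#define LIBC_SONAME "libc.so.6"

static void *libc_fallback;    /* dlopen() handle, opened at most once */
static int fallback_opens;     /* how many times dlopen() actually ran */

/* Open libc by name once and reuse the handle on every later call. */
static void *get_libc_fallback(void)
{
    if (libc_fallback == NULL) {
        libc_fallback = dlopen(LIBC_SONAME, RTLD_LAZY);
        if (libc_fallback == NULL) {
            const char *err = dlerror();
            fprintf(stderr, "can't dlopen libc: %s\n", err ? err : "unknown");
            return NULL;
        }
        fallback_opens++;
    }
    return libc_fallback;
}

/*
 * Resolve a libc symbol. RTLD_NEXT is tried first unless the caller says it
 * cannot be trusted (trust_rtld_next == 0, standing in for an affected box);
 * a failed RTLD_NEXT lookup also drops to the cached dlopen() handle.
 */
void *resolve_libc_symbol(const char *name, int trust_rtld_next)
{
    void *addr = NULL;
    void *handle;

    if (trust_rtld_next)
        addr = dlsym(RTLD_NEXT, name);
    if (addr == NULL && (handle = get_libc_fallback()) != NULL)
        addr = dlsym(handle, name);
    if (addr == NULL) {
        /* dlerror() may return NULL; never pass that straight to %s. */
        const char *err = dlerror();
        fprintf(stderr, "can't resolve %s: %s\n", name, err ? err : "unknown");
    }
    return addr;
}

/* Number of real dlopen() calls so far; stays at 1 however many lookups run. */
int fallback_open_count(void)
{
    return fallback_opens;
}

/* Call getcwd() through the resolved pointer, as an interposer would. */
int call_real_getcwd(char *buf, size_t len)
{
    char *(*real_getcwd)(char *, size_t);

    *(void **) &real_getcwd = resolve_libc_symbol("getcwd", 1);
    if (real_getcwd == NULL)
        return -1;
    return real_getcwd(buf, len) != NULL ? 0 : -1;
}

int main(void)
{
    char buf[4096];

    resolve_libc_symbol("getcwd", 0);   /* force the fallback path */
    resolve_libc_symbol("open", 0);     /* reuses the cached handle */
    if (call_real_getcwd(buf, sizeof buf) == 0)
        printf("cwd=%s, dlopen() calls=%d\n", buf, fallback_open_count());
    return 0;
}
```

On glibc older than 2.34 the program has to be linked with -ldl.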
*** This bug has been marked as a duplicate of bug 202765 ***