On machines with crypto cards and an openssl built to support them, openssl writes to /dev/crypto very often, even for 'openssl version'. Any configure script or package testsuite that runs the openssl binary causes sandbox to kill the build.

# lspci
...
06:02.0 Co-processor: Hifn Inc. 7955 Security Processor

Sample sandbox error (with dev-perl/Net-SSLeay)

--------------------------- ACCESS VIOLATION SUMMARY ---------------------------
LOG FILE "/var/log/sandbox/sandbox-29043.log"

VERSION 1.0
FORMAT: F - Function called
FORMAT: S - Access Status
FORMAT: P - Path as passed to function
FORMAT: A - Absolute Path (not canonical)
FORMAT: R - Canonical Path
FORMAT: C - Command Line

F: open_wr
S: deny
P: /dev/crypto
A: /dev/crypto
R: /dev/crypto
C: /usr/bin/openssl version

F: open_wr
S: deny
P: /dev/crypto
A: /dev/crypto
R: /dev/crypto
C: /usr/bin/openssl version
--------------------------------------------------------------------------------
sandbox doesn't hardcode any paths anymore. packages should use /etc/sandbox.d/.
is a predict sufficient? or does it really need the write to succeed?
This is a device, not a file that just gets opened with write perms and not written to. Amongst other things, there's a get_status primitive openssl writes and reads the result back on the device to check that it's usable very early during its run.
I don't see how any of that is relevant ... it also doesn't really answer my question ...
added to 0.9.8k