Bug 266847 - [kde-testing overlay] kde-base/printer-applet-9999 causes sandbox violation
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] KDE
Hardware: All Linux
Importance: High normal
Assignee: Gentoo KDE team
Reported: 2009-04-20 12:11 UTC by Maciej Mrozowski
Modified: 2009-08-04 23:06 UTC
Description Maciej Mrozowski gentoo-dev 2009-04-20 12:11:56 UTC
I guess I'm experiencing a similar issue to bug 254914 with kde-base/printer-applet-9999 from the kde-testing overlay.

Basically, cmake invokes the symlink(const char*, const char*) function, and then
sets the executable bit for that file (it's a Python script, btw).
As the symlink target is an absolute path, chmod will point outside of the image dir
(causing a sandbox violation).

Would it be possible to simulate "fakeroot" for symlinks, and when symlink
target is absolute path - append image dir prefix for any operation on that
file, so that:

Original invocation:
chmod("/some/file")

wrapped:
if "/some/file" is a symlink with an absolute target
   chmod("/var/tmp/_path_to_image_dir/some/file")

(Btw, where can I find some quickstart docs on sandbox debugging? Especially
how to use 'emerge' with my own tweaked sandbox, etc.)

Log:
-- Installing:
/var/tmp/portage/kde-base/printer-applet-9999/image/usr/kde/live/share/apps/printer-applet/debug.py 
-- Symlinking
/var/tmp/portage/kde-base/printer-applet-9999/image///usr/kde/live/bin/printer-applet
to
/var/tmp/portage/kde-base/printer-applet-9999/image///usr/kde/live/share/apps/printer-applet/printer-applet.py 
ACCESS DENIED  fchmodat:    
/usr/kde/live/share/apps/printer-applet/printer-applet.py                
chmod: changing permissions of
`/usr/kde/live/share/apps/printer-applet/printer-applet.py': Brak dostępu      
-- Installing:
/var/tmp/portage/kde-base/printer-applet-9999/image/usr/kde/live/share/autostart/printer-applet.desktop 
>>> Completed installing printer-applet-9999 into /var/tmp/portage/kde-base/printer-applet-9999/image/

--------------------------- ACCESS VIOLATION SUMMARY
---------------------------
LOG FILE "/var/log/sandbox/sandbox-520.log"                                     

VERSION 1.0
FORMAT: F - Function called
FORMAT: S - Access Status  
FORMAT: P - Path as passed to function
FORMAT: A - Absolute Path (not canonical)
FORMAT: R - Canonical Path               
FORMAT: C - Command Line                 

F: fchmodat
S: deny
P: /usr/kde/live/share/apps/printer-applet/printer-applet.py
A: /usr/kde/live/share/apps/printer-applet/printer-applet.py
R: /usr/kde/live/share/apps/printer-applet/printer-applet.py
C: chmod a+x /usr/kde/live/share/apps/printer-applet/printer-applet.py
-------------------------------------------------------------------------------

emerge --info:
Portage 2.2_rc30 (default/linux/amd64/2008.0/no-multilib, gcc-4.3.3,
glibc-2.9_p20081201-r2, 2.6.27-gentoo-r8 x86_64)                                
=================================================================               
System uname:
Linux-2.6.27-gentoo-r8-x86_64-Intel-R-_Pentium-R-_4_CPU_3.20GHz-with-gentoo-2.0.0 
Timestamp of tree: Sun, 19 Apr 2009 01:45:02 +0000                              
ccache version 2.4 [enabled]                                                    
app-shells/bash:     4.0_p17-r1                                                 
dev-java/java-config: 2.1.7                                                     
dev-lang/python:     2.6.2                                                      
dev-util/ccache:     2.4-r8                                                     
dev-util/cmake:      2.6.3-r1                                                   
sys-apps/baselayout: 2.0.0                                                      
sys-apps/openrc:     0.4.3-r2                                                   
sys-apps/sandbox:    1.9                                                        
sys-devel/autoconf:  2.13, 2.63-r1                                              
sys-devel/automake:  1.5, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.2                  
sys-devel/binutils:  2.19.1-r1                                                  
sys-devel/gcc-config: 1.4.1                                                     
sys-devel/libtool:   2.2.6a                                                     
virtual/os-headers:  2.6.28-r1                                                  
ACCEPT_KEYWORDS="amd64 ~amd64"                                                  
CBUILD="x86_64-pc-linux-gnu"                                                    
CFLAGS="-march=nocona -O2 -pipe -msse3 -ftree-vectorize"                        
CHOST="x86_64-pc-linux-gnu"                                                     
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config
/usr/kde/3.5/shutdown /usr/kde/live/env /usr/kde/live/share/config
/usr/kde/live/shutdown /usr/share/config"                                
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/
/etc/eselect/postgresql /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release
/etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/
/etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo
/etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d
/etc/texmf/web2c /etc/udev/rules.d"      
CXXFLAGS="-march=nocona -O2 -pipe -msse3 -ftree-vectorize"                      
DISTDIR="/usr/portage/distfiles"                                                
FEATURES="ccache collision-protect distlocks fixpackages metadata-transfer
parallel-fetch preserve-libs protect-owned sandbox sfperms strict
unmerge-orphans userfetch userpriv usersandbox"                
GENTOO_MIRRORS="http://ftp.vectranet.pl/gentoo
http://distro.ibiblio.org/pub/linux/distributions/gentoo"                       
LANG="pl_PL.utf8"                                                               
LC_ALL="pl_PL.utf8"                                                             
LDFLAGS="-Wl,--as-needed"                                                       
MAKEOPTS="-j3"                                                                  
PKGDIR="/usr/portage/packages"                                                  
PORTAGE_CONFIGROOT="/"                                                          
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --stats --timeout=180 --exclude=/distfiles
--exclude=/local --exclude=/packages"              
PORTAGE_TMPDIR="/var/tmp"                                                       
PORTDIR="/usr/portage"                                                          
PORTDIR_OVERLAY="/usr/local/portage/kde-testing /usr/local/portage/qting-edge
/usr/local/portage/new-gcj-overlay /usr/local/portage/reavertm"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="7zip X a52 aac accessibility ace acpi additions alsa amd64 archive autoipd
bash-completion bittorrent branding bzip2 cdaudio cddb chm cli clucene
colordiff cracklib crypt cups curl dbus designer-plugin dirac divx dri dv dvd
dvdr dvdread dynamic exif exiv2 ffmpeg flac fontconfig ftp gadu gd gif
glibc-omitfp gnokii gphoto2 hal history iconv inotify isdnlog java6 javascript
jpeg kde kdeenablefinal kdehiddenvisibility kdeprefix kdexdeltas kickoff
libgadu lm_sensors lzma lzo mad mbox midi mng mp3 mplayermudflap ncurses
no-net2 nolvm1 nonfsv4 nptl nptlonly nsplugin ogg openmp pam pch pcre pdf
pg-intdatetime plasma png pppd qt-copy qt3support quicktime rar rdesktop
readline reiserfs rtc session sha512 smssndfile sockets spell spl srt sse sse2
ssl svg symlink sysfs theora threads threadsonly tiff toolkit-scroll-bars
truetype unicode urandom usb utempter vhosts vnc vorbis webkit x264 xattr
xcomposite xorg xpm xscreensaver xv xvid xvmc zeroconf zip zlib"
ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87xca0106 cmipci emu10k1x
ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3
trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw
asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa
lfloat linear meter mmap_emul mulaw multi null plug rateroute share shm
softvol" APACHE2_MODULES="actions alias auth_basic auth_digest authn_anon
authn_dbd  authn_dbm authn_default authn_file authz_dbm authz_default
authz_groupfile     authz_host authz_owner authz_user autoindex cache dav
dav_fs dav_lock dbd     deflate dir disk_cache env expires ext_filter
file_cache filter headers ident     imagemap include info log_config logio
mem_cache mime mime_magicnegotiation     proxy proxy_ajp proxy_balancer
proxy_connect proxy_http rewrite setenvif so     speling status unique_id
userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="evdev"
KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001
mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="nvidia"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LINGUAS,
PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 1 Maciej Mrozowski gentoo-dev 2009-04-20 23:31:37 UTC
Uhm, please reassign this to sandbox team. Mike asked me to file separate bug report.
Comment 2 Tomáš Chvátal (RETIRED) gentoo-dev 2009-04-21 13:44:19 UTC
@reavertm:
dude you can wrangle yourself ;]
Comment 3 SpanKY gentoo-dev 2009-04-24 05:05:58 UTC
if cmake is doing what you say (symlink(); chown();), then cmake is broken.  not a bug in sandbox.

FTFM: chmod() changes the permissions of the file specified whose pathname is given in path, which is dereferenced if it is a symbolic link.

permissions make no sense on a symlink, thus there is no "lchmod" type of function
Comment 4 SpanKY gentoo-dev 2009-04-24 05:06:31 UTC
err, typo in my comment ... should read "chmod", not "chown"
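
Added example (not part of the bug thread and not code from cmake, portage or sandbox): the chmod-through-symlink behaviour discussed above, reproduced in a temporary directory. The layout is constructed: `<tmp>/live` stands in for the installed system and `<tmp>/image` for the package image directory; `chmod_landing`, `inside` and `demo` are hypothetical helper names.

```python
import os
import stat
import tempfile


def chmod_landing(image_dir, link_path):
    """For a symlink staged under image_dir, return (followed, staged):
    the file chmod() would really modify, and its copy inside the image."""
    target = os.readlink(link_path)
    if os.path.isabs(target):
        followed = os.path.normpath(target)
        # DESTDIR convention: the staged copy lives at image_dir + absolute path.
        staged = os.path.join(image_dir, followed.lstrip(os.sep))
    else:
        followed = os.path.normpath(os.path.join(os.path.dirname(link_path), target))
        staged = followed
    return followed, staged


def inside(image_dir, path):
    image = os.path.realpath(image_dir)
    return os.path.commonpath([image, os.path.realpath(path)]) == image


def mode(path):
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Constructed layout: <tmp>/live = installed system, <tmp>/image = image dir."""
    tmp = os.path.realpath(tempfile.mkdtemp())
    image = os.path.join(tmp, "image")
    live = os.path.join(tmp, "live", "applet.py")
    staged = os.path.join(image, live.lstrip(os.sep))
    link = os.path.join(image, "bin", "applet")
    for f in (live, staged):
        os.makedirs(os.path.dirname(f))
        open(f, "w").close()
        os.chmod(f, 0o644)
    os.makedirs(os.path.dirname(link))
    os.symlink(live, link)              # absolute target, as in the log above
    followed, fixed = chmod_landing(image, link)
    os.chmod(link, 0o755)               # dereferences: lands on the live file
    live_mode, staged_before = mode(live), mode(staged)
    os.chmod(fixed, 0o755)              # what the install step meant to change
    return {"escapes_image": not inside(image, followed),
            "fixed_inside_image": inside(image, fixed),
            "live_mode": live_mode, "staged_before": staged_before,
            "staged_after": mode(staged)}
```

The first `os.chmod` is the call the sandbox denied in the log: it changes the file outside the image directory and leaves the staged copy untouched.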