Created attachment 371138 [details] build.log emerge dev-lang/R yields a * ------------------- ACCESS VIOLATION SUMMARY -------------------- * LOG FILE: "/var/log/sandbox/sandbox-29865.log" * ... (see attached file) # emerge -info Portage 2.2.7 (default/linux/amd64/13.0, gcc-4.7.3, glibc-2.17, 3.10.25-gentoo x86_64) ================================================================= System uname: Linux-3.10.25-gentoo-x86_64-Intel-R-_Atom-TM-_CPU_C2750_@_2.40GHz-with-gentoo-2.2 KiB Mem: 16427564 total, 13723172 free KiB Swap: 20971516 total, 20971516 free Timestamp of tree: Sat, 22 Feb 2014 14:15:01 +0000 ld GNU ld (GNU Binutils) 2.23.2 app-shells/bash: 4.2_p45 dev-lang/python: 2.7.5-r3, 3.3.2-r2 dev-util/cmake: 2.8.11.2 dev-util/pkgconfig: 0.28 sys-apps/baselayout: 2.2 sys-apps/openrc: 0.12.4 sys-apps/sandbox: 2.6-r1 sys-devel/autoconf: 2.69 sys-devel/automake: 1.12.6, 1.13.4 sys-devel/binutils: 2.23.2 sys-devel/gcc: 4.7.3-r1 sys-devel/gcc-config: 1.7.3 sys-devel/libtool: 2.4.2 sys-devel/make: 3.82-r4 sys-kernel/linux-headers: 3.9 (virtual/os-headers) sys-libs/glibc: 2.17 Repositories: gentoo ACCEPT_KEYWORDS="amd64" ACCEPT_LICENSE="* -@EULA" CBUILD="x86_64-pc-linux-gnu" CFLAGS="-march=native -O2 -pipe" CHOST="x86_64-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt /var/bind" CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo" CXXFLAGS="-march=native -O2 -pipe" DISTDIR="/usr/portage/distfiles" FCFLAGS="-O2 -pipe" FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync" FFLAGS="-O2 -pipe" GENTOO_MIRRORS="rsync://de-mirror.org/gentoo/ http://linux.rz.ruhr-uni-bochum.de/download/gentoo-mirror/ rsync://ftp.halifax.rwth-aachen.de/gentoo/ ftp://ftp.halifax.rwth-aachen.de/gentoo/ http://ftp.halifax.rwth-aachen.de/gentoo/ ftp://sunsite.informatik.rwth-aachen.de/pub/Linux/gentoo" LANG="en_US.utf8" LDFLAGS="-Wl,-O1 -Wl,--as-needed" MAKEOPTS="-j9" PKGDIR="/usr/portage/packages" PORTAGE_CONFIGROOT="/" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="" SYNC="rsync://rsync.de.gentoo.org/gentoo-portage" USE="acl acpi alsa amd64 bzip2 cdb cli cracklib crypt cxx dbm fortran gdbm git gzip hddtemp iconv idn imap ipv6 lzma maildir mmap mmx modules multilib ncurses nls nptl nptlonly openmp pam pcre readline sasl session sse sse2 sse3 sse4_1 ssl ssse3 tcpd unicode usb zlib" ABI_X86="64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-5" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_3" RUBY_TARGETS="ruby19 ruby18" USERLAND="GNU" VIDEO_CARDS="fbdev glint intel mach64 mga nouveau nv r128 radeon savage sis tdfx trident vesa via vmware dummy v4l" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account" Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON
*** Bug 512784 has been marked as a duplicate of this bug. ***
*** Bug 512758 has been marked as a duplicate of this bug. ***
Created attachment 378580 [details] /var/log/sandbox/sandbox-6749.log
I can confirm this bug for net-dns/libidn-1.28 here. The end of emerge output: (null)*(null) --------------------------- ACCESS VIOLATION SUMMARY --------------------------- (null)*(null) LOG FILE: "/var/log/sandbox/sandbox-6749.log" (null)*(null) VERSION 1.0 FORMAT: F - Function called FORMAT: S - Access Status FORMAT: P - Path as passed to function FORMAT: A - Absolute Path (not canonical) FORMAT: R - Canonical Path FORMAT: C - Command Line F: open_wr S: deny P: /proc/self/coredump_filter A: /proc/self/coredump_filter R: /proc/8090/coredump_filter C: javac -d ../../../../../../../java/src/main/java -source 1.5 -target 1.5 CombiningClass.java Composition.java DecompositionKeys.java DecompositionMappings.java IDNA.java IDNAException.java NFKC.java Punycode.java PunycodeException.java RangeSet.java RFC3454.java Stringprep.java StringprepException.java F: open_wr S: deny P: /proc/self/coredump_filter A: /proc/self/coredump_filter R: /proc/8130/coredump_filter C: javac -d ../../../../java/src/util/java -classpath ../../../../java/src/main/java -source 1.5 -target 1.5 GenerateRFC3454.java GenerateNFKC.java TestIDNA.java TestNFKC.java F: open_wr S: deny P: /proc/self/coredump_filter A: /proc/self/coredump_filter R: /proc/8150/coredump_filter C: jar cf libidn-1.28.jar -C ./src/main/java gnu/inet/encoding/CombiningClass.class -C ./src/main/java gnu/inet/encoding/Composition.class -C ./src/main/java gnu/inet/encoding/DecompositionKeys.class -C ./src/main/java gnu/inet/encoding/DecompositionMappings.class -C ./src/main/java gnu/inet/encoding/IDNA.class -C ./src/main/java gnu/inet/encoding/IDNAException.class -C ./src/main/java gnu/inet/encoding/NFKC.class -C ./src/main/java gnu/inet/encoding/Punycode.class -C ./src/main/java gnu/inet/encoding/PunycodeException.class -C ./src/main/java gnu/inet/encoding/RangeSet$1.class -C ./src/main/java gnu/inet/encoding/RangeSet$Builder.class -C ./src/main/java gnu/inet/encoding/RangeSet.class -C ./src/main/java gnu/inet/encoding/RangeSet$Range.class -C ./src/main/java gnu/inet/encoding/RangeSet$RangeContainsComparator.class -C ./src/main/java gnu/inet/encoding/RFC3454.class -C ./src/main/java gnu/inet/encoding/Stringprep.class -C ./src/main/java gnu/inet/encoding/StringprepException.class (null)*(null) -------------------------------------------------------------------------------- !!! When you file a bug report, please include the following information: GENTOO_VM=icedtea-bin-6 CLASSPATH="" JAVA_HOME="/opt/icedtea-bin-6.1.13.3" JAVACFLAGS="-source 1.5 -target 1.5" COMPILER="" and of course, the output of emerge --info =libidn-1.28 emerge --info =libidn-1.28 Portage 2.2.8-r1 (default/linux/amd64/13.0/desktop, gcc-4.7.3, glibc-2.17, 3.12.21-gentoo-r1 x86_64) ================================================================= System Settings ================================================================= System uname: Linux-3.12.21-gentoo-r1-x86_64-Intel-R-_Core-TM-2_Quad_CPU_Q8200_@_2.33GHz-with-gentoo-2.2 KiB Mem: 4047692 total, 940676 free KiB Swap: 4192928 total, 4192928 free Timestamp of tree: Mon, 09 Jun 2014 10:15:01 +0000 ld GNU ld (GNU Binutils) 2.23.2 ccache version 3.1.9 [disabled] app-shells/bash: 4.2_p45 dev-java/java-config: 2.2.0 dev-lang/python: 2.7.6, 3.3.3 dev-util/ccache: 3.1.9-r3 dev-util/cmake: 2.8.12.2 dev-util/pkgconfig: 0.28 sys-apps/baselayout: 2.2 sys-apps/openrc: 0.12.4 sys-apps/sandbox: 2.6-r1 sys-devel/autoconf: 2.13, 2.69 sys-devel/automake: 1.10.3, 1.11.6, 1.12.6, 1.13.4 sys-devel/binutils: 2.23.2 sys-devel/gcc: 4.7.3-r1 sys-devel/gcc-config: 1.7.3 sys-devel/libtool: 2.4.2 sys-devel/make: 3.82-r4 sys-kernel/linux-headers: 3.13 (virtual/os-headers) sys-libs/glibc: 2.17 Repositories: gentoo science ACCEPT_KEYWORDS="amd64" ACCEPT_LICENSE="* -@EULA Oracle-BCLA-JavaSE PUEL dlj-1.1 AdobeFlash-11.x" CBUILD="x86_64-pc-linux-gnu" CFLAGS="-march=native -O2 -pipe" CHOST="x86_64-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/lib/latex2html /usr/share/gnupg/qualified.txt /usr/share/texmf-site/tex/latex/html /var/lib/hsqldb" CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c" CXXFLAGS="-march=native -O2 -pipe" DISTDIR="/usr/portage/distfiles" EMERGE_DEFAULT_OPTS=" -j3 --load-average 4" FCFLAGS="-O2 -pipe" FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync" FFLAGS="-O2 -pipe" GENTOO_MIRRORS="http://de-mirror.org/gentoo/ ftp://ftp.wh2.tu-dresden.de/pub/mirrors/gentoo" LANG="de_DE.UTF-8" LDFLAGS="-Wl,-O1 -Wl,--as-needed" MAKEOPTS="-j4" PKGDIR="/usr/portage/packages" PORTAGE_CONFIGROOT="/" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/var/lib/layman/science" SYNC="rsync://rsync.de.gentoo.org/gentoo-portage" USE="X a52 aac acl acpi alsa amd64 amr berkdb branding bzip2 cairo cdda cdr cli consolekit cracklib crypt cups cupsddk cxx dbus dri dts dvd dvdr dvi emboss encode exif fam firefox flac fortran g3dvl gdbm gif gimp gnutls gpm gstreamer gtk gtk3 hddtemp hpijs hunspell iconv ipv6 java jpeg jpg latex lcms libnotify lm_sensors lyx mad midi mime mmx mng modules mono mp3 mp4 mpeg mtp multilib ncurses nls nptl nsplugin nvidia odbc odf ogg opencl opengl openmp pam pango pcre pdf pmu png policykit ppds python qt3support raw readline scanner sdl session smp spell sse sse2 ssl startup-notification svg symlink system-cairo system-icu system-jpeg system-sqlite tcpd theora thunar thunderbird tiff truetype udev udisks unicode upower usb vorbis win32codecs wmf wxwidgets x264 xcb xinerama xml xpm xscreensaver xv xvid xvmc zlib" ABI_X86="64" ALSA_CARDS="hda-intel" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LINGUAS="de en" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-5" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_3" RUBY_TARGETS="ruby19 ruby20" SANE_BACKENDS="epson2 net" USERLAND="GNU" VIDEO_CARDS="nvidia" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account" Unset: CPPFLAGS, CTARGET, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON
Created attachment 378582 [details] /var/tmp/portage/net-dns/libidn-1.28/temp/build.log
*** Bug 512816 has been marked as a duplicate of this bug. ***
*** Bug 512824 has been marked as a duplicate of this bug. ***
*** Bug 512836 has been marked as a duplicate of this bug. ***
I can't readily find what may have recently changed. Was it a virtual/jdk provider that got bumped, maybe?
my change was upgrade icedtea-bin-6.1.12.7 to dev-java/icedtea-bin-6.1.13.3 media-video/ffmpeg-1.0.8 to media-video/ffmpeg-1.2.6 net-libs/libpcap-1.3.0-r1 to net-libs/libpcap-1.5.3 media-video/vlc-2.0.7 to media-video/vlc-2.1.2 then a emerge @preserved-rebuild of seven ebuilds app-cdr/k3b-2.0.2-r4 media-sound/sox-14.4.1 kde-base/ffmpegthumbs-4.12.5 media-libs/phonon-vlc-0.6.2 app-misc/strigi-0.7.8 kde-base/nepomuk-core-4.12.5 media-libs/opencv-2.4.5 where last one fails with java use, see bug 512816
In reply to Comment 9: The problem seems to be the upgrade to dev-java/icedtea-bin-6.1.13.3. Note that dev-java/icedtea got added a sandbox control file in 6.1.13.1 (see bug #499746) to fix a similar issue, while icedtea-bin-6.1.13.3 has none. So when the latter is the only java provider a sandbox violation will occur.
I can't find a good reason why sandbox should disallow programs to write to /proc/self/coredump_filter. Maybe it ought to be exempted somehow.
Confirmed with https://bugs.gentoo.org/show_bug.cgi?id=512836 - masking dev-java/icedtea-bin-6.1.13.3 and downgrading to dev-java/icedtea-bin-6.1.12.7 allows the virtualbox upgrade to succeed.
*** Bug 512840 has been marked as a duplicate of this bug. ***
(In reply to Bob Johnson from comment #13) > Confirmed with https://bugs.gentoo.org/show_bug.cgi?id=512836 - masking > dev-java/icedtea-bin-6.1.13.3 and downgrading to > dev-java/icedtea-bin-6.1.12.7 allows the virtualbox upgrade to succeed. FEATURES=-sandbox is probably the easiest workaround.
In reply to Comment 12: Isn't sandbox supposed to disallow writes to random files? I'm no expert here, but let's look what other java implementations do: There is "java-vm_sandbox-predict /proc/self/coredump_filter" or similar in the ebuilds for icedtea-7.*, icedtea-6.1.13.*, icedtea-bin-7.*, also for oracle-jdk-bin, some versions of ibm-jdk-bin, didn't check all the other ones. It is not needed for icedtea-6.1.12.* and icedtea-bin-6.1.12.*. Now, icedtea-bin-6.1.13.* fails without it. In the bug I mentioned above, icedtea-6.1.13.* was fixed with the following commit: <http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/dev-java/icedtea/icedtea-6.1.13.1.ebuild?r1=1.1&r2=1.2> Here's what adding such a line would do: echo 'SANDBOX_PREDICT="/proc/self/coredump_filter"' > /etc/sandbox.d/20icedtea-bin-6
(In reply to Alexander Miller from comment #16) > Isn't sandbox supposed to disallow writes to random files? I wouldn't think /proc/self/* is random for any definition of "random". > In the bug I mentioned above, icedtea-6.1.13.* was fixed with the following > commit: > <http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/dev-java/icedtea/ > icedtea-6.1.13.1.ebuild?r1=1.1&r2=1.2> > > Here's what adding such a line would do: > echo 'SANDBOX_PREDICT="/proc/self/coredump_filter"' > > /etc/sandbox.d/20icedtea-bin-6 That would work, too.
*** Bug 512894 has been marked as a duplicate of this bug. ***
> > Here's what adding such a line would do: > echo 'SANDBOX_PREDICT="/proc/self/coredump_filter"' > > /etc/sandbox.d/20icedtea-bin-6 This works for me.
(In reply to Kai Wüstermann from comment #19) > > > > Here's what adding such a line would do: > > echo 'SANDBOX_PREDICT="/proc/self/coredump_filter"' > > > /etc/sandbox.d/20icedtea-bin-6 > > This works for me. same here
Created attachment 378676 [details] buildlog of libbluray-0.5.0 Access violation of libblueray 0.5.0
*** Bug 512950 has been marked as a duplicate of this bug. ***
*** Bug 512954 has been marked as a duplicate of this bug. ***
Created attachment 378716 [details] libreoffice 4.2.3.3-r1 buildlog libreoffice 4.2.3.3-r1 affected too, I'll stop posting error, but this bug seems to affect many ebuilds using java.
*** Bug 512988 has been marked as a duplicate of this bug. ***
*** Bug 512990 has been marked as a duplicate of this bug. ***
+ 12 Jun 2014; Jeroen Roovers <jer@gentoo.org> icedtea-bin-6.1.13.3.ebuild, + icedtea-bin-6.1.13.3-r1.ebuild: + Add java-vm_sandbox-predict /proc/self/coredump_filter (bug #502280).
works for me (libreoffice, libbluray) thank you!
after manually # emerge -1v icedtea-bin it works for me, too (libidn, libbluray)
(In reply to spam-mails-here from comment #29) > after manually > > # emerge -1v icedtea-bin > > it works for me, too (libidn, libbluray) The above solution worked for me (app-emulation/virtualbox)
*** Bug 513306 has been marked as a duplicate of this bug. ***
*** Bug 513696 has been marked as a duplicate of this bug. ***
*** Bug 513722 has been marked as a duplicate of this bug. ***
Worked fine for me. Thanks.
*** Bug 513880 has been marked as a duplicate of this bug. ***
12 Jun 2014; Jeroen Roovers <jer@gentoo.org> icedtea-bin-6.1.13.3.ebuild, icedtea-bin-6.1.13.3-r1.ebuild: Add java-vm_sandbox-predict /proc/self/coredump_filter (bug #502280). Can we have a revbump for this change directly to stable? Otherwise people need to figure they need to rebuild icedtea-bin themselves :/
(In reply to Pacho Ramos from comment #36) > 12 Jun 2014; Jeroen Roovers <jer@gentoo.org> icedtea-bin-6.1.13.3.ebuild, > icedtea-bin-6.1.13.3-r1.ebuild: > Add java-vm_sandbox-predict /proc/self/coredump_filter (bug #502280). > > Can we have a revbump for this change directly to stable? Otherwise people > need to figure they need to rebuild icedtea-bin themselves :/ Done.
Thanks :)
