Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 625834 - =x11-libs/pango-1.40.6 in a Parallels guest: sandbox violation - open_wr on /proc/driver/prl_vtg
Summary: =x11-libs/pango-1.40.6 in a Parallels guest: sandbox violation - open_wr on /...
Status: UNCONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Linux Gnome Desktop Team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-07-21 10:07 UTC by Morladim
Modified: 2021-03-06 01:15 UTC (History)
5 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
screenshot (28455650-59104f9a-6e32-11e7-8ae5-1dd80e0820cb.png,48.57 KB, image/png)
2017-07-21 10:22 UTC, Morladim
Details
log (5620d7700608.txt,79.16 KB, text/plain)
2017-07-21 12:40 UTC, Morladim
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Morladim 2017-07-21 10:07:19 UTC
install log
https://bpaste.net/raw/5620d7700608
Linux Gentoo 4.9.34-gentoo #1 SMP Fri Jul 21 01:12:26 CST 2017 x86_64 Intel(R) Core(TM) i7-2635QM CPU @ 2.00GHz GenuineIntel GNU/Linux

same porblem while update pango-1.40.6
Comment 1 Morladim 2017-07-21 10:22:48 UTC
Created attachment 486262 [details]
screenshot

screenshot
Comment 2 Morladim 2017-07-21 10:31:02 UTC
emerge --info
!!! SYNC setting found in make.conf.
    This setting is Deprecated and no longer used.  Please ensure your 'sync-type' and 'sync-uri' are set correctly in /etc/portage/repos.conf/gentoo.conf
Portage 2.3.6 (python 3.4.5-final-0, default/linux/amd64/13.0/desktop/gnome, gcc-5.4.0, glibc-2.23-r4, 4.9.34-gentoo x86_64)
=================================================================
System uname: Linux-4.9.34-gentoo-x86_64-Intel-R-_Core-TM-_i7-2635QM_CPU_@_2.00GHz-with-gentoo-2.3
KiB Mem:     4039512 total,    470028 free
KiB Swap:    2097148 total,   2097148 free
Timestamp of repository gentoo: Fri, 21 Jul 2017 08:30:01 +0000
sh bash 4.3_p48-r1
ld GNU ld (Gentoo 2.28 p1.2) 2.28
app-shells/bash:          4.3_p48-r1::gentoo
dev-lang/perl:            5.24.1-r2::gentoo
dev-lang/python:          2.7.12::gentoo, 3.4.5::gentoo
dev-util/cmake:           3.7.2::gentoo
dev-util/pkgconfig:       0.28-r2::gentoo
sys-apps/baselayout:      2.3::gentoo
sys-apps/openrc:          0.26.3::gentoo
sys-apps/sandbox:         2.9::gentoo
sys-devel/autoconf:       2.13::gentoo, 2.69::gentoo
sys-devel/automake:       1.15-r2::gentoo
sys-devel/binutils:       2.28-r2::gentoo
sys-devel/gcc:            5.4.0-r3::gentoo
sys-devel/gcc-config:     1.7.3::gentoo
sys-devel/libtool:        2.4.6-r3::gentoo
sys-devel/make:           4.2.1::gentoo
sys-kernel/linux-headers: 4.4::gentoo (virtual/os-headers)
sys-libs/glibc:           2.23-r4::gentoo
Repositories:

gentoo
    location: /usr/portage
    sync-type: rsync
    sync-uri: rsync://rsync.gentoo.org/gentoo-portage
    priority: -1000

elementary
    location: /var/lib/layman/elementary
    masters: gentoo
    priority: 50

ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="*"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=native -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--autounmask-write=y --keep-going=y --with-bdeps=y"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://mirrors.sohu.com/gentoo/"
LANG="zh_CN.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
USE="X a52 aac acl acpi alsa amd64 asf bash-completion berkdb bluetooth branding bzip2 cairo cdda cdr cli colord consolekit cracklib crypt cups cxx dbus dri dts dvd dvdr eds emboss encode evo exif fam firefox flac fortran gdbm gif glamor gnome gnome-keyring gnome-online-accounts gstreamer gtk iconv introspection ipv6 jpeg lcms ldap libnotify libsecret mad mmx mng modules mp3 mp4 mpeg multilib nautilus ncurses nls nptl nsplugin ogg opengl openmp pam pango pcre pdf png policykit ppds pulseaudio qt3support qt4 readline real sdl seccomp session spell sse sse2 ssl startup-notification svg tcpd tiff tracker truetype udev udisks unicode upower usb vim-syntax vorbis win32codecs wxwidgets x264 xattr xcb xml xv xvid zlib" ABI_X86="64 32" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authz_host cgi dir mime actions alias asis auth_basic auth_digest authn_alias authn_anon authn_dbd authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_owner authz_user autoindex cache cern_meta cgid charset_lite dav dav_fs dav_lock dbd deflate disk_cache dumpio env expires ext_filter file_cache filter headers ident imagemap include info log_config log_forensic logio mem_cache mime_magic negotiation proxy proxy_ajp proxy_balancer proxy_connect proxy_ftp proxy_http reqtimeout rewrite setenvif speling status substitute unique_id userdir usertrack version vhost_alias unixd socache_shmcb authn_core authz_core" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="mmx sse sse2" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="keyboard mouse evdev synaptics" KERNEL="linux" L10N="de pt-BR en en-US en-GB zh-CN" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LINGUAS="zh_CN zh_TW en_US" NGINX_MODULES_HTTP="addition fastcgi flv geo geoip sub access auth_basic charset dav gzip gzip_static image_filter limit_req limit_zone map memcached perl proxy realip referer rewrite secure_link ssi stub_status upstream_ip_hash userid xslt random autoindex browser cache_purge degradation empty_gif headers_more push random_index scgi split_clients uwsgi slowfs_cache upload upload_progress" NGINX_MODULES_MAIL="imap pop3 smtp" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-6" POSTGRES_TARGETS="postgres9_5" PYTHON_SINGLE_TARGET="python3_4" PYTHON_TARGETS="python2_7 python3_4" RUBY_TARGETS="ruby21 ruby22" USERLAND="GNU" VIDEO_CARDS="Parallels" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CC, CPPFLAGS, CTARGET, CXX, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON
Comment 3 Morladim 2017-07-21 12:36:43 UTC
make[1]: Leaving directory '/var/tmp/portage/x11-libs/pango-1.40.6/work/pango-1.40.6-abi_x86_64.amd64'
>>> Source compiled.
 * --------------------------- ACCESS VIOLATION SUMMARY ---------------------------
 * LOG FILE: "/var/log/sandbox/sandbox-23678.log"
 *
VERSION 1.0
FORMAT: F - Function called
FORMAT: S - Access Status
FORMAT: P - Path as passed to function
FORMAT: A - Absolute Path (not canonical)
FORMAT: R - Canonical Path
FORMAT: C - Command Line

F: open_wr
S: deny
P: /proc/driver/prl_vtg
A: /proc/driver/prl_vtg
R: /proc/driver/prl_vtg
C: /var/tmp/portage/x11-libs/pango-1.40.6/work/pango-1.40.6-abi_x86_64.amd64/pango/tmp-introspectk2i_2j9q/.libs/PangoCairo-1.0 --introspect-dump=/var/tmp/portage/x11-libs/pango-1.40.6/work/pango-1.40.6-abi_x86_64.amd64/pango/tmp-introspectk2i_2j9q/functions.txt,/var/tmp/portage/x11-libs/pango-1.40.6/work/pango-1.40.6-abi_x86_64.amd64/pango/tmp-introspectk2i_2j9q/dump.xml
 * --------------------------------------------------------------------------------

>>> Failed to emerge x11-libs/pango-1.40.6, Log file:
Comment 4 Morladim 2017-07-21 12:40:17 UTC
Created attachment 486266 [details]
log

log
Comment 5 Morladim 2017-07-21 12:56:43 UTC
 # sudo ebuild awesome-4.1.ebuild merge
!!! SYNC setting found in make.conf.
    This setting is Deprecated and no longer used.  Please ensure your 'sync-type' and 'sync-uri' are set correctly in /etc/portage/repos.conf/gentoo.conf
>>> Existing ${T}/environment for 'awesome-4.1' will be sourced. Run
>>> 'clean' to start with a fresh environment.
>>> Checking awesome-4.1.tar.xz's mtime...
>>> WORKDIR is up-to-date, keeping...
 * checking ebuild checksums ;-) ...                                                  [ ok ]
 * checking auxfile checksums ;-) ...                                                 [ ok ]
 * checking miscfile checksums ;-) ...                                                [ ok ]
>>> It appears that 'setup' has already executed for 'awesome-4.1'; skipping.
>>> Remove '/var/tmp/portage/x11-wm/awesome-4.1/.setuped' to force setup.
>>> It appears that 'unpack' has already executed for 'awesome-4.1'; skipping.
>>> Remove '/var/tmp/portage/x11-wm/awesome-4.1/.unpacked' to force unpack.
>>> It appears that 'prepare' has already executed for 'awesome-4.1'; skipping.
>>> Remove '/var/tmp/portage/x11-wm/awesome-4.1/.prepared' to force prepare.
>>> It appears that 'configure' has already executed for 'awesome-4.1'; skipping.
>>> Remove '/var/tmp/portage/x11-wm/awesome-4.1/.configured' to force configure.
>>> It appears that 'compile' has already executed for 'awesome-4.1'; skipping.
>>> Remove '/var/tmp/portage/x11-wm/awesome-4.1/.compiled' to force compile.
>>> Test phase [not enabled]: x11-wm/awesome-4.1

>>> Install awesome-4.1 into /var/tmp/portage/x11-wm/awesome-4.1/image/ category x11-wm
>>> Working in BUILD_DIR: "/var/tmp/portage/x11-wm/awesome-4.1/work/awesome-4.1_build"
make -j3 install
[ 11%] Built target generated_icons
[ 13%] Built target generated_sources
[ 61%] Built target man
 * ACCESS DENIED:  open_wr:      /proc/driver/prl_vtg
lua: /usr/share/lua/5.1/lgi/namespace.lua:151: Typelib file for namespace 'Pango' (any version) not found
stack traceback:
        [C]: in function 'assert'
        /usr/share/lua/5.1/lgi/namespace.lua:151: in function </usr/share/lua/5.1/lgi/namespace.lua:148>
        (tail call): ?
        (command line):1: in main chunk
        [C]: ?


       WARNING
       =======

 The lgi check failed.
 The Lua GObject introspection package is just a runtime dependency, so it is not
 necessary for building awesome. However, awesome needs it to run.
 Add AWESOME_IGNORE_LGI=1 to your environment to continue.


make[2]: *** [CMakeFiles/lgi-check.dir/build.make:57: CMakeFiles/lgi-check] Error 1
make[1]: *** [CMakeFiles/Makefile2:234: CMakeFiles/lgi-check.dir/all] Error 2
make: *** [Makefile:128: all] Error 2
 * ERROR: x11-wm/awesome-4.1::gentoo failed (install phase):
 *   emake failed
 *
 * If you need support, post the output of `emerge --info '=x11-wm/awesome-4.1::gentoo'`,
 * the complete build log and the output of `emerge -pqv '=x11-wm/awesome-4.1::gentoo'`.
 * The complete build log is located at '/var/tmp/portage/x11-wm/awesome-4.1/temp/build.log'.
 * The ebuild environment file is located at '/var/tmp/portage/x11-wm/awesome-4.1/temp/environment'.
 * Working directory: '/var/tmp/portage/x11-wm/awesome-4.1/work/awesome-4.1_build'
 * S: '/var/tmp/portage/x11-wm/awesome-4.1/work/awesome-4.1'
 * --------------------------- ACCESS VIOLATION SUMMARY ---------------------------
 * LOG FILE: "/var/log/sandbox/sandbox-10523.log"
 *
VERSION 1.0
FORMAT: F - Function called
FORMAT: S - Access Status
FORMAT: P - Path as passed to function
FORMAT: A - Absolute Path (not canonical)
FORMAT: R - Canonical Path
FORMAT: C - Command Line

F: open_wr
S: deny
P: /proc/driver/prl_vtg
A: /proc/driver/prl_vtg
R: /proc/driver/prl_vtg
C: lua -e l = require("lgi") assert(l.cairo, l.Pango, l.PangoCairo, l.GLib, l.Gio)
 * --------------------------------------------------------------------------------

 * Messages for package x11-wm/awesome-4.1:

 * ERROR: x11-wm/awesome-4.1::gentoo failed (install phase):
 *   emake failed
 *
 * If you need support, post the output of `emerge --info '=x11-wm/awesome-4.1::gentoo'`,
 * the complete build log and the output of `emerge -pqv '=x11-wm/awesome-4.1::gentoo'`.
 * The complete build log is located at '/var/tmp/portage/x11-wm/awesome-4.1/temp/build.log'.
 * The ebuild environment file is located at '/var/tmp/portage/x11-wm/awesome-4.1/temp/environment'.
 * Working directory: '/var/tmp/portage/x11-wm/awesome-4.1/work/awesome-4.1_build'
 * S: '/var/tmp/portage/x11-wm/awesome-4.1/work/awesome-4.1'
Comment 6 Pengcheng Xu 2017-07-21 13:33:46 UTC
According to the logs the build system is trying to access `/proc/driver/prl_vtg`, which is the guest driver for Parallels Desktop (12.2.0(41591)) , which is a virtual machine software on Mac.

Here's a header file defining the driver (probably): 
https://github.com/cdelorme/fedora_parallels_tools/blob/master/prl_tg/Toolgate/Guest/Linux/Interfaces/prltg.h

Sandbox is denying the access outside the build environment. Similar issues are present on RHEL, Fedora and CentOS as well due to their nature of SELinux being enabled by default. Here's one of the SELinux access logs quoted from https://bugzilla.redhat.com/show_bug.cgi?id=1130750 . Look for `comm="tumblerd" name="prl_vtg" dev="proc"`.


Additional Information:
Source Context                unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023
Target Context                system_u:object_r:proc_t:s0
Target Objects                 [ file ]
Source                        tumblerd
Source Path                   /usr/lib64/tumbler-1/tumblerd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           tumbler-0.1.30-1.fc20.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-179.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.15.10-200.fc20.x86_64 #1 SMP Thu
                              Aug 14 15:39:24 UTC 2014 x86_64 x86_64
Alert Count                   1
First Seen                    2014-08-17 03:40:19 PDT
Last Seen                     2014-08-17 03:40:19 PDT
Local ID                      4fe17434-1e54-4a35-a969-3b6886afc68b

Raw Audit Messages
type=AVC msg=audit(1408272019.885:373): avc:  denied  { write } for  pid=2410 comm="tumblerd" name="prl_vtg" dev="proc" ino=4026532211 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file


type=SYSCALL msg=audit(1408272019.885:373): arch=x86_64 syscall=open success=no exit=EACCES a0=7ffff74ebbea a1=1 a2=7ffff7715328 a3=7fffffffdf00 items=0 ppid=2409 pid=2410 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm=tumblerd exe=/usr/lib64/tumbler-1/tumblerd subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)

Hash: tumblerd,thumb_t,proc_t,file,write
Comment 7 Marek Szuba archtester gentoo-dev 2021-01-18 10:07:39 UTC
Is this still a problem with current ebuilds?
Comment 8 Marek Szuba archtester gentoo-dev 2021-01-18 13:52:55 UTC
Either way, the log shows this is again related to Pango so I'm reassigning this issue.