quilt Makefile contains:

GIT_DESC := $(shell ./git-desc | sed -e 's:^v::')

OE @ //tmp/tmpfs/portage/dev-util/quilt-0.65/work/quilt-0.65 # cat git-desc
#! /bin/sh

if git rev-parse --show-cdup > /dev/null 2> /dev/null; then
    tag=$(git describe --tags HEAD 2> /dev/null || \
          git rev-parse --short HEAD)
    dirty=$(git update-index --refresh --unmerged > /dev/null
            if git diff-index --name-only HEAD | read dummy; then
                echo -dirty
            fi)
    echo $tag$dirty
fi

In my case, where the whole rootfs is in git (don't ask why), the rev-parse doesn't fail:

OE @ //tmp/tmpfs/portage/dev-util/quilt-0.65/work/quilt-0.65 # git rev-parse --show-cdup
../../../../../../../

so the code gets executed and the git update-index triggers the sandbox violation:

# cat /var/log/sandbox/sandbox-14359.log
VERSION 1.0
FORMAT: F - Function called
FORMAT: S - Access Status
FORMAT: P - Path as passed to function
FORMAT: A - Absolute Path (not canonical)
FORMAT: R - Canonical Path
FORMAT: C - Command Line

F: open_wr
S: deny
P: /.git/index.lock
A: /.git/index.lock
R: /.git/index.lock
C: git update-index --refresh --unmerged

As a workaround I'm removing the git-desc file.

Reproducible: Always
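The sandbox log format quoted in the report, parsed as an added example (not part of the original report, quilt, or sandbox): it lists each denied access and marks whether the canonical path lies outside the build's work directory, which is the signature of git picking up a repository in a parent directory. The function names, the work directory /build/work/quilt-0.65 and the second log record are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: list denied accesses from a sandbox log in the format quoted above.
# Usage: sandbox_denials WORKDIR < logfile
# Output per denial: FUNCTION <TAB> CANONICAL_PATH <TAB> SCOPE <TAB> COMMAND
# SCOPE is "outside-workdir" when the path is not under WORKDIR, as happens
# when git discovers a repository in a parent directory of the build tree.
sandbox_denials() {
    awk -v workdir="${1%/}" '
        function flush_record() {      # emit the collected record if it was denied
            if (rec["S"] == "deny") {
                scope = (index(rec["R"], workdir "/") == 1) ? "inside-workdir" : "outside-workdir"
                printf "%s\t%s\t%s\t%s\n", rec["F"], rec["R"], scope, rec["C"]
            }
            split("", rec)             # portable way to clear the array
        }
        /^[FSPARC]: / {                # record field, e.g. "S: deny"
            key = substr($0, 1, 1)
            if (key == "F" && ("F" in rec)) flush_record()   # "F:" starts a new record
            rec[key] = substr($0, 4)
        }
        END { if ("F" in rec) flush_record() }
    '
}

# Constructed sample: the record from the report plus one made-up denial
# inside a hypothetical work directory /build/work/quilt-0.65.
sample_log() {
    cat <<'EOF'
VERSION 1.0
FORMAT: F - Function called
FORMAT: S - Access Status

F: open_wr
S: deny
P: /.git/index.lock
A: /.git/index.lock
R: /.git/index.lock
C: git update-index --refresh --unmerged

F: mkdir
S: deny
P: out
A: /build/work/quilt-0.65/out
R: /build/work/quilt-0.65/out
C: mkdir out
EOF
}

sample_log | sandbox_denials /build/work/quilt-0.65
```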
My 2 cents: Having a git repository in / is a stupid idea, and not something we should work around in ebuilds. You can work around the issue locally by adding SANDBOX_PREDICT="/.git" to /etc/sandbox.conf.
Not a recommended configuration and workaround proposed.