Bug 670761 - media-gfx/imagemagick - missing path in /etc/sandbox.d/99imagemagick?
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Andreas K. Hüttel
Reported: 2018-11-09 15:14 UTC by Russell Knighton
Modified: 2020-10-16 20:59 UTC
Description Russell Knighton 2018-11-09 15:14:24 UTC
I'm not entirely sure whether to post this as a bug against sci-misc/boinc or media-gfx/imagemagick. As there appear to be a few related historical bugs relating to imagemagick (and I feel that is where this probably needs resolving), I've opted to post it against imagemagick for now. Feel free to move/change the title etc. to be more appropriate.

A recent system upgrade has updated me to media-gfx/imagemagick-7.0.8.14, but a subsequent rebuild of sci-misc/boinc (which calls the /usr/bin/convert utility from imagemagick) is now failing with sandbox violations:
----------------------------------------------------
 * ACCESS DENIED:  open_wr:      /dev/dri/card0
X server found. dri2 connection failed! 
 * ACCESS DENIED:  open_wr:      /dev/dri/card0
open("/dev/dri/card0", O_RDWR) failed: Permission denied
Device open failed, aborting...
----------------------------------------------------

As you can see, it is trying to access /dev/dri/card0, but the contents of /etc/sandbox.d/99imagemagick are:
SANDBOX_PREDICT="/dev/nvidiactl:/dev/nvidia-uvm:/dev/ati/card:/dev/dri/card:/dev/dri/renderD128"

which doesn't appear to be enough for my case.

If I append "/dev/dri/card0" to the sandbox.d file, then I no longer receive the sandbox violation. I do, however, now see a "permissions denied" error, but the installation does seem to proceed and all seems to work. (Why do we use SANDBOX_PREDICT instead of SANDBOX_WRITE?)

Please can we either add "/dev/dri/card0" to the SANDBOX_PREFIX list or some sort of wildcard/regex match? (I tried "/dev/dri/card[0-9]", but that does not work.)

In addition, I think a switch to SANDBOX_WRITE should really be considered.
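
A triage sketch for the situation reported above, added as an example; it is not part of the original report and not Gentoo's sandbox code. It extracts the denied paths from a build log and lists those that no SANDBOX_PREDICT entry covers. The whole-path-component matching rule is an assumption, chosen because it agrees with the report ("/dev/dri/card" did not cover "/dev/dri/card0"); the function names are hypothetical and the sample input is constructed from the lines quoted in the report.

```python
import re
import shlex

# Constructed sample input, taken from the lines quoted in the report.
SANDBOX_D = ('SANDBOX_PREDICT="/dev/nvidiactl:/dev/nvidia-uvm:/dev/ati/card:'
             '/dev/dri/card:/dev/dri/renderD128"\n')
BUILD_LOG = """\
 * ACCESS DENIED:  open_wr:      /dev/dri/card0
X server found. dri2 connection failed!
 * ACCESS DENIED:  open_wr:      /dev/dri/card0
open("/dev/dri/card0", O_RDWR) failed: Permission denied
"""

# Matches the violation lines as they appear in the report's log excerpt.
DENIED = re.compile(r"^\s*\*\s+ACCESS DENIED:\s+(\w+):\s+(\S+)\s*$")


def parse_entries(text, var="SANDBOX_PREDICT"):
    """Return the colon-separated paths assigned to `var` in a sandbox.d file."""
    entries = []
    for token in shlex.split(text, comments=True):
        name, sep, value = token.partition("=")
        if sep and name == var:
            entries += [p for p in value.split(":") if p]
    return entries


def covers(entry, path):
    """Assumed rule: an entry covers itself and anything below it, matched on
    whole path components (no globs, no partial file names)."""
    entry = entry.rstrip("/") or "/"
    return path == entry or path.startswith(entry.rstrip("/") + "/")


def uncovered(log, entries):
    """Map each denied path not covered by any entry to the denied operations."""
    seen = {}
    for line in log.splitlines():
        m = DENIED.match(line)
        if m and not any(covers(e, m.group(2)) for e in entries):
            seen.setdefault(m.group(2), set()).add(m.group(1))
    return {path: sorted(ops) for path, ops in seen.items()}


if __name__ == "__main__":
    for path, ops in uncovered(BUILD_LOG, parse_entries(SANDBOX_D)).items():
        print(f"not covered: {path} ({', '.join(ops)})")
```
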
Comment 1 Larry the Git Cow gentoo-dev 2020-10-16 20:59:57 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a4742a4a03827492fd6f2fafe7aacccdae95278f

commit a4742a4a03827492fd6f2fafe7aacccdae95278f
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2020-10-16 20:59:34 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2020-10-16 20:59:34 +0000

    media-gfx/imagemagick: Add /dev/dri/card0 to SANDBOX_PREDICT
    
    Closes: https://bugs.gentoo.org/670761
    Package-Manager: Portage-3.0.8, Repoman-3.0.1
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 .../{imagemagick-6.9.11.31.ebuild => imagemagick-6.9.11.31-r1.ebuild}   | 2 +-
 .../{imagemagick-6.9.11.34.ebuild => imagemagick-6.9.11.34-r1.ebuild}   | 2 +-
 .../{imagemagick-7.0.10.31.ebuild => imagemagick-7.0.10.31-r1.ebuild}   | 2 +-
 .../{imagemagick-7.0.10.34.ebuild => imagemagick-7.0.10.34-r1.ebuild}   | 2 +-
 media-gfx/imagemagick/imagemagick-9999.ebuild                           | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)
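
Review bot: The subject line adds only /dev/dri/card0 to SANDBOX_PREDICT, while the report shows that the existing /dev/dri/card entry did not cover /dev/dri/card0, so a host whose device node is /dev/dri/card1 or higher would presumably hit the same ACCESS DENIED; consider an entry that covers the /dev/dri directory as a whole, or say in the commit message why only card0 is listed. The message also leaves the reporter's SANDBOX_PREDICT versus SANDBOX_WRITE question unanswered, and one line of rationale would close it. Only the diffstat is shown here, so the one-line change per ebuild cannot itself be checked.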