Created attachment 746370: build.log

Attached an example of the failure I'm seeing, but it's not specific to OpenSSL. Also seen with e.g. ncurses.

This is within a systemd-nspawn container on arm64 which might be relevant. Host is Gentoo too.

Let me know what more information you may need.

----

```
Portage 3.0.28 (python 3.9.7-final-0, default/linux/arm64/17.0/desktop/gnome/systemd, gcc-11.2.0, glibc-2.33-r7, 5.10.38-gentoo-dist aarch64)
=================================================================
System uname: Linux-5.10.38-gentoo-dist-aarch64-with-glibc2.33
KiB Mem: 262984492 total, 157497780 free
KiB Swap: 9767620 total, 9767620 free
Timestamp of repository gentoo: Sun, 24 Oct 2021 02:30:01 +0000
Head commit of repository gentoo: 741ecd4f498a56b160e2ac8dd836e6016413c4f1
sh bash 5.1_p8
ld GNU ld (Gentoo 2.37_p1 p0) 2.37
ccache version 4.4.2 [disabled]
app-shells/bash: 5.1_p8::gentoo
dev-lang/perl: 5.34.0-r3::gentoo
dev-lang/python: 3.9.7_p1::gentoo, 3.10.0_p1::gentoo
dev-lang/rust-bin: 1.56.0::gentoo
dev-util/ccache: 4.4.2::gentoo
dev-util/cmake: 3.21.3::gentoo
sys-apps/baselayout: 2.8::gentoo
sys-apps/sandbox: 2.26::gentoo
sys-devel/autoconf: 2.13-r1::gentoo, 2.71-r1::gentoo
sys-devel/automake: 1.16.5::gentoo
sys-devel/binutils: 2.37_p1::gentoo
sys-devel/gcc: 11.2.0::gentoo
sys-devel/gcc-config: 2.4::gentoo
sys-devel/libtool: 2.4.6-r6::gentoo
sys-devel/make: 4.3::gentoo
sys-kernel/linux-headers: 5.14::gentoo (virtual/os-headers)
sys-libs/glibc: 2.33-r7::gentoo
Repositories:

gentoo
    location: /var/db/repos/gentoo
    sync-type: rsync
    sync-uri: rsync://rsync.gentoo.org/gentoo-portage
    priority: -1000
    sync-rsync-extra-opts:
    sync-rsync-verify-max-age: 24
    sync-rsync-verify-jobs: 1
    sync-rsync-verify-metamanifest: yes

ACCEPT_KEYWORDS="arm64 ~arm64"
ACCEPT_LICENSE="*"
CBUILD="aarch64-unknown-linux-gnu"
CFLAGS="-O2 -pipe"
CHOST="aarch64-unknown-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-O2 -pipe"
DISTDIR="/var/cache/distfiles"
EMERGE_DEFAULT_OPTS="--keep-going=y --deep --complete-graph"
ENV_UNSET="CARGO_HOME DBUS_SESSION_BUS_ADDRESS DISPLAY GOBIN GOPATH PERL5LIB PERL5OPT PERLPREFIX PERL_CORE PERL_MB_OPT PERL_MM_OPT XAUTHORITY XDG_CACHE_HOME XDG_CONFIG_HOME XDG_DATA_HOME XDG_RUNTIME_DIR"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-docompress binpkg-dostrip binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync multilib-strict news parallel-fetch preserve-libs protect-owned qa-unresolved-soname-deps sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="C.UTF8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j20"
PKGDIR="/var/cache/binpkgs"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
USE="X a52 aac acl acpi alsa arm64 bluetooth branding bzip2 cairo cdda cdr cli colord crypt cups dbus dri dts dvdr eds emboss encode evo exif flac fortran gdbm gif gnome gnome-keyring gnome-online-accounts gpm gstreamer gtk gui iconv icu introspection ipv6 jpeg lcms libglvnd libnotify libsecret libtirpc mad mng mp3 mp4 mpeg nautilus ncurses networkmanager nls nptl ogg opengl openmp pam pango pcre pdf png policykit ppds pulseaudio qt5 readline sdl seccomp spell split-usr ssl startup-notification svg sysprof systemd tcpd tiff tracker truetype udev udisks unicode upower usb vorbis wayland wxwidgets x264 xattr xcb xml xv xvid zlib"
ADA_TARGET="gnat_2019"
APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias"
CALLIGRA_FEATURES="karbon sheets words"
COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog"
CPU_FLAGS_ARM="edsp thumb thumb2 v4 v5 v6 v7 v8 vfp vfp-d32 vfpv3 vfpv4"
ELIBC="glibc"
GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock greis isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx"
INPUT_DEVICES="libinput"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer"
LUA_SINGLE_TARGET="lua5-1"
LUA_TARGETS="lua5-1"
OFFICE_IMPLEMENTATION="libreoffice"
PHP_TARGETS="php7-3 php7-4"
POSTGRES_TARGETS="postgres12 postgres13"
PYTHON_SINGLE_TARGET="python3_9"
PYTHON_TARGETS="python3_9"
RUBY_TARGETS="ruby27"
USERLAND="GNU"
VIDEO_CARDS="fbdev dummy v4l"
XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq proto steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset: CC, CPPFLAGS, CTARGET, CXX, INSTALL_MASK, LC_ALL, LINGUAS, PORTAGE_BINHOST, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, RUSTFLAGS
```
sandbox.conf namespace settings:

```
# Global knob to control all namespaces.
NAMESPACES_ENABLE="yes"

# Knobs for different types of namespaces. If the runtime doesn't support a
# particular type, it will be automatically skipped. Default to off as these
# are currently experimental.
# For more details on each type, see the namespaces(7) manpage.
NAMESPACE_CGROUP_ENABLE="yes"
NAMESPACE_IPC_ENABLE="yes"
NAMESPACE_MNT_ENABLE="yes"
NAMESPACE_NET_ENABLE="yes"
NAMESPACE_PID_ENABLE="yes"
NAMESPACE_SYSV_ENABLE="yes"
NAMESPACE_TIME_ENABLE="yes"
NAMESPACE_USER_ENABLE="yes"
NAMESPACE_UTS_ENABLE="yes"
```

sys-apps/sandbox-2.26::gentoo was built with the following:
USE="" CFLAGS="-O2 -pipe -fno-lto" CXXFLAGS="-O2 -pipe -fno-lto" LDFLAGS="-Wl,-O1 -Wl,--as-needed -fno-lto
(In reply to Sam James from comment #0)
> This is within a systemd-nspawn container on arm64 which might be relevant.
> Host is Gentoo too.

fwiw I've not seen anything interesting on any other machines after running with ns enabled for a while, so it's probably related to this?
odd that you had enough perms to use CLONE_NEWNET, but not enough to set up the iface in that new network namespace. this is needed to bring up the loopback iface inside the env otherwise some tools get weird.

if you run `sandbox` as root inside the env directly (rather than via portage), you should be able to tell if it's from the host env.
(In reply to SpanKY from comment #3)
> odd that you had enough perms to use CLONE_NEWNET, but not enough to set up
> the iface in that new network namespace. this is needed to bring up the
> loopback iface inside the env otherwise some tools get weird.

that's what I didn't get either..

> if you run `sandbox` as root inside the env directly (rather than via
> portage), you should be able to tell if it's from the host env.

```
# sandbox
============================= Gentoo path sandbox ==============================
Detection of the support files.
Verification of the required files.
Setting up the required environment variables.
The protected environment has been started.
--------------------------------------------------------------------------------
Process being started in forked instance.
sandbox:ns_net_setup ioctl(SIOCSIFFLAGS, lo) failed: Operation not permitted
```

... and works outside of systemd-nspawn.
We ran into a similar issue with FEATURES="network-sandbox" in Portage.

https://github.com/systemd/systemd/issues/13308

systemd-nspawn removes CAP_NET_ADMIN by default. This is done to prevent containers from messing with the host network interfaces. CAP_NET_ADMIN is necessary to configure network interfaces, regardless of which namespace they reside in. Calling clone(CLONE_NEWNET) requires CAP_SYS_ADMIN, which systemd-nspawn retains by default.

Workarounds:

1. Run systemd-nspawn --capability=CAP_NET_ADMIN to retain that capability in the container. This poses a security risk since the container will be able to reconfigure interfaces on the host.

2. Run systemd-nspawn --private-network. This also retains CAP_NET_ADMIN, but sets up a private network namespace at the same time, avoiding the security issue by not allowing the container to alter interfaces in the original namespace. Virtual network interfaces must be configured in the container to allow network access.

3. Disable the network namespace feature in sandbox.conf.
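An added example, not sandbox's or Portage's own code, that repeats the two privileged steps the comment above describes (unshare(CLONE_NEWNET), then SIOCSIFFLAGS on lo) and tells the two EPERM cases apart, next to a check of the CapEff mask from /proc/self/status; run it as root inside and outside the nspawn container to confirm which capability the container is missing.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/capability.h>  /* CAP_NET_ADMIN (12), CAP_SYS_ADMIN (21) bit numbers */
#include <net/if.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <unistd.h>

/* Pull the effective capability mask out of /proc/<pid>/status text ("CapEff:\t<hex>"). */
unsigned long long parse_capeff(const char *status_text) {
    const char *p = strstr(status_text, "CapEff:");
    return p ? strtoull(p + strlen("CapEff:"), NULL, 16) : 0ULL;
}
/* Is capability bit `cap` set in `mask`? */
int cap_in_mask(unsigned long long mask, int cap) { return (int)((mask >> cap) & 1ULL); }

/* Repeat the two privileged steps of sandbox's ns_net_setup and classify the result:
 *   0  new netns created and lo brought up (CAP_SYS_ADMIN and CAP_NET_ADMIN both held)
 *   1  unshare(CLONE_NEWNET) refused with EPERM: no CAP_SYS_ADMIN
 *   2  netns created but SIOCSIFFLAGS on lo refused with EPERM: no CAP_NET_ADMIN,
 *      i.e. the systemd-nspawn default this bug describes (a half-built namespace)
 *  -1  any other failure, errno left for the caller */
int probe_netns_loopback(void) {
    if (unshare(CLONE_NEWNET) != 0)
        return errno == EPERM ? 1 : -1;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    struct ifreq ifr;
    memset(&ifr, 0, sizeof ifr);
    strncpy(ifr.ifr_name, "lo", IFNAMSIZ - 1);
    if (ioctl(fd, SIOCGIFFLAGS, &ifr) < 0) { close(fd); return -1; }
    ifr.ifr_flags |= IFF_UP;                 /* the call that fails inside nspawn */
    int rc = ioctl(fd, SIOCSIFFLAGS, &ifr), saved = errno;
    close(fd);                               /* close() may clobber errno; restore it below */
    if (rc < 0) { errno = saved; return saved == EPERM ? 2 : -1; }
    return 0;
}

int main(void) {
    char buf[8192]; FILE *f = fopen("/proc/self/status", "r");
    size_t n = f ? fread(buf, 1, sizeof buf - 1, f) : 0; buf[n] = '\0'; if (f) fclose(f);
    unsigned long long caps = parse_capeff(buf);
    printf("CAP_SYS_ADMIN=%d CAP_NET_ADMIN=%d\n", cap_in_mask(caps, CAP_SYS_ADMIN), cap_in_mask(caps, CAP_NET_ADMIN));
    static const char *what[] = { "lo is up in a new netns", "cannot unshare netns", "netns made but lo stays down" };
    int r = probe_netns_loopback();
    printf("probe: %s\n", r < 0 ? strerror(errno) : what[r]);
    return r < 0 ? 1 : r;
}
```

Result 2 with CAP_SYS_ADMIN=1 CAP_NET_ADMIN=0 is exactly the combination reported above; workarounds 1 and 2 flip CAP_NET_ADMIN to 1, workaround 3 avoids the probe altogether.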
so sounds like not much to be done in portage or sandbox. if you want to restrict network access and run inside the systemd tooling, you'll have to pass in the caps. we could downgrade the SIOCSIFFLAGS to a warning for eperm, but i'm not keen on letting people set up partial network namespaces. loopback is needed to run local network unittests.
(In reply to SpanKY from comment #6)
> we could downgrade the SIOCSIFFLAGS to a warning for eperm, but i'm not keen
> on letting people set up partial network namespaces. loopback is needed to
> run local network unittests.

Portage currently emits a non-fatal warning if we fail to configure the loopback interface.

Regarding network tests: sandbox should implement something like this function from Portage to avoid a problem with getaddrinfo() in the new network namespace.

https://gitweb.gentoo.org/proj/portage.git/tree/lib/portage/process.py?h=portage-3.0.28#n548