(as seen on IRC)

Kernel source is built using clang-17 and further tried to rebuild the @module-rebuild set for the Kernel

»-Wl,-z,relro« in /etc/clang/gentoo-hardened-ld.cfg from sys-devel/clang-common-17* causes nvidia-drivers to create /usr/src/linux-*/a.out file - which breaks FEATURE=usersandbox

Reproducible: Always
Please include the full build.log & emerge --info.
Created attachment 871007 emerge --info
Created attachment 871008 build.log
Created attachment 871009 sandbox.log
ftr a.out usage can be observed with just `clang -v`

without -Wl,-z,relro (commented out, or clang-common-16):

$ clang -v
clang version 17.0.1
Target: x86_64-pc-linux-gnu
Thread model: posix
InstalledDir: /usr/lib/llvm/17/bin
Configuration file: /etc/clang/x86_64-pc-linux-gnu-clang.cfg
System configuration file directory: /etc/clang
Selected GCC installation: /usr/lib/gcc/x86_64-pc-linux-gnu/13
Candidate multilib: .;@m64
Candidate multilib: 32;@m32
Selected multilib: .;@m64

with -Wl,-z,relro (or similar, -Wl,-O1 does this too):

$ clang -v
clang version 17.0.1
Target: x86_64-pc-linux-gnu
Thread model: posix
InstalledDir: /usr/lib/llvm/17/bin
Configuration file: /etc/clang/x86_64-pc-linux-gnu-clang.cfg
System configuration file directory: /etc/clang
Selected GCC installation: /usr/lib/gcc/x86_64-pc-linux-gnu/13
Candidate multilib: .;@m64
Candidate multilib: 32;@m32
Selected multilib: .;@m64
 "/usr/lib/llvm/17/bin/ld.lld" <snip> -o a.out <snip>
ld.lld: error: undefined symbol: main
>>> referenced by /usr/lib/gcc/x86_64-pc-linux-gnu/13/../../../../lib64/Scrt1.o:(_start)
clang: error: linker command failed with exit code 1 (use -v to see invocation)

And if you happen to be in a directory you cannot write to (like /usr/src/linux), it results in sandbox violations.
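A check for the condition described in the comment above, as an added example that is not part of the original thread or of any Gentoo tooling: `wl_flags` lists the `-Wl,` options a clang config file pulls in, and `v_links` tests captured `clang -v` output for a link step writing `a.out`. The function names and the sample files are constructed for illustration, and resolving `@file` includes relative to the including file's directory is an assumption.

```shell
#!/bin/sh
# Added example; function names and sample files are constructed.

# wl_flags CFG [DEPTH]: print "file: flag" for every -Wl, option in CFG and
# in the files it includes with @file. The body runs in a subshell so the
# variables stay local across the recursion.
wl_flags() (
    cfg=$1 depth=${2:-0}
    # Stop on an unreadable file or a (probable) include loop.
    [ -r "$cfg" ] && [ "$depth" -lt 8 ] || exit 0
    dir=$(dirname -- "$cfg")
    set -f                                   # no globbing while splitting
    while IFS= read -r line || [ -n "$line" ]; do
        set -- $line
        case ${1:-#} in '#'*) continue ;; esac   # blank or comment line
        for word in "$@"; do
            case $word in
                -Wl,*) printf '%s: %s\n' "$cfg" "$word" ;;
                @/*)   wl_flags "${word#@}" $((depth + 1)) ;;
                # Assumption: relative includes resolve against $dir.
                @*)    wl_flags "$dir/${word#@}" $((depth + 1)) ;;
            esac
        done
    done < "$cfg"
)

# v_links: read `clang -v` output on stdin; succeed if the driver ran a
# link step that writes the default output file a.out.
v_links() {
    grep -Eq '(^|[[:space:]])-o[[:space:]]+"?a\.out"?([[:space:]]|$)'
}

# make_sample DIR: constructed config files, named after those in the report.
make_sample() {
    mkdir -p "$1"
    printf '%s\n' '# constructed sample' '@gentoo-hardened-ld.cfg' \
        > "$1/x86_64-pc-linux-gnu-clang.cfg"
    printf '%s\n' '# constructed sample' '-Wl,-z,relro' \
        > "$1/gentoo-hardened-ld.cfg"
}

# Usage on a real system:
#   wl_flags /etc/clang/x86_64-pc-linux-gnu-clang.cfg
#   clang -v 2>&1 | v_links && echo "clang -v attempts a link"
```

Any flag reported by `wl_flags` is a candidate for the behaviour shown above, since the comment notes that `-Wl,-O1` triggers it as well.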
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6a9174554448aa4f7ec724d09b1b31d115e6063f

commit 6a9174554448aa4f7ec724d09b1b31d115e6063f
Author:     Ionen Wolkens <ionen@gentoo.org>
AuthorDate: 2023-09-20 16:12:56 +0000
Commit:     Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2023-09-20 16:30:27 +0000

    x11-drivers/nvidia-drivers: workaround clang-common-17 sandbox issue

    Most kernel modules do not seem affected and it depends on the
    tests being performed, so workaround at least here while being
    looked at.

    Issue could affect other packages if they happen to e.g. cd /
    (for some reason) and use clang in certain ways for some tests,
    but likely not a widespread problem.

    Fortunately does not actually write these a.out and can get away
    with just addpredict (kept clang-only not to shadow issues).

    Bug: https://bugs.gentoo.org/914468
    Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

 x11-drivers/nvidia-drivers/nvidia-drivers-390.157.ebuild    | 4 ++++
 x11-drivers/nvidia-drivers/nvidia-drivers-470.199.02.ebuild | 4 ++++
 x11-drivers/nvidia-drivers/nvidia-drivers-525.125.06.ebuild | 3 +++
 x11-drivers/nvidia-drivers/nvidia-drivers-535.104.05.ebuild | 3 +++
 x11-drivers/nvidia-drivers/nvidia-drivers-535.43.09.ebuild  | 3 +++
 5 files changed, 17 insertions(+)
Filed https://github.com/llvm/llvm-project/issues/67209.
*** Bug 914757 has been marked as a duplicate of this bug. ***
With >=20, we may be able to adapt our config files to use '$'. See https://github.com/llvm/llvm-project/pull/117573. (btw, mgorny, this is a use case for us having configs per version, I suppose..)