921578 – sys-apps/hwloc[nvml]: Sandbox violations when linking nvml from x11-drivers/nvidia-drivers-545.29.06 (ACCESS DENIED: chmod: /dev/nvidia-caps)

Bug 921578 - sys-apps/hwloc[nvml]: Sandbox violations when linking nvml from x11-drivers/nvidia-drivers-545.29.06 (ACCESS DENIED: chmod: /dev/nvidia-caps)

Summary: sys-apps/hwloc[nvml]: Sandbox violations when linking nvml from x11-drivers/n...

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	Current packages (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Gentoo Cluster Team

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2024-01-07 16:47 UTC by Daniel M. Weeks
Modified:	2024-01-07 18:16 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Daniel M. Weeks 2024-01-07 16:47:24 UTC

While rebuilding sys-apps/hwloc-2.9.3 (with USE=nvml) with x11-drivers/nvidia-drivers-545.29.06 I caught this sandbox exception during configure:

 * ACCESS DENIED:  chmod:              /dev/nvidia-caps
 * ACCESS DENIED:  chmod:              /dev/nvidia-caps

In the test that configure is running it's just calling nvmlInit() [1]. I manually ran the same test though strace and it indeed tries calling chmod 0755 on that directory twice. (This is the current mode; it appears nvml is attempting to create the directory with try-ignore semantics.)

I looked back over my log and I last built sys-apps/hwloc-2.9.3 successfully against x11-drivers/nvidia-drivers-535.113.01 so this looks like a new behavior in nvml (nvidia-drivers).

I'm not sure whether the sandbox rule needs to be adjusted in nvidia-drivers-545.29.06 in /etc/sandbox.d/20nvidia or this is specifically a build-time adjustment that's missing from sys-apps/hwloc to work with newer drivers. I have to suspect other packages linking nvml will be affected since it appears to be a change in nvidia-drivers. To me, the note in nvidia-drivers ebuild about sandbox issues does not make it clear where this should be corrected [2].

[1] https://github.com/open-mpi/hwloc/blob/8b82269e321e44379b6e100d3b903401ed64d8a9/config/hwloc.m4#L1192
[2] https://github.com/gentoo/gentoo/blob/61a14f9fa9079f7ff6bb6a24f024ff6aaa30db85/x11-drivers/nvidia-drivers/nvidia-drivers-545.29.06.ebuild#L411

Reproducible: Always

Comment 1 Ionen Wolkens gentoo-dev

2024-01-07 18:09:32 UTC

Can reproduce and addpredict seems to be enough, guess I could add it directly to nvidia-drivers since it's new.

Do note that this still leaves hwloc[nvml] with:

    checking whether a program linked with -lnvidia-ml can run... no

Haven't checked if this worked before and/or if it has any impact on the end result. Beside that it's still detected fine.

Comment 2 Larry the Git Cow gentoo-dev

2024-01-07 18:16:55 UTC

The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c093eafea3da66f98b84d2754e6f293eba585815

commit c093eafea3da66f98b84d2754e6f293eba585815
Author:     Ionen Wolkens <ionen@gentoo.org>
AuthorDate: 2024-01-07 18:11:14 +0000
Commit:     Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2024-01-07 18:15:11 +0000

    x11-drivers/nvidia-drivers: add /dev/nvidia-caps to sandbox predict
    
    Only needed for 545 branch and above for packages using nvml.
    
    Likely only needed when they attempt to use it rather than just
    link with it, so this may be specific to hwloc's tests. But given
    it's new and scope is uncertain, let's add it here rather than
    hwloc itself.
    
    Closes: https://bugs.gentoo.org/921578
    Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

 ...-drivers-545.29.06.ebuild => nvidia-drivers-545.29.06-r1.ebuild} | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)