943012 – dev-libs/thrift-0.20.0 on RAP: cmake finds java outside of prefix and trigger sandbox violation

Bug 943012 - dev-libs/thrift-0.20.0 on RAP: cmake finds java outside of prefix and trigger sandbox violation

Summary: dev-libs/thrift-0.20.0 on RAP: cmake finds java outside of prefix and trigger...

Status:	UNCONFIRMED

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	Current packages (show other bugs)
Hardware:	All Linux

Importance:	Normal minor
Assignee:	Patrick McLean

URL:
Whiteboard:
Keywords:	PullRequest

Depends on:
Blocks:

Reported:	2024-11-08 07:08 UTC by Yiyang Wu
Modified:	2025-03-10 00:22 UTC (History)
CC List:	2 users (show)

See Also:	https://github.com/gentoo/gentoo/pull/40903
Package list:
Runtime testing required:	---

Attachments
emerge --info output (emerge-info.txt,6.46 KB, text/plain) 2024-11-08 07:09 UTC, Yiyang Wu	Details
build.log (build.log,8.02 KB, text/x-log) 2024-11-08 07:09 UTC, Yiyang Wu	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Yiyang Wu 2024-11-08 07:08:40 UTC

On Gentoo Prefix, I noticed dev-libs/thrift src_configure sandbox violation. This is because it has `option(WITH_JAVA "Build Java Thrift library" ON)` and cmake tries to find java to determine whether java exists.

On Gentoo Prefix, the host system may have /usr/bin/java but the prefix does not. Then cmake finds and executes /usr/bin/java --version, resulting in sandbox violation:

 * ----------------------- SANDBOX ACCESS VIOLATION SUMMARY -----------------------
 * LOG FILE: "/fast/portage/dev-libs/thrift-0.20.0/temp/sandbox.log"
 * 
VERSION 1.0
FORMAT: F - Function called
FORMAT: S - Access Status
FORMAT: P - Path as passed to function
FORMAT: A - Absolute Path (not canonical)
FORMAT: R - Canonical Path
FORMAT: C - Command Line

F: fopen_wr
S: deny
P: /proc/self/coredump_filter
A: /proc/self/coredump_filter
R: /proc/1381438/coredump_filter
C: /usr/bin/java -version 

F: fopen_wr
S: deny
P: /proc/self/coredump_filter
A: /proc/self/coredump_filter
R: /proc/1381438/coredump_filter
C: /usr/bin/java -version 
 * --------------------------------------------------------------------------------

Comment 1 Yiyang Wu 2024-11-08 07:09:32 UTC

Created attachment 908124 [details]
emerge --info output

Comment 2 Yiyang Wu 2024-11-08 07:09:44 UTC

Created attachment 908125 [details]
build.log

Comment 3 Larry the Git Cow gentoo-dev

2025-03-10 00:22:58 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d9e15a75e6f60417f941868ae1761ab70a1116b2

commit d9e15a75e6f60417f941868ae1761ab70a1116b2
Author:     Alfred Wingate <parona@protonmail.com>
AuthorDate: 2025-03-05 01:23:28 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2025-03-10 00:21:10 +0000

    dev-libs/thrift: add 0.21.0
    
    * Use github tarball over missing test files.
    * Drop test patches and use CMAKE_SKIP_TESTS instead.
    * Comprehensily set cmakeargs and use WITH_OPTION over BUILD_OPTION to
      stop cmake looking for the dependencies despite the feature being disabled.
    
    Bug: https://bugs.gentoo.org/943012
    Bug: https://bugs.gentoo.org/938100
    Bug: https://bugs.gentoo.org/949634
    Signed-off-by: Alfred Wingate <parona@protonmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/40903
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/thrift/Manifest                           |  1 +
 .../thrift/files/thrift-0.21.0-gcc15-cstdint.patch | 52 +++++++++++++++
 dev-libs/thrift/thrift-0.21.0.ebuild               | 73 ++++++++++++++++++++++
 3 files changed, 126 insertions(+)