Bug 712588

Summary: =games-simulation/firestorm-bin-6.3.2-r2::lmiphay ebuild causes media-video/mpv::gentoo to fail with sandbox violation
Product: Gentoo Linux Reporter: Sophie Hamilton <gentoo-bugs>
Component: Overlays Assignee: Paul Healy <lmiphay>
Status: RESOLVED WORKSFORME    
Severity: normal CC: jstein
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: build.log for media-video/mpv::gentoo

Description Sophie Hamilton 2020-03-14 23:09:12 UTC
=games-simulation/firestorm-bin-6.3.2-r2::lmiphay recently had the following lines added to its ebuild:

>     # a hardwired fallback font in LLWindowSDL::getDynamicFallbackFontList
>     mkdir -p "${D}/usr/share/fonts/truetype/kochi/"
>     dosym /usr/share/fonts/kochi-substitute/kochi-gothic-subst.ttf \
>           /usr/share/fonts/truetype/kochi/kochi-gothic.ttf

This ebuild itself installs successfully, but causes media-video/mpv::gentoo to error out while emerging with a sandbox violation. I don't know why exactly as I couldn't find the sandbox.log file at the location cited in the error, but it seems to be due to trying to create a temporary file at the location of the symlink. I'll attach the build.log of the mpv install.

It's possible that this is a bug in Gentoo which just hasn't come to light before, but I figured I'd file it first as an overlay bug as I don't know exactly where to start.

Reproducible: Didn't try

Steps to Reproduce:
1. emerge -av =games-simulation/firestorm-bin-6.3.2-r2::lmiphay
2. emerge -av media/video::gentoo

Actual Results:  
The mpv merge fails with a sandbox violation.

Expected Results:  
The mpv merge should have succeeded.

home ~ # emerge -p1v mpv

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild     U  ] media-video/mpv-0.31.0-r1::gentoo [0.31.0::gentoo] USE="X alsa bluray cdda cli doc dvb dvd egl iconv jpeg libass libmpv lua opengl rubberband uchardet vdpau vulkan xv zlib (-aqua) -archive (-coreaudio) -cplugins (-cuda) -debug -drm -gamepad -gbm -jack -javascript -lcms -libcaca -luajit -openal -oss -pulseaudio (-raspberry-pi) -samba -sdl (-selinux) -test -tools -vaapi -wayland -zimg" PYTHON_TARGETS="python3_6 -python3_7" 0 KiB

Total: 1 package (1 upgrade), Size of downloads: 0 KiB

---

home ~ # emerge --info firestorm-bin mpv
Portage 2.3.89 (python 3.6.10-final-0, default/linux/amd64/17.0, gcc-9.2.0, glibc-2.29-r7, 4.19.66-gentoo x86_64)
=================================================================
                         System Settings
=================================================================
System uname: Linux-4.19.66-gentoo-x86_64-Intel-R-_Core-TM-_i7-5820K_CPU_@_3.30GHz-with-gentoo-2.6
KiB Mem:    32913724 total,   5330432 free
KiB Swap:    8191996 total,   6311088 free
Timestamp of repository gentoo: Sat, 14 Mar 2020 00:45:01 +0000
sh bash 4.4_p23-r1
ld GNU ld (Gentoo 2.32 p2) 2.32.0
ccache version 3.7.7 [disabled]
app-shells/bash:          4.4_p23-r1::gentoo
dev-java/java-config:     2.2.0-r4::gentoo
dev-lang/perl:            5.30.1::gentoo
dev-lang/python:          2.7.17-r1::gentoo, 3.6.10::gentoo, 3.7.6::gentoo
dev-util/ccache:          3.7.7::gentoo
dev-util/cmake:           3.14.6::gentoo
dev-util/pkgconfig:       0.29.2::gentoo
sys-apps/baselayout:      2.6-r1::gentoo
sys-apps/openrc:          0.42.1::gentoo
sys-apps/sandbox:         2.13::gentoo
sys-devel/autoconf:       2.13-r1::gentoo, 2.69-r4::gentoo
sys-devel/automake:       1.11.6-r3::gentoo, 1.13.4-r2::gentoo, 1.15.1-r2::gentoo, 1.16.1-r1::gentoo
sys-devel/binutils:       2.32-r1::gentoo, 2.33.1-r1::gentoo
sys-devel/gcc:            6.5.0-r1::gentoo, 8.3.0-r3::gentoo, 9.2.0-r2::gentoo
sys-devel/gcc-config:     2.2.1::gentoo
sys-devel/libtool:        2.4.6-r6::gentoo
sys-devel/make:           4.2.1-r4::gentoo
sys-kernel/linux-headers: 4.19::gentoo (virtual/os-headers)
sys-libs/glibc:           2.29-r7::gentoo
Repositories:

gentoo
    location: /usr/portage
    sync-type: webrsync
    sync-uri: rsync://rsync.gentoo.org/gentoo-portage
    priority: -1000
    sync-webrsync-verify-signature: true

sph-local
    location: /opt/portage-overlay
    masters: gentoo
    priority: 0

abendbrot
    location: /var/lib/layman/abendbrot
    masters: gentoo
    priority: 50

anomen
    location: /var/lib/layman/anomen
    masters: gentoo
    priority: 50

gambas-overlay
    location: /var/lib/layman/gambas-overlay
    masters: gentoo
    priority: 50

jorgicio
    location: /var/lib/layman/jorgicio
    masters: gentoo
    priority: 50

lmiphay
    location: /var/lib/layman/lmiphay
    masters: gentoo
    priority: 50

netfab-overlay
    location: /var/lib/layman/netfab-overlay
    masters: gentoo
    priority: 50

palemoon
    location: /var/lib/layman/palemoon
    masters: gentoo
    priority: 50

pentoo
    location: /var/lib/layman/pentoo
    masters: gentoo
    priority: 50

roslin
    location: /var/lib/layman/roslin
    masters: gentoo
    priority: 50

stuff
    location: /var/lib/layman/stuff
    masters: gentoo
    priority: 50

vapoursynth
    location: /var/lib/layman/vapoursynth
    masters: gentoo
    priority: 50

wine
    location: /var/lib/layman/wine
    masters: gentoo
    priority: 50

x11
    location: /var/lib/layman/x11
    masters: gentoo
    priority: 50

ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="@FREE"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/lib64/avfs/extfs /usr/share/gnupg/qualified.txt /var/bind"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-march=native -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--ask-enter-invalid --autounmask-keep-masks y"
ENV_UNSET="DBUS_SESSION_BUS_ADDRESS DISPLAY GOBIN PERL5LIB PERL5OPT PERLPREFIX PERL_CORE PERL_MB_OPT PERL_MM_OPT XAUTHORITY XDG_CACHE_HOME XDG_CONFIG_HOME XDG_DATA_HOME XDG_RUNTIME_DIR"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-docompress binpkg-dostrip binpkg-logs distlocks ebuild-locks fixlafiles ipc-sandbox merge-sync multilib-strict network-sandbox news parallel-fetch pid-sandbox preserve-libs protect-owned qa-unresolved-soname-deps sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="https://ftp-stud.hs-esslingen.de/pub/Mirrors/gentoo/"
LANG="en_GB.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="en en-GB"
MAKEOPTS="-j13"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
USE="X a52 aac aacplus acl acpi alsa amd64 amr berkdb bluray bzip2 cairo cdda cddb cdio cdparanoia cli crypt cups cxx dbus dri dts dvd flac fluidsynth fontconfig fortran gdbm gpm gtk ibus iconv icu ipv6 jpeg libnotify libtirpc lzma mad mmx modplug mp3 mtp multilib ncurses nls nptl ogg opengl openmp pam pcre png qt3support qt5 readline seccomp sound split-usr sse sse2 ssl startup-notification svg tcl tcpd theora tk truetype unicode v4l vdpau vim-syntax vorbis vulkan xattr xv xvmc zlib" ABI_X86="64" ADA_TARGET="gnat_2018" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="karbon sheets words" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="mmx mmxext sse sse2 aes avx avx2 f16c fma3 pclmul popcnt sse3 sse4_1 sse4_2 ssse3" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock greis isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="libinput keyboard mouse" KERNEL="linux" L10N="en en-GB" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php7-2" POSTGRES_TARGETS="postgres10 postgres11" PYTHON_SINGLE_TARGET="python3_6" 
PYTHON_TARGETS="python2_7 python3_6" QEMU_SOFTMMU_TARGETS="x86_64 arm i386 mips mipsel ppc sparc" QEMU_USER_TARGETS="aarch64 alpha arm i386 m68k mips mipsel ppc sparc x86_64" RUBY_TARGETS="ruby24 ruby25" USERLAND="GNU" VIDEO_CARDS="nouveau amdgpu radeonsi" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CC, CPPFLAGS, CTARGET, CXX, INSTALL_MASK, LC_ALL, PORTAGE_BINHOST, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

=================================================================
                        Package Settings
=================================================================

games-simulation/firestorm-bin-6.3.2-r2::lmiphay was built with the following:
USE="" ABI_X86="(64)"
FEATURES="assume-digests binpkg-docompress binpkg-dostrip binpkg-logs distlocks ebuild-locks fixlafiles ipc-sandbox merge-sync multilib-strict network-sandbox news parallel-fetch pid-sandbox preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"


media-video/mpv-0.31.0::gentoo was built with the following:
USE="X alsa bluray cdda cli doc dvb dvd egl iconv jpeg libass libmpv lua opengl rubberband uchardet vdpau vulkan xv zlib (-aqua) -archive (-coreaudio) -cplugins (-cuda) -debug -drm -gamepad -gbm -jack -javascript -lcms -libcaca -luajit -openal -oss -pulseaudio (-raspberry-pi) -samba -sdl (-selinux) -test -tools -vaapi -wayland -zimg" ABI_X86="(64)" PYTHON_TARGETS="python3_6 -python3_7"
FEATURES="unknown-features-warn binpkg-logs sandbox pid-sandbox multilib-strict news unmerge-logs distlocks usersync protect-owned unmerge-orphans userpriv ipc-sandbox strict assume-digests binpkg-docompress preserve-libs merge-sync usersandbox parallel-fetch userfetch sfperms binpkg-dostrip network-sandbox fixlafiles xattr ebuild-locks"
Comment 1 Sophie Hamilton 2020-03-14 23:19:00 UTC
Created attachment 619278
build.log for media-video/mpv::gentoo
Comment 2 Sophie Hamilton 2020-03-15 06:41:04 UTC
Sorry, I must have been tired when filing this bug. Obviously step 2 in my steps to reproduce is wrong. The steps to reproduce are:

Steps to Reproduce:
1. emerge -av =games-simulation/firestorm-bin-6.3.2-r2::lmiphay
2. emerge -av media-video/mpv::gentoo
Comment 3 Paul Healy 2020-03-18 18:39:09 UTC
Hi,

I can't reproduce this here - installing mpv-0.31.0-r1 with firestorm-bin-6.3.2-r2 already installed works as expected.

Also uninstalling firestorm-bin, reinstalling it, and immediately installing mpv also works as expected.

fc-list isn't present in the mpv tarball, nor in any eclass in /usr/portage/eclass - do you have anything relevant in /etc/portage/bashrc, or is fc-list mentioned anywhere under /etc/portage? ( grep -r fc-list /etc/portage/ )

Thanks,

Paul
Comment 4 Sophie Hamilton 2020-03-18 20:58:46 UTC
I don't even *have* a /etc/portage/bashrc, and "grep -r fc-list /etc/portage" turns up nothing. (looking for "fc-" turns up some unrelated matches in /etc/portage/savedconfig/sys-kernel/linux-firmware-20200302, matching filenames like "s5p-mfc-v6.fw", but nothing else).

I tried compiling with MAKEOPTS="-j1" in order to see which step was actually triggering the sandbox violation. It turns out to be this step:

> [429/430] Compiling DOCS/man/mpv.rst
> 20:01:50 runner ' /usr/bin/rst2pdf -c -b 1 --repeat-table-rows ../DOCS/man/mpv.rst -o DOCS/man/mpv.pdf '
>  * ACCESS DENIED:  mkostemp:     /usr/share/fonts/truetype/.uuid.TMP-XXXXXX
>  * ACCESS DENIED:  mkostemp:     /usr/share/fonts/truetype/kochi/.uuid.TMP-XXXXXX

This would explain why there are no matches - because it's not a Portage thing, but something triggered by rst2pdf. After some investigation, it looks like rst2pdf (a Python application) uses the matplotlib library, which is what is actually calling fc-list and causing the error.

Judging from these results, I imagine the 'bug', such as it is, lies somewhere in fc-list itself. I don't understand why you're not getting the same problem, though. I wonder if fc-list is making some sort of cache somewhere, and you already have that cache and so aren't seeing this error?

I'll try doing this on a new Gentoo chroot and report back on whether this still happens. If so, that's probably the best way to see it in action.
Comment 5 Paul Healy 2020-03-19 19:55:05 UTC
We are still missing something.

I didn't have rst2pdf installed. I installed it, and merging mpv still works as expected here (no sandbox violation).

I then added the extra sandbox features you have in FEATURES and mpv still installs as expected (I added "ipc-sandbox sandbox usersandbox" - some of these are enabled by default). 

Finally using exactly your FEATURE settings also allows mpv to be installed.

Other ideas welcome...

Paul
Comment 6 Sophie Hamilton 2020-03-19 20:47:05 UTC
Oh, that's valuable information - if you didn't have rst2pdf installed then that would suggest you don't have the "doc" USE flag for media-video/mpv enabled, and I do. Give that a go? I'll try it on my chroot as well. (It installed fine on the chroot, but I didn't have the doc USE flag enabled. I'll let you know what happens.)
Comment 7 Sophie Hamilton 2020-03-19 20:51:01 UTC
Okay, I tried enabling the "doc" USE flag for media-video/mpv in my fresh chroot, but it still successfully installed. Hmm. Something doesn't add up here.
Comment 8 Paul Healy 2020-03-19 21:10:43 UTC
I didn't have doc use flag on - I enabled that, and I am still able to install mpv.

Also confirmed that rst2pdf is called as part of the build:

[211/213] Compiling DOCS/man/mpv.rst
21:06:14 runner ' /usr/bin/rst2html.py ../DOCS/man/mpv.rst DOCS/man/mpv.html '
[212/213] Compiling DOCS/man/mpv.rst
21:06:16 runner ' /usr/bin/rst2man.py --strip-elements-with-class=contents ../DOCS/man/mpv.rst DOCS/man/mpv.1 '
[213/213] Compiling DOCS/man/mpv.rst
21:06:18 runner ' /usr/bin/rst2pdf -c -b 1 --repeat-table-rows ../DOCS/man/mpv.rst -o DOCS/man/mpv.pdf '
Comment 9 Sophie Hamilton 2020-03-20 08:18:44 UTC
So I copied my make.conf, package.accept_keywords, package.license and package.use wholesale from my host system into the chroot, and no matter what I do, I couldn't reproduce the sandbox violation error in the chroot.

Going off of my idea that this might be a fontconfig cache issue, I first tried using "fc-cache -rfv" to reconstruct the fontconfig cache in the chroot, and that didn't change anything.

Then I wondered if this might be a problem with *my* fontconfig cache somehow, so I took a backup of my /var/cache/fontconfig directory and ran "fc-cache -rfv" on the host. This ended up resolving the issue, and I can now emerge mpv successfully.

I'm not altogether sure how my fontconfig cache got into a state where it needed reconstruction like this, but it appears to have done the trick. It seems like Portage should take care of something like that though. Is there a way you can signal in the ebuild that Portage should update the fontconfig cache after emerging firestorm-bin?

In any case, thanks for your help in diagnosing! I'm not sure what you'd like me to do with this bug, but I do still have my backup fontconfig cache directory if we need to investigate this more.
Comment 10 Sophie Hamilton 2020-03-20 08:27:40 UTC
Okay, I investigated a little and it looks like the easiest way to solve this is by including "inherit font" in the ebuild. The font eclass rebuilds the cache in font_pkg_postinst unconditionally, so I believe this should be all you need to do.
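
Added example, not part of the thread and not Portage's or the overlay's own code: a shell triage helper that pulls sandbox denials out of a saved build.log and lists the font directories where a `.uuid.TMP-XXXXXX` temporary file was refused, as in the log lines from comment 4. The function names and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage sandbox denials in a Portage build.log.
# Function names and the sample log are constructed for illustration.

# Print "call<TAB>path" for every sandbox denial in the log on stdin.
sandbox_denials() {
    esc=$(printf '\033')
    # Strip ANSI colour codes that may be present in saved logs.
    sed "s/${esc}\[[0-9;]*m//g" |
    awk '/ACCESS DENIED:/ {
        sub(/^.*ACCESS DENIED:[ \t]*/, "")   # drop the " * ACCESS DENIED:" prefix
        call = $1; sub(/:$/, "", call)       # "mkostemp:" -> "mkostemp"
        sub(/^[^ \t]+[ \t]+/, "")            # the rest of the line is the path
        print call "\t" $0
    }'
}

# Print each directory in which a ".uuid.TMP-XXXXXX" temporary file was
# refused, one per line, sorted and de-duplicated.
fontconfig_uuid_dirs() {
    sandbox_denials | awk -F '\t' '
        $2 ~ "/\\.uuid\\.TMP-[^/]*$" {
            dir = $2; sub("/[^/]*$", "", dir); print dir
        }' | sort -u
}

# Summarise a log file: list the affected directories and point at the
# cache rebuild that resolved this report. Returns 1 if nothing matched.
triage_log() {
    dirs=$(fontconfig_uuid_dirs < "$1")
    [ -n "$dirs" ] || { echo "no .uuid.TMP denials in $1"; return 1; }
    echo "sandbox refused .uuid.TMP files under these font directories:"
    echo "$dirs" | sed 's/^/  /'
    echo "check the fontconfig cache outside the sandbox, e.g.: fc-cache -rfv"
}

# Constructed sample: the two mkostemp lines are from comment 4; the
# open_wr line is made up to show that unrelated denials are ignored.
sample_log() {
    cat <<'EOF'
[429/430] Compiling DOCS/man/mpv.rst
 * ACCESS DENIED:  mkostemp:     /usr/share/fonts/truetype/.uuid.TMP-XXXXXX
 * ACCESS DENIED:  mkostemp:     /usr/share/fonts/truetype/kochi/.uuid.TMP-XXXXXX
 * ACCESS DENIED:  open_wr:      /var/lib/example/constructed.db
EOF
}

# Run against a real log when a path is given: sh triage.sh build.log
if [ -n "${1:-}" ]; then triage_log "$1"; fi
```
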
Comment 11 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2020-04-01 10:11:36 UTC
mpv is irrelevant, firestorm-bin does not handle global fontcache properly.
Comment 12 Sophie Hamilton 2020-04-01 12:04:19 UTC
mpv was incidental as it turned out, yes, but I had filed this bug against the ebuild in the 'lmiphay' repository, using the Overlays component to do so. My suggestion to do 'inherit font' to rebuild the font cache after merge was intended for the firestorm-bin ebuild, not mpv.

As far as I know there isn't another place for me to file bugs against the 'lmiphay' repository, and I thought this was the correct place to do so in that case. Should I file another bug without mentioning mpv this time, now that we know the cause? If not, what can/should I do?
Comment 13 Paul Healy 2020-04-05 18:24:47 UTC
So I tried & failed to recreate this both with:

1.
emerge -C =firestorm-bin-6.3.2-r2
fc-cache -rfv
emerge =firestorm-bin-6.3.2-r2
emerge mpv

and

2.
emerge -C =firestorm-bin-6.3.2-r2
cd /var/cache && mv fontconfig fontconfig.orig && mkdir fontconfig
fc-cache -rfv
emerge =firestorm-bin-6.3.2-r2
emerge mpv

In both cases mpv built and installed without a sandbox violation.

Since it seems reasonable and doesn't appear to break anything else, I have added an inherit font to rev -3 and pushed that as: https://cgit.gentoo.org/user/lmiphay.git/commit/?id=99c0de2ebab9a047a2ed2d499b4c0335a533d8f6

Confirm that you see as part of the merge output: "* Updating global fontcache ..."

Thanks!

Paul