Bug 84690

Summary:	Sandbox enabled in HEAD during pkg_setup() when it should be off.
Product:	Portage Development	Reporter:	Alec Warner (RETIRED) <antarus>
Component:	Core	Assignee:	Portage team <dev-portage>
Status:	RESOLVED INVALID
Severity:	normal
Priority:	High
Version:	2.2
Hardware:	All
OS:	All
Whiteboard:
Package list:		Runtime testing required:	---
Attachments:	This is my test ebuild

Description Alec Warner (RETIRED) archtester

2005-03-09 17:40:01 UTC

kyoto tmp # emerge games-mud/crystal
Calculating dependencies ...done!
>>> emerge (1 of 1) games-mud/crystal-0.2.1 to /
cleansing builddir/var/tmp/portage/crystal-0.2.1
>>> md5 src_uri ;-) crystal-0.2.1.tar.gz
creating temp dir
/usr/lib/libsandbox.so
SANDBOX_LIB=/usr/lib/libsandbox.so
SANDBOX_WRITE=/dev/zero:/dev/fd/:/dev/null:/dev/pts/:/dev/vc/:/dev/tty:/tmp/:/dev/shm/ngpt:/var/log/scrollkeeper.log:/usr/tmp/conftest:/usr/lib/conftest:/usr/lib32/conftest:/usr/lib64/conftest:/usr/tmp/cf:/usr/lib/cf:/usr/lib32/cf:/usr/lib64/cf:/tmp/.gconfd/lock:/tmp/.bash_history::/tmp:/var/tmp:/tmp/:/var/tmp/:/tmp/sandbox-10267.log:/dev/shm:/var/tmp:/tmp/sandbox-10267.log:/var/log/portage/2267-crystal-0.2.1.log
SANDBOX_DEBUG=1
SANDBOX_PREDICT=/tmp/.:/usr/lib/python2.0/:/usr/lib/python2.1/:/usr/lib/python2.2/:/usr/lib/python2.3/:/usr/lib/python2.4/:/usr/lib/python2.5/:/usr/lib/python3.0/::/proc/self/maps:/dev/console:/usr/lib/portage/pym:/dev/random
SANDBOX_DENY=/etc/ld.so.preload
SANDBOX_DIR=/usr/lib/portage/bin/
SANDBOX_ACTIVE=armedandready
SANDBOX_ON=0
SANDBOX_LOG=/tmp/sandbox-10267.log
SANDBOX_DISABLED=0
SANDBOX_READ=/bin:/:/dev/shm:/var/tmp:/dev/urandom:/dev/random:/usr/lib/portage/bin/
SANDBOX_DEBUG_LOG=/tmp/sandbox-debug-.log
ACCESS DENIED  open_wr:   /etc/passwd.28768

usermod: unable to lock password file
sandbox exists- /tmp/sandbox-10267.log
--------------------------- ACCESS VIOLATION SUMMARY ---------------------------
LOG FILE = "/tmp/sandbox-10267.log"

open_wr: /etc/passwd.28768
--------------------------------------------------------------------------------
SANDBOX_ON:=1
SANDBOX_DISABLED:=0
SANDBOX_READ:=/:/dev/shm:/var/tmp
SANDBOX_WRITE:=/dev/zero:/dev/fd/:/dev/null:/dev/pts/:/dev/vc/:/dev/tty:/tmp/:/dev/shm/ngpt:/var/log/scrollkeeper.log:/usr/tmp/conftest:/usr/lib/conftest:/usr/lib32/conftest:/usr/lib64/conftest:/usr/tmp/cf:/usr/lib/cf:/usr/lib32/cf:/usr/lib64/cf:/tmp/.gconfd/lock:/tmp/.bash_history::/tmp:/var/tmp:/tmp/:/var/tmp/:/tmp/sandbox-10267.log:/dev/shm:/var/tmp:/tmp/sandbox-10267.log:/var/log/portage/2267-crystal-0.2.1.log
SANDBOX_PREDICT:=/tmp/.:/usr/lib/python2.0/:/usr/lib/python2.1/:/usr/lib/python2.2/:/usr/lib/python2.3/:/usr/lib/python2.4/:/usr/lib/python2.5/:/usr/lib/python3.0/::/proc/self/maps:/dev/console:/usr/lib/portage/pym:/dev/random
SANDBOX_DEBUG:=1
SANDBOX_DEBUG_LOG:=/tmp/sandbox-debug-.log
SANDBOX_LOG:=/tmp/sandbox-10267.log
SANDBOX_ARMED:=unset
phases failed

Accordingn to people ( carpaski? ) pkg_setup() shouldn't have sandbox enabled.  However the usermod that is attempted is in games.eclass in games_pkg_setup()

Comment 1 Alec Warner (RETIRED) archtester

2005-03-09 17:41:33 UTC

See bug 84146

Comment 2 Alec Warner (RETIRED) archtester

2005-03-09 19:00:32 UTC

Created attachment 53048 [details]
This is my test ebuild

root@kyoto test # emerge test
Calculating dependencies ...done!
>>> emerge (1 of 1) sys-apps/test-1.0 to /
cleansing builddir/var/tmp/portage/test-1.0
creating temp dir
/usr/lib/libsandbox.so
SANDBOX_LIB=/usr/lib/libsandbox.so
SANDBOX_WRITE=/dev/zero:/dev/fd/:/dev/null:/dev/pts/:/dev/vc/:/dev/tty:/tmp/:/dev/shm/ngpt:/var/log/scrollkeeper.log:/usr/tmp/conftest:/usr/lib/conftest:/usr/lib32/conftest:/usr/lib64/conftest:/usr/tmp/cf:/usr/lib/cf:/usr/lib32/cf:/usr/lib64/cf:/tmp/.gconfd/lock:/tmp/.bash_history::/tmp:/var/tmp:/tmp/:/var/tmp/:/tmp/sandbox-29940.log:/dev/shm:/var/tmp:/tmp/sandbox-29940.log:/var/log/portage/2268-test-1.0.log

SANDBOX_DEBUG=1
SANDBOX_PREDICT=/tmp/.:/usr/lib/python2.0/:/usr/lib/python2.1/:/usr/lib/python2.2/:/usr/lib/python2.3/:/usr/lib/python2.4/:/usr/lib/python2.5/:/usr/lib/python3.

0/::/proc/self/maps:/dev/console:/usr/lib/portage/pym:/dev/random
SANDBOX_DENY=/etc/ld.so.preload
SANDBOX_DIR=/usr/lib/portage/bin/
SANDBOX_ACTIVE=armedandready
SANDBOX_ON=0
SANDBOX_LOG=/tmp/sandbox-29940.log
SANDBOX_DISABLED=0
SANDBOX_READ=/bin:/:/dev/shm:/var/tmp:/dev/urandom:/dev/random:/usr/lib/portage/bin/

SANDBOX_DEBUG_LOG=/tmp/sandbox-debug-.log
ACCESS DENIED  open_wr:   /etc/passwd.15681
useradd: unable to lock password file
sandbox exists- /tmp/sandbox-29940.log
--------------------------- ACCESS VIOLATION SUMMARY
---------------------------
LOG FILE = "/tmp/sandbox-29940.log"

open_wr: /etc/passwd.15681
--------------------------------------------------------------------------------

SANDBOX_ON:=1
SANDBOX_DISABLED:=0
SANDBOX_READ:=/:/dev/shm:/var/tmp
SANDBOX_WRITE:=/dev/zero:/dev/fd/:/dev/null:/dev/pts/:/dev/vc/:/dev/tty:/tmp/:/dev/shm/ngpt:/var/log/scrollkeeper.log:/usr/tmp/conftest:/usr/lib/conftest:/usr/lib32/conftest:/usr/lib64/conftest:/usr/tmp/cf:/usr/lib/cf:/usr/lib32/cf:/usr/lib64/cf:/tmp/.gconfd/lock:/tmp/.bash_history::/tmp:/var/tmp:/tmp/:/var/tmp/:/tmp/sandbox-29940.log:/dev/shm:/var/tmp:/tmp/sandbox-29940.log:/var/log/portage/2268-test-1.0.log

SANDBOX_PREDICT:=/tmp/.:/usr/lib/python2.0/:/usr/lib/python2.1/:/usr/lib/python2.2/:/usr/lib/python2.3/:/usr/lib/python2.4/:/usr/lib/python2.5/:/usr/lib/python3.0/::/proc/self/maps:/dev/console:/usr/lib/portage/pym:/dev/random

SANDBOX_DEBUG:=1
SANDBOX_DEBUG_LOG:=/tmp/sandbox-debug-.log
SANDBOX_LOG:=/tmp/sandbox-29940.log
SANDBOX_ARMED:=unset
phases failed

A better example + emerge info

root@kyoto test # emerge info
Portage 1.578-cvs (default-linux/x86/2004.3, gcc-3.3.5,
glibc-2.3.4.20040808-r1, 2.6.10-hardened-r3 i686)
=================================================================
System uname: 2.6.10-hardened-r3 i686 AMD Athlon(tm) XP 1800+
Gentoo Base System version 1.4.16
Python: 	     dev-lang/python-2.3.4-r1 [2.3.4 (#1, Mar  5 2005,
02:36:29)]
distcc: No such file or directory [disabled]
ccache: No such file or directory [enabled]
dev-lang/python:     2.3.4-r1
sys-devel/autoconf:  2.13, 2.59-r6
sys-devel/automake:  1.8.5-r3, 1.5, 1.7.9-r1, 1.6.3, 1.4_p6, 1.9.4
sys-devel/binutils:  2.15.92.0.2-r1
sys-devel/libtool:   1.5.10-r4
virtual/os-headers:  2.6.8.1-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="no"
CFLAGS="-mcpu=athlon-xp -march=athlon-xp -O3 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3.4/env
/usr/kde/3.4/share/config /usr/kde/3.4/shutdown /usr/kde/3/share/config
/usr/lib/X11/xkb /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-mcpu=athlon-xp -march=athlon-xp -O3 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs autoconfig buildpkg ccache confcache digest distlocks
parallel-fetch sandbox sfperms userpriv usersandbox"
GENTOO_MIRRORS="http://gentoo.chem.wisc.edu/gentoo
ftp://gentoo.chem.wisc.org/gentoo"
MAKEOPTS="-j2"
PKGDIR="/home/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.namerica.gentoo.org/gentoo-portage"
USE="x86 3dnow X acpi alsa apm arts avi bash-completion berkdb bitmap-fonts bmp
canna caps cdr cjk crypt curl dvd dvdr dvdread emboss encode esd ethereal f77
fam font-server foomaticdb fortran gdbm gif gpm gtk gtk2 imagemagick imap imlib
ipv6 jpeg kde libg++ libwww lm_sensors mad maildir matroska mikmod mmx mono
motif mp3 mpeg mysql ncurses nis nls nptl offensive oggvorbis openal opengl pam
pdflib perl png posix python qt quicktime readline real sdl spell sse ssl svg
svga tcltk tcpd threads tiff truetype truetype-fonts type1-fonts wxwindows xml
xml2 xmms xv zlib"
Unset:	ASFLAGS, CBUILD, CTARGET, LANG, LC_ALL, LDFLAGS

Comment 3 Jason Stubbs (RETIRED) gentoo-dev

2005-03-10 02:42:09 UTC

Brian is working on getting all phases working under sandbox. As you can see it's not ready yet, but the general case works fine.