Created attachment 248990 [details]
build.log

Created attachment 248991 [details]
emerge -pqv =dev-libs/nss-3.12.7

Created attachment 248993 [details]
emerge -pqv =dev-libs/nss-3.12.7

Created attachment 248994 [details]
environment

Confirming with nss 3.12.8_rc and sandbox 2.3-r1.

Same for nss-3.12.8 on ~x86 hardened.


# emerge --info
Portage 2.1.9.13 (hardened/linux/x86/10.0, gcc-4.4.4, glibc-2.12.1-r1, 2.6.35.7 i686)
=================================================================
System uname: Linux-2.6.35.7-i686-Intel-R-_Pentium-R-_4_CPU_2.80GHz-with-gentoo-2.0.1
Timestamp of tree: Mon, 04 Oct 2010 19:00:01 +0000
app-shells/bash:     4.1_p7
dev-java/java-config: 2.1.11
dev-lang/python:     2.6.5-r3, 3.1.2-r4
dev-util/cmake:      2.8.1-r2
sys-apps/baselayout: 2.0.1
sys-apps/openrc:     0.6.3
sys-apps/sandbox:    2.3-r1
sys-devel/autoconf:  2.13, 2.68
sys-devel/automake:  1.9.6-r3, 1.10.3, 1.11.1
sys-devel/binutils:  2.20.1-r1
sys-devel/gcc:       4.4.4-r2
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.10
sys-devel/make:      3.81-r2
virtual/os-headers:  2.6.35 (sys-kernel/linux-headers)
ACCEPT_KEYWORDS="x86 ~x86"
ACCEPT_LICENSE="* -@EULA"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=i686 -fomit-frame-pointer -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /var/lib/hsqldb"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-O2 -march=i686 -fomit-frame-pointer -pipe"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--with-bdeps=y"
FEATURES="assume-digests binpkg-logs collision-protect distlocks fixlafiles fixpackages news parallel-fetch protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LDFLAGS="-Wl,-O1 -Wl,--as-needed -Wl,--hash-style=gnu"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage /usr/local/portage-test"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X a52 acl acpi alsa berkdb bzip2 cairo cdda cddb cli cracklib crypt cxx dbus dri dts dvd fam ffmpeg fftw flac fontconfig gdbm gnutls gpm gtk hardened iconv idn ipv6 java jpeg libnotify matroska mmx modules mp3 mpeg mudflap ncurses nptl nptlonly ogg opengl openmp pam pcre perl pic png pppd python readline reflection sasl sdl session sse sse2 ssl startup-notification svg sysfs tcpd theora threads tiff truetype unicode urandom vorbis x264 x86 xcb xml xorg xv xvid zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 	emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m 	maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="intel" XFCE_PLUGINS="menu trash" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account" 
Unset:  CPPFLAGS, CTARGET, FFLAGS, INSTALL_MASK, LANG, LC_ALL, LINGUAS, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

I encountered this as well.  A backtrace is included below.  It appears to be the result of an improper fix for bug #292050.  Specifically, in the git commit referenced in that bug <http://git.overlays.gentoo.org/gitweb/?p=proj/sandbox.git;a=commitdiff;h=4c1eee83e412298d5c3019f386540ce0af0badc7>, we see that erealpath gained an if/abort on input==output and a comment stating

/* We can't handle resolving a buffer inline, so demand
 * separate read and write strings.
 */

That commit also touched canonicalize.  The commit log message indicates that this was to change it so that the call to erealpath would not use the same buffer for input and output.  However, that change was not made.  Instead, the code allocates a copy of the buffer, uses the original buffer for both input and output, then frees the copy without using it.  Aside from the allocation/free of the unused buffer, the new code is semantically equal to the old code.


$ gdb ../../../coreconf/nsinstall/Linux2.6_x86_64_x86_64-pc-linux-gnu-gcc_glibc_PTH_64_OPT.OBJ/nsinstall core
Core was generated by `../../../coreconf/nsinstall/Linux2.6_x86_64_x86_64-pc-linux-gnu-gcc_glibc_PTH_6'.
Program terminated with signal 6, Aborted.
#0  0x00002b234a6fd1b5 in raise (sig=<value optimized out>)
    at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
64      ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
        in ../nptl/sysdeps/unix/sysv/linux/raise.c
(gdb) up
#1  0x00002b234a6fe5e0 in abort () at abort.c:92
92      abort.c: No such file or directory.
        in abort.c
(gdb)
#2  0x00002b234a29c5f0 in sb_abort ()
    at ../../sandbox-2.3/libsandbox/libsandbox.c:441
441     ../../sandbox-2.3/libsandbox/libsandbox.c: No such file or directory.
        in ../../sandbox-2.3/libsandbox/libsandbox.c
(gdb)
#3  0x00002b234a2a41ce in erealpath (
    name=0x7fff17d65ba0 "/var/tmp/portage/portage/dev-libs/nss-3.12.8/work/nss-3.12.8/mozilla/security/nss/lib/util/../../../dist/private",
    resolved=0x7fff17d65ba0 "/var/tmp/portage/portage/dev-libs/nss-3.12.8/work/nss-3.12.8/mozilla/security/nss/lib/util/../../../dist/private")
    at ../../sandbox-2.3/libsandbox/canonicalize.c:84
84      ../../sandbox-2.3/libsandbox/canonicalize.c: No such file or directory.
        in ../../sandbox-2.3/libsandbox/canonicalize.c
(gdb) up
#4  0x00002b234a29cb4a in canonicalize (
    path=0x7fff17d6b5d3 "../../../dist/private",
    resolved_path=<value optimized out>)
    at ../../sandbox-2.3/libsandbox/libsandbox.c:181
181     ../../sandbox-2.3/libsandbox/libsandbox.c: No such file or directory.
        in ../../sandbox-2.3/libsandbox/libsandbox.c

Comment 8 SpanKY 2010-10-08 19:25:42 UTC

*** Bug 340162 has been marked as a duplicate of this bug. ***

Created attachment 250643 [details, diff]
Proposed patch to make sandbox canonicalize not trigger erealpath to abort

I got tired of various things failing to build and prepared this patch.  It passes the sandbox src_test function on multilib amd64, works for me on those packages that failed with a stock sandbox-2.3, and has caused no apparent regressions.  It changes canonicalize to pass the allocated copy to erealpath, and defers creating the copy until the relative path component from the caller has been appended to the buffer used to initialize the copy.

Comment 10 Jorge Manuel B. S. Vicetto (RETIRED) 2010-10-19 15:36:41 UTC

I was going to create a new bug about eselect-python-20100321, but as Mike already closed one bug as a dupe of this one, I'm adding a comment here. If you prefer, I'll open a new bug about this.
The current weekly auto-builds for the amd64 and x86 hardened stages are failing because of this bug. After applying the patch, the build no longer fails.

>>> Emerging (34 of 147) app-admin/eselect-python-20100321
>>> Failed to emerge app-admin/eselect-python-20100321, Log file:
>>>  '/var/tmp/portage/app-admin/eselect-python-20100321/temp/build.log'
 * CPV:  app-admin/eselect-python-20100321
 * REPO: gentoo
 * USE:  amd64 elibc_glibc kernel_linux userland_GNU
checking for x86_64-pc-linux-gnu-gcc... x86_64-pc-linux-gnu-gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables... 
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether x86_64-pc-linux-gnu-gcc accepts -g... yes
checking for x86_64-pc-linux-gnu-gcc option to accept ISO C89... none needed
checking for install... /usr/bin/install
checking how to run the C preprocessor... x86_64-pc-linux-gnu-gcc -E
checking for grep that handles long lines and -e... /bin/grep
checking for egrep... /bin/grep -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking minix/config.h usability... no
checking minix/config.h presence... no
checking for minix/config.h... no
checking whether it is safe to define __EXTENSIONS__... yes
checking for setenv... yes
checking for strtok_r... yes
checking for strndup... yes
configure: creating ./config.status
config.status: creating Makefile
config.status: creating config.h
x86_64-pc-linux-gnu-gcc  -O2 -pipe -Wall -Wextra -Wl,-O1 -Wl,--as-needed -o python-wrapper python-wrapper.c 
/usr/bin/install -d /var/tmp/portage/app-admin/eselect-python-20100321/image//usr/bin /var/tmp/portage/app-admin/eselect-python-20100321/image//usr/share/eselect/modules
/usr/lib/libsandbox.so(+0x3872)[0x2b9addfa4872]
/usr/lib/libsandbox.so(+0x3903)[0x2b9addfa4903]
/usr/lib/libsandbox.so(+0xa780)[0x2b9addfab780]
/usr/lib/libsandbox.so(+0x3ff9)[0x2b9addfa4ff9]
/usr/lib/libsandbox.so(+0x6e36)[0x2b9addfa7e36]
/usr/lib/libsandbox.so(mkdir+0x27)[0x2b9addfaa5b7]
/usr/bin/install(+0x3646)[0x2b9addb68646]
/usr/bin/install(+0xc514)[0x2b9addb71514]
/usr/bin/install(+0xc67d)[0x2b9addb7167d]
/usr/bin/install(+0x4a76)[0x2b9addb69a76]
/proc/23929/cmdline: /usr/bin/install -d /var/tmp portage/app-admin/eselect-python-20100321/image//usr/bin /var/tmp/portage/app-admin/eselect-python-20100321/image//usr/share/eselect/modules 

make: *** [install] Aborted
 * ERROR: app-admin/eselect-python-20100321 failed:
 *   emake install failed
 * 
 * Call stack:
 *     ebuild.sh, line  54:  Called src_install
 *   environment, line 943:  Called die
 * The specific snippet of code:
 *       emake DESTDIR="${D}" install || die "emake install failed"
 * 
 * If you need support, post the output of 'emerge --info =app-admin/eselect-python-20100321',
 * the complete build log and the output of 'emerge -pqv =app-admin/eselect-python-20100321'.
 * The complete build log is located at '/var/tmp/portage/app-admin/eselect-python-20100321/temp/build.log'.
 * The ebuild environment file is located at '/var/tmp/portage/app-admin/eselect-python-20100321/temp/environment'.
 * S: '/var/tmp/portage/app-admin/eselect-python-20100321/work/eselect-python-20100321'

 * Messages for package sys-libs/timezone-data-2010l:

 * You do not have TIMEZONE set in /etc/conf.d/clock.
 * Skipping auto-update of /etc/localtime.

 * Messages for package app-portage/portage-utils-0.3.1:

 * /etc/portage/postsync.d/q-reinitialize has been installed for convenience
 * If you wish for it to be automatically run at the end of every --sync:
 *    # chmod +x /etc/portage/postsync.d/q-reinitialize
 * Normally this should only take a few seconds to run but file systems
 * such as ext3 can take a lot longer.  To disable, simply do:
 *    # chmod -x /etc/portage/postsync.d/q-reinitialize

 * Messages for package app-admin/eselect-python-20100321:
 * ERROR: app-admin/eselect-python-20100321 failed:
 *   emake install failed
 * 
 * Call stack:
 *     ebuild.sh, line  54:  Called src_install
 *   environment, line 943:  Called die
 * The specific snippet of code:
 *       emake DESTDIR="${D}" install || die "emake install failed"
 * 
 * If you need support, post the output of 'emerge --info =app-admin/eselect-python-20100321',
 * the complete build log and the output of 'emerge -pqv =app-admin/eselect-python-20100321'.
 * The complete build log is located at '/var/tmp/portage/app-admin/eselect-python-20100321/temp/build.log'.
 * The ebuild environment file is located at '/var/tmp/portage/app-admin/eselect-python-20100321/temp/environment'.
 * S: '/var/tmp/portage/app-admin/eselect-python-20100321/work/eselect-python-20100321'

nss-3.12.8 keeps failing to compile on my system and I think it is due to sandbox. Not sure if it is the same as this bug post.

make[4]: Entering directory `/var/tmp/portage/dev-libs/nss-3.12.8/work/nss-3.12.8/mozilla/security/nss/lib/libpkix/pkix/store'
/usr/lib/libsandbox.so(+0x2704)[0x4004b704]
/usr/lib/libsandbox.so(+0x27ab)[0x4004b7ab]
/usr/lib/libsandbox.so(+0xa371)[0x40053371]
/usr/lib/libsandbox.so(+0x2f52)[0x4004bf52]
/usr/lib/libsandbox.so(+0x630d)[0x4004f30d]
/usr/lib/libsandbox.so(mkdir+0x40)[0x40051ec0]
../../../../../coreconf/nsinstall/Linux2.6_x86_i686-pc-linux-gnu-gcc_glibc_PTH_OPT.OBJ/nsinstall(+0x128b)[0x4000128b]
../../../../../coreconf/nsinstall/Linux2.6_x86_i686-pc-linux-gnu-gcc_glibc_PTH_OPT.OBJ/nsinstall(main+0x28c)[0x400015fc]
/lib/libc.so.6(__libc_start_main+0xe5)[0x4008abe5]
../../../../../coreconf/nsinstall/Linux2.6_x86_i686-pc-linux-gnu-gcc_glibc_PTH_OPT.OBJ/nsinstall(+0x1071)[0x40001071]
/proc/8839/cmdline: ../../../../../coreconf/nsinstall/Linux2.6_x86_i686-pc-linux-gnu-gcc_glibc_PTH_OPT.OBJ/nsinstall -D Linux2.6_x86_i686-pc-linux-gnu-gcc_glibc_PTH_OPT.OBJ

/bin/sh: line 1:  8839 Aborted                 ../../../../../coreconf/nsinstall/Linux2.6_x86_i686-pc-linux-gnu-gcc_glibc_PTH_OPT.OBJ/nsinstall -D Linux2.6_x86_i686-pc-linux gnu-gcc_glibc_PTH_OPT.OBJ
make[4]: *** [Linux2.6_x86_i686-pc-linux-gnu-gcc_glibc_PTH_OPT.OBJ/pkix_store.o] Error 134
make[4]: Leaving directory `/var/tmp/portage/dev-libs/nss-3.12.8/work/nss-3.12.8/mozilla/security/nss/lib/libpkix/pkix/store'
make[3]: *** [libs] Error 2
make[3]: Leaving directory `/var/tmp/portage/dev-libs/nss-3.12.8/work/nss-3.12.8/mozilla/security/nss/lib/libpkix/pkix'
make[2]: *** [libs] Error 2
make[2]: Leaving directory `/var/tmp/portage/dev-libs/nss-3.12.8/work/nss-3.12.8/mozilla/security/nss/lib/libpkix'
make[1]: *** [libs] Error 2
make[1]: Leaving directory `/var/tmp/portage/dev-libs/nss-3.12.8/work/nss-3.12.8/mozilla/security/nss/lib'
make: *** [libs] Error 2
 * ERROR: dev-libs/nss-3.12.8 failed:
 *   nss make failed
 *
 * Call stack:
 *     ebuild.sh, line  54:  Called src_compile
 *   environment, line 2693:  Called die
 * The specific snippet of code:
 *       emake -j1 CC="$(tc-getCC)" || die "nss make failed"
 *
 * If you need support, post the output of 'emerge --info =dev-libs/nss-3.12.8',
 * the complete build log and the output of 'emerge -pqv =dev-libs/nss-3.12.8'.
 * The complete build log is located at '/var/tmp/portage/dev-libs/nss-3.12.8/temp/build.log'.
 * The ebuild environment file is located at '/var/tmp/portage/dev-libs/nss-3.12.8/temp/environment'.
 * S: '/var/tmp/portage/dev-libs/nss-3.12.8/work/nss-3.12.8'

emerge --info
Portage 2.1.8.3 (hardened/linux/x86/10.0, gcc-4.4.4, glibc-2.11.2-r0, 2.6.35-gentoo-r4 i686)
=================================================================
                        System Settings
=================================================================
System uname: Linux-2.6.35-gentoo-r4-i686-Intel-R-_Core-TM-2_Duo_CPU_T5750_@_2.00GHz-with-gentoo-1.12.13
Timestamp of tree: Thu, 28 Oct 2010 01:00:02 +0000
app-shells/bash:     4.1_p7
dev-java/java-config: 2.1.11
dev-lang/python:     2.4.6, 2.5.4-r4, 2.6.5-r3, 3.1.2-r4
dev-util/cmake:      2.8.1-r2
sys-apps/baselayout: 1.12.13
sys-apps/sandbox:    2.3-r1
sys-devel/autoconf:  2.13, 2.65-r1
sys-devel/automake:  1.5, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.2, 1.11.1
sys-devel/binutils:  2.20.1-r1
sys-devel/gcc:       3.4.6-r2, 4.1.2, 4.3.4, 4.4.4-r2
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.10
sys-devel/make:      3.81-r2
virtual/os-headers:  2.6.30-r1
ACCEPT_KEYWORDS="x86"
ACCEPT_LICENSE="* -@EULA"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=i686 -pipe -fomit-frame-pointer -msse -msse2 -msse3"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -march=i686 -pipe -fomit-frame-pointer -msse -msse2 -msse3"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests distlocks fixpackages news protect-owned sandbox sfperms strict unmerge-logs unmerge-orphans userfetch"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="en en_US"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X aac acl acpi alsa berkdb bzip2 cairo cdr cli cracklib crypt cups cxx dbus dri dvd dvdr dvdread encode faac faad fam ffmpeg flac fortran gdbm gif gnutls gpm gstreamer gtk gtk2 hal hardened iconv java jpeg kde laptop libnotify loop-aes mad matroska midi mikmod mmx mng modules mp3 mpeg mplayer mudflap mysql ncurses nls nptl nptlonly nsplugin ogg opengl openmp pam pcre perl pic png ppds pppd python qt qt3support qt4 readline sdl session smp spell sql sse sse2 ssl subtitles svg sysfs tcpd tiff truetype unicode urandom v4l v4l2 vorbis webkit win32codecs x86 xine xorg xvid zip zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1     emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m       maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="evdev keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en en_US" PHP_TARGETS="php5-2" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="fglrx" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG, LC_ALL, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY 

applying sandbox-2.3-canonicalize-erealpath.patch fixes my problem.

Following up on comment number 11, I am also unable to build dev-libs/nss-3.12.8, which is now stable on amd64 due to bug 341821 (fixing security vulnerabilities).  

emerge --info below:
Portage 2.1.8.3 (hardened/linux/amd64/10.0, gcc-4.4.4, glibc-2.11.2-r2, 2.6.34-gentoo-r12-2010Oct22 x86_64)
=================================================================
System uname: Linux-2.6.34-gentoo-r12-2010Oct22-x86_64-Intel-R-_Core-TM-2_Duo_CPU_U9400_@_1.40GHz-with-gentoo-1.12.13
Timestamp of tree: Sat, 30 Oct 2010 00:45:02 +0000
app-shells/bash:     4.1_p7
dev-java/java-config: 2.1.11
dev-lang/python:     2.6.5-r3, 3.1.2-r4
dev-util/cmake:      2.8.1-r2
sys-apps/baselayout: 1.12.13
sys-apps/sandbox:    2.3-r1
sys-devel/autoconf:  2.13, 2.65-r1
sys-devel/automake:  1.9.6-r3, 1.10.3, 1.11.1
sys-devel/binutils:  2.20.1-r1
sys-devel/gcc:       4.3.4, 4.4.4-r2
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.10
sys-devel/make:      3.81-r2
virtual/os-headers:  2.6.30-r1
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA @BINARY-REDISTRIBUTABLE AdobeFlash-10.1 PUEL"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=core2 -O2 -pipe -msse4.1"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb /var/lib/hsqldb"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-march=core2 -O2 -pipe -msse4.1"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests distlocks fixpackages news parallel-fetch protect-owned sandbox sfperms strict unmerge-logs unmerge-orphans userfetch"
GENTOO_MIRRORS="http://gentoo.netnitco.net      http://gentoo.mirrors.tds.net/gentoo    http://mirror.csclub.uwaterloo.ca/gentoo-distfiles/     http://distfiles.gentoo.org     http://www.ibiblio.org/pub/Linux/distributions/gentoo"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="en_US en"
MAKEOPTS="--jobs=4 --load-average=2"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/var/lib/layman/benf"
SYNC="rsync://rsync.us.gentoo.org/gentoo-portage"
USE="X acl alsa amd64 berkdb bzip2 cairo caps cjk cli consolekit cracklib crypt cups cxx dbus dri dvd exif ffmpeg gdbm gnutls gpm hal hardened iconv jpeg justify laptop mmx modules mp3 mudflap multilib ncurses nls nptl nptlonly opengl openmp pam pcre perl pic png ppds pppd python readline sdl session spell sse sse2 ssl ssse3 sysfs system-sqlite tcpd threads truetype unicode urandom v4l2 xorg xv xvmc zlib" ALSA_CARDS="hda-intel usb-audio" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="evdev synaptics" KERNEL="linux" LINGUAS="en_US en" PHP_TARGETS="php5-2" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="intel" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account" 
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG, LC_ALL, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

Created attachment 252851 [details]
build log for dev-libs/nss-3.12.8

This bug appears very similar to a bug 292050 (sys-apps/sandbox-2.2: dev-libs/nss fails to install on hardened systems), which is marked as resolved.  

Should one be marked as a duplicate of the other? (Different sandbox version numbers though.)

(Trying emerge -e system as suggested in the other thread.)

(In reply to comment #15)
> This bug appears very similar to a bug 292050 (sys-apps/sandbox-2.2:
> dev-libs/nss fails to install on hardened systems), which is marked as
> resolved.

The attempted fix for bug #292050 is what caused this bug (as I explained in comment #7).

At this point, there does not seem to be any need for more build logs or additional me-too comments.  We have two build logs attached, a symbolic backtrace posted in comment #7 showing exactly how the abort was reached, and my proposed fix that two people unrelated to me have said improves the situation.  I validated the patch on amd64 before posting it.  Per comment #10, it has been validated on the weekly auto-build of x86.

Comment 17 Jorge Manuel B. S. Vicetto (RETIRED) 2010-11-10 04:33:23 UTC

Any chance of getting this fixed soon?
The x86 hardened weekly build failed again tonight.

Created attachment 254231 [details]
ebuild to apply patch

In case this helps speed things up, here's the modified ebuild I used to apply Kevin's patch.  (I'm new to making ebuild files, so someone should double-check it, but it fixes the problem for me).  (You'll probably want to increment the revision number, which I kept the same.)

Seems like people are still experiencing this problem, and this bug prevents several security updates (e.g., bug 341821, bug 342847), which won't proceed without nss-3.12.8, so I'm sure many people (including me) will appreciate a resolution to this bug.  

For those wondering how to use this ebuild (before it hits the official portage tree), see <https://forums.gentoo.org/viewtopic-t-850517.html>.

Thanks guys.
The patch and the ebuild works perfectly!

Comment 20 Jorge Manuel B. S. Vicetto (RETIRED) 2010-11-17 13:08:08 UTC

(In reply to comment #17)
> Any chance of getting this fixed soon?
> The x86 hardened weekly build failed again tonight.

and yet again this week.

Comment 21 Diego Elio Pettenò (RETIRED) 2010-11-20 14:41:16 UTC

Mike can we get Kevin's patch in, pretty please?

Comment 22 Magnus Granberg 2010-11-21 20:53:15 UTC

please can you get sandbox fixed?
For we don't sone have any autobuild hardened stage3 files left.

Comment 23 SpanKY 2010-11-23 01:35:08 UTC

should be fixed in git now.  i would credit Kevin for analysis/fix, but his e-mail is junk, and i'm not adding that to the git history.

http://git.overlays.gentoo.org/gitweb/?p=proj/sandbox.git;a=commitdiff;h=9d7962023b360a3456b13dbe5f45f8b2d354b250

Comment 24 SpanKY 2010-11-23 01:36:02 UTC

Magnus: if your autobuilds are auto-expiring on the servers, that's a bug that you need to fix independently.  new failures should not force older successes to expire automatically.

Comment 25 Jorge Manuel B. S. Vicetto (RETIRED) 2010-11-23 04:20:57 UTC

(In reply to comment #24)
> Magnus: if your autobuilds are auto-expiring on the servers, that's a bug that
> you need to fix independently.  new failures should not force older successes
> to expire automatically.

This is not an issue with the hardened team, but a releng / infra issue. The infra team is already working on this.

From a releng PoV though, the autobuilds are built from a snapshot of the CVS tree when the build process starts - using stable ebuilds. Any stable ebuild that is broken or breaks the stages build process will cause the autobuilds to fail and will prevent building new stages until the ebuild is fixed.
Thus, releng kindly asks all maintainers to fix such failures ASAP.

(In reply to comment #23)
> i would credit Kevin for analysis/fix, but his e-mail is junk, and i'm not adding that to the git history.

Gee, thanks.  Not even a mention in the commit message.

Comment 27 Robin Johnson 2010-11-23 05:46:13 UTC

The hardened stages are back on the mirrors now (on the masters already, and
starting to appear on the others). They shouldn't have been expired like that,
I improved the code to keep one of each catalyst product file always.
Eg:
http://ftp-chi.osuosl.org/pub/gentoo/releases/amd64/autobuilds/20100923/hardened/

Comment 28 SpanKY 2010-11-23 06:16:00 UTC

if you had an e-mail that wasnt garbage, you'd get full credit.  but you dont.

Comment 29 SpanKY 2010-11-23 12:23:28 UTC

my point wasnt that it was hardened team's fault their autobuilds were no longer available but rather that blaming autoexpiration on a random ebuild in the tree is a red herring -- infra/releng was broken.  glad it is now fixed.

Comment 30 Jorge Manuel B. S. Vicetto (RETIRED) 2010-12-11 13:07:15 UTC

Mike,

can we please get the new ebuild marked stable? Until that's done, the hardened stages build will continue to fail.

Comment 31 SpanKY 2010-12-11 14:25:47 UTC

if you want to stabilize, do like normal and file a stabilization bug

Comment 32 Jeroen Roovers (RETIRED) 2010-12-14 16:20:56 UTC

*** Bug 347720 has been marked as a duplicate of this bug. ***