--------------------------- ACCESS VIOLATION SUMMARY --------------------------- LOG FILE "/var/log/sandbox/sandbox-3700.log" VERSION 1.0 FORMAT: F - Function called FORMAT: S - Access Status FORMAT: P - Path as passed to function FORMAT: A - Absolute Path (not canonical) FORMAT: R - Canonical Path FORMAT: C - Command Line F: utimensat S: deny P: /etc/mtab A: /etc/mtab R: /etc/mtab C: /bin/mount -s -------------------------------------------------------------------------------- Reproducible: Always Actual Results: no autofs Expected Results: autofs
Yes noticed this few days ago as well and didnt come around to report it. Solution right now is to compile autofs with FEATURES=-sandbox Here is my emerge --info: Portage 2.1.9.40 (default/linux/x86/10.0, gcc-4.5.2, glibc-2.13-r1, 2.6.36-gentoo-r8 i686) ================================================================= System uname: Linux-2.6.36-gentoo-r8-i686-Intel-R-_Pentium-R-_4_CPU_2.40GHz-with-gentoo-2.0.1 Timestamp of tree: Tue, 22 Feb 2011 09:15:01 +0000 app-shells/bash: 4.1_p9 dev-lang/python: 2.7.1-r1, 3.1.3-r1 dev-util/cmake: 2.8.4 sys-apps/baselayout: 2.0.1-r1 sys-apps/openrc: 0.7.0 sys-apps/sandbox: 2.5 sys-devel/autoconf: 2.68 sys-devel/automake: 1.11.1 sys-devel/binutils: 2.21 sys-devel/gcc: 4.5.2 sys-devel/gcc-config: 1.4.1 sys-devel/libtool: 2.4-r1 sys-devel/make: 3.82 virtual/os-headers: 2.6.36.1 (sys-kernel/linux-headers) ACCEPT_KEYWORDS="x86 ~x86" ACCEPT_LICENSE="*" CBUILD="i686-pc-linux-gnu" CFLAGS="-march=pentium4 -mtune=pentium4 -O2 -pipe -fomit-frame-pointer -msse -msse2 -mmmx" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt /var/bind" CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.3/ext-active/ /etc/php/cgi-php5.3/ext-active/ /etc/php/cli-php5.3/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo" CXXFLAGS="-march=pentium4 -mtune=pentium4 -O2 -pipe -fomit-frame-pointer -msse -msse2 -mmmx" DISTDIR="/usr/portage/distfiles" FEATURES="assume-digests binpkg-logs distlocks fixlafiles fixpackages news parallel-fetch protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch" FFLAGS="" GENTOO_MIRRORS="ftp://mirror.netcologne.de/gentoo/ ftp://mirror.switch.ch/mirror/gentoo/ ftp://ftp.uni-erlangen.de/pub/mirrors/gentoo ftp://gentoo.lagis.at ftp://ftp.snt.utwente.nl/pub/os/linux/gentoo" LDFLAGS="-Wl,-O1 -Wl,--as-needed -Wl,--sort-common" LINGUAS="en sl" MAKEOPTS="-j2" PKGDIR="/usr/portage/packages" PORTAGE_CONFIGROOT="/" PORTAGE_RSYNC_OPTS="-6 --recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/local/portage" SYNC="rsync://rsync.de.gentoo.org/gentoo-portage" USE="acl acpi animgif apache2 apm authfile bash-completion berkdb bluetooth bzip2 caps ccache cgi cli client cracklib crypt cups curl cxx dbus dedicated dhcp dovecot-sasl dri eap-tls encode expat extras fontconfig fortran ftp gd gdbm geoip gif gmp gpm gzip hardened iconv icu idn imap intl ipv6 ithreads jpeg lcms ldap lua lzma lzo maildir mhash mmx mng modules mpi mudflap mysql ncurses netboot nls nptl nptlonly ntp ocaml ocamlopt odbc openmp pam pch pcntl pcre pdo perl phar php pic png pop3d posix pppd python quota raw readline rpc samba sasl server session slang smtp snmp soap sockets spell sse sse2 ssl suexec suhosin svg swig sysfs tcl tcpd threads tiff truetype udev unicode urandom usb vhosts x86 xinetd xml xmlrpc xsl xtradb zip zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias auth_digest authn_dbd ident proxy proxy_ajp proxy_balancer proxy_connect proxy_ftp proxy_http proxy_scgi" APACHE2_MPMS="event" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en sl" PHP_TARGETS="php5-3" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="fbdev glint intel mach64 mga neomagic nouveau nv r128 radeon savage sis tdfx trident vesa via vmware dummy v4l" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account" Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Please attach the entire build log as a file.
Created attachment 263589 [details] build log for failed emerge of autofs-5.0.5
Please attach the contents of the /var/log/sandbox/sandbox-30868.log file.
Created attachment 263651 [details] sandbox log There is noting new in log that isnt already in emerge error...
I'm sorry but I failed to "parse" the sandbox errors before. Seems like autofs is trying to open /etc/mtab.
Well nothing wront with access to mtab (unless he wants write access which is big no anyway). mih ~ # ls -la /etc/mtab -rw-r--r-- 1 root root 809 Feb 24 02:44 /etc/mtab
I can't reproduce this. So let's start to collect more pieces about your setup to find out what's happening. (In reply to comment #0) [...] > F: utimensat This tries to update the timestamp of the file. Could you please post the mount options of the partition where /etc/mtab resides?
/dev/sda3 / ext4 noatime 0 1 one other interesting thing... if i remove /etc/mtab i can compile with feature +sandbox.
and this is my whole mtab mih ~ # cat /etc/mtab rootfs / rootfs rw 0 0 /dev/root / ext4 rw,noatime,barrier=1,data=ordered 0 0 proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0 rc-svcdir /lib/rc/init.d tmpfs rw,nosuid,nodev,noexec,relatime,size=1024k,mode=755 0 0 sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0 udev /dev tmpfs rw,nosuid,relatime,size=10240k,mode=755 0 0 fusectl /sys/fs/fuse/connections fusectl rw,relatime 0 0 devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=620 0 0 shm /dev/shm tmpfs rw,nosuid,nodev,noexec,relatime 0 0 /dev/sdb1 /home/SHARED/ShareWare ext4 rw,noatime 0 0 /dev/sdc1 /home/SHARED/Stuff ext4 rw,noatime 0 0 usbfs /proc/bus/usb usbfs rw,noexec,nosuid,devmode=0664,devgid=85 0 0 nfsd /proc/fs/nfsd nfsd rw,noexec,nosuid,nodev 0 0 binfmt_misc /proc/sys/fs/binfmt_misc binfmt_misc rw,noexec,nosuid,nodev 0 0
I finally was able to reproduce this. The sandbox violation is triggered with /bin/mount from =sys-apps/util-linux-2.19. Could someone from base-system herd explain why the following command tries to update the timestamp of /etc/mtab since util-linux-2.19 but not before? # /bin/mount -s Is this intentional or is this a bug in /bin/mount from util-linux? Thanks. Dustin
you dont even need the -s flag. `mount` will do it too. the code is doing it on purpose, but i think it's a matter of people didnt quite think through all the possibilities. it's used to detect if the fs is r/o.
(In reply to comment #12) > you dont even need the -s flag. `mount` will do it too. > > the code is doing it on purpose, but i think it's a matter of people didnt > quite think through all the possibilities. it's used to detect if the fs is > r/o. Thanks for the prompt reply. `mount -s` is used during configure to determine whether `mount` supports sloppy mount so I think dropping -s flag is not an option. The question is whether `mount` is supposed to update mtab's timestamp when called to just output all active mounts listed in it. If you can confirm that this is okay (the behavior has changed from <util-linux-2.19 to =util-linux-2.19), then I will check whether adding -n flag to the test solves the sandbox violation.
not really. -s is ignored when running `mount -s` which means "print all". and in the "print all" code, mount has always attempted to detect whether /etc/mtab is writable. the only thing that has changed is the readonly detection code. in the past, it would attempt to write to the file, but under slightly different circumstances, and didnt catch all cases. the new code catches more, but inadvertently tickles sandbox.
Mike, thanks for taking the time to shed some light onto this. (In reply to comment #14) > not really. -s is ignored when running `mount -s` which means "print all". True. The test relies on mount throwing an non-zero exit code if the -s flag is not a valid flag. > in the past, it would attempt to write to the file, but under slightly > different circumstances, and didnt catch all cases. the new code catches more, > but inadvertently tickles sandbox. So, what options do I have to avoid this? Is any of the following a valid option? 1) Define an exception for sandbox (is this even possible?) to allow access to mtab as it can be ensured that the file content is not modified. 2) Remove the check and hard-default to HAVE_SLOPPY_MOUNT because mount always accepts -s flag. Comments are highly appreciated. Thanks. Dustin
you can add `addpredict /etc/mtab` to the src_configure step and i imagine that'll make things work
(In reply to comment #16) > you can add `addpredict /etc/mtab` to the src_configure step and i imagine > that'll make things work Thanks for the advice. This works if I do it from command line: SANDBOX_PREDICT="/etc/mtab" mount -s Adding `addpredict /etc/mtab` to src_configure() just before the econf call fails with the same sandbox violation though... Do you have an idea what could be the cause? Sorry for bothering you with this but I really have no knowledge about sandbox internals.
(In reply to comment #17) > Adding `addpredict /etc/mtab` to src_configure() just before the econf call > fails with the same sandbox violation though... Failure of mine to remove old environment after update of ebuild. Fix has been included into rev bump request, so I make this bug depend on that one. Please try whether that ebuild fixes the problem and give feedback if it won't. Thanks.
autofs-5.0.5-r4 from DuPol overlay (yours i guess) fixes this issues for me...
(In reply to comment #19) > autofs-5.0.5-r4 from DuPol overlay (yours i guess) fixes this issues for me... Thanks for the feedback. Yes, that's my overlay and it's the same ebuild now waiting in bug #346537 for inclusion into portage. Un-CC base-system, thanks for your help, Mike.
*** Bug 358069 has been marked as a duplicate of this bug. ***
Three weeks later, I hit the issue again. How are the chances that autofs-5.0.5-r4 comes into the tree?
(In reply to comment #22) > Three weeks later, I hit the issue again. How are the chances that > autofs-5.0.5-r4 comes into the tree? I am waiting for feedback of the dev proxying me. If you want the ebuild now, you could use my personal overlay (DuPol).
addpredict added in 5.0.5-r1. Fixed.
*** Bug 361789 has been marked as a duplicate of this bug. ***
Shouldn't the fix be applied also in the latest stable? being net-fs/autofs-5.0.4-r5.
(In reply to comment #26) > Shouldn't the fix be applied also in the latest stable? being > net-fs/autofs-5.0.4-r5. Yes. Peter, could you please add the addpredict line to autofs-{5.0.3-r6,5.0.4-r5} as well, please?
Ok, done for latest stable (autofs-5.0.4-r5.ebuild). BTW, may be it's good idea to stabilize autofs-5.0.5-r3 now, or wait another month and stabilize 4.x and 5.x in one go...
I'm still hitting this with the latest stable net-fs/autofs-5.0.4-r5. I'm not sure why, but addpredict /etc/mtab doesn't help.
net-fs/autofs-5.0.5-r4 does work however. Looks like the econf stage has been moved from src_compile to src_configure, and the sandbox violation occures in the econf stage. Any chance of getting autofs-5.0.5-r4 stable soon? Otherwise autofs-5.0.4 ebuild will need to be rewritten a bit...
Also, please re-open, this issue is not fixed in the latest stable Gentoo.
Re-opening per last comment.
(In reply to comment #29) > I'm still hitting this with the latest stable net-fs/autofs-5.0.4-r5. > I'm not sure why, but addpredict /etc/mtab doesn't help. I can't reproduce this; for me, it builds fine. Please post your emerge --info and attach build log for further investigation, please. (In reply to comment #30) > Any chance of getting autofs-5.0.5-r4 stable soon? Otherwise autofs-5.0.4 > ebuild will need to be rewritten a bit... I've scheduled 5.0.5 stabilization at the end of the month if no major bug is reported until then. Nevertheless, I want to have this fixed in 5.0.4 as well.
Strange, I can't reproduce it either... I have done a new emerge --sync in between, but I can't really see what that would have changed. Tried several times 2 days ago, couldn't make it compile. Tried several times today, compiles every time! So maybe I synced from some outdated server the other day? Did you step r4 to r5 when adding addpredict, or could I have had an old autofs-5.0.4-r5 ebuild in my portage?
(In reply to comment #34) > Strange, I can't reproduce it either... > I have done a new emerge --sync in between, but I can't really see what that > would have changed. > Tried several times 2 days ago, couldn't make it compile. > Tried several times today, compiles every time! > So maybe I synced from some outdated server the other day? > Did you step r4 to r5 when adding addpredict, or could I have had an old > autofs-5.0.4-r5 ebuild in my portage? pva just added the line to the existing ebuild without rev bumping it. This change happened already one month ago; so if you haven't synced since then, you had the old version. Since you can't reproduce this anymore, closing again.
