Hi!

When trying to (re-)emerge autofs on an amd64 system, the following sandbox violation is shown:

checking whether gcc -fPIE works... yes
configure: creating ./config.status
config.status: creating Makefile.conf
config.status: creating include/config.h
>>> Source configured.
--------------------------- ACCESS VIOLATION SUMMARY ---------------------------
LOG FILE "/var/log/sandbox/sandbox-28227.log"

VERSION 1.0
FORMAT: F - Function called
FORMAT: S - Access Status
FORMAT: P - Path as passed to function
FORMAT: A - Absolute Path (not canonical)
FORMAT: R - Canonical Path
FORMAT: C - Command Line

F: mkdir
S: deny
P: /run/mount
A: /run/mount
R: /run/mount
C: /bin/mount -s
--------------------------------------------------------------------------------

Apparently a mount is called which tries to create a /run/mount directory.

It's the same with all available versions but with slight differences. With 5.0.4 the same violation comes not after "Source configured" but after "Source compiled". With 5.0.3-r6 there is an ldap compile error, but even with that there are two access violations:

F: open_wr
S: deny
P: /etc/mtab
A: /etc/mtab
R: /etc/mtab
C: /bin/mount -s

F: mkdir
S: deny
P: /run/mount
A: /run/mount
R: /run/mount
C: /bin/mount -s

Probably ebuilds need additional addpredict for /run/mount. This fix works for me.
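The F/S/R/C records in the summary above can be triaged mechanically. The script below is an added example, not part of the original report or of sandbox itself: it lists the denied calls and reduces them to the shortest set of path prefixes that covers them. It assumes the log file holds one field per line with `C:` closing each record; the sample log is constructed from the denials quoted in this report, and the function names are made up here.

```sh
#!/bin/sh
# Added example (not from the bug report): triage a Gentoo sandbox log.
# Assumption: one "KEY: value" field per line, "C:" closes each record.

# Constructed sample: the three denials quoted in this report, in one log.
sample_log() {
    cat <<'EOF'
VERSION 1.0
FORMAT: F - Function called
FORMAT: S - Access Status
FORMAT: P - Path as passed to function
FORMAT: A - Absolute Path (not canonical)
FORMAT: R - Canonical Path
FORMAT: C - Command Line

F: open_wr
S: deny
P: /etc/mtab
A: /etc/mtab
R: /etc/mtab
C: /bin/mount -s

F: mkdir
S: deny
P: /run/mount
A: /run/mount
R: /run/mount
C: /bin/mount -s

F: open_wr
S: deny
P: /run/mount/utab
A: /run/mount/utab
R: /run/mount/utab
C: /bin/mount -s
EOF
}

# Read a sandbox log on stdin and print one line per denied record:
# function<TAB>canonical path<TAB>command line
denied_records() {
    awk '
        /^F: / { f = substr($0, 4); s = r = ""; next }   # new record starts
        /^S: / { s = substr($0, 4); next }
        /^R: / { r = substr($0, 4); next }
        /^C: / {                                          # record complete
            if (s == "deny") printf "%s\t%s\t%s\n", f, r, substr($0, 4)
            next
        }
    '
}

# Read a sandbox log on stdin and print the shortest set of path prefixes
# covering every denied canonical path: /run/mount also covers
# /run/mount/utab, so only the directory is printed.
covering_prefixes() {
    denied_records | cut -f2 | LC_ALL=C sort -u | awk '
        {
            for (i = 1; i <= n; i++)
                if ($0 == keep[i] || index($0, keep[i] "/") == 1) next
            keep[++n] = $0
            print
        }
    '
}

echo "Denied calls (function, canonical path, command):"
sample_log | denied_records
echo "Shortest path prefixes covering every denial:"
sample_log | covering_prefixes
```

Every denial in the sample comes from the same command, `/bin/mount -s`, which is the configure probe the rest of the thread discusses.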
Which version are you using? emerge --info please.
Created attachment 337134 [details]
emerge --info

Here is the output from emerge --info. Probably more interesting is that I'm using sys-apps/openrc-0.11.8, where /var/run is migrated to /run. Maybe emerge automatically fakes writing permission (addpredict) to /var/run, but when it is moved to /run (and symlinked) it doesn't work anymore.
Created attachment 340836 [details] Full build.log
I'm having a similar problem, I've attached the build.log, here's emerge --info:
I reproduced this bug on x86 and amd64.

Try unmasking =sys-apps/sandbox-2.6 (~amd64 | ~x86).

After upgrading sandbox, autofs compiles cleanly with ldap use.
do NOT CC arch teams yourself, please. Just wait for maintainer's reply
Confirmed, it compiles with sandbox-2.6 which just throws the following message and just continues:

checking if mount accepts the -s option... * ACCESS DENIED: mkdir: /run/mount

So well, at least it compiles with sandbox-2.6.
*** Bug 463342 has been marked as a duplicate of this bug. ***
Reproduced with danbox-2.6-r1 and autofs 5.0.7
(In reply to comment #9)
> Reproduced with danbox-2.6-r1 and autofs 5.0.7

I take you refer to sandbox-2.6-r1?
(In reply to comment #10)
> (In reply to comment #9)
> > Reproduced with danbox-2.6-r1 and autofs 5.0.7
> I take you refer to sandbox-2.6-r1?

I can reproduce with sys-apps/sandbox-2.6-r1 and net-fs/autofs-5.0.7

=================================== emerge -av autofs ================

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild N ~] net-fs/autofs-5.0.7 USE="ldap -hesiod -mount-locking -sasl" 325 kB

Total: 1 package (1 new), Size of downloads: 325 kB

Would you like to merge these packages? [Yes/No]
>>> Verifying ebuild manifests
>>> Emerging (1 of 1) net-fs/autofs-5.0.7
>>> Jobs: 0 of 1 complete, 1 running Load avg: 0.39, 0.37, 0.27
(null)*(null) (null)ACCESS DENIED(null): open_wr: /run/mount/utab
>>> Failed to emerge net-fs/autofs-5.0.7, Log file:
>>> '/var/tmp/portage/net-fs/autofs-5.0.7/temp/build.log'
>>> Jobs: 0 of 1 complete, 1 failed Load avg: 0.39, 0.37, 0.27

* Package: net-fs/autofs-5.0.7
* Repository: gentoo
* Maintainer: gentoobugsie.20.dsurawicz@spamgourmet.com net-fs@gentoo.org,proxy-maint@gentoo.org
* USE: abi_x86_64 amd64 elibc_glibc kernel_linux ldap multilib userland_GNU
* FEATURES: sandbox
* Determining the location of the kernel source code
* Found kernel source directory:
* /usr/src/linux
* Found kernel object directory:
* /lib/modules/3.7.10-gentoo/build
* Found sources for kernel version:
* 3.7.10-gentoo
>>> Unpacking source...
>>> Unpacking autofs-5.0.7.tar.bz2 to /var/tmp/portage/net-fs/autofs-5.0.7/work
>>> Unpacking autofs-5.0.7-patches-1.tar.lzma to /var/tmp/portage/net-fs/autofs-5.0.7/work
>>> Source unpacked in /var/tmp/portage/net-fs/autofs-5.0.7/work
>>> Preparing source in /var/tmp/portage/net-fs/autofs-5.0.7/work/autofs-5.0.7 ...
* Applying various patches (bugfixes/updates) ...
* 0001_all_fix-nobind-sun-escaped-map-entries.patch ... [ ok ]
* 0002_all_fix-use-cache-entry-after-free-mistake.patch ... [ ok ]
* 0003_all_fix-ipv6-proximity-calculation.patch ... [ ok ]
* 0004_all_fix-parse-buffer-initialization.patch ... [ ok ]
* 0005_all_fix-typo-in-automount-8.patch ... [ ok ]
* 0006_all_include-usage-in-usage-message.patch ... [ ok ]
* 0007_all_dont-wait-forever-to-restart.patch ... [ ok ]
* 0008_all_add-timeout-option-description-to-man-p.patch ... [ ok ]
* 0009_all_fix-null-map-entry-order-handling.patch ... [ ok ]
* 0010_all_make-description-of-default-MOUNT_WAIT-.patch ... [ ok ]
* 0011_all_configure.in-allow-cross-compilation.patch ... [ ok ]
* 0012_all_README-update-mailing-list-subscription.patch ... [ ok ]
* 0013_all_allow-non-root-user-to-check-status.patch ... [ ok ]
* 0014_all_configure-allow-cross-compilation-updat.patch ... [ ok ]
* 0015_all_fix-recursive-mount-deadlock.patch ... [ ok ]
* 0016_all_increase-file-map-read-buffer-size.patch ... [ ok ]
* 0017_all_Handle-new-location-of-systemd.patch ... [ ok ]
* 0018_all_fix-map-entry-duplicate-offset-detectio.patch ... [ ok ]
* 0019_all_Allow-nsswitch.conf-to-not-contain-auto.patch ... [ ok ]
* Done with patching
* Applying autofs-5.0.3-heimdal.patch ... [ ok ]
* Applying autofs-5.0.6-respect-user-flags-and-fix-asneeded-r2.patch ... [ ok ]
* Applying autofs-5.0.5-fix-install-deadlink.patch ... [ ok ]
* Applying autofs-5.0.5-fix-building-without-ldap.patch ... [ ok ]
* Applying autofs-5.0.5-add-missing-endif-HAVE_SASL-in-modules-lookup_ldap.c.patch ... [ ok ]
* Applying autofs-5.0.6-revert-ldap.patch ... [ ok ]
* Running eautoreconf in '/var/tmp/portage/net-fs/autofs-5.0.7/work/autofs-5.0.7' ...
* Running autoconf ... [ ok ]
* Running autoheader ... [ ok ]
>>> Source prepared.
>>> Configuring source in /var/tmp/portage/net-fs/autofs-5.0.7/work/autofs-5.0.7 ...
./configure --prefix=/usr --build=x86_64-pc-linux-gnu --host=x86_64-pc-linux-gnu --mandir=/usr/share/man --infodir=/usr/share/info --datadir=/usr/share --sysconfdir=/etc --localstatedir=/var/lib --libdir=/usr/lib64 --with-confdir=/etc/conf.d --with-mapdir=/etc/autofs --with-openldap --without-sasl --without-hesiod --disable-mount-locking --enable-ignore-busy
checking for binaries in... /usr/bin:/bin:/usr/sbin:/sbin
checking for Linux proc filesystem... yes
checking location of the init.d directory... /etc/init.d
checking for autofs configuration file directory... /etc/conf.d
checking for autofs maps directory... /etc/autofs
checking for autofs fifos directory... /run
checking for autofs flag file directory... /run
checking for x86_64-pc-linux-gnu-gcc... x86_64-pc-linux-gnu-gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether x86_64-pc-linux-gnu-gcc accepts -g... yes
checking for x86_64-pc-linux-gnu-gcc option to accept ISO C89... none needed
checking if libtirpc is requested and available... no
checking if malloc debugging is wanted... no
checking for mount... /bin/mount
checking for mount.nfs... no
checking for umount... /bin/umount
checking for fsck.ext2... /sbin/fsck.ext2
checking for fsck.ext3... /sbin/fsck.ext3
checking for fsck.ext4... /sbin/fsck.ext4
checking for modprobe... /sbin/modprobe
checking for flex... /usr/bin/flex
checking for bison... /usr/bin/bison
checking for ranlib... /usr/bin/ranlib
checking for rpcgen... /usr/bin/rpcgen
checking for sssd autofs library... no
checking if mount accepts the -s option... yes
checking for xml2-config... /usr/bin/xml2-config
checking for libxml2... yes
checking for krb5-config... no
checking for Kerberos library... no
checking for yp_match in -lnsl... yes
checking for res_query in -lresolv... no
checking how to run the C preprocessor... x86_64-pc-linux-gnu-gcc -E
checking for grep that handles long lines and -e... /bin/grep
checking for egrep... /bin/grep -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking rpcsvc/nis.h usability... yes
checking rpcsvc/nis.h presence... yes
checking for rpcsvc/nis.h... yes
checking for ldap_initialize in -lldap... yes
checking for ldap_create_page_control in -lldap... yes
checking for ldap_parse_page_control in -lldap... yes
checking for x86_64-pc-linux-gnu-gcc... (cached) x86_64-pc-linux-gnu-gcc
checking whether we are using the GNU C compiler... (cached) yes
checking whether x86_64-pc-linux-gnu-gcc accepts -g... (cached) yes
checking for x86_64-pc-linux-gnu-gcc option to accept ISO C89... (cached) none needed
checking whether gcc -fPIE works... yes
configure: creating ./config.status
config.status: creating Makefile.conf
config.status: creating include/config.h
>>> Source configured.
(null)*(null) --------------------------- ACCESS VIOLATION SUMMARY ---------------------------
(null)*(null) LOG FILE: "/var/log/sandbox/sandbox-5674.log"
(null)*(null)
VERSION 1.0
FORMAT: F - Function called
FORMAT: S - Access Status
FORMAT: P - Path as passed to function
FORMAT: A - Absolute Path (not canonical)
FORMAT: R - Canonical Path
FORMAT: C - Command Line

F: open_wr
S: deny
P: /run/mount/utab
A: /run/mount/utab
R: /run/mount/utab
C: /bin/mount -s
(null)*(null) --------------------------------------------------------------------------------
I am seeing the same behavior with sandbox 2.6-r1 with autofs-5.0.7 failing to build:

* --------------------------- ACCESS VIOLATION SUMMARY ---------------------------
* LOG FILE: "/var/log/sandbox/sandbox-20129.log"
*
VERSION 1.0
FORMAT: F - Function called
FORMAT: S - Access Status
FORMAT: P - Path as passed to function
FORMAT: A - Absolute Path (not canonical)
FORMAT: R - Canonical Path
FORMAT: C - Command Line

F: open_wr
S: deny
P: /run/mount/utab
A: /run/mount/utab
R: /run/mount/utab
C: /bin/mount -s
* --------------------------------------------------------------------------------
This issue can be worked around like this:

# ebuild /usr/portage/net-fs/autofs/autofs-5.0.7.ebuild clean prepare
# sed -i 's:"$MOUNT" -s:true:' \
    /var/tmp/portage/net-fs/autofs-5.0.7/work/autofs-5.0.7/configure
# ebuild /usr/portage/net-fs/autofs/autofs-5.0.7.ebuild install

This “solution” is an ugly hack, so it's not fit for the portage tree. It assumes that your mount binary accepts the -s option, so you might want to verify that up front, by calling "mount -s" outside the ebuild and its sandbox.

One proper solution might be adding an AC_ARG_ENABLE rule to provide a --with-sloppy-mounts command line switch, and only executing the code from the AF_SLOPPY_MOUNT macro if neither --with-sloppy-mounts nor --without-sloppy-mounts was specified. Then the ebuild could depend on a version which does provide the -s option, and unconditionally enable sloppy mounts.

Note that even after doing this fix, the build failed for me once, but succeeded immediately afterwards. The failed build complained about missing symbols:

rpc_subs.c:67:9: error: ‘MOUNTVERS_NFSV3’ undeclared here (not in a function)
rpc_subs.c:68:9: error: ‘MOUNTVERS_POSIX’ undeclared here (not in a function)
rpc_subs.c:69:9: error: ‘MOUNTVERS’ undeclared here (not in a function)
rpc_subs.c:790:58: error: unknown type name ‘exports’
…

This appears to be due to a race condition in parallel builds. So to work around that issue, add MAKEOPTS=-j1 to the ebuild invocations. The problem is that lib/Makefile does not name mount.h as a dependency for rpc_subs.o. There might be other missing dependencies as well.
I get this same access violation in build 5.0.7. I tried the proposed hack in comment 13, but it did not work.
(In reply to comment #14)
> I get this same access violation in build 5.0.7. I tried the proposed hack
> in comment 13, but it did not work.

Why all the hacks when having an additional addpredict as stated in my initial suggestion solves the problem? Well, not at its root, but at least for the sandbox violation.

There is already an addpredict for mount's behavior in the ebuild:

addpredict "/etc/mtab"

so IMHO putting an additional

addpredict "/run/mount"

just below it shouldn't hurt more.

So Gentoo Devs or proxy maintainer, please add this line and let's close this bug. Thx.
I think the problem is clear: the sandbox violation should be "permitted" with an addpredict statement. I propose to apply the following patch to the ebuild, which makes the autofs ebuild working for me: --- autofs-5.0.7.ebuild 2013-03-25 20:27:27.000000000 +0100 +++ autofs-5.0.7-r1.ebuild 2013-04-02 22:02:23.002792899 +0200 @@ -70,6 +70,9 @@ # with >=sys-apps/util-linux-2.19, addpredict "/etc/mtab" + # work around bug #453778 (mount tries to open /run/mount/utab for writing) + addpredict "/run/mount/utab" + # --with-confdir is for bug #361481 # --with-mapdir is for bug #385113 # for systemd support (not enabled yet):
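Review bot: The added `addpredict "/run/mount/utab"` line predicts only the single file, so a build in which mount first has to create the directory (the `mkdir` on `/run/mount` denied in the log at the top of this report) is still stopped; predicting `/run/mount` instead would cover both the directory and the file beneath it. The new comment should also state what makes mount touch this path, the way the existing comment above `addpredict "/etc/mtab"` ties that line to `>=sys-apps/util-linux-2.19`, so the line can be dropped once configure no longer runs `mount -s`.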
(In reply to comment #16)
> I think the problem is clear:
> the sandbox violation should be "permitted" with an addpredict statement.
> I propose to apply the following patch to the ebuild, which makes the autofs
> ebuild working for me:

I think addpredict "/run/mount/utab" is too specific - it will not fix the mkdir: /run/mount violation in comment #7. As addpredict is making sandbox to silently ignore the write attempt and is not allowing to write there should be no security implication by adding /run/mount.
(In reply to comment #17)
>
> I think addpredict "/run/mount/utab" is too specific - it will not fix the
> mkdir: /run/mount violation in comment #7. As addpredict is making sandbox
> to silently ignore the write attempt and is not allowing to write there
> should be no security implication by adding /run/mount.

Basically you are right, would be no problem, but I think comment #7 has a copy/paste error....

BTW sorry for the double-post.
(In reply to comment #18)
> (In reply to comment #17)
> >
> > I think addpredict "/run/mount/utab" is too specific - it will not fix the
> > mkdir: /run/mount violation in comment #7. As addpredict is making sandbox
> > to silently ignore the write attempt and is not allowing to write there
> > should be no security implication by adding /run/mount.
>
> Basically you are right, would be no problem, but I think comment #7 has a
> copy/paste error....

I don't get the copy/paste error but mkdir /run/mount is the violation I got as well (comment #0). In my initial case it was a chroot-install but as /var/run moved to tmpfs /run the subdirectory /run/mount does not have to exist and mount wants to create it then. So this case should be covered as well.
Dustin, Per http://thread.gmane.org/gmane.linux.gentoo.devel/84831, please contact proxy-maint@gentoo.org with a valid e-mail address we can use for metadata.xml. Please use a valid e-mail address in bugzilla as well so others can contact you if needed.
(In reply to comment #20)
> Dustin,
>
> Per http://thread.gmane.org/gmane.linux.gentoo.devel/84831, please contact
> proxy-maint@gentoo.org with a valid e-mail address we can use for
> metadata.xml. Please use a valid e-mail address in bugzilla as well so
> others can contact you if needed.

I've changed my email address to the one I use for my overlay (DuPol@gmx.de).
(In reply to comment #16)

no, because that path can move around. the correct fix is to not run `mount -s` at all. you can run `mount -h` and grep the output instead.
(In reply to comment #22)
> you can run `mount -h` and grep the output instead.

At least on my system, “mount -h” will NOT report about the “-s” option, even though it IS supported. I considered that alternative as well, but it does not appear to be feasible here.

(In reply to comment #17)
> As addpredict is making sandbox
> to silently ignore the write attempt and is not allowing to write there
> should be no security implication by adding /run/mount.

But if mount fails to open that file, it will probably report an error itself, which in turn will be (incorrectly) interpreted by configure as an indication that mount does not support the “-s” switch.
Since this bug is still marked "unconfirmed", just thought I would add that I have been living with this one for awhile too, on x86_64, x86, and ppc32. I can provide more details if needed.
(In reply to comment #24)
> Since this bug is still marked "unconfirmed", just thought I would add that
> I have been living with this one for awhile too, on x86_64, x86, and ppc32.
> I can provide more details if needed.

The status field does not always reflect the reality but I changed it now
(In reply to comment #23)

looks like the older mount included it, but the new rewrite does not

$ mount --version
mount from util-linux 2.20.1 (with libblkid and selinux support)
$ mount --help | grep -e '^Other options.*-[[:alpha:]]*s'
Other options: [-nfFrsvw] [-o options] [-p passwdfd].

$ mount --version
mount from util-linux 2.22.2 (libmount 2.22.0: debug)
$ mount --help | grep -e-.*s
<nothing useful>

just update the ebuild to require a recent util-linux (we've had 2.20.x stable for over a year at this point) and then sed out the test to `true`.
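Comments #22 to #26 turn on how to learn whether mount accepts -s without executing `mount -s` inside the build. The script below is an added example, not code from autofs, its configure script or the ebuild: it decides from help and version text alone, using the two outputs quoted in the comment above. The function name, the verdict strings and the newer help text are constructed here, and the 2.20 threshold is the version proposed in this thread, taken as an assumption.

```sh
#!/bin/sh
# Added example (not from the bug report or from autofs): decide whether
# mount supports -s from text it prints, instead of executing `mount -s`,
# which is the call that wrote to /etc/mtab and /run/mount in this report.

# Help and version text quoted in the comment above.
OLD_HELP='Other options: [-nfFrsvw] [-o options] [-p passwdfd].'
OLD_VERSION='mount from util-linux 2.20.1 (with libblkid and selinux support)'
NEW_VERSION='mount from util-linux 2.22.2 (libmount 2.22.0: debug)'
# Constructed stand-in for a newer help text that does not list -s.
NEW_HELP='Usage:
 mount [-lhV]
 mount -a [options]
 mount [options] <source> <directory>'

# Assumption: util-linux at or above this version accepts -s. 2.20 is the
# version the thread proposes to depend on; this script does not verify it.
MIN_MAJOR=2
MIN_MINOR=20

# $1 = text of `mount --help`, $2 = text of `mount --version`.
# Prints one verdict:
#   listed   the help text itself names -s
#   assumed  not listed, but the version is at or above the threshold
#   unknown  neither source gives evidence
sloppy_mount_verdict() {
    help_text=$1
    version_text=$2

    # Old-style usage packs single-letter flags into one bracket: [-nfFrsvw]
    if printf '%s\n' "$help_text" |
        grep -Eq '\[-[[:alpha:]]*s[[:alpha:]]*\]'; then
        echo listed
        return 0
    fi

    # Extract "major minor" from "mount from util-linux X.Y[.Z] ...".
    ver=$(printf '%s\n' "$version_text" |
        sed -n 's/.*util-linux \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p' |
        head -n 1)
    if [ -z "$ver" ]; then
        echo unknown
        return 0
    fi
    major=${ver% *}
    minor=${ver#* }

    if [ "$major" -gt "$MIN_MAJOR" ] ||
        { [ "$major" -eq "$MIN_MAJOR" ] && [ "$minor" -ge "$MIN_MINOR" ]; }; then
        echo assumed
    else
        echo unknown
    fi
}

echo "util-linux 2.20.1: $(sloppy_mount_verdict "$OLD_HELP" "$OLD_VERSION")"
echo "util-linux 2.22.2: $(sloppy_mount_verdict "$NEW_HELP" "$NEW_VERSION")"
```

The "assumed" verdict is the weak point raised in comment #23: a version number is indirect evidence, which is why the thread moves on to an explicit configure switch.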
Created attachment 344338 [details, diff]
Add --enable-sloppy-mount option to configure

(In reply to comment #13)
> One proper solution might be adding an AC_ARG_ENABLE […]

Did that. With this patch in place (and configure recreated from it), the ebuild could depend on >=sys-apps/util-linux-2.20 and pass --enable-sloppy-mount to configure, thus preventing the call to mount used to autodetect this feature.

For reasons I still don't understand, simply applying this patch and letting the ebuild do its autoreconf apparently isn't enough to actually recreate the configure script. In my experiments I had to delete that script in order to let it get recreated. But I'm sure someone will know a proper way to handle this.

I guess this patch might be fit to be included upstream eventually. So once you decide to use it, I'd propose it upstream as well (unless someone else wants to). With a bit of luck we won't have to maintain this modification at the distro level forever.
(In reply to comment #27)

If this patch avoids the mount call at all, the addpredict "/etc/mtab" already present in the ebuild may become obsolete and could be removed. Seems to be a good way to go for me.
(In reply to comment #27)
> In my experiments I had to delete that script in order
> to let it get recreated.

I'm sorry, but what do you mean by that?

I just add an epatch entry in the src_prepare() section of the ebuild, and it continues to fail with the same error. So I suspect that you're right, that is not enough.
(In reply to comment #29)
> (In reply to comment #27)
> > In my experiments I had to delete that script in order
> > to let it get recreated.
>
> I'm sorry, but what do you mean by that?

I can't reproduce what I meant by this. I believe I originally had run either the ebuild prepare phase, or a manual "autoreconf" call in $S, and the option still didn't get included into the configure script. But now that works all right. The check is whether "configure --help" will describe "--enable-sloppy-mount".

(In reply to comment #29)
> I just add an epatch entry in the src_prepare() section of the ebuild, and
> it continues to fail with the same error. So I suspect that you're right,
> that is not enough.

The patch is intended to not modify default behaviour, in an attempt to make it fit for upstream inclusion. You have to do two modifications to the ebuild:

1. DEPEND on >=sys-apps/util-linux-2.20
2. add "--enable-sloppy-mount" to the arguments for econf
(In reply to comment #30)
> The patch is intended to not modify default behaviour, in an attempt to make it
> fit for upstream inclusion. You have to do two modifications to the ebuild:
> 1. DEPEND on >=sys-apps/util-linux-2.20
> 2. add "--enable-sloppy-mount" to the arguments for econf

OK, that did the trick. I just needed to do an ebuild clean to force it to recreate the configure script like you said. Thanks.

I still have the "ACCESS VIOLATION":

F: open_wr
S: deny
P: /run/mount/utab
A: /run/mount/utab
R: /run/mount/utab
C: /bin/mount -s

root@impala:/root(12)# qlist -Iv sandbox autofs util-linux
net-fs/autofs-5.0.6-r5
sys-apps/sandbox-2.6-r1
sys-apps/util-linux-2.22.2

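Added example (not from any commenter in this report): a small shell helper that extracts the denied calls from a sandbox log such as the one quoted above. It assumes the log file holds one F/S/P/A/R/C field per line; the function names and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example: list the denied accesses recorded in a sandbox log.
# Assumes one "X: value" field per line, a record starting at each "F:" line.

sandbox_denials() {
    # $1: log file. Prints function|canonical path|command line per denial.
    awk '
        function emit() {
            if (rec["S"] == "deny")
                printf "%s|%s|%s\n", rec["F"], rec["R"], rec["C"]
            split("", rec)                     # portable way to clear an array
        }
        /^F: /        { if ("F" in rec) emit() }   # next record begins
        /^[FSPARC]: / { rec[substr($0, 1, 1)] = substr($0, 4) }
        END           { if ("F" in rec) emit() }
    ' "$1"
}

sandbox_denied_paths() {
    # Unique canonical paths, e.g. to compare against the ebuild's addpredict list.
    sandbox_denials "$1" | cut -d'|' -f2 | sort -u
}

# Constructed sample modelled on the violation summaries quoted in this thread.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
VERSION 1.0
FORMAT: F - Function called
FORMAT: S - Access Status
F: open_wr
S: deny
P: /run/mount/utab
A: /run/mount/utab
R: /run/mount/utab
C: /bin/mount -s

F: mkdir
S: deny
P: /run/mount
A: /run/mount
R: /run/mount
C: /bin/mount -s
EOF

sandbox_denials "$SAMPLE_LOG"
```
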
I am afflicted by this problem as well. Having read the unfolding drama, I have to confess that I don't understand all of it. Life for me tends to involve "emerge" and USE flags, and that's as deep as I generally go. I have tried using:

ACCEPT_KEYWORDS="~x86" emerge -1 sandbox
emerge autofs

and still had pretty much the same problem, this ACCESS VIOLATION. I have never seen one of those before now either.

Guys, I could do with a fix or some workaround that mortals can use. I'm doing a virgin install on an x86 machine and I cannot install the automounter at all because of this problem. I'm happy enough to use arcane commands, but I need my hand holding somewhat with some step-by-step instructions. I did build a package manually once, but it was years ago and I cannot remember how to do it. Some guidance from an expert would be much appreciated.

(In reply to comment #33)
> I could do with […] some workaround that mortals can use. […] I'm happy
> enough to use arcane commands, but I need my hand holding somewhat with
> some step-by-step instructions.

Have you tried the commands from comment #13?

# export MAKEOPTS=-j1
# ebuild /usr/portage/net-fs/autofs/autofs-5.0.7.ebuild clean prepare
# sed -i 's:"$MOUNT" -s:true:' \
    /var/tmp/portage/net-fs/autofs-5.0.7/work/autofs-5.0.7/configure
# ebuild /usr/portage/net-fs/autofs/autofs-5.0.7.ebuild merge

This should be the easiest solution for end users, if it works. Comment #14 suggests problems with this, but perhaps that was because I originally omitted the MAKEOPTS from the instructions, and only did an install not a merge as the final step. If the above does not work, please let us know how it failed.

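Added example (not part of the original comments): the sed step of the recipe above wrapped in a check, because sed -i exits 0 even when the pattern matches nothing, in which case the unmodified configure would call mount again. The function names and the configure fragment are constructed for illustration; GNU sed is assumed.

```shell
#!/bin/sh
# Added example: apply the sed workaround from this thread and verify it.
# Assumes GNU sed (-i without a suffix argument), as on Gentoo.

neutralize_mount_probe() {
    # $1: configure script. Prints the number of probe lines rewritten.
    # Returns 2 if there was nothing to rewrite, 1 if a probe survived.
    conf=$1
    probe='"$MOUNT" -s'                    # literal text the sed recipe targets
    before=$(grep -cF -- "$probe" "$conf") || true
    if [ "${before:-0}" -eq 0 ]; then
        echo "no $probe call in $conf; nothing changed" >&2
        return 2
    fi
    sed -i 's:"$MOUNT" -s:true:' "$conf" || return 1
    if grep -qF -- "$probe" "$conf"; then
        echo "probe still present in $conf" >&2
        return 1
    fi
    echo "$before"
}

make_sample_configure() {
    # Constructed stand-in for the real script; only the probe text is from the thread.
    cat > "$1" <<'EOF'
MOUNT=/bin/mount
if "$MOUNT" -s > /dev/null 2>&1; then
    sloppy=yes
fi
EOF
}

demo=$(mktemp)
make_sample_configure "$demo"
neutralize_mount_probe "$demo"     # rewrites one line
grep -n 'if true' "$demo"          # the probe no longer runs mount
```
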
(In reply to comment #34)
> (In reply to comment #33)
> > I could do with […] some workaround that mortals can use. […] I'm happy
> > enough to use arcane commands, but I need my hand holding somewhat with
> > some step-by-step instructions.
>
> Have you tried the commands from comment #13?
>
> # export MAKEOPTS=-j1
> # ebuild /usr/portage/net-fs/autofs/autofs-5.0.7.ebuild clean prepare
> # sed -i 's:"$MOUNT" -s:true:' \
>     /var/tmp/portage/net-fs/autofs-5.0.7/work/autofs-5.0.7/configure
> # ebuild /usr/portage/net-fs/autofs/autofs-5.0.7.ebuild merge
>
> This should be the easiest solution for end users, if it works. Comment #14
> suggests problems with this, but perhaps that was because I originally
> omitted the MAKEOPTS from the instructions, and only did an install not a
> merge as the final step. If the above does not work, please let us know how
> it failed.

This recipe works here on several systems.

That does seem to have done the trick. Thank you so very very much, I am enormously grateful. Hopefully there will be a resolution that everyone can agree upon in the near future.
Proposed my patch upstream: http://thread.gmane.org/gmane.linux.kernel.autofs/6525
*** Bug 468324 has been marked as a duplicate of this bug. ***
Still getting sandbox ACCESS VIOLATION with net-fs/autofs-5.0.7-r1. Violation summary is identical to comment #12.
(In reply to comment #39)
> Still getting sandbox ACCESS VIOLATION with net-fs/autofs-5.0.7-r1. Violation
> summary is identical to comment #12.

of course you are. this bug has not been fixed yet

(In reply to comment #40)
> (In reply to comment #39)
> > Still getting sandbox ACCESS VIOLATION with net-fs/autofs-5.0.7-r1. Violation
> > summary is identical to comment #12.
>
> of course you are. this bug has not been fixed yet

My mistake, by the gmane thread, I wasn't sure if the patch was coming down to/by the maintainers or not. Just wanted to get on the CC.

*** Bug 468568 has been marked as a duplicate of this bug. ***
should be all set now in the tree; thanks for the report!

Commit message: Disable mount sloppy test since it violates the sandbox
http://sources.gentoo.org/net-fs/autofs/autofs-5.0.7-r1.ebuild?r1=1.1&r2=1.2
http://sources.gentoo.org/net-fs/autofs/files/autofs-5.0.7-mount-sloppy.patch?rev=1.1

(In reply to comment #43)
> should be all set now in the tree; thanks for the report!
>
> Commit message: Disable mount sloppy test since it violates the sandbox
> http://sources.gentoo.org/net-fs/autofs/autofs-5.0.7-r1.ebuild?r1=1.1&r2=1.2
> http://sources.gentoo.org/net-fs/autofs/files/autofs-5.0.7-mount-sloppy.patch?rev=1.1

Thx. But please add the fix to autofs-5.0.6 as well, as 5.0.7 is not working with nfs shares (see Bug 463718) and probably many people will not use it before this is fixed.

*** Bug 472588 has been marked as a duplicate of this bug. ***
*** Bug 481086 has been marked as a duplicate of this bug. ***