Bug 538280 - sys-apps/sandbox-2.6-r1: check_syscall():879: failure (No such file or directory)
Status: RESOLVED NEEDINFO
Alias: None
Product: Portage Development
Classification: Unclassified
Component: Sandbox
Hardware: x86 Linux
Importance: Normal normal
Assignee: Sandbox Maintainers
Reported: 2015-01-30 19:28 UTC by Alex Efros
Modified: 2016-02-21 18:53 UTC (History)
Description Alex Efros 2015-01-30 19:28:57 UTC
I have this issue only on two x86 servers; one more amd64 server (configured in the same way and with the same version of sandbox) doesn't have this issue.

After upgrading mysql to 5.6 it started complaining about using passwords on the command line, so I've updated my tool to use a custom my.cnf file generated on-the-fly instead. While emerging it (package =dev-perl/Narada-1.3.15 from powerman overlay) I got this error while running tests:

t/narada-backup.t .......  * ../../sandbox-2.6/libsandbox/libsandbox.c:check_syscall():879: failure (No such file or directory):
 * ISE:
        abs_path: (null)
        res_path: (null)

I'm pretty sure this happens because of that mysql password-related change which I made in the narada-mysqldump tool called by this test.

Simplified perl code which triggers sandbox is:

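    use File::Temp qw(tempfile);
    use Fcntl qw(F_SETFD);

    # $user, $pass and $db are not shown in this simplified excerpt.
    # tempfile() in scalar context returns only the handle; the file is unlinked (step 2 below).
    my $mycnf = tempfile(DIR=>'tmp');
    print {$mycnf} "[client]\n";
    print {$mycnf} "user     = $user\n";
    print {$mycnf} "password = $pass\n";
    $mycnf->flush;
    sysseek $mycnf, 0, 0;
    fcntl $mycnf, F_SETFD, 0;    # clear FD_CLOEXEC so the child inherits the descriptor
    my $fd = fileno $mycnf;
    system("mysqldump --defaults-file=/proc/self/fd/\Q$fd\E \Q$db\E ...");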

It does this:
1. create file with random name in tmp/ subdir
2. unlink that file (without closing its file descriptor)
3. write my.cnf-like configuration into that file
4. flush it, seek to beginning
5. set FD_CLOEXEC on it to 0
6. run mysqldump --defaults-file=/proc/self/fd/<thisfd> ...
All this hackery is just to make sure this temporary my.cnf won't be accessed by someone else and won't be left on disk in case of crash.

So, sandbox's error message makes some sense - mysqldump really accesses a non-existing file using the provided file descriptor. But this is legal POSIX code and sandbox should support this use case.



Portage 2.2.14 (python 3.3.5-final-0, hardened/linux/x86, gcc-4.8.3, glibc-2.19-r1, 3.17.7-hardened-r1 i686)
=================================================================
System uname: Linux-3.17.7-hardened-r1-i686-Intel-R-_Xeon-R-_CPU_X5680_@_3.33GHz-with-gentoo-2.2
KiB Mem:    16613200 total,    424420 free
KiB Swap:    4194300 total,   4164156 free
Timestamp of tree: Fri, 30 Jan 2015 18:15:01 +0000
ld GNU ld (Gentoo 2.24 p1.4) 2.24
app-shells/bash:          4.2_p53
dev-lang/perl:            5.20.1-r4
dev-lang/python:          2.7.9-r1, 3.3.5-r1
dev-util/cmake:           2.8.12.2-r1
dev-util/pkgconfig:       0.28-r1
sys-apps/baselayout:      2.2
sys-apps/openrc:          0.13.8
sys-apps/sandbox:         2.6-r1
sys-devel/autoconf:       2.13, 2.69
sys-devel/automake:       1.11.6-r1, 1.13.4
sys-devel/binutils:       2.24-r3
sys-devel/gcc:            4.8.3
sys-devel/gcc-config:     1.7.3
sys-devel/libtool:        2.4.4
sys-devel/make:           4.0-r1
sys-kernel/linux-headers: 3.16 (virtual/os-headers)
sys-libs/glibc:           2.19-r1
Repositories: gentoo perl-experimental-snapshots powerman local
ACCEPT_KEYWORDS="x86"
ACCEPT_LICENSE="*"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=native -O2 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /service /usr/inferno/keydb /usr/inferno/lib /usr/inferno/services /usr/share/easy-rsa /usr/share/gnupg/qualified.txt /var/log /var/qmail/alias /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=native -O2 -pipe"
DISTDIR="/usr/portage-distfiles"
EMERGE_DEFAULT_OPTS="--with-bdeps=y --autounmask-write"
FCFLAGS="-march=native -O2 -pipe"
FEATURES="assume-digests binpkg-logs clean-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-march=native -O2 -pipe"
GENTOO_MIRRORS="http://mirror.qubenet.net/mirror/gentoo/ http://mirrors.linuxant.fr/distfiles.gentoo.org/ http://mirror.leaseweb.com/gentoo/ http://mirror.bytemark.co.uk/gentoo/ http://gentoo.modulix.net/gentoo/"
LANG="en_US.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j25"
PKGDIR="/usr/portage-packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_EXTRA_OPTS="--exclude ChangeLog --delete-excluded"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/var/lib/layman/perl-experimental-snapshots /var/lib/layman/powerman /usr/local/portage"
SYNC="rsync://rsync.uk.gentoo.org/gentoo-portage"
USE="adns aes bash-completion berkdb bzip2 caps cli cracklib crypt cxx dri fontconfig gdbm gif gnutls gpg hardened iconv icu idn ipv6 jpeg jpeg2k mbox mmx mmxext mng modules ncurses network-cron nls nptl openmp pam pax_kernel pcre perl pic png popcnt readline session spell sse sse2 sse3 sse4_1 sse4_2 ssl ssse3 svg tcpd tiff truetype udev unicode urandom vim-syntax x86 xattr xtpax zlib" ABI_X86="32" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="log_config vhost_alias autoindex alias rewrite dir deflate filter mime negotiation auth_basic authn_file authz_host authz_user authz_groupfile cgi actions headers env setenvif" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="aes mmx mmxext popcnt sse sse2 sse3 sse4_1 sse4_2 ssse3" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ublox ubx" GRUB_PLATFORMS="efi-64 pc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LINGUAS="en" NGINX_MODULES_HTTP="access auth_basic autoindex browser charset empty_gif fastcgi geo gzip limit_conn limit_req map memcached proxy referer rewrite scgi split_clients ssi upstream_ip_hash userid uwsgi fancyindex" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-5" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_3" RUBY_TARGETS="ruby19 ruby20" USERLAND="GNU" VIDEO_CARDS="apm ark chips cirrus cyrix dummy fbdev glint i128 i740 intel mach64 mga nsc nv r128 
radeon rendition s3 s3virge savage siliconmotion sis sisusb tdfx tga trident tseng v4l vesa via vmware nouveau" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, USE_PYTHON
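An added shell illustration of the six steps in the description above (not part of the original report and not the Narada code): `cat` stands in for `mysqldump --defaults-file=...`, and the fixed descriptor number 9, the function names and the credentials are constructed for the example. It assumes Linux with /proc mounted.

```shell
#!/bin/sh
# Added example: hand a secret config to a child process through an
# unlinked temp file, so the password is neither in argv nor left on disk.

# Steps 1-3: create a 0600 temp file, open fd 9 on it, unlink it, write the config.
open_anon_cnf() {
    cnf_path=$(mktemp "${TMPDIR:-/tmp}/mycnf.XXXXXX") || return 1
    exec 9<>"$cnf_path"          # shell-opened fds are inherited by children
    rm -f -- "$cnf_path"         # the name is gone, the inode lives while fd 9 is open
    printf '[client]\nuser     = %s\npassword = %s\n' "$1" "$2" >&9
}

# Step 6: the child opens /proc/self/fd/9. That is a fresh open() of the same
# inode, so it starts reading at offset 0 regardless of the writer's position.
child_reads_cnf() {
    cat /proc/self/fd/9
}

# What a path-resolving wrapper sees: the link target no longer exists on disk.
cnf_link_target() {
    readlink /proc/self/fd/9
}

# Closing the last descriptor frees the inode and its contents.
close_cnf() {
    exec 9>&-
}

# Demo run with constructed credentials.
open_anon_cnf demo_user demo_pass
if [ -e "$cnf_path" ]; then echo "name still on disk"; else echo "name removed"; fi
echo "fd 9 -> $(cnf_link_target)"
child_reads_cnf
close_cnf
```

The link target ends in " (deleted)", which is the non-existent path the sandbox message refers to. The file cannot be reached by name, but any process with ptrace-level access to the holder (typically same UID or root) can still open the descriptor through /proc while it is open.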
Comment 1 SpanKY gentoo-dev 2015-12-23 05:47:18 UTC
that perl code doesn't run.  please attach a fully functional test script.  even better, write it in bash ;).

could you try out sandbox-2.10-r1 to see if it improves things ?
Comment 2 Alex Efros 2016-02-21 09:08:54 UTC
Sorry, I don't have x86 servers at hand anymore. Is there any easy way to test it - maybe docker image with 32-bit gentoo?
Comment 3 SpanKY gentoo-dev 2016-02-21 17:42:57 UTC
i have 32bit chroots that i build in and have never seen this problem.  i tried your code too and it didn't fail for me.
Comment 4 Alex Efros 2016-02-21 18:53:16 UTC
Well… then just close this. If it ever happens again - someone will notice this.