I get this with ebuild dev-python/pycparser clean install
Created attachment 409934 [details] pycparser-2.14:20150823-135804.log.xz debug build log
Just a guess: Did you recently switch from app-misc/pax-utils[-seccomp] to app-misc/pax-utils[seccomp]? Linux profiles were recently changed to enable seccomp by default, so that may have happened through no action on your part.
(In reply to Mike Gilbert from comment #2)
> Just a guess: Did you recently switch from app-misc/pax-utils[-seccomp] to
> app-misc/pax-utils[seccomp]?
>
> Linux profiles were recently changed to enable seccomp by default, so that
> may have happened through no action on your part.
yes, confirmed. This happens with app-misc/pax-utils[seccomp].
Can you provide your running kernel config?
Created attachment 409946 [details, diff] config.gz kernel config
*** Bug 558414 has been marked as a duplicate of this bug. ***
if you run scanelf by hand, does it work ? might be the sandbox triggering syscalls that normally scanelf itself doesn't. i might have to add a debug flag so that it'll report the actual failing syscall ...
(In reply to SpanKY from comment #7)
> if you run scanelf by hand, does it work ? might be the sandbox triggering
> syscalls that normally scanelf itself doesn't. i might have to add a debug
> flag so that it'll report the actual failing syscall ...
It is failing only inside the ebuild/sandbox scope. Also adding it to src_install() makes it fail. Running it manually is fine. How do I add some debugging flags? I don't see anything in the manual.
Okay, FEATURES=fakeroot is triggering this
[I] sys-apps/fakeroot
     Available versions:  1.18.4 1.19 (~)1.20 1.20.2 {acl debug static-libs test}
     Installed versions:  1.20.2(16:06:31 23/10/14)(acl -debug -static-libs -test)
     Homepage:            http://packages.qa.debian.org/f/fakeroot.html
     Description:         A fake root environment by means of LD_PRELOAD and SysV IPC (or TCP) trickery
(In reply to Justin Lecher from comment #9)
> Okay, FEATURES=fakeroot is triggering this
>
> [I] sys-apps/fakeroot
> Available versions: 1.18.4 1.19 (~)1.20 1.20.2 {acl debug static-libs
> test}
> Installed versions: 1.20.2(16:06:31 23/10/14)(acl -debug -static-libs
> -test)
> Homepage: http://packages.qa.debian.org/f/fakeroot.html
> Description: A fake root environment by means of LD_PRELOAD and
> SysV IPC (or TCP) trickery
Unlike Justin, I can reproduce by running it manually on my SGI Octane (MIPS):
# scanelf
Bad system call
Only odd bit is, my Octane is running MIPS n32 userland...though I thought sys_seccomp was implemented in N32. Think this is a kernel problem I need to address with upstream? For now, I'll rebuild with USE="-seccomp" as a workaround, which fixes the problem. Doubt it's needed on this class of systems anyways.
(In reply to Joshua Kinard from comment #10)
>
> Unlike Justin, I can reproduce by running it manually on my SGI Octane
> (MIPS):
>
> # scanelf
> Bad system call
>
> Only odd bit is, my Octane is running MIPS n32 userland...though I thought
> sys_seccomp was implemented in N32. Think this is a kernel problem I need
> to address with upstream? For now, I'll rebuild with USE="-seccomp" as a
> workaround, which fixes the problem. Doubt it's needed on this class of
> systems anyways.
Forgot the small strace output:
execve("/usr/bin/scanelf", ["scanelf"], [/* 28 vars */]) = 0
brk(0) = 0x10100000
uname({sysname="Linux", nodename="<REDACTED>", ...}) = 0
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=34651, ...}) = 0
mmap(NULL, 34651, PROT_READ, MAP_PRIVATE, 3, 0) = 0x771e0000
close(3) = 0
open("/usr/lib32/libseccomp.so.2", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\1\2\1\0\0\0\0\0\0\0\0\0\0\3\0\10\0\0\0\1\0\0r\0\0\0\0004"..., 512) = 512
fstat(3, {st_mode=S_IFREG|0755, st_size=107688, ...}) = 0
mmap(NULL, 168416, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x771b0000
mmap(0x771d0000, 65536, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x10000) = 0x771d0000
close(3) = 0
open("/lib32/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\1\2\1\0\0\0\0\0\0\0\0\0\0\3\0\10\0\0\0\1\0\1\235\330\0\0\0004"..., 512) = 512
lseek(3, 800, SEEK_SET) = 800
read(3, "\0\0\0\4\0\0\0\20\0\0\0\1GNU\0\0\0\0\0\0\0\0\2\0\0\0\6\0\0\0 ", 32) = 32
fstat(3, {st_mode=S_IFREG|0755, st_size=1625524, ...}) = 0
mmap(NULL, 1605344, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x77020000
mprotect(0x77190000, 65536, PROT_NONE) = 0
mmap(0x771a0000, 65536, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x170000) = 0x771a0000
close(3) = 0
set_thread_area(0x7723c5a0) = 0
munmap(0x771e0000, 34651) = 0
prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) = 0
prctl(PR_SET_SECUREBITS, SECBIT_NOROOT|SECBIT_NOROOT_LOCKED|SECBIT_NO_SETUID_FIXUP|SECBIT_NO_SETUID_FIXUP_LOCKED|SECBIT_KEEP_CAPS_LOCKED) = 0
unshare(CLONE_NEWUTS|CLONE_NEWIPC) = 0
brk(0) = 0x10100000
brk(0x10130000) = 0x10130000
prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, {len = 44, filter = 0x10103570}) = 0
fstat(1, <unfinished ...>
--- SIGSYS {si_signo=SIGSYS, si_code=SYS_SECCOMP, si_pid=0, si_uid=1997537564} ---
+++ killed by SIGSYS +++
Bad system call
Created attachment 410026 [details, diff]
signal log patch
try using this patch to get a log of what syscall is failing
scanelf: seccomp violated: syscall 68
scanelf: syscall = msgget
scanelf: seccomp violated: syscall 68
scanelf: syscall = msgget
scanelf: seccomp violated: syscall 68
scanelf: syscall = msgget
scanelf: seccomp violated: syscall 68
scanelf: syscall = msgget
scanelf: seccomp violated: syscall 68
scanelf: syscall = msgget
scanelf: seccomp violated: syscall 68
scanelf: syscall = msgget
scanelf: seccomp violated: syscall 68
scanelf: syscall = msgget
(In reply to SpanKY from comment #12)
> Created attachment 410026 [details, diff]
> signal log patch
>
> try using this patch to get a log of what syscall is failing
Won't compile on MIPS:
In file included from security.c:8:0:
security.c: In function 'pax_seccomp_sigal':
security.c:47:43: error: 'siginfo_t' has no member named 'si_syscall'
warn("seccomp violated: syscall %i", info->si_syscall);
^
paxinc.h:113:61: note: in definition of macro 'warn'
fprintf(stderr, "%s%s%s: " fmt "\n", RED, argv0, NORM , ## args)
^
security.c:50:68: error: 'siginfo_t' has no member named 'si_syscall'
warn(" syscall = %s", seccomp_syscall_resolve_num_arch(arch, info->si_syscall));
^
(In reply to Justin Lecher from comment #13)
i guess fakeroot utilizes Sys V IPC. i wonder if there's a way to detect that fakeroot is active in the processes' VM space.
(In reply to Joshua Kinard from comment #14)
glibc is broken. clone that into a diff bug.
(In reply to SpanKY from comment #15)
> (In reply to Joshua Kinard from comment #14)
i've moved that upstream actually:
https://sourceware.org/bugzilla/show_bug.cgi?id=18863
Comment on attachment 410026 [details, diff]
signal log patch
i've pushed a cleaned up version of this:
http://gitweb.gentoo.org/proj/pax-utils.git/commit/?id=9d0a60f489c17e47e08aa5ec09da8d7049e402ea
http://gitweb.gentoo.org/proj/pax-utils.git/commit/?id=bcb6683c56d9646e12881a6b59bc740e6004e663
Created attachment 410172 [details, diff]
pax-utils-fakeroot.patch
try this for the fakeroot failures
(In reply to SpanKY from comment #18)
> Created attachment 410172 [details, diff]
> pax-utils-fakeroot.patch
>
> try this for the fakeroot failures
Same problem as before.
(In reply to Justin Lecher from comment #19)
you still get bad syscall for msgget ? or you get a different syscall error ? please post the log.
(In reply to SpanKY from comment #20)
> (In reply to Justin Lecher from comment #19)
>
> you still get bad syscall for msgget ? or you get a different syscall error
> ? please post the log.
You are right:
scanelf: seccomp violated: syscall 64
scanelf: syscall = semget
It is another one now.
(In reply to Justin Lecher from comment #21)
so keep adding syscalls like in my patch until it works and then let me know which ones those were. no point in me adding one at a time in new patches.
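The triage loop in the comments above (read the strace or scanelf output, name the blocked syscall, extend the allow list, repeat) can be scripted. This is an added example, not part of the original thread or of pax-utils; the function names and the embedded sample lines are constructed for illustration.

```python
import re

# Constructed sample input, modelled on the strace and scanelf lines quoted in this thread.
STRACE_SAMPLE = """\
prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, {len = 44, filter = 0x10103570}) = 0
fstat(1, <unfinished ...>
--- SIGSYS {si_signo=SIGSYS, si_code=SYS_SECCOMP, si_pid=0, si_uid=1997537564} ---
+++ killed by SIGSYS +++
"""
SCANELF_SAMPLE = """\
scanelf: seccomp violated: syscall 68
scanelf:   syscall = msgget
scanelf: seccomp violated: syscall 68
scanelf:   syscall = msgget
scanelf: seccomp violated: syscall 64
scanelf:   syscall = semget
"""

# Optional "[pid N]" or bare pid prefix that strace -f puts in front of each line.
_PREFIX = r"^(?:\[pid\s+\d+\]\s+|\d+\s+)?"
# A strace call line: captures the syscall name before the opening parenthesis.
_CALL = re.compile(_PREFIX + r"([a-z_][a-z0-9_]*)\(")
# The signal line strace prints when a seccomp filter raises SIGSYS.
_SIGSYS = re.compile(_PREFIX + r"--- SIGSYS \{.*si_code=SYS_SECCOMP")
# A "seccomp violated" report followed by its "syscall = name" line.
_VIOLATION = re.compile(r"seccomp violated: syscall (\d+)\s+\S+\s+syscall = (\S+)")


def blocked_from_strace(text):
    """Names of the syscalls on the last call line before each seccomp SIGSYS."""
    blocked, last_call = [], None
    for line in text.splitlines():
        if _SIGSYS.match(line):
            if last_call and last_call not in blocked:
                blocked.append(last_call)
            continue
        m = _CALL.match(line)
        if m:
            last_call = m.group(1)
    return blocked


def blocked_from_scanelf(text):
    """Map syscall number -> name from scanelf's violation log, deduplicated."""
    return {int(num): name for num, name in _VIOLATION.findall(text)}


def allowlist_entries(names):
    """Render candidate SCMP_SYS() lines, sorted, for a human to review."""
    return [f"SCMP_SYS({name})," for name in sorted(set(names))]
```

The rendered entries are candidates only; each one still needs a reason (sandbox, fakeroot, libc) recorded next to it before it goes into the filter.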
(In reply to SpanKY from comment #16)
> (In reply to SpanKY from comment #15)
> > (In reply to Joshua Kinard from comment #14)
>
> i've moved that upstream actually:
> https://sourceware.org/bugzilla/show_bug.cgi?id=18863
I am assuming this upstream glibc bug is specific to the missing si_syscall bits, and not related to the fact that MIPS N32 appears to not support the SYS_SECCOMP syscall correctly. Do you want me to file a separate Gentoo bug for the MIPS case? Recompiling pax-utils with -seccomp did work around the problem, but I suspect it's a bug that needs fixing somewhere, be it kernel or glibc. I'm updating my old O32 chroot right now, so in a few days (yes, it's that far behind), I'll re-check pax-utils on O32 to see if it is an O32 vs N32 problem.
(In reply to Joshua Kinard from comment #23) yes, file a sep bug for mips/seccomp runtime failures please
That's the full list for fakeroot @@ -118,6 +138,13 @@ static void pax_seccomp_init(bool allow_forking) /* Syscalls listed because of sandbox. */ SCMP_SYS(readlink), + + /* Syscalls listed because of fakeroot. */ + SCMP_SYS(msgget), + SCMP_SYS(semget), + SCMP_SYS(semop), + SCMP_SYS(msgsnd), + SCMP_SYS(msgrcv), }; int fork_syscalls[] = { SCMP_SYS(clone),
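Review bot: the five SysV IPC entries (msgget, semget, semop, msgsnd, msgrcv) are added to the base array next to readlink, ahead of fork_syscalls[], so every scanelf run is allowed to use message queues and semaphores, not only runs under fakeroot. Consider adding them only when fakeroot is actually present (comment 15 raises detecting it), or keeping them in a separate array like fork_syscalls[] that is appended on demand. The new comment "Syscalls listed because of fakeroot." would also be more useful if it referenced this bug, so the entries can be revisited later.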
(In reply to Justin Lecher from comment #25)
thanks, i've whitelisted those for now:
http://gitweb.gentoo.org/proj/pax-utils.git/commit/?id=c39a557a2b53f6fea61117d9b0d90ea51a738d6b
Same here, fakeroot patch does not help. I also get
scanelf
scanelf: seccomp_load failed: Invalid argument
* Scan ELF binaries for stuff ...
when simply calling scanelf (AMD64).
(In reply to Small_Penguin from comment #28)
that's an unrelated issue. please file a new bug.
Created new bug: https://bugs.gentoo.org/show_bug.cgi?id=558954