Bug 587746 - www-apache/mod_gnutls-0.7.5 sandbox violation
Summary: www-apache/mod_gnutls-0.7.5 sandbox violation
Status: RESOLVED NEEDINFO
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
: Normal normal
Assignee: Lars Wendler (Polynomial-C) (RETIRED)
Reported: 2016-07-02 03:52 UTC by MrSnivvel
Modified: 2017-02-04 21:24 UTC

Attachments
Build log for mod_gnutls-0.8.2 (mod_gnutls-0.8.2:20170204-203227.log.gz,5.51 KB, application/gzip)
2017-02-04 21:24 UTC, Navid Zamani
Description MrSnivvel 2016-07-02 03:52:00 UTC
Portage 2.3.0 (python 3.5.1-final-0, default/linux/amd64/13.0/developer, gcc-5.4.0, glibc-2.23-r2, 4.5.2-gentoo x86_64)
=================================================================
System uname: Linux-4.5.2-gentoo-x86_64-Intel-R-_Xeon-R-_CPU_X5650_@_2.67GHz-with-gentoo-2.2
KiB Mem:    55699868 total,  16067236 free
KiB Swap:    3906556 total,   3612420 free
Timestamp of repository gentoo: Sat, 02 Jul 2016 02:30:01 +0000
sh bash 4.3_p46
ld GNU ld (Gentoo 2.25.1 p1.1) 2.25.1
app-shells/bash:          4.3_p46::gentoo
dev-java/java-config:     2.2.0-r3::gentoo
dev-lang/perl:            5.22.2::gentoo
dev-lang/python:          2.7.11-r2::gentoo, 3.4.4::gentoo, 3.5.1-r3::gentoo
dev-util/cmake:           3.5.2-r1::gentoo
dev-util/pkgconfig:       0.29.1::gentoo
sys-apps/baselayout:      2.2-r1::gentoo
sys-apps/openrc:          0.21.1::gentoo
sys-apps/sandbox:         2.10-r2::gentoo
sys-devel/autoconf:       2.13::gentoo, 2.69-r2::gentoo
sys-devel/automake:       1.11.6-r2::gentoo, 1.12.6-r1::gentoo, 1.13.4-r1::gentoo, 1.14.1-r1::gentoo, 1.15-r2::gentoo
sys-devel/binutils:       2.25.1-r1::gentoo
sys-devel/gcc:            4.9.3::gentoo, 5.3.0::gentoo, 5.4.0::gentoo
sys-devel/gcc-config:     1.8-r1::gentoo
sys-devel/libtool:        2.4.6-r2::gentoo
sys-devel/make:           4.2.1::gentoo
sys-kernel/linux-headers: 4.5::gentoo (virtual/os-headers)
sys-libs/glibc:           2.23-r2::gentoo
Repositories:

gentoo
    location: /usr/portage
    sync-type: rsync
    sync-uri: rsync://rsync.gentoo.org/gentoo-portage
    priority: -1000

Local-Grotto
    location: /usr/local/portage
    masters: gentoo
    priority: 0

andy
    location: /var/lib/layman/andy
    masters: gentoo
    priority: 50

gamerlay
    location: /var/lib/layman/gamerlay
    masters: gentoo
    priority: 50

games-overlay
    location: /var/lib/layman/games-overlay
    masters: gentoo
    priority: 50

steam-overlay
    location: /var/lib/layman/steam-overlay
    masters: gentoo
    priority: 50

stuff
    location: /var/lib/layman/stuff
    masters: gentoo
    priority: 50

sunrise
    location: /var/lib/layman/sunrise
    masters: gentoo
    priority: 50

x11
    location: /var/lib/layman/x11
    masters: gentoo
    priority: 50

ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="*"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -mtune=native -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/lib64/libreoffice/program/sofficerc /usr/share/gnupg/qualified.txt /var/lib/hsqldb"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.6/ext-active/ /etc/php/apache2-php7.0/ext-active/ /etc/php/cgi-php5.6/ext-active/ /etc/php/cgi-php7.0/ext-active/ /etc/php/cli-php5.6/ext-active/ /etc/php/cli-php7.0/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-march=native -mtune=native -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs collision-protect config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox sfperms sign splitdebug strict test-fail-continue unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="en_US.UTF-8"
LDFLAGS="-Wl,--hash-style=gnu -Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j28"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
USE="X a52 aac account acl acpi addc aio alsa amd64 ao apache2 archive asio audit aura bash-completion berkdb branding bzip2 cairo caps cdda cddb cdr cg cgmanager cinder clang cleartype cli client cluster consolekit context corefonts cpudetection cracklib crypt cups curl custom-cflags custom-optimization cxx dbus declarative dhcp-tools dri drm dts dvd dvdr egl emboss encode evdev examples exif extensions extra extraengine faac fam ffmpeg firefox flac fontconfig fortran fpm fuse gallium games gbm gcj gd gdbm gif gimp glamor glance gles2 gnome-keyring gnutls gold gphoto2 gpm graphics gstreamer gtk gtk3 hbci hidpi horizon http humanities icedtea7 iconv inotify ipv6 jabber javascript jemalloc jingle jpeg keystone lame lcms ldap libcaca libcanberra libkms libnotify libsecret llvm-shared-libs logrotate lxc lzma lzo mad md5sum meanwhile metapost mmap mms mmx mmxext mng modules monitor mp3 mp4 mpeg mtp multilib music mysql mysqli mysqlnd ncat ncurses ndiff networkmanager neutron nls nova nping nptl nsplugin offensive ofx ogg omega omxil opcache opencl opencv openexr opengl openmp opus osmesa pam pango pcre pdf pdo pgo pipelight pkcs11 playlist png policykit postgres postproc ppds projectm pstricks publishers pulseaudio python python3 qos qrcode qt3support qt5 r600-llvm-compiler readline rfc3779 rtmp science sctp sdl seccomp secure-delete session shout smbtav2 snmp soap sockets source speex spell sphinx sse sse2 ssh ssl staging startup-notification streaming svc svg swift system-cairo system-icu system-jpeg system-sqlite systemd sysv-utils tcpd terminal tex4ht texi2html theora threads tiff tokudb tools truetype type1 udev udisks unicode upower usb usbredir utils uvm uxa vaapi vdpau vim-syntax virtualbox visio vorbis vpx wayland webkit2 webp widevine wxwidgets x264 x265 xa xattr xcb xcomposite xetex xindy xinerama xml xmlreader xmlrpc xmlwriter xmpp xorg xpm xscreensaver xslt xv xvfb xvid xvmc zenmap zip zlib zsh-completion" ABI_X86="64 32" ALSA_CARDS="ali5451 als4000 atiixp 
atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_core authn_dbm authn_file authz_core authz_dbm authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir env expires ext_filter file_cache filter headers include info log_config logio mime mime_magic negotiation proxy proxy_balancer proxy_connect proxy_fdpass proxy_fcgi proxy_http proxy_scgi proxy_wstunnel ratelimit rewrite setenvif slotmem_shm socache_shmcb speling status unique_id unixd userdir usertrack vhost_alias" APACHE2_MPMS="event" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="aes mmx mmxext popcnt sse sse2 sse3 sse4_1 sse4_2 ssse3" CURL_SSL="openssl" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ublox ubx" GRUB_PLATFORMS="emu efi-64 pc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LINGUAS="en en_US en_us" NGINX_MODULES_HTTP="access auth_basic autoindex browser charset empty_gif fastcgi geo gzip limit_conn limit_req map memcached proxy referer rewrite scgi split_clients ssi upstream_ip_hash userid uwsgi gunzip gzip_static metrics mp4 naxsi security realip stub_status pcre-jit" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-6 php7-0" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_5" QEMU_USER_TARGETS="i386 x86_64" RUBY_TARGETS="ruby20 ruby21 ruby22 ruby23" USERLAND="GNU" VIDEO_CARDS="nvidia 
intel" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CC, CPPFLAGS, CTARGET, CXX, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON

checking for permission to create network and user namespaces...  * ACCESS DENIED:  open_wr:      /proc/self/setgroups
no
checking whether to enable MSVA functionality... no
checking for apu-1-config... /usr/bin/apu-1-config
checking for apr_memcache_create in -laprutil-1... yes
configure: using ' -laprutil-1' for memcache
checking for pandoc... no
checking for markdown... no
checking for apache2... /usr/sbin/apache2
checking for curl... /usr/bin/curl
checking for softhsm2-util... no
checking for softhsm... no
checking that generated files are newer than configure... done
configure: creating ./config.status
config.status: creating Makefile
config.status: creating src/Makefile
config.status: creating test/Makefile
config.status: creating test/tests/Makefile
config.status: creating doc/Makefile
config.status: creating include/mod_gnutls.h
config.status: creating test/proxy_backend.conf
config.status: creating test/apache-conf/listen.conf
config.status: creating test/apache-conf/netns.conf
config.status: creating include/mod_gnutls_config.h
config.status: executing depfiles commands
config.status: executing libtool commands
---
Configuration summary for mod_gnutls:

   * mod_gnutls version:	0.7.5
   * Apache Modules directory:	/usr/lib64/apache2/modules
   * GnuTLS Library version:	3.4.13
   * SRP Authentication:	yes
   * MSVA Client Verification:	no
   * Build documentation:	no

---
>>> Source configured.
 * --------------------------- ACCESS VIOLATION SUMMARY ---------------------------
 * LOG FILE: "/var/log/sandbox/sandbox-14130.log"
 * 
VERSION 1.0
FORMAT: F - Function called
FORMAT: S - Access Status
FORMAT: P - Path as passed to function
FORMAT: A - Absolute Path (not canonical)
FORMAT: R - Canonical Path
FORMAT: C - Command Line

F: open_wr
S: deny
P: /proc/self/setgroups
A: /proc/self/setgroups
R: /proc/15421/setgroups
C: /usr/bin/unshare --net -r /bin/sh -c ip link set up lo && ip addr show 
 * --------------------------------------------------------------------------------
Comment 1 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2016-07-13 20:09:56 UTC
Please attach the full build.log file to this bug.
Comment 2 Navid Zamani 2017-02-04 21:24:46 UTC
Created attachment 462458
Build log for mod_gnutls-0.8.2

This problem still exists in 0.8.2. I attached the complete build log.

As we see, it happens during the configure phase, when it is

  checking for permission to create network and user namespaces...
  * ACCESS DENIED:  open_wr:      /proc/self/setgroups
  no

Also, bug #601228 is a duplicate of this bug.
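
The access-violation record quoted in the description uses the F/S/P/A/R/C fields listed in its FORMAT legend. The following is an added example, not part of the bug report and not code from sandbox or Portage: it parses such records and reduces each denial to a (function, path) signature so that the same violation can be matched across builds and duplicate reports. It assumes, from the order shown in the log above, that an `F:` line opens each record; the function names and the folding of `/proc/<pid>/` into `/proc/self/` are choices made for this example.

```python
import re
from collections import Counter

# Record copied from the violation summary quoted in this report.
SAMPLE_LOG = """\
VERSION 1.0
FORMAT: F - Function called
FORMAT: S - Access Status
FORMAT: P - Path as passed to function
FORMAT: A - Absolute Path (not canonical)
FORMAT: R - Canonical Path
FORMAT: C - Command Line

F: open_wr
S: deny
P: /proc/self/setgroups
A: /proc/self/setgroups
R: /proc/15421/setgroups
C: /usr/bin/unshare --net -r /bin/sh -c ip link set up lo && ip addr show
"""

FIELD = re.compile(r"^([FSPARC]): ?(.*)$")   # one-letter field, then its value
PROC_PID = re.compile(r"^/proc/\d+/")        # per-process part of a /proc path


def parse_records(text):
    """Split a sandbox log into one dict per violation, keyed by field letter."""
    records, current = [], None
    for line in text.splitlines():
        m = FIELD.match(line.rstrip())
        if not m:
            continue  # VERSION/FORMAT header lines, blanks, " * " decoration
        key, value = m.groups()
        if key == "F":  # assumption: F opens a new record
            current = {}
            records.append(current)
        if current is not None:
            current[key] = value
    return records


def denied_signatures(records):
    """Count denials by (function, path); the PID in /proc paths is folded away."""
    sigs = Counter()
    for r in records:
        if r.get("S") == "deny":
            path = PROC_PID.sub("/proc/self/", r.get("R", r.get("P", "")))
            sigs[(r.get("F"), path)] += 1
    return sigs
```
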