655300 – sys-cluster/keepalived-1.4.3 : sandbox issue

Bug 655300 - sys-cluster/keepalived-1.4.3 : sandbox issue

Summary: sys-cluster/keepalived-1.4.3 : sandbox issue

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	Current packages (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Cluster Team

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:	CVE-2018-19044, CVE-2018-19045, CVE-2018-19046, CVE-2018-19115
	Show dependency tree

Reported:	2018-05-08 19:48 UTC by Toralf Förster
Modified:	2018-11-21 09:08 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
emerge-info.txt (emerge-info.txt,16.33 KB, text/plain) 2018-05-08 19:48 UTC, Toralf Förster	Details
emerge-history.txt (emerge-history.txt,213.30 KB, text/plain) 2018-05-08 19:48 UTC, Toralf Förster	Details
etc.portage.tbz2 (etc.portage.tbz2,13.48 KB, application/x-bzip) 2018-05-08 19:48 UTC, Toralf Förster	Details
logs.tbz2 (logs.tbz2,11.98 KB, application/x-bzip) 2018-05-08 19:48 UTC, Toralf Förster	Details
sandbox-22556.log (sandbox-22556.log,283 bytes, text/plain) 2018-05-08 19:48 UTC, Toralf Förster	Details
sys-cluster:keepalived-1.4.3:20180508-194539.log (sys-cluster:keepalived-1.4.3:20180508-194539.log,14.46 KB, text/plain) 2018-05-08 19:48 UTC, Toralf Förster	Details
sys-cluster:keepalived-2.0.10-r1:20181116-161512.log (sys-cluster:keepalived-2.0.10-r1:20181116-161512.log,16.47 KB, text/plain) 2018-11-16 16:18 UTC, Agostino Sarubbo	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Toralf Förster gentoo-dev

2018-05-08 19:48:41 UTC

VERSION 1.0
FORMAT: F - Function called
FORMAT: S - Access Status
FORMAT: P - Path as passed to function
FORMAT: A - Absolute Path (not canonical)
FORMAT: R - Canonical Path
FORMAT: C - Command Line

F: open_wr
S: deny

  -------------------------------------------------------------------

  This is an unstable amd64 chroot image at a tinderbox (==build bot)
  name: 17.0-systemd_abi32+64-test_20180501-232814

  -------------------------------------------------------------------

gcc-config -l:
 [1] x86_64-pc-linux-gnu-7.3.0 *

Available Python interpreters, in order of preference:
  [1]   python3.5
  [2]   python2.7 (fallback)




emerge -qpv sys-cluster/keepalived
[ebuild  N    ] sys-cluster/keepalived-1.4.3  USE="ipv6 -dbus -debug -json -snmp"

Comment 1 Toralf Förster gentoo-dev

2018-05-08 19:48:44 UTC

Created attachment 530536 [details]
emerge-info.txt

Comment 2 Toralf Förster gentoo-dev

2018-05-08 19:48:47 UTC

Created attachment 530538 [details]
emerge-history.txt

Comment 3 Toralf Förster gentoo-dev

2018-05-08 19:48:50 UTC

Created attachment 530540 [details]
etc.portage.tbz2

Comment 4 Toralf Förster gentoo-dev

2018-05-08 19:48:53 UTC

Created attachment 530542 [details]
logs.tbz2

Comment 5 Toralf Förster gentoo-dev

2018-05-08 19:48:56 UTC

Created attachment 530544 [details]
sandbox-22556.log

Comment 6 Toralf Förster gentoo-dev

2018-05-08 19:48:59 UTC

Created attachment 530546 [details]
sys-cluster:keepalived-1.4.3:20180508-194539.log

Comment 7 Agostino Sarubbo gentoo-dev

2018-11-16 16:18:05 UTC

Created attachment 555334 [details]
sys-cluster:keepalived-2.0.10-r1:20181116-161512.log

I'm still hitting the bug with the 2.0.10-r1 version

Comment 8 Tomáš Mózes 2018-11-21 08:46:17 UTC

Cannot reproduce locally on (~)amd64 even after setting your FEATURES. It seems like keepalived tries to guess the init system: https://github.com/acassen/keepalived/blob/master/configure.ac#L2075

Since we ship our own openrc/systemd files, can you please test if the following works for you?

diff --git a/sys-cluster/keepalived/keepalived-2.0.10-r1.ebuild b/sys-cluster/keepalived/keepalived-2.0.10-r1.ebuild
index a9e8dd02900..21b1b911c6e 100644
--- a/sys-cluster/keepalived/keepalived-2.0.10-r1.ebuild
+++ b/sys-cluster/keepalived/keepalived-2.0.10-r1.ebuild
@@ -43,6 +43,7 @@ src_prepare() {
 src_configure() {
        STRIP=/bin/true \
        econf \
+               --with-init=custom \
                --with-kernel-dir=/usr \
                --enable-sha1 \
                --enable-vrrp \

This should prevent the /sbin/init call and disable init auto-detection.

Thank you!

Comment 9 Agostino Sarubbo gentoo-dev

2018-11-21 09:03:38 UTC

@cluster, since the suggested change works, I committed it.

Comment 10 Tomáš Mózes 2018-11-21 09:08:23 UTC

Thanks for testing ago.