Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 704848 - Sandbox violation during emerge will cause sandbox violations for all packages being built simultaneously with FEATURES=pid-sandbox due to SANDBOX_LOG collision
Summary: Sandbox violation during emerge will cause sandbox violations for all package...
Status: RESOLVED FIXED
Alias: None
Product: Portage Development
Classification: Unclassified
Component: Core (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Portage team
URL:
Whiteboard:
Keywords: InVCS
Depends on:
Blocks: 706142
  Show dependency tree
 
Reported: 2020-01-06 01:04 UTC by Thomas Deutschmann
Modified: 2020-04-21 07:47 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
pid-sandbox: mount private /var/log/sandbox (0001-pid-sandbox-mount-private-var-log-sandbox-bug-704848.patch,2.41 KB, patch)
2020-01-18 04:36 UTC, Zac Medico
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Deutschmann gentoo-dev Security 2020-01-06 01:04:38 UTC
When you allow portage to build more than one package simultaneously (--jobs 2) and one of this packages will cause a sandbox violation, all packages being built simultaneously will fail with (the same) sandbox violation.
Comment 1 Zac Medico gentoo-dev 2020-01-06 02:59:18 UTC
I think this must be triggered by FEATURES=pid-sandbox, since sandbox's _get_sb_log function puts the pid in the filename.
Comment 2 Zac Medico gentoo-dev 2020-01-06 03:20:17 UTC
It looks like there's no way to override the SANDBOX_LOG location, but since pid-sandbox requires a mount namespace anyway, we can bind mount a private directory to /var/log/sandbox.
Comment 3 Zac Medico gentoo-dev 2020-01-18 04:36:47 UTC
Created attachment 603640 [details, diff]
pid-sandbox: mount private /var/log/sandbox

After having written this patch, I think its better if we go ahead and add support in sandbox to override SANBOX_LOG, since otherwise we'll end up having sandbox output a log path located in /var/log/sandbox instead of the true location which is in ${PORTAGE_BUILDDIR}/sandbox_log with this patch.

> From efe2c5b55f60660e9ddb2b57381d11261f59e502 Mon Sep 17 00:00:00 2001
> From: Zac Medico <zmedico@gentoo.org>
> Date: Fri, 17 Jan 2020 19:23:16 -0800
> Subject: [PATCH] pid-sandbox: mount private /var/log/sandbox (bug 704848)
> 
> Create a private /var/log/sandbox since the pid namespace triggers
> log file name collision with a process in another pid namespace with
> the same pid.
> 
> TODO: Patch sandbox to allow portage to override SANDBOX_LOG, since
> otherwise sandbox violation messages will output a log path located
> in /var/log/sandbox instead of the true location which is in
> ${PORTAGE_BUILDDIR}/sandbox_log.
> 
> Bug: https://bugs.gentoo.org/704848
> Signed-off-by: Zac Medico <zmedico@gentoo.org>
> ---
>  lib/portage/process.py | 24 ++++++++++++++++++++++++
>  1 file changed, 24 insertions(+)
Comment 5 Larry the Git Cow gentoo-dev 2020-01-23 06:10:18 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/portage.git/commit/?id=1b18d8257ecd6c8c8f10c711b41a2be0fe7d587f

commit 1b18d8257ecd6c8c8f10c711b41a2be0fe7d587f
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2020-01-18 05:31:16 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2020-01-23 06:08:31 +0000

    doebuild: export SANDBOX_LOG=${T}/sandbox.log (bug 704848)
    
    In order to avoid a SANDBOX_LOG collision with another process
    having the same pid when pid-sandbox is enabled, export a
    unique SANDBOX_LOG value. The ${T} directory is a convenient
    location, since it is guaranteed to exist and be writable during
    relevant ebuild phases.
    
    Bug: https://bugs.gentoo.org/704848
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 lib/portage/package/ebuild/_config/special_env_vars.py | 4 ++--
 lib/portage/package/ebuild/doebuild.py                 | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
Comment 6 Larry the Git Cow gentoo-dev 2020-01-23 07:05:00 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=926daa64ce2932685e50c5b87ebe6e1f2578feb2

commit 926daa64ce2932685e50c5b87ebe6e1f2578feb2
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2020-01-23 06:54:10 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2020-01-23 07:04:32 +0000

    sys-apps/portage: Bump to version 2.3.85
    
     #615594 dosym: revert deprecated prefix compat
     #704256 emerge-webrsync: chmod 755 temp dir
     #704320 Add QA check for unresolved soname dependencies
     #704848 doebuild: export SANDBOX_LOG=${T}/sandbox.log
     #705986 solve pypy / pypy-exe dependency cycle
    
    Bug: https://bugs.gentoo.org/706142
    Bug: https://bugs.gentoo.org/615594
    Bug: https://bugs.gentoo.org/704256
    Bug: https://bugs.gentoo.org/704320
    Bug: https://bugs.gentoo.org/704848
    Bug: https://bugs.gentoo.org/705986
    Package-Manager: Portage-2.3.85, Repoman-2.3.20
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 sys-apps/portage/Manifest              |   1 +
 sys-apps/portage/portage-2.3.85.ebuild | 276 +++++++++++++++++++++++++++++++++
 2 files changed, 277 insertions(+)
Comment 7 Larry the Git Cow gentoo-dev 2020-01-23 17:59:41 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/genkernel.git/commit/?id=ae029bbb6836e5a68d87309f7e321dd1062f6c70

commit ae029bbb6836e5a68d87309f7e321dd1062f6c70
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-01-23 17:55:55 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-01-23 17:57:16 +0000

    sandbox: Set unique SANDBOX_LOG values to avoid collisions
    
    Bug: https://bugs.gentoo.org/704848
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 gen_funcs.sh | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)