Created attachment 873041 [details]
full build log

from the build log:

>>> Compiling source in /var/tmp/portage/dev-libs/nss-3.94/work/nss-3.94/nss ...
 * .arm: running multilib-minimal_abi_src_compile
 * Running compilation test to determine bit'ness
 * ERROR: dev-libs/nss-3.94::gentoo failed (compile phase):
 *   Failed to detect whether armv7a-unknown-linux-musleabihf-gcc builds 64bits or 32bits, disable distcc if you're using it, please

this fails from the src_nssbits() parts:

nssbits() {
	local cc cppflags="${1}CPPFLAGS" cflags="${1}CFLAGS"
	if [[ ${1} == BUILD_ ]]; then
		cc=$(tc-getBUILD_CC)
	else
		cc=$(tc-getCC)
	fi
	echo > "${T}"/test.c || die
	${cc} ${!cppflags} ${!cflags} -c "${T}"/test.c -o "${T}/${1}test.o" || die
	case $(file "${T}/${1}test.o") in
		*32-bit*x86-64*) echo USE_X32=1;;
		*64-bit*|*ppc64*|*x86_64*) echo USE_64=1;;
		*32-bit*|*ppc*|*i386*) ;;
		*) die "Failed to detect whether ${cc} builds 64bits or 32bits, disable distcc if you're using it, please";;
	esac
}

frankly, I'm not sure what really is going wrong with the detection. It certainly is possible to downgrade to =sys-apps/sandbox-2.37 and compile dev-libs/nss-3.94 happily.
Created attachment 873042 [details]
output from emerge --info

have my emerge --info for completion, the downgrade of sandbox to 2.37 solves the issue
Can you edit the ebuild to have this line after "${cc} ${!cppflags} ${!cflags} -c "${T}"/test.c -o "${T}/${1}test.o" || die":

echo $(file "${T}/${1}test.o")

then show us the new build.log
Created attachment 873044 [details, diff]
patch

If you meant it like this, it's not working:

>>> Compiling source in /var/tmp/portage/dev-libs/nss-3.94-r1/work/nss-3.94/nss ...
 * .arm: running multilib-minimal_abi_src_compile
 * Running compilation test to determine bit'ness
 * ERROR: dev-libs/nss-3.94-r1::musl failed (compile phase):
 *   Failed to detect whether armv7a-unknown-linux-musleabihf-gcc builds 64bits or 32bits, disable distcc if you're using it, please
 *
oh right, the output gets redirected. try:

die $(file "${T}/${1}test.o")
Created attachment 873045 [details]
strace -f sandbox file /var/tmp/portage/dev-libs/nss-3.94/temp/test.o
I think we need to allow faccessat2 in the file filter.
(In reply to Sam James from comment #6)
> I think we need to allow faccessat2 in the file filter.

The NSS ebuild should also pass `-S` to file as the input is trusted.
It would probably make sense to add more ABIs to the case statement in the nss ebuild so we can avoid doing the compile/file test altogether.
I think it is actually blocking "getuid32", which gets called by musl's faccessat wrapper when the kernel does not support faccessat2.

> 15139 faccessat2(AT_FDCWD, "/usr/share/misc/magic.mgc", F_OK, AT_EACCESS) = -1 ENOSYS (Function not implemented)
> 15139 getuid32() = ?
> 15139 +++ killed by SIGSYS +++
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dbbbf5f526aff28f9c8ba79c7a277bc3aa09398b

commit dbbbf5f526aff28f9c8ba79c7a277bc3aa09398b
Author:     Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2023-10-19 18:06:37 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2023-10-19 18:08:42 +0000

    sys-apps/file: add another seccomp fix for sandbox

    Bug: https://bugs.gentoo.org/728978
    Bug: https://bugs.gentoo.org/889046
    Bug: https://bugs.gentoo.org/915890
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 .../{file-5.45-r1.ebuild => file-5.45-r2.ebuild} | 2 +-
 .../file/files/file-5.45-seccomp-sandbox.patch | 48 ++++++++++++++++++++++
 2 files changed, 49 insertions(+), 1 deletion(-)
Please let me know if sys-apps/file-5.45-r2 resolves the issue.
sadly, it didn't work for me with =sys-apps/sandbox-2.38 and =sys-apps/file-5.45-r2:

>>> Compiling source in /var/tmp/portage/dev-libs/nss-3.94/work/nss-3.94/nss ...
 * .arm: running multilib-minimal_abi_src_compile
 * Running compilation test to determine bit'ness
 * ERROR: dev-libs/nss-3.94::gentoo failed (compile phase):
 *   Failed to detect whether armv7a-unknown-linux-musleabihf-gcc builds 64bits or 32bits, disable distcc if you're using it, please
 *
 * Call stack:
 *   ebuild.sh, line 136: Called src_compile
 *   environment, line 2265: Called multilib-minimal_src_compile
 *   environment, line 1428: Called multilib_foreach_abi 'multilib-minimal_abi_src_compile'
 *   environment, line 1695: Called multibuild_foreach_variant '_multilib_multibuild_wrapper' 'multilib-minimal_abi_src_compile'
 *   environment, line 1388: Called _multibuild_run '_multilib_multibuild_wrapper' 'multilib-minimal_abi_src_compile'
 *   environment, line 1386: Called _multilib_multibuild_wrapper 'multilib-minimal_abi_src_compile'
 *   environment, line 450: Called multilib-minimal_abi_src_compile
 *   environment, line 1422: Called multilib_src_compile
 *   environment, line 1928: Called nssbits
 *   environment, line 2136: Called die
 * The specific snippet of code:
 *   die "Failed to detect whether ${cc} builds 64bits or 32bits, disable distcc if you're using it, please"
 *
(In reply to Mike Gilbert from comment #9)
> I think it is actually blocking "getuid32", which gets called by musl's
> faccessat wrapper when the kernel does not support faccessat2.
>
> > 15139 faccessat2(AT_FDCWD, "/usr/share/misc/magic.mgc", F_OK, AT_EACCESS) = -1 ENOSYS (Function not implemented)
> > 15139 getuid32() = ?
> > 15139 +++ killed by SIGSYS +++

Oh right.

(In reply to tt_1 from comment #12)
> sadly, it didn't work for me with =sys-apps/sandbox-2.38 and
> =sys-apps/file-5.45-r2:
>

Please run the strace command again.
Oh, I bet it is failing on geteuid32 now. But please confirm with strace.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1a8e3a3717ff4d46c6c7b1d356ded751275c531d

commit 1a8e3a3717ff4d46c6c7b1d356ded751275c531d
Author:     Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2023-10-19 19:05:58 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2023-10-19 19:05:58 +0000

    sys-apps/file: seccomp: also allow geteuid and getegid

    Bug: https://bugs.gentoo.org/915890
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 .../file/{file-5.45-r2.ebuild => file-5.45-r3.ebuild} | 0
 sys-apps/file/files/file-5.45-seccomp-sandbox.patch | 18 +++++++++++++-----
 2 files changed, 13 insertions(+), 5 deletions(-)
Created attachment 873162 [details]
compressed strace
(In reply to tt_1 from comment #16)
> Created attachment 873162 [details]
> compressed strace

Looks like my guess was correct.

> [pid 15991] faccessat2(AT_FDCWD, "/usr/share/misc/magic.mgc", F_OK, AT_EACCESS) = -1 ENOSYS (Function not implemented)
> [pid 15991] getuid32() = 0
> [pid 15991] geteuid32() = ?

Please give file-5.45-r3 a spin.
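
Added example, not part of any comment in this thread: the diagnosis used in comments #9 and #17 (find the call strace logs just before `+++ killed by SIGSYS +++`) written as a shell filter. `find_seccomp_kills` and `sample_trace` are hypothetical names, and the sample lines are the excerpts quoted above plus one constructed kill line.

```shell
#!/bin/sh
# Added example; find_seccomp_kills and sample_trace are hypothetical names.
# Reads `strace -f` output on stdin. For every process killed by SIGSYS it
# prints the last system call logged for that pid (the one the filter
# rejected) and the last call that returned ENOSYS, if any.
find_seccomp_kills() {
    awk '
    {
        line = $0
        pid = "-"                                    # no pid prefix
        if (match(line, /^\[pid +[0-9]+\] /) || match(line, /^[0-9]+ +/)) {
            n = RLENGTH                              # "[pid N] " or "N "
            pid = substr(line, 1, n)
            gsub(/[^0-9]/, "", pid)
            line = substr(line, n + 1)
        }
        if (line ~ /^\+\+\+ killed by SIGSYS/) {
            printf "pid=%s blocked=%s", pid, ((pid in last) ? last[pid] : "unknown")
            if (pid in enosys) printf " after_enosys=%s", enosys[pid]
            printf "\n"
        } else if (match(line, /^[A-Za-z_][A-Za-z_0-9]*\(/)) {
            name = substr(line, 1, RLENGTH - 1)
            last[pid] = name
            if (line ~ /= -1 ENOSYS/) enosys[pid] = name
        }
    }'
}

# Constructed sample: the two excerpts quoted in the thread, with a final
# kill line added for pid 15991.
sample_trace() {
    cat <<'EOF'
15139 faccessat2(AT_FDCWD, "/usr/share/misc/magic.mgc", F_OK, AT_EACCESS) = -1 ENOSYS (Function not implemented)
15139 getuid32() = ?
15139 +++ killed by SIGSYS +++
[pid 15991] faccessat2(AT_FDCWD, "/usr/share/misc/magic.mgc", F_OK, AT_EACCESS) = -1 ENOSYS (Function not implemented)
[pid 15991] getuid32() = 0
[pid 15991] geteuid32() = ?
[pid 15991] +++ killed by SIGSYS +++
EOF
}

sample_trace | find_seccomp_kills
```

The `after_enosys` field points at the libc fallback path: the rejected call only happens because the preceding one is not implemented by the running kernel.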
=sys-apps/file-5.45-r3 does fix the compile of dev-libs/nss for me with =sys-apps/sandbox-2.38
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4a8259d53400b26766eec198df9ca9cf9dae9668

commit 4a8259d53400b26766eec198df9ca9cf9dae9668
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-12-16 08:37:15 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2023-12-16 09:53:24 +0000

    dev-libs/nss: disable seccomp sandbox for file(1) in bitness check

    We just built the file that file(1) is being used on, so it's entirely
    safe. We don't need the sandboxing here which leads to a confusing
    error if file(1) bails out.

    Bug: https://bugs.gentoo.org/915890
    Signed-off-by: Sam James <sam@gentoo.org>
    Closes: https://github.com/gentoo/gentoo/pull/34308
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 dev-libs/nss/nss-3.96.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
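
Added example, not the ebuild's code: one way a bitness check like nssbits could report "file(1) was killed or failed" separately from "unrecognised output", the confusing error the commit message above mentions. `classify_bits` is a hypothetical helper, and the `echo` call at the end stands in for `file -S` with constructed output.

```shell
#!/bin/sh
# Added example; classify_bits is a hypothetical helper, not Gentoo code.
# Runs the given command (in a build: file -S "${T}/test.o"), checks how it
# ended, and only then interprets its output.
# Returns 0 on success, 1 for unrecognised output, 2 if the command failed.
classify_bits() {
    status=0
    out=$("$@" 2>&1) || status=$?
    if [ "$status" -gt 128 ]; then
        # By shell convention, death by signal N is reported as 128+N.
        sig=$(kill -l "$status" 2>/dev/null) || sig=$((status - 128))
        echo "error: '$1' was killed by signal ${sig}; check its seccomp filter" >&2
        return 2
    elif [ "$status" -ne 0 ]; then
        echo "error: '$1' exited with status ${status}: ${out}" >&2
        return 2
    fi
    # Same patterns as the nssbits case statement quoted in this bug;
    # a plain 32-bit object prints nothing, as in the original.
    case ${out} in
        *32-bit*x86-64*) echo USE_X32=1 ;;
        *64-bit*|*ppc64*|*x86_64*) echo USE_64=1 ;;
        *32-bit*|*ppc*|*i386*) ;;
        *) echo "error: unrecognised output: ${out}" >&2
           return 1 ;;
    esac
}

# Constructed file(1) output, passed through echo so this runs anywhere.
classify_bits echo "test.o: ELF 64-bit LSB relocatable, ARM aarch64, version 1 (SYSV), not stripped"
```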
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5342a0ba4686d0d75f7bdbf4e8645fa607748d92

commit 5342a0ba4686d0d75f7bdbf4e8645fa607748d92
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-02-18 04:11:59 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-02-18 04:12:32 +0000

    dev-libs/nspr: sync bitness check from dev-libs/nss

    Pass -fno-lto to the compiler and -S to file, as we do in dev-libs/nss.

    Bug: https://bugs.gentoo.org/915890
    Bug: https://bugs.gentoo.org/917792
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/nspr/nspr-4.35-r2.ebuild | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)