Ticket #1321 (new defect)

Opened 4 years ago

Last modified 4 years ago

paludis/cave needs write access to /var/log/sandbox

Reported by: cmuelle8 Owned by:
Priority: Sometime Milestone:
Component: clients/cave Version: 2.2.0
Keywords: Cc:
Blocked By: Blocking:
Distribution: N/A

Description

The default install of sandbox uses root.root permissions for the directory

/var/log/sandbox

This will probably work well for portage emerges, but does not for paludis builds, since paludis drops privileges to the user 'paludisbuild'.

If a sandbox is in effect and cannot write to /var/log/sandbox the sandboxed process (and the sandbox) will be aborted and no log file will be written resulting in the build to fail.

TEST CASE: sudo -u paludisbuild sandbox bash paludisbuild@coltrane /etc/sandbox.d $ echo 1 > /proc/mtrr

  • ACCESS DENIED: open_wr: /proc/mtrr
  • ISE:write_logfile: unable to append logfile: /var/log/sandbox/sandbox-16870.log
  • ../../sandbox-2.6/libsandbox/libsandbox.c:check_syscall():879: failure (Ungültiger Dateideskriptor):
  • ISE:

abs_path: /proc/mtrr res_path: /proc/mtrr

/usr/lib64/libsandbox.so(+0xa252)[0x7f863fa76252] /usr/lib64/libsandbox.so(+0xa368)[0x7f863fa76368] /usr/lib64/libsandbox.so(+0x46e3)[0x7f863fa706e3] /usr/lib64/libsandbox.so(open+0x6c)[0x7f863fa74bcc] bash[0x47a552] bash(do_redirections+0x52)[0x450ab2] bash[0x451abd] bash(execute_command_internal+0xc5e)[0x452c7e] bash(execute_command+0x4e)[0x45450e] bash(reader_loop+0x202)[0x479602] /proc/16871/cmdline: bash

Sandboxed process killed by signal: Aborted

SEE ALSO:  https://bugs.gentoo.org/show_bug.cgi?id=537124

Change History

comment:1 Changed 4 years ago by cmuelle8

Pretty formatted test case:

sudo -u paludisbuild sandbox bash
paludisbuild@coltrane /etc/sandbox.d $ echo 1 > /proc/mtrr
 * ACCESS DENIED:  open_wr:      /proc/mtrr
 * ISE:write_logfile: unable to append logfile: /var/log/sandbox/sandbox-16870.log
 * ../../sandbox-2.6/libsandbox/libsandbox.c:check_syscall():879: failure (Ungültiger Dateideskriptor):
 * ISE:
	abs_path: /proc/mtrr
	res_path: /proc/mtrr
/usr/lib64/libsandbox.so(+0xa252)[0x7f863fa76252]
/usr/lib64/libsandbox.so(+0xa368)[0x7f863fa76368]
/usr/lib64/libsandbox.so(+0x46e3)[0x7f863fa706e3]
/usr/lib64/libsandbox.so(open+0x6c)[0x7f863fa74bcc]
bash[0x47a552]
bash(do_redirections+0x52)[0x450ab2]
bash[0x451abd]
bash(execute_command_internal+0xc5e)[0x452c7e]
bash(execute_command+0x4e)[0x45450e]
bash(reader_loop+0x202)[0x479602]
/proc/16871/cmdline: bash 

Sandboxed process killed by signal: Aborted
Note: See TracTickets for help on using tickets.