From: Daniel Drake <dsd@gentoo.org>
To: Sam Ravnborg <sam@ravnborg.org>
Cc: Michael Rasenberger <miraze@web.de>,
akpm@osdl.org, linux-kernel@vger.kernel.org
Subject: Re: 2.6.18-mm1 violates sandbox feature on linux distribution
Date: Fri, 13 Oct 2006 09:34:58 -0400 [thread overview]
Message-ID: <452F9602.1050906@gentoo.org> (raw)
In-Reply-To: <20061001104046.GA10205@uranus.ravnborg.org>
Sam Ravnborg wrote:
> Can you point to to some description of this sandbox feature.
> The error you point out looks pretty generic and should happen
> in several places - so I need to understand what problem I shall
> fix before trying to fix it.
It's basically a runtime linker hack (LD_PRELOAD?) which limits a
processes access to files to a certain portion of the filesystem. In
Gentoo's package compilation system, the compile processes are limited
in that they can only write to /var/tmp/portage/<packagename>
Writes onto other parts of the filesystem will cause the whole process
to bail out. Reads are OK. Compilation happens in
/var/tmp/portage/<packagename>/work and then installation happens in
/var/tmp/portage/<packagename>/image. When that is done, the package
manager moves the contents of image onto the real system (with sandbox
obviously disabled at this point).
> The point is that we have other places where we create temporary files
> so this should not be the only issue.
It should be noted that this issue is only related to compiling external
modules through kbuild. Actual kernel compilation is not done in the
sandbox.
If these other places have been introduced in 2.6.19 then yes there may
be other issues. However, this sandboxed module compilation system has
been working flawlessly for a long time now, so either those other
places don't matter or those build-paths simply don't happen in the
common cases.
This is a bigger problem for us now that this change has gone into
Linus' tree. Would you accept a patch to make this output to /dev/null
like many of the other toolchain checks do?
Thanks,
Daniel
prev parent reply other threads:[~2006-10-13 13:35 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-09-27 18:08 2.6.18-mm1 violates sandbox feature on linux distribution Michael Rasenberger
2006-10-01 10:40 ` Sam Ravnborg
2006-10-01 16:43 ` Mark Knecht
2006-10-02 9:38 ` Michael Rasenberger
2006-10-13 13:34 ` Daniel Drake [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=452F9602.1050906@gentoo.org \
--to=dsd@gentoo.org \
--cc=akpm@osdl.org \
--cc=linux-kernel@vger.kernel.org \
--cc=miraze@web.de \
--cc=sam@ravnborg.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox