Are macports builds prevented from accessing /dev/random ?

Christopher Jones jonesc at hep.phy.cam.ac.uk
Tue Jun 13 21:51:07 UTC 2017


Hi,

Turning off the sandbox fixed the build, so this definitely is the issue…

I agree requiring access to /dev/random during the build is a bit weird, but it actually does make some sense in this case: the script being run is generating an example output ROOT file for the tutorials, which includes filling some histograms and tuples with random numbers.

Is it possible to flag at a port level that access to some areas is OK for certain ports? To be honest I would be surprised if there was, as it would potentially allow ports to start turning off the protections the sandbox provides willy-nilly, but I thought I would ask.

Failing that, yes, could we add /dev/random to the list of allowed areas? Odd, yes, but in this case it does make some sense…

cheers Chris


> On 13 Jun 2017, at 10:42 pm, Joshua Root <jmr at macports.org> wrote:
> 
> On 2017-6-14 07:05 , Daniel J. Luke wrote:
>> On Jun 13, 2017, at 4:57 PM, Christopher Jones <jonesc at hep.phy.cam.ac.uk> wrote:
>>> :info:build open('/dev/random'): Operation not permitted
>>> 
>>> Now, this works outside. So I suspect the build is in some way preventing the build process from accessing this. Is this possible? If so, more to the point, is there a way I can get this to work…?
>> I suspect the sandbox doesn't include access to /dev/random (MacPorts started using sandbox-exec with version 2.2.0)
>> As a temporary workaround (or to test this theory) you can add "sandbox_enable no" to your macports.conf
> 
> Our sandbox only restricts writes. Seems like the program is opening /dev/random with O_RDWR? Writing to it is technically allowed (though I don't know that it does anything on darwin), so we should probably add it to the sandbox exceptions, but I'm not sure why it would be needed.
> 
> - Josh
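
The reply quoted above suggests the sandbox restricts only writes and that the program may be opening /dev/random with O_RDWR. The following C probe is an added example, not part of the thread and not MacPorts or ROOT code: it checks whether a device refuses O_RDWR while still allowing O_RDONLY, then reads random bytes without requesting write access. The names `classify_access` and `read_random` are hypothetical.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical names, for illustration only. */
enum dev_access { DEV_RDWR, DEV_WRITE_DENIED, DEV_NO_ACCESS };

/* Try O_RDWR, then O_RDONLY. *err receives the errno of the failed
 * O_RDWR open, or 0 if that open succeeded. */
enum dev_access classify_access(const char *path, int *err)
{
    int fd = open(path, O_RDWR);
    *err = 0;
    if (fd >= 0) { close(fd); return DEV_RDWR; }
    *err = errno;
    fd = open(path, O_RDONLY);
    if (fd >= 0) { close(fd); return DEV_WRITE_DENIED; }
    return DEV_NO_ACCESS;
}

/* Read exactly len bytes using a read-only descriptor, retrying on
 * EINTR and short reads. Returns len on success, -1 otherwise. */
ssize_t read_random(const char *path, unsigned char *buf, size_t len)
{
    size_t got = 0;
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    while (got < len) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n < 0 && errno == EINTR) continue;
        if (n <= 0) break;
        got += (size_t)n;
    }
    close(fd);
    return got == len ? (ssize_t)got : -1;
}

int main(void)
{
    int err;
    unsigned char buf[16];
    enum dev_access a = classify_access("/dev/random", &err);
    if (a == DEV_WRITE_DENIED)
        printf("O_RDWR refused (%s); O_RDONLY works\n", strerror(err));
    else
        printf("%s\n", a == DEV_RDWR ? "O_RDWR allowed" : "no access at all");
    if (read_random("/dev/random", buf, sizeof buf) == (ssize_t)sizeof buf)
        printf("read %zu random bytes read-only\n", sizeof buf);
    return 0;
}
```

Running the same binary inside and outside the build sandbox and comparing the two results shows whether only the write half of the open is being refused.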
