Are macports builds prevented from accessing /dev/random ?

Christopher Jones jonesc at hep.phy.cam.ac.uk
Tue Jun 13 22:18:00 UTC 2017


> On 13 Jun 2017, at 10:42 pm, Joshua Root <jmr at macports.org> wrote:
> 
> On 2017-6-14 07:05 , Daniel J. Luke wrote:
>> On Jun 13, 2017, at 4:57 PM, Christopher Jones <jonesc at hep.phy.cam.ac.uk> wrote:
>>> :info:build open('/dev/random'): Operation not permitted
>>> 
>>> Now, this works outside. So I suspect the build is in some way preventing the build process from accessing this. Is this possible? If so, more to the point, is there a way I can get this to work…?
>> I suspect the sandbox doesn't include access to /dev/random (MacPorts started using sandbox-exec with version 2.2.0)
>> As a temporary workaround (or to test this theory) you can add "sandbox_enable no" to your macports.conf
> 
> Our sandbox only restricts writes. Seems like the program is opening /dev/random with O_RDWR? Writing to it is technically allowed (though I don't know that it does anything on darwin), so we should probably add it to the sandbox exceptions, but I'm not sure why it would be needed.

Had a look into this. The ROOT source never explicitly opens /dev/random in read/write mode. Only read-only.

However, it also uses a number of external library calls, like std::rand(), and my best bet is one of these is doing it. As writing to /dev/random is allowed, to update the entropy pool, I don’t think this in itself is an issue.

So is it OK to add /dev/random to the allowed locations for the sandbox?

cheers Chris

> 
> - Josh
