[gentoo-dev] problems with media-gfx/asymptote

[gentoo-dev] problems with media-gfx/asymptote

[Andrey Grozin]

Hello *,

asymptote-3.00 has just appeared, and I'm trying to update the ebuild.

asymptote now bundles boehm-gc; the option to use system boehm-gc is now 
absent. asymptote-3.00/gc/README.md says that it's 8.2.8; however, the 
sourse tree asymptote-3.00/gc differs from the plain gc-8.2.8. I suppose 
some hacking autoconf files is needed to unbundle it, and it's a 
nontrivial work. A pity.

What's more, compiling this bundled gc leads to sandbox violations like

F: open_wr
S: deny
P: /proc/4643/clear_refs
A: /proc/4643/clear_refs
R: /proc/4643/clear_refs
C: ./cordtest

and several more. All of them are in some test programs:

cordtest
gctest
staticrootstest
disclaim_test
disclaim_weakmap_test

All of them try to write to some /proc/*/clear_refs; I don't know what are 
these /proc/*/clear_refs files. Surprisingly, all gc test are marked as 
passed. Maybe, the resulting libgc (and the resulting asymptote) even 
work. But, of course, the ebuild fails, and does not install these results.

Interestingly, emerging boehm-gc succeeds, no sandbox violations.

I suppose the best way out is to somehow force asymptote to use the system 
boehm-gc. As a stopgap measure, is it possible to allow these test 
programs to write to /proc/*/clear_refs?

Hoping for some help,
Andrey

Re: [gentoo-dev] problems with media-gfx/asymptote

[Jérôme Carretero]

[-- Attachment #1: Type: text/plain, Size: 590 bytes --]

Hi Andrey,



On Tue, 2025-02-18 at 12:18 +0000, Andrey Grozin wrote:
> [asymptote-3.00 has just appeared
> [...]
> What's more, compiling this bundled gc leads to sandbox violations 


As an asymptote user, I went to check the issue tracker:
https://github.com/vectorgraphics/asymptote/issues
and the forum:
https://sourceforge.net/p/asymptote/discussion/409349/thread/f8851c5214/
but I'm not seeing anything related to this.

May I suggest to bring these issues to upstream's attention so maybe
they can understand them and fix them?


Best regards,

-- 
Jérôme

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 854 bytes --]

Re: [gentoo-dev] problems with media-gfx/asymptote

[Andrey Grozin]

[-- Attachment #1: Type: text/plain, Size: 518 bytes --]

On Tue, 18 Feb 2025, Jérôme Carretero wrote:
> As an asymptote user, I went to check the issue tracker:
> https://github.com/vectorgraphics/asymptote/issues
> and the forum:
> https://sourceforge.net/p/asymptote/discussion/409349/thread/f8851c5214/
> but I'm not seeing anything related to this.
But from the upstream point of view, there is no issue. When I run these 
<something>test programs outside the Gentoo sandbox, they succeed and 
report that the test has passed.

This is an issue for Gentoo only.

Andrey

[gentoo-dev] sandbox and /proc/<pid>/clear_refs [was: problems with media-gfx/asymptote]

[Andrey Grozin]

Some additional information:

# strace -e trace=file ./cordtest
...
openat(AT_FDCWD, "/proc/3702/clear_refs", O_WRONLY) = 3
...
SUCCEEDED
+++ exited with 0 +++

It is absolutely legal for the owner of a process to write to 
/proc/<pid>/clear_refs
I think it is a bug in Gentoo sandbox that this is not allowed.

Andrey

Re: [gentoo-dev] sandbox and /proc/<pid>/clear_refs [was: problems with media-gfx/asymptote]

[Mike Gilbert]

On Tue, Feb 18, 2025 at 11:40 PM Andrey Grozin <grozin@gentoo.org> wrote:
>
> Some additional information:
>
> # strace -e trace=file ./cordtest
> ...
> openat(AT_FDCWD, "/proc/3702/clear_refs", O_WRONLY) = 3
> ...
> SUCCEEDED
> +++ exited with 0 +++
>
> It is absolutely legal for the owner of a process to write to
> /proc/<pid>/clear_refs
> I think it is a bug in Gentoo sandbox that this is not allowed.

Please use Bugzilla.