Are macports builds prevented from accessing /dev/random ?


Chris Jones
Hi,

I have a slightly odd issue… I am working on an update to the ROOT6 port, to the newly released 6.10.00 release.

As part of the build process their build system runs the root C++ interpreter on some example scripts, which generate various output files. This running of the script as part of the build process seems to be failing due to it being unable to access /dev/random…

The build step is

:info:build cd /opt/local/var/macports/build/_Users_chris_Projects_MacPorts_ports_science_root6/root6/work/build/tutorials && DYLD_LIBRARY_PATH=/opt/local/var/macports/build/_Users_chris_Projects_MacPorts_ports_science_root6/root6/work/build/lib: ROOTIGNOREPREFIX=1 /opt/local/var/macports/build/_Users_chris_Projects_MacPorts_ports_science_root6/root6/work/build/bin/root.exe -l -q -b -n -x hsimple.C -e return

You don’t need to understand the details, just that root.exe is the main executable and hsimple.C is a C++ source file that root interprets (using the cling interpreter built on top of the clang compiler).

This gives the error, when run inside a macports build

:info:build open('/dev/random'): Operation not permitted

Now, this works outside. So I suspect the build is in some way preventing the build process from accessing this. Is this possible ? If so, more to the point, is there a way I can get this to work… ?

cheers Chris


Re: Are macports builds prevented from accessing /dev/random ?

Sterling Smith
Is this trace mode?

-Sterling

----- Original Message -----
From: "Christopher Jones" <[hidden email]>
To: "MacPorts Developers" <[hidden email]>
Sent: Tuesday, June 13, 2017 1:57:57 PM
Subject: Are macports builds prevented from accessing /dev/random ?

Hi,

I have a slightly odd issue… I am working on an update to the ROOT6 port, to the newly released 6.10.00 release.

As part of the build process their build system runs the root C++ interpreter on some example scripts, which generate various output files. This running of the script as part of the build process seems to be failing due to it being unable to access /dev/random…

The build step is

:info:build cd /opt/local/var/macports/build/_Users_chris_Projects_MacPorts_ports_science_root6/root6/work/build/tutorials && DYLD_LIBRARY_PATH=/opt/local/var/macports/build/_Users_chris_Projects_MacPorts_ports_science_root6/root6/work/build/lib: ROOTIGNOREPREFIX=1 /opt/local/var/macports/build/_Users_chris_Projects_MacPorts_ports_science_root6/root6/work/build/bin/root.exe -l -q -b -n -x hsimple.C -e return

You don’t need to understand the details, just that root.exe is the main executable and hsimple.C is a C++ source file that root interprets (using the cling interpreter built on top of the clang compiler).

This gives the error, when run inside a macports build

:info:build open('/dev/random'): Operation not permitted

Now, this works outside. So I suspect the build is in some way preventing the build process from accessing this. Is this possible ? If so, more to the point, is there a way I can get this to work… ?

cheers Chris

Re: Are macports builds prevented from accessing /dev/random ?

Daniel J. Luke
In reply to this post by Chris Jones
On Jun 13, 2017, at 4:57 PM, Christopher Jones <[hidden email]> wrote:
> :info:build open('/dev/random'): Operation not permitted
>
> Now, this works outside. So I suspect the build is in some way preventing the build process from accessing this. Is this possible ? If so, more to the point, is there a way I can get this to work… ?

I suspect the sandbox doesn't include access to /dev/random (MacPorts started using sandbox-exec with version 2.2.0)

As a temporary workaround (or to test this theory) you can add "sandbox_enable no" to your macports.conf
--
Daniel J. Luke




Re: Are macports builds prevented from accessing /dev/random ?

Joshua Root-8
On 2017-6-14 07:05 , Daniel J. Luke wrote:
> On Jun 13, 2017, at 4:57 PM, Christopher Jones <[hidden email]> wrote:
>> :info:build open('/dev/random'): Operation not permitted
>>
>> Now, this works outside. So I suspect the build is in some way preventing the build process from accessing this. Is this possible ? If so, more to the point, is there a way I can get this to work… ?
>
> I suspect the sandbox doesn't include access to /dev/random (MacPorts started using sandbox-exec with version 2.2.0)
>
> As a temporary workaround (or to test this theory) you can add "sandbox_enable no" to your macports.conf

Our sandbox only restricts writes. Seems like the program is opening
/dev/random with O_RDWR? Writing to it is technically allowed (though I
don't know that it does anything on darwin), so we should probably add
it to the sandbox exceptions, but I'm not sure why it would be needed.

- Josh
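
A small probe for the question raised in this message, added here as an example (it is not code from the thread, from MacPorts or from ROOT): it tries to open a path in each access mode and reports the errno, so running it inside and outside the build sandbox shows whether only write-mode opens are refused. The function names `probe_open` and `write_restricted` are illustrative.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Try to open path with the given flags; return 0 on success, else errno. */
int probe_open(const char *path, int flags)
{
    int fd = open(path, flags);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

/* Returns 1 if read-only opens work but both write-mode opens are refused
 * (what a write-only sandbox restriction looks like), 0 if every mode
 * opens, and -1 for any other combination (e.g. the path is missing). */
int write_restricted(const char *path)
{
    int ro = probe_open(path, O_RDONLY);
    int wo = probe_open(path, O_WRONLY);
    int rw = probe_open(path, O_RDWR);
    if (ro == 0 && wo == 0 && rw == 0)
        return 0;
    if (ro == 0 && wo != 0 && rw != 0)
        return 1;
    return -1;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/dev/random";
    static const struct { const char *name; int flags; } modes[] = {
        { "O_RDONLY", O_RDONLY }, { "O_WRONLY", O_WRONLY }, { "O_RDWR", O_RDWR },
    };
    for (size_t i = 0; i < sizeof modes / sizeof modes[0]; i++) {
        int err = probe_open(path, modes[i].flags);
        printf("open('%s', %s): %s\n", path, modes[i].name,
               err ? strerror(err) : "ok");
    }
    printf("write-restricted: %d\n", write_restricted(path));
    return 0;
}
```

A result of 1 for /dev/random inside the build and 0 outside it matches the explanation given in this message: the read succeeds and only the O_RDWR or O_WRONLY open returns "Operation not permitted".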

Re: Are macports builds prevented from accessing /dev/random ?

Chris Jones
Hi,

turning off the sandbox fixed the build, so this definitely is the issue….

I agree requiring access to /dev/random during the build is a bit weird, but actually does make some sense in this case, the script being run is generating an example output ROOT file for the tutorials, which includes filling some histograms and tuples with random numbers.

Is it possible to flag at a port level that access to some areas is OK for certain ports ? To be honest I would be surprised if there was, as it would potentially allow ports to start turning off the protections the sandbox provides willy nilly, but I thought I would ask ?

Failing that, yes, could we add /dev/random to the list of allowed areas ? Odd yes, but in this case does make some sense…

cheers Chris


> On 13 Jun 2017, at 10:42 pm, Joshua Root <[hidden email]> wrote:
>
> On 2017-6-14 07:05 , Daniel J. Luke wrote:
>> On Jun 13, 2017, at 4:57 PM, Christopher Jones <[hidden email]> wrote:
>>> :info:build open('/dev/random'): Operation not permitted
>>>
>>> Now, this works outside. So I suspect the build is in some way preventing the build process from accessing this. Is this possible ? If so, more to the point, is there a way I can get this to work… ?
>> I suspect the sandbox doesn't include access to /dev/random (MacPorts started using sandbox-exec with version 2.2.0)
>> As a temporary workaround (or to test this theory) you can add "sandbox_enable no" to your macports.conf
>
> Our sandbox only restricts writes. Seems like the program is opening /dev/random with O_RDWR? Writing to it is technically allowed (though I don't know that it does anything on darwin), so we should probably add it to the sandbox exceptions, but I'm not sure why it would be needed.
>
> - Josh



Re: Are macports builds prevented from accessing /dev/random ?

Chris Jones
In reply to this post by Joshua Root-8

> On 13 Jun 2017, at 10:42 pm, Joshua Root <[hidden email]> wrote:
>
> On 2017-6-14 07:05 , Daniel J. Luke wrote:
>> On Jun 13, 2017, at 4:57 PM, Christopher Jones <[hidden email]> wrote:
>>> :info:build open('/dev/random'): Operation not permitted
>>>
>>> Now, this works outside. So I suspect the build is in some way preventing the build process from accessing this. Is this possible ? If so, more to the point, is there a way I can get this to work… ?
>> I suspect the sandbox doesn't include access to /dev/random (MacPorts started using sandbox-exec with version 2.2.0)
>> As a temporary workaround (or to test this theory) you can add "sandbox_enable no" to your macports.conf
>
> Our sandbox only restricts writes. Seems like the program is opening /dev/random with O_RDWR? Writing to it is technically allowed (though I don't know that it does anything on darwin), so we should probably add it to the sandbox exceptions, but I'm not sure why it would be needed.

Had a look into this. The ROOT source never explicitly opens /dev/random in read/write mode. Only read only.

However, it also uses a number of external library calls, like std::rand(), and my best bet is one of these is doing it. As writing to /dev/random is allowed, to update the entropy pool, I don’t think this in itself is an issue.

So is it OK to add /dev/random to the allowed locations for the sandbox ?

cheers Chris

>
> - Josh



Re: Are macports builds prevented from accessing /dev/random ?

Joshua Root-8
On 2017-6-14 08:18 , Christopher Jones wrote:
>
> Had a look into this. The ROOT source never explicitly opens /dev/random in read/write mode. Only read only.
>
> However, it also uses a number of external library calls, like std::rand(), and my best bet is one of these is doing it. As writing to /dev/random is allowed, to update the entropy pool, I don’t think this in itself is an issue.
>
> So is it OK to add /dev/random to the allowed locations for the sandbox ?

Yes, that would be fine.

I had a look at the xnu source by the way, and writing to /dev/random on
Darwin is indeed equivalent to writing to /dev/null; the kernel doesn't
use the written data in any way.

- Josh

Re: Are macports builds prevented from accessing /dev/random ?

Michael_google gmail_Gersten

On 2017-06-13, at 4:20 PM, Joshua Root <[hidden email]> wrote:

> On 2017-6-14 08:18 , Christopher Jones wrote:
>> Had a look into this. The ROOT source never explicitly opens /dev/random in read/write mode. Only read only.
>> However, it also uses a number of external library calls, like std::rand(), and my best bet is one of these is doing it. As writing to /dev/random is allowed, to update the entropy pool, I don’t think this in itself is an issue.
>> So is it OK to add /dev/random to the allowed locations for the sandbox ?
>
> Yes, that would be fine.
>
> I had a look at the xnu source by the way, and writing to /dev/random on Darwin is indeed equivalent to writing to /dev/null; the kernel doesn't use the written data in any way.
>
> - Josh

Odd. The manual states: "To add entropy to the random generation system, open /dev/random for writing and write data that you believe to be somehow random."

In the past, on Linux systems, I would have a shutdown script that pulled 512 bytes out of /dev/random, and saved it in a file; on restart, it would be put back into /dev/random. But that was when it was actually possible to modify /etc/rc and run stuff at startup.

So in Xnu, how do you ensure random data in the entropy pool? How do you seed the random numbers so that there's some ... randomness?

(rc.local is way too late to adjust system startup. And launchd/init wants to have some sort of hard-coded startup functions that you can't alter).

---
Entertaining minecraft videos
http://YouTube.com/keybounce


Re: Are macports builds prevented from accessing /dev/random ?

Michael_google gmail_Gersten
In reply to this post by Joshua Root-8
Speaking of /dev/random, I did a little reading up on Yarrow today after checking the man page.

Yarrow was effectively replaced by Fortuna, and Fortuna was published, according to Wikipedia, in 2003. Even the PDF paper describing it has a date of 2010. Linux got Fortuna in 2005.

This machine came out in 2014, and is still documented as using Yarrow in 10.9.5, even though that was 10 years out of date by that time.

Has Fortuna replaced Yarrow in any later kernel?

Re: Are macports builds prevented from accessing /dev/random ?

Chris Jones
In reply to this post by Joshua Root-8


On 14/06/17 00:20, Joshua Root wrote:

> On 2017-6-14 08:18 , Christopher Jones wrote:
>>
>> Had a look into this. The ROOT source never explicitly opens
>> /dev/random in read/write mode. Only read only.
>>
>> However, it also uses a number of external library calls, like
>> std::rand(), and my best bet is one of these is doing it. As writing
>> to /dev/random is allowed, to update the entropy pool, I don’t think
>> this in itself is an issue.
>>
>> So is it OK to add /dev/random to the allowed locations for the sandbox ?
>
> Yes, that would be fine.

So, should I submit an MR for this, or can you do it ? If you want me
to, where in base should I go looking for the allowed list ?

Chris

>
> I had a look at the xnu source by the way, and writing to /dev/random on
> Darwin is indeed equivalent to writing to /dev/null; the kernel doesn't
> use the written data in any way.
>
> - Josh

Re: Are macports builds prevented from accessing /dev/random ?

Joshua Root-8
On 2017-6-14 19:21 , Chris Jones wrote:

>
>
> On 14/06/17 00:20, Joshua Root wrote:
>> On 2017-6-14 08:18 , Christopher Jones wrote:
>>>
>>> Had a look into this. The ROOT source never explicitly opens
>>> /dev/random in read/write mode. Only read only.
>>>
>>> However, it also uses a number of external library calls, like
>>> std::rand(), and my best bet is one of these is doing it. As writing
>>> to /dev/random is allowed, to update the entropy pool, I don’t think
>>> this in itself is an issue.
>>>
>>> So is it OK to add /dev/random to the allowed locations for the
>>> sandbox ?
>>
>> Yes, that would be fine.
>
> So, should I submit an MR for this, or can you do it ? If you want me
> to, where in base should I go looking for the allowed list ?

<https://github.com/macports/macports-base/commit/c8c1565f42a60c2b9e85a204603a66052f444c43>

- Josh

Re: Are macports builds prevented from accessing /dev/random ?

Joshua Root-8
In reply to this post by Michael_google gmail_Gersten
On 2017-6-14 10:07 , Michael wrote:

>
> On 2017-06-13, at 4:20 PM, Joshua Root <[hidden email]> wrote:
>
>> On 2017-6-14 08:18 , Christopher Jones wrote:
>>> Had a look into this. The ROOT source never explicitly opens /dev/random in read/write mode. Only read only.
>>> However, it also uses a number of external library calls, like std::rand(), and my best bet is one of these is doing it. As writing to /dev/random is allowed, to update the entropy pool, I don’t think this in itself is an issue.
>>> So is it OK to add /dev/random to the allowed locations for the sandbox ?
>>
>> Yes, that would be fine.
>>
>> I had a look at the xnu source by the way, and writing to /dev/random on Darwin is indeed equivalent to writing to /dev/null; the kernel doesn't use the written data in any way.
>>
>> - Josh
>
> Odd. The manual states: "To add entropy to the random generation system, open /dev/random for writing and write data that you believe to be somehow random."
>
> In the past, on Linux systems, I would have a shutdown script that pulled 512 bytes out of /dev/random, and saved it in a file; on restart, it would be put back into /dev/random. But that was when it was actually possible to modify /etc/rc and run stuff at startup.
>
> So in Xnu, how do you ensure random data in the entropy pool? How do you seed the random numbers so that there's some ... randomness?
>
> (rc.local is way too late to adjust system startup. And launchd/init wants to have some sort of hard-coded startup functions that you can't alter).

Best I can tell, the entropy pool gets 16 random bytes obtained in a
hardware-specific manner very early in the boot process.

- Josh

Re: Are macports builds prevented from accessing /dev/random ?

Chris Jones
In reply to this post by Joshua Root-8

Thanks !

On 14/06/17 13:56, Joshua Root wrote:

> On 2017-6-14 19:21 , Chris Jones wrote:
>>
>>
>> On 14/06/17 00:20, Joshua Root wrote:
>>> On 2017-6-14 08:18 , Christopher Jones wrote:
>>>>
>>>> Had a look into this. The ROOT source never explicitly opens
>>>> /dev/random in read/write mode. Only read only.
>>>>
>>>> However, it also uses a number of external library calls, like
>>>> std::rand(), and my best bet is one of these is doing it. As writing
>>>> to /dev/random is allowed, to update the entropy pool, I don’t think
>>>> this in itself is an issue.
>>>>
>>>> So is it OK to add /dev/random to the allowed locations for the
>>>> sandbox ?
>>>
>>> Yes, that would be fine.
>>
>> So, should I submit an MR for this, or can you do it ? If you want me
>> to, where in base should I go looking for the allowed list ?
>
> <https://github.com/macports/macports-base/commit/c8c1565f42a60c2b9e85a204603a66052f444c43>
>
>
> - Josh