Building ports with USE_SYSTRACE=Yes

[hanzer]

I followed the FAQ - Configuration of the ports system including the USE_SYSTRACE=Yes (just curious/tinkering) and I noticed several reports like:

Code:

 mkdir -p '/usr/ports/pobj/squid-3.HEAD-20140626-r13480/fake-i386/usr/local/share/squid/icons/silk'
systrace: deny user: root, prog: /bin/mkdir, pid: 12743(0)[13804], policy: /usr/bin/env, filters: 246, syscall: native-fswrite(136), filename: /usr
systrace: deny user: root, prog: /bin/mkdir, pid: 12743(0)[13804], policy: /usr/bin/env, filters: 246, syscall: native-fswrite(136), filename: /usr/ports
systrace: deny user: root, prog: /bin/mkdir, pid: 12743(0)[13804], policy: /usr/bin/env, filters: 246, syscall: native-fswrite(136), filename: /usr/ports/pobj

It's a fresh 5.6-stable i386 system with nothing unusual except maybe /usr/ports/pobj is on its own disk partition. Could that be the problem?

[jggimi]

I think so, yes.

$USE_SYSTRACE is really helpful for port development, because it can indicate if there are any issues with scripts and makefiles. It's one of those variables I enable when developing a new port, and do not use when building packages of established ports. The OpenBSD Porter's Handbook discusses this knob in Chapters 2 and 4.

[hanzer]

I'm beginning to think this is how systrace responds to 'mkdir -p' and 'install -d'. I did a $ sudo umount /usr/ports/pobj and tried a test by building the unzip package:

$ cd /usr/ports/archivers/unzip
$ make package
and got:

Code:

===>  Faking installation for unzip-6.0p5
install -d -o root -g bin -m 755 /usr/ports/pobj/unzip-6.0/fake-i386/usr/local/bin
systrace: deny user: root, prog: /usr/bin/install, pid: 3283(0)[4291], policy: /usr/bin/env, filters: 246, syscall: native-fswrite(136), filename: /usr
systrace: deny user: root, prog: /usr/bin/install, pid: 3283(0)[4291], policy: /usr/bin/env, filters: 246, syscall: native-fswrite(136), filename: /usr/ports
systrace: deny user: root, prog: /usr/bin/install, pid: 3283(0)[4291], policy: /usr/bin/env, filters: 246, syscall: native-fswrite(136), filename: /usr/ports/pobj
install -c -s -o root -g bin -m 555 unzip funzip unzipsfx /usr/ports/pobj/unzip-6.0/fake-i386/usr/local/bin
install -c -o root -g bin -m 555 unix/zipgrep /usr/ports/pobj/unzip-6.0/fake-i386/usr/local/bin
rm -f /usr/ports/pobj/unzip-6.0/fake-i386/usr/local/bin/zipinfo
ln -sf /usr/local/bin/unzip /usr/ports/pobj/unzip-6.0/fake-i386/usr/local/bin/zipinfo
install -d -o root -g bin -m 755 /usr/ports/pobj/unzip-6.0/fake-i386/usr/local/man/man1
systrace: deny user: root, prog: /usr/bin/install, pid: 10058(0)[4291], policy: /usr/bin/env, filters: 246, syscall: native-fswrite(136), filename: /usr
systrace: deny user: root, prog: /usr/bin/install, pid: 10058(0)[4291], policy: /usr/bin/env, filters: 246, syscall: native-fswrite(136), filename: /usr/ports
systrace: deny user: root, prog: /usr/bin/install, pid: 10058(0)[4291], policy: /usr/bin/env, filters: 246, syscall: native-fswrite(136), filename: /usr/ports/pobj
install -c -o root -g bin -m 444 man/funzip.1 /usr/ports/pobj/unzip-6.0/fake-i386/usr/local/man/man1/funzip.1
install -c -o root -g bin -m 444 man/unzip.1 /usr/ports/pobj/unzip-6.0/fake-i386/usr/local/man/man1/unzip.1
install -c -o root -g bin -m 444 man/unzipsfx.1 /usr/ports/pobj/unzip-6.0/fake-i386/usr/local/man/man1/unzipsfx.1
install -c -o root -g bin -m 444 man/zipgrep.1 /usr/ports/pobj/unzip-6.0/fake-i386/usr/local/man/man1/zipgrep.1
install -c -o root -g bin -m 444 man/zipinfo.1 /usr/ports/pobj/unzip-6.0/fake-i386/usr/local/man/man1/zipinfo.1
install -d -o root -g bin -m 755 /usr/ports/pobj/unzip-6.0/fake-i386/usr/local/share/doc/unzip
systrace: deny user: root, prog: /usr/bin/install, pid: 1993(0)[5716], policy: /usr/bin/make, filters: 246, syscall: native-fswrite(136), filename: /usr
systrace: deny user: root, prog: /usr/bin/install, pid: 1993(0)[5716], policy: /usr/bin/make, filters: 246, syscall: native-fswrite(136), filename: /usr/ports
systrace: deny user: root, prog: /usr/bin/install, pid: 1993(0)[5716], policy: /usr/bin/make, filters: 246, syscall: native-fswrite(136), filename: /usr/ports/pobj
cd /usr/ports/pobj/unzip-6.0/unzip60; install -c -o root -g bin -m 444 COPYING.OLD LICENSE README WHERE /usr/ports/pobj/unzip-6.0/fake-i386/usr/local/share/doc/unzip
===>  Building package for unzip-6.0p5
Create /usr/ports/packages/i386/all/unzip-6.0p5.tgz
Link to /usr/ports/packages/i386/ftp/unzip-6.0p5.tgz
Link to /usr/ports/packages/i386/cdrom/unzip-6.0p5.tgz

Which is the same response as with /usr/ports/pobj mounted on its own partition.

I modified the systrace policy file for the ports system /usr/ports/infrastructure/db/systrace.filter to include rules for $WRKOBJDIR (which is set to /usr/ports/pobj in /etc/mk.conf) then:

$ sudo mount /usr/ports/pobj
$ cd /usr/ports/archivers/unzip
$ make package
and got:

Code:

===>  Faking installation for unzip-6.0p5
install -d -o root -g bin -m 755 /usr/ports/pobj/unzip-6.0/fake-i386/usr/local/bin
systrace: deny user: root, prog: /usr/bin/install, pid: 24801(0)[25430], policy: /usr/bin/env, filters: 274, syscall: native-fswrite(136), filename: /usr
systrace: deny user: root, prog: /usr/bin/install, pid: 24801(0)[25430], policy: /usr/bin/env, filters: 274, syscall: native-fswrite(136), filename: /usr/ports
install -c -s -o root -g bin -m 555 unzip funzip unzipsfx /usr/ports/pobj/unzip-6.0/fake-i386/usr/local/bin
install -c -o root -g bin -m 555 unix/zipgrep /usr/ports/pobj/unzip-6.0/fake-i386/usr/local/bin
rm -f /usr/ports/pobj/unzip-6.0/fake-i386/usr/local/bin/zipinfo
ln -sf /usr/local/bin/unzip /usr/ports/pobj/unzip-6.0/fake-i386/usr/local/bin/zipinfo
install -d -o root -g bin -m 755 /usr/ports/pobj/unzip-6.0/fake-i386/usr/local/man/man1
systrace: deny user: root, prog: /usr/bin/install, pid: 12752(0)[25430], policy: /usr/bin/env, filters: 274, syscall: native-fswrite(136), filename: /usr
systrace: deny user: root, prog: /usr/bin/install, pid: 12752(0)[25430], policy: /usr/bin/env, filters: 274, syscall: native-fswrite(136), filename: /usr/ports
install -c -o root -g bin -m 444 man/funzip.1 /usr/ports/pobj/unzip-6.0/fake-i386/usr/local/man/man1/funzip.1
install -c -o root -g bin -m 444 man/unzip.1 /usr/ports/pobj/unzip-6.0/fake-i386/usr/local/man/man1/unzip.1
install -c -o root -g bin -m 444 man/unzipsfx.1 /usr/ports/pobj/unzip-6.0/fake-i386/usr/local/man/man1/unzipsfx.1
install -c -o root -g bin -m 444 man/zipgrep.1 /usr/ports/pobj/unzip-6.0/fake-i386/usr/local/man/man1/zipgrep.1
install -c -o root -g bin -m 444 man/zipinfo.1 /usr/ports/pobj/unzip-6.0/fake-i386/usr/local/man/man1/zipinfo.1
install -d -o root -g bin -m 755 /usr/ports/pobj/unzip-6.0/fake-i386/usr/local/share/doc/unzip
systrace: deny user: root, prog: /usr/bin/install, pid: 20634(0)[7099], policy: /usr/bin/make, filters: 274, syscall: native-fswrite(136), filename: /usr
systrace: deny user: root, prog: /usr/bin/install, pid: 20634(0)[7099], policy: /usr/bin/make, filters: 274, syscall: native-fswrite(136), filename: /usr/ports
cd /usr/ports/pobj/unzip-6.0/unzip60; install -c -o root -g bin -m 444 COPYING.OLD LICENSE README WHERE /usr/ports/pobj/unzip-6.0/fake-i386/usr/local/share/doc/unzip
===>  Building package for unzip-6.0p5
Create /usr/ports/packages/i386/all/unzip-6.0p5.tgz
Link to /usr/ports/packages/i386/ftp/unzip-6.0p5.tgz
Link to /usr/ports/packages/i386/cdrom/unzip-6.0p5.tgz

Slightly different - no denials on /usr/ports/pobj, just the two parent directories. The -d option on install(1) and the -p option on mkdir(1) seem to trigger systrace.