Opened 8 years ago

Last modified 8 years ago

#52828 assigned defect

Use of --with-local-prefix= produces compilers which can mismatch headers and libs from /usr/local/lib by default

Reported by: jwhowarth
Owned by: macports-tickets@…
Priority: Normal
Milestone:
Component: ports
Version: 2.3.4
Keywords:
Cc: ryandesign (Ryan Carsten Schmidt)
Port: gcc43 gcc44 gcc45 gcc46 gcc47 gcc48 gcc49 gcc5 gcc6 gcc7

Description

While implementing the same sandboxing in the fink project that MacPorts has been using, I noticed that the FSF gcc compilers fail to bootstrap under a sandbox with...

(version 1)
(allow default)
(deny file*
       (subpath "/usr/local")
)

The bootstrap of the FSF gcc compilers fails due to an error...

cc1: error: /usr/local/include: Operation not permitted

One solution is to pass '--with-local-prefix=' to configure when building FSF gcc with some path other than /usr/local. However, this creates the undesirable side effect of an FSF gcc compiler which doesn't have '/usr/local/include' in the header search paths but does include /usr/local/lib in the library search paths, which makes the compiler susceptible to resulting in header/library mismatches out of /usr/local when used outside of the Apple sandbox.

Interestingly, the clang compilers (both Apple and LLVM.org) don't have this issue when compiling under a sandbox which denies file access to /usr/local. Those compilers retain /usr/local in their search path without failing on file access errors in this case.

I also noticed that the usage of '--with-local-prefix=' in the MacPorts FSF gcc packages dates back over nine years, so it wasn't done explicitly to solve this issue in compiler failures under the Apple sandbox.

Attachments (1)

r241919.diff (967 bytes) - added by jwhowarth 8 years ago.
upstream patch to make FSF gcc's cc1 Apple sandbox friendly
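
A check for the header/library search path mismatch described in the ticket, as an added example that is not part of the ticket and is not MacPorts or GCC code. It parses the output of `gcc -E -v -x c /dev/null` and `gcc -print-search-dirs`; the sample output and the /opt/example prefix are constructed, and paths are compared as text without resolving `..` components.

```shell
#!/bin/sh
# Added example: report prefixes whose lib dir is searched while their include dir is not.

# Constructed sample of `gcc -E -v -x c /dev/null` stderr (paths are illustrative).
SAMPLE_INCLUDES='ignoring nonexistent directory "/opt/example/include-fixed"
#include "..." search starts here:
#include <...> search starts here:
 /opt/example/lib/gcc/include
 /opt/example/include
 /usr/include
End of search list.'

# Constructed sample of `gcc -print-search-dirs` output.
SAMPLE_LIBS='install: /opt/example/lib/gcc/
programs: =/opt/example/libexec/gcc/
libraries: =/opt/example/lib/gcc/:/usr/local/lib/:/opt/example/lib/:/usr/lib/'

# Print the system header directories listed between the two markers.
include_dirs() {
    printf '%s\n' "$1" | awk '
        /^#include <\.\.\.> search starts here:/ { on = 1; next }
        /^End of search list\./ { on = 0 }
        on { sub(/^ +/, ""); sub(/ \(framework directory\)$/, ""); sub(/\/+$/, ""); print }'
}

# Print the library search directories, one per line, without trailing slashes.
lib_dirs() {
    printf '%s\n' "$1" | sed -n 's/^libraries: =//p' | tr ':' '\n' | sed 's:/*$::' | awk 'NF'
}

# Print each prefix P where P/lib is searched for libraries
# but P/include is not searched for headers.
mismatched_prefixes() {
    incs=$(include_dirs "$1")
    lib_dirs "$2" | while IFS= read -r d; do
        case "$d" in
            */lib) p=${d%/lib} ;;
            *) continue ;;
        esac
        printf '%s\n' "$incs" | grep -Fxq "$p/include" || printf '%s\n' "$p"
    done
}

# Against a real compiler:
#   mismatched_prefixes "$(gcc -E -v -x c /dev/null 2>&1)" "$(gcc -print-search-dirs)"
mismatched_prefixes "$SAMPLE_INCLUDES" "$SAMPLE_LIBS"
```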


Change History (7)

comment:1 Changed 8 years ago by jwhowarth

Actually this issue appears to be trivial to fix. The use of --with-local-prefix= can be dropped entirely for builds of FSF gcc within an Apple sandbox that denies file accesses to /usr/local if the following change is made...

--- gcc/incpath.c.bak	2015-01-05 07:33:28.000000000 -0500
+++ gcc/incpath.c	2016-11-06 07:25:20.000000000 -0500
@@ -256,7 +256,7 @@
       if (stat (cur->name, &st))
 	{
 	  /* Dirs that don't exist are silently ignored, unless verbose.  */
-	  if (errno != ENOENT)
+	  if ((errno != ENOENT) && (errno != EPERM))
 	    cpp_errno (pfile, CPP_DL_ERROR, cur->name);
 	  else
 	    {
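
Review bot: The context comment directly above the changed condition still reads "Dirs that don't exist are silently ignored, unless verbose", but with `errno != EPERM` added the same branch now also skips directories that exist and were denied. Update the comment to cover the EPERM case, and drop the redundant inner parentheses: `if (errno != ENOENT && errno != EPERM)`.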

For the Apple llvmgcc42-2336.11 build this will have to be...

--- gcc/c-incpath.c.bak	2009-02-14 23:17:54.000000000 -0500
+++ gcc/c-incpath.c	2016-11-06 07:28:39.000000000 -0500
@@ -384,7 +384,7 @@
       if (stat (cur->name, &st))
 	{
 	  /* Dirs that don't exist are silently ignored, unless verbose.  */
-	  if (errno != ENOENT)
+	  if ((errno != ENOENT) && (errno != EPERM))
 	    cpp_errno (pfile, CPP_DL_ERROR, cur->name);
 	  else
 	    {
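
Review bot: On the changed `if` line only EPERM joins ENOENT, so a stat() failure with EACCES still reaches cpp_errno as CPP_DL_ERROR. If that split is intended (EPERM is the "Operation not permitted" that cc1 reports in the ticket description), state it in the comment above the test so a later reader does not take the missing EACCES for an oversight.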

comment:2 Changed 8 years ago by jwhowarth

Note that this fix is now proposed on gcc-patches at https://gcc.gnu.org/ml/gcc-patches/2016-11/msg00521.html

comment:3 Changed 8 years ago by ryandesign (Ryan Carsten Schmidt)

Cc: ryandesign added

comment:4 Changed 8 years ago by jwhowarth

Note that...

241919 | mrs | 2016-11-07 13:33:49 -0500 (Mon, 07 Nov 2016) | 5 lines

2016-11-06  Jack Howarth  <howarth.at.gcc@gmail.com>

        PR driver/78206
        * incpath.c: (remove_dup(): Also silently ignore EPERM.

has landed in gcc trunk as well as on gcc-5-branch and gcc-6-branch. If MacPorts adopts this patch for their gcc packages, the --with-local-prefix usage can be dropped from the gcc* Portfiles and the sandbox blacklisting of /usr/local be relied upon instead of the package builds of those compilers and their usage within other MacPort package builds.


Changed 8 years ago by jwhowarth

Attachment: r241919.diff added

upstream patch to make FSF gcc's cc1 Apple sandbox friendly

comment:5 Changed 8 years ago by mf2k (Frank Schima)

Cc: mww@… removed
Owner: changed from macports-tickets@… to mww@…
Status: new → assigned

comment:6 Changed 8 years ago by kurthindenburg (Kurt Hindenburg)

Owner: changed from mww@… to macports-tickets@…