stedolan
config.sh issue with process sandboxing on macos
In an opam-repository PR, we observed the following error:
#=== ERROR while compiling afl-persistent.1.4 =================================#
# context 2.2.0~alpha2 | macos/x86_64 | ocaml-base-compiler.4.14.1 | file:///Users/mac1000/opam-repository
# path ~/.opam/4.14.1/.opam-switch/build/afl-persistent.1.4
# command ~/.opam/opam-init/hooks/sandbox.sh build ./config.sh
# exit-code 1
# env-file ~/.opam/log/afl-persistent-61874-2bd2b7.env
# output-file ~/.opam/log/afl-persistent-61874-2bd2b7.out
### output ###
# ./config.sh: line 17: cannot create temp file for here document: Operation not permitted
AFAweCT, the issue is that macos ships an old version of bash which creates a temporary file for the heredoc (the part in between <<EOF and EOF which is not allowed by sandboxing in /.
Suggested fix:
Replace cd / by cd .. on line 14 in config.sh
In fact bash should create the temporary file in /tmp or some other system temporary directory. I wonder whether the sandboxing allows that. Another workaround could be to use a printf '...' maybe?
bash should, and bash would, but macos ships a bash version that is dated, as in a version that is nearly old enough to drink. Apparently that old version of bash doesn't default to /tmp for heredoc content. It's difficult to confirm this though: I don't have access to the right machine to test it.
The sandboxing is meant to allow files in /tmp. In fact the first part of the script does use the temporary directory which succeeds.
It can be fixed with a microscopic patch: https://github.com/ocaml/opam-repository/pull/25144 I'll send a PR
Sorry this took me absurdly long to reply to! @mseri's microscopic patch looks good. I've merged #14, but I won't bother releasing a new package version, since the version of 1.4 on OPAM includes this patch already (thanks to https://github.com/ocaml/opam-repository/pull/25144)
