Bug 387753

Summary: Usage of `qmlplugindump` causes sandbox violations
Product: [Frameworks and Libraries] extra-cmake-modules Reporter: Elias Probst <mail>
Component: generalAssignee: ecm-bugs-null <ecm-bugs-null>
Status: RESOLVED DOWNSTREAM    
Severity: major CC: eugene.shalygin+bugzilla.kde
Priority: NOR    
Version First Reported In: unspecified   
Target Milestone: ---   
Platform: Gentoo Packages   
OS: Linux   
URL: https://bugzilla.gnome.org/show_bug.cgi?id=744135
Latest Commit: Version Fixed/Implemented In:
Sentry Crash Report:
Attachments: sandbox.log of "sandbox qmlplugindump QtQuick.Window 2.1"

Description Elias Probst 2017-12-09 23:44:21 UTC 
Created attachment 109279 [details]
sandbox.log of "sandbox qmlplugindump QtQuick.Window 2.1"

The usage of `qmlplugindump` causes sandbox violations, e.g. here on Gentoo when trying to build kwin since @fe9664fd8 [1]

It looks like `qmlplugindump` is not quite environment agnostic but instead tries to do all kind of stuff depending on the environment in which it is executed in, which is clearly shown by e.g. running `sandbox qmlplugindump QtQuick.Window 2.1`, (as regular user of a Plasma/Wayland session) causing at least 4 sandbox violations of which at least the one attempting to write to /dev/dri/card0 would be considered severe:

trimmed sandbox.log, full log attached:

F: chmod
P: /run/user/1000

F: mkostemp
P: /run/user/1000/wayland-cursor-shared-XXXXXX

F: open_wr
P: /dev/dri/card0

F: mkostemp
P: /run/user/1000/mesa-shared-XXXXXX



The sandbox.log of the build process (as root, no graphical session) looks similar:

F: open_wr
P: /dev/dri/renderD128
C: /usr/lib64/gstreamer-1.0/gst-plugin-scanner -l

F: open_wr                               
P: /dev/dri/card0                                                            
C: /usr/lib64/gstreamer-1.0/gst-plugin-scanner -l              

F: open_wr                                                                                             
P: /dev/video0                                 
C: /usr/lib64/qt5/bin/qmlplugindump QtMultimedia 5.0


This seems to only happen with QtQuick.Window, so I'm not sure whether that's an issue with the way ECM calls qmlplugindump, qmlplugindump itself or just QtDeclarative's "QtQuick.Window".


[1] https://phabricator.kde.org/R108:fe9664fd8
Comment 1 Elias Probst 2017-12-09 23:50:46 UTC 
It looks like this is actually an upstream issue:
https://bugzilla.gnome.org/show_bug.cgi?id=744135


As documented in Gentoo's bugtracker:
https://bugs.gentoo.org/570624
Comment 2 Christophe Marin 2017-12-09 23:59:11 UTC 
Downstream issue rather, according to https://bugzilla.gnome.org/show_bug.cgi?id=744135#c1