jmmv / sandboxctl

Automates the creation and management of chroot-based sandboxes
BSD 3-Clause "New" or "Revised" License

curl SSL doesn't work in darwin_native sandbox #2

Closed jlmuir closed 7 years ago

jlmuir commented 7 years ago

On macOS Sierra 10.12.3, running curl in a darwin_native sandbox to fetch an HTTPS URL fails with an error about an SSL certificate problem. (The same curl command works fine outside the sandbox.) This is problematic when used by pkg_comp because fetching a package distfile that is only available via HTTPS will fail.

The sandbox is created and entered with pkg_comp:

# pkg_comp sandbox-create
# pkg_comp bootstrap
# pkg_comp sandbox-shell

Inside the sandbox:

# /usr/bin/curl -IsS https://github.com/ | head -n 1
curl: (35) SSL certificate problem: Couldn't understand the server certificate format

Outside the sandbox:

# /usr/bin/curl -IsS https://github.com/ | head -n 1
HTTP/1.1 200 OK

jlmuir commented 7 years ago

I'm starting to wonder if maybe I should have filed this issue against pkg_comp instead.

I noticed that in Joyent's pkgbuild, if I'm understanding things correctly, they build curl as a tool and include it in the bootstrap so that it can be used for fetching rather than the macOS system curl. It seems like they do that in include/osx.mk where there's a comment that says, "Native curl SIGBUS's when accessing HTTPS in a chroot." So, if this issue is more to do with pkg_comp, then perhaps building a pkgsrc curl as a tool and using it instead of the macOS system curl is a possible workaround.

I tried invoking curl in the sandbox with the -k option (with the idea of getting pkgsrc to include that option as a workaround knowing that the distfiles will still have their checksums checked), but unfortunately that didn't work; the noted curl command fails in the same way with -k.

jmmv commented 7 years ago

I haven't taken a look yet in detail about why curl crashes but this rings a bell, as I think I noticed some crash in a networked tool (maybe it was ping?) but didn't bother much about tracking it down.

So, "it depends": if there is something misconfigured in the sandbox that is causing the crash, then yes, this should be fixed in sandboxctl. If there is nothing that can be done in the sandbox setup, then we can work around it in pkg_comp.

jmmv commented 7 years ago

Aha, found the problem. /var/db had to exist so that the security framework can create files in it, and then /Library/Security had to be bind-mounted to allow access to the system keychain.
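
An added example (not code from sandboxctl or from anyone in this thread): a POSIX shell check that a sandbox root has the two paths the fix above names. The function name, the optional host-root argument, and treating "every host entry is also visible in the sandbox" as a proxy for the bind mount are assumptions.

```shell
#!/bin/sh
# Hypothetical helper: audit a sandbox root for the paths the macOS
# security framework needs, per the fix described in the issue.
# Usage: check_sandbox_trust_paths SANDBOX_ROOT [HOST_ROOT]
# Prints one line per problem; returns 0 if none were found, 1 otherwise.
check_sandbox_trust_paths() {
    root=${1%/}
    host=${2:-}
    host=${host%/}          # empty HOST_ROOT means the real /
    problems=0

    # /var/db must exist so the security framework can create files in it.
    if [ ! -d "$root/var/db" ]; then
        echo "missing: $root/var/db"
        problems=$((problems + 1))
    elif [ ! -w "$root/var/db" ]; then
        echo "not writable: $root/var/db"
        problems=$((problems + 1))
    fi

    # /Library/Security must be bind-mounted. Assumption: a working bind
    # mount shows the same entries inside the sandbox as on the host.
    if [ ! -d "$root/Library/Security" ]; then
        echo "missing: $root/Library/Security"
        problems=$((problems + 1))
    else
        for entry in "$host/Library/Security"/* \
                     "$host/Library/Security"/.[!.]*; do
            [ -e "$entry" ] || continue   # skip unmatched glob patterns
            name=${entry##*/}
            if [ ! -e "$root/Library/Security/$name" ]; then
                echo "not visible in sandbox: /Library/Security/$name"
                problems=$((problems + 1))
            fi
        done
    fi

    [ "$problems" -eq 0 ]
}
```

Call it with the sandbox root as the only argument to compare against the host's real /Library/Security; the second argument exists so the check can be exercised against a constructed directory tree.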