Bug 213390

Summary: ports-mgmt/pkg: startup scripts are run with an open directory file descriptor, causing chroot() to fail
Product: Ports & Packages Reporter: Garrett Wollman <wollman>
Component: Individual Port(s)Assignee: freebsd-pkg (Nobody) <pkg>
Status: Closed FIXED    
Severity: Affects Only Me CC: jaap
Priority: --- Keywords: needs-qa
Version: LatestFlags: jaap: maintainer-feedback+
Hardware: amd64   
OS: Any   

Description Garrett Wollman freebsd_committer freebsd_triage 2016-10-11 19:06:03 UTC 
Upgrading unbound via pkg upgrade inside a jail fails:

Oct 11 14:59:08 XXXXX pkg: unbound upgraded: 1.5.9_1 -> 1.5.10 
Oct 11 14:59:08 XXXXX unbound: [47924:0] fatal error: unable to chroot to /usr/local/etc/unbound: Operation not permitted

Running "service unbound restart" in the jail after pkg(8) finishes succeeds, so I don't know if this is an actual unbound bug, or an rc script bug, or a pkg(8) bug.  I don't know why it's trying to chroot as 

Oct 11 14:59:31 XXXXX unbound: [47974:0] warning: did not exit gracefully last time (47924)
Oct 11 14:59:31 XXXXX unbound: [47975:0] notice: init module 0: validator
Oct 11 14:59:31 XXXXX unbound: [47975:0] notice: init module 1: iterator
Comment 1 Jaap Akkerhuis 2016-10-25 16:36:28 UTC 
It is odd that it complains about the chroot. Unbound should only do that when configured to do so.

Nothing changed in the rc script with this upgrade so that is unlikely the cause.
Comment 2 Garrett Wollman freebsd_committer freebsd_triage 2016-11-03 16:04:50 UTC 
I have figured out the cause of the problem.  unbound always attempts to chroot when starting, but normally succeeds.  When starting inside the environment of a package upgrade, however, it is erroneously running with a file descriptor open on a directory.  The check in `sys/kern/vfs_syscalls.c#chroot_refuse_vdir_fds` then refuses to allow the chroot to succeed, *if* either `kern.chroot_allow_open_directories` is set to 0, or it is set to 1 (which is the default) and is already running in a chroot (which includes jails).

Conclusion: this is a bug in pkg; the startup scripts should not be run with any descriptors open other than the standard 0/1/2.
Comment 3 Baptiste Daroussin freebsd_committer freebsd_triage 2016-11-03 18:15:33 UTC 
This has been fixed in the github repository and will be in the next release which will happen before the Weekend
Comment 4 Jaap Akkerhuis 2016-11-03 18:44:02 UTC 
(In reply to Garrett Wollman from comment #2)
Thanks for figuring this out.