I'd like to change the way path matching is ordered in sandbox, and while at it formally define it for EAPI 8. Currently, the behavior is not formally defined in the PMS. Furthermore, use of multiple lists is non-trivial and makes it hard to override restrictions in subdirectories. What I'd like to define instead is something along the lines of: Sandbox maintains a single ACL list. add* functions add the new ACL to the end of the list. When an operation is performed, the path is matched against all ACL entries in order, with the later entries overriding the earlier. In my opinion, this is both more flexible and simpler than the current behavior. It makes it possible to create overrides like: adddeny /foo # denied addwrite /foo/bar # read-write adddeny /foo/bar/baz # (denied) addread /foo/bar/baz # read-only
Have you filed a feature request or written a patch to actually implement this in sys-apps/sandbox? This is a pretty significant change in behavior, and I think it would be useful to see a reference implementation working before it gets added in PMS. I am especially interested in how the default lists would be maintained; currently these are 3 separate variables in sandbox.conf, and I think these would need to be merged somehow.
This bug serves for the feature request but I'd like to query some more opinion before proceeding with the patch. (In reply to Mike Gilbert from comment #1) > I am especially interested in how the default lists would be maintained; > currently these are 3 separate variables in sandbox.conf, and I think these > would need to be merged somehow. I suppose it wouldn't be hard to merge them into SANDBOX_ACL at start, with order matching current sandbox logic.
