Attachment #145637 for bug #212817




	from portage.const import VDB_PATH, PRIVATE_PATH, CACHE_PATH, DEPCACHE_PATH, \
		USER_CONFIG_PATH, MODULES_FILE_PATH, CUSTOM_PROFILE_PATH, PORTAGE_BASE_PATH, \
		PORTAGE_BIN_PATH, PORTAGE_PYM_PATH, PROFILE_PATH, LOCALE_DATA_PATH, \
		EBUILD_SH_BINARY, SANDBOX_BINARY, MACOSSANDBOX_BINARY, MACOSSANDBOX_PROFILE, BASH_BINARY, \
		MOVE_BINARY, PRELINK_BINARY, WORLD_FILE, MAKE_CONF_FILE, MAKE_DEFAULTS_FILE, \
		DEPRECATED_PROFILE_FILE, USER_VIRTUALS_FILE, EBUILD_SH_ENV_FILE, \
		INVALID_ENV_FILE, CUSTOM_MIRRORS_FILE, CONFIG_MEMORY_FILE,\

				if "usersandbox" in self.features:
					self.features.remove("usersandbox")

			if not portage.process.macossandbox_capable and \
				("macossandbox" in self.features or "macosusersandbox" in self.features):
				if self.profile_path is not None and \
					os.path.realpath(self.profile_path) == \
					os.path.realpath(PROFILE_PATH):
					""" Don't show this warning when running repoman and the
					sandbox feature came from a profile that doesn't belong to
					the user."""
					writemsg(colorize("BAD", "!!! Problem with macos sandbox" + \
						" binary. Disabling...\n\n"), noiselevel=-1)
				if "macossandbox" in self.features:
					self.features.remove("macossandbox")
				if "macosusersandbox" in self.features:
					self.features.remove("macosusersandbox")

			self.features.sort()
			if "gpg" in self.features:
				writemsg(colorize("WARN", "!!! FEATURES=gpg is unmaintained, incomplete and broken. Disabling it."), noiselevel=-1)

	# fake ownership/permissions will have to be converted to real
	# permissions in the merge phase.
	fakeroot = fakeroot and uid != 0 and portage.process.fakeroot_capable
	macossandbox = ("macossandbox" in features or \
		"macosusersandbox" in features)
	if droppriv and not uid and portage_gid and portage_uid:
		keywords.update({"uid":portage_uid,"gid":portage_gid,
			"groups":userpriv_groups,"umask":002})
	if not free:
		free=((droppriv and "usersandbox" not in features and
			"macosusersandbox" not in features) or \
			(not droppriv and "sandbox" not in features and \
			"usersandbox" not in features and \
			not macossandbox))

	# confining the process to a prefix sandbox is disabled by default, if
	# a normal sandbox is requested a this point, it will be used, if no
	# sandbox is requested, a prefix sandbox will be imposed if requested
	# by the appropriate features
	prefixsandbox = False
	if free:
		prefixsandbox = "macosprefixsandbox" in features
		free = not prefixsandbox

	if free or "SANDBOX_ACTIVE" in os.environ:
		keywords["opt_name"] += " bash"

		keywords["opt_name"] += " fakeroot"
		keywords["fakeroot_state"] = os.path.join(mysettings["T"], "fakeroot.state")
		spawn_func = portage.process.spawn_fakeroot
	elif macossandbox:
		keywords["opt_name"] += " macossandbox"
		if prefixsandbox:
			sbprefixpath = mysettings["EPREFIX"]
		else:
			sbprefixpath = mysettings["PORTAGE_BUILDDIR"]

		# escape some characters with special meaning in re's
		sbprefixre = sbprefixpath.replace("+", "\+")
		sbprefixre = sbprefixre.replace("*", "\*")
		sbprefixre = sbprefixre.replace("[", "\[")
		sbprefixre = sbprefixre.replace("[", "\[")

		sbprofile = MACOSSANDBOX_PROFILE
		sbprofile = sbprofile.replace("@@WRITEABLE_PREFIX@@", sbprefixpath)
		sbprofile = sbprofile.replace("@@WRITEABLE_PREFIX_RE@@", sbprefixre)

		keywords["profile"] = sbprofile
		spawn_func = portage.process.spawn_macossandbox
	else:
		keywords["opt_name"] += " sandbox"
		spawn_func = portage.process.spawn_sandbox

		restrict = mysettings["PORTAGE_RESTRICT"].split()
		nosandbox = (("userpriv" in features) and \
			("usersandbox" not in features) and \
			("macosusersandbox" not in features) and \
			"userpriv" not in restrict and \
			"nouserpriv" not in restrict)
		if nosandbox and ("userpriv" not in features or \
			"userpriv" in restrict or \
			"nouserpriv" in restrict):
			nosandbox = ("sandbox" not in features and \
				"usersandbox" not in features and \
				"macosusersandbox" not in features)

		sesandbox = mysettings.selinux_enabled() and \
			"sesandbox" in mysettings.features




MISC_SH_BINARY          = PORTAGE_BIN_PATH+"/misc-functions.sh"
SANDBOX_BINARY          = EPREFIX+"/usr/bin/sandbox"
FAKEROOT_BINARY         = EPREFIX+"/usr/bin/fakeroot"
MACOSSANDBOX_BINARY     = "/usr/bin/sandbox-exec"
MACOSSANDBOX_PROFILE    = '''(version 1)

(allow default)

(deny file-write*)

(allow file-read* file-write*
  (literal
    #"@@WRITEABLE_PREFIX@@"
  )

  (regex
    #"^@@WRITEABLE_PREFIX_RE@@/"
    #"^(/private)?/var/tmp"
    #"^(/private)?/tmp"
  )
)

(allow file-read-data file-write-data
  (regex
    #"^/dev/null$"
    #"^(/private)?/var/run/syslog$"
  )
)'''

BASH_BINARY             = "bash"
MOVE_BINARY             = "mv"
PRELINK_BINARY          = "prelink"

Lines 10-16 Link Here

(-)prefix-portage-2.2.00.9380/pym/portage/process.py.msb (-1 / +17 lines)
10	import sys	10	import sys
11		11
12	from portage.util import dump_traceback	12	from portage.util import dump_traceback
13	from portage.const import BASH_BINARY, SANDBOX_BINARY, FAKEROOT_BINARY	13	from portage.const import BASH_BINARY, SANDBOX_BINARY, MACOSSANDBOX_BINARY, FAKEROOT_BINARY
14	from portage.exception import CommandNotFound	14	from portage.exception import CommandNotFound
15		15
16	try:	16	try:
Lines 32-37 Link Here
32	fakeroot_capable = (os.path.isfile(FAKEROOT_BINARY) and	32	fakeroot_capable = (os.path.isfile(FAKEROOT_BINARY) and
33	os.access(FAKEROOT_BINARY, os.X_OK))	33	os.access(FAKEROOT_BINARY, os.X_OK))
34		34
		35	macossandbox_capable = (os.path.isfile(MACOSSANDBOX_BINARY) and
		36	os.access(MACOSSANDBOX_BINARY, os.X_OK))
		37
35	def spawn_bash(mycommand, debug=False, opt_name=None, **keywords):	38	def spawn_bash(mycommand, debug=False, opt_name=None, **keywords):
36	"""	39	"""
37	Spawns a bash shell running a specific commands	40	Spawns a bash shell running a specific commands
Lines 81-86 Link Here
81	args.append(mycommand)	84	args.append(mycommand)
82	return spawn(args, opt_name=opt_name, **keywords)	85	return spawn(args, opt_name=opt_name, **keywords)
83		86
		87	def spawn_macossandbox(mycommand, profile=None, opt_name=None, **keywords):
		88	if not macossandbox_capable:
		89	return spawn_bash(mycommand, opt_name=opt_name, **keywords)
		90	args=[MACOSSANDBOX_BINARY]
		91	if not opt_name:
		92	opt_name = os.path.basename(mycommand.split()[0])
		93	args.append("-p")
		94	args.append(profile)
		95	args.append(BASH_BINARY)
		96	args.append("-c")
		97	args.append(mycommand)
		98	return spawn(args, opt_name=opt_name, **keywords)
		99
84	_exithandlers = []	100	_exithandlers = []
85	def atexit_register(func, args, *kargs):	101	def atexit_register(func, args, *kargs):
86	"""Wrapper around atexit.register that is needed in order to track	102	"""Wrapper around atexit.register that is needed in order to track

Return to bug 212817

Lines 43-48 Link Here

(-)prefix-portage-2.2.00.9380/pym/portage/const.py.msb (+26 lines)
43	MISC_SH_BINARY = PORTAGE_BIN_PATH+"/misc-functions.sh"	43	MISC_SH_BINARY = PORTAGE_BIN_PATH+"/misc-functions.sh"
44	SANDBOX_BINARY = EPREFIX+"/usr/bin/sandbox"	44	SANDBOX_BINARY = EPREFIX+"/usr/bin/sandbox"
45	FAKEROOT_BINARY = EPREFIX+"/usr/bin/fakeroot"	45	FAKEROOT_BINARY = EPREFIX+"/usr/bin/fakeroot"
		46	MACOSSANDBOX_BINARY = "/usr/bin/sandbox-exec"
		47	MACOSSANDBOX_PROFILE = '''(version 1)
		48
		49	(allow default)
		50
		51	(deny file-write*)
		52
		53	(allow file-read* file-write*
		54	(literal
		55	#"@@WRITEABLE_PREFIX@@"
		56	)
		57
		58	(regex
		59	#"^@@WRITEABLE_PREFIX_RE@@/"
		60	#"^(/private)?/var/tmp"
		61	#"^(/private)?/tmp"
		62	)
		63	)
		64
		65	(allow file-read-data file-write-data
		66	(regex
		67	#"^/dev/null$"
		68	#"^(/private)?/var/run/syslog$"
		69	)
		70	)'''
		71
46	BASH_BINARY = "bash"	72	BASH_BINARY = "bash"
47	MOVE_BINARY = "mv"	73	MOVE_BINARY = "mv"
48	PRELINK_BINARY = "prelink"	74	PRELINK_BINARY = "prelink"

Lines 91-97 Link Here

(-)prefix-portage-2.2.00.9380/pym/portage/__init__.py.msb (-4 / +53 lines)
91	from portage.const import VDB_PATH, PRIVATE_PATH, CACHE_PATH, DEPCACHE_PATH, \	91	from portage.const import VDB_PATH, PRIVATE_PATH, CACHE_PATH, DEPCACHE_PATH, \
92	USER_CONFIG_PATH, MODULES_FILE_PATH, CUSTOM_PROFILE_PATH, PORTAGE_BASE_PATH, \	92	USER_CONFIG_PATH, MODULES_FILE_PATH, CUSTOM_PROFILE_PATH, PORTAGE_BASE_PATH, \
93	PORTAGE_BIN_PATH, PORTAGE_PYM_PATH, PROFILE_PATH, LOCALE_DATA_PATH, \	93	PORTAGE_BIN_PATH, PORTAGE_PYM_PATH, PROFILE_PATH, LOCALE_DATA_PATH, \
94	EBUILD_SH_BINARY, SANDBOX_BINARY, BASH_BINARY, \	94	EBUILD_SH_BINARY, SANDBOX_BINARY, MACOSSANDBOX_BINARY, MACOSSANDBOX_PROFILE, BASH_BINARY, \
95	MOVE_BINARY, PRELINK_BINARY, WORLD_FILE, MAKE_CONF_FILE, MAKE_DEFAULTS_FILE, \	95	MOVE_BINARY, PRELINK_BINARY, WORLD_FILE, MAKE_CONF_FILE, MAKE_DEFAULTS_FILE, \
96	DEPRECATED_PROFILE_FILE, USER_VIRTUALS_FILE, EBUILD_SH_ENV_FILE, \	96	DEPRECATED_PROFILE_FILE, USER_VIRTUALS_FILE, EBUILD_SH_ENV_FILE, \
97	INVALID_ENV_FILE, CUSTOM_MIRRORS_FILE, CONFIG_MEMORY_FILE,\	97	INVALID_ENV_FILE, CUSTOM_MIRRORS_FILE, CONFIG_MEMORY_FILE,\
Lines 1591-1596 Link Here
1591	if "usersandbox" in self.features:	1591	if "usersandbox" in self.features:
1592	self.features.remove("usersandbox")	1592	self.features.remove("usersandbox")
1593		1593
		1594	if not portage.process.macossandbox_capable and \
		1595	("macossandbox" in self.features or "macosusersandbox" in self.features):
		1596	if self.profile_path is not None and \
		1597	os.path.realpath(self.profile_path) == \
		1598	os.path.realpath(PROFILE_PATH):
		1599	""" Don't show this warning when running repoman and the
		1600	sandbox feature came from a profile that doesn't belong to
		1601	the user."""
		1602	writemsg(colorize("BAD", "!!! Problem with macos sandbox" + \
		1603	" binary. Disabling...\n\n"), noiselevel=-1)
		1604	if "macossandbox" in self.features:
		1605	self.features.remove("macossandbox")
		1606	if "macosusersandbox" in self.features:
		1607	self.features.remove("macosusersandbox")
		1608
1594	self.features.sort()	1609	self.features.sort()
1595	if "gpg" in self.features:	1610	if "gpg" in self.features:
1596	writemsg(colorize("WARN", "!!! FEATURES=gpg is unmaintained, incomplete and broken. Disabling it."), noiselevel=-1)	1611	writemsg(colorize("WARN", "!!! FEATURES=gpg is unmaintained, incomplete and broken. Disabling it."), noiselevel=-1)
Lines 2878-2890 Link Here
2878	# fake ownership/permissions will have to be converted to real	2893	# fake ownership/permissions will have to be converted to real
2879	# permissions in the merge phase.	2894	# permissions in the merge phase.
2880	fakeroot = fakeroot and uid != 0 and portage.process.fakeroot_capable	2895	fakeroot = fakeroot and uid != 0 and portage.process.fakeroot_capable
		2896	macossandbox = ("macossandbox" in features or \
		2897	"macosusersandbox" in features)
2881	if droppriv and not uid and portage_gid and portage_uid:	2898	if droppriv and not uid and portage_gid and portage_uid:
2882	keywords.update({"uid":portage_uid,"gid":portage_gid,	2899	keywords.update({"uid":portage_uid,"gid":portage_gid,
2883	"groups":userpriv_groups,"umask":002})	2900	"groups":userpriv_groups,"umask":002})
2884	if not free:	2901	if not free:
2885	free=((droppriv and "usersandbox" not in features) or \	2902	free=((droppriv and "usersandbox" not in features and
		2903	"macosusersandbox" not in features) or \
2886	(not droppriv and "sandbox" not in features and \	2904	(not droppriv and "sandbox" not in features and \
2887	"usersandbox" not in features))	2905	"usersandbox" not in features and \
		2906	not macossandbox))
		2907
		2908	# confining the process to a prefix sandbox is disabled by default, if
		2909	# a normal sandbox is requested a this point, it will be used, if no
		2910	# sandbox is requested, a prefix sandbox will be imposed if requested
		2911	# by the appropriate features
		2912	prefixsandbox = False
		2913	if free:
		2914	prefixsandbox = "macosprefixsandbox" in features
		2915	free = not prefixsandbox
2888		2916
2889	if free or "SANDBOX_ACTIVE" in os.environ:	2917	if free or "SANDBOX_ACTIVE" in os.environ:
2890	keywords["opt_name"] += " bash"	2918	keywords["opt_name"] += " bash"
Lines 2893-2898 Link Here
2893	keywords["opt_name"] += " fakeroot"	2921	keywords["opt_name"] += " fakeroot"
2894	keywords["fakeroot_state"] = os.path.join(mysettings["T"], "fakeroot.state")	2922	keywords["fakeroot_state"] = os.path.join(mysettings["T"], "fakeroot.state")
2895	spawn_func = portage.process.spawn_fakeroot	2923	spawn_func = portage.process.spawn_fakeroot
		2924	elif macossandbox:
		2925	keywords["opt_name"] += " macossandbox"
		2926	if prefixsandbox:
		2927	sbprefixpath = mysettings["EPREFIX"]
		2928	else:
		2929	sbprefixpath = mysettings["PORTAGE_BUILDDIR"]
		2930
		2931	# escape some characters with special meaning in re's
		2932	sbprefixre = sbprefixpath.replace("+", "\+")
		2933	sbprefixre = sbprefixre.replace("", "\")
		2934	sbprefixre = sbprefixre.replace("[", "\[")
		2935	sbprefixre = sbprefixre.replace("[", "\[")
		2936
		2937	sbprofile = MACOSSANDBOX_PROFILE
		2938	sbprofile = sbprofile.replace("@@WRITEABLE_PREFIX@@", sbprefixpath)
		2939	sbprofile = sbprofile.replace("@@WRITEABLE_PREFIX_RE@@", sbprefixre)
		2940
		2941	keywords["profile"] = sbprofile
		2942	spawn_func = portage.process.spawn_macossandbox
2896	else:	2943	else:
2897	keywords["opt_name"] += " sandbox"	2944	keywords["opt_name"] += " sandbox"
2898	spawn_func = portage.process.spawn_sandbox	2945	spawn_func = portage.process.spawn_sandbox
Lines 4820-4832 Link Here
4820	restrict = mysettings["PORTAGE_RESTRICT"].split()	4867	restrict = mysettings["PORTAGE_RESTRICT"].split()
4821	nosandbox = (("userpriv" in features) and \	4868	nosandbox = (("userpriv" in features) and \
4822	("usersandbox" not in features) and \	4869	("usersandbox" not in features) and \
		4870	("macosusersandbox" not in features) and \
4823	"userpriv" not in restrict and \	4871	"userpriv" not in restrict and \
4824	"nouserpriv" not in restrict)	4872	"nouserpriv" not in restrict)
4825	if nosandbox and ("userpriv" not in features or \	4873	if nosandbox and ("userpriv" not in features or \
4826	"userpriv" in restrict or \	4874	"userpriv" in restrict or \
4827	"nouserpriv" in restrict):	4875	"nouserpriv" in restrict):
4828	nosandbox = ("sandbox" not in features and \	4876	nosandbox = ("sandbox" not in features and \
4829	"usersandbox" not in features)	4877	"usersandbox" not in features and \
		4878	"macosusersandbox" not in features)
4830		4879
4831	sesandbox = mysettings.selinux_enabled() and \	4880	sesandbox = mysettings.selinux_enabled() and \
4832	"sesandbox" in mysettings.features	4881	"sesandbox" in mysettings.features