Attachment #208569 for bug #212817




	from portage.const import VDB_PATH, PRIVATE_PATH, CACHE_PATH, DEPCACHE_PATH, \
		USER_CONFIG_PATH, MODULES_FILE_PATH, CUSTOM_PROFILE_PATH, PORTAGE_BASE_PATH, \
		PORTAGE_BIN_PATH, PORTAGE_PYM_PATH, PROFILE_PATH, LOCALE_DATA_PATH, \
		EBUILD_SH_BINARY, SANDBOX_BINARY, MACOSSANDBOX_BINARY, MACOSSANDBOX_PROFILE, BASH_BINARY, \
		MOVE_BINARY, PRELINK_BINARY, WORLD_FILE, MAKE_CONF_FILE, MAKE_DEFAULTS_FILE, \
		DEPRECATED_PROFILE_FILE, USER_VIRTUALS_FILE, EBUILD_SH_ENV_FILE, \
		INVALID_ENV_FILE, CUSTOM_MIRRORS_FILE, CONFIG_MEMORY_FILE,\

			if bsd_chflags:
				self.features.add('chflags')

			if not portage.process.macossandbox_capable and \
				("macossandbox" in self.features or "macosusersandbox" in self.features):
				if self.profile_path is not None and \
					os.path.realpath(self.profile_path) == \
					os.path.realpath(PROFILE_PATH):
					""" Don't show this warning when running repoman and the
					sandbox feature came from a profile that doesn't belong to
					the user."""
					writemsg(colorize("BAD", "!!! Problem with macos sandbox" + \
						" binary. Disabling...\n\n"), noiselevel=-1)
				if "macossandbox" in self.features:
					self.features.remove("macossandbox")
				if "macosusersandbox" in self.features:
					self.features.remove("macosusersandbox")

			self["FEATURES"] = " ".join(sorted(self.features))
			self.backup_changes("FEATURES")
			global _glep_55_enabled, _validate_cache_for_unsupported_eapis

	# fake ownership/permissions will have to be converted to real
	# permissions in the merge phase.
	fakeroot = fakeroot and uid != 0 and portage.process.fakeroot_capable
	macossandbox = ("macossandbox" in features or \
		"macosusersandbox" in features)
	if droppriv and not uid and portage_gid and portage_uid:
		keywords.update({"uid":portage_uid,"gid":portage_gid,
			"groups":userpriv_groups,"umask":0o02})
	if not free:
		free=((droppriv and "usersandbox" not in features and
			"macosusersandbox" not in features) or \
			(not droppriv and "sandbox" not in features and \
			"usersandbox" not in features and not fakeroot and \
			not macossandbox))

	# confining the process to a prefix sandbox is disabled by default, if
	# a normal sandbox is requested a this point, it will be used, if no
	# sandbox is requested, a prefix sandbox will be imposed if requested
	# by the appropriate features
	prefixsandbox = False
	if free:
		prefixsandbox = "macosprefixsandbox" in features
		free = not prefixsandbox

	if free or "SANDBOX_ACTIVE" in os.environ:
		keywords["opt_name"] += " bash"
		spawn_func = portage.process.spawn_bash

		keywords["opt_name"] += " fakeroot"
		keywords["fakeroot_state"] = os.path.join(mysettings["T"], "fakeroot.state")
		spawn_func = portage.process.spawn_fakeroot
	elif macossandbox:
		keywords["opt_name"] += " macossandbox"
		if prefixsandbox:
			sbprefixpath = mysettings["EPREFIX"]
		else:
			sbprefixpath = mysettings["PORTAGE_BUILDDIR"]

		# escape some characters with special meaning in re's
		sbprefixre = sbprefixpath.replace("+", "\+")
		sbprefixre = sbprefixre.replace("*", "\*")
		sbprefixre = sbprefixre.replace("[", "\[")
		sbprefixre = sbprefixre.replace("[", "\[")

		sbprofile = MACOSSANDBOX_PROFILE
		sbprofile = sbprofile.replace("@@WRITEABLE_PREFIX@@", sbprefixpath)
		sbprofile = sbprofile.replace("@@WRITEABLE_PREFIX_RE@@", sbprefixre)

		keywords["profile"] = sbprofile
		spawn_func = portage.process.spawn_macossandbox
	else:
		keywords["opt_name"] += " sandbox"
		spawn_func = portage.process.spawn_sandbox

		restrict = mysettings["PORTAGE_RESTRICT"].split()
		nosandbox = (("userpriv" in features) and \
			("usersandbox" not in features) and \
			("macosusersandbox" not in features) and \
			"userpriv" not in restrict and \
			"nouserpriv" not in restrict)
		if nosandbox and ("userpriv" not in features or \
			"userpriv" in restrict or \
			"nouserpriv" in restrict):
			nosandbox = ("sandbox" not in features and \
				"usersandbox" not in features and \
				"macosusersandbox" not in features)

		sesandbox = mysettings.selinux_enabled() and \
			"sesandbox" in mysettings.features




BASH_BINARY              = PORTAGE_BASH
MOVE_BINARY              = PORTAGE_MV
PRELINK_BINARY           = EPREFIX + "/usr/sbin/prelink"
MACOSSANDBOX_BINARY     = "/usr/bin/sandbox-exec"
MACOSSANDBOX_PROFILE    = '''(version 1)

(allow default)

(deny file-write*)

(allow file-read* file-write*
  (literal
    #"@@WRITEABLE_PREFIX@@"
  )

  (regex
    #"^@@WRITEABLE_PREFIX_RE@@/"
    #"^(/private)?/var/tmp"
    #"^(/private)?/tmp"
  )
)

(allow file-read-data file-write-data
  (regex
    #"^/dev/null$"
    #"^(/private)?/var/run/syslog$"
  )
)'''

INVALID_ENV_FILE         = "/etc/spork/is/not/valid/profile.env"
REPO_NAME_FILE           = "repo_name"
REPO_NAME_LOC            = "profiles" + "/" + REPO_NAME_FILE

Lines 18-24 Link Here

(-)pym/portage/process.py (-1 / +17 lines)
18	'portage.util:dump_traceback',	18	'portage.util:dump_traceback',
19	)	19	)
20		20
21	from portage.const import BASH_BINARY, SANDBOX_BINARY, FAKEROOT_BINARY	21	from portage.const import BASH_BINARY, SANDBOX_BINARY, MACOSSANDBOX_BINARY, FAKEROOT_BINARY
22	from portage.exception import CommandNotFound	22	from portage.exception import CommandNotFound
23		23
24	try:	24	try:
Lines 44-49 Link Here
44	fakeroot_capable = (os.path.isfile(FAKEROOT_BINARY) and	44	fakeroot_capable = (os.path.isfile(FAKEROOT_BINARY) and
45	os.access(FAKEROOT_BINARY, os.X_OK))	45	os.access(FAKEROOT_BINARY, os.X_OK))
46		46
		47	macossandbox_capable = (os.path.isfile(MACOSSANDBOX_BINARY) and
		48	os.access(MACOSSANDBOX_BINARY, os.X_OK))
		49
47	def spawn_bash(mycommand, debug=False, opt_name=None, **keywords):	50	def spawn_bash(mycommand, debug=False, opt_name=None, **keywords):
48	"""	51	"""
49	Spawns a bash shell running a specific commands	52	Spawns a bash shell running a specific commands
Lines 93-98 Link Here
93	args.append(mycommand)	96	args.append(mycommand)
94	return spawn(args, opt_name=opt_name, **keywords)	97	return spawn(args, opt_name=opt_name, **keywords)
95		98
		99	def spawn_macossandbox(mycommand, profile=None, opt_name=None, **keywords):
		100	if not macossandbox_capable:
		101	return spawn_bash(mycommand, opt_name=opt_name, **keywords)
		102	args=[MACOSSANDBOX_BINARY]
		103	if not opt_name:
		104	opt_name = os.path.basename(mycommand.split()[0])
		105	args.append("-p")
		106	args.append(profile)
		107	args.append(BASH_BINARY)
		108	args.append("-c")
		109	args.append(mycommand)
		110	return spawn(args, opt_name=opt_name, **keywords)
		111
96	_exithandlers = []	112	_exithandlers = []
97	def atexit_register(func, args, *kargs):	113	def atexit_register(func, args, *kargs):
98	"""Wrapper around atexit.register that is needed in order to track	114	"""Wrapper around atexit.register that is needed in order to track

Return to bug 212817

Lines 104-110 Link Here

(-)pym/portage/__init__.py (-4 / +53 lines)
104	from portage.const import VDB_PATH, PRIVATE_PATH, CACHE_PATH, DEPCACHE_PATH, \	104	from portage.const import VDB_PATH, PRIVATE_PATH, CACHE_PATH, DEPCACHE_PATH, \
105	USER_CONFIG_PATH, MODULES_FILE_PATH, CUSTOM_PROFILE_PATH, PORTAGE_BASE_PATH, \	105	USER_CONFIG_PATH, MODULES_FILE_PATH, CUSTOM_PROFILE_PATH, PORTAGE_BASE_PATH, \
106	PORTAGE_BIN_PATH, PORTAGE_PYM_PATH, PROFILE_PATH, LOCALE_DATA_PATH, \	106	PORTAGE_BIN_PATH, PORTAGE_PYM_PATH, PROFILE_PATH, LOCALE_DATA_PATH, \
107	EBUILD_SH_BINARY, SANDBOX_BINARY, BASH_BINARY, \	107	EBUILD_SH_BINARY, SANDBOX_BINARY, MACOSSANDBOX_BINARY, MACOSSANDBOX_PROFILE, BASH_BINARY, \
108	MOVE_BINARY, PRELINK_BINARY, WORLD_FILE, MAKE_CONF_FILE, MAKE_DEFAULTS_FILE, \	108	MOVE_BINARY, PRELINK_BINARY, WORLD_FILE, MAKE_CONF_FILE, MAKE_DEFAULTS_FILE, \
109	DEPRECATED_PROFILE_FILE, USER_VIRTUALS_FILE, EBUILD_SH_ENV_FILE, \	109	DEPRECATED_PROFILE_FILE, USER_VIRTUALS_FILE, EBUILD_SH_ENV_FILE, \
110	INVALID_ENV_FILE, CUSTOM_MIRRORS_FILE, CONFIG_MEMORY_FILE,\	110	INVALID_ENV_FILE, CUSTOM_MIRRORS_FILE, CONFIG_MEMORY_FILE,\
Lines 2215-2220 Link Here
2215	if bsd_chflags:	2215	if bsd_chflags:
2216	self.features.add('chflags')	2216	self.features.add('chflags')
2217		2217
		2218	if not portage.process.macossandbox_capable and \
		2219	("macossandbox" in self.features or "macosusersandbox" in self.features):
		2220	if self.profile_path is not None and \
		2221	os.path.realpath(self.profile_path) == \
		2222	os.path.realpath(PROFILE_PATH):
		2223	""" Don't show this warning when running repoman and the
		2224	sandbox feature came from a profile that doesn't belong to
		2225	the user."""
		2226	writemsg(colorize("BAD", "!!! Problem with macos sandbox" + \
		2227	" binary. Disabling...\n\n"), noiselevel=-1)
		2228	if "macossandbox" in self.features:
		2229	self.features.remove("macossandbox")
		2230	if "macosusersandbox" in self.features:
		2231	self.features.remove("macosusersandbox")
		2232
2218	self["FEATURES"] = " ".join(sorted(self.features))	2233	self["FEATURES"] = " ".join(sorted(self.features))
2219	self.backup_changes("FEATURES")	2234	self.backup_changes("FEATURES")
2220	global _glep_55_enabled, _validate_cache_for_unsupported_eapis	2235	global _glep_55_enabled, _validate_cache_for_unsupported_eapis
Lines 4090-4103 Link Here
4090	# fake ownership/permissions will have to be converted to real	4105	# fake ownership/permissions will have to be converted to real
4091	# permissions in the merge phase.	4106	# permissions in the merge phase.
4092	fakeroot = fakeroot and uid != 0 and portage.process.fakeroot_capable	4107	fakeroot = fakeroot and uid != 0 and portage.process.fakeroot_capable
		4108	macossandbox = ("macossandbox" in features or \
		4109	"macosusersandbox" in features)
4093	if droppriv and not uid and portage_gid and portage_uid:	4110	if droppriv and not uid and portage_gid and portage_uid:
4094	keywords.update({"uid":portage_uid,"gid":portage_gid,	4111	keywords.update({"uid":portage_uid,"gid":portage_gid,
4095	"groups":userpriv_groups,"umask":0o02})	4112	"groups":userpriv_groups,"umask":0o02})
4096	if not free:	4113	if not free:
4097	free=((droppriv and "usersandbox" not in features) or \	4114	free=((droppriv and "usersandbox" not in features and
		4115	"macosusersandbox" not in features) or \
4098	(not droppriv and "sandbox" not in features and \	4116	(not droppriv and "sandbox" not in features and \
4099	"usersandbox" not in features and not fakeroot))	4117	"usersandbox" not in features and not fakeroot and \
		4118	not macossandbox))
4100		4119
		4120	# confining the process to a prefix sandbox is disabled by default, if
		4121	# a normal sandbox is requested a this point, it will be used, if no
		4122	# sandbox is requested, a prefix sandbox will be imposed if requested
		4123	# by the appropriate features
		4124	prefixsandbox = False
		4125	if free:
		4126	prefixsandbox = "macosprefixsandbox" in features
		4127	free = not prefixsandbox
		4128
4101	if free or "SANDBOX_ACTIVE" in os.environ:	4129	if free or "SANDBOX_ACTIVE" in os.environ:
4102	keywords["opt_name"] += " bash"	4130	keywords["opt_name"] += " bash"
4103	spawn_func = portage.process.spawn_bash	4131	spawn_func = portage.process.spawn_bash
Lines 4105-4110 Link Here
4105	keywords["opt_name"] += " fakeroot"	4133	keywords["opt_name"] += " fakeroot"
4106	keywords["fakeroot_state"] = os.path.join(mysettings["T"], "fakeroot.state")	4134	keywords["fakeroot_state"] = os.path.join(mysettings["T"], "fakeroot.state")
4107	spawn_func = portage.process.spawn_fakeroot	4135	spawn_func = portage.process.spawn_fakeroot
		4136	elif macossandbox:
		4137	keywords["opt_name"] += " macossandbox"
		4138	if prefixsandbox:
		4139	sbprefixpath = mysettings["EPREFIX"]
		4140	else:
		4141	sbprefixpath = mysettings["PORTAGE_BUILDDIR"]
		4142
		4143	# escape some characters with special meaning in re's
		4144	sbprefixre = sbprefixpath.replace("+", "\+")
		4145	sbprefixre = sbprefixre.replace("", "\")
		4146	sbprefixre = sbprefixre.replace("[", "\[")
		4147	sbprefixre = sbprefixre.replace("[", "\[")
		4148
		4149	sbprofile = MACOSSANDBOX_PROFILE
		4150	sbprofile = sbprofile.replace("@@WRITEABLE_PREFIX@@", sbprefixpath)
		4151	sbprofile = sbprofile.replace("@@WRITEABLE_PREFIX_RE@@", sbprefixre)
		4152
		4153	keywords["profile"] = sbprofile
		4154	spawn_func = portage.process.spawn_macossandbox
4108	else:	4155	else:
4109	keywords["opt_name"] += " sandbox"	4156	keywords["opt_name"] += " sandbox"
4110	spawn_func = portage.process.spawn_sandbox	4157	spawn_func = portage.process.spawn_sandbox
Lines 7232-7244 Link Here
7232	restrict = mysettings["PORTAGE_RESTRICT"].split()	7279	restrict = mysettings["PORTAGE_RESTRICT"].split()
7233	nosandbox = (("userpriv" in features) and \	7280	nosandbox = (("userpriv" in features) and \
7234	("usersandbox" not in features) and \	7281	("usersandbox" not in features) and \
		7282	("macosusersandbox" not in features) and \
7235	"userpriv" not in restrict and \	7283	"userpriv" not in restrict and \
7236	"nouserpriv" not in restrict)	7284	"nouserpriv" not in restrict)
7237	if nosandbox and ("userpriv" not in features or \	7285	if nosandbox and ("userpriv" not in features or \
7238	"userpriv" in restrict or \	7286	"userpriv" in restrict or \
7239	"nouserpriv" in restrict):	7287	"nouserpriv" in restrict):
7240	nosandbox = ("sandbox" not in features and \	7288	nosandbox = ("sandbox" not in features and \
7241	"usersandbox" not in features)	7289	"usersandbox" not in features and \
		7290	"macosusersandbox" not in features)
7242		7291
7243	sesandbox = mysettings.selinux_enabled() and \	7292	sesandbox = mysettings.selinux_enabled() and \
7244	"sesandbox" in mysettings.features	7293	"sesandbox" in mysettings.features

Lines 78-84 Link Here

(-)pym/portage/const.py (+25 lines)
78	BASH_BINARY = PORTAGE_BASH	78	BASH_BINARY = PORTAGE_BASH
79	MOVE_BINARY = PORTAGE_MV	79	MOVE_BINARY = PORTAGE_MV
80	PRELINK_BINARY = EPREFIX + "/usr/sbin/prelink"	80	PRELINK_BINARY = EPREFIX + "/usr/sbin/prelink"
		81	MACOSSANDBOX_BINARY = "/usr/bin/sandbox-exec"
		82	MACOSSANDBOX_PROFILE = '''(version 1)
81		83
		84	(allow default)
		85
		86	(deny file-write*)
		87
		88	(allow file-read* file-write*
		89	(literal
		90	#"@@WRITEABLE_PREFIX@@"
		91	)
		92
		93	(regex
		94	#"^@@WRITEABLE_PREFIX_RE@@/"
		95	#"^(/private)?/var/tmp"
		96	#"^(/private)?/tmp"
		97	)
		98	)
		99
		100	(allow file-read-data file-write-data
		101	(regex
		102	#"^/dev/null$"
		103	#"^(/private)?/var/run/syslog$"
		104	)
		105	)'''
		106
82	INVALID_ENV_FILE = "/etc/spork/is/not/valid/profile.env"	107	INVALID_ENV_FILE = "/etc/spork/is/not/valid/profile.env"
83	REPO_NAME_FILE = "repo_name"	108	REPO_NAME_FILE = "repo_name"
84	REPO_NAME_LOC = "profiles" + "/" + REPO_NAME_FILE	109	REPO_NAME_LOC = "profiles" + "/" + REPO_NAME_FILE