Attachment #57443 for bug #90343




	trap SIGINT SIGQUIT
}

iw_begin() {
	export SANDBOX_ON="1"
	export SANDBOX_WRITE="/"
	export SANDBOX_DEBUG="1"
	export SANDBOX_DEBUG_LOG="$INSTALLWATCHFILE"
}

iw_end() {
	export SANDBOX_ON="0"
	unset SANDBOX_DEBUG
	unset SANDBOX_DEBUG_LOG

	# forget read only operations
	sed -i \
		-e 's/^open_rd:.*//' \
		-e 's/^execve:.*//' \
		-e 's/^opendir:.*//' \
		-e 's/^open_wr: *\/dev\/null$//' \
		$INSTALLWATCHFILE

	# remove the empty lines
	local TMPFILE="`tempfile`"
	egrep -v '^$' $INSTALLWATCHFILE > $TMPFILE
	cat $TMPFILE > $INSTALLWATCHFILE
	rm $TMPFILE

	unset INSTALLWATCHFILE
}

dyn_preinst() {
	# set IMAGE depending if this is a binary or compile merge
	[ "${EMERGE_FROM}" == "binary" ] && IMAGE=${PKG_TMPDIR}/${PF}/bin \
					|| IMAGE=${D}
	[ -n "$INSTALLWATCHFILE" ] && iw_begin
	pkg_preinst
	[ -n "$INSTALLWATCHFILE" ] && iw_end

	# hopefully this will someday allow us to get rid of the no* feature flags
	# we don't want globbing for initial expansion, but afterwards, we do

		;;
	prerm|postrm|postinst|config)
		export SANDBOX_ON="0"
		[ -n "$INSTALLWATCHFILE" ] && iw_begin
		if [ "$PORTAGE_DEBUG" != "1" ]; then
			pkg_${myarg}
			#Allow non-zero return codes since they can be caused by &&

			#Allow non-zero return codes since they can be caused by &&
			set +x
		fi
		[ -n "$INSTALLWATCHFILE" ] && iw_end
		;;
	unpack|compile|test|clean|install)
		if [ "${SANDBOX_DISABLED="0"}" == "0" ]; then

Lines 1564-1570 Link Here

(-)portage-2.0.51.20.orig/pym/portage.py (-15 / +26 lines)
1564		1564
1565	# XXX This would be to replace getstatusoutput completely.	1565	# XXX This would be to replace getstatusoutput completely.
1566	# XXX Issue: cannot block execution. Deadlock condition.	1566	# XXX Issue: cannot block execution. Deadlock condition.
1567	def spawn(mystring,mysettings,debug=0,free=0,droppriv=0,fd_pipes=None,**keywords):	1567	def spawn(mystring,mysettings,debug=0,free=0,droppriv=0,fd_pipes=None,iw_log=None,**keywords):
1568	"""spawn a subprocess with optional sandbox protection,	1568	"""spawn a subprocess with optional sandbox protection,
1569	depending on whether sandbox is enabled. The "free" argument,	1569	depending on whether sandbox is enabled. The "free" argument,
1570	when set to 1, will disable sandboxing. This allows us to	1570	when set to 1, will disable sandboxing. This allows us to
Lines 1589-1595 Link Here
1589		1589
1590	if ("sandbox" in features) and (not free):	1590	if ("sandbox" in features) and (not free):
1591	keywords["opt_name"] += " sandbox"	1591	keywords["opt_name"] += " sandbox"
1592	if droppriv and portage_gid and portage_uid:	1592	if iw_log:
		1593	env["INSTALLWATCHFILE"]=iw_log
		1594	elif droppriv and portage_gid and portage_uid:
1593	keywords.update({"uid":portage_uid,"gid":portage_gid,"groups":[portage_gid],"umask":002})	1595	keywords.update({"uid":portage_uid,"gid":portage_gid,"groups":[portage_gid],"umask":002})
1594	return portage_exec.spawn_sandbox(mystring,env=env,**keywords)	1596	return portage_exec.spawn_sandbox(mystring,env=env,**keywords)
1595	else:	1597	else:
Lines 2314-2320 Link Here
2314	droppriv=actionmap[mydo]["args"][1],logfile=logfile)	2316	droppriv=actionmap[mydo]["args"][1],logfile=logfile)
2315	return retval	2317	return retval
2316		2318
2317	def doebuild(myebuild,mydo,myroot,mysettings,debug=0,listonly=0,fetchonly=0,cleanup=0,dbkey=None,use_cache=1,fetchall=0,tree="porttree"):	2319	def doebuild(myebuild,mydo,myroot,mysettings,debug=0,listonly=0,fetchonly=0,cleanup=0,dbkey=None,use_cache=1,fetchall=0,tree="porttree",iw_log=None):
2318	global db	2320	global db
2319		2321
2320	ebuild_path = os.path.abspath(myebuild)	2322	ebuild_path = os.path.abspath(myebuild)
Lines 2595-2601 Link Here
2595	return spawn(EBUILD_SH_BINARY+" "+mydo,mysettings,debug=debug,free=1,logfile=logfile)	2597	return spawn(EBUILD_SH_BINARY+" "+mydo,mysettings,debug=debug,free=1,logfile=logfile)
2596	elif mydo in ["prerm","postrm","preinst","postinst","config"]:	2598	elif mydo in ["prerm","postrm","preinst","postinst","config"]:
2597	mysettings.load_infodir(pkg_dir)	2599	mysettings.load_infodir(pkg_dir)
2598	return spawn(EBUILD_SH_BINARY+" "+mydo,mysettings,debug=debug,free=1,logfile=logfile)	2600	free=1
		2601	if iw_log:
		2602	free=0
		2603	return spawn(EBUILD_SH_BINARY+" "+mydo,mysettings,debug=debug,free=free,logfile=logfile,iw_log=iw_log)
2599		2604
2600	try:	2605	try:
2601	mysettings["SLOT"],mysettings["RESTRICT"] = db["/"]["porttree"].dbapi.aux_get(mycpv,["SLOT","RESTRICT"])	2606	mysettings["SLOT"],mysettings["RESTRICT"] = db["/"]["porttree"].dbapi.aux_get(mycpv,["SLOT","RESTRICT"])
Lines 6428-6439 Link Here
6428	print ">>> Merging",self.mycpv,"to",destroot	6433	print ">>> Merging",self.mycpv,"to",destroot
6429		6434
6430	# run preinst script	6435	# run preinst script
		6436	iw_log=None
		6437	if "installwatch" in features:
		6438	iw_log=self.dbtmpdir+"/PREINST"
6431	if myebuild:	6439	if myebuild:
6432	# if we are merging a new ebuild, use its pre/postinst rather than using the one in /var/db/pkg	6440	# if we are merging a new ebuild, use its pre/postinst rather than using the one in /var/db/pkg
6433	# (if any).	6441	# (if any).
6434	a=doebuild(myebuild,"preinst",root,self.settings,cleanup=cleanup,use_cache=0)	6442	a=doebuild(myebuild,"preinst",root,self.settings,cleanup=cleanup,use_cache=0,iw_log=iw_log)
6435	else:	6443	else:
6436	a=doebuild(inforoot+"/"+self.pkg+".ebuild","preinst",root,self.settings,cleanup=cleanup,use_cache=0)	6444	a=doebuild(inforoot+"/"+self.pkg+".ebuild","preinst",root,self.settings,cleanup=cleanup,use_cache=0,iw_log=iw_log)
6437		6445
6438	# XXX: Decide how to handle failures here.	6446	# XXX: Decide how to handle failures here.
6439	if a != 0:	6447	if a != 0:
Lines 6514-6526 Link Here
6514	self.dbdir = self.dbtmpdir	6522	self.dbdir = self.dbtmpdir
6515	print ">>> original instance of package unmerged safely."	6523	print ">>> original instance of package unmerged safely."
6516		6524
6517	# We hold both directory locks.
6518	self.dbdir = self.dbpkgdir
6519	self.delete()
6520	movefile(self.dbtmpdir, self.dbpkgdir, mysettings=self.settings)
6521
6522	self.unlockdb()
6523
6524	#write out our collection of md5sums	6525	#write out our collection of md5sums
6525	if cfgfiledict.has_key("IGNORE"):	6526	if cfgfiledict.has_key("IGNORE"):
6526	del cfgfiledict["IGNORE"]	6527	del cfgfiledict["IGNORE"]
Lines 6545-6556 Link Here
6545	portage_locks.unlockfile(mylock)	6546	portage_locks.unlockfile(mylock)
6546		6547
6547	#do postinst script	6548	#do postinst script
		6549	iw_log=None
		6550	if "installwatch" in features:
		6551	iw_log=self.dbtmpdir+"/POSTINST"
6548	if myebuild:	6552	if myebuild:
6549	# if we are merging a new ebuild, use its pre/postinst rather than using the one in /var/db/pkg	6553	# if we are merging a new ebuild, use its pre/postinst rather than using the one in /var/db/pkg
6550	# (if any).	6554	# (if any).
6551	a=doebuild(myebuild,"postinst",root,self.settings,use_cache=0)	6555	a=doebuild(myebuild,"postinst",root,self.settings,use_cache=0,iw_log=iw_log)
6552	else:	6556	else:
6553	a=doebuild(inforoot+"/"+self.pkg+".ebuild","postinst",root,self.settings,use_cache=0)	6557	a=doebuild(inforoot+"/"+self.pkg+".ebuild","postinst",root,self.settings,use_cache=0,iw_log=iw_log)
		6558
		6559	# We hold both directory locks.
		6560	self.dbdir = self.dbpkgdir
		6561	self.delete()
		6562	movefile(self.dbtmpdir, self.dbpkgdir, mysettings=self.settings)
		6563
		6564	self.unlockdb()
6554		6565
6555	# XXX: Decide how to handle failures here.	6566	# XXX: Decide how to handle failures here.
6556	if a != 0:	6567	if a != 0:

Return to bug 90343

Lines 1119-1130 Link Here

(-)portage-2.0.51.20.orig/bin/ebuild.sh (-1 / +33 lines)
1119	trap SIGINT SIGQUIT	1119	trap SIGINT SIGQUIT
1120	}	1120	}
1121		1121
		1122	iw_begin() {
		1123	export SANDBOX_ON="1"
		1124	export SANDBOX_WRITE="/"
		1125	export SANDBOX_DEBUG="1"
		1126	export SANDBOX_DEBUG_LOG="$INSTALLWATCHFILE"
		1127	}
		1128
		1129	iw_end() {
		1130	export SANDBOX_ON="0"
		1131	unset SANDBOX_DEBUG
		1132	unset SANDBOX_DEBUG_LOG
		1133
		1134	# forget read only operations
		1135	sed -i \
		1136	-e 's/^open_rd:.*//' \
		1137	-e 's/^execve:.*//' \
		1138	-e 's/^opendir:.*//' \
		1139	-e 's/^open_wr: *\/dev\/null$//' \
		1140	$INSTALLWATCHFILE
		1141
		1142	# remove the empty lines
		1143	local TMPFILE="`tempfile`"
		1144	egrep -v '^$' $INSTALLWATCHFILE > $TMPFILE
		1145	cat $TMPFILE > $INSTALLWATCHFILE
		1146	rm $TMPFILE
		1147
		1148	unset INSTALLWATCHFILE
		1149	}
		1150
1122	dyn_preinst() {	1151	dyn_preinst() {
1123	# set IMAGE depending if this is a binary or compile merge	1152	# set IMAGE depending if this is a binary or compile merge
1124	[ "${EMERGE_FROM}" == "binary" ] && IMAGE=${PKG_TMPDIR}/${PF}/bin \	1153	[ "${EMERGE_FROM}" == "binary" ] && IMAGE=${PKG_TMPDIR}/${PF}/bin \
1125	\|\| IMAGE=${D}	1154	\|\| IMAGE=${D}
1126		1155	[ -n "$INSTALLWATCHFILE" ] && iw_begin
1127	pkg_preinst	1156	pkg_preinst
		1157	[ -n "$INSTALLWATCHFILE" ] && iw_end
1128		1158
1129	# hopefully this will someday allow us to get rid of the no* feature flags	1159	# hopefully this will someday allow us to get rid of the no* feature flags
1130	# we don't want globbing for initial expansion, but afterwards, we do	1160	# we don't want globbing for initial expansion, but afterwards, we do
Lines 1749-1754 Link Here
1749	;;	1779	;;
1750	prerm\|postrm\|postinst\|config)	1780	prerm\|postrm\|postinst\|config)
1751	export SANDBOX_ON="0"	1781	export SANDBOX_ON="0"
		1782	[ -n "$INSTALLWATCHFILE" ] && iw_begin
1752	if [ "$PORTAGE_DEBUG" != "1" ]; then	1783	if [ "$PORTAGE_DEBUG" != "1" ]; then
1753	pkg_${myarg}	1784	pkg_${myarg}
1754	#Allow non-zero return codes since they can be caused by &&	1785	#Allow non-zero return codes since they can be caused by &&
Lines 1758-1763 Link Here
1758	#Allow non-zero return codes since they can be caused by &&	1789	#Allow non-zero return codes since they can be caused by &&
1759	set +x	1790	set +x
1760	fi	1791	fi
		1792	[ -n "$INSTALLWATCHFILE" ] && iw_end
1761	;;	1793	;;
1762	unpack\|compile\|test\|clean\|install)	1794	unpack\|compile\|test\|clean\|install)
1763	if [ "${SANDBOX_DISABLED="0"}" == "0" ]; then	1795	if [ "${SANDBOX_DISABLED="0"}" == "0" ]; then