Gentoo's Bugzilla – Attachment 145637 Details for
Bug 212817
use Sandbox/Seatbelt to confine ebuild on Mac OS X 10.5
[patch]
add Mac OS X 10.5 sandboxing to prefix-portage
portage-msb-3.patch (text/plain), 6.94 KB, created by
Michael Weiser
on 2008-03-09 12:34:29 UTC
Description:
add Mac OS X 10.5 sandboxing to prefix-portage
Filename:
MIME Type:
Creator:
Michael Weiser
Created:
2008-03-09 12:34:29 UTC
Size:
6.94 KB
patch
obsolete
>--- prefix-portage-2.2.00.9380/pym/portage/__init__.py.msb 2008-02-24 10:44:42.000000000 +0100
>+++ prefix-portage-2.2.00.9380/pym/portage/__init__.py 2008-03-09 13:00:27.000000000 +0100
>@@ -91,7 +91,7 @@
> from portage.const import VDB_PATH, PRIVATE_PATH, CACHE_PATH, DEPCACHE_PATH, \
> USER_CONFIG_PATH, MODULES_FILE_PATH, CUSTOM_PROFILE_PATH, PORTAGE_BASE_PATH, \
> PORTAGE_BIN_PATH, PORTAGE_PYM_PATH, PROFILE_PATH, LOCALE_DATA_PATH, \
>- EBUILD_SH_BINARY, SANDBOX_BINARY, BASH_BINARY, \
>+ EBUILD_SH_BINARY, SANDBOX_BINARY, MACOSSANDBOX_BINARY, MACOSSANDBOX_PROFILE, BASH_BINARY, \
> MOVE_BINARY, PRELINK_BINARY, WORLD_FILE, MAKE_CONF_FILE, MAKE_DEFAULTS_FILE, \
> DEPRECATED_PROFILE_FILE, USER_VIRTUALS_FILE, EBUILD_SH_ENV_FILE, \
> INVALID_ENV_FILE, CUSTOM_MIRRORS_FILE, CONFIG_MEMORY_FILE,\
>@@ -1591,6 +1591,21 @@
> if "usersandbox" in self.features:
> self.features.remove("usersandbox")
>
>+ if not portage.process.macossandbox_capable and \
>+ ("macossandbox" in self.features or "macosusersandbox" in self.features):
>+ if self.profile_path is not None and \
>+ os.path.realpath(self.profile_path) == \
>+ os.path.realpath(PROFILE_PATH):
>+ """ Don't show this warning when running repoman and the
>+ sandbox feature came from a profile that doesn't belong to
>+ the user."""
>+ writemsg(colorize("BAD", "!!! Problem with macos sandbox" + \
>+ " binary. Disabling...\n\n"), noiselevel=-1)
>+ if "macossandbox" in self.features:
>+ self.features.remove("macossandbox")
>+ if "macosusersandbox" in self.features:
>+ self.features.remove("macosusersandbox")
>+
> self.features.sort()
> if "gpg" in self.features:
> writemsg(colorize("WARN", "!!! FEATURES=gpg is unmaintained, incomplete and broken. Disabling it."), noiselevel=-1)
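Review bot: The capability check in the `@@ -1591,6 +1591,21 @@` hunk strips only `macossandbox` and `macosusersandbox` when sandbox-exec is missing, but the spawn-path hunk later in this file also reads `macosprefixsandbox` from features, so that flag survives and no warning is printed when it is the only one set. Add it to the outer condition and to the removals, e.g. `if "macosprefixsandbox" in self.features: self.features.remove("macosprefixsandbox")`. The bare triple-quoted string under the inner `if` is a no-op expression statement standing in for a comment; a `#` comment would carry the same explanation without reading like a docstring. The enclosing method starts and ends outside the hunk.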
>@@ -2878,13 +2893,26 @@
> # fake ownership/permissions will have to be converted to real
> # permissions in the merge phase.
> fakeroot = fakeroot and uid != 0 and portage.process.fakeroot_capable
>+ macossandbox = ("macossandbox" in features or \
>+ "macosusersandbox" in features)
> if droppriv and not uid and portage_gid and portage_uid:
> keywords.update({"uid":portage_uid,"gid":portage_gid,
> "groups":userpriv_groups,"umask":002})
> if not free:
>- free=((droppriv and "usersandbox" not in features) or \
>+ free=((droppriv and "usersandbox" not in features and
>+ "macosusersandbox" not in features) or \
> (not droppriv and "sandbox" not in features and \
>- "usersandbox" not in features))
>+ "usersandbox" not in features and \
>+ not macossandbox))
>+
>+ # confining the process to a prefix sandbox is disabled by default, if
>+ # a normal sandbox is requested a this point, it will be used, if no
>+ # sandbox is requested, a prefix sandbox will be imposed if requested
>+ # by the appropriate features
>+ prefixsandbox = False
>+ if free:
>+ prefixsandbox = "macosprefixsandbox" in features
>+ free = not prefixsandbox
>
> if free or "SANDBOX_ACTIVE" in os.environ:
> keywords["opt_name"] += " bash"
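Review bot: `prefixsandbox` can become True while `macossandbox` is False (for example when `macosprefixsandbox` is the only one of the three flags in FEATURES), and the dispatch in the following hunk is `elif macossandbox:`, so that case appears to fall through to the generic `else` branch and spawn_sandbox instead of the Mac OS X profile. If the prefix sandbox is meant to work on its own, the branch should read `elif macossandbox or prefixsandbox:`. The comment above `prefixsandbox = False` has a typo ("a this point" for "at this point") and would read better as separate sentences. The function body continues outside the hunk, so whether a caller-supplied `free` is meant to be overridden here should be confirmed.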
>@@ -2893,6 +2921,25 @@
> keywords["opt_name"] += " fakeroot"
> keywords["fakeroot_state"] = os.path.join(mysettings["T"], "fakeroot.state")
> spawn_func = portage.process.spawn_fakeroot
>+ elif macossandbox:
>+ keywords["opt_name"] += " macossandbox"
>+ if prefixsandbox:
>+ sbprefixpath = mysettings["EPREFIX"]
>+ else:
>+ sbprefixpath = mysettings["PORTAGE_BUILDDIR"]
>+
>+ # escape some characters with special meaning in re's
>+ sbprefixre = sbprefixpath.replace("+", "\+")
>+ sbprefixre = sbprefixre.replace("*", "\*")
>+ sbprefixre = sbprefixre.replace("[", "\[")
>+ sbprefixre = sbprefixre.replace("[", "\[")
>+
>+ sbprofile = MACOSSANDBOX_PROFILE
>+ sbprofile = sbprofile.replace("@@WRITEABLE_PREFIX@@", sbprefixpath)
>+ sbprofile = sbprofile.replace("@@WRITEABLE_PREFIX_RE@@", sbprefixre)
>+
>+ keywords["profile"] = sbprofile
>+ spawn_func = portage.process.spawn_macossandbox
> else:
> keywords["opt_name"] += " sandbox"
> spawn_func = portage.process.spawn_sandbox
>@@ -4820,13 +4867,15 @@
> restrict = mysettings["PORTAGE_RESTRICT"].split()
> nosandbox = (("userpriv" in features) and \
> ("usersandbox" not in features) and \
>+ ("macosusersandbox" not in features) and \
> "userpriv" not in restrict and \
> "nouserpriv" not in restrict)
> if nosandbox and ("userpriv" not in features or \
> "userpriv" in restrict or \
> "nouserpriv" in restrict):
> nosandbox = ("sandbox" not in features and \
>- "usersandbox" not in features)
>+ "usersandbox" not in features and \
>+ "macosusersandbox" not in features)
>
> sesandbox = mysettings.selinux_enabled() and \
> "sesandbox" in mysettings.features
>--- prefix-portage-2.2.00.9380/pym/portage/const.py.msb 2007-11-18 22:08:30.000000000 +0100
>+++ prefix-portage-2.2.00.9380/pym/portage/const.py 2008-03-09 13:00:15.000000000 +0100
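Review bot: The regex escaping for `sbprefixre` in the `@@ -2893,6 +2921,25 @@` hunk is incomplete, and the fourth `replace` repeats `"["`, which turns the already escaped `\[` into `\\[` and leaves `]` untouched. `.`, `(`, `)`, `?`, `|`, `^`, `$`, `{` and `\` pass through unescaped, so a build directory or EPREFIX containing them produces a write-allow pattern that matches paths other than the intended one. A `"` in the path would also end the `#"..."` literal early, both in the regex and in the `@@WRITEABLE_PREFIX@@` literal. Escape the whole metacharacter set in one pass (for instance `sbprefixre = re.escape(sbprefixpath)`, provided `re` is imported in this module and the sandbox regex dialect accepts its output) and refuse to build the profile when the path contains `"` or a newline. The enclosing function starts and ends outside the hunk.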
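Review bot: In the `@@ -4820,13 +4867,15 @@` hunk the fallback assignment `nosandbox = (...)` tests `macosusersandbox` only, while the neighbouring `sandbox`/`usersandbox` pair and the spawn-path hunk's `not macossandbox` also treat plain `macossandbox` as a request for confinement. With `macossandbox` as the only sandbox flag in FEATURES this expression still evaluates to True; whether that is intended cannot be told from the hunk. If it is not, add `"macossandbox" not in features and \` next to the new line. The enclosing function starts and ends outside the hunk.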
>@@ -43,6 +43,32 @@
> MISC_SH_BINARY = PORTAGE_BIN_PATH+"/misc-functions.sh"
> SANDBOX_BINARY = EPREFIX+"/usr/bin/sandbox"
> FAKEROOT_BINARY = EPREFIX+"/usr/bin/fakeroot"
>+MACOSSANDBOX_BINARY = "/usr/bin/sandbox-exec"
>+MACOSSANDBOX_PROFILE = '''(version 1)
>+
>+(allow default)
>+
>+(deny file-write*)
>+
>+(allow file-read* file-write*
>+ (literal
>+ #"@@WRITEABLE_PREFIX@@"
>+ )
>+
>+ (regex
>+ #"^@@WRITEABLE_PREFIX_RE@@/"
>+ #"^(/private)?/var/tmp"
>+ #"^(/private)?/tmp"
>+ )
>+)
>+
>+(allow file-read-data file-write-data
>+ (regex
>+ #"^/dev/null$"
>+ #"^(/private)?/var/run/syslog$"
>+ )
>+)'''
>+
> BASH_BINARY = "bash"
> MOVE_BINARY = "mv"
> PRELINK_BINARY = "prelink"
>--- prefix-portage-2.2.00.9380/pym/portage/process.py.msb 2007-12-22 14:29:52.000000000 +0100
>+++ prefix-portage-2.2.00.9380/pym/portage/process.py 2008-03-09 13:00:15.000000000 +0100
>@@ -10,7 +10,7 @@
> import sys
>
> from portage.util import dump_traceback
>-from portage.const import BASH_BINARY, SANDBOX_BINARY, FAKEROOT_BINARY
>+from portage.const import BASH_BINARY, SANDBOX_BINARY, MACOSSANDBOX_BINARY, FAKEROOT_BINARY
> from portage.exception import CommandNotFound
>
> try:
>@@ -32,6 +32,9 @@
> fakeroot_capable = (os.path.isfile(FAKEROOT_BINARY) and
> os.access(FAKEROOT_BINARY, os.X_OK))
>
>+macossandbox_capable = (os.path.isfile(MACOSSANDBOX_BINARY) and
>+ os.access(MACOSSANDBOX_BINARY, os.X_OK))
>+
> def spawn_bash(mycommand, debug=False, opt_name=None, **keywords):
> """
> Spawns a bash shell running a specific commands
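Review bot: In the const.py hunk the patterns `#"^(/private)?/var/tmp"` and `#"^(/private)?/tmp"` in MACOSSANDBOX_PROFILE have no trailing anchor, so they also grant write access to sibling paths such as `/tmpfoo` or `/var/tmp-old`, unlike the prefix pattern, which ends in `/`. Ending both with `/` and listing the two directories themselves under `(literal ...)` would keep the allowance to the directories intended. The profile starts from `(allow default)` and denies only `file-write*`, so reads, network access and process execution stay unrestricted. A comment above the constant stating that this is write confinement only would keep readers from assuming more.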
>@@ -81,6 +84,19 @@
> args.append(mycommand)
> return spawn(args, opt_name=opt_name, **keywords)
>
>+def spawn_macossandbox(mycommand, profile=None, opt_name=None, **keywords):
>+ if not macossandbox_capable:
>+ return spawn_bash(mycommand, opt_name=opt_name, **keywords)
>+ args=[MACOSSANDBOX_BINARY]
>+ if not opt_name:
>+ opt_name = os.path.basename(mycommand.split()[0])
>+ args.append("-p")
>+ args.append(profile)
>+ args.append(BASH_BINARY)
>+ args.append("-c")
>+ args.append(mycommand)
>+ return spawn(args, opt_name=opt_name, **keywords)
>+
> _exithandlers = []
> def atexit_register(func, *args, **kargs):
> """Wrapper around atexit.register that is needed in order to track
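Review bot: spawn_macossandbox fails open: when `macossandbox_capable` is false it returns `spawn_bash(...)` without any message, so a caller that asked for confinement runs the command unconfined and nothing records it. With the default `profile=None`, `args.append(profile)` also puts None into the argument list handed to spawn. Rejecting a missing profile up front, e.g. `if profile is None: raise ValueError("spawn_macossandbox requires a sandbox profile")`, and logging the fallback would make both cases visible. The function has no docstring, unlike spawn_bash earlier in the file; one should state that `profile` is the full profile text passed to sandbox-exec via `-p` and that `mycommand` is run through `bash -c`.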