Gentoo's Bugzilla – Attachment 225873 Details for
Bug 212817
use Sandbox/Seatbelt to confine ebuild on Mac OS X 10.5
[patch]
mac os x sandbox/seatbelt for current prefix-portage
portage-2.2.00.15842-msb.patch (text/plain), 7.57 KB, created by
Michael Weiser
on 2010-03-30 20:20:51 UTC
Description:
mac os x sandbox/seatbelt for current prefix-portage
Filename:
MIME Type:
Creator:
Michael Weiser
Created:
2010-03-30 20:20:51 UTC
Size:
7.57 KB
patch
obsolete
>--- prefix-portage-2.2.00.15842/pym/portage/const.py.msb 2010-03-30 21:59:26 +0200
>+++ prefix-portage-2.2.00.15842/pym/portage/const.py 2010-03-30 21:59:34 +0200
>@@ -78,6 +78,31 @@
> BASH_BINARY = PORTAGE_BASH
> MOVE_BINARY = PORTAGE_MV
> PRELINK_BINARY = EPREFIX + "/usr/sbin/prelink"
>+MACOSSANDBOX_BINARY = "/usr/bin/sandbox-exec"
>+MACOSSANDBOX_PROFILE = '''(version 1)
>+
>+(allow default)
>+
>+(deny file-write*)
>+
>+(allow file-read* file-write*
>+ (literal
>+ #"@@WRITEABLE_PREFIX@@"
>+ )
>+
>+ (regex
>+ #"^@@WRITEABLE_PREFIX_RE@@/"
>+ #"^(/private)?/var/tmp"
>+ #"^(/private)?/tmp"
>+ )
>+)
>+
>+(allow file-read-data file-write-data
>+ (regex
>+ #"^/dev/null$"
>+ #"^(/private)?/var/run/syslog$"
>+ )
>+)'''
> 
> INVALID_ENV_FILE = "/etc/spork/is/not/valid/profile.env"
> REPO_NAME_FILE = "repo_name"
>--- prefix-portage-2.2.00.15842/pym/portage/package/ebuild/config.py.msb 2010-03-30 21:59:26 +0200
>+++ prefix-portage-2.2.00.15842/pym/portage/package/ebuild/config.py 2010-03-30 21:59:34 +0200
>@@ -39,7 +39,7 @@
> InvalidDependString, ParseError, PortageException
> from portage.localization import _
> from portage.output import colorize
>-from portage.process import fakeroot_capable, sandbox_capable
>+from portage.process import fakeroot_capable, sandbox_capable, macossandbox_capable
> from portage.util import ensure_dirs, getconfig, grabdict, \
> grabdict_package, grabfile, grabfile_package, LazyItemsDict, \
> normalize_path, stack_dictlist, stack_dicts, stack_lists, \
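Review bot: The two temp-directory patterns in MACOSSANDBOX_PROFILE, `#"^(/private)?/var/tmp"` and `#"^(/private)?/tmp"`, have no trailing separator, so they also match sibling paths that merely start with those strings (for example `/tmpfoo`) and make them writable. The prefix entry just above them already ends in `/`; the same form, `#"^(/private)?/var/tmp/"` and `#"^(/private)?/tmp/"`, limits the grant to the contents of the two directories. The profile also starts from `(allow default)` and denies only `file-write*`, so it confines writes but not network or process operations; a comment above the constant stating that scope would keep readers from assuming more isolation than the profile gives.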
>@@ -1150,6 +1150,18 @@
> writemsg(colorize("BAD", _("!!! Problem with sandbox"
> " binary. Disabling...\n\n")), noiselevel=-1)
> 
>+ if not macossandbox_capable and \
>+ ("macossandbox" in self.features or "macosusersandbox" in self.features):
>+ if self.profile_path is not None and \
>+ os.path.realpath(self.profile_path) == \
>+ os.path.realpath(os.path.join(
>+ self["PORTAGE_CONFIGROOT"], PROFILE_PATH)):
>+ """ Don't show this warning when running repoman and the
>+ sandbox feature came from a profile that doesn't belong to
>+ the user."""
>+ writemsg(colorize("BAD", "!!! Problem with macos sandbox" + \
>+ " binary. Disabling...\n\n"), noiselevel=-1)
>+
> if "fakeroot" in self.features and \
> not fakeroot_capable:
> writemsg(_("!!! FEATURES=fakeroot is enabled, but the "
>--- prefix-portage-2.2.00.15842/pym/portage/package/ebuild/doebuild.py.msb 2010-03-30 21:59:26 +0200
>+++ prefix-portage-2.2.00.15842/pym/portage/package/ebuild/doebuild.py 2010-03-30 22:00:03 +0200
>@@ -34,7 +34,8 @@
> unmerge, _encodings, _parse_eapi_ebuild_head, _os_merge, \
> _shell_quote, _split_ebuild_name_glep55, _unicode_decode, _unicode_encode
> from portage.const import EBUILD_SH_ENV_FILE, EBUILD_SH_BINARY, \
>- INVALID_ENV_FILE, MISC_SH_BINARY, EPREFIX, EPREFIX_LSTRIP
>+ INVALID_ENV_FILE, MISC_SH_BINARY, EPREFIX, EPREFIX_LSTRIP, \
>+ MACOSSANDBOX_PROFILE
> from portage.data import portage_gid, portage_uid, secpass, \
> uid, userpriv_groups
> from portage.dbapi.virtual import fakedbapi
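Review bot: The warning added in the -1150 hunk says "Disabling..." but nothing visible there removes `macossandbox` or `macosusersandbox` from `self.features`; unless that happens outside the hunk, later code still treats the features as requested while the build may run unconfined. The message is also not passed through `_()`, unlike the sandbox warning directly above it, so it should read `_("!!! Problem with macos sandbox binary. Disabling...\n\n")`. The bare triple-quoted string inside the `if` is an expression statement used as a comment and would be clearer as `#` lines.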
>@@ -915,17 +916,22 @@
> restrict = mysettings["PORTAGE_RESTRICT"].split()
> nosandbox = (("userpriv" in features) and \
> ("usersandbox" not in features) and \
>+ ("macosusersandbox" not in features) and \
> "userpriv" not in restrict and \
> "nouserpriv" not in restrict)
> if nosandbox and ("userpriv" not in features or \
> "userpriv" in restrict or \
> "nouserpriv" in restrict):
> nosandbox = ("sandbox" not in features and \
>- "usersandbox" not in features)
>+ "usersandbox" not in features and \
>+ "macosusersandbox" not in features)
> 
> if not portage.process.sandbox_capable:
> nosandbox = True
> 
>+ if not portage.process.macossandbox_capable:
>+ nosandbox = True
>+
> sesandbox = mysettings.selinux_enabled() and \
> "sesandbox" in mysettings.features
> 
>@@ -1205,15 +1211,29 @@
> # fake ownership/permissions will have to be converted to real
> # permissions in the merge phase.
> fakeroot = fakeroot and uid != 0 and portage.process.fakeroot_capable
>+ macossandbox = ("macossandbox" in features or \
>+ "macosusersandbox" in features)
> if droppriv and not uid and portage_gid and portage_uid:
> keywords.update({"uid":portage_uid,"gid":portage_gid,
> "groups":userpriv_groups,"umask":0o02})
> if not free:
>- free=((droppriv and "usersandbox" not in features) or \
>+ free=((droppriv and "usersandbox" not in features and
>+ "macosusersandbox" not in features) or \
> (not droppriv and "sandbox" not in features and \
>- "usersandbox" not in features and not fakeroot))
>+ "usersandbox" not in features and not fakeroot and \
>+ not macossandbox))
>+
>+ # confining the process to a prefix sandbox is disabled by default, if
>+ # a normal sandbox is requested a this point, it will be used, if no
>+ # sandbox is requested, a prefix sandbox will be imposed if requested
>+ # by the appropriate features
>+ prefixsandbox = False
>+ if free:
>+ prefixsandbox = "macosprefixsandbox" in features
>+ free = not prefixsandbox
> 
>- if not free and not (fakeroot or portage.process.sandbox_capable):
>+ if not free and not (fakeroot or portage.process.sandbox_capable or \
>+ portage.process.macossandbox_capable):
> free = True
> 
> if free or "SANDBOX_ACTIVE" in os.environ:
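Review bot: In the -915 hunk the added `if not portage.process.macossandbox_capable: nosandbox = True` stands beside the existing `sandbox_capable` check, so `nosandbox` is forced to True unless both binaries are present. A host that has the regular sandbox but no `/usr/bin/sandbox-exec` therefore loses sandboxing for whatever consumes `nosandbox` outside the hunk. Combining the tests, `if not (portage.process.sandbox_capable or portage.process.macossandbox_capable): nosandbox = True`, matches the form the -1205 hunk uses for `free`.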
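Review bot: With only `macosprefixsandbox` in FEATURES, the block added in the -1205 hunk clears `free` but leaves `macossandbox` False, because that flag is set only from `macossandbox` and `macosusersandbox`. The `elif macossandbox:` branch in the -1223 hunk is then skipped and the spawn appears to fall through to `spawn_sandbox` instead of the Seatbelt profile; if the prefix sandbox is meant to work by itself, add `macossandbox = macossandbox or prefixsandbox` after the `if free:` block. The final fallback still sets `free = True` silently when no sandbox binary is usable, so a requested confinement can be dropped without any message; a `writemsg` at that point would make it visible. The enclosing function starts and ends outside the hunk.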
>@@ -1223,6 +1243,25 @@
> keywords["opt_name"] += " fakeroot"
> keywords["fakeroot_state"] = os.path.join(mysettings["T"], "fakeroot.state")
> spawn_func = portage.process.spawn_fakeroot
>+ elif macossandbox:
>+ keywords["opt_name"] += " macossandbox"
>+ if prefixsandbox:
>+ sbprefixpath = mysettings["EPREFIX"]
>+ else:
>+ sbprefixpath = mysettings["PORTAGE_BUILDDIR"]
>+
>+ # escape some characters with special meaning in re's
>+ sbprefixre = sbprefixpath.replace("+", "\+")
>+ sbprefixre = sbprefixre.replace("*", "\*")
>+ sbprefixre = sbprefixre.replace("[", "\[")
>+ sbprefixre = sbprefixre.replace("[", "\[")
>+
>+ sbprofile = MACOSSANDBOX_PROFILE
>+ sbprofile = sbprofile.replace("@@WRITEABLE_PREFIX@@", sbprefixpath)
>+ sbprofile = sbprofile.replace("@@WRITEABLE_PREFIX_RE@@", sbprefixre)
>+
>+ keywords["profile"] = sbprofile
>+ spawn_func = portage.process.spawn_macossandbox
> else:
> keywords["opt_name"] += " sandbox"
> spawn_func = portage.process.spawn_sandbox
>--- prefix-portage-2.2.00.15842/pym/portage/process.py.msb 2010-03-30 21:59:26 +0200
>+++ prefix-portage-2.2.00.15842/pym/portage/process.py 2010-03-30 21:59:34 +0200
>@@ -18,7 +18,7 @@
> 'portage.util:dump_traceback',
> )
> 
>-from portage.const import BASH_BINARY, SANDBOX_BINARY, FAKEROOT_BINARY
>+from portage.const import BASH_BINARY, SANDBOX_BINARY, MACOSSANDBOX_BINARY, FAKEROOT_BINARY
> from portage.exception import CommandNotFound
> 
> try:
>@@ -44,6 +44,9 @@
> fakeroot_capable = (os.path.isfile(FAKEROOT_BINARY) and
> os.access(FAKEROOT_BINARY, os.X_OK))
> 
>+macossandbox_capable = (os.path.isfile(MACOSSANDBOX_BINARY) and
>+ os.access(MACOSSANDBOX_BINARY, os.X_OK))
>+
> def spawn_bash(mycommand, debug=False, opt_name=None, **keywords):
> """
> Spawns a bash shell running a specific commands
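Review bot: The regex escaping of `sbprefixpath` in the -1223 hunk is incomplete: the fourth `replace` repeats `"["` where `"]"` was presumably intended, and `.`, `(`, `)`, `?`, `^`, `$`, `|`, `{` and backslash are not escaped at all, so a build directory containing a `.` (common in versioned package names) yields a write pattern broader than the literal path. One pass covers the metacharacters: `sbprefixre = re.sub(r'([\\.^$*+?()\[\]{}|])', r'\\\1', sbprefixpath)`, assuming `re` is imported in doebuild.py, which the hunk does not show. The path is also pasted into `#"..."` literals of the profile, so a `"` in `EPREFIX` or `PORTAGE_BUILDDIR` would end the string early; rejecting such a path before substitution is safer than emitting a malformed profile. The `"\+"`-style literals rely on Python passing unknown escapes through unchanged, and raw strings avoid that.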
>@@ -93,6 +96,19 @@
> args.append(mycommand)
> return spawn(args, opt_name=opt_name, **keywords)
> 
>+def spawn_macossandbox(mycommand, profile=None, opt_name=None, **keywords):
>+ if not macossandbox_capable:
>+ return spawn_bash(mycommand, opt_name=opt_name, **keywords)
>+ args=[MACOSSANDBOX_BINARY]
>+ if not opt_name:
>+ opt_name = os.path.basename(mycommand.split()[0])
>+ args.append("-p")
>+ args.append(profile)
>+ args.append(BASH_BINARY)
>+ args.append("-c")
>+ args.append(mycommand)
>+ return spawn(args, opt_name=opt_name, **keywords)
>+
> _exithandlers = []
> def atexit_register(func, *args, **kargs):
> """Wrapper around atexit.register that is needed in order to track
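Review bot: `spawn_macossandbox` fails open: when `macossandbox_capable` is False it returns `spawn_bash(...)`, so the command runs with no confinement and no message even though the caller selected a sandbox. Since the -1223 hunk picks this function from FEATURES alone, that path is reachable on any host without `/usr/bin/sandbox-exec`; logging the fallback, or raising so the caller can choose `spawn_sandbox`, would make the loss of confinement explicit. `profile` defaults to None yet is appended to `args` unconditionally, so a call without a profile puts None into the argv; a guard such as `if profile is None: raise ValueError("spawn_macossandbox requires a profile")` states the contract. The function also lacks a docstring, unlike `spawn_bash`; it should describe the `profile` argument and the fallback behaviour.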