Go to:
Gentoo Home
Documentation
Forums
Lists
Bugs
Planet
Store
Wiki
Get Gentoo!
Gentoo's Bugzilla – Attachment 238679 Details for
Bug 212817
use Sandbox/Seatbelt to confine ebuild on Mac OS X 10.5
Home
|
New
–
[Ex]
|
Browse
|
Search
|
Privacy Policy
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
patch for current portage
portage-2.2.01.15354-msb.patch (text/plain), 7.48 KB, created by
Michael Weiser
on 2010-07-14 07:04:51 UTC
(
hide
)
Description:
patch for current portage
Filename:
MIME Type:
Creator:
Michael Weiser
Created:
2010-07-14 07:04:51 UTC
Size:
7.48 KB
patch
obsolete
>--- prefix-portage-2.2.01.15354/pym/portage/const.py.msb 2010-07-02 19:14:22.000000000 +0200 >+++ prefix-portage-2.2.01.15354/pym/portage/const.py 2010-07-14 08:56:21.000000000 +0200 >@@ -78,6 +78,31 @@ > BASH_BINARY = PORTAGE_BASH > MOVE_BINARY = PORTAGE_MV > PRELINK_BINARY = "/usr/sbin/prelink" >+MACOSSANDBOX_BINARY = "/usr/bin/sandbox-exec" >+MACOSSANDBOX_PROFILE = '''(version 1) >+ >+(allow default) >+ >+(deny file-write*) >+ >+(allow file-read* file-write* >+ (literal >+ #"@@WRITEABLE_PREFIX@@" >+ ) >+ >+ (regex >+ #"^@@WRITEABLE_PREFIX_RE@@/" >+ #"^(/private)?/var/tmp" >+ #"^(/private)?/tmp" >+ ) >+) >+ >+(allow file-read-data file-write-data >+ (regex >+ #"^/dev/null$" >+ #"^(/private)?/var/run/syslog$" >+ ) >+)''' > > PORTAGE_GROUPNAME = portagegroup > PORTAGE_USERNAME = portageuser >--- prefix-portage-2.2.01.15354/pym/portage/package/ebuild/config.py.msb 2010-07-02 19:14:23.000000000 +0200 >+++ prefix-portage-2.2.01.15354/pym/portage/package/ebuild/config.py 2010-07-14 08:55:50.000000000 +0200 >@@ -38,7 +38,7 @@ > InvalidDependString, ParseError, PortageException > from portage.localization import _ > from portage.output import colorize >-from portage.process import fakeroot_capable, sandbox_capable >+from portage.process import fakeroot_capable, sandbox_capable, macossandbox_capable > from portage.util import ensure_dirs, getconfig, grabdict, \ > grabdict_package, grabfile, grabfile_package, LazyItemsDict, \ > normalize_path, shlex_split, stack_dictlist, stack_dicts, stack_lists, \ >@@ -1157,6 +1157,18 @@ > writemsg(colorize("BAD", _("!!! Problem with sandbox" > " binary. Disabling...\n\n")), noiselevel=-1) > >+ if not macossandbox_capable and \ >+ ("macossandbox" in self.features or "macosusersandbox" in self.features): >+ if self.profile_path is not None and \ >+ os.path.realpath(self.profile_path) == \ >+ os.path.realpath(os.path.join( >+ self["PORTAGE_CONFIGROOT"], PROFILE_PATH)): >+ """ Don't show this warning when running repoman and the >+ sandbox feature came from a profile that doesn't belong to >+ the user.""" >+ writemsg(colorize("BAD", "!!! Problem with macos sandbox" + \ >+ " binary. Disabling...\n\n"), noiselevel=-1) >+ > if "fakeroot" in self.features and \ > not fakeroot_capable: > writemsg(_("!!! FEATURES=fakeroot is enabled, but the " >--- prefix-portage-2.2.01.15354/pym/portage/package/ebuild/doebuild.py.msb 2010-07-02 19:14:23.000000000 +0200 >+++ prefix-portage-2.2.01.15354/pym/portage/package/ebuild/doebuild.py 2010-07-14 08:57:09.000000000 +0200 >@@ -34,7 +34,7 @@ > _shell_quote, _split_ebuild_name_glep55, _unicode_decode, _unicode_encode > from portage.const import EBUILD_SH_ENV_FILE, EBUILD_SH_ENV_DIR, \ > EBUILD_SH_BINARY, INVALID_ENV_FILE, MISC_SH_BINARY, \ >- EPREFIX, EPREFIX_LSTRIP >+ EPREFIX, EPREFIX_LSTRIP, MACOSSANDBOX_PROFILE > from portage.data import portage_gid, portage_uid, secpass, \ > uid, userpriv_groups > from portage.dbapi.virtual import fakedbapi >@@ -931,17 +931,22 @@ > restrict = mysettings["PORTAGE_RESTRICT"].split() > nosandbox = (("userpriv" in features) and \ > ("usersandbox" not in features) and \ >+ ("macosusersandbox" not in features) and \ > "userpriv" not in restrict and \ > "nouserpriv" not in restrict) > if nosandbox and ("userpriv" not in features or \ > "userpriv" in restrict or \ > "nouserpriv" in restrict): > nosandbox = ("sandbox" not in features and \ >- "usersandbox" not in features) >+ "usersandbox" not in features and \ >+ "macosusersandbox" not in features) > > if not portage.process.sandbox_capable: > nosandbox = True > >+ if not portage.process.macossandbox_capable: >+ nosandbox = True >+ > sesandbox = mysettings.selinux_enabled() and \ > "sesandbox" in mysettings.features > >@@ -1221,15 +1226,29 @@ > # fake ownership/permissions will have to be converted to real > # permissions in the merge phase. > fakeroot = fakeroot and uid != 0 and portage.process.fakeroot_capable >+ macossandbox = ("macossandbox" in features or \ >+ "macosusersandbox" in features) > if droppriv and not uid and portage_gid and portage_uid: > keywords.update({"uid":portage_uid,"gid":portage_gid, > "groups":userpriv_groups,"umask":0o02}) > if not free: >- free=((droppriv and "usersandbox" not in features) or \ >+ free=((droppriv and "usersandbox" not in features and >+ "macosusersandbox" not in features) or \ > (not droppriv and "sandbox" not in features and \ >- "usersandbox" not in features and not fakeroot)) >+ "usersandbox" not in features and not fakeroot and \ >+ not macossandbox)) >+ >+ # confining the process to a prefix sandbox is disabled by default, if >+ # a normal sandbox is requested a this point, it will be used, if no >+ # sandbox is requested, a prefix sandbox will be imposed if requested >+ # by the appropriate features >+ prefixsandbox = False >+ if free: >+ prefixsandbox = "macosprefixsandbox" in features >+ free = not prefixsandbox > >- if not free and not (fakeroot or portage.process.sandbox_capable): >+ if not free and not (fakeroot or portage.process.sandbox_capable or \ >+ portage.process.macossandbox_capable): > free = True > > if free or "SANDBOX_ACTIVE" in os.environ: >@@ -1239,6 +1258,25 @@ > keywords["opt_name"] += " fakeroot" > keywords["fakeroot_state"] = os.path.join(mysettings["T"], "fakeroot.state") > spawn_func = portage.process.spawn_fakeroot >+ elif macossandbox: >+ keywords["opt_name"] += " macossandbox" >+ if prefixsandbox: >+ sbprefixpath = mysettings["EPREFIX"] >+ else: >+ sbprefixpath = mysettings["PORTAGE_BUILDDIR"] >+ >+ # escape some characters with special meaning in re's >+ sbprefixre = sbprefixpath.replace("+", "\+") >+ sbprefixre = sbprefixre.replace("*", "\*") >+ sbprefixre = sbprefixre.replace("[", "\[") >+ sbprefixre = sbprefixre.replace("[", "\[") >+ >+ sbprofile = MACOSSANDBOX_PROFILE >+ sbprofile = sbprofile.replace("@@WRITEABLE_PREFIX@@", sbprefixpath) >+ sbprofile = sbprofile.replace("@@WRITEABLE_PREFIX_RE@@", sbprefixre) >+ >+ keywords["profile"] = sbprofile >+ spawn_func = portage.process.spawn_macossandbox > else: > keywords["opt_name"] += " sandbox" > spawn_func = portage.process.spawn_sandbox >--- prefix-portage-2.2.01.15354/pym/portage/process.py.msb 2010-07-02 19:14:23.000000000 +0200 >+++ prefix-portage-2.2.01.15354/pym/portage/process.py 2010-07-14 08:55:50.000000000 +0200 >@@ -17,7 +17,7 @@ > 'portage.util:dump_traceback', > ) > >-from portage.const import BASH_BINARY, SANDBOX_BINARY, FAKEROOT_BINARY >+from portage.const import BASH_BINARY, SANDBOX_BINARY, MACOSSANDBOX_BINARY, FAKEROOT_BINARY > from portage.exception import CommandNotFound > > try: >@@ -43,6 +43,9 @@ > fakeroot_capable = (os.path.isfile(FAKEROOT_BINARY) and > os.access(FAKEROOT_BINARY, os.X_OK)) > >+macossandbox_capable = (os.path.isfile(MACOSSANDBOX_BINARY) and >+ os.access(MACOSSANDBOX_BINARY, os.X_OK)) >+ > def spawn_bash(mycommand, debug=False, opt_name=None, **keywords): > """ > Spawns a bash shell running a specific commands >@@ -90,6 +93,19 @@ > args.append(BASH_BINARY) > args.append("-c") > args.append(mycommand) >+ return spawn(args, opt_name=opt_name, **keywords) >+ >+def spawn_macossandbox(mycommand, profile=None, opt_name=None, **keywords): >+ if not macossandbox_capable: >+ return spawn_bash(mycommand, opt_name=opt_name, **keywords) >+ args=[MACOSSANDBOX_BINARY] >+ if not opt_name: >+ opt_name = os.path.basename(mycommand.split()[0]) >+ args.append("-p") >+ args.append(profile) >+ args.append(BASH_BINARY) >+ args.append("-c") >+ args.append(mycommand) > return spawn(args, opt_name=opt_name, **keywords) > > _exithandlers = []
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 212817
:
145637
|
146708
|
208202
|
208203
|
208569
|
225873
|
238679
|
238687
|
248497