--- pym/portage.py 2007/01/09 01:03:37 1.1
+++ pym/portage.py 2007/01/09 03:08:38
@@ -3296,32 +3296,32 @@ def doebuild(myebuild, mydo, myroot, mys
 #initial dep checks complete; time to process main commands
- nosandbox = (("userpriv" in features) and \
+ userpriv_nosandbox = (("userpriv" in features) and \
 ("usersandbox" not in features) and \
 ("userpriv" not in mysettings["RESTRICT"]) and \
 ("nouserpriv" not in mysettings["RESTRICT"]))
- if nosandbox and ("userpriv" not in features or \
- "userpriv" in mysettings["RESTRICT"] or \
- "nouserpriv" in mysettings["RESTRICT"]):
- nosandbox = ("sandbox" not in features and \
- "usersandbox" not in features)
+ restrict_sandbox = "sandbox" in mysettings["RESTRICT"]
 sesandbox = mysettings.selinux_enabled() and \
 "sesandbox" in mysettings.features
 ebuild_sh = EBUILD_SH_BINARY + " %s"
 misc_sh = MISC_SH_BINARY + " dyn_%s"
- # args are for the to spawn function
- actionmap = {
-"depend": {"cmd":ebuild_sh, "args":{"droppriv":1, "free":0, "sesandbox":0}},
-"setup": {"cmd":ebuild_sh, "args":{"droppriv":0, "free":1, "sesandbox":0}},
-"unpack": {"cmd":ebuild_sh, "args":{"droppriv":1, "free":0, "sesandbox":sesandbox}},
-"compile":{"cmd":ebuild_sh, "args":{"droppriv":1, "free":nosandbox, "sesandbox":sesandbox}},
-"test": {"cmd":ebuild_sh, "args":{"droppriv":1, "free":nosandbox, "sesandbox":sesandbox}},
-"install":{"cmd":ebuild_sh, "args":{"droppriv":0, "free":0, "sesandbox":sesandbox}},
-"rpm": {"cmd":misc_sh, "args":{"droppriv":0, "free":0, "sesandbox":0}},
-"package":{"cmd":misc_sh, "args":{"droppriv":0, "free":0, "sesandbox":0}},
- }
+ actionmap = {}
+ for x in ["depend", "setup", "unpack", "compile", "test", "install",
+ "rpm", "package"]:
+ can_drop_privs = x in ["depend", "unpack", "compile", "test"]
+ must_disable_sandbox = x in ["setup"]
+ must_enable_sandbox = x in ["depend", "rpm", "package"]
+ can_restrict_sandbox = x in ["unpack", "compile", "test", "install"]
+ can_use_sesandbox = x in ["unpack", "compile", "test", "install"]
+ actionmap[mydo] = { # args are for the to spawn function
+ "cmd": misc_sh
if x in ["rpm", "package"] else ebuild_sh,
+ "args": {"droppriv": can_drop_privs,
+ "free": (((can_restrict_sandbox and restrict_sandbox) or
+ (can_drop_privs and userpriv_nosandbox)) and
+ not must_enable_sandbox) or must_disable_sandbox
+ "sesandbox": can_use_sesandbox and sesandbox}}
 # merge the deps in so we have again a 'full' actionmap
 # be glad when this can die.
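Review bot: The new loop stores every entry under `actionmap[mydo]` instead of `actionmap[x]`, so each iteration overwrites the same key and the map ends up with only the last phase's settings ("package": `misc_sh`, `droppriv` false, `sesandbox` false) under whatever `mydo` is; the privilege drop and SELinux sandbox that the old table gave unpack/compile/test would then never be applied. The assignment should read `actionmap[x] = {`. The `"free"` expression is also missing its trailing comma before the `"sesandbox"` key, which makes the dict literal a syntax error; the line should end `not must_enable_sandbox) or must_disable_sandbox,`. Separately, `restrict_sandbox = "sandbox" in mysettings["RESTRICT"]` lets an ebuild's own RESTRICT free the install phase from the sandbox while `droppriv` is false there, and if RESTRICT is a plain string (not visible here) the test is a substring match, so `"sandbox" in mysettings["RESTRICT"].split()` would be stricter and the trust decision deserves a comment. doebuild's body starts and continues outside the hunk.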