Attachment #238679 for bug #212817




BASH_BINARY              = PORTAGE_BASH
MOVE_BINARY              = PORTAGE_MV
PRELINK_BINARY           = "/usr/sbin/prelink"
MACOSSANDBOX_BINARY      = "/usr/bin/sandbox-exec"
MACOSSANDBOX_PROFILE     = '''(version 1)

(allow default)

(deny file-write*)

(allow file-read* file-write*
  (literal
    #"@@WRITEABLE_PREFIX@@"
  )

  (regex
    #"^@@WRITEABLE_PREFIX_RE@@/"
    #"^(/private)?/var/tmp"
    #"^(/private)?/tmp"
  )
)

(allow file-read-data file-write-data
  (regex
    #"^/dev/null$"
    #"^(/private)?/var/run/syslog$"
  )
)'''

PORTAGE_GROUPNAME        = portagegroup
PORTAGE_USERNAME         = portageuser




	InvalidDependString, ParseError, PortageException
from portage.localization import _
from portage.output import colorize
from portage.process import fakeroot_capable, sandbox_capable, macossandbox_capable
from portage.util import ensure_dirs, getconfig, grabdict, \
	grabdict_package, grabfile, grabfile_package, LazyItemsDict, \
	normalize_path, shlex_split, stack_dictlist, stack_dicts, stack_lists, \

				writemsg(colorize("BAD", _("!!! Problem with sandbox"
					" binary. Disabling...\n\n")), noiselevel=-1)

		if not macossandbox_capable and \
			("macossandbox" in self.features or "macosusersandbox" in self.features):
			if self.profile_path is not None and \
				os.path.realpath(self.profile_path) == \
				os.path.realpath(os.path.join(
				self["PORTAGE_CONFIGROOT"], PROFILE_PATH)):
				""" Don't show this warning when running repoman and the
				sandbox feature came from a profile that doesn't belong to
				the user."""
				writemsg(colorize("BAD", "!!! Problem with macos sandbox" + \
					" binary. Disabling...\n\n"), noiselevel=-1)

		if "fakeroot" in self.features and \
			not fakeroot_capable:
			writemsg(_("!!! FEATURES=fakeroot is enabled, but the "




	_shell_quote, _split_ebuild_name_glep55, _unicode_decode, _unicode_encode
from portage.const import EBUILD_SH_ENV_FILE, EBUILD_SH_ENV_DIR, \
	EBUILD_SH_BINARY, INVALID_ENV_FILE, MISC_SH_BINARY, \
	EPREFIX, EPREFIX_LSTRIP, MACOSSANDBOX_PROFILE
from portage.data import portage_gid, portage_uid, secpass, \
	uid, userpriv_groups
from portage.dbapi.virtual import fakedbapi

		restrict = mysettings["PORTAGE_RESTRICT"].split()
		nosandbox = (("userpriv" in features) and \
			("usersandbox" not in features) and \
			("macosusersandbox" not in features) and \
			"userpriv" not in restrict and \
			"nouserpriv" not in restrict)
		if nosandbox and ("userpriv" not in features or \
			"userpriv" in restrict or \
			"nouserpriv" in restrict):
			nosandbox = ("sandbox" not in features and \
				"usersandbox" not in features and \
				"macosusersandbox" not in features)

		if not portage.process.sandbox_capable:
			nosandbox = True

		if not portage.process.macossandbox_capable:
			nosandbox = True

		sesandbox = mysettings.selinux_enabled() and \
			"sesandbox" in mysettings.features


	# fake ownership/permissions will have to be converted to real
	# permissions in the merge phase.
	fakeroot = fakeroot and uid != 0 and portage.process.fakeroot_capable
	macossandbox = ("macossandbox" in features or \
		"macosusersandbox" in features)
	if droppriv and not uid and portage_gid and portage_uid:
		keywords.update({"uid":portage_uid,"gid":portage_gid,
			"groups":userpriv_groups,"umask":0o02})
	if not free:
		free=((droppriv and "usersandbox" not in features and
			"macosusersandbox" not in features) or \
			(not droppriv and "sandbox" not in features and \
			"usersandbox" not in features and not fakeroot and \
			not macossandbox))

	# confining the process to a prefix sandbox is disabled by default, if
	# a normal sandbox is requested a this point, it will be used, if no
	# sandbox is requested, a prefix sandbox will be imposed if requested
	# by the appropriate features
	prefixsandbox = False
	if free:
		prefixsandbox = "macosprefixsandbox" in features
		free = not prefixsandbox

	if not free and not (fakeroot or portage.process.sandbox_capable or \
		portage.process.macossandbox_capable):
		free = True

	if free or "SANDBOX_ACTIVE" in os.environ:

		keywords["opt_name"] += " fakeroot"
		keywords["fakeroot_state"] = os.path.join(mysettings["T"], "fakeroot.state")
		spawn_func = portage.process.spawn_fakeroot
	elif macossandbox:
		keywords["opt_name"] += " macossandbox"
		if prefixsandbox:
			sbprefixpath = mysettings["EPREFIX"]
		else:
			sbprefixpath = mysettings["PORTAGE_BUILDDIR"]

		# escape some characters with special meaning in re's
		sbprefixre = sbprefixpath.replace("+", "\+")
		sbprefixre = sbprefixre.replace("*", "\*")
		sbprefixre = sbprefixre.replace("[", "\[")
		sbprefixre = sbprefixre.replace("[", "\[")

		sbprofile = MACOSSANDBOX_PROFILE
		sbprofile = sbprofile.replace("@@WRITEABLE_PREFIX@@", sbprefixpath)
		sbprofile = sbprofile.replace("@@WRITEABLE_PREFIX_RE@@", sbprefixre)

		keywords["profile"] = sbprofile
		spawn_func = portage.process.spawn_macossandbox
	else:
		keywords["opt_name"] += " sandbox"
		spawn_func = portage.process.spawn_sandbox

Lines 17-23 Link Here

(-)prefix-portage-2.2.01.15354/pym/portage/process.py.msb (-1 / +17 lines)
17	'portage.util:dump_traceback',	17	'portage.util:dump_traceback',
18	)	18	)
19		19
20	from portage.const import BASH_BINARY, SANDBOX_BINARY, FAKEROOT_BINARY	20	from portage.const import BASH_BINARY, SANDBOX_BINARY, MACOSSANDBOX_BINARY, FAKEROOT_BINARY
21	from portage.exception import CommandNotFound	21	from portage.exception import CommandNotFound
22		22
23	try:	23	try:
Lines 43-48 Link Here
43	fakeroot_capable = (os.path.isfile(FAKEROOT_BINARY) and	43	fakeroot_capable = (os.path.isfile(FAKEROOT_BINARY) and
44	os.access(FAKEROOT_BINARY, os.X_OK))	44	os.access(FAKEROOT_BINARY, os.X_OK))
45		45
		46	macossandbox_capable = (os.path.isfile(MACOSSANDBOX_BINARY) and
		47	os.access(MACOSSANDBOX_BINARY, os.X_OK))
		48
46	def spawn_bash(mycommand, debug=False, opt_name=None, **keywords):	49	def spawn_bash(mycommand, debug=False, opt_name=None, **keywords):
47	"""	50	"""
48	Spawns a bash shell running a specific commands	51	Spawns a bash shell running a specific commands
Lines 90-95 Link Here
90	args.append(BASH_BINARY)	93	args.append(BASH_BINARY)
91	args.append("-c")	94	args.append("-c")
92	args.append(mycommand)	95	args.append(mycommand)
		96	return spawn(args, opt_name=opt_name, **keywords)
		97
		98	def spawn_macossandbox(mycommand, profile=None, opt_name=None, **keywords):
		99	if not macossandbox_capable:
		100	return spawn_bash(mycommand, opt_name=opt_name, **keywords)
		101	args=[MACOSSANDBOX_BINARY]
		102	if not opt_name:
		103	opt_name = os.path.basename(mycommand.split()[0])
		104	args.append("-p")
		105	args.append(profile)
		106	args.append(BASH_BINARY)
		107	args.append("-c")
		108	args.append(mycommand)
93	return spawn(args, opt_name=opt_name, **keywords)	109	return spawn(args, opt_name=opt_name, **keywords)
94		110
95	_exithandlers = []	111	_exithandlers = []

Return to bug 212817

Lines 34-40 Link Here

(-)prefix-portage-2.2.01.15354/pym/portage/package/ebuild/doebuild.py.msb (-5 / +43 lines)
34	_shell_quote, _split_ebuild_name_glep55, _unicode_decode, _unicode_encode	34	_shell_quote, _split_ebuild_name_glep55, _unicode_decode, _unicode_encode
35	from portage.const import EBUILD_SH_ENV_FILE, EBUILD_SH_ENV_DIR, \	35	from portage.const import EBUILD_SH_ENV_FILE, EBUILD_SH_ENV_DIR, \
36	EBUILD_SH_BINARY, INVALID_ENV_FILE, MISC_SH_BINARY, \	36	EBUILD_SH_BINARY, INVALID_ENV_FILE, MISC_SH_BINARY, \
37	EPREFIX, EPREFIX_LSTRIP	37	EPREFIX, EPREFIX_LSTRIP, MACOSSANDBOX_PROFILE
38	from portage.data import portage_gid, portage_uid, secpass, \	38	from portage.data import portage_gid, portage_uid, secpass, \
39	uid, userpriv_groups	39	uid, userpriv_groups
40	from portage.dbapi.virtual import fakedbapi	40	from portage.dbapi.virtual import fakedbapi
Lines 931-947 Link Here
931	restrict = mysettings["PORTAGE_RESTRICT"].split()	931	restrict = mysettings["PORTAGE_RESTRICT"].split()
932	nosandbox = (("userpriv" in features) and \	932	nosandbox = (("userpriv" in features) and \
933	("usersandbox" not in features) and \	933	("usersandbox" not in features) and \
		934	("macosusersandbox" not in features) and \
934	"userpriv" not in restrict and \	935	"userpriv" not in restrict and \
935	"nouserpriv" not in restrict)	936	"nouserpriv" not in restrict)
936	if nosandbox and ("userpriv" not in features or \	937	if nosandbox and ("userpriv" not in features or \
937	"userpriv" in restrict or \	938	"userpriv" in restrict or \
938	"nouserpriv" in restrict):	939	"nouserpriv" in restrict):
939	nosandbox = ("sandbox" not in features and \	940	nosandbox = ("sandbox" not in features and \
940	"usersandbox" not in features)	941	"usersandbox" not in features and \
		942	"macosusersandbox" not in features)
941		943
942	if not portage.process.sandbox_capable:	944	if not portage.process.sandbox_capable:
943	nosandbox = True	945	nosandbox = True
944		946
		947	if not portage.process.macossandbox_capable:
		948	nosandbox = True
		949
945	sesandbox = mysettings.selinux_enabled() and \	950	sesandbox = mysettings.selinux_enabled() and \
946	"sesandbox" in mysettings.features	951	"sesandbox" in mysettings.features
947		952
Lines 1221-1235 Link Here
1221	# fake ownership/permissions will have to be converted to real	1226	# fake ownership/permissions will have to be converted to real
1222	# permissions in the merge phase.	1227	# permissions in the merge phase.
1223	fakeroot = fakeroot and uid != 0 and portage.process.fakeroot_capable	1228	fakeroot = fakeroot and uid != 0 and portage.process.fakeroot_capable
		1229	macossandbox = ("macossandbox" in features or \
		1230	"macosusersandbox" in features)
1224	if droppriv and not uid and portage_gid and portage_uid:	1231	if droppriv and not uid and portage_gid and portage_uid:
1225	keywords.update({"uid":portage_uid,"gid":portage_gid,	1232	keywords.update({"uid":portage_uid,"gid":portage_gid,
1226	"groups":userpriv_groups,"umask":0o02})	1233	"groups":userpriv_groups,"umask":0o02})
1227	if not free:	1234	if not free:
1228	free=((droppriv and "usersandbox" not in features) or \	1235	free=((droppriv and "usersandbox" not in features and
		1236	"macosusersandbox" not in features) or \
1229	(not droppriv and "sandbox" not in features and \	1237	(not droppriv and "sandbox" not in features and \
1230	"usersandbox" not in features and not fakeroot))	1238	"usersandbox" not in features and not fakeroot and \
		1239	not macossandbox))
		1240
		1241	# confining the process to a prefix sandbox is disabled by default, if
		1242	# a normal sandbox is requested a this point, it will be used, if no
		1243	# sandbox is requested, a prefix sandbox will be imposed if requested
		1244	# by the appropriate features
		1245	prefixsandbox = False
		1246	if free:
		1247	prefixsandbox = "macosprefixsandbox" in features
		1248	free = not prefixsandbox
1231		1249
1232	if not free and not (fakeroot or portage.process.sandbox_capable):	1250	if not free and not (fakeroot or portage.process.sandbox_capable or \
		1251	portage.process.macossandbox_capable):
1233	free = True	1252	free = True
1234		1253
1235	if free or "SANDBOX_ACTIVE" in os.environ:	1254	if free or "SANDBOX_ACTIVE" in os.environ:
Lines 1239-1244 Link Here
1239	keywords["opt_name"] += " fakeroot"	1258	keywords["opt_name"] += " fakeroot"
1240	keywords["fakeroot_state"] = os.path.join(mysettings["T"], "fakeroot.state")	1259	keywords["fakeroot_state"] = os.path.join(mysettings["T"], "fakeroot.state")
1241	spawn_func = portage.process.spawn_fakeroot	1260	spawn_func = portage.process.spawn_fakeroot
		1261	elif macossandbox:
		1262	keywords["opt_name"] += " macossandbox"
		1263	if prefixsandbox:
		1264	sbprefixpath = mysettings["EPREFIX"]
		1265	else:
		1266	sbprefixpath = mysettings["PORTAGE_BUILDDIR"]
		1267
		1268	# escape some characters with special meaning in re's
		1269	sbprefixre = sbprefixpath.replace("+", "\+")
		1270	sbprefixre = sbprefixre.replace("", "\")
		1271	sbprefixre = sbprefixre.replace("[", "\[")
		1272	sbprefixre = sbprefixre.replace("[", "\[")
		1273
		1274	sbprofile = MACOSSANDBOX_PROFILE
		1275	sbprofile = sbprofile.replace("@@WRITEABLE_PREFIX@@", sbprefixpath)
		1276	sbprofile = sbprofile.replace("@@WRITEABLE_PREFIX_RE@@", sbprefixre)
		1277
		1278	keywords["profile"] = sbprofile
		1279	spawn_func = portage.process.spawn_macossandbox
1242	else:	1280	else:
1243	keywords["opt_name"] += " sandbox"	1281	keywords["opt_name"] += " sandbox"
1244	spawn_func = portage.process.spawn_sandbox	1282	spawn_func = portage.process.spawn_sandbox

Lines 78-83 Link Here

(-)prefix-portage-2.2.01.15354/pym/portage/const.py.msb (+25 lines)
78	BASH_BINARY = PORTAGE_BASH	78	BASH_BINARY = PORTAGE_BASH
79	MOVE_BINARY = PORTAGE_MV	79	MOVE_BINARY = PORTAGE_MV
80	PRELINK_BINARY = "/usr/sbin/prelink"	80	PRELINK_BINARY = "/usr/sbin/prelink"
		81	MACOSSANDBOX_BINARY = "/usr/bin/sandbox-exec"
		82	MACOSSANDBOX_PROFILE = '''(version 1)
		83
		84	(allow default)
		85
		86	(deny file-write*)
		87
		88	(allow file-read* file-write*
		89	(literal
		90	#"@@WRITEABLE_PREFIX@@"
		91	)
		92
		93	(regex
		94	#"^@@WRITEABLE_PREFIX_RE@@/"
		95	#"^(/private)?/var/tmp"
		96	#"^(/private)?/tmp"
		97	)
		98	)
		99
		100	(allow file-read-data file-write-data
		101	(regex
		102	#"^/dev/null$"
		103	#"^(/private)?/var/run/syslog$"
		104	)
		105	)'''
81		106
82	PORTAGE_GROUPNAME = portagegroup	107	PORTAGE_GROUPNAME = portagegroup
83	PORTAGE_USERNAME = portageuser	108	PORTAGE_USERNAME = portageuser

Lines 38-44 Link Here

(-)prefix-portage-2.2.01.15354/pym/portage/package/ebuild/config.py.msb (-1 / +13 lines)
38	InvalidDependString, ParseError, PortageException	38	InvalidDependString, ParseError, PortageException
39	from portage.localization import _	39	from portage.localization import _
40	from portage.output import colorize	40	from portage.output import colorize
41	from portage.process import fakeroot_capable, sandbox_capable	41	from portage.process import fakeroot_capable, sandbox_capable, macossandbox_capable
42	from portage.util import ensure_dirs, getconfig, grabdict, \	42	from portage.util import ensure_dirs, getconfig, grabdict, \
43	grabdict_package, grabfile, grabfile_package, LazyItemsDict, \	43	grabdict_package, grabfile, grabfile_package, LazyItemsDict, \
44	normalize_path, shlex_split, stack_dictlist, stack_dicts, stack_lists, \	44	normalize_path, shlex_split, stack_dictlist, stack_dicts, stack_lists, \
Lines 1157-1162 Link Here
1157	writemsg(colorize("BAD", _("!!! Problem with sandbox"	1157	writemsg(colorize("BAD", _("!!! Problem with sandbox"
1158	" binary. Disabling...\n\n")), noiselevel=-1)	1158	" binary. Disabling...\n\n")), noiselevel=-1)
1159		1159
		1160	if not macossandbox_capable and \
		1161	("macossandbox" in self.features or "macosusersandbox" in self.features):
		1162	if self.profile_path is not None and \
		1163	os.path.realpath(self.profile_path) == \
		1164	os.path.realpath(os.path.join(
		1165	self["PORTAGE_CONFIGROOT"], PROFILE_PATH)):
		1166	""" Don't show this warning when running repoman and the
		1167	sandbox feature came from a profile that doesn't belong to
		1168	the user."""
		1169	writemsg(colorize("BAD", "!!! Problem with macos sandbox" + \
		1170	" binary. Disabling...\n\n"), noiselevel=-1)
		1171
1160	if "fakeroot" in self.features and \	1172	if "fakeroot" in self.features and \
1161	not fakeroot_capable:	1173	not fakeroot_capable:
1162	writemsg(_("!!! FEATURES=fakeroot is enabled, but the "	1174	writemsg(_("!!! FEATURES=fakeroot is enabled, but the "