Go to:
Gentoo Home
Documentation
Forums
Lists
Bugs
Planet
Store
Wiki
Get Gentoo!
Gentoo's Bugzilla – Attachment 532540 Details for
Bug 655996
Portage SELinux enhancements for musl and cleanups
Home
|
New
–
[Ex]
|
Browse
|
Search
|
Privacy Policy
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
preinst_selinux_labels: disable LD_PRELOAD sandbox
0001-preinst_selinux_labels-disable-LD_PRELOAD-sandbox-bu.patch (text/plain), 4.50 KB, created by
Zac Medico
on 2018-05-21 09:09:22 UTC
(
hide
)
Description:
preinst_selinux_labels: disable LD_PRELOAD sandbox
Filename:
MIME Type:
Creator:
Zac Medico
Created:
2018-05-21 09:09:22 UTC
Size:
4.50 KB
patch
obsolete
>From cb73599de0449898170f11dc22e041d62367bffc Mon Sep 17 00:00:00 2001 >From: Zac Medico <zmedico@gentoo.org> >Date: Thu, 17 May 2018 20:57:59 -0700 >Subject: [PATCH] preinst_selinux_labels: disable LD_PRELOAD sandbox (bug > 655996) > >Since SELinux does not allow LD_PRELOAD across domain transitions, >disable the LD_PRELOAD sandbox for preinst_selinux_labels. > >Bug: https://bugs.gentoo.org/655996 >--- > pym/_emerge/EbuildPhase.py | 30 +++++++++++++++++++++++++++++- > pym/_emerge/MiscFunctionsProcess.py | 6 +++++- > pym/portage/package/ebuild/doebuild.py | 28 +++++++++++++++++++++------- > 3 files changed, 55 insertions(+), 9 deletions(-) > >diff --git a/pym/_emerge/EbuildPhase.py b/pym/_emerge/EbuildPhase.py >index 890b178702..d057dc45e3 100644 >--- a/pym/_emerge/EbuildPhase.py >+++ b/pym/_emerge/EbuildPhase.py >@@ -13,6 +13,7 @@ from _emerge.MiscFunctionsProcess import MiscFunctionsProcess > from _emerge.EbuildProcess import EbuildProcess > from _emerge.CompositeTask import CompositeTask > from _emerge.PackagePhase import PackagePhase >+from _emerge.TaskSequence import TaskSequence > from portage.package.ebuild.prepare_build_dirs import (_prepare_workdir, > _prepare_fake_distdir, _prepare_fake_filesdir) > from portage.util import writemsg >@@ -275,7 +276,7 @@ class EbuildPhase(CompositeTask): > # when FEATURES=compress-build-logs is enabled. > fd, logfile = tempfile.mkstemp() > os.close(fd) >- post_phase = MiscFunctionsProcess(background=self.background, >+ post_phase = _PostPhaseCommands(background=self.background, > commands=post_phase_cmds, fd_pipes=self.fd_pipes, > logfile=logfile, phase=self.phase, scheduler=self.scheduler, > settings=settings) >@@ -405,3 +406,30 @@ class EbuildPhase(CompositeTask): > log_path = self.settings.get("PORTAGE_LOG_FILE") > self.scheduler.output(msg, log_path=log_path, > background=background) >+ >+ >+class _PostPhaseCommands(CompositeTask): >+ >+ __slots__ = ("commands", "fd_pipes", "logfile", "phase", "settings") >+ >+ def _start(self): >+ if isinstance(self.commands, list): >+ cmds = [({}, self.commands)] >+ else: >+ cmds = list(self.commands) >+ >+ if 'selinux' not in self.settings.features: >+ cmds = [(kwargs, commands) for kwargs, commands in >+ cmds if not kwargs.get('selinux_only')] >+ >+ tasks = TaskSequence() >+ for kwargs, commands in cmds: >+ # Select args intended for MiscFunctionsProcess. >+ kwargs = dict((k, v) for k, v in kwargs.items() >+ if k in ('ld_preload_sandbox',)) >+ tasks.add(MiscFunctionsProcess(background=self.background, >+ commands=commands, fd_pipes=self.fd_pipes, >+ logfile=self.logfile, phase=self.phase, >+ scheduler=self.scheduler, settings=self.settings, **kwargs)) >+ >+ self._start_task(tasks, self._default_final_exit) >diff --git a/pym/_emerge/MiscFunctionsProcess.py b/pym/_emerge/MiscFunctionsProcess.py >index 99cf5983f7..89fd226351 100644 >--- a/pym/_emerge/MiscFunctionsProcess.py >+++ b/pym/_emerge/MiscFunctionsProcess.py >@@ -13,7 +13,7 @@ class MiscFunctionsProcess(AbstractEbuildProcess): > Spawns misc-functions.sh with an existing ebuild environment. > """ > >- __slots__ = ('commands',) >+ __slots__ = ('commands', 'ld_preload_sandbox') > > def _start(self): > settings = self.settings >@@ -29,6 +29,10 @@ class MiscFunctionsProcess(AbstractEbuildProcess): > AbstractEbuildProcess._start(self) > > def _spawn(self, args, **kwargs): >+ # If self.ld_preload_sandbox is None, default to free=False, >+ # in alignment with the spawn(free=False) default. >+ kwargs.setdefault('free', False if self.ld_preload_sandbox is None >+ else not self.ld_preload_sandbox) > > if self._dummy_pipe_fd is not None: > self.settings["PORTAGE_PIPE_FD"] = str(self._dummy_pipe_fd) >diff --git a/pym/portage/package/ebuild/doebuild.py b/pym/portage/package/ebuild/doebuild.py >index 31b552ff36..c3b89ade23 100644 >--- a/pym/portage/package/ebuild/doebuild.py >+++ b/pym/portage/package/ebuild/doebuild.py >@@ -1722,13 +1722,27 @@ _post_phase_cmds = { > "install_symlink_html_docs", > "install_hooks"], > >- "preinst" : [ >- "preinst_sfperms", >- "preinst_selinux_labels", >- "preinst_suid_scan", >- "preinst_qa_check", >- ], >- >+ "preinst" : ( >+ ( >+ # Since SELinux does not allow LD_PRELOAD across domain transitions, >+ # disable the LD_PRELOAD sandbox for preinst_selinux_labels. >+ { >+ "ld_preload_sandbox": False, >+ "selinux_only": True, >+ }, >+ [ >+ "preinst_selinux_labels", >+ ], >+ ), >+ ( >+ {}, >+ [ >+ "preinst_sfperms", >+ "preinst_suid_scan", >+ "preinst_qa_check", >+ ], >+ ), >+ ), > "postinst" : [ > "postinst_qa_check"], > } >-- >2.13.6 >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=532540">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 655996
:
531970
|
531972
| 532540
