Go to:
Gentoo Home
Documentation
Forums
Lists
Bugs
Planet
Store
Wiki
Get Gentoo!
Gentoo's Bugzilla – Attachment 562380 Details for
Bug 675868
>=dev-lang/python-3.4 with FEATURES="pid-sandbox userpriv": test test_resource failed
Home
|
New
–
[Ex]
|
Browse
|
Search
|
Privacy Policy
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
Patch
portage.patch (text/plain), 3.79 KB, created by
Arfrever Frehtes Taifersar Arahesis
on 2019-01-21 16:22:37 UTC
(
hide
)
Description:
Patch
Filename:
MIME Type:
Creator:
Arfrever Frehtes Taifersar Arahesis
Created:
2019-01-21 16:22:37 UTC
Size:
3.79 KB
patch
obsolete
>From 3192c6636c7492a6a1ed5650f8368464fac040e4 Mon Sep 17 00:00:00 2001 >From: Arfrever Frehtes Taifersar Arahesis <Arfrever@Apache.Org> >Date: Mon, 21 Jan 2019 17:14:03 +0100 >Subject: [PATCH] pid-ns-init: Drop permissions only for subprocess of > pid-ns-init but not pid-ns-init itself > >With FEATURES="pid-sandbox userpriv", pid-ns-init should be run with unchanged >permissions (usually UID=0, GID=0). > >Bug: https://bugs.gentoo.org/675868 >Signed-off-by: Arfrever Frehtes Taifersar Arahesis <Arfrever@Apache.Org> >--- > bin/pid-ns-init | 26 +++++++++++++++++++++++--- > lib/portage/process.py | 12 ++++++++++-- > 2 files changed, 33 insertions(+), 5 deletions(-) > >diff --git a/bin/pid-ns-init b/bin/pid-ns-init >index f9b8cc4f3..d66a8d510 100644 >--- a/bin/pid-ns-init >+++ b/bin/pid-ns-init >@@ -39,7 +39,7 @@ def forward_kill_signal(main_child_pid, signum, frame): > > def main(argv): > if len(argv) < 2: >- return 'Usage: {} <main-child-pid> or <pass_fds> <binary> <argv0> [arg]..'.format(argv[0]) >+ return 'Usage: {} <main-child-pid> or <uid> <gid> <groups> <umask> <pass_fds> <binary> <argv0> [arg]..'.format(argv[0]) > > if len(argv) == 2: > # The child process is init (pid 1) in a child pid namespace, and >@@ -50,13 +50,33 @@ def main(argv): > proc = None > else: > # The current process is init (pid 1) in a child pid namespace. >- pass_fds, binary, args = tuple(int(fd) for fd in argv[1].split(',')), argv[2], argv[3:] >+ uid, gid, groups, umask, pass_fds, binary, args = argv[1], argv[2], argv[3], argv[4], tuple(int(fd) for fd in argv[5].split(',')), argv[6], argv[7:] >+ if uid: >+ uid = int(uid) >+ if gid: >+ gid = int(gid) >+ if groups: >+ groups = tuple(int(group) for group in groups.split(',')) >+ if umask: >+ umask = int(umask) >+ >+ def preexec(): >+ if gid: >+ os.setgid(gid) >+ if groups: >+ os.setgroups(groups) >+ if uid: >+ os.setuid(uid) >+ if umask: >+ os.umask(umask) >+ if signal_disposition_preexec is not None: >+ signal_disposition_preexec() > > popen_kwargs = {} > if sys.version_info.major > 2: > popen_kwargs['pass_fds'] = pass_fds > proc = subprocess.Popen(args, executable=binary, >- preexec_fn=signal_disposition_preexec, **popen_kwargs) >+ preexec_fn=preexec, **popen_kwargs) > main_child_pid = proc.pid > > sig_handler = functools.partial(forward_kill_signal, main_child_pid) >diff --git a/lib/portage/process.py b/lib/portage/process.py >index dd3d58ddc..86b25226f 100644 >--- a/lib/portage/process.py >+++ b/lib/portage/process.py >@@ -1,5 +1,5 @@ > # portage.py -- core Portage functionality >-# Copyright 1998-2018 Gentoo Authors >+# Copyright 1998-2019 Gentoo Authors > # Distributed under the terms of the GNU General Public License v2 > > >@@ -467,7 +467,7 @@ def _exec(binary, mycommand, opt_name, fd_pipes, > @param gid: Group ID to run the process under > @type gid: Integer > @param groups: Groups the Process should be in. >- @type groups: Integer >+ @type groups: List > @param uid: User ID to run the process under > @type uid: Integer > @param umask: an int representing a unix umask (see man chmod for umask details) >@@ -571,8 +571,16 @@ def _exec(binary, mycommand, opt_name, fd_pipes, > portage._python_interpreter, > os.path.join(portage._bin_path, > 'pid-ns-init'), >+ _unicode_encode(str(uid) if uid is not None else ''), >+ _unicode_encode(str(gid) if gid is not None else ''), >+ _unicode_encode(','.join(str(group) for group in groups) if groups is not None else ''), >+ _unicode_encode(str(umask) if umask is not None else ''), > _unicode_encode(','.join(str(fd) for fd in fd_pipes)), > binary] + myargs >+ uid = None >+ gid = None >+ groups = None >+ umask = None > else: > # Execute a supervisor process which will forward > # signals to init and forward exit status to the >-- >2.20.1 >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=562380">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 675868
:
562202
| 562380 |
563004
